Malware analysis setup.exe Malicious activity | ANY.RUN

Add for printing

File name:	setup.exe
Full analysis:	https://app.any.run/tasks/67906a87-fe21-484d-ac06-bde7640a1675
Verdict:	Malicious activity
Threats:	Lumma is an information stealer, developed using the C programming language. It is offered for sale as a malware-as-a-service, with several plans available. It usually targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malicious software regularly gets updates that improve and expand its functionality, making it a serious stealer threat. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	December 20, 2024, 10:55:35
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	autoit stealer lumma autoit-loader
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 6 sections
MD5:	4FAAF8B146989402B01872F5F1FA5A88
SHA1:	DC08532EB134AD2AEA2994705DDAEFF156C7DD6F
SHA256:	3A10EC9DB282D82494DAE795ACF0DB44F8CF2E52BA69C06DBE87CAF759A9642F
SSDEEP:	49152:ED3htlXhg0po3+8IzCmuUrHnRkWi/HvFz/dgs9H2iN4NuaLRfnRgRcr7dCz8+HVT:E5Xh5KuVxuUrxI1z/zWi+YapBMztVm50

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- AutoIt loader has been detected (YARA)
  - Oops.com (PID: 6720)
- LUMMA mutex has been found
  - Oops.com (PID: 6720)
- Actions looks like stealing of personal data
  - Oops.com (PID: 6720)
- LUMMA has been detected (SURICATA)
  - svchost.exe (PID: 2192)
- Steals credentials from Web Browsers
  - Oops.com (PID: 6720)
SUSPICIOUS
- Reads security settings of Internet Explorer
  - setup.exe (PID: 6260)
- Starts CMD.EXE for commands execution
  - setup.exe (PID: 6260)
  - cmd.exe (PID: 6380)
- Application launched itself
  - cmd.exe (PID: 6380)
- Using 'findstr.exe' to search for text patterns in files and output
  - cmd.exe (PID: 6380)
- Get information on the list of running processes
  - cmd.exe (PID: 6380)
- Executing commands from ".cmd" file
  - setup.exe (PID: 6260)
- The executable file from the user directory is run by the CMD process
  - Oops.com (PID: 6720)
- Starts application with an unusual extension
  - cmd.exe (PID: 6380)
- Starts the AutoIt3 executable file
  - cmd.exe (PID: 6380)
- Contacting a server suspected of hosting an CnC
  - svchost.exe (PID: 2192)
INFO
- Reads the computer name
  - setup.exe (PID: 6260)
  - Oops.com (PID: 6720)
- Checks supported languages
  - setup.exe (PID: 6260)
  - Oops.com (PID: 6720)
- Creates a new folder
  - cmd.exe (PID: 6636)
- Process checks computer location settings
  - setup.exe (PID: 6260)
- Reads mouse settings
  - Oops.com (PID: 6720)
- Reads the software policy settings
  - Oops.com (PID: 6720)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win32 Executable MS Visual C++ (generic) (42.2)
.exe	\|	Win64 Executable (generic) (37.3)
.dll	\|	Win32 Dynamic Link Library (generic) (8.8)
.exe	\|	Win32 Executable (generic) (6)
.exe	\|	Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2012:02:24 19:20:04+00:00
ImageFileCharacteristics:	Executable, 32-bit
PEType:	PE32
LinkerVersion:	10
CodeSize:	29696
InitializedDataSize:	1132544
UninitializedDataSize:	16896
EntryPoint:	0x38af
OSVersion:	5
ImageVersion:	6
SubsystemVersion:	5
Subsystem:	Windows GUI

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

146

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

2192

C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache

C:\Windows\System32\svchost.exe

services.exe

User:

NETWORK SERVICE

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Host Process for Windows Services

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll

6260

"C:\Users\admin\AppData\Local\Temp\setup.exe"

C:\Users\admin\AppData\Local\Temp\setup.exe

—

explorer.exe

User:

admin

Integrity Level:

MEDIUM

Exit code:

Modules

Images
c:\users\admin\appdata\local\temp\setup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\acgenral.dll

6380

"C:\Windows\System32\cmd.exe" /c copy Verse Verse.cmd & Verse.cmd

C:\Windows\SysWOW64\cmd.exe

—

setup.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Command Processor

Exit code:

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

6396

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

6452

"C:\WINDOWS\system32\UCPDMgr.exe"

C:\Windows\System32\UCPDMgr.exe

—

svchost.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

User Choice Protection Manager

Exit code:

Version:

1.0.0.414301

Modules

Images
c:\windows\system32\ucpdmgr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll

6460

tasklist

C:\Windows\SysWOW64\tasklist.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Lists the current running tasks

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\tasklist.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll

6480

findstr /I "opssvc wrsa"

C:\Windows\SysWOW64\findstr.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Find String (QGREP) Utility

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\findstr.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

6576

tasklist

C:\Windows\SysWOW64\tasklist.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Lists the current running tasks

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\tasklist.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll

6584

findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"

C:\Windows\SysWOW64\findstr.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Find String (QGREP) Utility

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\findstr.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

6636

cmd /c md 762009

C:\Windows\SysWOW64\cmd.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Command Processor

Exit code:

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

Add for printing

Total events

1 194

Read events

1 194

Write events

Delete events

Modification events

No data

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
6260	setup.exe	C:\Users\admin\AppData\Local\Temp\Tax		binary
		MD5:DBB2F626FAA591055BB550415E53F07D	SHA256:6D49DF4DB6E3188909456837737B2BDE7F69B1621CE8FCEA2336363313C2B484
6260	setup.exe	C:\Users\admin\AppData\Local\Temp\Wellington		binary
		MD5:B77C663AD6F288716EA743C0821AF230	SHA256:FFAC95DB57A02329095E74CFB04FB0E2499617B67ECE41C8A76E08F9B86264CB
6260	setup.exe	C:\Users\admin\AppData\Local\Temp\Recorders		binary
		MD5:ADA95C38A1BFC3D6E7E71A7DD905E49E	SHA256:108DE0DF5BEC8E1FAE15268D610EAD26CB8D1B6E85B590A020DD6F625AE8036E
6260	setup.exe	C:\Users\admin\AppData\Local\Temp\Mhz		binary
		MD5:D89012682B79133C829F5F262DB69C3B	SHA256:0E0371850D046D0555276D56F1ADBB8070E8731E7841EF41A401F72E8FAA0B75
6260	setup.exe	C:\Users\admin\AppData\Local\Temp\Boxed		binary
		MD5:6D8FC84B306ADC0492BD6B21336CA080	SHA256:6C6D0FCE7E337E2A8582F1751B96BF7326A40403A9C0E0DCEE7F69F243799BAB
6260	setup.exe	C:\Users\admin\AppData\Local\Temp\Carpet		binary
		MD5:D6FDAC1A41F26CB2EACE7C04DD05695C	SHA256:890664F5520BF8376F7A6D7D8FEC0404AB6ABE0D80C7E3AB6413347E0016B49F
6260	setup.exe	C:\Users\admin\AppData\Local\Temp\Jury		binary
		MD5:453792E93105051E32DCE2567A60DE07	SHA256:90F397F2D62D90813AF0580D2B91F4786FF3B433831F5CEAF590A9CBC6AFA6DE
6260	setup.exe	C:\Users\admin\AppData\Local\Temp\Treasurer		binary
		MD5:BDE0D0C513DA1DBD0E72EA64C16E205D	SHA256:37024DBFED21DD53908033255D4308B9882F42F6EC6F210C6A0B9510B1BF4676
6260	setup.exe	C:\Users\admin\AppData\Local\Temp\Functions		binary
		MD5:8295BDFA725B8121D94ED92841677C85	SHA256:C4D29FA80E5AEAD1E7B90D68E34E42FDF993F1C1045081B3F8491D3A283A409F
6260	setup.exe	C:\Users\admin\AppData\Local\Temp\Aimed		binary
		MD5:DA423A6CED09A03CC7908C05A513E8CD	SHA256:410469BDA684DC47667CA985496183F734EBD1B493142BA7222B27463AB2A397

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
4712	MoUsoCoreWorker.exe	GET	200	2.16.164.106:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
4712	MoUsoCoreWorker.exe	GET	200	88.221.125.143:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
1176	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
5064	SearchApp.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D	unknown	—	—	whitelisted
3172	SIHClient.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
1356	backgroundTaskHost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D	unknown	—	—	whitelisted
3172	SIHClient.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	192.168.100.255:137	—	—	—	whitelisted
5564	svchost.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
5064	SearchApp.exe	2.23.209.185:443	www.bing.com	Akamai International B.V.	GB	whitelisted
4712	MoUsoCoreWorker.exe	2.16.164.106:80	crl.microsoft.com	Akamai International B.V.	NL	whitelisted
4712	MoUsoCoreWorker.exe	88.221.125.143:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
5064	SearchApp.exe	192.229.221.95:80	ocsp.digicert.com	EDGECAST	US	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
1176	svchost.exe	20.190.159.75:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
1176	svchost.exe	192.229.221.95:80	ocsp.digicert.com	EDGECAST	US	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	40.127.240.158 51.104.136.2	whitelisted
www.bing.com	2.23.209.185 2.23.209.179 2.23.209.131 2.23.209.137 2.23.209.183 2.23.209.177 2.23.209.135 2.23.209.176 2.23.209.133	whitelisted
crl.microsoft.com	2.16.164.106 2.16.164.49	whitelisted
www.microsoft.com	88.221.125.143 184.30.21.171	whitelisted
google.com	142.250.184.206	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
login.live.com	20.190.159.75 20.190.159.23 20.190.159.64 20.190.159.0 20.190.159.71 20.190.159.73 40.126.31.69 40.126.31.71	whitelisted
go.microsoft.com	184.28.89.167 23.43.62.58	whitelisted
pPWHIINwGxxwQbgviFATVpP.pPWHIINwGxxwQbgviFATVpP	—	unknown
slscr.update.microsoft.com	20.12.23.50	whitelisted

Threats

PID	Process	Class	Message
2192	svchost.exe	Domain Observed Used for C2 Detected	STEALER [ANY.RUN] Suspected Lumma domain by CrossDomain (klipcatepiu0 .shop)

Add for printing

No debug info

General Info

setup.exe

4FAAF8B146989402B01872F5F1FA5A88

DC08532EB134AD2AEA2994705DDAEFF156C7DD6F

3A10EC9DB282D82494DAE795ACF0DB44F8CF2E52BA69C06DBE87CAF759A9642F

49152:ED3htlXhg0po3+8IzCmuUrHnRkWi/HvFz/dgs9H2iN4NuaLRfnRgRcr7dCz8+HVT:E5Xh5KuVxuUrxI1z/zWi+YapBMztVm50

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

AutoIt loader has been detected (YARA)

LUMMA mutex has been found

Actions looks like stealing of personal data

LUMMA has been detected (SURICATA)

Steals credentials from Web Browsers

SUSPICIOUS

Reads security settings of Internet Explorer

Starts CMD.EXE for commands execution

Application launched itself

Using 'findstr.exe' to search for text patterns in files and output

Get information on the list of running processes

Executing commands from ".cmd" file

The executable file from the user directory is run by the CMD process

Starts application with an unusual extension

Starts the AutoIt3 executable file

Contacting a server suspected of hosting an CnC

INFO

Reads the computer name

Checks supported languages

Creates a new folder

Process checks computer location settings

Reads mouse settings

Reads the software policy settings

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings