File name:

lnstaIIer_x86.exe

Full analysis: https://app.any.run/tasks/4643f7b9-3b57-42b6-bced-682bae3198d9
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: April 29, 2025, 23:40:35
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
lumma
stealer
loader
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 12 sections
MD5:

BB620E74AE6FA833DE408F40A5BE72C8

SHA1:

57A23195BEBF8289FA43F111A377FE334D37E3D3

SHA256:

3E4063337F4511FC116C1D206E409E619508EF7708AD4C78BC360B21FA1110F6

SSDEEP:

49152:nFvdiyNcrDo+2GnuR/NlSDFecbSAGYSR2BH179X4pOeikhS4a3epupi:FFiyNcrDYG0l6Fe1eh9opXhOec

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • LUMMA has been detected (SURICATA)

      • svchost.exe (PID: 2196)

    • Connects to the CnC server

      • svchost.exe (PID: 2196)

    • LUMMA mutex has been found

      • MSBuild.exe (PID: 7660)

    • Actions looks like stealing of personal data

      • MSBuild.exe (PID: 7660)

    • Steals credentials from Web Browsers

      • MSBuild.exe (PID: 7660)

    • LUMMA has been detected (YARA)

      • MSBuild.exe (PID: 7660)

  • SUSPICIOUS

    • Starts a Microsoft application from unusual location

      • lnstaIIer_x86.exe (PID: 7628)

    • Process drops legitimate windows executable

      • lnstaIIer_x86.exe (PID: 7628)

    • Contacting a server suspected of hosting an CnC

      • svchost.exe (PID: 2196)

    • There is functionality for taking screenshot (YARA)

      • MSBuild.exe (PID: 7660)

    • Process requests binary or script from the Internet

      • MSBuild.exe (PID: 7660)

    • Connects to the server without a host name

      • MSBuild.exe (PID: 7660)

    • Searches for installed software

      • MSBuild.exe (PID: 7660)

  • INFO

    • The sample compiled with english language support

      • lnstaIIer_x86.exe (PID: 7628)

    • Checks supported languages

      • lnstaIIer_x86.exe (PID: 7628)
      • MSBuild.exe (PID: 7660)

    • Reads the computer name

      • MSBuild.exe (PID: 7660)

    • Reads the machine GUID from the registry

      • MSBuild.exe (PID: 7660)

    • Reads the software policy settings

      • MSBuild.exe (PID: 7660)
      • slui.exe (PID: 7220)

    • Checks proxy server information

      • slui.exe (PID: 7220)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Lumma

(PID) Process(7660) MSBuild.exe
C2 (9)parakehjet.run/kewk
buzzarddf.live/ktnt
zenithcorde.top/auid
bearjk.live/benj
techguidet.digital/apdo
techsyncq.run/riid
btcgeared.live/lbak
clarmodq.top/qoxo
fishgh.digital/tequ
No Malware configuration.

TRiD

.exe | Generic Win/DOS Executable (50)
.exe | DOS Executable Generic (49.9)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2025:04:28 16:26:11+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14
CodeSize: 892416
InitializedDataSize: 92160
UninitializedDataSize: -
EntryPoint: 0xb9d58
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 12.0.19041.1
ProductVersionNumber: 12.0.19041.1
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Microsoft Corporation
FileDescription: Microsoft Windows Media Player Setup Utility
FileVersion: 12.0.19041.1 (WinBuild.160101.0800)
InternalName: unregmp2.exe
LegalCopyright: © Microsoft Corporation. All rights reserved.
OriginalFileName: unregmp2.exe
ProductName: Microsoft® Windows® Operating System
ProductVersion: 12.0.19041.1
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
127
Monitored processes
4
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start lnstaiier_x86.exe no specs #LUMMA msbuild.exe #LUMMA svchost.exe slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
2196C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
7220C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
7628"C:\Users\admin\Desktop\lnstaIIer_x86.exe" C:\Users\admin\Desktop\lnstaIIer_x86.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Windows Media Player Setup Utility
Exit code:
0
Version:
12.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\users\admin\desktop\lnstaiier_x86.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\msvcrt.dll
7660"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
lnstaIIer_x86.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
MSBuild.exe
Version:
4.8.9037.0 built by: NET481REL1
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\msbuild.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shell32.dll
Lumma
(PID) Process(7660) MSBuild.exe
C2 (9)parakehjet.run/kewk
buzzarddf.live/ktnt
zenithcorde.top/auid
bearjk.live/benj
techguidet.digital/apdo
techsyncq.run/riid
btcgeared.live/lbak
clarmodq.top/qoxo
fishgh.digital/tequ
Total events
6 801
Read events
6 801
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

No data
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
44
TCP/UDP connections
53
DNS requests
18
Threats
7

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2104
svchost.exe
GET
200
23.216.77.6:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
2104
svchost.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
7660
MSBuild.exe
GET
185.215.113.51:80
http://185.215.113.51/conhost.exe
unknown
malicious
GET
304
172.202.163.200:443
https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL
unknown
POST
200
104.21.51.232:443
https://zenithcorde.top/auid
unknown
binary
68 b
malicious
POST
200
172.67.190.162:443
https://zenithcorde.top/auid
unknown
binary
32.7 Kb
malicious
POST
200
104.21.51.232:443
https://zenithcorde.top/auid
unknown
binary
68 b
malicious
POST
200
172.67.190.162:443
https://zenithcorde.top/auid
unknown
binary
68 b
malicious
POST
400
40.126.32.136:443
https://login.live.com/ppsecure/deviceaddcredential.srf
unknown
text
203 b
whitelisted
POST
200
104.21.51.232:443
https://zenithcorde.top/auid
unknown
binary
68 b
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2104
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2104
svchost.exe
23.216.77.6:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
2104
svchost.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
6544
svchost.exe
20.190.160.67:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
7660
MSBuild.exe
172.67.190.162:443
zenithcorde.top
CLOUDFLARENET
US
malicious
2104
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 51.124.78.146
  • 4.231.128.59
whitelisted
google.com
  • 142.250.185.110
whitelisted
crl.microsoft.com
  • 23.216.77.6
  • 23.216.77.28
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
login.live.com
  • 20.190.160.67
  • 20.190.160.17
  • 40.126.32.76
  • 20.190.160.64
  • 40.126.32.133
  • 20.190.160.131
  • 20.190.160.4
  • 40.126.32.136
whitelisted
clarmodq.top
malicious
zenithcorde.top
  • 172.67.190.162
  • 104.21.51.232
malicious
slscr.update.microsoft.com
  • 172.202.163.200
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 52.165.164.15
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted

Threats

PID
Process
Class
Message
A Network Trojan was detected
MALWARE [ANY.RUN] Suspected Domain Associated with Malware Distribution (zenithcorde .top)
A Network Trojan was detected
MALWARE [ANY.RUN] Suspected Domain Associated with Malware Distribution (clarmodq .top)
Potentially Bad Traffic
ET DNS Query to a *.top domain - Likely Hostile
Domain Observed Used for C2 Detected
ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (clarmodq .top)
Potentially Bad Traffic
ET INFO HTTP Request to a *.top domain
Misc Attack
ET DROP Spamhaus DROP Listed Traffic Inbound group 33
Potentially Bad Traffic
ET INFO Executable Download from dotted-quad Host
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
lnstaIIer_x86.exe