File name: lnstaII.exe

Full analysis: https://app.any.run/tasks/373005e8-cf9b-4402-ab9c-e993392cef61
Verdict: Malicious activity
Threats:

Lumma is an information stealer, developed using the C programming language. It is offered for sale as a malware-as-a-service, with several plans available. It usually targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malicious software regularly gets updates that improve and expand its functionality, making it a serious stealer threat.

Analysis date: April 29, 2025, 02:18:27
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: delphi, inno, installer, telegram, lumma, stealer
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 10 sections
MD5: E073F51731466D9369C908FB1271B415
SHA1: 8D3C67A4136F3F4CC0B86DDEB0DF5AFAF37A24D6
SHA256: 44F3FCAF50C792E553ED637729EEE34E859ED0ADD6DFFEE072A4C91F3B6E193A
SSDEEP: 98304:6+QqZ8fZKS8zAPxjG9RpuYrL/t/7ietyw+69crPWoSK3fokvCxsL5jFTtHVz5X6a:Tdwe8kUmnpfT+eQK4YuVtFHUjX

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • LUMMA mutex has been found
      • ENConfig.exe (PID: 7728)
    • Actions looks like stealing of personal data
      • ENConfig.exe (PID: 7728)
    • Executing a file with an untrusted certificate
      • ENConfig.exe (PID: 7728)
  • SUSPICIOUS
    • Executable content was dropped or overwritten
      • lnstaII.exe (PID: 7508)
      • lnstaII.tmp (PID: 7528)
      • lnstaII.exe (PID: 7564)
      • lnstaII.tmp (PID: 7592)
    • Reads the Windows owner or organization settings
      • lnstaII.tmp (PID: 7528)
      • lnstaII.tmp (PID: 7592)
    • Reads security settings of Internet Explorer
      • lnstaII.tmp (PID: 7528)
    • Process communicates with Telegram (possibly using it as an attacker's C2 server)
      • ENConfig.exe (PID: 7728)
    • Process drops legitimate windows executable
      • lnstaII.tmp (PID: 7592)
    • Searches for installed software
      • ENConfig.exe (PID: 7728)
  • INFO
    • Checks supported languages
      • lnstaII.exe (PID: 7508)
      • lnstaII.tmp (PID: 7528)
      • lnstaII.exe (PID: 7564)
      • lnstaII.tmp (PID: 7592)
      • ENConfig.exe (PID: 7728)
    • Create files in a temporary directory
      • lnstaII.exe (PID: 7508)
      • lnstaII.tmp (PID: 7528)
      • lnstaII.exe (PID: 7564)
      • lnstaII.tmp (PID: 7592)
    • Reads the computer name
      • lnstaII.tmp (PID: 7528)
      • lnstaII.tmp (PID: 7592)
      • ENConfig.exe (PID: 7728)
    • Process checks computer location settings
      • lnstaII.tmp (PID: 7528)
    • Detects InnoSetup installer (YARA)
      • lnstaII.exe (PID: 7564)
      • lnstaII.tmp (PID: 7592)
    • Compiled with Borland Delphi (YARA)
      • lnstaII.exe (PID: 7564)
      • lnstaII.tmp (PID: 7592)
    • The sample compiled with english language support
      • lnstaII.tmp (PID: 7592)
    • Creates files or folders in the user directory
      • lnstaII.tmp (PID: 7592)
    • Reads the software policy settings
      • ENConfig.exe (PID: 7728)
      • slui.exe (PID: 8064)
    • Attempting to use instant messaging service
      • ENConfig.exe (PID: 7728)
    • Reads the machine GUID from the registry
      • ENConfig.exe (PID: 7728)
    • Checks proxy server information
      • slui.exe (PID: 8064)
No Malware configuration.

TRiD

.exe | Inno Setup installer (39.4)
.exe | Win32 EXE PECompact compressed (generic) (14.9)
.exe | Win32 Executable (generic) (1.6)
.exe | Win16/32 Executable Delphi generic (0.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2020:09:13 09:00:51+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 741376
InitializedDataSize: 80896
UninitializedDataSize: -
EntryPoint: 0xb5eec
OSVersion: 6.1
ImageVersion: 6
SubsystemVersion: 6.1
Subsystem: Windows GUI
FileVersionNumber: 2.0.1.1
ProductVersionNumber: 2.0.1.1
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: This installation was built with Inno Setup.
CompanyName: Seiko Epson Corporation
FileDescription: EpsonNet Config
FileVersion: 2.0.1.1
LegalCopyright: ENConfig
OriginalFileName: ENConfig.exe
ProductName: ENConfig
ProductVersion: 2.0.1.1
No data.
Total processes: 129
Monitored processes: 6
Malicious processes: 4
Suspicious processes: 1

Behavior graph

Process nodes: start, lnstaii.exe, lnstaii.tmp, lnstaii.exe, lnstaii.tmp, enconfig.exe (#LUMMA), slui.exe

Process information

PID | CMD | Path | Parent process
PID: 7508
CMD: "C:\Users\admin\Desktop\lnstaII.exe"
Path: C:\Users\admin\Desktop\lnstaII.exe
Parent process: explorer.exe
User: admin
Company: Seiko Epson Corporation
Integrity Level: MEDIUM
Description: EpsonNet Config
Exit code: 1
Version: 2.0.1.1
Modules (images):
c:\users\admin\desktop\lnstaii.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 7528
CMD: "C:\Users\admin\AppData\Local\Temp\is-VOGRD.tmp\lnstaII.tmp" /SL5="$80352,13930909,823296,C:\Users\admin\Desktop\lnstaII.exe"
Path: C:\Users\admin\AppData\Local\Temp\is-VOGRD.tmp\lnstaII.tmp
Parent process: lnstaII.exe
User: admin
Integrity Level: MEDIUM
Exit code: 1
Modules (images):
c:\users\admin\appdata\local\temp\is-vogrd.tmp\lnstaii.tmp
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\comdlg32.dll
PID: 7564
CMD: "C:\Users\admin\Desktop\lnstaII.exe" /VERYSILENT
Path: C:\Users\admin\Desktop\lnstaII.exe
Parent process: lnstaII.tmp
User: admin
Company: Seiko Epson Corporation
Integrity Level: MEDIUM
Description: EpsonNet Config
Exit code: 0
Version: 2.0.1.1
Modules (images):
c:\users\admin\desktop\lnstaii.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 7592
CMD: "C:\Users\admin\AppData\Local\Temp\is-AIL5P.tmp\lnstaII.tmp" /SL5="$90352,13930909,823296,C:\Users\admin\Desktop\lnstaII.exe" /VERYSILENT
Path: C:\Users\admin\AppData\Local\Temp\is-AIL5P.tmp\lnstaII.tmp
Parent process: lnstaII.exe
User: admin
Company: Seiko Epson Corporation
Integrity Level: MEDIUM
Description: Setup/Uninstall
Exit code: 0
Version: 51.1052.0.0
Modules (images):
c:\users\admin\appdata\local\temp\is-ail5p.tmp\lnstaii.tmp
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\comdlg32.dll
PID: 7728
CMD: "C:\Users\admin\AppData\Roaming\{9026D7E2-C04A-4A5C-830D-5C78CFA216E8}\ENConfig.exe"
Path: C:\Users\admin\AppData\Roaming\{9026D7E2-C04A-4A5C-830D-5C78CFA216E8}\ENConfig.exe
Parent process: lnstaII.tmp
User: admin
Company: Seiko Epson Corporation
Integrity Level: MEDIUM
Description: EpsonNet Config
Version: 4, 9, 3, 2100
Modules (images):
c:\users\admin\appdata\roaming\{9026d7e2-c04a-4a5c-830d-5c78cfa216e8}\enconfig.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\psapi.dll
PID: 8064
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events: 7 141
Read events: 7 141
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 72
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

PID | Process | Filename | Type
7592 | lnstaII.tmp | C:\Users\admin\AppData\Roaming\{9026D7E2-C04A-4A5C-830D-5C78CFA216E8}\dynamiclinkui.dll | executable
    MD5: 1E8030AA264522F0D9B4CABD6787807F
    SHA256: 0B31C371CA1247A8D5451752D17DB277FA3C73A2D85FE0C6ECBB817A3A9A7CC5
7528 | lnstaII.tmp | C:\Users\admin\AppData\Local\Temp\is-45913.tmp\_isetup\_isdecmp.dll | executable
    MD5: 077CB4461A2767383B317EB0C50F5F13
    SHA256: 8287D0E287A66EE78537C8D1D98E426562B95C50F569B92CEA9CE36A9FA57E64
7528 | lnstaII.tmp | C:\Users\admin\AppData\Local\Temp\is-45913.tmp\_isetup\_setup64.tmp | executable
    MD5: E4211D6D009757C078A9FAC7FF4F03D4
    SHA256: 388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
7592 | lnstaII.tmp | C:\Users\admin\AppData\Local\Temp\is-0C27E.tmp\_isetup\_setup64.tmp | executable
    MD5: E4211D6D009757C078A9FAC7FF4F03D4
    SHA256: 388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
7592 | lnstaII.tmp | C:\Users\admin\AppData\Local\Temp\is-0C27E.tmp\_isetup\_isdecmp.dll | executable
    MD5: 077CB4461A2767383B317EB0C50F5F13
    SHA256: 8287D0E287A66EE78537C8D1D98E426562B95C50F569B92CEA9CE36A9FA57E64
7592 | lnstaII.tmp | C:\Users\admin\AppData\Local\Temp\is-0C27E.tmp\_isetup\_iscrypt.dll | executable
    MD5: A69559718AB506675E907FE49DEB71E9
    SHA256: 2F6294F9AA09F59A574B5DCD33BE54E16B39377984F3D5658CDA44950FA0F8FC
7592 | lnstaII.tmp | C:\Users\admin\AppData\Roaming\{9026D7E2-C04A-4A5C-830D-5C78CFA216E8}\ConcurrencyCheck.dll | executable
    MD5: AE4A03A70AC76E06B414F2DF064DDE25
    SHA256: 4920A82964D82E0895FA851BA391F9766E01852B56CB6BEA0D25071A5C232AA9
7592 | lnstaII.tmp | C:\Users\admin\AppData\Roaming\{9026D7E2-C04A-4A5C-830D-5C78CFA216E8}\FileTracker32.dll | executable
    MD5: 4CD3430043E10D0393F9E209BA31CD31
    SHA256: AE6353A1A7F46CABD775A6DBC1F1DFAAC7FBC30DAFB0F2AFE86B7285231A1B28
7508 | lnstaII.exe | C:\Users\admin\AppData\Local\Temp\is-VOGRD.tmp\lnstaII.tmp | executable
    MD5: CDC8306E8553022B16582A1B9C5665CC
    SHA256: 8C167745BB095F4D5CD027F63D45C6602E02884EA8199B799C4B31703DB279B6
7592 | lnstaII.tmp | C:\Users\admin\AppData\Roaming\{9026D7E2-C04A-4A5C-830D-5C78CFA216E8}\is-GLNJM.tmp | executable
    MD5: 0A459886E1584024676898D073808059
    SHA256: 6AABB0C5B7B5B04E6DFEF398CEF35AF3D9E18A6AB302794FA9F113F91380E3D7
HTTP(S) requests: 12
TCP/UDP connections: 27
DNS requests: 7
Threats: 1

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2656 | RUXIMICS.exe | GET | 200 | 2.16.164.49:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
2656 | RUXIMICS.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | POST | 200 | 104.21.63.147:443 | https://jumpxer.run/pogai | unknown | binary | 70 b | unknown
- | - | POST | 200 | 104.21.63.147:443 | https://jumpxer.run/pogai | unknown | binary | 70 b | unknown
- | - | POST | 200 | 172.67.147.29:443 | https://jumpxer.run/pogai | unknown | binary | 70 b | unknown
- | - | POST | 200 | 172.67.147.29:443 | https://jumpxer.run/pogai | unknown | binary | 70 b | unknown
- | - | POST | 200 | 104.21.63.147:443 | https://jumpxer.run/pogai | unknown | binary | 32.7 Kb | unknown
- | - | POST | 200 | 172.67.147.29:443 | https://jumpxer.run/pogai | unknown | binary | 70 b | unknown
- | - | GET | 200 | 149.154.167.99:443 | https://t.me/asdccscasaa333t23f | unknown | html | 12.1 Kb | whitelisted
- | - | POST | 200 | 104.21.63.147:443 | https://jumpxer.run/pogai | unknown | binary | 10.7 Kb | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2656 | RUXIMICS.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
- | - | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
2656 | RUXIMICS.exe | 2.16.164.49:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted
2656 | RUXIMICS.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
7728 | ENConfig.exe | 149.154.167.99:443 | t.me | Telegram Messenger Inc | GB | whitelisted
7728 | ENConfig.exe | 104.21.63.147:443 | jumpxer.run | CLOUDFLARENET | - | unknown
7216 | slui.exe | 40.91.76.224:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
8064 | slui.exe | 40.91.76.224:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 51.124.78.146 | whitelisted
google.com | 172.217.16.206 | whitelisted
crl.microsoft.com | 2.16.164.49, 2.16.164.120 | whitelisted
www.microsoft.com | 95.101.149.131 | whitelisted
t.me | 149.154.167.99 | whitelisted
jumpxer.run | 104.21.63.147, 172.67.147.29 | unknown
activation-v2.sls.microsoft.com | 40.91.76.224 | whitelisted

Threats

PID | Process | Class | Message
7728 | ENConfig.exe | Misc activity | ET INFO Observed Telegram Domain (t .me in TLS SNI)
No debug info