File name:

DropCheats.exe

Full analysis: https://app.any.run/tasks/f2f6fce8-5a72-4660-8972-d5fcf940788e
Verdict: Malicious activity
Threats:

Lumma is an information stealer, developed using the C programming language. It is offered for sale as a malware-as-a-service, with several plans available. It usually targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malicious software regularly gets updates that improve and expand its functionality, making it a serious stealer threat.

Malware Trends Tracker     >>>
Analysis date: May 20, 2025, 03:23:54
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
autoit
telegram
lumma
stealer
autoit-loader
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5:

645482B4585D20DBFD43343A817C4583

SHA1:

A57520261DDE415BADB03EEE0EB59A68BA2F0CF0

SHA256:

840296B84636D6A6A2C26247583DE904FE4F6B15F8BECED0D664494020FBCACC

SSDEEP:

98304:zaRXQl9AGcBBcGUvcTegj6tmhM/ni/jDmS01U4G05q3L043Va:T

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Steals credentials from Web Browsers

      • Describes.com (PID: 8076)

    • AutoIt loader has been detected (YARA)

      • Describes.com (PID: 8076)

    • Actions looks like stealing of personal data

      • Describes.com (PID: 8076)

    • LUMMA mutex has been found

      • Describes.com (PID: 8076)

  • SUSPICIOUS

    • Starts CMD.EXE for commands execution

      • DropCheats.exe (PID: 7692)
      • cmd.exe (PID: 7736)

    • Application launched itself

      • cmd.exe (PID: 7736)

    • Get information on the list of running processes

      • cmd.exe (PID: 7736)

    • Reads security settings of Internet Explorer

      • DropCheats.exe (PID: 7692)

    • Executing commands from a ".bat" file

      • DropCheats.exe (PID: 7692)

    • Using 'findstr.exe' to search for text patterns in files and output

      • cmd.exe (PID: 7736)

    • Starts application with an unusual extension

      • cmd.exe (PID: 7736)

    • Starts the AutoIt3 executable file

      • cmd.exe (PID: 7736)

    • The executable file from the user directory is run by the CMD process

      • Describes.com (PID: 8076)

    • There is functionality for taking screenshot (YARA)

      • DropCheats.exe (PID: 7692)
      • Describes.com (PID: 8076)

    • Process communicates with Telegram (possibly using it as an attacker's C2 server)

      • Describes.com (PID: 8076)

    • Searches for installed software

      • Describes.com (PID: 8076)

  • INFO

    • Create files in a temporary directory

      • DropCheats.exe (PID: 7692)
      • extrac32.exe (PID: 8000)

    • Reads the computer name

      • DropCheats.exe (PID: 7692)
      • extrac32.exe (PID: 8000)
      • Describes.com (PID: 8076)

    • Checks supported languages

      • DropCheats.exe (PID: 7692)
      • extrac32.exe (PID: 8000)
      • Describes.com (PID: 8076)

    • Process checks computer location settings

      • DropCheats.exe (PID: 7692)

    • Creates a new folder

      • cmd.exe (PID: 7980)

    • Reads mouse settings

      • Describes.com (PID: 8076)

    • Reads the machine GUID from the registry

      • Describes.com (PID: 8076)

    • Reads the software policy settings

      • Describes.com (PID: 8076)
      • slui.exe (PID: 672)

    • Checks proxy server information

      • slui.exe (PID: 672)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2010:04:10 12:19:23+00:00
ImageFileCharacteristics: No relocs, Executable, 32-bit
PEType: PE32
LinkerVersion: 9
CodeSize: 25600
InitializedDataSize: 431104
UninitializedDataSize: 16896
EntryPoint: 0x33e9
OSVersion: 5
ImageVersion: 6
SubsystemVersion: 5
Subsystem: Windows GUI
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
134
Monitored processes
15
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start dropcheats.exe no specs cmd.exe no specs conhost.exe no specs tasklist.exe no specs findstr.exe no specs tasklist.exe no specs findstr.exe no specs cmd.exe no specs extrac32.exe no specs findstr.exe no specs cmd.exe no specs #LUMMA describes.com choice.exe no specs svchost.exe slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
672C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
2196C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
7692"C:\Users\admin\Desktop\DropCheats.exe" C:\Users\admin\Desktop\DropCheats.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\desktop\dropcheats.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
7736"C:\WINDOWS\System32\CMd.exe" /c copy Trains.aspx Trains.aspx.bat & Trains.aspx.batC:\Windows\SysWOW64\cmd.exeDropCheats.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
7744\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
7808tasklist C:\Windows\SysWOW64\tasklist.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Lists the current running tasks
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\tasklist.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
7816findstr /I "opssvc wrsa" C:\Windows\SysWOW64\findstr.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Find String (QGREP) Utility
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\findstr.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
7924tasklist C:\Windows\SysWOW64\tasklist.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Lists the current running tasks
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\tasklist.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
7932findstr "bdservicehost SophosHealth AvastUI AVGUI nsWscSvc ekrn" C:\Windows\SysWOW64\findstr.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Find String (QGREP) Utility
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\findstr.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
7980cmd /c md 567509C:\Windows\SysWOW64\cmd.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
Total events
7 289
Read events
7 289
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
20
Text files
3
Unknown types
0

Dropped files

PID
Process
Filename
Type
7692DropCheats.exeC:\Users\admin\AppData\Local\Temp\Brakes.aspxbinary
MD5:B79F9450524E8C37C57E95699D9F1CA1
SHA256:2FADB07D812E1700EAD3AA65E9B107BE2936DDD408BFD0E36BF40545988A6298
7692DropCheats.exeC:\Users\admin\AppData\Local\Temp\Outcomes.aspxbinary
MD5:DEEDDEFCFCBEFA64F4418F0AB37F7749
SHA256:834E9E9558EFD11D07571B68115CEBC136124E19D12A5466EDC2DA49442BAD56
7692DropCheats.exeC:\Users\admin\AppData\Local\Temp\Residents.aspxcompressed
MD5:7294D5B6D6F06EF130A5175E3E728E2A
SHA256:DF13F9962593D3B5F8FF1336C98A95752F322FB701059A4BEBDC939638125072
7692DropCheats.exeC:\Users\admin\AppData\Local\Temp\Latter.aspxbinary
MD5:4F20D7C0C8CE324ABCB6C44D05E2DE7F
SHA256:B65A52E3DDBADBB74BB927B1A613C438973C27C7F5CBF8A945736ED88F573E3B
8000extrac32.exeC:\Users\admin\AppData\Local\Temp\Athensbinary
MD5:D2DEA29DEF6419B1AC613E14D912F86A
SHA256:BB42B0523C37821ABDAD4E55C3E0E831E0EF6A6B4082A0740ADD4C85804BA2EF
8000extrac32.exeC:\Users\admin\AppData\Local\Temp\Wattsbinary
MD5:23161EF854DFB7764B13FA901A520F7A
SHA256:DD6E3E262C6A6A5D31AB00E72C093453D09D01EBB82363EA0A1F242E1DB24EED
8000extrac32.exeC:\Users\admin\AppData\Local\Temp\Thatbinary
MD5:6D62EC9CDC5F3C33D174EC5D383AB5A4
SHA256:CBA657FD5B3BA8E3056BDFD3E31BFAB179C726DFD7FB7BA23C5C7EEB77A7F881
8000extrac32.exeC:\Users\admin\AppData\Local\Temp\Kongbinary
MD5:96F4BF7BD55BEB6360332A993F8EAEE5
SHA256:90D8AF3A62E2EC1D273C06A76AEF9D7C8322A67253613AACA60F2C9F63BAE900
8000extrac32.exeC:\Users\admin\AppData\Local\Temp\Consolesbinary
MD5:3BACD6B5F4D88A831B225EEFC9F97181
SHA256:6E8CAE3ACF3B1583B136A965794C6DBC6F8E167F5708130D2A40EE5424BE234D
8000extrac32.exeC:\Users\admin\AppData\Local\Temp\Friendlybinary
MD5:BDD39812B37BF4FD41E792C15F6F7025
SHA256:7840FC8EF206BDC61791B5655424EBC9860BE11CC64B60B95DF84ADE4BBB1BF5
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
8
TCP/UDP connections
48
DNS requests
17
Threats
3

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2392
SIHClient.exe
GET
200
23.216.77.6:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
2392
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
2392
SIHClient.exe
GET
200
23.216.77.6:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl
unknown
whitelisted
2392
SIHClient.exe
GET
200
23.216.77.6:80
http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl
unknown
whitelisted
2392
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
2392
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
2392
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl
unknown
whitelisted
2392
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
192.168.100.255:137
whitelisted
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
3216
svchost.exe
172.211.123.248:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
2392
SIHClient.exe
172.202.163.200:443
slscr.update.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
GB
whitelisted
2392
SIHClient.exe
23.216.77.6:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
2392
SIHClient.exe
23.35.229.160:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
8076
Describes.com
149.154.167.99:443
t.me
Telegram Messenger Inc
GB
whitelisted
8076
Describes.com
172.67.222.194:443
narrathfpt.top
CLOUDFLARENET
US
unknown

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 20.73.194.208
whitelisted
google.com
  • 216.58.206.78
whitelisted
client.wns.windows.com
  • 172.211.123.248
whitelisted
vWsURrMLAPaGUY.vWsURrMLAPaGUY
unknown
slscr.update.microsoft.com
  • 172.202.163.200
whitelisted
crl.microsoft.com
  • 23.216.77.6
  • 23.216.77.28
whitelisted
www.microsoft.com
  • 23.35.229.160
whitelisted
t.me
  • 149.154.167.99
whitelisted
chainsimbb.run
unknown
narrathfpt.top
  • 172.67.222.194
  • 104.21.83.105
unknown

Threats

PID
Process
Class
Message
8076
Describes.com
Misc activity
ET INFO Observed Telegram Domain (t .me in TLS SNI)
2196
svchost.exe
Potentially Bad Traffic
ET DNS Query to a *.top domain - Likely Hostile
Potentially Bad Traffic
ET INFO HTTP Request to a *.top domain
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
DropCheats.exe