File name:

DropCheats.exe

Full analysis: https://app.any.run/tasks/f2f6fce8-5a72-4660-8972-d5fcf940788e
Verdict: Malicious activity
Threats:

Lumma is an information stealer, developed using the C programming language. It is offered for sale as a malware-as-a-service, with several plans available. It usually targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malicious software regularly gets updates that improve and expand its functionality, making it a serious stealer threat.

Malware Trends Tracker     >>>
Analysis date: May 20, 2025, 03:23:54
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
autoit
telegram
lumma
stealer
autoit-loader
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5:

645482B4585D20DBFD43343A817C4583

SHA1:

A57520261DDE415BADB03EEE0EB59A68BA2F0CF0

SHA256:

840296B84636D6A6A2C26247583DE904FE4F6B15F8BECED0D664494020FBCACC

SSDEEP:

98304:zaRXQl9AGcBBcGUvcTegj6tmhM/ni/jDmS01U4G05q3L043Va:T

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • AutoIt loader has been detected (YARA)

      • Describes.com (PID: 8076)

    • LUMMA mutex has been found

      • Describes.com (PID: 8076)

    • Steals credentials from Web Browsers

      • Describes.com (PID: 8076)

    • Actions looks like stealing of personal data

      • Describes.com (PID: 8076)

  • SUSPICIOUS

    • Executing commands from a ".bat" file

      • DropCheats.exe (PID: 7692)

    • Reads security settings of Internet Explorer

      • DropCheats.exe (PID: 7692)

    • Starts CMD.EXE for commands execution

      • cmd.exe (PID: 7736)
      • DropCheats.exe (PID: 7692)

    • The executable file from the user directory is run by the CMD process

      • Describes.com (PID: 8076)

    • Starts the AutoIt3 executable file

      • cmd.exe (PID: 7736)

    • There is functionality for taking screenshot (YARA)

      • DropCheats.exe (PID: 7692)
      • Describes.com (PID: 8076)

    • Starts application with an unusual extension

      • cmd.exe (PID: 7736)

    • Process communicates with Telegram (possibly using it as an attacker's C2 server)

      • Describes.com (PID: 8076)

    • Searches for installed software

      • Describes.com (PID: 8076)

    • Get information on the list of running processes

      • cmd.exe (PID: 7736)

    • Using 'findstr.exe' to search for text patterns in files and output

      • cmd.exe (PID: 7736)

    • Application launched itself

      • cmd.exe (PID: 7736)

  • INFO

    • Reads the computer name

      • DropCheats.exe (PID: 7692)
      • Describes.com (PID: 8076)
      • extrac32.exe (PID: 8000)

    • Create files in a temporary directory

      • DropCheats.exe (PID: 7692)
      • extrac32.exe (PID: 8000)

    • Checks supported languages

      • DropCheats.exe (PID: 7692)
      • extrac32.exe (PID: 8000)
      • Describes.com (PID: 8076)

    • Reads mouse settings

      • Describes.com (PID: 8076)

    • Reads the machine GUID from the registry

      • Describes.com (PID: 8076)

    • Creates a new folder

      • cmd.exe (PID: 7980)

    • Reads the software policy settings

      • Describes.com (PID: 8076)
      • slui.exe (PID: 672)

    • Checks proxy server information

      • slui.exe (PID: 672)

    • Process checks computer location settings

      • DropCheats.exe (PID: 7692)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2010:04:10 12:19:23+00:00
ImageFileCharacteristics: No relocs, Executable, 32-bit
PEType: PE32
LinkerVersion: 9
CodeSize: 25600
InitializedDataSize: 431104
UninitializedDataSize: 16896
EntryPoint: 0x33e9
OSVersion: 5
ImageVersion: 6
SubsystemVersion: 5
Subsystem: Windows GUI
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
134
Monitored processes
15
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start dropcheats.exe no specs cmd.exe no specs conhost.exe no specs tasklist.exe no specs findstr.exe no specs tasklist.exe no specs findstr.exe no specs cmd.exe no specs extrac32.exe no specs findstr.exe no specs cmd.exe no specs #LUMMA describes.com choice.exe no specs svchost.exe slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
672C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
2196C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
7692"C:\Users\admin\Desktop\DropCheats.exe" C:\Users\admin\Desktop\DropCheats.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\desktop\dropcheats.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
7736"C:\WINDOWS\System32\CMd.exe" /c copy Trains.aspx Trains.aspx.bat & Trains.aspx.batC:\Windows\SysWOW64\cmd.exeDropCheats.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
7744\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
7808tasklist C:\Windows\SysWOW64\tasklist.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Lists the current running tasks
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\tasklist.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
7816findstr /I "opssvc wrsa" C:\Windows\SysWOW64\findstr.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Find String (QGREP) Utility
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\findstr.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
7924tasklist C:\Windows\SysWOW64\tasklist.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Lists the current running tasks
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\tasklist.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
7932findstr "bdservicehost SophosHealth AvastUI AVGUI nsWscSvc ekrn" C:\Windows\SysWOW64\findstr.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Find String (QGREP) Utility
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\findstr.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
7980cmd /c md 567509C:\Windows\SysWOW64\cmd.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
Total events
7 289
Read events
7 289
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
20
Text files
3
Unknown types
0

Dropped files

PID
Process
Filename
Type
7692DropCheats.exeC:\Users\admin\AppData\Local\Temp\Tournament.aspxbinary
MD5:958A948A6A4CE4E30CB883DED686D5D7
SHA256:468F640D84EEDE1FEC20C6BD8BEB2A3BEF8D85F41F452A34C92F4CADA0859DFF
7692DropCheats.exeC:\Users\admin\AppData\Local\Temp\Rehab.aspxbinary
MD5:D1EA04CA0A798690B0B74DDEF29DBFFC
SHA256:F8516D6D5FEE62D525BC74D11AC6D604BA2226A170164931B8F7F337F28D7101
7692DropCheats.exeC:\Users\admin\AppData\Local\Temp\Offices.aspxbinary
MD5:944652EA308E0EA4809B924846A57121
SHA256:EDC03A1EB7F29A35F74E6170A6B39545357A2A05868BCE8A970823D4CB6CED41
7692DropCheats.exeC:\Users\admin\AppData\Local\Temp\Upgrading.aspxbinary
MD5:A89AAAB72C9432F2049D0E0CAD1006C0
SHA256:704E46F09953CE999F1296B1F59E1D3880B5745C9A126EE97464F43E318E86D8
7692DropCheats.exeC:\Users\admin\AppData\Local\Temp\Outcomes.aspxbinary
MD5:DEEDDEFCFCBEFA64F4418F0AB37F7749
SHA256:834E9E9558EFD11D07571B68115CEBC136124E19D12A5466EDC2DA49442BAD56
7692DropCheats.exeC:\Users\admin\AppData\Local\Temp\Carriers.aspxbinary
MD5:212166E482D27E824DECADAF9C5561D1
SHA256:7A04308297F36323E029C766D13111767BF694E30BB1BC416AF4CB69B84D6A3F
8000extrac32.exeC:\Users\admin\AppData\Local\Temp\Kongbinary
MD5:96F4BF7BD55BEB6360332A993F8EAEE5
SHA256:90D8AF3A62E2EC1D273C06A76AEF9D7C8322A67253613AACA60F2C9F63BAE900
8000extrac32.exeC:\Users\admin\AppData\Local\Temp\Frogbinary
MD5:CDEDD78802D1E011D275BC8102417D09
SHA256:AB0DDA81D6711A481B748456CBE1AA956C32FAF08E443AD14462CC0B1016E6B2
7736cmd.exeC:\Users\admin\AppData\Local\Temp\Trains.aspx.battext
MD5:CE549C06F1F70C873A8C8C28D0F2DA1A
SHA256:471C6224C217326F497D57442A74135DEDE1E825E9CC930B396103ADD4539C42
8000extrac32.exeC:\Users\admin\AppData\Local\Temp\Athensbinary
MD5:D2DEA29DEF6419B1AC613E14D912F86A
SHA256:BB42B0523C37821ABDAD4E55C3E0E831E0EF6A6B4082A0740ADD4C85804BA2EF
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
8
TCP/UDP connections
48
DNS requests
17
Threats
3

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2392
SIHClient.exe
GET
200
23.216.77.6:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
2392
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
2392
SIHClient.exe
GET
200
23.216.77.6:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl
unknown
whitelisted
2392
SIHClient.exe
GET
200
23.216.77.6:80
http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl
unknown
whitelisted
2392
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
2392
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
2392
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl
unknown
whitelisted
2392
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
192.168.100.255:137
whitelisted
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
3216
svchost.exe
172.211.123.248:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
2392
SIHClient.exe
172.202.163.200:443
slscr.update.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
GB
whitelisted
2392
SIHClient.exe
23.216.77.6:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
2392
SIHClient.exe
23.35.229.160:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
8076
Describes.com
149.154.167.99:443
t.me
Telegram Messenger Inc
GB
whitelisted
8076
Describes.com
172.67.222.194:443
narrathfpt.top
CLOUDFLARENET
US
unknown

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 20.73.194.208
whitelisted
google.com
  • 216.58.206.78
whitelisted
client.wns.windows.com
  • 172.211.123.248
whitelisted
vWsURrMLAPaGUY.vWsURrMLAPaGUY
unknown
slscr.update.microsoft.com
  • 172.202.163.200
whitelisted
crl.microsoft.com
  • 23.216.77.6
  • 23.216.77.28
whitelisted
www.microsoft.com
  • 23.35.229.160
whitelisted
t.me
  • 149.154.167.99
whitelisted
chainsimbb.run
unknown
narrathfpt.top
  • 172.67.222.194
  • 104.21.83.105
unknown

Threats

PID
Process
Class
Message
8076
Describes.com
Misc activity
ET INFO Observed Telegram Domain (t .me in TLS SNI)
2196
svchost.exe
Potentially Bad Traffic
ET DNS Query to a *.top domain - Likely Hostile
Potentially Bad Traffic
ET INFO HTTP Request to a *.top domain
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
DropCheats.exe