File name:	Computer32.exe
Full analysis:	https://app.any.run/tasks/5536c787-6dc1-407e-9441-8cb7bb0533f7
Verdict:	Malicious activity
Threats:	Lumma is an information stealer, developed using the C programming language. It is offered for sale as a malware-as-a-service, with several plans available. It usually targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malicious software regularly gets updates that improve and expand its functionality, making it a serious stealer threat. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	June 01, 2025, 11:02:13
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	discord python lumma stealer
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32+ executable (console) x86-64, for MS Windows, 7 sections
MD5:	6B1E15C1AF201DF2185CF0BA9B927832
SHA1:	A89002C4555A28FE761A84783BE8D91C4E498152
SHA256:	A9DA31D5C92E14751C3A976B654CCBB24091CBC0242BD17352251A30CDFCDD61
SSDEEP:	98304:k/0CeAb/ncfRkzKVfq7AnYRO4Y6ZhkDQet54netUjZUj0vB+kzK/7ueSnKHdFG1n:bvfkfxXwE1MUr881mwU/kiG7k5+G

.exe	\|	Win64 Executable (generic) (87.3)
.exe	\|	Generic Win/DOS Executable (6.3)
.exe	\|	DOS Executable Generic (6.3)

MachineType:	AMD AMD64
TimeStamp:	2025:06:01 10:46:28+00:00
ImageFileCharacteristics:	Executable, Large address aware
PEType:	PE32+
LinkerVersion:	14.43
CodeSize:	178688
InitializedDataSize:	153600
UninitializedDataSize:	-
EntryPoint:	0xc380
OSVersion:	6
ImageVersion:	-
SubsystemVersion:	6
Subsystem:	Windows command line


(PID) Process:	(5404) firefox.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Mozilla\Firefox\DllPrefetchExperiment
Operation:	write	Name:	C:\Program Files\Mozilla Firefox\firefox.exe
Value: 0
(PID) Process:	(5404) firefox.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Operation:	write	Name:	NodeSlots
Value: 02020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202
(PID) Process:	(5404) firefox.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Operation:	write	Name:	MRUListEx
Value: 04000000030000000E00000000000000100000000F0000000C0000000D0000000B000000050000000A000000090000000800000001000000070000000600000002000000FFFFFFFF
(PID) Process:	(5404) firefox.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\4
Operation:	write	Name:	MRUListEx
Value: 010000000000000004000000050000000200000003000000FFFFFFFF
(PID) Process:	(5404) firefox.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\34\Shell
Operation:	write	Name:	SniffedFolderType
Value: Generic
(PID) Process:	(5404) firefox.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation:	write	Name:	GlobalAssocChangedCounter
Value: 114
(PID) Process:	(5404) firefox.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\NavPane
Operation:	write	Name:	ExpandedState
Value: 12000000160014001F80CB859F6720028040B29B5540CC05AAB60000010000004D0000001C00000031535053A66A63283D95D211B5D600C04FD918D0000000002D00000031535053357EC777E31B5043A48C7563D727776D1100000002000000000B000000FFFF00000000000000000000160014001F60983FFBB4EAC18D42A78AD1F5659CBA930000010000004D0000001C00000031535053A66A63283D95D211B5D600C04FD918D0000000002D00000031535053357EC777E31B5043A48C7563D727776D1100000002000000000B000000FFFF00000000000000000000160014001F7840F05F6481501B109F0800AA002F954E0000010000004D0000001C00000031535053A66A63283D95D211B5D600C04FD918D0000000002D00000031535053357EC777E31B5043A48C7563D727776D1100000002000000000B000000000000000000000000000000160014001F706806EE260AA0D7449371BEB064C986830000010000004D0000001C00000031535053A66A63283D95D211B5D600C04FD918D0000000002D00000031535053357EC777E31B5043A48C7563D727776D1100000002000000000B000000FFFF00000000000000000000160014001F580D1A2CF021BE504388B07367FC96EF3C0000010000004D0000001C00000031535053A66A63283D95D211B5D600C04FD918D0000000002D00000031535053357EC777E31B5043A48C7563D727776D1100000002000000000B000000000000000000000000000000160014001F5425481E03947BC34DB131E946B44C8DD50000010000004D0000001C00000031535053A66A63283D95D211B5D600C04FD918D0000000002D00000031535053357EC777E31B5043A48C7563D727776D1100000002000000000B000000000000000000000000000000160014001F50E04FD020EA3A6910A2D808002B30309D0000010000004D0000001C00000031535053A66A63283D95D211B5D600C04FD918D0000000002D00000031535053357EC777E31B5043A48C7563D727776D1100000002000000000B000000FFFF000000000000000000003C003A001F44471A0359723FA74489C55595FE6B30EE260001002600EFBE1000000034E9025AA9B7D80155EC262BAAB7D8018F3827B5B0B7D80114000000010000004D0000001C00000031535053A66A63283D95D211B5D600C04FD918D0000000002D00000031535053357EC777E31B5043A48C7563D727776D1100000002000000000B000000FFFF000000000000000000003C003A001F42665C8D01334507439B53224DE2ED1FE6260001002600EFBE11000000A1C1E0E0AF27D301F77F6305B0B7D8019F22F307B0B7D80114000000010000004D0000001C00000031535053A66A63283D95D211B5D600C04FD918D0000000002D00000031535053357EC777E31B5043A48C7563D727776D1100000002000000000B000000000000000000000000000000940092003200000080004658D1892000474F4F474C457E312E5A49500000760009000400EFBE4658D1894658D1892E000000F55D05000000090000000000000000000000000000001F47700047006F006F0067006C0065004300680072006F006D00650045006E0074006500720070007200690073006500420075006E0064006C006500360034002E007A006900700000001C000000010000004D0000001C00000031535053A66A63283D95D211B5D600C04FD918D0000000002D00000031535053357EC777E31B5043A48C7563D727776D1100000002000000000B0000000000000000000000000000005C005A00320099030000F2588C582000657874312E7A69700000420009000400EFBEF2588C58F2588C582E000000A70D00000000160000000000000000000000000000003A91F90065007800740031002E007A0069007000000018000000010000004D0000001C00000031535053A66A63283D95D211B5D600C04FD918D0000000002D00000031535053357EC777E31B5043A48C7563D727776D1100000002000000000B00000000000000000000000000000050004E00310000000000F258CE5810006578743100003A0009000400EFBEF258CE58F258CE582E000000DE0200000000170000000000000000000000000000001CB7E9006500780074003100000014000000010000004D0000001C00000031535053A66A63283D95D211B5D600C04FD918D0000000002D00000031535053357EC777E31B5043A48C7563D727776D1100000002000000000B000000FFFF000000000000000000006E006C0032001EEC0500F258826620005052454645527E312E5A49500000500009000400EFBEF2588266F25882662E00000028D4000000001900000000000000000000000000000005A1250050007200650066006500720065006E006300650073002E007A006900700000001C000000010000004D0000001C00000031535053A66A63283D95D211B5D600C04FD918D0000000002D00000031535053357EC777E31B5043A48C7563D727776D1100000002000000000B0000000000000000000000000000005800560032007E0D0000F258866620006578742E7A697000400009000400EFBEF2588666F25886662E0000002AD4000000001E0000000000000000000000000000005498DF006500780074002E007A0069007000000016000000010000004D0000001C00000031535053A66A63283D95D211B5D600C04FD918D0000000002D00000031535053357EC777E31B5043A48C7563D727776D1100000002000000000B00000000000000000000000000000062006000310000000000F2588D6610005052454645527E310000480009000400EFBEF2588D66F2588F662E0000002E2F0100000017000000000000000000000000000000CF57130150007200650066006500720065006E00630065007300000018000000010000004D0000001C00000031535053A66A63283D95D211B5D600C04FD918D0000000002D00000031535053357EC777E31B5043A48C7563D727776D1100000002000000000B0000000000000000000000000000004C004A00310000000000F2589066100065787400380009000400EFBEF2589066F25890662E000000E88D0100000007000000000000000000000000000000DE8B4100650078007400000012000000010000004D0000001C00000031535053A66A63283D95D211B5D600C04FD918D0000000002D00000031535053357EC777E31B5043A48C7563D727776D1100000002000000000B000000000000000000000000000000780076003200C1862C03F258957920004F4D4E495F327E312E5A495000005A0009000400EFBEF258E578F25895792E0000007C600500000039000000000000000000000000000000DE6FED006F006D006E0069005F00320033005F00310030005F0032003000320034005F002E007A006900700000001C000000010000004D0000001C00000031535053A66A63283D95D211B5D600C04FD918D0000000002D00000031535053357EC777E31B5043A48C7563D727776D1100000002000000000B00000000000000000000000000000070006E0032007E0D0000F2587B7920004348524F4D497E312E5A49500000520009000400EFBEF2587B79F2587B792E000000C260050000001800000000000000000000000000000028F586006300680072006F006D00690075006D005F006500780074002E007A006900700000001C000000010000004D0000001C00000031535053A66A63283D95D211B5D600C04FD918D0000000002D00000031535053357EC777E31B5043A48C7563D727776D1100000002000000000B000000000000000000000000000000
(PID) Process:	(5404) firefox.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU\exe
Operation:	write	Name:	2
Value: 14001F50E04FD020EA3A6910A2D808002B30309D14002E803ACCBFB42CDB4C42B0297FE99A87C6416A0032002F07DE00C15A4B582000434F4D5055547E312E45584500004E0009000400EFBEC15A4B58C15A4B582E000000E25D050000000D0000000000000000000000000000003B0C770043006F006D0070007500740065007200330032002E0065007800650000001C000000
(PID) Process:	(5404) firefox.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU\exe
Operation:	write	Name:	MRUListEx
Value: 020000000100000000000000FFFFFFFF
(PID) Process:	(5404) firefox.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU\*
Operation:	write	Name:	8
Value: 14001F50E04FD020EA3A6910A2D808002B30309D14002E803ACCBFB42CDB4C42B0297FE99A87C6416A0032002F07DE00C15A4B582000434F4D5055547E312E45584500004E0009000400EFBEC15A4B58C15A4B582E000000E25D050000000D0000000000000000000000000000003B0C770043006F006D0070007500740065007200330032002E0065007800650000001C000000

PID	Process	Filename		Type
7232	Computer32.exe	C:\Users\admin\AppData\Local\Temp\_MEI72322\_asyncio.pyd		executable
		MD5:56F958EEBBC62305B4BF690D61C78E28	SHA256:50631361EF074BE42D788818AF91D0301D22FA24A970F41F496D8272B92CFE31
7232	Computer32.exe	C:\Users\admin\AppData\Local\Temp\_MEI72322\_bz2.pyd		executable
		MD5:684D656AADA9F7D74F5A5BDCF16D0EDB	SHA256:A5DFB4A663DEF3D2276B88866F6D220F6D30CC777B5D841CF6DBB15C6858017C
7232	Computer32.exe	C:\Users\admin\AppData\Local\Temp\_MEI72322\VCRUNTIME140.dll		executable
		MD5:32DA96115C9D783A0769312C0482A62D	SHA256:8B10C53241726B0ACC9F513157E67FCB01C166FEC69E5E38CA6AADA8F9A3619F
7232	Computer32.exe	C:\Users\admin\AppData\Local\Temp\_MEI72322\VCRUNTIME140_1.dll		executable
		MD5:C0C0B4C611561F94798B62EB43097722	SHA256:497A280550443E3E9F89E428E51CB795139CA8944D5DEDD54A7083C00E7164E5
7232	Computer32.exe	C:\Users\admin\AppData\Local\Temp\_MEI72322\_hashlib.pyd		executable
		MD5:3E540EF568215561590DF215801B0F59	SHA256:0ED7A6ED080499BC6C29D7113485A8A61BDBA93087B010FCA67D9B8289CBE6FA
7232	Computer32.exe	C:\Users\admin\AppData\Local\Temp\_MEI72322\_lzma.pyd		executable
		MD5:D63E2E743EA103626D33B3C1D882F419	SHA256:7C2D2030D5D246739C5D85F087FCF404BC36E1815E69A8AC7C9541267734FC28
7232	Computer32.exe	C:\Users\admin\AppData\Local\Temp\_MEI72322\_ssl.pyd		executable
		MD5:689F1ABAC772C9E4C2D3BAD3758CB398	SHA256:D3A89AA7E4A1DF1151632A8A5CAF338C4DDDB674EC093BFDBC122ADC9DB28A97
7232	Computer32.exe	C:\Users\admin\AppData\Local\Temp\_MEI72322\_queue.pyd		executable
		MD5:CC0F4A77CCFE39EFC8019FA8B74C06D0	SHA256:DEE7D19A9FCAB0DF043DC56F2CDC32F1A2A968AB229679B38B378C61CA0CBA53
7232	Computer32.exe	C:\Users\admin\AppData\Local\Temp\_MEI72322\_ctypes.pyd		executable
		MD5:29873384E13B0A78EE9857604161514B	SHA256:3CC8500A958CC125809B0467930EBCCE88A09DCC0CEDD7A45FACF3E332F7DB33
7232	Computer32.exe	C:\Users\admin\AppData\Local\Temp\_MEI72322\_decimal.pyd		executable
		MD5:21FCB8E3D4310346A5DC1A216E7E23CA	SHA256:9A0E05274CAD8D90F6BA6BC594261B36BFBDDF4F5CA6846B6367FE6A4E2FDCE4

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	200	2.16.168.114:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
5404	firefox.exe	GET	200	34.107.221.82:80	http://detectportal.firefox.com/canonical.html	unknown	—	—	whitelisted
—	—	GET	200	184.25.206.92:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	POST	200	151.101.67.19:443	https://spocs.getpocket.com/spocs	unknown	binary	18.5 Kb	whitelisted
—	—	GET	200	151.101.67.19:443	https://contile.services.mozilla.com/v1/tiles	unknown	binary	5.05 Kb	whitelisted
—	—	GET	200	34.160.144.191:443	https://content-signature-2.cdn.mozilla.net/chains/remote-settings.content-signature.mozilla.org-2024-03-20-10-07-03.chain	unknown	text	5.23 Kb	whitelisted
—	—	GET	200	142.250.185.138:443	https://safebrowsing.googleapis.com/v4/threatListUpdates:fetch?$ct=application/x-protobuf&key=AIzaSyC7jsptDS3am4tPx4r3nxis7IMjBc5Dovo&$httpMethod=POST&$req=ChUKE25hdmNsaWVudC1hdXRvLWZmb3gaJwgFEAEaGwoNCAUQBhgBIgMwMDEwARD31RUaAhgJ1ShmESICIAIoARonCAEQARobCg0IARAGGAEiAzAwMTABEJz_DRoCGAnWZvpiIgIgAigBGicIAxABGhsKDQgDEAYYASIDMDAxMAEQpPYNGgIYCRiY-6YiAiACKAEaJwgHEAEaGwoNCAcQBhgBIgMwMDEwARDLxQ4aAhgJeFtrxyICIAIoARolCAkQARoZCg0ICRAGGAEiAzAwMTABECMaAhgJi9M7nSICIAIoAQ==	unknown	binary	6.43 Mb	whitelisted
—	—	GET	101	34.107.243.93:443	https://push.services.mozilla.com/	unknown	—	—	—
—	—	GET	200	34.149.100.209:443	https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/ms-language-packs/records/cfr-v1-en-US	unknown	binary	330 b	whitelisted
—	—	GET	200	151.101.195.19:443	https://ads-img.mozilla.org/v1/images?image_data=Cj0KO2h0dHBzOi8vYW1wLWFzc2V0LjQ1dHUxYzAuY29tL2Fzc2V0cy8xMDA5LzE1MjEyMjgwODcxNzYuanBnEiAV36GGy4uG4Kc3hcPXsQNe08loM62OgGAgcMju8zD3jQ	unknown	image	9.76 Kb	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
—	—	2.16.168.114:80	crl.microsoft.com	Akamai International B.V.	RU	whitelisted
—	—	184.25.206.92:80	www.microsoft.com	AKAMAI-AS	US	whitelisted
7288	Computer32.exe	162.159.138.232:443	discord.com	CLOUDFLARENET	—	whitelisted
4200	Computer32.exe	162.159.138.232:443	discord.com	CLOUDFLARENET	—	whitelisted
5404	firefox.exe	34.107.221.82:80	detectportal.firefox.com	GOOGLE	US	whitelisted
5404	firefox.exe	34.36.137.203:443	contile.services.mozilla.com	GOOGLE-CLOUD-PLATFORM	US	whitelisted
5404	firefox.exe	34.160.144.191:443	content-signature-2.cdn.mozilla.net	GOOGLE	US	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	40.127.240.158	whitelisted
google.com	172.217.18.14	whitelisted
crl.microsoft.com	2.16.168.114 2.16.168.124	whitelisted
www.microsoft.com	184.25.206.92	whitelisted
discord.com	162.159.138.232 162.159.135.232 162.159.137.232 162.159.136.232 162.159.128.233	whitelisted
detectportal.firefox.com	34.107.221.82	whitelisted
prod.detectportal.prod.cloudops.mozgcp.net	34.107.221.82 2600:1901:0:38d7::	whitelisted
contile.services.mozilla.com	34.36.137.203	whitelisted
spocs.getpocket.com	34.36.137.203	whitelisted
mc.prod.ads.prod.webservices.mozgcp.net	34.36.137.203	whitelisted

PID	Process	Class	Message
2196	svchost.exe	Misc activity	ET INFO Observed Discord Domain in DNS Lookup (discord .com)
7288	Computer32.exe	Misc activity	ET INFO Observed Discord Domain (discord .com in TLS SNI)
7288	Computer32.exe	Misc activity	ET INFO Observed Discord Service Domain (discord .com) in TLS SNI
2196	svchost.exe	Misc activity	ET INFO Discord Chat Service Domain in DNS Lookup (discord .com)
4200	Computer32.exe	Misc activity	ET INFO Observed Discord Domain (discord .com in TLS SNI)
4200	Computer32.exe	Misc activity	ET INFO Observed Discord Service Domain (discord .com) in TLS SNI
2196	svchost.exe	Domain Observed Used for C2 Detected	STEALER [ANY.RUN] Suspected Lumma domain by CrossDomain (uncoverit .org)
2196	svchost.exe	Domain Observed Used for C2 Detected	STEALER [ANY.RUN] Suspected Lumma domain by CrossDomain (uncoverit .org)
2196	svchost.exe	Domain Observed Used for C2 Detected	STEALER [ANY.RUN] Suspected Lumma domain by CrossDomain (uncoverit .org)
—	—	Misc activity	ET INFO Generic HTTP EXE Upload Outbound

General Info

Computer32.exe

6B1E15C1AF201DF2185CF0BA9B927832

A89002C4555A28FE761A84783BE8D91C4E498152

A9DA31D5C92E14751C3A976B654CCBB24091CBC0242BD17352251A30CDFCDD61

98304:k/0CeAb/ncfRkzKVfq7AnYRO4Y6ZhkDQet54netUjZUj0vB+kzK/7ueSnKHdFG1n:bvfkfxXwE1MUr881mwU/kiG7k5+G

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

LUMMA has been detected (SURICATA)

Stealers network behavior

SUSPICIOUS

The process drops C-runtime libraries

Process drops legitimate windows executable

Process drops python dynamic module

Application launched itself

Executable content was dropped or overwritten

Loads Python modules

Contacting a server suspected of hosting an CnC

INFO

Checks supported languages

The sample compiled with english language support

Reads the computer name

Create files in a temporary directory

Checks proxy server information

Manual execution by a user

Attempting to use instant messaging service

Application launched itself

Reads the software policy settings

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings