File name: ?????.exe

Full analysis: https://app.any.run/tasks/b53b3ff3-7ee5-444a-8ed8-4e4df212cb7e
Verdict: Malicious activity
Threats:

Lumma is an information stealer, developed using the C programming language. It is offered for sale as a malware-as-a-service, with several plans available. It usually targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malicious software regularly gets updates that improve and expand its functionality, making it a serious stealer threat.

Analysis date: May 15, 2025, 15:26:36
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
autoit
telegram
lumma
stealer
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive, 5 sections
MD5: 7143D853C039A248687CD5A71D4234FB
SHA1: F787E69197B32F7730C51D3CEEE9FB155725B53D
SHA256: D1E594B6F6871D7ECF1BD6C68F7BAC0B35816ED161BD537A200366043E5FD8EC
SSDEEP: 49152:vOoVOCjcU5eB3spnKrXg2XviQsLnLYIxazu9rOdErEyqDpJpCf27jgo3X3/b3mDt:vOo4Cbwrw0mLYIxazu9XQDpJp8270o36

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • LUMMA mutex has been found

      • Google.com (PID: 7376)
    • Steals credentials from Web Browsers

      • Google.com (PID: 7376)
    • Actions look like stealing of personal data

      • Google.com (PID: 7376)
  • SUSPICIOUS

    • Executing commands from a ".bat" file

      • b53b3ff3-7ee5-444a-8ed8-4e4df212cb7e.exe (PID: 7472)
    • Starts CMD.EXE for commands execution

      • b53b3ff3-7ee5-444a-8ed8-4e4df212cb7e.exe (PID: 7472)
      • cmd.exe (PID: 7536)
    • Using 'findstr.exe' to search for text patterns in files and output

      • cmd.exe (PID: 7536)
    • Reads security settings of Internet Explorer

      • b53b3ff3-7ee5-444a-8ed8-4e4df212cb7e.exe (PID: 7472)
    • Get information on the list of running processes

      • cmd.exe (PID: 7536)
    • There is functionality for taking screenshot (YARA)

      • b53b3ff3-7ee5-444a-8ed8-4e4df212cb7e.exe (PID: 7472)
      • Google.com (PID: 7376)
    • Application launched itself

      • cmd.exe (PID: 7536)
    • Process communicates with Telegram (possibly using it as an attacker's C2 server)

      • Google.com (PID: 7376)
    • The executable file from the user directory is run by the CMD process

      • Google.com (PID: 7376)
    • Starts the AutoIt3 executable file

      • cmd.exe (PID: 7536)
    • Starts application with an unusual extension

      • cmd.exe (PID: 7536)
    • Searches for installed software

      • Google.com (PID: 7376)
  • INFO

    • Reads the computer name

      • b53b3ff3-7ee5-444a-8ed8-4e4df212cb7e.exe (PID: 7472)
      • Google.com (PID: 7376)
      • extrac32.exe (PID: 6620)
    • Checks supported languages

      • b53b3ff3-7ee5-444a-8ed8-4e4df212cb7e.exe (PID: 7472)
      • extrac32.exe (PID: 6620)
      • Google.com (PID: 7376)
    • Process checks computer location settings

      • b53b3ff3-7ee5-444a-8ed8-4e4df212cb7e.exe (PID: 7472)
    • Creates a new folder

      • cmd.exe (PID: 1276)
    • Reads the software policy settings

      • Google.com (PID: 7376)
      • slui.exe (PID: 7640)
    • Creates files in a temporary directory

      • b53b3ff3-7ee5-444a-8ed8-4e4df212cb7e.exe (PID: 7472)
      • extrac32.exe (PID: 6620)
    • Reads mouse settings

      • Google.com (PID: 7376)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2010:04:10 12:19:23+00:00
ImageFileCharacteristics: No relocs, Executable, 32-bit
PEType: PE32
LinkerVersion: 9
CodeSize: 25600
InitializedDataSize: 431104
UninitializedDataSize: 16896
EntryPoint: 0x33e9
OSVersion: 5
ImageVersion: 6
SubsystemVersion: 5
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes: 148
Monitored processes: 17
Malicious processes: 3
Suspicious processes: 0

Behavior graph

Process launch order, flattened from the interactive graph ("no specs" marks processes for which the report shows no further details; #LUMMA marks the process matched by the Lumma signature):

start -> b53b3ff3-7ee5-444a-8ed8-4e4df212cb7e.exe (no specs) -> cmd.exe (no specs) -> conhost.exe (no specs) -> sppextcomobj.exe (no specs) -> slui.exe -> tasklist.exe (no specs) -> findstr.exe (no specs) -> tasklist.exe (no specs) -> findstr.exe (no specs) -> cmd.exe (no specs) -> extrac32.exe (no specs) -> findstr.exe (no specs) -> cmd.exe (no specs) -> cmd.exe (no specs) -> #LUMMA google.com -> choice.exe (no specs) -> slui.exe (no specs)

Process information

Each entry gives PID, CMD (command line), Path (image on disk) and Parent process; the report's Indicators column is empty for every entry.

PID: 680
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 1276
CMD: cmd /c md 24831
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 4812
CMD: cmd /c copy /b 24831\Google.com + Pour + Sequence + Postage + Heroes + Syracuse + Dominican + Mph + Bukkake + Nsw + Transfers 24831\Google.com
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 5512
CMD: cmd /c copy /b ..\Anxiety.mid + ..\Casual.mid + ..\Brian.mid + ..\Tunes.mid + ..\Fold.mid + ..\Reserved.mid + ..\Using.mid I
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 6048
CMD: choice /d y /t 5
Path: C:\Windows\SysWOW64\choice.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Offers the user a choice
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\choice.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 6620
CMD: extrac32 /Y /E Lead.mid
Path: C:\Windows\SysWOW64\extrac32.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft® CAB File Extract Utility
Exit code:
0
Version:
5.00 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\extrac32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 7376
CMD: Google.com I
Path: C:\Users\admin\AppData\Local\Temp\24831\Google.com
Parent process: cmd.exe
User:
admin
Company:
AutoIt Team
Integrity Level:
MEDIUM
Description:
AutoIt v3 Script (Beta)
Version:
3, 3, 15, 5
Modules
Images
c:\users\admin\appdata\local\temp\24831\google.com
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\psapi.dll
PID: 7412
CMD: findstr /V "Works" Monica
Path: C:\Windows\SysWOW64\findstr.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Find String (QGREP) Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\findstr.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 7472
CMD: "C:\Users\admin\AppData\Local\Temp\b53b3ff3-7ee5-444a-8ed8-4e4df212cb7e.exe"
Path: C:\Users\admin\AppData\Local\Temp\b53b3ff3-7ee5-444a-8ed8-4e4df212cb7e.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\b53b3ff3-7ee5-444a-8ed8-4e4df212cb7e.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 7536
CMD: "C:\WINDOWS\System32\CMd.eXe" /c copy Biology.mid Biology.mid.bat & Biology.mid.bat
Path: C:\Windows\SysWOW64\cmd.exe (the System32 path in the command line is redirected to SysWOW64 because the 32-bit parent launched it)
Parent process: b53b3ff3-7ee5-444a-8ed8-4e4df212cb7e.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
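The process table above shows the staging chain behind the report's SUSPICIOUS signatures: the sample (PID 7472) writes *.mid fragments into %TEMP%, cmd.exe (PID 7536) copies Biology.mid to a .bat and runs it, findstr /V filters one fragment and extrac32 unpacks another, two copy /b commands reassemble the AutoIt3 interpreter as 24831\Google.com and the file I that is passed to it, and "Google.com I" (PID 7376) is the process that then talks to t.me. The Python below is an added example, not part of the ANY.RUN report or any vendor tool: it encodes those command-line patterns as detection rules and runs them over a constructed list of process-creation events shaped like Sysmon Event ID 1 (pid, ppid, image, command line, file-version Company string). The events are built from the command lines in this report plus one constructed benign copy; the rule names, the threshold of three distinct techniques per process tree, and the parent PIDs for the cmd.exe children (the report names their parent only as cmd.exe) are assumptions of the example.

```python
"""Flag the LOLBin staging chain from this report in process-creation events.

Added example, not part of the ANY.RUN report. EVENTS is constructed from the
command lines in the report's process table plus one made-up benign row; the
field names imitate Sysmon Event ID 1 and are an assumption of the example.
"""
import re
from collections import defaultdict

TEMP = r"C:\Users\admin\AppData\Local\Temp"
SAMPLE = "b53b3ff3-7ee5-444a-8ed8-4e4df212cb7e.exe"

# Constructed events. ppid 0 means "parent not in this list"; ppid 7536 for the
# cmd.exe children is an assumption (the report only names the parent as cmd.exe).
EVENTS = [
    dict(pid=7472, ppid=0, image=TEMP + "\\" + SAMPLE, company="",
         cmd='"' + TEMP + "\\" + SAMPLE + '"'),
    dict(pid=7536, ppid=7472, image=r"C:\Windows\SysWOW64\cmd.exe", company="Microsoft Corporation",
         cmd=r'"C:\WINDOWS\System32\CMd.eXe" /c copy Biology.mid Biology.mid.bat & Biology.mid.bat'),
    dict(pid=7412, ppid=7536, image=r"C:\Windows\SysWOW64\findstr.exe", company="Microsoft Corporation",
         cmd=r'findstr /V "Works" Monica'),
    dict(pid=6620, ppid=7536, image=r"C:\Windows\SysWOW64\extrac32.exe", company="Microsoft Corporation",
         cmd=r"extrac32 /Y /E Lead.mid"),
    dict(pid=1276, ppid=7536, image=r"C:\Windows\SysWOW64\cmd.exe", company="Microsoft Corporation",
         cmd=r"cmd /c md 24831"),
    dict(pid=4812, ppid=7536, image=r"C:\Windows\SysWOW64\cmd.exe", company="Microsoft Corporation",
         cmd=r"cmd /c copy /b 24831\Google.com + Pour + Sequence + Postage + Heroes + Syracuse + Dominican + Mph + Bukkake + Nsw + Transfers 24831\Google.com"),
    dict(pid=5512, ppid=7536, image=r"C:\Windows\SysWOW64\cmd.exe", company="Microsoft Corporation",
         cmd=r"cmd /c copy /b ..\Anxiety.mid + ..\Casual.mid + ..\Brian.mid + ..\Tunes.mid + ..\Fold.mid + ..\Reserved.mid + ..\Using.mid I"),
    dict(pid=7376, ppid=7536, image=TEMP + r"\24831\Google.com", company="AutoIt Team",
         cmd="Google.com I"),
    dict(pid=6048, ppid=7536, image=r"C:\Windows\SysWOW64\choice.exe", company="Microsoft Corporation",
         cmd=r"choice /d y /t 5"),
    # Benign control row (constructed): an ordinary copy in a script, no /b, no .bat.
    dict(pid=9001, ppid=0, image=r"C:\Windows\System32\cmd.exe", company="Microsoft Corporation",
         cmd=r"cmd /c copy report.txt backup\report.txt"),
]


def _no_cab_operand(cmd):
    """True when no token on the command line is named *.cab."""
    return not any(tok.lower().endswith(".cab") for tok in cmd.split())


# (rule name, predicate); each mirrors one command line or signature in the report.
RULES = [
    # copy X Y.bat & Y.bat : turn a dropped file into a batch script and run it
    ("copy_bat_then_run", lambda e: re.search(r"copy\s+\S+\s+(\S+\.bat)\s*&\s*\1", e["cmd"], re.I)),
    # copy /b a + b + c ... : binary reassembly of a split payload (3+ operands)
    ("binary_concat", lambda e: re.search(r"copy\s+/b\s+(?:\S+\s*\+\s*){3,}", e["cmd"], re.I)),
    # findstr /V "marker" file : drop marker lines to rebuild a file
    ("findstr_v_filter", lambda e: re.search(r'findstr\s+/V\s+"[^"]*"\s+\S+', e["cmd"], re.I)),
    # extrac32 run against something not named .cab
    ("extrac32_noncab", lambda e: re.search(r"\bextrac32\b", e["cmd"], re.I) and _no_cab_operand(e["cmd"])),
    # choice /d y /t N : a timed pause without sleep.exe
    ("choice_as_sleep", lambda e: re.search(r"choice\s+/d\s+\S+\s+/t\s+\d+", e["cmd"], re.I)),
    # a .com executed out of the user's Temp directory
    ("temp_com_exec", lambda e: re.search(r"\\appdata\\local\\temp\\.*\.com$", e["image"], re.I)),
    # AutoIt interpreter whose file name hides that fact
    ("renamed_autoit", lambda e: e["company"] == "AutoIt Team" and "autoit" not in e["image"].lower()),
]


def evaluate(events):
    """Return {'process': {pid: [rule names]}, 'tree': {root pid: set}, 'verdict': {root pid: str}}."""
    by_pid = {e["pid"]: e for e in events}

    def root_of(e):
        seen = set()
        while e["ppid"] in by_pid and e["pid"] not in seen:
            seen.add(e["pid"])
            e = by_pid[e["ppid"]]
        return e["pid"]

    process, tree = {}, defaultdict(set)
    for e in events:
        hits = [name for name, check in RULES if check(e)]
        process[e["pid"]] = hits
        tree[root_of(e)].update(hits)
    # One copy /b or one choice /t is normal in admin scripts; the combination is the signal.
    verdict = {root: ("staging-chain" if len(hits) >= 3 else "no-verdict") for root, hits in tree.items()}
    return {"process": process, "tree": dict(tree), "verdict": verdict}


if __name__ == "__main__":
    result = evaluate(EVENTS)
    for pid, hits in result["process"].items():
        print(pid, hits)
    print(result["verdict"])
```

Run as a script it prints the per-process rule hits and a verdict per process tree. In use, EVENTS would be replaced by the SIEM's process-creation stream; the per-tree aggregation is what separates this chain from an isolated copy /b or choice /t, both of which occur in legitimate scripts, and it is also why a root such as 7472 is flagged even though 7472's own command line matches nothing.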
Total events: 1 647
Read events: 1 647
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 0
Suspicious files: 20
Text files: 3
Unknown types: 0

Dropped files

PID | Process | Filename | Type (hashes on the following lines)

7472 | b53b3ff3-7ee5-444a-8ed8-4e4df212cb7e.exe | C:\Users\admin\AppData\Local\Temp\Using.mid | binary
  MD5: B9A7AF81787DA11B9D3B75D852C11C2A
  SHA256: 391F2E180BEB64F713DC1AEE1913D9C119CA294C3E1622B44635B52BB1C09245
7472 | b53b3ff3-7ee5-444a-8ed8-4e4df212cb7e.exe | C:\Users\admin\AppData\Local\Temp\Biology.mid | text
  MD5: 51C643CBDFCA245ACF34DDA92035443E
  SHA256: A218560AEE36CA21E961F55113BE5798071B102CECEDD7DD9867CF50DF49F07C
7472 | b53b3ff3-7ee5-444a-8ed8-4e4df212cb7e.exe | C:\Users\admin\AppData\Local\Temp\Anxiety.mid | binary
  MD5: 266307033AB9909D7CE39602CC2F8C8B
  SHA256: 19858410F38A3685F4B056FDE003BAA1DEB868AE4A77F96E54C215DAE8FB14FC
6620 | extrac32.exe | C:\Users\admin\AppData\Local\Temp\Pour | binary
  MD5: B949851CF0BECCEBF08A23D1AD0E1C78
  SHA256: 89324E410AD3036619BA6DA71C9309775558F751679F95BCBD3E193A3D8898AC
7472 | b53b3ff3-7ee5-444a-8ed8-4e4df212cb7e.exe | C:\Users\admin\AppData\Local\Temp\Tunes.mid | binary
  MD5: CB29AAC7D271D9BC5E8582F5B99F5ABD
  SHA256: 9461770707BC96748927E37D228063407F3BC976649038B2D0DC26782E1819A3
7472 | b53b3ff3-7ee5-444a-8ed8-4e4df212cb7e.exe | C:\Users\admin\AppData\Local\Temp\Fold.mid | binary
  MD5: B099303DEF92A49E62B312D479246090
  SHA256: 0C61C0D8BA4BE8E15C71636E63A26E65480452A67EC6422E5E987CFB65DE5DCA
7472 | b53b3ff3-7ee5-444a-8ed8-4e4df212cb7e.exe | C:\Users\admin\AppData\Local\Temp\Brian.mid | binary
  MD5: 61FD776C32F1146C6B17FC8615167442
  SHA256: FCEC8A0FBD0397833DB6FA7F95BED699B87E345D2574F74B286DBC6253EC357F
7536 | cmd.exe | C:\Users\admin\AppData\Local\Temp\Biology.mid.bat | text (same hashes as Biology.mid, i.e. a straight copy)
  MD5: 51C643CBDFCA245ACF34DDA92035443E
  SHA256: A218560AEE36CA21E961F55113BE5798071B102CECEDD7DD9867CF50DF49F07C
6620 | extrac32.exe | C:\Users\admin\AppData\Local\Temp\Bukkake | binary
  MD5: 890C821655AC088A22E237677D17E24D
  SHA256: 14A1204C6398704E2B384282C59E3C09D62FC670FC2C8DCC63FAD8B59D0E8A31
6620 | extrac32.exe | C:\Users\admin\AppData\Local\Temp\Dominican | binary
  MD5: C122F355ACAE2596CB3DB0CED86A2AB9
  SHA256: A459D92A302EDB077B9B40FDEA6EBE27B7CD697B9E27B3F0FA8976CE109C5409
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
5
TCP/UDP connections
27
DNS requests
18
Threats
1

HTTP requests

PID | Process | Method | HTTP code | IP | URL | CN | Reputation (the report's Type and Size columns are empty for every row)

5496 | MoUsoCoreWorker.exe | GET | 200 | 2.19.11.105:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
5496 | MoUsoCoreWorker.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
4120 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
6544 | svchost.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
4120 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | whitelisted

All of these plaintext HTTP requests are Windows CRL/OCSP background traffic; none comes from the sample's processes, whose only captured traffic is the TLS connection to t.me and the DNS lookups listed below.

Connections

PID | Process | IP | Domain | ASN | CN | Reputation ("-" where the report shows no value)

- | - | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
5496 | MoUsoCoreWorker.exe | 2.19.11.105:80 | crl.microsoft.com | Elisa Oyj | NL | whitelisted
5496 | MoUsoCoreWorker.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
3216 | svchost.exe | 172.211.123.248:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted
6544 | svchost.exe | 40.126.31.73:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
6544 | svchost.exe | 2.17.190.73:80 | ocsp.digicert.com | AKAMAI-AS | DE | whitelisted
2104 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
7376 | Google.com | 149.154.167.99:443 | t.me | Telegram Messenger Inc | GB | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 51.104.136.2
whitelisted
crl.microsoft.com
  • 2.19.11.105
  • 2.19.11.120
whitelisted
www.microsoft.com
  • 23.35.229.160
  • 184.30.21.171
whitelisted
google.com
  • 216.58.206.46
whitelisted
client.wns.windows.com
  • 172.211.123.248
whitelisted
login.live.com
  • 40.126.31.73
  • 20.190.159.73
  • 20.190.159.64
  • 20.190.159.68
  • 20.190.159.71
  • 40.126.31.131
  • 20.190.159.129
  • 20.190.159.4
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted
ScKtoWPvAe.ScKtoWPvAe
unknown
t.me
  • 149.154.167.99
whitelisted
jugulagklc.live
  • 104.21.112.1
  • 104.21.96.1
  • 104.21.48.1
  • 104.21.80.1
  • 104.21.16.1
  • 104.21.32.1
  • 104.21.64.1
unknown

Threats

PID | Process | Class | Message

7376 | Google.com | Misc activity | ET INFO Observed Telegram Domain (t .me in TLS SNI)
No debug info