File name:	thepixelfarmpfcleanv51r2xforce11malwarenozeros.zip
Full analysis:	https://app.any.run/tasks/195881c7-761a-45b7-845b-edcc8765cb5e
Verdict:	Malicious activity
Threats:	Lumma is an information stealer, developed using the C programming language. It is offered for sale as a malware-as-a-service, with several plans available. It usually targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malicious software regularly gets updates that improve and expand its functionality, making it a serious stealer threat. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	May 19, 2025, 19:55:55
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	arch-exec autoit autoit-loader lumma stealer
Indicators:
MIME:	application/zip
File info:	Zip archive data, at least v2.0 to extract, compression method=deflate
MD5:	EB6146FB0FFD2CB9CCEC1E41B735CFAB
SHA1:	77B014CB9BF8B583AF6EA2AD1A812EDAB04A08DD
SHA256:	EC689732317E063910E3A7D5E8C1594CBC3A412EBE46B02DDED18FEDAA4C4B7C
SSDEEP:	98304:gkyDorkBV1SkhkpIXgjU/3/DC4gCMsHQKqB053o/jOVs4Bk8+O8XaytohR3FxlTK:SWMO9xS3gTTR/8v9dO1qnq7Rhi85f84L

ZipRequiredVersion:	20
ZipBitFlag:	-
ZipCompression:	Deflated
ZipModifyDate:	2025:05:19 15:20:34
ZipCRC:	0x28f0dd37
ZipCompressedSize:	19582000
ZipUncompressedSize:	31652912
ZipFileName:	the pixel farm pfclean v51r2 xforce 11.exe


(PID) Process:	(6816) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	3
Value: C:\Users\admin\Desktop\preferences.zip
(PID) Process:	(6816) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	2
Value: C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process:	(6816) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	1
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip
(PID) Process:	(6816) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\Desktop\thepixelfarmpfcleanv51r2xforce11malwarenozeros.zip
(PID) Process:	(6816) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(6816) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(6816) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(6816) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100
(PID) Process:	(6816) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\VirusScan
Operation:	write	Name:	DefScanner
Value: Windows Defender

PID	Process	Filename		Type
2852	the pixel farm pfclean v51r2 xforce 11.exe	C:\Users\admin\AppData\Local\Temp\Southeast.xlam		text
		MD5:65D49D511F33091EA6B2EEBF02D930A0	SHA256:DB592310308C45E9E658B823923A4D21B8E5ADB825480B3682560FDEC53DEB85
2852	the pixel farm pfclean v51r2 xforce 11.exe	C:\Users\admin\AppData\Local\Temp\Ballot.xlam		binary
		MD5:6E705BC42918BBEF76034272D57187D6	SHA256:DC1C9A60CBDA337EAF08DDC57319EDBDB6190068D9A90E4EF1F5302A26962F3F
2852	the pixel farm pfclean v51r2 xforce 11.exe	C:\Users\admin\AppData\Local\Temp\Lopez.xlam		binary
		MD5:538989B3D21D9B57A951C288D77E95FF	SHA256:3CCC96439D019635F2BF89EF5EA1BA0A0A1F8AF8EE6D0276D3D151AE493D3EA2
2852	the pixel farm pfclean v51r2 xforce 11.exe	C:\Users\admin\AppData\Local\Temp\Electric.xlam		binary
		MD5:9C7D4AB1EB8CCC11EA2B939FF2D645C0	SHA256:FA02407652553DB9ED08C2653DC4273660DA597C87FE9C375487EBEC714E9004
2852	the pixel farm pfclean v51r2 xforce 11.exe	C:\Users\admin\AppData\Local\Temp\Newton.xlam		binary
		MD5:AF59C96AF7C6A54E399FDF6FC972FB4A	SHA256:C8621CE407829C92AA4424BF70E33DAF854613B981F465369DE92FC94F76A817
1116	extrac32.exe	C:\Users\admin\AppData\Local\Temp\Dont		binary
		MD5:82F66347BF91C1A9D3D06BE6A4B4775F	SHA256:58CDFC9CB009E9E3DBFCFC08161F4C15230FCCADB329723FDB19B1DE542E6E50
2852	the pixel farm pfclean v51r2 xforce 11.exe	C:\Users\admin\AppData\Local\Temp\Construction.xlam		binary
		MD5:2CBF63B3C304DA9931CC573FFFDDA9A5	SHA256:811F39C07A1DC8539E8C76DFB5CA98E2026C381671585909BABEB5A542D309F9
1128	cmd.exe	C:\Users\admin\AppData\Local\Temp\Southeast.xlam.bat		text
		MD5:65D49D511F33091EA6B2EEBF02D930A0	SHA256:DB592310308C45E9E658B823923A4D21B8E5ADB825480B3682560FDEC53DEB85
2852	the pixel farm pfclean v51r2 xforce 11.exe	C:\Users\admin\AppData\Local\Temp\Lookup.xlam		binary
		MD5:9551BA3663FE456808D9ECA3A665DD86	SHA256:AF65453F571968DD36CD9F6FAEA7161212C2A25B69F8C564AB397CC42B08E18F
1116	extrac32.exe	C:\Users\admin\AppData\Local\Temp\Census		binary
		MD5:4858BCB014DC33BB307C376BC1E13988	SHA256:0BB9DB87ADD7781409D9E6D9D79992270155C05148CF86AB4E5DBA93F015ADB6

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
616	SIHClient.exe	GET	200	23.48.23.164:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
616	SIHClient.exe	GET	200	23.48.23.164:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl	unknown	—	—	whitelisted
616	SIHClient.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl	unknown	—	—	whitelisted
616	SIHClient.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl	unknown	—	—	whitelisted
616	SIHClient.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
616	SIHClient.exe	GET	200	23.48.23.164:80	http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl	unknown	—	—	whitelisted
616	SIHClient.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl	unknown	—	—	whitelisted
616	SIHClient.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl	unknown	—	—	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
—	—	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	172.211.123.248:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	FR	whitelisted
3216	svchost.exe	172.211.123.248:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	FR	whitelisted
616	SIHClient.exe	20.109.210.53:443	slscr.update.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
616	SIHClient.exe	23.48.23.164:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
616	SIHClient.exe	23.35.229.160:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
616	SIHClient.exe	13.95.31.18:443	fe3cr.delivery.mp.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	51.104.136.2 4.231.128.59	whitelisted
google.com	142.250.186.78	whitelisted
client.wns.windows.com	172.211.123.248	whitelisted
slscr.update.microsoft.com	20.109.210.53	whitelisted
crl.microsoft.com	23.48.23.164 23.48.23.143 23.48.23.194 23.48.23.150 23.48.23.147 23.48.23.158 23.48.23.140 23.48.23.141 23.48.23.138	whitelisted
www.microsoft.com	23.35.229.160	whitelisted
fe3cr.delivery.mp.microsoft.com	13.95.31.18	whitelisted
activation-v2.sls.microsoft.com	20.83.72.98	whitelisted
nexusrules.officeapps.live.com	52.111.227.14	whitelisted
mwiqoVQmMLqTYRxCcviaXKWDykqQy.mwiqoVQmMLqTYRxCcviaXKWDykqQy	—	unknown

General Info

thepixelfarmpfcleanv51r2xforce11malwarenozeros.zip

EB6146FB0FFD2CB9CCEC1E41B735CFAB

77B014CB9BF8B583AF6EA2AD1A812EDAB04A08DD

EC689732317E063910E3A7D5E8C1594CBC3A412EBE46B02DDED18FEDAA4C4B7C

98304:gkyDorkBV1SkhkpIXgjU/3/DC4gCMsHQKqB053o/jOVs4Bk8+O8XaytohR3FxlTK:SWMO9xS3gTTR/8v9dO1qnq7Rhi85f84L

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

AutoIt loader has been detected (YARA)

LUMMA mutex has been found

Steals credentials from Web Browsers

Actions looks like stealing of personal data

SUSPICIOUS

Starts CMD.EXE for commands execution

Executing commands from a ".bat" file

Get information on the list of running processes

Reads security settings of Internet Explorer

Using 'findstr.exe' to search for text patterns in files and output

Application launched itself

The executable file from the user directory is run by the CMD process

Starts the AutoIt3 executable file

Starts application with an unusual extension

There is functionality for taking screenshot (YARA)

Searches for installed software

INFO

Reads the computer name

Manual execution by a user

Checks supported languages

Create files in a temporary directory

Process checks computer location settings

Creates a new folder

Executable content was dropped or overwritten

Checks proxy server information

Reads the software policy settings

Reads the machine GUID from the registry

Reads mouse settings

Malware configuration

Static information

TRiD

EXIF

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings