File name:	setup.exe
Full analysis:	https://app.any.run/tasks/bec4264b-85b0-4b22-a08e-e53209101eaf
Verdict:	Malicious activity
Threats:	Lumma is an information stealer, developed using the C programming language. It is offered for sale as a malware-as-a-service, with several plans available. It usually targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malicious software regularly gets updates that improve and expand its functionality, making it a serious stealer threat. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	May 10, 2025, 23:51:58
OS:	Windows 11 Professional (build: 22000, 64 bit)
Tags:	autoit stealer lumma autoit-loader
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive, 5 sections
MD5:	CA3E492EBD940233FFF9FC4E0E76A891
SHA1:	4F31FD884013868B6F32EB26DF365A7CE872918E
SHA256:	03B139C2D7EB566155C820059DD90FE815F813E5644BA8199BC4F01B4FA921AC
SSDEEP:	49152:WS/4cXuY4UNEepwW7alYrvFPUgyQJa2FWO/rujfVDbdhx82k/SjUW/KAKgaIzgPN:z4SLalYDFPUgyrkB/uRh8Sj1KJgaIzuH

.exe	\|	Win32 Executable MS Visual C++ (generic) (42.2)
.exe	\|	Win64 Executable (generic) (37.3)
.dll	\|	Win32 Dynamic Link Library (generic) (8.8)
.exe	\|	Win32 Executable (generic) (6)
.exe	\|	Generic Win/DOS Executable (2.7)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2010:04:10 12:19:23+00:00
ImageFileCharacteristics:	No relocs, Executable, 32-bit
PEType:	PE32
LinkerVersion:	9
CodeSize:	25600
InitializedDataSize:	431104
UninitializedDataSize:	16896
EntryPoint:	0x33e9
OSVersion:	5
ImageVersion:	6
SubsystemVersion:	5
Subsystem:	Windows GUI


(PID) Process:	(1616) setup.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(1616) setup.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1
(PID) Process:	(1616) setup.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 1
(PID) Process:	(1616) setup.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 0

PID	Process	Filename		Type
1616	setup.exe	C:\Users\admin\AppData\Local\Temp\Ul.vsdx		text
		MD5:77CDF4B521683D0917BD9B78D9AF7DD9	SHA256:EAB32B59C501FA143A93E166B23185ABF6EA952E5F390354B3D4002D1FE1947B
1616	setup.exe	C:\Users\admin\AppData\Local\Temp\Fiction.vsdx		binary
		MD5:FC4277C3DD4C3DBF1D0330AE0F3ADF27	SHA256:189F3B1FCE47DDD1A4AF4123DB002C6E99AA83B6E84960DF6EBF2B8A2DCEFA09
1616	setup.exe	C:\Users\admin\AppData\Local\Temp\English.vsdx		binary
		MD5:A84506E6303CF868C06719AC260922A6	SHA256:12C424C6BB0DCE749CCE178E0F6042EE553F67AF8EEF6E30F6AAA0638B3321E0
1616	setup.exe	C:\Users\admin\AppData\Local\Temp\Productions.vsdx		binary
		MD5:BAD93116B7517329ADF5983F699AF283	SHA256:AA76F40285D1FE78740210A999EDB4C76F5E359E8149091A331C7E28CDA1C83F
1616	setup.exe	C:\Users\admin\AppData\Local\Temp\Ability.vsdx		binary
		MD5:F63E79DAC28BBEB0EE41082B7CC58F09	SHA256:E557C93BF020A2C31C159489E30453B5560955D46A13144B2746A6FEB5180279
1616	setup.exe	C:\Users\admin\AppData\Local\Temp\Portland.vsdx		binary
		MD5:486E5F1262784019F4F3505C38A584D0	SHA256:FF628E89823F2E8C0724446D19C2274A7C8E320728B2CF451B08FD2BBC674038
5176	extrac32.exe	C:\Users\admin\AppData\Local\Temp\Concerns		binary
		MD5:78168E40CB1452CF834DD1137593025B	SHA256:1D7E086F1425BB5981B119B93545E28ADAA16D7F9C735654B272F2C7D87E06DB
1616	setup.exe	C:\Users\admin\AppData\Local\Temp\Enclosed.vsdx		compressed
		MD5:62F5433E864A092382778DB50D695B24	SHA256:1EEBA50572B8211F8D0093DDE7AD0B50212DFBADF25DACEB7155835BA5487846
1616	setup.exe	C:\Users\admin\AppData\Local\Temp\Gis.vsdx		binary
		MD5:775B0FC0B8809B371EB9AE81C918F303	SHA256:09EBA05368CEEB05C3A50D0D2AC6739974D95846071EC773626DF0896537846C
5176	extrac32.exe	C:\Users\admin\AppData\Local\Temp\Facility		binary
		MD5:6F1211E99F2B43F77C3A45B305558E36	SHA256:1EE4B5B0C738955633EBA86A1D970CA32E2FC3EC4F0660956F6A8D4D6B7AA861

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
1352	svchost.exe	GET	200	88.221.110.216:80	http://www.msftconnecttest.com/connecttest.txt	unknown	—	—	whitelisted
2768	svchost.exe	GET	200	199.232.214.172:80	http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?4c1c53e3976db8c9	unknown	—	—	whitelisted
2768	svchost.exe	GET	200	199.232.214.172:80	http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab?98835d2fbe5f2dfa	unknown	—	—	whitelisted
3640	svchost.exe	GET	200	199.232.214.172:80	http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?e9f723a4a1e59b1b	unknown	—	—	whitelisted
2768	svchost.exe	GET	200	199.232.214.172:80	http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab?0cde1ba27ffa6121	unknown	—	—	whitelisted
2768	svchost.exe	GET	200	199.232.214.172:80	http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?e8295883656f7dad	unknown	—	—	whitelisted
—	—	POST	200	104.21.61.66:443	https://aigjmr.digital/xaf	unknown	binary	10.7 Kb	unknown
—	—	POST	200	20.190.160.67:443	https://login.live.com/RST2.srf	unknown	xml	11.1 Kb	whitelisted
—	—	POST	200	172.67.206.243:443	https://aigjmr.digital/xaf	unknown	binary	70 b	unknown
—	—	POST	200	20.190.160.67:443	https://login.live.com/RST2.srf	unknown	xml	11.1 Kb	whitelisted

Domain	IP	Reputation
google.com	216.58.206.46	whitelisted
login.live.com	40.126.31.129 20.190.159.68 40.126.31.130 20.190.159.23 20.190.159.64 20.190.159.73 20.190.159.129 40.126.31.128 20.190.159.131 40.126.31.3 40.126.31.131 20.190.159.4	whitelisted
ctldl.windowsupdate.com	199.232.214.172 199.232.210.172	whitelisted
settings-win.data.microsoft.com	40.127.240.158	whitelisted
checkappexec.microsoft.com	98.64.238.3	whitelisted
kMocBwQIQuslkcFlACcjh.kMocBwQIQuslkcFlACcjh	—	unknown
aigjmr.digital	104.21.61.66 172.67.206.243	unknown
fs.microsoft.com	2.16.185.191	whitelisted
self.events.data.microsoft.com	40.79.141.153	whitelisted

PID	Process	Class	Message
1352	svchost.exe	Misc activity	ET INFO Microsoft Connection Test
—	—	Generic Protocol Command Decode	SURICATA HTTP Request unrecognized authorization method

PID	Process	IP	Domain	ASN	CN	Reputation
1352	svchost.exe	88.221.110.216:80	—	Akamai International B.V.	DE	unknown
3640	svchost.exe	40.126.31.129:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
3640	svchost.exe	199.232.214.172:80	ctldl.windowsupdate.com	FASTLY	US	whitelisted
3528	MoUsoCoreWorker.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
5268	smartscreen.exe	98.64.238.3:443	checkappexec.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
3028	Warriors.com	104.21.61.66:443	aigjmr.digital	CLOUDFLARENET	—	unknown
3952	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
2336	svchost.exe	2.16.185.191:443	fs.microsoft.com	AKAMAI-AS	DE	whitelisted
2768	svchost.exe	199.232.214.172:80	ctldl.windowsupdate.com	FASTLY	US	whitelisted
2988	OfficeClickToRun.exe	40.79.141.153:443	self.events.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	FR	whitelisted

General Info

setup.exe

CA3E492EBD940233FFF9FC4E0E76A891

4F31FD884013868B6F32EB26DF365A7CE872918E

03B139C2D7EB566155C820059DD90FE815F813E5644BA8199BC4F01B4FA921AC

49152:WS/4cXuY4UNEepwW7alYrvFPUgyQJa2FWO/rujfVDbdhx82k/SjUW/KAKgaIzgPN:z4SLalYDFPUgyrkB/uRh8Sj1KJgaIzuH

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Executing a file with an untrusted certificate

LUMMA mutex has been found

Steals credentials from Web Browsers

Actions looks like stealing of personal data

AutoIt loader has been detected (YARA)

SUSPICIOUS

Reads the Internet Settings

Starts CMD.EXE for commands execution

Reads security settings of Internet Explorer

Get information on the list of running processes

Application launched itself

Executing commands from a ".bat" file

Starts the AutoIt3 executable file

Using 'findstr.exe' to search for text patterns in files and output

Starts application with an unusual extension

The executable file from the user directory is run by the CMD process

Reads settings of System Certificates

Searches for installed software

There is functionality for taking screenshot (YARA)

INFO

Create files in a temporary directory

Checks supported languages

Reads the computer name

Creates a new folder

Reads mouse settings

Reads the machine GUID from the registry

Reads the software policy settings

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings