File name:	_9022822d6fec2947acbca51a9509c18293ecd1538ede58bd8a8f20ab60060cc2.exe
Full analysis:	https://app.any.run/tasks/eb1ef873-3e09-4404-9d91-3f116c665854
Verdict:	Malicious activity
Threats:	Lumma is an information stealer, developed using the C programming language. It is offered for sale as a malware-as-a-service, with several plans available. It usually targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malicious software regularly gets updates that improve and expand its functionality, making it a serious stealer threat. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	April 07, 2026, 06:05:20
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	lumma stealer exploit
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 7 sections
MD5:	1740031C54455EAEE3C3DADB66FD3935
SHA1:	CD96D5B9B70D77C7755ECC20FBBA6E030D9E5C96
SHA256:	9022822D6FEC2947ACBCA51A9509C18293ECD1538EDE58BD8A8F20AB60060CC2
SSDEEP:	49152:qzKN8L45uBBIwXKvzDmbxi5EmqOglt/zrGj+LfiOl8P2goT+k99eu+VJ:xa45Bw05EfOgn+jHOl8PO9W

.exe	\|	Win32 Executable MS Visual C++ (generic) (42.2)
.exe	\|	Win64 Executable (generic) (37.3)
.dll	\|	Win32 Dynamic Link Library (generic) (8.8)
.exe	\|	Win32 Executable (generic) (6)
.exe	\|	Generic Win/DOS Executable (2.7)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	0000:00:00 00:00:00
ImageFileCharacteristics:	Executable, 32-bit
PEType:	PE32
LinkerVersion:	3
CodeSize:	483840
InitializedDataSize:	31744
UninitializedDataSize:	-
EntryPoint:	0x67a20
OSVersion:	6.1
ImageVersion:	1
SubsystemVersion:	6.1
Subsystem:	Windows GUI


(PID) Process:	(2392) slui.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\MuiCache\3d\52C64B7E
Operation:	write	Name:	@%SystemRoot%\System32\sppcomapi.dll,-3200
Value: Software Licensing
(PID) Process:	(6424) mshta.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(6424) mshta.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(6424) mshta.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:
(PID) Process:	(6424) mshta.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Styles
Operation:	write	Name:	MaxScriptStatements
Value: 10000000
(PID) Process:	(6384) BaseZipInstaller.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\BaseZipInstaller_RASAPI32
Operation:	write	Name:	EnableFileTracing
Value: 0
(PID) Process:	(6384) BaseZipInstaller.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\BaseZipInstaller_RASAPI32
Operation:	write	Name:	EnableAutoFileTracing
Value: 0
(PID) Process:	(6384) BaseZipInstaller.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\BaseZipInstaller_RASAPI32
Operation:	write	Name:	EnableConsoleTracing
Value: 0
(PID) Process:	(6384) BaseZipInstaller.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\BaseZipInstaller_RASAPI32
Operation:	write	Name:	FileTracingMask
Value:
(PID) Process:	(6384) BaseZipInstaller.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\BaseZipInstaller_RASAPI32
Operation:	write	Name:	ConsoleTracingMask
Value:

PID	Process	Filename		Type
6384	BaseZipInstaller.exe	C:\Users\admin\AppData\Local\Packages\Extensions\147BC60418E616589EDB8734717C06316F057ADA30822AF120E1EB925F8B5DB3\icons\icon16.png.tmp		binary
		MD5:B755666049D03DCF47CBB04DE0F6E59D	SHA256:EBB4C471FE56D27FE5914A15AA058A8C21ED13DC853321141F22975FF14CE579
6424	mshta.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\Quantum_Backup_Home_380[1].js		binary
		MD5:13556FE53407E946CE7D8FC737AD1122	SHA256:AB466A562908C87DD279F23470A2887E4A171509E81670671DDB11B593526710
6424	mshta.exe	C:\Users\admin\BaseZipInstaller\BaseZipInstaller.exe		binary
		MD5:F9D569A71E1C49F9452B7131326F8639	SHA256:2735E12030C195FB5454E4736C51B55B59664B93CAE9F4BD5317AFCD9C2AF0BF
6424	mshta.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms		binary
		MD5:2B0583A458B4927F867162A928BD38F5	SHA256:75A173E96226D2323BA697FAF915DA50C05F437863A8A5650F746974F6377179
5304	curl.exe	C:\Users\admin\BaseZipInstaller.zip		binary
		MD5:1D9EE15C3B4343C6630F7BCB7E48DBD3	SHA256:4D069F2A1BA77523E1B0D1F89CA289E9BA7DD9549C425011447D64C3C3BECB50
6384	BaseZipInstaller.exe	C:\Users\admin\AppData\Local\Packages\Extensions\147BC60418E616589EDB8734717C06316F057ADA30822AF120E1EB925F8B5DB3\config\settings.js		binary
		MD5:5290D62F76319A3D026B7387A53E0D45	SHA256:46F26DA42DBE2CA8E0A79DBF75B2B9AD825FE659166873F911E70B6B4C77F413
6384	BaseZipInstaller.exe	C:\Users\admin\AppData\Local\Packages\Extensions\147BC60418E616589EDB8734717C06316F057ADA30822AF120E1EB925F8B5DB3\config\settings.js.tmp		binary
		MD5:5290D62F76319A3D026B7387A53E0D45	SHA256:46F26DA42DBE2CA8E0A79DBF75B2B9AD825FE659166873F911E70B6B4C77F413
6384	BaseZipInstaller.exe	C:\Users\admin\AppData\Local\Packages\Extensions\147BC60418E616589EDB8734717C06316F057ADA30822AF120E1EB925F8B5DB3\icons\icon128.png.tmp		binary
		MD5:82F6710D5808AC189A405601142E6BF8	SHA256:99FD6A36ABBD6818AA0818EE056D6FA2C0100F288D8AF3F671E41065CF261553
6384	BaseZipInstaller.exe	C:\Users\admin\AppData\Local\Packages\Extensions\147BC60418E616589EDB8734717C06316F057ADA30822AF120E1EB925F8B5DB3\icons\icon16.png		binary
		MD5:B755666049D03DCF47CBB04DE0F6E59D	SHA256:EBB4C471FE56D27FE5914A15AA058A8C21ED13DC853321141F22975FF14CE579
6384	BaseZipInstaller.exe	C:\Users\admin\AppData\Local\Packages\Extensions\147BC60418E616589EDB8734717C06316F057ADA30822AF120E1EB925F8B5DB3\icons\icon48.png		binary
		MD5:4577209CFA3F8543C795EEB2530E9FE0	SHA256:2DBB36E4C4F84C6F42115163F0CF8ABFB60D3DE38DC2514D7E859E547874A67B

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5276	MoUsoCoreWorker.exe	GET	304	52.183.220.149:443	https://settings-win.data.microsoft.com/settings/v3.0/wsd/muse?ProcessorClockSpeed=3094&FlightIds=&UpdateOfferedDays=4294967295&BranchReadinessLevel=CB&OEMManufacturerName=DELL&IsCloudDomainJoined=0&ProcessorIdentifier=AMD64%20Family%2023%20Model%201%20Stepping%202&sku=48&ActivationChannel=Retail&AttrDataVer=186&IsMDMEnrolled=0&ProcessorCores=6&ProcessorModel=AMD%20Ryzen%205%203500%206-Core%20Processor&TotalPhysicalRAM=6144&PrimaryDiskType=4294967295&FlightingBranchName=&ChassisTypeId=1&OEMModelNumber=DELL&SystemVolumeTotalCapacity=260281&sampleId=95271487&deviceClass=Windows.Desktop&App=muse&DisableDualScan=0&AppVer=10.0&OEMSubModel=J5CR&locale=en-US&IsAlwaysOnAlwaysConnectedCapable=0&ms=0&DefaultUserRegion=244&UpdateServiceUrl=http%3A%2F%2Fneverupdatewindows10.com&osVer=10.0.19045.4046.amd64fre.vb_release.191206-1406&os=windows&deviceId=s%3ABAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&DeferQualityUpdatePeriodInDays=0&ring=Retail&DeferFeatureUpdatePeriodInDays=30	US	—	—	whitelisted
5276	MoUsoCoreWorker.exe	GET	200	88.221.169.152:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	US	binary	814 b	whitelisted
6148	_9022822d6fec2947acbca51a9509c18293ecd1538ede58bd8a8f20ab60060cc2.exe	POST	200	91.92.243.168:80	http://atomiy.cyou/	SC	binary	75 b	unknown
4212	svchost.exe	GET	200	88.221.169.152:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	US	binary	814 b	whitelisted
4212	svchost.exe	GET	200	23.216.77.6:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	NL	binary	825 b	whitelisted
5276	MoUsoCoreWorker.exe	GET	200	23.216.77.6:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	NL	binary	825 b	whitelisted
6148	_9022822d6fec2947acbca51a9509c18293ecd1538ede58bd8a8f20ab60060cc2.exe	POST	200	91.92.243.168:80	http://atomiy.cyou/	SC	binary	75 b	unknown
4212	svchost.exe	GET	200	52.183.220.149:443	https://settings-win.data.microsoft.com/settings/v3.0/WSD/WaasMedic?os=Windows&osVer=10.0.19041.1.amd64fre.vb_release.191206-&appVer=10.0.19041.3758&ring=Retail&sku=48&deviceClass=Windows.Desktop&locale=en-US&deviceId=BAD99146-31D3-4EC6-A1A4-BE76F32BA5D4	US	—	3.41 Kb	whitelisted
2392	slui.exe	POST	500	48.192.1.65:443	https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail	US	binary	512 b	whitelisted
5316	svchost.exe	POST	200	20.190.159.129:443	https://login.live.com/RST2.srf	US	binary	1.24 Kb	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	52.183.220.149 4.231.128.59 51.104.136.2	whitelisted
activation-v2.sls.microsoft.com	48.192.1.64	whitelisted
www.bing.com	184.86.251.29 184.86.251.6 184.86.251.14 184.86.251.10 184.86.251.15 184.86.251.28 184.86.251.30 184.86.251.4 184.86.251.8	whitelisted
google.com	192.178.183.101 192.178.183.139 192.178.183.100 192.178.183.138 192.178.183.102 192.178.183.113	whitelisted
atomiy.cyou	91.92.243.168	malicious
crl.microsoft.com	23.216.77.6 23.216.77.28 2.16.164.120 2.16.164.49	whitelisted
www.microsoft.com	88.221.169.152 23.52.181.212	whitelisted
login.live.com	20.190.159.2 20.190.159.75 20.190.159.129 40.126.31.2 40.126.31.71 20.190.159.130 40.126.31.73 20.190.159.64	whitelisted
client.wns.windows.com	172.211.123.249 172.211.123.250	whitelisted
msgrouppolicy.vg	31.57.118.10	malicious

PID	Process	Class	Message
6148	_9022822d6fec2947acbca51a9509c18293ecd1538ede58bd8a8f20ab60060cc2.exe	Misc activity	INFO [ANY.RUN] Connection to IP from commonly abused ASN (AS214943 RAILNET)
2232	svchost.exe	Domain Observed Used for C2 Detected	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (atomiy .cyou)
6148	_9022822d6fec2947acbca51a9509c18293ecd1538ede58bd8a8f20ab60060cc2.exe	Misc Attack	ET DROP Spamhaus DROP Listed Traffic Inbound group 14
4212	svchost.exe	Unknown Traffic	ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)
—	—	Misc activity	ET INFO Observed UA-CPU Header
—	—	A Network Trojan was detected	ET EXPLOIT MSXMLHTTP Download of HTA (Observed in CVE-2017-0199)
6424	mshta.exe	Misc activity	ET INFO Observed UA-CPU Header
6424	mshta.exe	A Network Trojan was detected	ET EXPLOIT MSXMLHTTP Download of HTA (Observed in CVE-2017-0199)
2232	svchost.exe	Misc activity	INFO [ANY.RUN] .cc TLD domain request

General Info

_9022822d6fec2947acbca51a9509c18293ecd1538ede58bd8a8f20ab60060cc2.exe

1740031C54455EAEE3C3DADB66FD3935

CD96D5B9B70D77C7755ECC20FBBA6E030D9E5C96

9022822D6FEC2947ACBCA51A9509C18293ECD1538EDE58BD8A8F20AB60060CC2

49152:qzKN8L45uBBIwXKvzDmbxi5EmqOglt/zrGj+LfiOl8P2goT+k99eu+VJ:xa45Bw05EfOgn+jHOl8PO9W

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

LUMMA mutex has been found

LUMMA has been detected (SURICATA)

EXPLOIT has been detected (SURICATA)

Steals credentials from Web Browsers

SUSPICIOUS

Possible stealing of email data

Contacting a server suspected of hosting an CnC

Searches for installed software

Possible stealing of messenger data

Possible stealing from crypto wallets

Starts MSHTA.EXE for opening HTA or HTMLS files

Executed via WMI

INFO

Checks supported languages

Reads the computer name

Reads Internet Explorer settings

Disables trace logs

Creates files or folders in the user directory

Reads Environment values

Execution of CURL command

Reads the machine GUID from the registry

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings