download:

/ReSeT

Full analysis: https://app.any.run/tasks/d6d7f0d4-ac76-475f-992a-dd79706b873e
Verdict: Malicious activity
Threats:

Lumma is an information stealer, developed using the C programming language. It is offered for sale as a malware-as-a-service, with several plans available. It usually targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malicious software regularly gets updates that improve and expand its functionality, making it a serious stealer threat.

Malware Trends Tracker     >>>
Analysis date: April 17, 2025, 20:45:42
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
evasion
arch-exec
golang
lumma
Indicators:
MIME: text/plain
File info: ASCII text, with very long lines (10816)
MD5:

9E1BEB8280B76A3AF346203E9AE4D72E

SHA1:

EF136290EBCA44012E66733828F29379AA08DA4B

SHA256:

8C64E7871F918EEF31B943EC08FE4BE6B805179061A7A2B4A3BEAEEF557231C2

SSDEEP:

192:wEV0KBI/YFjgqytES8C4Q9WH8UAjdZuUbj+gAsYx5bx2mQTYVsnUbGN9Av7yEi8+:wEVdGijoES8C42WH8UAjjuUbj+grYZ/o

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Bypass execution policy to execute commands

      • powershell.exe (PID: 900)

    • Script downloads file (POWERSHELL)

      • powershell.exe (PID: 900)

    • Executing a file with an untrusted certificate

      • lufinal.exe (PID: 6872)
      • lufinal.exe (PID: 1272)

    • LUMMA has been detected (YARA)

      • lufinal.exe (PID: 6872)

  • SUSPICIOUS

    • Uses base64 encoding (POWERSHELL)

      • powershell.exe (PID: 900)

    • Uses sleep to delay execution (POWERSHELL)

      • powershell.exe (PID: 900)

    • Starts a new process with hidden mode (POWERSHELL)

      • powershell.exe (PID: 900)

    • Writes data into a file (POWERSHELL)

      • powershell.exe (PID: 900)

    • Application launched itself

      • lufinal.exe (PID: 1272)

    • Checks for external IP

      • powershell.exe (PID: 900)

    • Likely accesses (executes) a file from the Public directory

      • 7zr.exe (PID: 6388)
      • lufinal.exe (PID: 1272)

    • Executable content was dropped or overwritten

      • powershell.exe (PID: 900)

    • Extracts files to a directory (POWERSHELL)

      • powershell.exe (PID: 900)

    • Drops 7-zip archiver for unpacking

      • powershell.exe (PID: 900)

  • INFO

    • Checks whether the specified file exists (POWERSHELL)

      • powershell.exe (PID: 900)

    • Gets a random number, or selects objects randomly from a collection (POWERSHELL)

      • powershell.exe (PID: 900)

    • Disables trace logs

      • powershell.exe (PID: 900)

    • Converts byte array into Unicode string (POWERSHELL)

      • powershell.exe (PID: 900)

    • The sample compiled with english language support

      • powershell.exe (PID: 900)

    • Checks proxy server information

      • powershell.exe (PID: 900)

    • Checks supported languages

      • lufinal.exe (PID: 1272)
      • 7zr.exe (PID: 6388)

    • Reads the computer name

      • 7zr.exe (PID: 6388)

    • Manual execution by a user

      • mspaint.exe (PID: 5640)
      • mspaint.exe (PID: 6476)

    • Application based on Golang

      • lufinal.exe (PID: 1272)
      • lufinal.exe (PID: 6872)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
137
Monitored processes
10
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start powershell.exe conhost.exe no specs sppextcomobj.exe no specs slui.exe no specs 7zr.exe no specs conhost.exe no specs lufinal.exe no specs #LUMMA lufinal.exe no specs mspaint.exe no specs mspaint.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
536\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
900"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass C:\Users\admin\AppData\Local\Temp\ReSeT.ps1C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
960\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exe7zr.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1272"C:\Users\Public\Libraries\TempW9AXs\c\lufinal.exe" C:\Users\Public\Libraries\TempW9AXs\c\lufinal.exepowershell.exe
User:
admin
Company:
Malwarebytes
Integrity Level:
MEDIUM
Description:
Malwarebytes Setup
Version:
5.2.8.127
Modules
Images
c:\users\public\libraries\tempw9axs\c\lufinal.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
2656C:\WINDOWS\system32\SppExtComObj.exe -EmbeddingC:\Windows\System32\SppExtComObj.Exesvchost.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
KMS Connection Broker
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sppextcomobj.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\oleaut32.dll
5640"C:\WINDOWS\system32\mspaint.exe" "C:\Users\admin\Desktop\johncum.jpg"C:\Windows\System32\mspaint.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Paint
Exit code:
0
Version:
10.0.19041.3758 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\mspaint.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\acgenral.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
6388"C:\Users\Public\Libraries\TempW9AXs\7zr.exe" x "C:\Users\Public\Libraries\TempW9AXs\lufinal.7z" -oC:\Users\Public\Libraries\TempW9AXs\c -pQweqwe123123 -y C:\Users\Public\Libraries\TempW9AXs\7zr.exepowershell.exe
User:
admin
Company:
Igor Pavlov
Integrity Level:
MEDIUM
Description:
7-Zip Reduced Standalone Console
Exit code:
0
Version:
24.09
Modules
Images
c:\users\public\libraries\tempw9axs\7zr.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\oleaut32.dll
c:\windows\syswow64\msvcp_win.dll
6476"C:\WINDOWS\system32\mspaint.exe" "C:\Users\admin\Desktop\lalegal.png"C:\Windows\System32\mspaint.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Paint
Exit code:
0
Version:
10.0.19041.3758 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\mspaint.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\acgenral.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
6872noneC:\Users\Public\Libraries\TempW9AXs\c\lufinal.exe
lufinal.exe
User:
admin
Company:
Malwarebytes
Integrity Level:
MEDIUM
Description:
Malwarebytes Setup
Version:
5.2.8.127
7084"C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEventC:\Windows\System32\slui.exeSppExtComObj.Exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Activation Client
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events
6 912
Read events
6 853
Write events
57
Delete events
2

Modification events

(PID) Process:(5640) mspaint.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\Paint\Ribbon
Operation:writeName:QatItems
Value:
<siq:customUI xmlns:siq="http://schemas.microsoft.com/windows/2009/ribbon/qat"><siq:ribbon minimized="false"><siq:qat position="0"><siq:sharedControls><siq:control idQ="siq:20002" visible="false" argument="0"/><siq:control idQ="siq:20003" visible="false" argument="0"/><siq:control idQ="siq:20004" visible="true" argument="0"/><siq:control idQ="siq:20014" visible="false" argument="0"/><siq:control idQ="siq:20017" visible="false" argument="0"/><siq:control idQ="siq:20019" visible="false" argument="0"/><siq:control idQ="siq:31001" visible="true" argument="0"/><siq:control idQ="siq:31002" visible="true" argument="0"/></siq:sharedControls></siq:qat></siq:ribbon></siq:customUI>
(PID) Process:(5640) mspaint.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\Paint\Recent File List
Operation:delete keyName:(default)
Value:
(PID) Process:(5640) mspaint.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\Paint\Recent File List
Operation:writeName:File1
Value:
C:\Users\admin\Desktop\johncum.jpg
(PID) Process:(5640) mspaint.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\Paint\View
Operation:writeName:WindowPlacement
Value:
2C00000000000000010000000000000000000000FFFFFFFFFFFFFFFF7F000000470000007F04000087020000
(PID) Process:(5640) mspaint.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\Paint\View
Operation:writeName:ShowThumbnail
Value:
0
(PID) Process:(5640) mspaint.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\Paint\View
Operation:writeName:BMPWidth
Value:
0
(PID) Process:(5640) mspaint.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\Paint\View
Operation:writeName:BMPHeight
Value:
0
(PID) Process:(5640) mspaint.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\Paint\View
Operation:writeName:ThumbXPos
Value:
0
(PID) Process:(5640) mspaint.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\Paint\View
Operation:writeName:ThumbYPos
Value:
0
(PID) Process:(5640) mspaint.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\Paint\View
Operation:writeName:ThumbWidth
Value:
0
Executable files
1
Suspicious files
5
Text files
3
Unknown types
0

Dropped files

PID
Process
Filename
Type
900powershell.exeC:\Users\Public\Libraries\TempW9AXs\lufinal.7z
MD5:
SHA256:
63887zr.exeC:\Users\Public\Libraries\TempW9AXs\c\lufinal.exe
MD5:
SHA256:
900powershell.exeC:\Users\Public\Libraries\test.txttext
MD5:4E7541EDBBDF3DEE0A8B93BB837CC712
SHA256:5101E1905792EA7967DE32FA6BCDD13B0BCDA825469C2EB8BDE04D6C69475950
900powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\QD4OU1DGILKIX5MEYPA4.tempbinary
MD5:0B3A28C7E729550B9F8972D286B4A0B7
SHA256:C54978AEF14A6E76C9EFAD7969E8562D5E1016B77ED38F58D87527A9DE25DDA6
900powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_ozn01cos.fwg.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
900powershell.exeC:\Users\Public\Libraries\TempW9AXs\z.zipcompressed
MD5:73328A7C03E79AE9314AD164C07F4302
SHA256:EF50E00B1C63343497A9EC89018C8DDEE83C778240A9F865A83FF452BDF1773A
900powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF10b940.TMPbinary
MD5:D040F64E9E7A2BB91ABCA5613424598E
SHA256:D04E0A6940609BD6F3B561B0F6027F5CA4E8C5CF0FB0D0874B380A0374A8D670
900powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_2ndgcmij.tqa.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
900powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msbinary
MD5:0B3A28C7E729550B9F8972D286B4A0B7
SHA256:C54978AEF14A6E76C9EFAD7969E8562D5E1016B77ED38F58D87527A9DE25DDA6
900powershell.exeC:\Users\Public\Libraries\TempW9AXs\7zr.exeexecutable
MD5:9F018E5FEB96AAE0E893A739C83A8B1F
SHA256:D2C0045523CF053A6B43F9315E9672FC2535F06AEADD4FFA53C729CD8B2B6DFE
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
23
DNS requests
18
Threats
3

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
6544
svchost.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
2140
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
2140
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
GET
200
23.216.77.42:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
2104
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
23.216.77.42:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
4
System
192.168.100.255:138
whitelisted
3216
svchost.exe
172.211.123.249:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
900
powershell.exe
172.67.188.125:443
kutt.it
CLOUDFLARENET
US
suspicious
900
powershell.exe
13.107.42.20:443
dev.azure.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
6544
svchost.exe
20.190.159.75:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
6544
svchost.exe
2.17.190.73:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 51.124.78.146
whitelisted
crl.microsoft.com
  • 23.216.77.42
  • 23.216.77.28
  • 23.216.77.43
  • 23.216.77.18
  • 23.216.77.19
  • 23.216.77.21
  • 23.216.77.39
  • 23.216.77.30
  • 23.216.77.22
whitelisted
google.com
  • 216.58.206.78
whitelisted
client.wns.windows.com
  • 172.211.123.249
whitelisted
kutt.it
  • 172.67.188.125
  • 104.21.43.235
unknown
dev.azure.com
  • 13.107.42.20
whitelisted
login.live.com
  • 20.190.159.75
  • 40.126.31.0
  • 20.190.159.129
  • 20.190.159.71
  • 20.190.159.73
  • 40.126.31.128
  • 20.190.159.128
  • 20.190.159.23
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted
api.ipify.org
  • 172.67.74.152
  • 104.26.13.205
  • 104.26.12.205
shared
hkdk.events
  • 104.18.17.219
  • 104.18.16.219
unknown

Threats

PID
Process
Class
Message
2196
svchost.exe
Misc activity
INFO [ANY.RUN] Possible short link service (kutt .it)
2196
svchost.exe
Misc activity
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
900
powershell.exe
Misc activity
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
/ReSeT