File name:

stage1.ps1

Full analysis: https://app.any.run/tasks/72a31ead-4f7c-444b-a2de-592b8f63f0e8
Verdict: Malicious activity
Threats:

Lumma is an information stealer, developed using the C programming language. It is offered for sale as a malware-as-a-service, with several plans available. It usually targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malicious software regularly gets updates that improve and expand its functionality, making it a serious stealer threat.

Malware Trends Tracker     >>>
Analysis date: January 23, 2025, 20:39:14
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
arch-exec
arch-doc
stealer
lumma
Indicators:
MIME: text/plain
File info: ASCII text, with CRLF line terminators
MD5:

9CC29D3F5D6F3A35268CDE9622B1AC9A

SHA1:

241B1037ACF1D713FC90239739428E3D3C0B9AD2

SHA256:

A33973F5DB28149436244EA6DE4FB1EEC9F297B795B949F293BFC322504D9510

SSDEEP:

48:hwYgtoMKVdW31Kc2uI1pP24EgsHBzTNVbc5+A1Ksf1KE:htgto3CH2tvPlaHBQ5+mHr

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Bypass execution policy to execute commands

      • powershell.exe (PID: 6536)

    • Actions looks like stealing of personal data

      • explorer.exe (PID: 2212)

    • LUMMA mutex has been found

      • explorer.exe (PID: 2212)

    • Steals credentials from Web Browsers

      • explorer.exe (PID: 2212)

  • SUSPICIOUS

    • CSC.EXE is used to compile C# code

      • csc.exe (PID: 6736)

    • Executable content was dropped or overwritten

      • csc.exe (PID: 6736)
      • powershell.exe (PID: 6536)
      • ISDbg.exe (PID: 1512)

    • Uses base64 encoding (POWERSHELL)

      • powershell.exe (PID: 6536)

    • The process creates files with name similar to system file names

      • powershell.exe (PID: 6536)
      • ISDbg.exe (PID: 1512)

    • Extracts files to a directory (POWERSHELL)

      • powershell.exe (PID: 6536)

    • Process drops legitimate windows executable

      • ISDbg.exe (PID: 1512)
      • powershell.exe (PID: 6536)

    • The process drops C-runtime libraries

      • ISDbg.exe (PID: 1512)
      • powershell.exe (PID: 6536)

    • Starts CMD.EXE for commands execution

      • ISDbg.exe (PID: 6328)

    • Starts itself from another location

      • ISDbg.exe (PID: 1512)

    • Searches for installed software

      • explorer.exe (PID: 2212)

  • INFO

    • Checks supported languages

      • csc.exe (PID: 6736)
      • cvtres.exe (PID: 6848)
      • ISDbg.exe (PID: 6328)
      • ISDbg.exe (PID: 1512)

    • Reads the machine GUID from the registry

      • csc.exe (PID: 6736)

    • Create files in a temporary directory

      • cvtres.exe (PID: 6848)
      • csc.exe (PID: 6736)
      • ISDbg.exe (PID: 6328)

    • Disables trace logs

      • powershell.exe (PID: 6536)

    • Checks proxy server information

      • powershell.exe (PID: 6536)

    • The sample compiled with english language support

      • powershell.exe (PID: 6536)
      • ISDbg.exe (PID: 1512)

    • The process uses the downloaded file

      • powershell.exe (PID: 6536)

    • Reads the computer name

      • ISDbg.exe (PID: 1512)

    • Creates files or folders in the user directory

      • ISDbg.exe (PID: 1512)

    • Reads the software policy settings

      • explorer.exe (PID: 2212)

    • The executable file from the user directory is run by the Powershell process

      • ISDbg.exe (PID: 1512)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
129
Monitored processes
10
Malicious processes
4
Suspicious processes
1

Behavior graph

Click at the process to see the details
start powershell.exe conhost.exe no specs csc.exe cvtres.exe no specs isdbg.exe isdbg.exe no specs cmd.exe no specs conhost.exe no specs #LUMMA explorer.exe svchost.exe

Process information

PID
CMD
Path
Indicators
Parent process
204C:\WINDOWS\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exeISDbg.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
1512"C:\Users\admin\AppData\Local\Temp\extract1\ISDbg.exe" -ExecutionPolicy Bypass C:\Users\admin\AppData\Local\Temp\extract1\ISDbg.exe
powershell.exe
User:
admin
Company:
Flexera
Integrity Level:
MEDIUM
Description:
InstallShield (R) Script Debugger
Exit code:
0
Version:
27.0.58
Modules
Images
c:\users\admin\appdata\local\temp\extract1\isdbg.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
2192C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
2212"C:\WINDOWS\SysWOW64\explorer.exe" -ExecutionPolicy Bypass C:\Windows\SysWOW64\explorer.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Exit code:
0
Version:
10.0.19041.3758 (WinBuild.160101.0800)
Modules
Images
c:\users\admin\appdata\local\temp\osbpax
c:\windows\syswow64\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcp_win.dll
5432\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
6328"C:\Users\admin\AppData\Roaming\comHelpcjq_x86\ISDbg.exe" -ExecutionPolicy Bypass C:\Users\admin\AppData\Roaming\comHelpcjq_x86\ISDbg.exeISDbg.exe
User:
admin
Company:
Flexera
Integrity Level:
MEDIUM
Description:
InstallShield (R) Script Debugger
Exit code:
1
Version:
27.0.58
Modules
Images
c:\users\admin\appdata\roaming\comhelpcjq_x86\isdbg.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
6536"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass C:\Users\admin\Desktop\stage1.ps1C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
6544\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
6736"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\o3yborvg.cmdline"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Visual C# Command Line Compiler
Exit code:
0
Version:
4.8.9037.0 built by: NET481REL1
Modules
Images
c:\windows\microsoft.net\framework64\v4.0.30319\csc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ole32.dll
6848C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\admin\AppData\Local\Temp\RES6F76.tmp" "c:\Users\admin\AppData\Local\Temp\CSC89B7E8C83FC4A748053CAA292270D1.TMP"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.execsc.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft® Resource File To COFF Object Conversion Utility
Exit code:
0
Version:
14.32.31326.0
Modules
Images
c:\windows\microsoft.net\framework64\v4.0.30319\cvtres.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\vcruntime140_clr0400.dll
Total events
10 050
Read events
10 050
Write events
0
Delete events
0

Modification events

No data
Executable files
13
Suspicious files
12
Text files
5
Unknown types
0

Dropped files

PID
Process
Filename
Type
6536powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\66I0FD8PJNVOR3NUYBOL.tempbinary
MD5:C0AEC752489543DE45C56008131DE5FF
SHA256:535275F4D1B674ED071A7D8E16B8A536EA9721BEE587C2B260EC0B0F61C31EE3
6536powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_nuxlizph.r13.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6536powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msbinary
MD5:C0AEC752489543DE45C56008131DE5FF
SHA256:535275F4D1B674ED071A7D8E16B8A536EA9721BEE587C2B260EC0B0F61C31EE3
6848cvtres.exeC:\Users\admin\AppData\Local\Temp\RES6F76.tmpbinary
MD5:B41CBB40A895400E6E8806740FE693F0
SHA256:B8B8A53C0EC5303F3D886E8613F484E7D14EF018DB1EC51751FCFA14C72A06B5
6736csc.exeC:\Users\admin\AppData\Local\Temp\CSC89B7E8C83FC4A748053CAA292270D1.TMPbinary
MD5:D82AAE4B1A354FE11F6DA039D34961EF
SHA256:3D41F955C4C07547D178B7D7422A93281B61A613CB76156B2B9372F798F8851E
6536powershell.exeC:\Users\admin\AppData\Local\Temp\o3yborvg.0.cstext
MD5:7EF2DC814F5C082336D1FBE487A53299
SHA256:89BDFB37BAD7981CB859D457C6DA2AC99D1F6B3C8C3324B46C569F2CEC1124B3
6536powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF1363af.TMPbinary
MD5:D040F64E9E7A2BB91ABCA5613424598E
SHA256:D04E0A6940609BD6F3B561B0F6027F5CA4E8C5CF0FB0D0874B380A0374A8D670
6736csc.exeC:\Users\admin\AppData\Local\Temp\o3yborvg.dllexecutable
MD5:EC1CCCCC78C0BEA515B90A2E270F34FB
SHA256:248EA89434B405E16E1CDF537E8F1DAA127F2AB46909283A6268A7C220F3BE20
6736csc.exeC:\Users\admin\AppData\Local\Temp\o3yborvg.outtext
MD5:3B1A9729674815D144E6B80113C04340
SHA256:FE069F5666DA981AD40A96085C6A74609F210BA9E893FA6A3A9F4A62101FCAB8
6536powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_ufleit2m.1vn.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
16
TCP/UDP connections
28
DNS requests
9
Threats
1

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1864
RUXIMICS.exe
GET
200
23.48.23.180:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
2624
svchost.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
1864
RUXIMICS.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
POST
200
188.114.96.3:443
https://musicloobkw.top/api
unknown
text
18.3 Kb
POST
200
172.67.188.120:443
https://resso-security.com/2-912381232/sendNotification.php
unknown
POST
200
188.114.97.3:443
https://musicloobkw.top/api
unknown
text
15 b
POST
200
188.114.96.3:443
https://musicloobkw.top/api
unknown
text
15 b
POST
200
188.114.97.3:443
https://musicloobkw.top/api
unknown
text
15 b
POST
200
188.114.97.3:443
https://musicloobkw.top/api
unknown
text
15 b
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
2624
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
104.126.37.178:443
www.bing.com
Akamai International B.V.
DE
whitelisted
4712
MoUsoCoreWorker.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
1864
RUXIMICS.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
2624
svchost.exe
23.48.23.180:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
4712
MoUsoCoreWorker.exe
23.48.23.180:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
1864
RUXIMICS.exe
23.48.23.180:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
2624
svchost.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 51.124.78.146
whitelisted
www.bing.com
  • 104.126.37.178
  • 104.126.37.139
  • 104.126.37.153
  • 104.126.37.128
  • 104.126.37.144
  • 104.126.37.155
  • 104.126.37.131
  • 104.126.37.130
  • 104.126.37.123
whitelisted
google.com
  • 142.250.184.206
whitelisted
crl.microsoft.com
  • 23.48.23.180
  • 23.48.23.164
  • 23.48.23.145
  • 23.48.23.159
  • 23.48.23.141
  • 23.48.23.158
  • 23.48.23.143
  • 23.48.23.169
  • 23.48.23.156
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
resso-security.com
  • 172.67.188.120
  • 104.21.8.135
unknown
musicloobkw.top
  • 188.114.97.3
  • 188.114.96.3
unknown
self.events.data.microsoft.com
  • 20.189.173.26
whitelisted

Threats

PID
Process
Class
Message
2192
svchost.exe
Potentially Bad Traffic
ET DNS Query to a *.top domain - Likely Hostile
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
stage1.ps1