File name:

stage1.ps1

Full analysis: https://app.any.run/tasks/72a31ead-4f7c-444b-a2de-592b8f63f0e8
Verdict: Malicious activity
Threats:

Lumma is an information stealer, developed using the C programming language. It is offered for sale as a malware-as-a-service, with several plans available. It usually targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malicious software regularly gets updates that improve and expand its functionality, making it a serious stealer threat.

Malware Trends Tracker     >>>
Analysis date: January 23, 2025, 20:39:14
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
arch-exec
arch-doc
stealer
lumma
Indicators:
MIME: text/plain
File info: ASCII text, with CRLF line terminators
MD5:

9CC29D3F5D6F3A35268CDE9622B1AC9A

SHA1:

241B1037ACF1D713FC90239739428E3D3C0B9AD2

SHA256:

A33973F5DB28149436244EA6DE4FB1EEC9F297B795B949F293BFC322504D9510

SSDEEP:

48:hwYgtoMKVdW31Kc2uI1pP24EgsHBzTNVbc5+A1Ksf1KE:htgto3CH2tvPlaHBQ5+mHr

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Bypass execution policy to execute commands

      • powershell.exe (PID: 6536)

    • Actions looks like stealing of personal data

      • explorer.exe (PID: 2212)

    • LUMMA mutex has been found

      • explorer.exe (PID: 2212)

    • Steals credentials from Web Browsers

      • explorer.exe (PID: 2212)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • csc.exe (PID: 6736)
      • powershell.exe (PID: 6536)
      • ISDbg.exe (PID: 1512)

    • CSC.EXE is used to compile C# code

      • csc.exe (PID: 6736)

    • Extracts files to a directory (POWERSHELL)

      • powershell.exe (PID: 6536)

    • Uses base64 encoding (POWERSHELL)

      • powershell.exe (PID: 6536)

    • The process drops C-runtime libraries

      • powershell.exe (PID: 6536)
      • ISDbg.exe (PID: 1512)

    • The process creates files with name similar to system file names

      • powershell.exe (PID: 6536)
      • ISDbg.exe (PID: 1512)

    • Process drops legitimate windows executable

      • powershell.exe (PID: 6536)
      • ISDbg.exe (PID: 1512)

    • Starts itself from another location

      • ISDbg.exe (PID: 1512)

    • Starts CMD.EXE for commands execution

      • ISDbg.exe (PID: 6328)

    • Searches for installed software

      • explorer.exe (PID: 2212)

  • INFO

    • Reads the machine GUID from the registry

      • csc.exe (PID: 6736)

    • Checks supported languages

      • csc.exe (PID: 6736)
      • cvtres.exe (PID: 6848)
      • ISDbg.exe (PID: 1512)
      • ISDbg.exe (PID: 6328)

    • Checks proxy server information

      • powershell.exe (PID: 6536)

    • The process uses the downloaded file

      • powershell.exe (PID: 6536)

    • Create files in a temporary directory

      • cvtres.exe (PID: 6848)
      • csc.exe (PID: 6736)
      • ISDbg.exe (PID: 6328)

    • Disables trace logs

      • powershell.exe (PID: 6536)

    • The sample compiled with english language support

      • powershell.exe (PID: 6536)
      • ISDbg.exe (PID: 1512)

    • The executable file from the user directory is run by the Powershell process

      • ISDbg.exe (PID: 1512)

    • Reads the software policy settings

      • explorer.exe (PID: 2212)

    • Reads the computer name

      • ISDbg.exe (PID: 1512)

    • Creates files or folders in the user directory

      • ISDbg.exe (PID: 1512)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
129
Monitored processes
10
Malicious processes
4
Suspicious processes
1

Behavior graph

Click at the process to see the details
start powershell.exe conhost.exe no specs csc.exe cvtres.exe no specs isdbg.exe isdbg.exe no specs cmd.exe no specs conhost.exe no specs #LUMMA explorer.exe svchost.exe

Process information

PID
CMD
Path
Indicators
Parent process
204C:\WINDOWS\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exeISDbg.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
1512"C:\Users\admin\AppData\Local\Temp\extract1\ISDbg.exe" -ExecutionPolicy Bypass C:\Users\admin\AppData\Local\Temp\extract1\ISDbg.exe
powershell.exe
User:
admin
Company:
Flexera
Integrity Level:
MEDIUM
Description:
InstallShield (R) Script Debugger
Exit code:
0
Version:
27.0.58
Modules
Images
c:\users\admin\appdata\local\temp\extract1\isdbg.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
2192C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
2212"C:\WINDOWS\SysWOW64\explorer.exe" -ExecutionPolicy Bypass C:\Windows\SysWOW64\explorer.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Exit code:
0
Version:
10.0.19041.3758 (WinBuild.160101.0800)
Modules
Images
c:\users\admin\appdata\local\temp\osbpax
c:\windows\syswow64\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcp_win.dll
5432\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
6328"C:\Users\admin\AppData\Roaming\comHelpcjq_x86\ISDbg.exe" -ExecutionPolicy Bypass C:\Users\admin\AppData\Roaming\comHelpcjq_x86\ISDbg.exeISDbg.exe
User:
admin
Company:
Flexera
Integrity Level:
MEDIUM
Description:
InstallShield (R) Script Debugger
Exit code:
1
Version:
27.0.58
Modules
Images
c:\users\admin\appdata\roaming\comhelpcjq_x86\isdbg.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
6536"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass C:\Users\admin\Desktop\stage1.ps1C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
6544\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
6736"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\o3yborvg.cmdline"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Visual C# Command Line Compiler
Exit code:
0
Version:
4.8.9037.0 built by: NET481REL1
Modules
Images
c:\windows\microsoft.net\framework64\v4.0.30319\csc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ole32.dll
6848C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\admin\AppData\Local\Temp\RES6F76.tmp" "c:\Users\admin\AppData\Local\Temp\CSC89B7E8C83FC4A748053CAA292270D1.TMP"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.execsc.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft® Resource File To COFF Object Conversion Utility
Exit code:
0
Version:
14.32.31326.0
Modules
Images
c:\windows\microsoft.net\framework64\v4.0.30319\cvtres.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\vcruntime140_clr0400.dll
Total events
10 050
Read events
10 050
Write events
0
Delete events
0

Modification events

No data
Executable files
13
Suspicious files
12
Text files
5
Unknown types
0

Dropped files

PID
Process
Filename
Type
6536powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\66I0FD8PJNVOR3NUYBOL.tempbinary
MD5:C0AEC752489543DE45C56008131DE5FF
SHA256:535275F4D1B674ED071A7D8E16B8A536EA9721BEE587C2B260EC0B0F61C31EE3
6536powershell.exeC:\Users\admin\AppData\Local\Temp\o3yborvg.0.cstext
MD5:7EF2DC814F5C082336D1FBE487A53299
SHA256:89BDFB37BAD7981CB859D457C6DA2AC99D1F6B3C8C3324B46C569F2CEC1124B3
6536powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msbinary
MD5:C0AEC752489543DE45C56008131DE5FF
SHA256:535275F4D1B674ED071A7D8E16B8A536EA9721BEE587C2B260EC0B0F61C31EE3
6736csc.exeC:\Users\admin\AppData\Local\Temp\CSC89B7E8C83FC4A748053CAA292270D1.TMPbinary
MD5:D82AAE4B1A354FE11F6DA039D34961EF
SHA256:3D41F955C4C07547D178B7D7422A93281B61A613CB76156B2B9372F798F8851E
6536powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_ufleit2m.1vn.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6536powershell.exeC:\Users\admin\AppData\Local\Temp\o3yborvg.cmdlinetext
MD5:68D5B45EFB901DF070FF768DEA665F3A
SHA256:997F96FCDFA21E1EB2B42A93D2AEE92855A43E1149BA052A60F1B8BA241985D2
6536powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_nuxlizph.r13.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6536powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF1363af.TMPbinary
MD5:D040F64E9E7A2BB91ABCA5613424598E
SHA256:D04E0A6940609BD6F3B561B0F6027F5CA4E8C5CF0FB0D0874B380A0374A8D670
6536powershell.exeC:\Users\admin\AppData\Local\Temp\extract1\ISUIServices.dllexecutable
MD5:30806A5B2B548B8AE5DCE694F04F119C
SHA256:3AD57C99FD061B4C99120F1BD34466D221B80776CAB62D52496F1C0350908D31
6536powershell.exeC:\Users\admin\AppData\Local\Temp\extract1\msvcp140.dllexecutable
MD5:DC739066C9D0CA961CBA2F320CADE28E
SHA256:74E9268A68118BB1AC5154F8F327887715960CCC37BA9DABBE31ECD82DCBAA55
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
16
TCP/UDP connections
28
DNS requests
9
Threats
1

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4712
MoUsoCoreWorker.exe
GET
200
23.48.23.180:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
2624
svchost.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
1864
RUXIMICS.exe
GET
200
23.48.23.180:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
2624
svchost.exe
GET
200
23.48.23.180:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
1864
RUXIMICS.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
POST
200
172.67.188.120:443
https://resso-security.com/2-912381232/sendNotification.php
unknown
GET
200
172.67.188.120:443
https://resso-security.com/1-723628312/23748237478234-nightly.zip
unknown
compressed
5.41 Mb
POST
200
188.114.97.3:443
https://musicloobkw.top/api
unknown
text
2 b
POST
200
188.114.96.3:443
https://musicloobkw.top/api
unknown
text
18.3 Kb
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
2624
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
104.126.37.178:443
www.bing.com
Akamai International B.V.
DE
whitelisted
4712
MoUsoCoreWorker.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
1864
RUXIMICS.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
2624
svchost.exe
23.48.23.180:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
4712
MoUsoCoreWorker.exe
23.48.23.180:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
1864
RUXIMICS.exe
23.48.23.180:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
2624
svchost.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 51.124.78.146
whitelisted
www.bing.com
  • 104.126.37.178
  • 104.126.37.139
  • 104.126.37.153
  • 104.126.37.128
  • 104.126.37.144
  • 104.126.37.155
  • 104.126.37.131
  • 104.126.37.130
  • 104.126.37.123
whitelisted
google.com
  • 142.250.184.206
whitelisted
crl.microsoft.com
  • 23.48.23.180
  • 23.48.23.164
  • 23.48.23.145
  • 23.48.23.159
  • 23.48.23.141
  • 23.48.23.158
  • 23.48.23.143
  • 23.48.23.169
  • 23.48.23.156
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
resso-security.com
  • 172.67.188.120
  • 104.21.8.135
unknown
musicloobkw.top
  • 188.114.97.3
  • 188.114.96.3
unknown
self.events.data.microsoft.com
  • 20.189.173.26
whitelisted

Threats

PID
Process
Class
Message
2192
svchost.exe
Potentially Bad Traffic
ET DNS Query to a *.top domain - Likely Hostile
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
stage1.ps1