File name:

18052025_0153_bin.jpg.ps1

Full analysis: https://app.any.run/tasks/e940a708-15a3-405c-80bd-9d889228f996
Verdict: Malicious activity
Threats:

Lumma is an information stealer, developed using the C programming language. It is offered for sale as a malware-as-a-service, with several plans available. It usually targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malicious software regularly gets updates that improve and expand its functionality, making it a serious stealer threat.

Malware Trends Tracker     >>>
Analysis date: May 18, 2025, 01:59:45
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
stealer
lumma
Indicators:
MIME: text/plain
File info: ASCII text, with very long lines (65475), with CRLF line terminators
MD5:

E6560FB812FF29108059E9711F61891D

SHA1:

6573BB7FC6E26A47D1D32C5CD2314D0C6A8D2808

SHA256:

F6DFF5860881CDD6D5DB1C1871F3CD142185ED5CC4466989BA393A71535D0DA4

SSDEEP:

12288:zGXICziovuKs/t6UWAfP5BfIBYrPnX2OQ2mSpMC4Zo2hCw:QICzzvuK3AfPHXs2TMC4Zo2hCw

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Dynamically loads an assembly (POWERSHELL)

      • powershell.exe (PID: 6768)

    • Bypass execution policy to execute commands

      • powershell.exe (PID: 6768)

    • LUMMA mutex has been found

      • RegSvcs.exe (PID: 5720)

    • Steals credentials from Web Browsers

      • RegSvcs.exe (PID: 5720)

    • Actions looks like stealing of personal data

      • RegSvcs.exe (PID: 5720)

    • LUMMA has been detected (YARA)

      • RegSvcs.exe (PID: 5720)

  • SUSPICIOUS

    • Uses base64 encoding (POWERSHELL)

      • powershell.exe (PID: 6768)

    • Searches for installed software

      • RegSvcs.exe (PID: 5720)

    • There is functionality for taking screenshot (YARA)

      • RegSvcs.exe (PID: 5720)

  • INFO

    • Checks supported languages

      • RegSvcs.exe (PID: 5720)

    • Uses string replace method (POWERSHELL)

      • powershell.exe (PID: 6768)

    • Reads the computer name

      • RegSvcs.exe (PID: 5720)

    • Reads the machine GUID from the registry

      • RegSvcs.exe (PID: 5720)

    • Reads the software policy settings

      • RegSvcs.exe (PID: 5720)
      • slui.exe (PID: 6676)

    • Checks proxy server information

      • slui.exe (PID: 6676)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Lumma

(PID) Process(5720) RegSvcs.exe
C2 (9)conmog.digital/gnb
onehunqpom.life/zpxd
narrathfpt.top/tekq
featurlyin.top/pdal
overcovtcg.top/juhd
laminaflbx.shop/twoq
posseswsnc.top/akds
jackthyfuc.run/xpas
blackswmxc.top/bgry
No Malware configuration.
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
126
Monitored processes
4
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start powershell.exe no specs conhost.exe no specs #LUMMA regsvcs.exe slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
5720#by-unknownC:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft .NET Services Installation Utility
Exit code:
0
Version:
4.8.9037.0 built by: NET481REL1
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\shell32.dll
c:\windows\syswow64\msvcp_win.dll
Lumma
(PID) Process(5720) RegSvcs.exe
C2 (9)conmog.digital/gnb
onehunqpom.life/zpxd
narrathfpt.top/tekq
featurlyin.top/pdal
overcovtcg.top/juhd
laminaflbx.shop/twoq
posseswsnc.top/akds
jackthyfuc.run/xpas
blackswmxc.top/bgry
5892\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
6676C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
6768"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass C:\Users\admin\Desktop\18052025_0153_bin.jpg.ps1C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
11 337
Read events
11 337
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
4
Text files
2
Unknown types
0

Dropped files

PID
Process
Filename
Type
6768powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF10c6dc.TMPbinary
MD5:D040F64E9E7A2BB91ABCA5613424598E
SHA256:D04E0A6940609BD6F3B561B0F6027F5CA4E8C5CF0FB0D0874B380A0374A8D670
6768powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\LQVH7B5MOWRYAXNT4TMS.tempbinary
MD5:77BDBBE6A7820B1DBA3FE1D555EF445F
SHA256:53EFE4261C8FE649407C66A401B7A746BFD79CDAC4FD7CF6DD3909DD0323FCC9
6768powershell.exeC:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractivebinary
MD5:AFDAF7A8D696780C8FA7A1ED9B8F450B
SHA256:EE9B6C4A2F8E5AD0326DD8DB9E223FA52A108AD3F5E363630C715D1495072ABE
6768powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_dtbu3nra.vnk.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6768powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_eureqogi.nez.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6768powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msbinary
MD5:77BDBBE6A7820B1DBA3FE1D555EF445F
SHA256:53EFE4261C8FE649407C66A401B7A746BFD79CDAC4FD7CF6DD3909DD0323FCC9
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
8
TCP/UDP connections
50
DNS requests
16
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5548
SIHClient.exe
GET
200
2.19.11.120:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5548
SIHClient.exe
GET
200
96.6.17.223:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
5548
SIHClient.exe
GET
200
2.19.11.120:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl
unknown
whitelisted
5548
SIHClient.exe
GET
200
2.19.11.120:80
http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl
unknown
whitelisted
5548
SIHClient.exe
GET
200
96.6.17.223:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
5548
SIHClient.exe
GET
200
96.6.17.223:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
5548
SIHClient.exe
GET
200
96.6.17.223:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl
unknown
whitelisted
5548
SIHClient.exe
GET
200
96.6.17.223:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
3216
svchost.exe
172.211.123.249:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
6544
svchost.exe
20.190.160.22:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
5720
RegSvcs.exe
104.21.82.104:443
conmog.digital
CLOUDFLARENET
unknown
2104
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5548
SIHClient.exe
20.109.210.53:443
slscr.update.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
5548
SIHClient.exe
2.19.11.120:80
crl.microsoft.com
Elisa Oyj
NL
whitelisted
5548
SIHClient.exe
96.6.17.223:80
www.microsoft.com
AKAMAI-AS
NO
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 4.231.128.59
whitelisted
google.com
  • 142.250.185.238
whitelisted
client.wns.windows.com
  • 172.211.123.249
  • 172.211.123.248
whitelisted
login.live.com
  • 20.190.160.22
  • 40.126.32.134
  • 20.190.160.14
  • 20.190.160.3
  • 40.126.32.136
  • 20.190.160.66
  • 40.126.32.68
  • 40.126.32.138
whitelisted
conmog.digital
  • 104.21.82.104
  • 172.67.156.93
unknown
slscr.update.microsoft.com
  • 20.109.210.53
whitelisted
crl.microsoft.com
  • 2.19.11.120
  • 2.19.11.105
whitelisted
www.microsoft.com
  • 96.6.17.223
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.85.23.206
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
18052025_0153_bin.jpg.ps1