URL:

https://gofile.io/d/g7AgiW

Full analysis: https://app.any.run/tasks/983758b3-93b1-44b1-ad1b-0026a1b40618
Verdict: Malicious activity
Threats:

Lumma is an information stealer, developed using the C programming language. It is offered for sale as a malware-as-a-service, with several plans available. It usually targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malicious software regularly gets updates that improve and expand its functionality, making it a serious stealer threat.

Malware Trends Tracker     >>>
Analysis date: May 17, 2025, 18:08:18
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
fileshare
lumma
stealer
python
trox
Indicators:
MD5:

209A7B0FAF516D74E1FAF1DADA066D9A

SHA1:

E5F178E72A284753F228D82AA92B78D4E73C9AAB

SHA256:

C1274945325BA1EAACC47951D5082F1F39A622A219061D2D4605DDCE29E761FC

SSDEEP:

3:N8rxL16yn:2ZX

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • LUMMA has been detected (SURICATA)

      • msedge.exe (PID: 7304)

    • TROX has been detected

      • main.exe (PID: 6760)
      • loader.exe (PID: 8116)
      • main.exe (PID: 6244)
      • main.exe (PID: 4008)

    • Known privilege escalation attack

      • dllhost.exe (PID: 7832)

    • Executing a file with an untrusted certificate

      • Built.exe (PID: 7596)
      • Built.exe (PID: 8028)

    • Adds path to the Windows Defender exclusion list

      • Built.exe (PID: 8028)
      • cmd.exe (PID: 5008)

    • Changes antivirus protection settings for downloading files from the Internet (IOAVProtection)

      • powershell.exe (PID: 7864)

    • Changes Controlled Folder Access settings

      • powershell.exe (PID: 7864)

    • Changes settings for real-time protection

      • powershell.exe (PID: 7864)

    • Changes Windows Defender settings

      • cmd.exe (PID: 5864)
      • cmd.exe (PID: 5008)

    • Changes settings for checking scripts for malicious actions

      • powershell.exe (PID: 7864)

    • Antivirus name has been found in the command line (generic signature)

      • cmd.exe (PID: 5864)

    • Changes settings for reporting to Microsoft Active Protection Service (MAPS)

      • powershell.exe (PID: 7864)

    • Changes settings for sending potential threat samples to Microsoft servers

      • powershell.exe (PID: 7864)

    • Changes settings for protection against network attacks (IPS)

      • powershell.exe (PID: 7864)

  • SUSPICIOUS

    • Contacting a server suspected of hosting an CnC

      • msedge.exe (PID: 7304)

    • Starts CMD.EXE for commands execution

      • main.exe (PID: 6708)
      • main.exe (PID: 4152)
      • loader.exe (PID: 960)
      • Built.exe (PID: 8028)
      • main.exe (PID: 6540)

    • Process drops python dynamic module

      • main.exe (PID: 6760)
      • loader.exe (PID: 8116)
      • main.exe (PID: 6244)
      • main.exe (PID: 4008)
      • Built.exe (PID: 7596)

    • The process drops C-runtime libraries

      • main.exe (PID: 6760)
      • main.exe (PID: 6244)
      • Built.exe (PID: 7596)
      • main.exe (PID: 4008)
      • loader.exe (PID: 8116)

    • Loads Python modules

      • main.exe (PID: 6708)

    • Process drops legitimate windows executable

      • main.exe (PID: 6760)
      • main.exe (PID: 6244)
      • loader.exe (PID: 8116)
      • dwm.exe (PID: 1852)
      • Built.exe (PID: 7596)
      • main.exe (PID: 4008)

    • Executable content was dropped or overwritten

      • main.exe (PID: 6760)
      • loader.exe (PID: 8116)
      • loader.exe (PID: 1348)
      • main.exe (PID: 6244)
      • dwm.exe (PID: 1852)
      • main.exe (PID: 4008)
      • Built.exe (PID: 7596)

    • Probably UAC bypass using CMSTP.exe (Connection Manager service profile)

      • loader.exe (PID: 7648)

    • Uses TASKKILL.EXE to kill process

      • mshta.exe (PID: 2192)

    • Reads security settings of Internet Explorer

      • main.exe (PID: 6760)

    • The executable file from the user directory is run by the CMD process

      • main.exe (PID: 4008)

    • Starts a Microsoft application from unusual location

      • Built.exe (PID: 7596)
      • Built.exe (PID: 8028)

    • Application launched itself

      • Built.exe (PID: 7596)

    • Found strings related to reading or modifying Windows Defender settings

      • Built.exe (PID: 8028)

    • Get information on the list of running processes

      • Built.exe (PID: 8028)
      • cmd.exe (PID: 8088)

    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 5008)
      • cmd.exe (PID: 5864)

    • Script disables Windows Defender's real-time protection

      • cmd.exe (PID: 5864)

    • Checks for external IP

      • svchost.exe (PID: 2196)
      • Built.exe (PID: 8028)

    • Script adds exclusion path to Windows Defender

      • cmd.exe (PID: 5008)

    • Script disables Windows Defender's IPS

      • cmd.exe (PID: 5864)

    • Uses WMIC.EXE to obtain Windows Installer data

      • cmd.exe (PID: 6416)

  • INFO

    • Checks supported languages

      • identity_helper.exe (PID: 3020)
      • main.exe (PID: 6760)
      • main.exe (PID: 6708)

    • Application launched itself

      • msedge.exe (PID: 5452)

    • Reads Environment values

      • identity_helper.exe (PID: 3020)

    • Reads the computer name

      • identity_helper.exe (PID: 3020)
      • main.exe (PID: 6760)

    • Attempting to use file storage service

      • msedge.exe (PID: 7304)

    • Manual execution by a user

      • WinRAR.exe (PID: 7944)
      • main.exe (PID: 6760)
      • loader.exe (PID: 7648)
      • loader.exe (PID: 1348)
      • main.exe (PID: 6244)

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 7944)

    • The sample compiled with english language support

      • main.exe (PID: 6760)
      • main.exe (PID: 6244)
      • loader.exe (PID: 8116)
      • dwm.exe (PID: 1852)
      • main.exe (PID: 4008)
      • Built.exe (PID: 7596)

    • Create files in a temporary directory

      • main.exe (PID: 6760)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
226
Monitored processes
91
Malicious processes
15
Suspicious processes
3

Behavior graph

Click at the process to see the details
start msedge.exe msedge.exe no specs msedge.exe no specs #LUMMA msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs sppextcomobj.exe no specs slui.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs identity_helper.exe no specs identity_helper.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs rundll32.exe no specs winrar.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs #TROX main.exe conhost.exe no specs main.exe no specs cmd.exe no specs cmd.exe no specs #TROX main.exe conhost.exe no specs main.exe cmd.exe no specs cmd.exe no specs svchost.exe loader.exe no specs cmd.exe no specs cmstp.exe no specs CMSTPLUA loader.exe loader.exe no specs mshta.exe no specs #TROX loader.exe conhost.exe no specs dwm.exe taskkill.exe no specs conhost.exe no specs loader.exe no specs cmd.exe no specs #TROX main.exe conhost.exe no specs built.exe built.exe main.exe cmd.exe no specs cmd.exe no specs conhost.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs powershell.exe no specs tasklist.exe no specs cmd.exe no specs wmic.exe no specs cmd.exe no specs cmd.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
664powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\admin\AppData\Local\Temp\Built.exe'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
856"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=7500 --field-trial-handle=2204,i,960036806136148330,6079292172555608363,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
896C:\WINDOWS\system32\SppExtComObj.exe -EmbeddingC:\Windows\System32\SppExtComObj.Exesvchost.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
KMS Connection Broker
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sppextcomobj.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\oleaut32.dll
960"C:\Users\admin\AppData\Local\Temp\loader.exe" C:\Users\admin\AppData\Local\Temp\onefile_8116_133919789593165967\loader.exeloader.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\onefile_8116_133919789593165967\loader.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\users\admin\appdata\local\temp\onefile_8116_133919789593165967\python311.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
1012"C:\Windows\System32\taskkill.exe" /IM cmstp.exe /FC:\Windows\System32\taskkill.exemshta.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Terminates Processes
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\taskkill.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
1128"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=34 --mojo-platform-channel-handle=7440 --field-trial-handle=2204,i,960036806136148330,6079292172555608363,262144 --variations-seed-version /prefetch:1C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1184C:\WINDOWS\system32\cmd.exe /c "start main.exe"C:\Windows\System32\cmd.exeloader.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
1272"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=7860 --field-trial-handle=2204,i,960036806136148330,6079292172555608363,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1328"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=8276 --field-trial-handle=2204,i,960036806136148330,6079292172555608363,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1348"C:\Users\admin\Downloads\sapphire_cracked\loader.exe" C:\Users\admin\Downloads\sapphire_cracked\loader.exe
explorer.exe
User:
admin
Integrity Level:
HIGH
Description:
Exit code:
0
Version:
1.0.0.0
Modules
Images
c:\users\admin\downloads\sapphire_cracked\loader.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
Total events
18 734
Read events
18 690
Write events
44
Delete events
0

Modification events

(PID) Process:(5452) msedge.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientStateMedium\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\LastWasDefault
Operation:writeName:S-1-5-21-1693682860-607145093-2874071422-1001
Value:
33DF6B11EF932F00
(PID) Process:(5452) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:writeName:failed_count
Value:
0
(PID) Process:(5452) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:writeName:state
Value:
2
(PID) Process:(5452) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:writeName:state
Value:
1
(PID) Process:(5452) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\StabilityMetrics
Operation:writeName:user_experience_metrics.stability.exited_cleanly
Value:
0
(PID) Process:(5452) msedge.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientStateMedium\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\LastWasDefault
Operation:writeName:S-1-5-21-1693682860-607145093-2874071422-1001
Value:
66107911EF932F00
(PID) Process:(5452) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowProperties\328448
Operation:writeName:WindowTabManagerFileMappingId
Value:
{553E10FC-0851-4D42-B990-D69A0965CC97}
(PID) Process:(5452) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowProperties\328448
Operation:writeName:WindowTabManagerFileMappingId
Value:
{60E6DC78-2DE0-4365-8E65-9033966D7255}
(PID) Process:(5452) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowProperties\328448
Operation:writeName:WindowTabManagerFileMappingId
Value:
{9B676512-50C8-4F28-9E47-388C70DD313A}
(PID) Process:(5452) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowProperties\328448
Operation:writeName:WindowTabManagerFileMappingId
Value:
{90EBA2AA-7735-48A2-9201-ABD4603CFFEA}
Executable files
192
Suspicious files
449
Text files
74
Unknown types
0

Dropped files

PID
Process
Filename
Type
5452msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old~RF10bb53.TMP
MD5:
SHA256:
5452msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old
MD5:
SHA256:
5452msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old~RF10bb53.TMP
MD5:
SHA256:
5452msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old
MD5:
SHA256:
5452msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old~RF10bb43.TMP
MD5:
SHA256:
5452msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old
MD5:
SHA256:
5452msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old~RF10bb72.TMP
MD5:
SHA256:
5452msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old
MD5:
SHA256:
5452msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old~RF10bb91.TMP
MD5:
SHA256:
5452msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
5
TCP/UDP connections
95
DNS requests
102
Threats
29

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5496
MoUsoCoreWorker.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
5496
MoUsoCoreWorker.exe
GET
200
23.216.77.36:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5064
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
6544
svchost.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
5064
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5496
MoUsoCoreWorker.exe
23.216.77.36:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
5496
MoUsoCoreWorker.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
7304
msedge.exe
13.107.42.16:443
config.edge.skype.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
5452
msedge.exe
239.255.255.250:1900
whitelisted
7304
msedge.exe
150.171.27.11:443
edge.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
7304
msedge.exe
45.112.123.126:443
gofile.io
AMAZON-02
SG
whitelisted
7304
msedge.exe
13.107.246.45:443
edge-mobile-static.azureedge.net
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
7304
msedge.exe
13.107.6.158:443
business.bing.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.186.110
whitelisted
settings-win.data.microsoft.com
  • 51.104.136.2
whitelisted
crl.microsoft.com
  • 23.216.77.36
  • 23.216.77.21
  • 23.216.77.28
  • 23.216.77.4
  • 23.216.77.34
  • 23.216.77.5
  • 23.216.77.20
  • 23.216.77.43
  • 23.216.77.8
whitelisted
www.microsoft.com
  • 184.30.21.171
  • 23.35.229.160
whitelisted
config.edge.skype.com
  • 13.107.42.16
whitelisted
gofile.io
  • 45.112.123.126
whitelisted
edge.microsoft.com
  • 150.171.27.11
  • 150.171.28.11
whitelisted
edge-mobile-static.azureedge.net
  • 13.107.246.45
whitelisted
business.bing.com
  • 13.107.6.158
whitelisted
www.bing.com
  • 2.23.227.215
  • 2.23.227.208
  • 104.126.37.136
  • 104.126.37.123
  • 104.126.37.131
  • 104.126.37.130
  • 104.126.37.129
  • 104.126.37.186
  • 104.126.37.144
  • 104.126.37.185
  • 104.126.37.137
whitelisted

Threats

PID
Process
Class
Message
7304
msedge.exe
Potentially Bad Traffic
ET FILE_SHARING Online File Storage Domain in DNS Lookup (gofile .io)
7304
msedge.exe
Potentially Bad Traffic
ET FILE_SHARING Online File Storage Domain in DNS Lookup (gofile .io)
7304
msedge.exe
Misc activity
ET FILE_SHARING File Sharing Related Domain in TLS SNI (gofile .io)
7304
msedge.exe
Potentially Bad Traffic
ET FILE_SHARING Online File Storage Domain in DNS Lookup (gofile .io)
7304
msedge.exe
Potentially Bad Traffic
ET FILE_SHARING Online File Storage Domain in DNS Lookup (gofile .io)
7304
msedge.exe
Potentially Bad Traffic
ET FILE_SHARING Online File Storage Domain in DNS Lookup (gofile .io)
7304
msedge.exe
Misc activity
ET FILE_SHARING File Sharing Related Domain in TLS SNI (gofile .io)
7304
msedge.exe
Potentially Bad Traffic
ET FILE_SHARING Online File Storage Domain in DNS Lookup (gofile .io)
7304
msedge.exe
Misc activity
ET FILE_SHARING File Sharing Related Domain in TLS SNI (gofile .io)
7304
msedge.exe
Misc activity
ET FILE_SHARING File Sharing Related Domain in TLS SNI (gofile .io)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
https://gofile.io/d/g7AgiW