URL:

https://movefreephysio.com.sg/winsha/

Full analysis: https://app.any.run/tasks/1220ed76-7b99-4d36-ad5e-d4f6c5d402c2
Verdict: Malicious activity
Threats:

Lumma is an information stealer, developed using the C programming language. It is offered for sale as a malware-as-a-service, with several plans available. It usually targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malicious software regularly gets updates that improve and expand its functionality, making it a serious stealer threat.

Malware Trends Tracker     >>>
Analysis date: June 25, 2025, 20:53:02
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
autoit
lumma
stealer
autoit-loader
Indicators:
MD5:

CC43BCE39C78BA4CBD83B7D7000A069F

SHA1:

77CA2CAB575B379A6836A1CFE2D3ABC9E50D60A3

SHA256:

C585DB201D034255FBFB2E79C962A7F9F49BDADBEBCD92C2B7A50B7E645229EB

SSDEEP:

3:N8xmXP5OQSMLWNjn:2UXROQ/LWNj

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Executing a file with an untrusted certificate

      • TradingView Premium Desktop.exe (PID: 3836)

    • Loads dropped or rewritten executable

      • TradingView Premium Desktop.exe (PID: 3836)
      • tasklist.exe (PID: 7536)
      • tasklist.exe (PID: 4192)
      • Driven.com (PID: 7748)
      • FileCoAuth.exe (PID: 7284)

    • Connects to the CnC server

      • svchost.exe (PID: 2200)

    • LUMMA has been detected (SURICATA)

      • Driven.com (PID: 7748)
      • svchost.exe (PID: 2200)

    • LUMMA mutex has been found

      • Driven.com (PID: 7748)

    • AutoIt loader has been detected (YARA)

      • Driven.com (PID: 7748)

    • Steals credentials from Web Browsers

      • Driven.com (PID: 7748)

    • Actions looks like stealing of personal data

      • Driven.com (PID: 7748)

  • SUSPICIOUS

    • Process drops legitimate windows executable

      • WinRAR.exe (PID: 2764)

    • The process creates files with name similar to system file names

      • WinRAR.exe (PID: 2764)

    • Drops a system driver (possible attempt to evade defenses)

      • WinRAR.exe (PID: 2764)

    • Get information on the list of running processes

      • cmd.exe (PID: 3488)

    • Using 'findstr.exe' to search for text patterns in files and output

      • cmd.exe (PID: 3488)

    • Starts application with an unusual extension

      • cmd.exe (PID: 3488)

    • The executable file from the user directory is run by the CMD process

      • Driven.com (PID: 7748)

    • Starts the AutoIt3 executable file

      • cmd.exe (PID: 3488)

    • Reads security settings of Internet Explorer

      • TradingView Premium Desktop.exe (PID: 3836)

    • Executing commands from a ".bat" file

      • TradingView Premium Desktop.exe (PID: 3836)

    • Starts CMD.EXE for commands execution

      • TradingView Premium Desktop.exe (PID: 3836)

    • Contacting a server suspected of hosting an CnC

      • svchost.exe (PID: 2200)
      • Driven.com (PID: 7748)

    • There is functionality for taking screenshot (YARA)

      • Driven.com (PID: 7748)
      • TradingView Premium Desktop.exe (PID: 3836)

    • Searches for installed software

      • Driven.com (PID: 7748)

  • INFO

    • Checks supported languages

      • identity_helper.exe (PID: 7412)
      • extrac32.exe (PID: 4820)
      • Driven.com (PID: 7748)
      • TradingView Premium Desktop.exe (PID: 3836)

    • Reads Environment values

      • identity_helper.exe (PID: 7412)

    • Reads Microsoft Office registry keys

      • msedge.exe (PID: 1208)

    • Manual execution by a user

      • WinRAR.exe (PID: 2764)
      • TradingView Premium Desktop.exe (PID: 3836)

    • Application launched itself

      • msedge.exe (PID: 1208)
      • chrome.exe (PID: 1136)
      • chrome.exe (PID: 1732)
      • chrome.exe (PID: 7796)
      • chrome.exe (PID: 724)
      • msedge.exe (PID: 6236)
      • msedge.exe (PID: 4680)
      • msedge.exe (PID: 3752)
      • msedge.exe (PID: 2708)
      • msedge.exe (PID: 3688)

    • Reads the computer name

      • identity_helper.exe (PID: 7412)
      • TradingView Premium Desktop.exe (PID: 3836)
      • Driven.com (PID: 7748)
      • extrac32.exe (PID: 4820)

    • The sample compiled with english language support

      • WinRAR.exe (PID: 2764)

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 2764)

    • Reads the software policy settings

      • slui.exe (PID: 5576)
      • Driven.com (PID: 7748)

    • Checks proxy server information

      • slui.exe (PID: 5576)

    • The sample compiled with arabic language support

      • WinRAR.exe (PID: 2764)

    • The sample compiled with bulgarian language support

      • WinRAR.exe (PID: 2764)

    • The sample compiled with german language support

      • WinRAR.exe (PID: 2764)

    • The sample compiled with czech language support

      • WinRAR.exe (PID: 2764)

    • The sample compiled with russian language support

      • WinRAR.exe (PID: 2764)

    • The sample compiled with french language support

      • WinRAR.exe (PID: 2764)

    • The sample compiled with Italian language support

      • WinRAR.exe (PID: 2764)

    • The sample compiled with japanese language support

      • WinRAR.exe (PID: 2764)

    • The sample compiled with polish language support

      • WinRAR.exe (PID: 2764)

    • The sample compiled with portuguese language support

      • WinRAR.exe (PID: 2764)

    • The sample compiled with swedish language support

      • WinRAR.exe (PID: 2764)

    • The sample compiled with slovak language support

      • WinRAR.exe (PID: 2764)

    • The sample compiled with turkish language support

      • WinRAR.exe (PID: 2764)

    • The sample compiled with chinese language support

      • WinRAR.exe (PID: 2764)

    • Create files in a temporary directory

      • TradingView Premium Desktop.exe (PID: 3836)
      • extrac32.exe (PID: 4820)

    • The sample compiled with spanish language support

      • WinRAR.exe (PID: 2764)

    • The sample compiled with korean language support

      • WinRAR.exe (PID: 2764)

    • Reads mouse settings

      • Driven.com (PID: 7748)

    • Process checks computer location settings

      • TradingView Premium Desktop.exe (PID: 3836)

    • Reads the machine GUID from the registry

      • Driven.com (PID: 7748)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
253
Monitored processes
103
Malicious processes
5
Suspicious processes
0

Behavior graph

Click at the process to see the details
start msedge.exe msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs identity_helper.exe no specs identity_helper.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs slui.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs winrar.exe no specs msedge.exe no specs winrar.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs rundll32.exe no specs tradingview premium desktop.exe no specs cmd.exe no specs conhost.exe no specs tasklist.exe no specs findstr.exe no specs tasklist.exe no specs findstr.exe no specs extrac32.exe no specs findstr.exe no specs #LUMMA driven.com choice.exe no specs #LUMMA svchost.exe msedge.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs filecoauth.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
724"C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe
Driven.com
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
133.0.6943.127
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
856"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --disable-quic --string-annotations --always-read-main-dll --field-trial-handle=2792,i,5650008548375423453,11427156612870967644,262144 --variations-seed-version --mojo-platform-channel-handle=2824 /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1128"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --extension-process --renderer-sub-type=extension --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=4324,i,5650008548375423453,11427156612870967644,262144 --variations-seed-version --mojo-platform-channel-handle=4320 /prefetch:2C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1128\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1128"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.127 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ffc55ddfff8,0x7ffc55de0004,0x7ffc55de0010C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
133.0.6943.127
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
1136"C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe
Driven.com
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
133.0.6943.127
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
1208"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" "https://movefreephysio.com.sg/winsha/"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Exit code:
0
Version:
133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1732"C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe
Driven.com
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
133.0.6943.127
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
1840"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3172,i,747688135463936343,4982963131158000758,262144 --variations-seed-version --mojo-platform-channel-handle=3208 /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
133.0.6943.127
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\133.0.6943.127\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
1984"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.127 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ffc55ddfff8,0x7ffc55de0004,0x7ffc55de0010C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
133.0.6943.127
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
Total events
28 496
Read events
28 410
Write events
86
Delete events
0

Modification events

(PID) Process:(1208) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:writeName:failed_count
Value:
0
(PID) Process:(1208) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:writeName:state
Value:
2
(PID) Process:(1208) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:writeName:state
Value:
1
(PID) Process:(1208) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\StabilityMetrics
Operation:writeName:user_experience_metrics.stability.exited_cleanly
Value:
0
(PID) Process:(1208) msedge.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientStateMedium\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\LastWasDefault
Operation:writeName:S-1-5-21-1693682860-607145093-2874071422-1001
Value:
C8A089EA01972F00
(PID) Process:(1208) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowProperties\393992
Operation:writeName:WindowTabManagerFileMappingId
Value:
{13F95B46-79E1-4A8A-ABDF-5AB6819C85D8}
(PID) Process:(1208) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowProperties\393992
Operation:writeName:WindowTabManagerFileMappingId
Value:
{94362DB2-80EF-41DF-B5B7-E9C4F33B7626}
(PID) Process:(1208) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowProperties\393992
Operation:writeName:WindowTabManagerFileMappingId
Value:
{09BA153F-B165-428D-8163-BB0A16249B5A}
(PID) Process:(1208) msedge.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientStateMedium\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\LastWasDefault
Operation:writeName:S-1-5-21-1693682860-607145093-2874071422-1001
Value:
7548A8EA01972F00
(PID) Process:(1208) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\EdgeUpdate\Clients\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\Commands\on-logon-autolaunch
Operation:writeName:Enabled
Value:
0
Executable files
950
Suspicious files
1 220
Text files
892
Unknown types
203

Dropped files

PID
Process
Filename
Type
1208msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\ClientCertificates\LOG.old~RF175a55.TMP
MD5:
SHA256:
1208msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\ClientCertificates\LOG.old
MD5:
SHA256:
1208msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old~RF175a64.TMP
MD5:
SHA256:
1208msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old~RF175a74.TMP
MD5:
SHA256:
1208msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old
MD5:
SHA256:
1208msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old~RF175a84.TMP
MD5:
SHA256:
1208msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old
MD5:
SHA256:
1208msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old~RF175a93.TMP
MD5:
SHA256:
1208msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\LOG.old~RF175a93.TMP
MD5:
SHA256:
1208msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
30
TCP/UDP connections
184
DNS requests
171
Threats
20

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4580
msedge.exe
GET
200
150.171.28.11:80
http://edge.microsoft.com/browsernetworktime/time/1/current?cup2key=2:l40Vn5y7LZXScIHpET4COXXPsbxuyWnWhaXjY4mu2EE&cup2hreq=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
unknown
whitelisted
1268
svchost.exe
GET
200
23.48.23.173:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
1268
svchost.exe
GET
200
69.192.161.161:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
8016
SIHClient.exe
GET
200
69.192.161.161:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
2148
svchost.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
7632
svchost.exe
HEAD
200
199.232.214.172:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/bf8090eb-6e5c-4c51-9250-5bf9b46cf160?P1=1751142482&P2=404&P3=2&P4=iBTN4lAUh8REOMTCdqnuLssA9XqaXJJUhqe3IKNZa9qrE4eIULBh6zn2G24KShYnki3KcZxMcUBSjDYaptljMw%3d%3d
unknown
whitelisted
8016
SIHClient.exe
GET
200
69.192.161.161:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
7632
svchost.exe
GET
206
199.232.214.172:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/bf8090eb-6e5c-4c51-9250-5bf9b46cf160?P1=1751142482&P2=404&P3=2&P4=iBTN4lAUh8REOMTCdqnuLssA9XqaXJJUhqe3IKNZa9qrE4eIULBh6zn2G24KShYnki3KcZxMcUBSjDYaptljMw%3d%3d
unknown
whitelisted
7632
svchost.exe
GET
206
199.232.214.172:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/bf8090eb-6e5c-4c51-9250-5bf9b46cf160?P1=1751142482&P2=404&P3=2&P4=iBTN4lAUh8REOMTCdqnuLssA9XqaXJJUhqe3IKNZa9qrE4eIULBh6zn2G24KShYnki3KcZxMcUBSjDYaptljMw%3d%3d
unknown
whitelisted
7632
svchost.exe
HEAD
200
199.232.214.172:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/4c4fdee0-d69c-42b7-bf5c-3ec046e9dfc9?P1=1751142483&P2=404&P3=2&P4=CMzaDT7UgUrG5jjXxq%2fxYpYMNfV%2fZ%2bBXo37ZaT1%2fqS6hmuhspnZyAfBRItumnynzOgjxx5VnKWgIF4oNZ50%2bKg%3d%3d
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
5944
MoUsoCoreWorker.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
1268
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
3936
RUXIMICS.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
4580
msedge.exe
13.107.42.16:443
config.edge.skype.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
4580
msedge.exe
150.171.28.11:80
edge.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
4580
msedge.exe
101.100.235.120:443
movefreephysio.com.sg
Vodien Internet Solutions Pte Ltd
SG
unknown
4580
msedge.exe
150.171.28.11:443
edge.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
4580
msedge.exe
92.123.104.45:443
copilot.microsoft.com
Akamai International B.V.
DE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 4.231.128.59
  • 51.124.78.146
whitelisted
google.com
  • 172.217.16.206
whitelisted
edge.microsoft.com
  • 150.171.28.11
  • 150.171.27.11
whitelisted
config.edge.skype.com
  • 13.107.42.16
whitelisted
movefreephysio.com.sg
  • 101.100.235.120
unknown
copilot.microsoft.com
  • 92.123.104.45
  • 92.123.104.53
whitelisted
www.bing.com
  • 92.123.104.61
  • 92.123.104.17
  • 92.123.104.28
  • 92.123.104.11
  • 92.123.104.8
  • 92.123.104.30
  • 92.123.104.33
  • 92.123.104.40
  • 92.123.104.59
  • 2.16.241.201
  • 2.16.241.205
  • 2.16.241.218
  • 2.23.227.215
  • 2.23.227.208
whitelisted
update.googleapis.com
  • 142.250.181.227
whitelisted
edgeassetservice.azureedge.net
  • 13.107.253.45
whitelisted
crl.microsoft.com
  • 23.48.23.173
  • 23.48.23.159
  • 23.48.23.178
  • 23.48.23.181
  • 23.48.23.162
  • 23.48.23.166
  • 23.48.23.176
  • 23.48.23.190
  • 23.48.23.164
whitelisted

Threats

PID
Process
Class
Message
Unknown Traffic
ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)
2200
svchost.exe
Domain Observed Used for C2 Detected
ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (baviip .xyz)
7748
Driven.com
Not Suspicious Traffic
ET INFO OpenSSL Demo CA - Internet Widgits Pty (O)
7748
Driven.com
Domain Observed Used for C2 Detected
ET MALWARE Observed Win32/Lumma Stealer Related Domain (baviip .xyz) in TLS SNI
7748
Driven.com
Not Suspicious Traffic
ET INFO OpenSSL Demo CA - Internet Widgits Pty (O)
7748
Driven.com
Domain Observed Used for C2 Detected
ET MALWARE Observed Win32/Lumma Stealer Related Domain (baviip .xyz) in TLS SNI
7748
Driven.com
Domain Observed Used for C2 Detected
ET MALWARE Observed Win32/Lumma Stealer Related Domain (baviip .xyz) in TLS SNI
7748
Driven.com
Not Suspicious Traffic
ET INFO OpenSSL Demo CA - Internet Widgits Pty (O)
7748
Driven.com
Not Suspicious Traffic
ET INFO OpenSSL Demo CA - Internet Widgits Pty (O)
7748
Driven.com
Domain Observed Used for C2 Detected
ET MALWARE Observed Win32/Lumma Stealer Related Domain (baviip .xyz) in TLS SNI
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
https://movefreephysio.com.sg/winsha/