URL:

https://movefreephysio.com.sg/winsha/

Full analysis: https://app.any.run/tasks/1220ed76-7b99-4d36-ad5e-d4f6c5d402c2
Verdict: Malicious activity
Threats:

Lumma is an information stealer, developed using the C programming language. It is offered for sale as a malware-as-a-service, with several plans available. It usually targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malicious software regularly gets updates that improve and expand its functionality, making it a serious stealer threat.

Malware Trends Tracker     >>>
Analysis date: June 25, 2025, 20:53:02
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
autoit
lumma
stealer
autoit-loader
Indicators:
MD5:

CC43BCE39C78BA4CBD83B7D7000A069F

SHA1:

77CA2CAB575B379A6836A1CFE2D3ABC9E50D60A3

SHA256:

C585DB201D034255FBFB2E79C962A7F9F49BDADBEBCD92C2B7A50B7E645229EB

SSDEEP:

3:N8xmXP5OQSMLWNjn:2UXROQ/LWNj

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Executing a file with an untrusted certificate

      • TradingView Premium Desktop.exe (PID: 3836)

    • Loads dropped or rewritten executable

      • TradingView Premium Desktop.exe (PID: 3836)
      • tasklist.exe (PID: 7536)
      • tasklist.exe (PID: 4192)
      • Driven.com (PID: 7748)
      • FileCoAuth.exe (PID: 7284)

    • AutoIt loader has been detected (YARA)

      • Driven.com (PID: 7748)

    • LUMMA mutex has been found

      • Driven.com (PID: 7748)

    • LUMMA has been detected (SURICATA)

      • svchost.exe (PID: 2200)
      • Driven.com (PID: 7748)

    • Actions looks like stealing of personal data

      • Driven.com (PID: 7748)

    • Steals credentials from Web Browsers

      • Driven.com (PID: 7748)

    • Connects to the CnC server

      • svchost.exe (PID: 2200)

  • SUSPICIOUS

    • Process drops legitimate windows executable

      • WinRAR.exe (PID: 2764)

    • The process creates files with name similar to system file names

      • WinRAR.exe (PID: 2764)

    • Drops a system driver (possible attempt to evade defenses)

      • WinRAR.exe (PID: 2764)

    • Reads security settings of Internet Explorer

      • TradingView Premium Desktop.exe (PID: 3836)

    • Executing commands from a ".bat" file

      • TradingView Premium Desktop.exe (PID: 3836)

    • The executable file from the user directory is run by the CMD process

      • Driven.com (PID: 7748)

    • Starts application with an unusual extension

      • cmd.exe (PID: 3488)

    • Starts the AutoIt3 executable file

      • cmd.exe (PID: 3488)

    • There is functionality for taking screenshot (YARA)

      • TradingView Premium Desktop.exe (PID: 3836)
      • Driven.com (PID: 7748)

    • Get information on the list of running processes

      • cmd.exe (PID: 3488)

    • Using 'findstr.exe' to search for text patterns in files and output

      • cmd.exe (PID: 3488)

    • Starts CMD.EXE for commands execution

      • TradingView Premium Desktop.exe (PID: 3836)

    • Contacting a server suspected of hosting an CnC

      • svchost.exe (PID: 2200)
      • Driven.com (PID: 7748)

    • Searches for installed software

      • Driven.com (PID: 7748)

  • INFO

    • Application launched itself

      • msedge.exe (PID: 1208)
      • msedge.exe (PID: 2708)
      • chrome.exe (PID: 7796)
      • chrome.exe (PID: 724)
      • chrome.exe (PID: 1732)
      • msedge.exe (PID: 3752)
      • msedge.exe (PID: 3688)
      • msedge.exe (PID: 4680)
      • chrome.exe (PID: 1136)
      • msedge.exe (PID: 6236)

    • Checks supported languages

      • identity_helper.exe (PID: 7412)
      • extrac32.exe (PID: 4820)
      • Driven.com (PID: 7748)
      • TradingView Premium Desktop.exe (PID: 3836)

    • Reads the computer name

      • identity_helper.exe (PID: 7412)
      • TradingView Premium Desktop.exe (PID: 3836)
      • extrac32.exe (PID: 4820)
      • Driven.com (PID: 7748)

    • Reads Environment values

      • identity_helper.exe (PID: 7412)

    • Reads Microsoft Office registry keys

      • msedge.exe (PID: 1208)

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 2764)

    • Manual execution by a user

      • WinRAR.exe (PID: 2764)
      • TradingView Premium Desktop.exe (PID: 3836)

    • The sample compiled with english language support

      • WinRAR.exe (PID: 2764)

    • Checks proxy server information

      • slui.exe (PID: 5576)

    • Reads the software policy settings

      • slui.exe (PID: 5576)
      • Driven.com (PID: 7748)

    • The sample compiled with arabic language support

      • WinRAR.exe (PID: 2764)

    • The sample compiled with bulgarian language support

      • WinRAR.exe (PID: 2764)

    • The sample compiled with german language support

      • WinRAR.exe (PID: 2764)

    • The sample compiled with russian language support

      • WinRAR.exe (PID: 2764)

    • The sample compiled with czech language support

      • WinRAR.exe (PID: 2764)

    • The sample compiled with french language support

      • WinRAR.exe (PID: 2764)

    • The sample compiled with spanish language support

      • WinRAR.exe (PID: 2764)

    • The sample compiled with Italian language support

      • WinRAR.exe (PID: 2764)

    • The sample compiled with swedish language support

      • WinRAR.exe (PID: 2764)

    • The sample compiled with korean language support

      • WinRAR.exe (PID: 2764)

    • The sample compiled with japanese language support

      • WinRAR.exe (PID: 2764)

    • The sample compiled with polish language support

      • WinRAR.exe (PID: 2764)

    • The sample compiled with portuguese language support

      • WinRAR.exe (PID: 2764)

    • The sample compiled with slovak language support

      • WinRAR.exe (PID: 2764)

    • The sample compiled with turkish language support

      • WinRAR.exe (PID: 2764)

    • The sample compiled with chinese language support

      • WinRAR.exe (PID: 2764)

    • Create files in a temporary directory

      • TradingView Premium Desktop.exe (PID: 3836)
      • extrac32.exe (PID: 4820)

    • Process checks computer location settings

      • TradingView Premium Desktop.exe (PID: 3836)

    • Reads mouse settings

      • Driven.com (PID: 7748)

    • Reads the machine GUID from the registry

      • Driven.com (PID: 7748)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
253
Monitored processes
103
Malicious processes
5
Suspicious processes
0

Behavior graph

Click at the process to see the details
start msedge.exe msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs identity_helper.exe no specs identity_helper.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs slui.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs winrar.exe no specs msedge.exe no specs winrar.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs rundll32.exe no specs tradingview premium desktop.exe no specs cmd.exe no specs conhost.exe no specs tasklist.exe no specs findstr.exe no specs tasklist.exe no specs findstr.exe no specs extrac32.exe no specs findstr.exe no specs #LUMMA driven.com choice.exe no specs #LUMMA svchost.exe msedge.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs filecoauth.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
724"C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe
Driven.com
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
133.0.6943.127
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
856"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --disable-quic --string-annotations --always-read-main-dll --field-trial-handle=2792,i,5650008548375423453,11427156612870967644,262144 --variations-seed-version --mojo-platform-channel-handle=2824 /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1128"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --extension-process --renderer-sub-type=extension --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=4324,i,5650008548375423453,11427156612870967644,262144 --variations-seed-version --mojo-platform-channel-handle=4320 /prefetch:2C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1128\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1128"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.127 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ffc55ddfff8,0x7ffc55de0004,0x7ffc55de0010C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
133.0.6943.127
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
1136"C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe
Driven.com
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
133.0.6943.127
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
1208"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" "https://movefreephysio.com.sg/winsha/"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Exit code:
0
Version:
133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1732"C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe
Driven.com
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
133.0.6943.127
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
1840"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3172,i,747688135463936343,4982963131158000758,262144 --variations-seed-version --mojo-platform-channel-handle=3208 /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
133.0.6943.127
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\133.0.6943.127\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
1984"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.127 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ffc55ddfff8,0x7ffc55de0004,0x7ffc55de0010C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
133.0.6943.127
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
Total events
28 496
Read events
28 410
Write events
86
Delete events
0

Modification events

(PID) Process:(1208) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:writeName:failed_count
Value:
0
(PID) Process:(1208) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:writeName:state
Value:
2
(PID) Process:(1208) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:writeName:state
Value:
1
(PID) Process:(1208) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\StabilityMetrics
Operation:writeName:user_experience_metrics.stability.exited_cleanly
Value:
0
(PID) Process:(1208) msedge.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientStateMedium\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\LastWasDefault
Operation:writeName:S-1-5-21-1693682860-607145093-2874071422-1001
Value:
C8A089EA01972F00
(PID) Process:(1208) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowProperties\393992
Operation:writeName:WindowTabManagerFileMappingId
Value:
{13F95B46-79E1-4A8A-ABDF-5AB6819C85D8}
(PID) Process:(1208) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowProperties\393992
Operation:writeName:WindowTabManagerFileMappingId
Value:
{94362DB2-80EF-41DF-B5B7-E9C4F33B7626}
(PID) Process:(1208) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowProperties\393992
Operation:writeName:WindowTabManagerFileMappingId
Value:
{09BA153F-B165-428D-8163-BB0A16249B5A}
(PID) Process:(1208) msedge.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientStateMedium\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\LastWasDefault
Operation:writeName:S-1-5-21-1693682860-607145093-2874071422-1001
Value:
7548A8EA01972F00
(PID) Process:(1208) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\EdgeUpdate\Clients\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\Commands\on-logon-autolaunch
Operation:writeName:Enabled
Value:
0
Executable files
950
Suspicious files
1 220
Text files
892
Unknown types
203

Dropped files

PID
Process
Filename
Type
1208msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\ClientCertificates\LOG.old~RF175a55.TMP
MD5:
SHA256:
1208msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\ClientCertificates\LOG.old
MD5:
SHA256:
1208msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old~RF175a64.TMP
MD5:
SHA256:
1208msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old~RF175a74.TMP
MD5:
SHA256:
1208msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old
MD5:
SHA256:
1208msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old~RF175a84.TMP
MD5:
SHA256:
1208msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old
MD5:
SHA256:
1208msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old~RF175a93.TMP
MD5:
SHA256:
1208msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\LOG.old~RF175a93.TMP
MD5:
SHA256:
1208msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
30
TCP/UDP connections
184
DNS requests
171
Threats
20

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1268
svchost.exe
GET
200
69.192.161.161:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
8016
SIHClient.exe
GET
200
69.192.161.161:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
4580
msedge.exe
GET
200
150.171.28.11:80
http://edge.microsoft.com/browsernetworktime/time/1/current?cup2key=2:l40Vn5y7LZXScIHpET4COXXPsbxuyWnWhaXjY4mu2EE&cup2hreq=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
unknown
whitelisted
2148
svchost.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
1268
svchost.exe
GET
200
23.48.23.173:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
7632
svchost.exe
HEAD
200
199.232.214.172:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/03b2d981-4f59-42a6-8f9a-a2b6278a0020?P1=1751142482&P2=404&P3=2&P4=Qso62c3rtLRVUMCIuXLFQaLzzjn72eRTnrEMPa67pfkqKgsIJuUMXivpZ%2bP6%2ba%2f%2faimnEYkyI%2buUfjkSDtJ3Kg%3d%3d
unknown
whitelisted
8016
SIHClient.exe
GET
200
69.192.161.161:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
7632
svchost.exe
HEAD
200
199.232.214.172:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/2ef98485-cbad-4d99-b4c2-cd4abac73fb4?P1=1751142482&P2=404&P3=2&P4=T7RNTxncI9cz0N8h21I%2fD0x1T%2f44QCuceuAinkg4ibFrjKP9yVYfQnECxeIhu9t5lCdBS9I2oLbVgbi9IojJcQ%3d%3d
unknown
whitelisted
7632
svchost.exe
HEAD
200
199.232.214.172:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/9244b52a-55cc-41a2-b7c4-7f4983d8753c?P1=1751142483&P2=404&P3=2&P4=iTlMp2TRCVkhIClsl4cHrhtaBq4%2fMJWToJ7NAm1yOJb9fBG7mdyvR49IZPJH52wWVe0KERyzQlq4%2fr8rP8rO9A%3d%3d
unknown
whitelisted
7632
svchost.exe
GET
200
199.232.214.172:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/9244b52a-55cc-41a2-b7c4-7f4983d8753c?P1=1751142483&P2=404&P3=2&P4=iTlMp2TRCVkhIClsl4cHrhtaBq4%2fMJWToJ7NAm1yOJb9fBG7mdyvR49IZPJH52wWVe0KERyzQlq4%2fr8rP8rO9A%3d%3d
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
5944
MoUsoCoreWorker.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
1268
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
3936
RUXIMICS.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
4580
msedge.exe
13.107.42.16:443
config.edge.skype.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
4580
msedge.exe
150.171.28.11:80
edge.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
4580
msedge.exe
101.100.235.120:443
movefreephysio.com.sg
Vodien Internet Solutions Pte Ltd
SG
unknown
4580
msedge.exe
150.171.28.11:443
edge.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
4580
msedge.exe
92.123.104.45:443
copilot.microsoft.com
Akamai International B.V.
DE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 4.231.128.59
  • 51.124.78.146
whitelisted
google.com
  • 172.217.16.206
whitelisted
edge.microsoft.com
  • 150.171.28.11
  • 150.171.27.11
whitelisted
config.edge.skype.com
  • 13.107.42.16
whitelisted
movefreephysio.com.sg
  • 101.100.235.120
unknown
copilot.microsoft.com
  • 92.123.104.45
  • 92.123.104.53
whitelisted
www.bing.com
  • 92.123.104.61
  • 92.123.104.17
  • 92.123.104.28
  • 92.123.104.11
  • 92.123.104.8
  • 92.123.104.30
  • 92.123.104.33
  • 92.123.104.40
  • 92.123.104.59
  • 2.16.241.201
  • 2.16.241.205
  • 2.16.241.218
  • 2.23.227.215
  • 2.23.227.208
whitelisted
update.googleapis.com
  • 142.250.181.227
whitelisted
edgeassetservice.azureedge.net
  • 13.107.253.45
whitelisted
crl.microsoft.com
  • 23.48.23.173
  • 23.48.23.159
  • 23.48.23.178
  • 23.48.23.181
  • 23.48.23.162
  • 23.48.23.166
  • 23.48.23.176
  • 23.48.23.190
  • 23.48.23.164
whitelisted

Threats

PID
Process
Class
Message
Unknown Traffic
ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)
2200
svchost.exe
Domain Observed Used for C2 Detected
ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (baviip .xyz)
7748
Driven.com
Not Suspicious Traffic
ET INFO OpenSSL Demo CA - Internet Widgits Pty (O)
7748
Driven.com
Domain Observed Used for C2 Detected
ET MALWARE Observed Win32/Lumma Stealer Related Domain (baviip .xyz) in TLS SNI
7748
Driven.com
Not Suspicious Traffic
ET INFO OpenSSL Demo CA - Internet Widgits Pty (O)
7748
Driven.com
Domain Observed Used for C2 Detected
ET MALWARE Observed Win32/Lumma Stealer Related Domain (baviip .xyz) in TLS SNI
7748
Driven.com
Domain Observed Used for C2 Detected
ET MALWARE Observed Win32/Lumma Stealer Related Domain (baviip .xyz) in TLS SNI
7748
Driven.com
Not Suspicious Traffic
ET INFO OpenSSL Demo CA - Internet Widgits Pty (O)
7748
Driven.com
Not Suspicious Traffic
ET INFO OpenSSL Demo CA - Internet Widgits Pty (O)
7748
Driven.com
Domain Observed Used for C2 Detected
ET MALWARE Observed Win32/Lumma Stealer Related Domain (baviip .xyz) in TLS SNI
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
https://movefreephysio.com.sg/winsha/