URL: https://52f1897b.5648702dd4d5255cab645104.workers.dev

Full analysis: https://app.any.run/tasks/6ea4ea62-c8c1-4068-9759-d22da7497f7f
Verdict: Malicious activity
Analysis date: January 10, 2025, 20:06:23
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: phishing
Indicators:
MD5: EE8A79C1E32645A2E00EEEF02DF288F1
SHA1: DC3A0E09BFF58BBF5816D76847CE03793AE2296F
SHA256: 3E073301A390F0698BE79F254C3D78BBAF5FED8B6715A0CF62AE3350A288D3CE
SSDEEP: 3:N8oIVVtcRQUVR9fw2:2oIVV+zVR9fw2

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • PHISHING has been detected (SURICATA)
      • msedge.exe (PID: 7172)
  • SUSPICIOUS
    • No suspicious indicators.
  • INFO
    • No info indicators.
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 149
Monitored processes: 1
Malicious processes: 1
Suspicious processes: 0

Behavior graph

#PHISHING msedge.exe

Process information

PID: 7172
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --webtransport-developer-mode --no-appcompat-clear --mojo-platform-channel-handle=2496 --field-trial-handle=2204,i,13280900864495260754,3672259324373187194,262144 --variations-seed-version /prefetch:3
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Indicators: -
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Edge
Version: 122.0.2365.59
Total events: 0
Read events: 0
Write events: 0
Delete events: 0

Modification events: No data
Executable files: 2
Suspicious files: 16
Text files: 1
Unknown types: 0

Dropped files (all written by msedge.exe, PID 7172)

Filename | Type | MD5 | SHA256
C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_000101 | text | 19214F6C8641D8C436C4790098832DA8 | 16AD7BB6AEB8F7180CAB732DFDCB31DF27D8243C362D2662CA65DFAD0FB7456C
C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\6c693013-5d6e-4108-8945-90c4fe881db9.tmp | binary | 0D9304AB8028D15A37D9AE22AF343757 | CF933FFCCEC57C66C9AE875B23A5C6D0D69465146F5C6CE86E6625A2EF6DCE4F
C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\df93be02-17b2-47d5-aef2-26581340d13e.tmp | binary | 372AF91CB6E57F2670975815F270D0AA | 16E9720FCA9E55E9DEBDB546300BA4C5D73A71DE3783FD0C7CA7E30084B6C8E1
C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State~RF295740.TMP | binary | D0453075479429FE52D8FB780A7DA8E9 | 574112CCCB36E004E93B2BCBBA7F6CEB8FF3B12E3E462BEF80F1B57044E035B1
C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State~RF2a57e7.TMP | binary | 372AF91CB6E57F2670975815F270D0AA | 16E9720FCA9E55E9DEBDB546300BA4C5D73A71DE3783FD0C7CA7E30084B6C8E1
C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000fc | binary | 311F1298863858C8334BD7A8A0E34014 | 846351F83ED17838A1DE223EAD4E9900D1E127B3243695DAF5A4988E965C44CC
C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\TransportSecurity~RF298804.TMP | binary | 0D9304AB8028D15A37D9AE22AF343757 | CF933FFCCEC57C66C9AE875B23A5C6D0D69465146F5C6CE86E6625A2EF6DCE4F
C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_000100 | text | CD9AC9A4C2703363869B800C9E6D9C7E | E30BD8D95F16750B95765CF9B5349E04EC689877CB672EA0CFD0136B9CB01949
C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State | binary | 372AF91CB6E57F2670975815F270D0AA | 16E9720FCA9E55E9DEBDB546300BA4C5D73A71DE3783FD0C7CA7E30084B6C8E1
C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\TransportSecurity~RF295730.TMP | binary | D2615E0C4F6C46045EDB3EAA0ACE252A | 48EFA073914F67BCCE305DECBC121BE7FA6D343982BE00A666B4C5FB6A30A7A9
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 48
TCP/UDP connections: 64
DNS requests: 59
Threats: 18

HTTP requests (empty cells in the report are shown as "-")

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
- | - | GET | 302 | 104.18.94.41:443 | https://challenges.cloudflare.com/turnstile/v0/api.js?onload=onloadTurnstileCallback | unknown | - | - | -
3024 | svchost.exe | HEAD | 200 | 23.32.238.105:80 | http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/d50ccf3e-dd06-4e6f-bb20-931c8ce33527?P1=1736816725&P2=404&P3=2&P4=AQ9V5v6xyFY6FAPwzfm0W2uUkymmbb6EVRMNJrbjw3aFf6cfcvXMaw1JopKk8SfmBsm1zcn%2b3UA5ith44Qh4tQ%3d%3d | unknown | - | - | whitelisted
- | - | GET | 302 | 104.18.94.41:443 | https://challenges.cloudflare.com/turnstile/v0/api.js?onload=onloadTurnstileCallback | unknown | - | - | -
3024 | svchost.exe | GET | 206 | 23.32.238.105:80 | http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/d50ccf3e-dd06-4e6f-bb20-931c8ce33527?P1=1736816725&P2=404&P3=2&P4=AQ9V5v6xyFY6FAPwzfm0W2uUkymmbb6EVRMNJrbjw3aFf6cfcvXMaw1JopKk8SfmBsm1zcn%2b3UA5ith44Qh4tQ%3d%3d | unknown | - | - | whitelisted
- | - | OPTIONS | 200 | 192.0.78.26:443 | https://en-repooficeairfix.icu/?ctsllixw | unknown | - | - | -
- | - | GET | 302 | 192.0.78.27:443 | https://portal365verf02.top/?dataXX0=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1cmwiOiJodHRwczovL3BvcnRhbDM2NXZlcmYwMi50b3AvIiwiZG9tYWluIjoicG9ydGFsMzY1dmVyZjAyLnRvcCIsImtleSI6ImVzcTByOGE5aVJsaSIsInFyYyI6bnVsbCwiaWF0IjoxNzM2NTM5NjA0LCJleHAiOjE3MzY1Mzk3MjR9.uItHw4DOqfZsJkRfAqEx8c7Yizxt0bIU4pPniTDHmmw | unknown | - | - | -
- | - | GET | - | 192.0.78.26:443 | https://portal365verf02.top/ | unknown | - | - | -
3024 | svchost.exe | GET | 206 | 23.32.238.105:80 | http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/d50ccf3e-dd06-4e6f-bb20-931c8ce33527?P1=1736816725&P2=404&P3=2&P4=AQ9V5v6xyFY6FAPwzfm0W2uUkymmbb6EVRMNJrbjw3aFf6cfcvXMaw1JopKk8SfmBsm1zcn%2b3UA5ith44Qh4tQ%3d%3d | unknown | - | - | whitelisted
3024 | svchost.exe | GET | 206 | 23.32.238.105:80 | http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/d50ccf3e-dd06-4e6f-bb20-931c8ce33527?P1=1736816725&P2=404&P3=2&P4=AQ9V5v6xyFY6FAPwzfm0W2uUkymmbb6EVRMNJrbjw3aFf6cfcvXMaw1JopKk8SfmBsm1zcn%2b3UA5ith44Qh4tQ%3d%3d | unknown | - | - | whitelisted
- | - | GET | 200 | 104.18.95.41:443 | https://challenges.cloudflare.com/cdn-cgi/challenge-platform/h/b/turnstile/if/ov2/av0/rcv/811gq/0x4AAAAAAA44TVMLbqDkCk-m/auto/fbE/normal/auto/ | unknown | html | 26.0 Kb | whitelisted

Connections (empty cells in the report are shown as "-")

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 239.255.255.250:1900 | - | - | - | whitelisted
3664 | RUXIMICS.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3080 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4724 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4668 | msedge.exe | 224.0.0.251:5353 | - | - | - | unknown
7172 | msedge.exe | 172.67.208.94:443 | 52f1897b.5648702dd4d5255cab645104.workers.dev | - | - | shared
7172 | msedge.exe | 104.126.37.152:443 | www.bing.com | Akamai International B.V. | DE | whitelisted
7172 | msedge.exe | 104.18.95.41:443 | challenges.cloudflare.com | - | - | whitelisted
7172 | msedge.exe | 13.107.246.45:443 | xpaywalletcdn.azureedge.net | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
7172 | msedge.exe | 104.18.94.41:443 | challenges.cloudflare.com | CLOUDFLARENET | - | whitelisted

DNS requests

Domain | IP | Reputation
google.com | 142.250.185.206 | whitelisted
www.bing.com | 104.126.37.152, 104.126.37.146, 104.126.37.130, 104.126.37.131, 104.126.37.123, 104.126.37.129, 104.126.37.138, 104.126.37.186, 104.126.37.154, 104.126.37.178, 104.126.37.144, 104.126.37.163, 104.126.37.176, 104.126.37.139, 104.126.37.161, 104.126.37.155, 104.126.37.153 | whitelisted
52f1897b.5648702dd4d5255cab645104.workers.dev | 172.67.208.94, 104.21.42.188 | shared
challenges.cloudflare.com | 104.18.95.41, 104.18.94.41 | whitelisted
xpaywalletcdn.azureedge.net | 13.107.246.45 | whitelisted
settings-win.data.microsoft.com | 4.231.128.59, 20.73.194.208 | whitelisted
go.microsoft.com | 23.35.238.131 | whitelisted
edge.microsoft.com | 13.107.21.239, 204.79.197.239 | whitelisted
msedge.b.tlu.dl.delivery.mp.microsoft.com | 23.32.238.105, 2.19.198.41, 23.32.238.152, 23.32.238.98, 23.32.238.99, 2.16.168.112, 2.16.168.108, 84.201.210.23, 217.20.57.36, 217.20.57.35, 217.20.57.34, 217.20.57.18, 217.20.57.20, 84.201.210.39, 217.20.57.19 | whitelisted
en-repooficeairfix.icu | 178.215.224.116 | unknown

Threats (the PID and Process columns are empty for every row in the report)

Class | Message
Not Suspicious Traffic | INFO [ANY.RUN] DNS Query to Cloudflare Worker App
Not Suspicious Traffic | INFO [ANY.RUN] DNS Query to Cloudflare Worker App
Misc activity | ET INFO Observed DNS Query to Cloudflare workers.dev Domain
Misc activity | ET INFO Observed DNS Query to Cloudflare workers.dev Domain
Possible Social Engineering Attempted | PHISHING [ANY.RUN] Suspicious Cloudflare Worker Name observed in Phishing (TLS SNI)
Misc activity | ET INFO Observed Cloudflare workers.dev Domain in TLS SNI
Not Suspicious Traffic | INFO [ANY.RUN] DNS Query to Cloudflare Worker App
Not Suspicious Traffic | INFO [ANY.RUN] DNS Query to Cloudflare Worker App
Misc activity | ET INFO Observed DNS Query to Cloudflare workers.dev Domain
Misc activity | ET INFO Observed DNS Query to Cloudflare workers.dev Domain
No debug info