Malware analysis https://track.pstmrk.it/3ts/gamma.app/JjV-/QTm9AQ/AQ/adf663ab-e4ca-4790-8edc-82e0c67b20c8/1/Gu4NZjKk7r Malicious activity

Add for printing

URL:	https://track.pstmrk.it/3ts/gamma.app/JjV-/QTm9AQ/AQ/adf663ab-e4ca-4790-8edc-82e0c67b20c8/1/Gu4NZjKk7r
Full analysis:	https://app.any.run/tasks/af4dcbb9-6a13-40ec-8614-e5724328ddf0
Verdict:	Malicious activity
Analysis date:	May 10, 2025, 01:52:13
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	phishing websocket
MD5:	1648CD9CBC63A1B1EAB4AB6B6D6CB7A0
SHA1:	7649760B3AE4519DFB518FED10D0FDA14C1A2827
SHA256:	55777F4D41839D61DDD0E70B6A4AD48955E174DF2EED7F991282FA8A8FCDD9AE
SSDEEP:	3:N8fv83RQE10Vk0p/sWABGzRVRTzRrm:2n8hQ3//shGBfRa

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Add for printing

MALICIOUS
No malicious indicators.
SUSPICIOUS
No suspicious indicators.
INFO
No info indicators.

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

155

Monitored processes

1

Malicious processes

0

Suspicious processes

0

Behavior graph

Click at the process to see the details

Process information

PID	CMD	Path	Indicators	Parent process
1396	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --webtransport-developer-mode --no-appcompat-clear --mojo-platform-channel-handle=2532 --field-trial-handle=2372,i,8504447382059928769,14367336096275567116,262144 --variations-seed-version /prefetch:3	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe		msedge.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Edge Version: 122.0.2365.59

Add for printing

Total events

0

Read events

0

Write events

0

Delete events

0

Modification events

No data

Add for printing

Executable files

5

Suspicious files

95

Text files

30

Unknown types

3

Dropped files

PID	Process	Filename		Type
1396	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000bd		binary
		MD5:671E5511F5F667E1102B5C1E04D4190A	SHA256:1E654302AF010F94C994F3980F582B7748E727771C6492A7EEB14BB400D8DC2A
1396	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State		binary
		MD5:50823AF426E5FA5F5641C1004F470D3E	SHA256:599163927CC9E5640C868AEDD3B0B6EC79E6513970504124E417922D8AAAB7C3
1396	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000bb		compressed
		MD5:10B84D6DDEFB33D0D3F0615CA3E91C5A	SHA256:C69A6E50A300D39721F9AE8FC5B40600DD90093F65E3A4650C9540C58C071144
1396	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State~RF139250.TMP		binary
		MD5:50823AF426E5FA5F5641C1004F470D3E	SHA256:599163927CC9E5640C868AEDD3B0B6EC79E6513970504124E417922D8AAAB7C3
1396	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000bc		binary
		MD5:66D76C4644B6C4024B96531C1FF8EE64	SHA256:B6685D3E5394FCF2BE0CB5EE027C13989480925141771F03536C2C9A1FAD7D0E
1396	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000c1		binary
		MD5:E2F572937964E599D9ACDEE37203F8B1	SHA256:A2FE26617356A7E387016C35317A786B6DAB99DB1F8ED2994DCF1E23FFF272FB
1396	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000c0		binary
		MD5:0806F2DFF681C394B6CA341D5AA6572E	SHA256:86F876127D7F6EC4015FA945AE3F318A915F6CFE1D75E26C239093C0C918DC9D
1396	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000ca		image
		MD5:7D7F2BEC71308F7D4CFDBDFA0A264C88	SHA256:37919F25D2185DE55D966B028267B85DBE46BCBF4EDCE9864CD19118C97F0390
1396	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000c3		binary
		MD5:F6852936326156C86AD25E8848F1BE85	SHA256:E4DF300DE4AB671A293859B9795E182038CB1D7DEAB72261BA31FE298435282E
1396	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000bf		binary
		MD5:0C3E693586754A02975071A720746336	SHA256:2C608D956FB5138EF176B125E04E3E4961799E92C2928DFFCD9BA05BBF812565

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

199

TCP/UDP connections

339

DNS requests

171

Threats

12

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	302	3.13.46.171:443	https://track.pstmrk.it/3ts/gamma.app/JjV-/QTm9AQ/AQ/adf663ab-e4ca-4790-8edc-82e0c67b20c8/1/Gu4NZjKk7r	unknown	—	—	—
—	—	GET	302	3.13.46.171:443	https://track.pstmrk.it/3ts/gamma.app/JjV-/QTm9AQ/AQ/adf663ab-e4ca-4790-8edc-82e0c67b20c8/1/Gu4NZjKk7r	unknown	—	—	—
3080	MoUsoCoreWorker.exe	GET	200	2.16.164.120:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
1032	RUXIMICS.exe	GET	200	2.16.164.120:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
5896	svchost.exe	GET	200	2.16.164.120:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
5896	svchost.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
1032	RUXIMICS.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
3080	MoUsoCoreWorker.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	POST	400	20.190.160.128:443	https://login.live.com/ppsecure/deviceaddcredential.srf	unknown	text	203 b	whitelisted
—	—	POST	403	184.30.21.171:443	https://go.microsoft.com/fwlink/?LinkID=2257403&clcid=0x409	unknown	html	386 b	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	239.255.255.250:1900	—	—	—	whitelisted
3080	MoUsoCoreWorker.exe	40.127.240.158:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
1032	RUXIMICS.exe	40.127.240.158:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
5896	svchost.exe	40.127.240.158:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
1396	msedge.exe	54.155.60.93:443	track.pstmrk.it	AMAZON-02	IE	shared
4404	svchost.exe	40.126.31.0:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
1396	msedge.exe	104.18.10.200:443	gamma.app	CLOUDFLARENET	—	suspicious
5896	svchost.exe	2.16.164.120:80	crl.microsoft.com	Akamai International B.V.	NL	whitelisted
3080	MoUsoCoreWorker.exe	2.16.164.120:80	crl.microsoft.com	Akamai International B.V.	NL	whitelisted
1032	RUXIMICS.exe	2.16.164.120:80	crl.microsoft.com	Akamai International B.V.	NL	whitelisted

DNS requests

Domain	IP	Reputation
google.com	142.250.185.78	whitelisted
track.pstmrk.it	54.155.60.93 54.154.85.144 52.18.252.197	shared
login.live.com	40.126.31.0 40.126.31.67 20.190.159.0 40.126.31.1 20.190.159.128 20.190.159.2 40.126.31.73 20.190.159.130	whitelisted
gamma.app	104.18.10.200 104.18.11.200	unknown
crl.microsoft.com	2.16.164.120 2.16.164.49 2.16.164.72 23.216.77.4 23.216.77.29 23.216.77.21 23.216.77.18 23.216.77.15 23.216.77.20 23.216.77.23 23.216.77.38 23.216.77.17	whitelisted
www.microsoft.com	95.101.149.131 184.30.21.171	whitelisted
settings-win.data.microsoft.com	20.73.194.208 51.104.136.2	whitelisted
www.bing.com	104.126.37.131 104.126.37.145 2.16.241.218 2.16.241.201 2.23.227.215 2.23.227.208	whitelisted
go.microsoft.com	184.30.18.9	whitelisted
challenges.cloudflare.com	104.18.95.41 104.18.94.41	whitelisted

Threats

PID	Process	Class	Message
—	—	Possible Social Engineering Attempted	PHISHING [ANY.RUN] Suspected Phishing Gamma app
—	—	Possible Social Engineering Attempted	PHISHING [ANY.RUN] Suspected Phishing Gamma app
—	—	Not Suspicious Traffic	INFO [ANY.RUN] Cloudflare turnstile CAPTCHA challenge
—	—	Possible Social Engineering Attempted	PHISHING [ANY.RUN] Suspected Phishing Gamma app
—	—	Possible Social Engineering Attempted	PHISHING [ANY.RUN] Suspected Phishing Gamma app
—	—	Possible Social Engineering Attempted	PHISHING [ANY.RUN] Suspected Phishing Gamma app
—	—	Not Suspicious Traffic	INFO [ANY.RUN] Cloudflare turnstile CAPTCHA challenge
—	—	Possible Social Engineering Attempted	PHISHING [ANY.RUN] Suspected Phishing Gamma app
—	—	Not Suspicious Traffic	INFO [ANY.RUN] An application monitoring request to sentry .io
—	—	Not Suspicious Traffic	INFO [ANY.RUN] An application monitoring request to sentry .io

Add for printing

No debug info

General Info

https://track.pstmrk.it/3ts/gamma.app/JjV-/QTm9AQ/AQ/adf663ab-e4ca-4790-8edc-82e0c67b20c8/1/Gu4NZjKk7r

1648CD9CBC63A1B1EAB4AB6B6D6CB7A0

7649760B3AE4519DFB518FED10D0FDA14C1A2827

55777F4D41839D61DDD0E70B6A4AD48955E174DF2EED7F991282FA8A8FCDD9AE

3:N8fv83RQE10Vk0p/sWABGzRVRTzRrm:2n8hQ3//shGBfRa

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

SUSPICIOUS

INFO

Malware configuration

Static information

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings