URL:

https://tracking.kvo1.io/enSVbg

Full analysis: https://app.any.run/tasks/e7236def-3755-4252-a9d9-a50d6dfa61bc
Verdict: Malicious activity
Threats:

EvilProxy is a phishing-as-a-service (PhaaS) platform that enables cybercriminals to bypass multi-factor authentication (MFA) and hijack user sessions. It leverages reverse proxy techniques to harvest credentials and session cookies, posing a serious threat to both individuals and enterprises.

Analysis date: March 15, 2026, 21:00:22
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: phishing, evilproxy
Indicators:
MD5: D649FEE7A78AC8BDDBDC075DA8135BD0
SHA1: 596C623AB9E6B140EAE015C3CA5B1BA888CED0EF
SHA256: 55ABDA2C9935DD6976C4550DAAE7536F0C31267D16D97995D373D9B7A991419B
SSDEEP: 3:N8fvjDPUi:2nci

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • PHISHING has been detected (SURICATA)

      • msedge.exe (PID: 6612)
  • SUSPICIOUS

    No suspicious indicators.
  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 156
Monitored processes: 1
Malicious processes: 1
Suspicious processes: 0

Behavior graph

#PHISHING msedge.exe

Process information

PID: 6612
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --disable-quic --webtransport-developer-mode --string-annotations --always-read-main-dll --field-trial-handle=2268,i,4483529040041015744,4079588458005810556,262144 --variations-seed-version --mojo-platform-channel-handle=2612 /prefetch:3
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Edge
Version: 133.0.3065.92
Total events: 0
Read events: 0
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 0
Suspicious files: 14
Text files: 3
Unknown types: 0

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
6612 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000b6 | binary | 3E48438A3BB8BDF3B337D171970E0979 | DDD7E8FC642C0A979AEB2F403BD6F50437DC52F13B2DC19113B895BF76377457
6612 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State | text | F054A7D6E382DF24018FE84986B710A2 | 4E5235C6B40BCE6C5FD0554D554FCDB38E8016DCDDFA9CAB63103407CAF8DAEB
6612 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000b7 | compressed | F3AD19FDBD15A27B32A4D25E49CC266E | 3A657EDDEC2905CE29950E37A3CC78C6839AFC858FE26A89490A1502BE032D13
6612 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State~RF13c0c3.TMP | text | 8CA6AC4CD0D4F8B2EA5A9FC6FD4311D7 | EE810A451AEA499C3D6F89EDB840ED025DF0937874485A211A3BB39F915F4EA0
6612 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000b9 | binary | 260C81A4759BAF163C025001C4F27872 | 3100E775E8616CD2611BEECFA23A4263D7037586789B43F035236A2E6FBD4C62
6612 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000bc | compressed | 35F6E927B743E5C51EDC69E69172B68C | D6B61E8C88E8CC9F68AC4A914301687BFE6459A306FBC068C4B86D502829A43A
6612 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\9262c960-468a-4142-aba7-54483ea4116e.tmp | text | F054A7D6E382DF24018FE84986B710A2 | 4E5235C6B40BCE6C5FD0554D554FCDB38E8016DCDDFA9CAB63103407CAF8DAEB
6612 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000ba | compressed | 1C0D6AB57F7F9489916221BE190ACF48 | D558E9CC4B05F7F83F124570D2E026CE8FA24F85E0830AFAA152C1B0634CF900
6612 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000c0 | compressed | E6F9C2D5A74A3E5D1F4EC8A81C969438 | 0BEB2B49EB3C530408AB26D852F699CFB133F7C45E5DDFAB26BE9F506C30D552
6612 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000b5 | binary | 21AD0BDC35C8AEC1364003FDB4FEE011 | ABCC6EA2A48809CDDD125CD93C43F7352CC910B527CC2EE0B50FE4864B039ECC
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 108
TCP/UDP connections: 84
DNS requests: 74
Threats: 31

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
6244 | svchost.exe | HEAD | 200 | 23.197.142.186:443 | https://fs.microsoft.com/fs/windows/config.json | unknown | | | whitelisted
3792 | RUXIMICS.exe | GET | 304 | 40.127.240.158:443 | https://settings-win.data.microsoft.com/settings/v3.0/WSD/RUXIM?os=Windows&osVer=10.0.19045.4046.amd64fre.vb_release.191206-1406&sku=48&deviceClass=Windows.Desktop&locale=en-US&deviceId=s:BAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&sampleId=s:95271487&appVer=10.0.19041.3623&OSVersionFull=10.0.19045.4046.amd64fre.vb_release.191206-1406&FlightRing=Retail&AttrDataVer=188&App=RUXIM&AppVer=&DeviceFamily=Windows.Desktop | unknown | | | whitelisted
5336 | MoUsoCoreWorker.exe | GET | 304 | 40.127.240.158:443 | https://settings-win.data.microsoft.com/settings/v3.0/wsd/muse?ProcessorClockSpeed=3593&FlightIds=&UpdateOfferedDays=344&BranchReadinessLevel=CB&OEMManufacturerName=DELL&IsCloudDomainJoined=0&ProcessorIdentifier=AMD64%20Family%206%20Model%2014%20Stepping%203&sku=48&ActivationChannel=Retail&AttrDataVer=188&IsMDMEnrolled=0&ProcessorCores=4&ProcessorModel=Intel%28R%29%20Core%28TM%29%20i5-6400%20CPU%20%40%202.70GHz&TotalPhysicalRAM=4096&PrimaryDiskType=4294967295&FlightingBranchName=&ChassisTypeId=1&OEMModelNumber=DELL&SystemVolumeTotalCapacity=260246&sampleId=95271487&deviceClass=Windows.Desktop&App=muse&DisableDualScan=0&AppVer=10.0&OEMSubModel=J5CR&locale=en-US&IsAlwaysOnAlwaysConnectedCapable=0&ms=0&DefaultUserRegion=244&osVer=10.0.19045.4046.amd64fre.vb_release.191206-1406&os=windows&deviceId=s%3ABAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&DeferQualityUpdatePeriodInDays=0&ring=Retail&DeferFeatureUpdatePeriodInDays=30 | unknown | | | whitelisted
6612 | msedge.exe | GET | 403 | 199.232.210.172:80 | http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/550117a4-8c0f-4d0d-8ff8-7c3caccb0e8a?P1=1757972498&P2=404&P3=2&P4=SosfgGvPP%2bqG%2fKPFOnStRp0ebgR4wibSifLIFAVozbIX%2fohzlu3OKFqIl2l0qzX%2bohjhEGOVS0QtuGPmE2Wd%2bQ%3d%3d | unknown | | | whitelisted
| | HEAD | 200 | 23.197.142.186:443 | https://fs.microsoft.com/fs/windows/config.json | unknown | | |
| | GET | 301 | 104.17.94.1:443 | https://tracking.kvo1.io/enSVbg | unknown | text | 136 b | unknown
| | POST | 200 | 150.171.27.11:443 | https://edge.microsoft.com/componentupdater/api/v1/update | unknown | text | 1.57 Kb | whitelisted
7480 | svchost.exe | GET | 200 | 2.16.164.72:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | | | whitelisted
7016 | svchost.exe | GET | 200 | 2.16.164.72:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | | | whitelisted
| | GET | 200 | 23.197.142.186:443 | https://fs.microsoft.com/fs/windows/config.json | unknown | text | 55 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
7480 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
7016 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
3792 | RUXIMICS.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
5336 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
| | 224.0.0.251:5353 | | | | whitelisted
6612 | msedge.exe | 199.232.210.172:80 | msedge.b.tlu.dl.delivery.mp.microsoft.com | FASTLY | US | whitelisted
6244 | svchost.exe | 23.197.142.186:443 | fs.microsoft.com | AKAMAI-AS | US | whitelisted
6612 | msedge.exe | 104.17.93.1:443 | tracking.kvo1.io | CLOUDFLARENET | US | whitelisted
6612 | msedge.exe | 150.171.28.11:443 | edge.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
7480 | svchost.exe | 2.16.164.72:80 | crl.microsoft.com | AKAMAI-ASN1 | NL | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 40.127.240.158, 4.231.128.59 | whitelisted
msedge.b.tlu.dl.delivery.mp.microsoft.com | 199.232.210.172, 199.232.214.172, 23.55.161.21, 23.55.161.28, 91.80.49.22, 62.74.30.247, 31.145.66.243, 91.80.49.86, 91.81.130.151, 62.74.30.122, 31.145.66.229, 91.81.129.180, 92.223.97.79 | whitelisted
google.com | 216.58.206.78 | whitelisted
fs.microsoft.com | 23.197.142.186 | whitelisted
tracking.kvo1.io | 104.17.93.1, 104.17.94.1 | unknown
edge.microsoft.com | 150.171.28.11, 150.171.27.11 | whitelisted
crl.microsoft.com | 2.16.164.72, 2.16.164.49, 2.16.164.9 | whitelisted
fastx.to | 144.172.89.223 | unknown
www.microsoft.com | 23.52.181.212 | whitelisted
benefitswave.com | 172.86.105.195 | unknown

Threats

PID | Process | Class | Message
7480 | svchost.exe | Unknown Traffic | ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)
6612 | msedge.exe | Not Suspicious Traffic | INFO [ANY.RUN] Cloudflare turnstile CAPTCHA challenge
6612 | msedge.exe | Not Suspicious Traffic | INFO [ANY.RUN] Cloudflare turnstile CAPTCHA challenge
| | Misc activity | ET HUNTING HTTP Permissions-Policy Geolocation Directive Misconfiguration
6612 | msedge.exe | Not Suspicious Traffic | INFO [ANY.RUN] Cloudflare turnstile CAPTCHA challenge
| | Misc activity | ET HUNTING HTTP Permissions-Policy Geolocation Directive Misconfiguration
| | Misc activity | ET HUNTING HTTP Permissions-Policy Geolocation Directive Misconfiguration
| | Misc activity | ET HUNTING HTTP Permissions-Policy Geolocation Directive Misconfiguration
| | Misc activity | ET HUNTING HTTP Permissions-Policy Geolocation Directive Misconfiguration
| | Misc activity | ET HUNTING HTTP Permissions-Policy Geolocation Directive Misconfiguration
No debug info