URL:

https://2fa.com-token-auth.com/XNlcvVys3S2V3bWIvLzljeXhqV0JsbFZINzBERHRBWGMxN0UzalZNZ3FVQjQrM3Z4UVJDWFpuMXZhVWdpVjAyN2FtQk5OSkZDOGJLZXBDSmpjZk1EaUxNR1grc3o2bk5jZk9CZFpuUmVOamk5THVkQzlsZWVvV2psM1JRdjZZR0xkbDdzZFJlbDhmemkxdnN0QjhucG9ZRFovKzBYUW16RFVwcHdTeUJpN20yK1NFMXd2OFJSN0RteFBCcGFLR3FUNW5BdVdnd3l6cGxKOVRlL21lekstLVJ5M3l0Ukhld2FWUDZzWWYtLSt2RG52MHhIVllLM2tHaDR3SmJ3cUE9PQ==?cid=2350780366

Full analysis: https://app.any.run/tasks/b906caee-ff52-4b21-8e36-8617ff7053ee
Verdict: Malicious activity
Analysis date: January 10, 2025, 18:43:29
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
phishing
Indicators:
MD5:

9A1F2309CCDAC61056074DAF79905FE0

SHA1:

1103ACF07A5058461201FCAA7A930096BBD791C5

SHA256:

5E75A2F6F4D35AC91DD792DDE960FB78B7E1E9931B78F7DCDD2B4DEF53D6E7E3

SSDEEP:

12:2jORXY+TErAR9ockfJa/TFxqHDEhtyohnwN:2j2T5LcfJa/6HD0An

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • KNOWBE4 has been detected (SURICATA)

      • msedge.exe (PID: 7172)
    • PHISHING has been detected (SURICATA)

      • msedge.exe (PID: 7172)
  • SUSPICIOUS

    No suspicious indicators.
  • INFO

    No info indicators.
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes
158
Monitored processes
1
Malicious processes
1
Suspicious processes
0

Behavior graph

#KNOWBE4 msedge.exe

Process information

PID: 7172
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --webtransport-developer-mode --no-appcompat-clear --mojo-platform-channel-handle=2496 --field-trial-handle=2204,i,13280900864495260754,3672259324373187194,262144 --variations-seed-version /prefetch:3
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Edge
Version: 122.0.2365.59
Total events
0
Read events
0
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
21
Text files
1
Unknown types
0

Dropped files

PID: 7172
Process: msedge.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_000100
Type: compressed
MD5: 090B4D9FF04EA8049ADB7F7A4AC8D2A2
SHA256: 5CE9296CB8DD1032943AFADDC24A16A4F46DFEDAC68EC9FBB8C04D5D9EC9F564

PID: 7172
Process: msedge.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\TransportSecurity~RF29507a.TMP
Type: binary
MD5: D2615E0C4F6C46045EDB3EAA0ACE252A
SHA256: 48EFA073914F67BCCE305DECBC121BE7FA6D343982BE00A666B4C5FB6A30A7A9

PID: 7172
Process: msedge.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000fd
Type: compressed
MD5: 090B4D9FF04EA8049ADB7F7A4AC8D2A2
SHA256: 5CE9296CB8DD1032943AFADDC24A16A4F46DFEDAC68EC9FBB8C04D5D9EC9F564

PID: 7172
Process: msedge.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\TransportSecurity
Type: binary
MD5: 74821BA75AB6F3A6325721EDFDC3E7C1
SHA256: C25A215461425B4D33F83445DAC9D181A389E77B2E3E43B8C656BCF2E18078E8

PID: 7172
Process: msedge.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000fe
Type: binary
MD5: 311F1298863858C8334BD7A8A0E34014
SHA256: 846351F83ED17838A1DE223EAD4E9900D1E127B3243695DAF5A4988E965C44CC

PID: 7172
Process: msedge.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\TransportSecurity~RF297920.TMP
Type: binary
MD5: 74821BA75AB6F3A6325721EDFDC3E7C1
SHA256: C25A215461425B4D33F83445DAC9D181A389E77B2E3E43B8C656BCF2E18078E8

PID: 7172
Process: msedge.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\c7e77d98-4a56-426f-8642-b3a27e609b16.tmp
Type: binary
MD5: 74821BA75AB6F3A6325721EDFDC3E7C1
SHA256: C25A215461425B4D33F83445DAC9D181A389E77B2E3E43B8C656BCF2E18078E8

PID: 7172
Process: msedge.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\5a3aa464-c5a1-4c92-bd50-8e0251b7b3a0.tmp
Type: binary
MD5: 2B81D926DBBC9C8F9118FD60AC15319C
SHA256: 6A38E0C888EEF91A868D68DBAED99BD8FB2F46FA242CBB7A1CBFF110EDD55486

PID: 7172
Process: msedge.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000fb
Type: html
MD5: D8798AAE777F6C93C53155F081A8C8EA
SHA256: 69FEB31D20F8340079383EB02BD89606E55D53476E2C1A9D70646E3A19FE4A25

PID: 7172
Process: msedge.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State~RF296d29.TMP
Type: binary
MD5: D0453075479429FE52D8FB780A7DA8E9
SHA256: 574112CCCB36E004E93B2BCBBA7F6CEB8FF3B12E3E462BEF80F1B57044E035B1
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
87
TCP/UDP connections
52
DNS requests
64
Threats
23

HTTP requests

Method: GET
HTTP Code: 302
IP: 23.35.229.160:443
URL: https://go.microsoft.com/fwlink/?linkid=2133855&bucket=18
CN: unknown

Method: GET
HTTP Code: 200
IP: 18.173.205.111:443
URL: https://secured-login.net/favicon.ico
CN: unknown

PID: 3024
Process: svchost.exe
Method: HEAD
HTTP Code: 200
IP: 2.16.168.108:80
URL: http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/d50ccf3e-dd06-4e6f-bb20-931c8ce33527?P1=1736876664&P2=404&P3=2&P4=GDlBNGscsF1ySQA2WUhKnFIks4AA69o6XLZRmmvZFmyCk2ygY6se7MZbQfkSYnx5izHtbppLnF7PVK57hamwuQ%3d%3d
CN: unknown
Reputation: whitelisted

PID: 3024
Process: svchost.exe
Method: GET
HTTP Code: 206
IP: 2.16.168.108:80
URL: http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/d50ccf3e-dd06-4e6f-bb20-931c8ce33527?P1=1736876664&P2=404&P3=2&P4=GDlBNGscsF1ySQA2WUhKnFIks4AA69o6XLZRmmvZFmyCk2ygY6se7MZbQfkSYnx5izHtbppLnF7PVK57hamwuQ%3d%3d
CN: unknown
Reputation: whitelisted

Method: GET
HTTP Code: 200
IP: 3.5.9.207:443
URL: https://helpimg.s3.amazonaws.com/landing_pages/oops/styles.css
CN: unknown
Type: text
Size: 5.52 Kb
Reputation: shared

Method: GET
HTTP Code: 200
IP: 18.173.205.50:443
URL: https://training.knowbe4.com/packs/js/vendor-954761ad0dceb106b971.js
CN: unknown
Type: html
Size: 1.72 Kb
Reputation: whitelisted

Method: GET
HTTP Code: 200
IP: 18.173.205.114:443
URL: https://secured-login.net/assets/application-237cb5c4f318687625f8ccf2f42de3fc20238bfe267384653491a6bba8c8f6f5.js
CN: unknown
Type: s
Size: 371 Kb
Reputation: whitelisted

Method: GET
HTTP Code: 200
IP: 13.107.21.239:443
URL: https://edge.microsoft.com/neededge/v1?bucket=18
CN: unknown
Type: xml
Size: 741 Kb
Reputation: whitelisted

Method: GET
HTTP Code: 200
IP: 13.107.246.45:443
URL: https://xpaywalletcdn.azureedge.net/mswallet/ExpressCheckout/v2/GetEligibleSites?version=0&type=topSite&IsStable=false
CN: unknown
Type: binary
Size: 497 b
Reputation: whitelisted

Method: GET
HTTP Code: 200
IP: 18.173.205.114:443
URL: https://secured-login.net/pages/ac64029cfb186cc848628300fa715e50/XNlcvVys3S2V3bWIvLzljeXhqV0JsbFZINzBERHRBWGMxN0UzalZNZ3FVQjQrM3Z4UVJDWFpuMXZhVWdpVjAyN2FtQk5OSkZDOGJLZXBDSmpjZk1EaUxNR1grc3o2bk5jZk9CZFpuUmVOamk5THVkQzlsZWVvV2psM1JRdjZZR0xkbDdzZFJlbDhmemkxdnN0QjhucG9ZRFovKzBYUW16RFVwcHdTeUJpN20yK1NFMXd2OFJSN0RteFBCcGFLR3FUNW5BdVdnd3l6cGxKOVRlL21lekstLVJ5M3l0Ukhld2FWUDZzWWYtLSt2RG52MHhIVllLM2tHaDR3SmJ3cUE9PQ==
CN: unknown
Type: html
Size: 73.3 Kb
Reputation: whitelisted

Connections

PID: 2208
Process: RUXIMICS.exe
IP: 51.104.136.2:443
Domain: settings-win.data.microsoft.com
ASN: MICROSOFT-CORP-MSN-AS-BLOCK
CN: IE
Reputation: whitelisted

IP: 239.255.255.250:1900
Reputation: whitelisted

PID: 3080
Process: MoUsoCoreWorker.exe
IP: 51.104.136.2:443
Domain: settings-win.data.microsoft.com
ASN: MICROSOFT-CORP-MSN-AS-BLOCK
CN: IE
Reputation: whitelisted

PID: 5204
Process: svchost.exe
IP: 51.104.136.2:443
Domain: settings-win.data.microsoft.com
ASN: MICROSOFT-CORP-MSN-AS-BLOCK
CN: IE
Reputation: whitelisted

PID: 4668
Process: msedge.exe
IP: 224.0.0.251:5353
Reputation: unknown

PID: 7172
Process: msedge.exe
IP: 3.231.74.234:443
Domain: 2fa.com-token-auth.com
ASN: AMAZON-AES
CN: US
Reputation: whitelisted

PID: 7172
Process: msedge.exe
IP: 34.193.6.123:443
Domain: 2fa.com-token-auth.com
ASN: AMAZON-AES
CN: US
Reputation: whitelisted

PID: 3080
Process: MoUsoCoreWorker.exe
IP: 51.124.78.146:443
Domain: settings-win.data.microsoft.com
ASN: MICROSOFT-CORP-MSN-AS-BLOCK
CN: NL
Reputation: whitelisted

PID: 5204
Process: svchost.exe
IP: 51.124.78.146:443
Domain: settings-win.data.microsoft.com
ASN: MICROSOFT-CORP-MSN-AS-BLOCK
CN: NL
Reputation: whitelisted

PID: 7172
Process: msedge.exe
IP: 18.173.205.50:443
Domain: training.knowbe4.com
CN: US
Reputation: whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 216.58.206.46
whitelisted
2fa.com-token-auth.com
  • 3.231.74.234
  • 34.193.6.123
  • 34.195.197.181
  • 35.169.9.104
  • 54.87.176.87
  • 54.161.180.244
unknown
secured-login.net
  • 34.193.6.123
  • 34.195.197.181
  • 54.87.176.87
  • 3.231.74.234
  • 35.169.9.104
  • 54.161.180.244
whitelisted
settings-win.data.microsoft.com
  • 51.124.78.146
  • 51.104.136.2
whitelisted
helpimg.s3.amazonaws.com
  • 52.217.173.201
  • 3.5.12.15
  • 52.217.108.76
  • 54.231.160.41
  • 54.231.164.9
  • 54.231.198.57
  • 3.5.28.57
  • 16.182.109.97
shared
training.knowbe4.com
  • 18.173.205.50
  • 18.173.205.70
  • 18.173.205.111
  • 18.173.205.114
whitelisted
edge.microsoft.com
  • 204.79.197.239
  • 13.107.21.239
whitelisted
go.microsoft.com
  • 2.23.242.9
whitelisted
unpkg.com
  • 104.17.245.203
  • 104.17.249.203
  • 104.17.246.203
  • 104.17.247.203
  • 104.17.248.203
whitelisted
www.bing.com
  • 2.23.227.215
  • 2.23.227.208
whitelisted

Threats

Class: Misc activity
Message: ET POLICY Observed DNS Query to KnowBe4 Simulated Phish Domain (com-token-auth .com)

Class: Possible Social Engineering Attempted
Message: PHISHING [ANY.RUN] KnowBe4: Security Awareness Training (secured-login. net)

Class: Possible Social Engineering Attempted
Message: PHISHING [ANY.RUN] KnowBe4: Security Awareness Training (secured-login. net)

Class: Possible Social Engineering Attempted
Message: PHISHING [ANY.RUN] Suspected Phishing Training domain ( .knowbe4 .)

Class: Possible Social Engineering Attempted
Message: PHISHING [ANY.RUN] KnowBe4: Security Awareness Training (knowbe4 .com)

Class: Possible Social Engineering Attempted
Message: PHISHING [ANY.RUN] Suspected Phishing Training domain ( .knowbe4 .)

Class: Possible Social Engineering Attempted
Message: PHISHING [ANY.RUN] KnowBe4: Security Awareness Training (knowbe4 .com)

Class: Not Suspicious Traffic
Message: INFO [ANY.RUN] Global content delivery network (unpkg .com)

Class: Possible Social Engineering Attempted
Message: PHISHING [ANY.RUN] Suspected Phishing Training domain ( .knowbe4 .)

Class: Possible Social Engineering Attempted
Message: PHISHING [ANY.RUN] KnowBe4: Security Awareness Training (secured-login. net)
No debug info