Field | Value
---|---
URL | https://2fa.com-token-auth.com/XNlcvVys3S2V3bWIvLzljeXhqV0JsbFZINzBERHRBWGMxN0UzalZNZ3FVQjQrM3Z4UVJDWFpuMXZhVWdpVjAyN2FtQk5OSkZDOGJLZXBDSmpjZk1EaUxNR1grc3o2bk5jZk9CZFpuUmVOamk5THVkQzlsZWVvV2psM1JRdjZZR0xkbDdzZFJlbDhmemkxdnN0QjhucG9ZRFovKzBYUW16RFVwcHdTeUJpN20yK1NFMXd2OFJSN0RteFBCcGFLR3FUNW5BdVdnd3l6cGxKOVRlL21lekstLVJ5M3l0Ukhld2FWUDZzWWYtLSt2RG52MHhIVllLM2tHaDR3SmJ3cUE9PQ==?cid=2350780366
Full analysis | https://app.any.run/tasks/b906caee-ff52-4b21-8e36-8617ff7053ee
Verdict | Malicious activity
Analysis date | January 10, 2025, 18:43:29
OS | Windows 10 Professional (build: 19045, 64 bit)
Tags | —
Indicators | —
MD5 | 9A1F2309CCDAC61056074DAF79905FE0
SHA1 | 1103ACF07A5058461201FCAA7A930096BBD791C5
SHA256 | 5E75A2F6F4D35AC91DD792DDE960FB78B7E1E9931B78F7DCDD2B4DEF53D6E7E3
SSDEEP | 12:2jORXY+TErAR9ockfJa/TFxqHDEhtyohnwN:2j2T5LcfJa/6HD0An
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
7172 | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --webtransport-developer-mode --no-appcompat-clear --mojo-platform-channel-handle=2496 --field-trial-handle=2204,i,13280900864495260754,3672259324373187194,262144 --variations-seed-version /prefetch:3 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | msedge.exe | |
Process details (PID 7172): User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Edge; Version: 122.0.2365.59
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
7172 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_000100 | compressed | 090B4D9FF04EA8049ADB7F7A4AC8D2A2 | 5CE9296CB8DD1032943AFADDC24A16A4F46DFEDAC68EC9FBB8C04D5D9EC9F564 |
7172 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\TransportSecurity~RF29507a.TMP | binary | D2615E0C4F6C46045EDB3EAA0ACE252A | 48EFA073914F67BCCE305DECBC121BE7FA6D343982BE00A666B4C5FB6A30A7A9 |
7172 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000fd | compressed | 090B4D9FF04EA8049ADB7F7A4AC8D2A2 | 5CE9296CB8DD1032943AFADDC24A16A4F46DFEDAC68EC9FBB8C04D5D9EC9F564 |
7172 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\TransportSecurity | binary | 74821BA75AB6F3A6325721EDFDC3E7C1 | C25A215461425B4D33F83445DAC9D181A389E77B2E3E43B8C656BCF2E18078E8 |
7172 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000fe | binary | 311F1298863858C8334BD7A8A0E34014 | 846351F83ED17838A1DE223EAD4E9900D1E127B3243695DAF5A4988E965C44CC |
7172 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\TransportSecurity~RF297920.TMP | binary | 74821BA75AB6F3A6325721EDFDC3E7C1 | C25A215461425B4D33F83445DAC9D181A389E77B2E3E43B8C656BCF2E18078E8 |
7172 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\c7e77d98-4a56-426f-8642-b3a27e609b16.tmp | binary | 74821BA75AB6F3A6325721EDFDC3E7C1 | C25A215461425B4D33F83445DAC9D181A389E77B2E3E43B8C656BCF2E18078E8 |
7172 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\5a3aa464-c5a1-4c92-bd50-8e0251b7b3a0.tmp | binary | 2B81D926DBBC9C8F9118FD60AC15319C | 6A38E0C888EEF91A868D68DBAED99BD8FB2F46FA242CBB7A1CBFF110EDD55486 |
7172 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000fb | html | D8798AAE777F6C93C53155F081A8C8EA | 69FEB31D20F8340079383EB02BD89606E55D53476E2C1A9D70646E3A19FE4A25 |
7172 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State~RF296d29.TMP | binary | D0453075479429FE52D8FB780A7DA8E9 | 574112CCCB36E004E93B2BCBBA7F6CEB8FF3B12E3E462BEF80F1B57044E035B1 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
— | — | GET | 302 | 23.35.229.160:443 | https://go.microsoft.com/fwlink/?linkid=2133855&bucket=18 | unknown | — | — | — |
— | — | GET | 200 | 18.173.205.111:443 | https://secured-login.net/favicon.ico | unknown | — | — | — |
3024 | svchost.exe | HEAD | 200 | 2.16.168.108:80 | http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/d50ccf3e-dd06-4e6f-bb20-931c8ce33527?P1=1736876664&P2=404&P3=2&P4=GDlBNGscsF1ySQA2WUhKnFIks4AA69o6XLZRmmvZFmyCk2ygY6se7MZbQfkSYnx5izHtbppLnF7PVK57hamwuQ%3d%3d | unknown | — | — | whitelisted |
3024 | svchost.exe | GET | 206 | 2.16.168.108:80 | http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/d50ccf3e-dd06-4e6f-bb20-931c8ce33527?P1=1736876664&P2=404&P3=2&P4=GDlBNGscsF1ySQA2WUhKnFIks4AA69o6XLZRmmvZFmyCk2ygY6se7MZbQfkSYnx5izHtbppLnF7PVK57hamwuQ%3d%3d | unknown | — | — | whitelisted |
— | — | GET | 200 | 3.5.9.207:443 | https://helpimg.s3.amazonaws.com/landing_pages/oops/styles.css | unknown | text | 5.52 Kb | shared |
— | — | GET | 200 | 18.173.205.50:443 | https://training.knowbe4.com/packs/js/vendor-954761ad0dceb106b971.js | unknown | html | 1.72 Kb | whitelisted |
— | — | GET | 200 | 18.173.205.114:443 | https://secured-login.net/assets/application-237cb5c4f318687625f8ccf2f42de3fc20238bfe267384653491a6bba8c8f6f5.js | unknown | s | 371 Kb | whitelisted |
— | — | GET | 200 | 13.107.21.239:443 | https://edge.microsoft.com/neededge/v1?bucket=18 | unknown | xml | 741 Kb | whitelisted |
— | — | GET | 200 | 13.107.246.45:443 | https://xpaywalletcdn.azureedge.net/mswallet/ExpressCheckout/v2/GetEligibleSites?version=0&type=topSite&IsStable=false | unknown | binary | 497 b | whitelisted |
— | — | GET | 200 | 18.173.205.114:443 | https://secured-login.net/pages/ac64029cfb186cc848628300fa715e50/XNlcvVys3S2V3bWIvLzljeXhqV0JsbFZINzBERHRBWGMxN0UzalZNZ3FVQjQrM3Z4UVJDWFpuMXZhVWdpVjAyN2FtQk5OSkZDOGJLZXBDSmpjZk1EaUxNR1grc3o2bk5jZk9CZFpuUmVOamk5THVkQzlsZWVvV2psM1JRdjZZR0xkbDdzZFJlbDhmemkxdnN0QjhucG9ZRFovKzBYUW16RFVwcHdTeUJpN20yK1NFMXd2OFJSN0RteFBCcGFLR3FUNW5BdVdnd3l6cGxKOVRlL21lekstLVJ5M3l0Ukhld2FWUDZzWWYtLSt2RG52MHhIVllLM2tHaDR3SmJ3cUE9PQ== | unknown | html | 73.3 Kb | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2208 | RUXIMICS.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
— | — | 239.255.255.250:1900 | — | — | — | whitelisted |
3080 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
5204 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4668 | msedge.exe | 224.0.0.251:5353 | — | — | — | unknown |
7172 | msedge.exe | 3.231.74.234:443 | 2fa.com-token-auth.com | AMAZON-AES | US | whitelisted |
7172 | msedge.exe | 34.193.6.123:443 | 2fa.com-token-auth.com | AMAZON-AES | US | whitelisted |
3080 | MoUsoCoreWorker.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
5204 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
7172 | msedge.exe | 18.173.205.50:443 | training.knowbe4.com | — | US | whitelisted |
Domain | IP | Reputation |
---|---|---|
google.com | — | whitelisted |
2fa.com-token-auth.com | — | unknown |
secured-login.net | — | whitelisted |
settings-win.data.microsoft.com | — | whitelisted |
helpimg.s3.amazonaws.com | — | shared |
training.knowbe4.com | — | whitelisted |
edge.microsoft.com | — | whitelisted |
go.microsoft.com | — | whitelisted |
unpkg.com | — | whitelisted |
www.bing.com | — | whitelisted |
PID | Process | Class | Message |
---|---|---|---|
— | — | Misc activity | ET POLICY Observed DNS Query to KnowBe4 Simulated Phish Domain (com-token-auth .com) |
— | — | Possible Social Engineering Attempted | PHISHING [ANY.RUN] KnowBe4: Security Awareness Training (secured-login. net) |
— | — | Possible Social Engineering Attempted | PHISHING [ANY.RUN] KnowBe4: Security Awareness Training (secured-login. net) |
— | — | Possible Social Engineering Attempted | PHISHING [ANY.RUN] Suspected Phishing Training domain ( .knowbe4 .) |
— | — | Possible Social Engineering Attempted | PHISHING [ANY.RUN] KnowBe4: Security Awareness Training (knowbe4 .com) |
— | — | Possible Social Engineering Attempted | PHISHING [ANY.RUN] Suspected Phishing Training domain ( .knowbe4 .) |
— | — | Possible Social Engineering Attempted | PHISHING [ANY.RUN] KnowBe4: Security Awareness Training (knowbe4 .com) |
— | — | Not Suspicious Traffic | INFO [ANY.RUN] Global content delivery network (unpkg .com) |
— | — | Possible Social Engineering Attempted | PHISHING [ANY.RUN] Suspected Phishing Training domain ( .knowbe4 .) |
— | — | Possible Social Engineering Attempted | PHISHING [ANY.RUN] KnowBe4: Security Awareness Training (secured-login. net) |