URL: | s0x.xemirax.ru |
Full analysis: | https://app.any.run/tasks/d4d59e3d-07c7-4726-b34f-d2dbffce4cac |
Verdict: | Malicious activity |
Analysis date: | January 10, 2025, 23:51:12 |
OS: | Windows 10 Professional (build: 19045, 64 bit) |
Tags: | |
Indicators: | |
MD5: | 7EBD83EB2B16E0EABBC3437733CABA23 |
SHA1: | 776186CF7B639CCA412A115A99107CB4A5F2408D |
SHA256: | 6BACB822F02CD4F96D0952A5E5DC5F1E35C3490F122CDE6D7E0DB690D2235B3B |
SSDEEP: | 3:Sd2yA:SjA |
PID | CMD | Path | Indicators | Parent process
---|---|---|---|---
7172 | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --webtransport-developer-mode --no-appcompat-clear --mojo-platform-channel-handle=2496 --field-trial-handle=2204,i,13280900864495260754,3672259324373187194,262144 --variations-seed-version /prefetch:3 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | — | msedge.exe

User: admin · Company: Microsoft Corporation · Integrity Level: MEDIUM · Description: Microsoft Edge · Version: 122.0.2365.59
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
7172 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000fb | binary | 311F1298863858C8334BD7A8A0E34014 | 846351F83ED17838A1DE223EAD4E9900D1E127B3243695DAF5A4988E965C44CC
7172 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\TransportSecurity | binary | 501A7411D0FF6BA9290547B82E09E734 | 6B9BD235C840E08A5A763CF34704575D8E2CFB4100487125BF1D362FA421626A
7172 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\2be59d50-23b8-49d2-8ad9-aa293a3c717f.tmp | binary | 501A7411D0FF6BA9290547B82E09E734 | 6B9BD235C840E08A5A763CF34704575D8E2CFB4100487125BF1D362FA421626A
7172 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\TransportSecurity~RF296fba.TMP | binary | D2615E0C4F6C46045EDB3EAA0ACE252A | 48EFA073914F67BCCE305DECBC121BE7FA6D343982BE00A666B4C5FB6A30A7A9
7172 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State | binary | 4FC13DBE565B10BBF0375C59DF80331C | CA594FC6948BF1827380793903847380D4291D9C4BADF8F9871E2D4ED05CD8EE
7172 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State~RF296d1a.TMP | binary | D0453075479429FE52D8FB780A7DA8E9 | 574112CCCB36E004E93B2BCBBA7F6CEB8FF3B12E3E462BEF80F1B57044E035B1
7172 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\e38f8d1d-5ba5-40b6-9812-cfc98dd668de.tmp | binary | 4FC13DBE565B10BBF0375C59DF80331C | CA594FC6948BF1827380793903847380D4291D9C4BADF8F9871E2D4ED05CD8EE
7172 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\7b328895-a9a8-45f4-be2f-9d270267476f.tmp | binary | DB29B2191198EF49E75E47BCE7002306 | 49A375F7F5EB1013D3679B099D6A82137395C3E00D8FC4B5EC7D58433FB8B60A
7172 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State~RF29a13a.TMP | binary | 4FC13DBE565B10BBF0375C59DF80331C | CA594FC6948BF1827380793903847380D4291D9C4BADF8F9871E2D4ED05CD8EE
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3024 | svchost.exe | HEAD | 200 | 199.232.210.172:80 | http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/d50ccf3e-dd06-4e6f-bb20-931c8ce33527?P1=1736890132&P2=404&P3=2&P4=U%2bCqYhTsCnlSLaZ9g6VR12R7IZQ8tNbzN0euMbnUQL1jEFy1AzjoDm76X4FcdzQ9uUG7k3RgzaL%2fAbqduhpP%2fw%3d%3d | unknown | — | — | whitelisted |
3024 | svchost.exe | GET | 206 | 199.232.210.172:80 | http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/d50ccf3e-dd06-4e6f-bb20-931c8ce33527?P1=1736890132&P2=404&P3=2&P4=U%2bCqYhTsCnlSLaZ9g6VR12R7IZQ8tNbzN0euMbnUQL1jEFy1AzjoDm76X4FcdzQ9uUG7k3RgzaL%2fAbqduhpP%2fw%3d%3d | unknown | — | — | whitelisted |
3024 | svchost.exe | GET | 206 | 199.232.210.172:80 | http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/d50ccf3e-dd06-4e6f-bb20-931c8ce33527?P1=1736890132&P2=404&P3=2&P4=U%2bCqYhTsCnlSLaZ9g6VR12R7IZQ8tNbzN0euMbnUQL1jEFy1AzjoDm76X4FcdzQ9uUG7k3RgzaL%2fAbqduhpP%2fw%3d%3d | unknown | — | — | whitelisted |
3024 | svchost.exe | GET | 206 | 199.232.210.172:80 | http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/d50ccf3e-dd06-4e6f-bb20-931c8ce33527?P1=1736890132&P2=404&P3=2&P4=U%2bCqYhTsCnlSLaZ9g6VR12R7IZQ8tNbzN0euMbnUQL1jEFy1AzjoDm76X4FcdzQ9uUG7k3RgzaL%2fAbqduhpP%2fw%3d%3d | unknown | — | — | whitelisted |
3024 | svchost.exe | GET | 206 | 199.232.210.172:80 | http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/d50ccf3e-dd06-4e6f-bb20-931c8ce33527?P1=1736890132&P2=404&P3=2&P4=U%2bCqYhTsCnlSLaZ9g6VR12R7IZQ8tNbzN0euMbnUQL1jEFy1AzjoDm76X4FcdzQ9uUG7k3RgzaL%2fAbqduhpP%2fw%3d%3d | unknown | — | — | whitelisted |
3024 | svchost.exe | GET | 206 | 199.232.210.172:80 | http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/d50ccf3e-dd06-4e6f-bb20-931c8ce33527?P1=1736890132&P2=404&P3=2&P4=U%2bCqYhTsCnlSLaZ9g6VR12R7IZQ8tNbzN0euMbnUQL1jEFy1AzjoDm76X4FcdzQ9uUG7k3RgzaL%2fAbqduhpP%2fw%3d%3d | unknown | — | — | whitelisted |
3024 | svchost.exe | GET | 206 | 199.232.210.172:80 | http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/d50ccf3e-dd06-4e6f-bb20-931c8ce33527?P1=1736890132&P2=404&P3=2&P4=U%2bCqYhTsCnlSLaZ9g6VR12R7IZQ8tNbzN0euMbnUQL1jEFy1AzjoDm76X4FcdzQ9uUG7k3RgzaL%2fAbqduhpP%2fw%3d%3d | unknown | — | — | whitelisted |
3024 | svchost.exe | GET | 206 | 199.232.210.172:80 | http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/d50ccf3e-dd06-4e6f-bb20-931c8ce33527?P1=1736890132&P2=404&P3=2&P4=U%2bCqYhTsCnlSLaZ9g6VR12R7IZQ8tNbzN0euMbnUQL1jEFy1AzjoDm76X4FcdzQ9uUG7k3RgzaL%2fAbqduhpP%2fw%3d%3d | unknown | — | — | whitelisted |
3024 | svchost.exe | GET | 206 | 199.232.210.172:80 | http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/d50ccf3e-dd06-4e6f-bb20-931c8ce33527?P1=1736890132&P2=404&P3=2&P4=U%2bCqYhTsCnlSLaZ9g6VR12R7IZQ8tNbzN0euMbnUQL1jEFy1AzjoDm76X4FcdzQ9uUG7k3RgzaL%2fAbqduhpP%2fw%3d%3d | unknown | — | — | whitelisted |
3024 | svchost.exe | GET | 206 | 199.232.210.172:80 | http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/fd0b3f36-5596-4351-a52a-324d9881c330?P1=1737015041&P2=404&P3=2&P4=ZqFbwW9p2bnqkSAt9186tXBmu1MIj6pbdS1pQXY3uWco65oFq5VelkcPO6sRDmz1lSS28zat00W3eL9REJ2XTg%3d%3d | unknown | — | — | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
4940 | svchost.exe | 51.104.136.2:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
— | — | 239.255.255.250:1900 | — | — | — | whitelisted |
3612 | RUXIMICS.exe | 51.104.136.2:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
3080 | MoUsoCoreWorker.exe | 51.104.136.2:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4668 | msedge.exe | 224.0.0.251:5353 | — | — | — | unknown |
7172 | msedge.exe | 2.23.227.215:443 | www.bing.com | Ooredoo Q.S.C. | QA | whitelisted |
7172 | msedge.exe | 104.21.85.129:443 | s0x.xemirax.ru | — | — | unknown |
4940 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
3080 | MoUsoCoreWorker.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
3696 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
Domain | IP | Reputation
---|---|---
google.com | — | whitelisted
www.bing.com | — | whitelisted
s0x.xemirax.ru | — | unknown
settings-win.data.microsoft.com | — | whitelisted
go.microsoft.com | — | whitelisted
edge.microsoft.com | — | whitelisted
msedge.b.tlu.dl.delivery.mp.microsoft.com | — | whitelisted
PID | Process | Class | Message |
---|---|---|---|
— | — | Possible Social Engineering Attempted | PHISHING [ANY.RUN] Suspected Storms-1747`s Phishing domain by CrossDomain ( .xemirax .ru) |
— | — | Possible Social Engineering Attempted | PHISHING [ANY.RUN] Suspected Storms-1747`s Phishing domain by CrossDomain ( .xemirax .ru) |
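A triage pass over the connection and threat tables above, added here as an example and not part of the ANY.RUN report: it drops the sandbox-whitelisted and multicast rows, recovers the registrable domain from the `( .xemirax .ru)` fragment in the alert message, and attributes that domain to the process and socket that actually contacted it. The input rows are copied from the tables on this page; the multicast filter and the parenthesised-fragment convention are assumptions about the report layout, not an ANY.RUN API.

```python
"""Triage the ANY.RUN connection/threat tables: which non-whitelisted hosts
were contacted, and which process reached the domain the phishing rule flagged.
Added example; the row text below is copied from the report tables on this page."""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Conn:
    pid: str
    process: str
    ip: str
    port: int
    domain: str
    reputation: str


# Rows copied from the report's connection table
# (PID | Process | IP | Domain | ASN | CN | Reputation).
CONNECTIONS_TABLE = """\
4940 | svchost.exe | 51.104.136.2:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
— | — | 239.255.255.250:1900 | — | — | — | whitelisted
4668 | msedge.exe | 224.0.0.251:5353 | — | — | — | unknown
7172 | msedge.exe | 2.23.227.215:443 | www.bing.com | Ooredoo Q.S.C. | QA | whitelisted
7172 | msedge.exe | 104.21.85.129:443 | s0x.xemirax.ru | — | — | unknown
4940 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
"""

# Row copied from the report's threat table (PID | Process | Class | Message).
THREATS_TABLE = """\
— | — | Possible Social Engineering Attempted | PHISHING [ANY.RUN] Suspected Storms-1747`s Phishing domain by CrossDomain ( .xemirax .ru)
"""

# Assumed noise filter: mDNS (224.0.0.251) and SSDP (239.255.255.250) are
# local multicast chatter, not something the analysed URL caused.
MULTICAST_PREFIXES = ("224.", "239.")


def parse_connections(table: str) -> list[Conn]:
    """Parse pipe-delimited connection rows; rows with the wrong column count are skipped."""
    rows: list[Conn] = []
    for line in table.splitlines():
        cells = [c.strip() for c in line.split("|")]
        if len(cells) != 7:
            continue
        pid, proc, ipport, domain, _asn, _cn, rep = cells
        ip, _, port = ipport.rpartition(":")
        rows.append(Conn(pid, proc, ip, int(port), domain, rep))
    return rows


def unreviewed(conns: list[Conn]) -> list[Conn]:
    """Connections the sandbox did not whitelist and that are not multicast noise."""
    return [c for c in conns
            if c.reputation != "whitelisted" and not c.ip.startswith(MULTICAST_PREFIXES)]


def flagged_domains(threats_table: str) -> set[str]:
    """Recover 'xemirax.ru' from the defanged '( .xemirax .ru)' fragment in each alert message.
    Assumes the rule text writes the domain as space-separated, dot-prefixed labels."""
    found: set[str] = set()
    for line in threats_table.splitlines():
        for frag in re.findall(r"\(\s*([^)]*)\)", line):
            labels = [p.lstrip(".") for p in frag.split()]
            if len(labels) >= 2:
                found.add(".".join(labels))
    return found


def attribute(conns: list[Conn], domains: set[str]) -> dict[str, list[tuple[str, str, str]]]:
    """Map each flagged registrable domain to the (pid, process, ip:port) tuples that
    contacted it or any subdomain of it."""
    hits: dict[str, list[tuple[str, str, str]]] = {}
    for c in conns:
        for d in domains:
            if c.domain == d or c.domain.endswith("." + d):
                hits.setdefault(d, []).append((c.pid, c.process, f"{c.ip}:{c.port}"))
    return hits


if __name__ == "__main__":
    conns = parse_connections(CONNECTIONS_TABLE)
    for c in unreviewed(conns):
        print(f"review: pid={c.pid} {c.process} -> {c.domain} ({c.ip}:{c.port}) rep={c.reputation}")
    for domain, who in attribute(conns, flagged_domains(THREATS_TABLE)).items():
        print(f"flagged {domain}: contacted by {who}")
```

On this report the only row left for review is PID 7172 (msedge.exe) to s0x.xemirax.ru at 104.21.85.129:443, and that is also the single connection matching the domain the phishing signature names, so the "Malicious activity" verdict rests entirely on that signature hit rather than on any dropped file or second-stage traffic.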