URL:

https://webmail-cake-924c-vvn.fresfst.workers.dev/?data=ZGlzYWJpbGl0eV9hcHBsaWNhdGlvbl9hY2NvbW1vZGF0aW9uQGhkc3VwcGx5LmNvbQ==

Full analysis: https://app.any.run/tasks/38c4f3c7-acba-44ec-b968-88c94c154255
Verdict: Malicious activity
Analysis date: January 10, 2025, 21:57:31
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
phishing
Indicators:
MD5:

665B32F7C8EC6299DF8CFF7C63E3740A

SHA1:

D9F088EE92391F83873A8A7B7827AA1363DA1E7A

SHA256:

7725054553603BB29E0B2A0CCC035E9CEBA8A1D9278FF484154E4C315EDA165D

SSDEEP:

3:N8RoEMJUfYSMocE7yU8tqVWceWLCln0bc0cB+GiSmHUYYn:2elJUfYSPcE5uLs/43B8wYY

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • PHISHING has been detected (SURICATA)

      • msedge.exe (PID: 7172)
  • SUSPICIOUS

    No suspicious indicators.
  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
166
Monitored processes
1
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
#PHISHING msedge.exe

Process information

PID
CMD
Path
Indicators
Parent process
7172"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --webtransport-developer-mode --no-appcompat-clear --mojo-platform-channel-handle=2496 --field-trial-handle=2204,i,13280900864495260754,3672259324373187194,262144 --variations-seed-version /prefetch:3C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Version:
122.0.2365.59
Total events
0
Read events
0
Write events
0
Delete events
0

Modification events

No data
Executable files
1
Suspicious files
40
Text files
4
Unknown types
0

Dropped files

PID
Process
Filename
Type
7172msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_000104binary
MD5:C819982402CB76D1AE8CC1A61600994F
SHA256:C5B63EC429C910ACA2DD4BA8476393DAE7E29D5868B8A7523B547DF4E68A0AD6
7172msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_000101binary
MD5:D01BADBE54DA029265F37E141298650E
SHA256:659D3D0DB4EFD4262B6763A516B996C5A727E023FCF6F8B1164C43B2867725F8
7172msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_000107binary
MD5:822D94F19FE57477865209E1242A3C63
SHA256:8E4560C16C7970EFA47680450B2CF239D4A482C056D308ACEA12BB9022906C8B
7172msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_000102image
MD5:085BFDA064BA5270173582B40753580F
SHA256:C9140CC02C3041789E037E8005F6A20C8B70E256239076DF7AF518ACE3DA5F1E
7172msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000ffbinary
MD5:37F1584DFB05AFA37EB6DCF866F415D3
SHA256:022B312F71C943339D5577CAE46606C8256014B6E3DA4C1D9275EB8D5D3DFFF9
7172msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000fbini
MD5:7EB2ADE813390CE69A66B46ABC482F7B
SHA256:3B7D13710426253350401D970BA95C70A7E53104AB042253A06E9B556DAD87DA
7172msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_000109image
MD5:538EA4AF4B53F5068B4D120970AE1797
SHA256:CD162F9A5995D54BEE5B4B454B96CB562C8841840BE9284E99A68246CBF40832
7172msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000fccompressed
MD5:FC3FC31E5E7C0933DC18E562C1C071BF
SHA256:DDAD766FB94B23EFEB5574CDEDC5E8446D496FB91BD0B08CD80BE212E001055D
7172msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\TransportSecurity~RF297056.TMPbinary
MD5:D2615E0C4F6C46045EDB3EAA0ACE252A
SHA256:48EFA073914F67BCCE305DECBC121BE7FA6D343982BE00A666B4C5FB6A30A7A9
7172msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_000108image
MD5:AC37D9F3B31C5DE9284F4476C211678E
SHA256:ADB84FCE28F94427E4981224801D9AE96ECB143DEB6684D59050983D000451E5
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
152
TCP/UDP connections
82
DNS requests
86
Threats
18

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
HEAD
200
199.232.214.172:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/d50ccf3e-dd06-4e6f-bb20-931c8ce33527?P1=1736810881&P2=404&P3=2&P4=Kr8rotlRhebgaTJSZX%2fXMWF2e4QuiSc8GSWcYxk5DWL4PnK6gp4FPqtVheafk5WvNG8bHN59KbrXR8dbdDZXgg%3d%3d
unknown
whitelisted
3024
svchost.exe
GET
206
199.232.214.172:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/d50ccf3e-dd06-4e6f-bb20-931c8ce33527?P1=1736810881&P2=404&P3=2&P4=Kr8rotlRhebgaTJSZX%2fXMWF2e4QuiSc8GSWcYxk5DWL4PnK6gp4FPqtVheafk5WvNG8bHN59KbrXR8dbdDZXgg%3d%3d
unknown
whitelisted
GET
200
172.67.74.152:443
https://api.ipify.org/?format=json
unknown
binary
20 b
malicious
POST
200
13.107.21.239:443
https://edge.microsoft.com/componentupdater/api/v1/update?cup2key=7:xWHclom1iiCmUmF0brZ78sMvlDMOFMlyVay0H8p8iKY&cup2hreq=b31e1d122c655a7189e9f84bda8903ce9f7ab671c251b272d2982a6d523a3eba
unknown
text
18.4 Kb
whitelisted
GET
200
216.58.206.46:443
https://ajax.googleapis.com/ajax/libs/jquery/3.2.1/jquery.min.js
unknown
binary
84.6 Kb
whitelisted
GET
200
13.107.246.45:443
https://xpaywalletcdn.azureedge.net/mswallet/ExpressCheckout/v2/GetEligibleSites?version=0&type=topSite&IsStable=false
unknown
binary
497 b
whitelisted
GET
200
104.16.224.64:443
https://hdsupply.com/wp-content/themes/oceanwp/assets/css/third/simple-line-icons.min.css?ver=2.4.0
unknown
text
10.8 Kb
GET
200
13.107.21.239:443
https://edge.microsoft.com/neededge/v1?bucket=18
unknown
xml
741 Kb
whitelisted
GET
200
146.70.157.20:443
https://eastcloud.remaxisgroup.ru/[email protected]
unknown
html
131 Kb
GET
200
146.70.157.20:443
https://eastcloud.remaxisgroup.ru/sso/index.html?emailtoken=disability_application_accommodation@hdsupply.com&domain=hdsupply.com
unknown
html
1.61 Kb
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4708
svchost.exe
51.104.136.2:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
239.255.255.250:1900
whitelisted
416
RUXIMICS.exe
51.104.136.2:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
3080
MoUsoCoreWorker.exe
51.104.136.2:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4668
msedge.exe
224.0.0.251:5353
unknown
7172
msedge.exe
104.21.24.218:443
webmail-cake-924c-vvn.fresfst.workers.dev
CLOUDFLARENET
shared
3080
MoUsoCoreWorker.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
7172
msedge.exe
146.70.157.20:443
eastcloud.remaxisgroup.ru
RO
unknown
4708
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
7172
msedge.exe
142.250.186.106:443
ajax.googleapis.com
GOOGLE
US
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.185.238
whitelisted
webmail-cake-924c-vvn.fresfst.workers.dev
  • 104.21.24.218
  • 172.67.220.218
shared
settings-win.data.microsoft.com
  • 4.231.128.59
  • 40.127.240.158
whitelisted
eastcloud.remaxisgroup.ru
  • 146.70.157.20
unknown
ajax.googleapis.com
  • 142.250.186.106
whitelisted
go.microsoft.com
  • 23.35.238.131
whitelisted
edge.microsoft.com
  • 13.107.21.239
  • 204.79.197.239
whitelisted
api.ipify.org
  • 104.26.12.205
  • 104.26.13.205
  • 172.67.74.152
shared
arc.msn.com
  • 20.223.35.26
  • 20.103.156.88
whitelisted
msedge.b.tlu.dl.delivery.mp.microsoft.com
  • 199.232.214.172
  • 199.232.210.172
  • 23.32.238.99
  • 23.32.238.105
  • 84.201.210.20
  • 217.20.57.40
  • 84.201.210.18
  • 217.20.57.37
  • 217.20.57.23
  • 217.20.57.24
  • 217.20.57.21
  • 217.20.57.41
  • 217.20.57.19
  • 84.201.210.23
  • 217.20.57.18
  • 217.20.57.36
  • 217.20.57.20
  • 84.201.210.39
  • 217.20.57.35
  • 217.20.57.34
whitelisted

Threats

PID
Process
Class
Message
Not Suspicious Traffic
INFO [ANY.RUN] DNS Query to Cloudflare Worker App
Not Suspicious Traffic
INFO [ANY.RUN] DNS Query to Cloudflare Worker App
Possible Social Engineering Attempted
PHISHING [ANY.RUN] Suspected Phishing domain by CrossDomain ( .fresfst .workers .dev)
Possible Social Engineering Attempted
PHISHING [ANY.RUN] Phishing based on domain name abuse (webmail-)
Possible Social Engineering Attempted
PHISHING [ANY.RUN] Suspected Phishing domain by CrossDomain ( .fresfst .workers .dev)
Possible Social Engineering Attempted
PHISHING [ANY.RUN] Phishing based on domain name abuse (webmail-)
Misc activity
ET INFO Observed DNS Query to Cloudflare workers.dev Domain
Misc activity
ET INFO Observed DNS Query to Cloudflare workers.dev Domain
Misc activity
ET INFO Observed Cloudflare workers.dev Domain in TLS SNI
Possible Social Engineering Attempted
PHISHING [ANY.RUN] Suspected Phishing domain by CrossDomain ( .remaxisgroup .ru)
No debug info