URL:

https://webmail-cake-924c-vvn.fresfst.workers.dev/?data=ZGlzYWJpbGl0eV9hcHBsaWNhdGlvbl9hY2NvbW1vZGF0aW9uQGhkc3VwcGx5LmNvbQ==

Full analysis: https://app.any.run/tasks/3b7cb313-2478-4395-94c8-605da6bb03d7
Verdict: Malicious activity
Analysis date: January 10, 2025, 21:52:13
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
phishing
Indicators:
MD5:

665B32F7C8EC6299DF8CFF7C63E3740A

SHA1:

D9F088EE92391F83873A8A7B7827AA1363DA1E7A

SHA256:

7725054553603BB29E0B2A0CCC035E9CEBA8A1D9278FF484154E4C315EDA165D

SSDEEP:

3:N8RoEMJUfYSMocE7yU8tqVWceWLCln0bc0cB+GiSmHUYYn:2elJUfYSPcE5uLs/43B8wYY

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • PHISHING has been detected (SURICATA)

      • msedge.exe (PID: 7172)
  • SUSPICIOUS

    No suspicious indicators.
  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
158
Monitored processes
1
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
#PHISHING msedge.exe

Process information

PID
CMD
Path
Indicators
Parent process
7172"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --webtransport-developer-mode --no-appcompat-clear --mojo-platform-channel-handle=2496 --field-trial-handle=2204,i,13280900864495260754,3672259324373187194,262144 --variations-seed-version /prefetch:3C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Version:
122.0.2365.59
Total events
0
Read events
0
Write events
0
Delete events
0

Modification events

No data
Executable files
2
Suspicious files
31
Text files
3
Unknown types
0

Dropped files

PID
Process
Filename
Type
7172msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State~RF29576f.TMPbinary
MD5:D0453075479429FE52D8FB780A7DA8E9
SHA256:574112CCCB36E004E93B2BCBBA7F6CEB8FF3B12E3E462BEF80F1B57044E035B1
7172msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000fbtext
MD5:7EB2ADE813390CE69A66B46ABC482F7B
SHA256:3B7D13710426253350401D970BA95C70A7E53104AB042253A06E9B556DAD87DA
7172msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_000107binary
MD5:C819982402CB76D1AE8CC1A61600994F
SHA256:C5B63EC429C910ACA2DD4BA8476393DAE7E29D5868B8A7523B547DF4E68A0AD6
7172msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_000102image
MD5:085BFDA064BA5270173582B40753580F
SHA256:C9140CC02C3041789E037E8005F6A20C8B70E256239076DF7AF518ACE3DA5F1E
7172msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000fdcompressed
MD5:FC3FC31E5E7C0933DC18E562C1C071BF
SHA256:DDAD766FB94B23EFEB5574CDEDC5E8446D496FB91BD0B08CD80BE212E001055D
7172msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000fcbinary
MD5:311F1298863858C8334BD7A8A0E34014
SHA256:846351F83ED17838A1DE223EAD4E9900D1E127B3243695DAF5A4988E965C44CC
7172msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_000100binary
MD5:A8F4C49DF77BE8341C40F23CCBB66D37
SHA256:B00C4D14D58D161C04C9011665DC5EE95BFDF735BAE6957604E62EDF1FEEFBA3
7172msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\ebdce83f-f83e-4062-9ec6-24f2d7156a04.tmpbinary
MD5:52BF7D0457F7DDEF57D691B016264CDA
SHA256:C6599A9066D305263FE8B059F8E13C06D8CE24AB5C970CBD328F2AFC956AC442
7172msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent Statebinary
MD5:52BF7D0457F7DDEF57D691B016264CDA
SHA256:C6599A9066D305263FE8B059F8E13C06D8CE24AB5C970CBD328F2AFC956AC442
7172msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\TransportSecuritybinary
MD5:9F3FE96D28C532424307569F039DAB2B
SHA256:B5F9586BBCCFA2FCFFA9C1E5CAB9CC9987922B5D6D80CE3358425165F16128BD
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
128
TCP/UDP connections
72
DNS requests
76
Threats
21

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
146.70.157.20:443
https://eastcloud.remaxisgroup.ru/[email protected]
unknown
html
131 Kb
GET
400
104.21.24.218:443
https://webmail-cake-924c-vvn.fresfst.workers.dev/favicon.ico
unknown
text
26 b
shared
3024
svchost.exe
HEAD
200
23.32.238.152:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/d50ccf3e-dd06-4e6f-bb20-931c8ce33527?P1=1736814451&P2=404&P3=2&P4=PL6v7T9cucAXp4hV10DLJGfUJc%2bvniauGyhhX2f9qPiz5MnB2k4eV7y0rdcy0ZlP3ppTIpcM8su2TUGnxbTO5g%3d%3d
unknown
whitelisted
3024
svchost.exe
GET
206
23.32.238.152:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/d50ccf3e-dd06-4e6f-bb20-931c8ce33527?P1=1736814451&P2=404&P3=2&P4=PL6v7T9cucAXp4hV10DLJGfUJc%2bvniauGyhhX2f9qPiz5MnB2k4eV7y0rdcy0ZlP3ppTIpcM8su2TUGnxbTO5g%3d%3d
unknown
whitelisted
GET
200
13.107.21.239:443
https://edge.microsoft.com/neededge/v1?bucket=18
unknown
xml
741 Kb
whitelisted
GET
200
104.26.13.205:443
https://api.ipify.org/?format=json
unknown
binary
22 b
malicious
GET
200
13.107.246.45:443
https://xpaywalletcdn.azureedge.net/mswallet/ExpressCheckout/v2/GetEligibleSites?version=0&type=dafSite&IsStable=false
unknown
binary
332 Kb
whitelisted
3024
svchost.exe
GET
206
23.32.238.152:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/d50ccf3e-dd06-4e6f-bb20-931c8ce33527?P1=1736814451&P2=404&P3=2&P4=PL6v7T9cucAXp4hV10DLJGfUJc%2bvniauGyhhX2f9qPiz5MnB2k4eV7y0rdcy0ZlP3ppTIpcM8su2TUGnxbTO5g%3d%3d
unknown
whitelisted
POST
200
204.79.197.239:443
https://edge.microsoft.com/componentupdater/api/v1/update?cup2key=7:CGw6tP8-4AoYKtpYMVuk896RT0sahXiISFs-1bqRPfo&cup2hreq=b5e44e4c692329b6e6d529355dca7e950af330a8c46cf329de6229b0502c6167
unknown
text
18.4 Kb
whitelisted
GET
200
146.70.157.20:443
https://eastcloud.remaxisgroup.ru/sso/b64.js
unknown
binary
4.58 Kb
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
416
RUXIMICS.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
3080
MoUsoCoreWorker.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4136
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
239.255.255.250:1900
whitelisted
4668
msedge.exe
224.0.0.251:5353
unknown
7172
msedge.exe
172.67.220.218:443
webmail-cake-924c-vvn.fresfst.workers.dev
CLOUDFLARENET
US
shared
7172
msedge.exe
146.70.157.20:443
eastcloud.remaxisgroup.ru
RO
unknown
3696
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
7172
msedge.exe
13.107.21.239:443
edge.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
7172
msedge.exe
23.35.238.131:443
go.microsoft.com
AKAMAI-AS
DE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 40.127.240.158
whitelisted
google.com
  • 142.250.184.238
whitelisted
webmail-cake-924c-vvn.fresfst.workers.dev
  • 172.67.220.218
  • 104.21.24.218
shared
eastcloud.remaxisgroup.ru
  • 146.70.157.20
unknown
go.microsoft.com
  • 23.35.238.131
whitelisted
edge.microsoft.com
  • 13.107.21.239
  • 204.79.197.239
whitelisted
ajax.googleapis.com
  • 142.250.185.170
whitelisted
msedge.b.tlu.dl.delivery.mp.microsoft.com
  • 23.32.238.152
  • 23.32.238.105
  • 23.32.238.99
  • 199.232.210.172
  • 199.232.214.172
  • 2.16.168.108
  • 2.16.168.112
whitelisted
api.ipify.org
  • 104.26.12.205
  • 172.67.74.152
  • 104.26.13.205
shared
arc.msn.com
  • 20.199.58.43
whitelisted

Threats

PID
Process
Class
Message
Not Suspicious Traffic
INFO [ANY.RUN] DNS Query to Cloudflare Worker App
Not Suspicious Traffic
INFO [ANY.RUN] DNS Query to Cloudflare Worker App
Possible Social Engineering Attempted
PHISHING [ANY.RUN] Phishing based on domain name abuse (webmail-)
Possible Social Engineering Attempted
PHISHING [ANY.RUN] Suspected Phishing domain by CrossDomain ( .fresfst .workers .dev)
Possible Social Engineering Attempted
PHISHING [ANY.RUN] Suspected Phishing domain by CrossDomain ( .fresfst .workers .dev)
Possible Social Engineering Attempted
PHISHING [ANY.RUN] Phishing based on domain name abuse (webmail-)
Misc activity
ET INFO Observed Cloudflare workers.dev Domain in TLS SNI
Misc activity
ET INFO Observed DNS Query to Cloudflare workers.dev Domain
Misc activity
ET INFO Observed Cloudflare workers.dev Domain in TLS SNI
Misc activity
ET INFO Observed DNS Query to Cloudflare workers.dev Domain
No debug info