Malware analysis https://www.canva.com/design/DAHE-h-A-UY/ATjFgg6-Py0dXykr9EAa4A/view?utm_content=DAHE-h-A-UY&utm_campaign=designshare&utm_medium=link2&utm_source=uniquelinks&utlId=hea2c5afbb5 Malicious activity

Add for printing

URL:	https://www.canva.com/design/DAHE-h-A-UY/ATjFgg6-Py0dXykr9EAa4A/view?utm_content=DAHE-h-A-UY&utm_campaign=designshare&utm_medium=link2&utm_source=uniquelinks&utlId=hea2c5afbb5
Full analysis:	https://app.any.run/tasks/1c3993d9-f5c8-441c-8054-043807aa9a56
Verdict:	Malicious activity
Threats:	Sneaky 2FA is an Adversary-in-the-Middle (AiTM) phishing kit targeting Microsoft 365 accounts. Distributed as a Phishing-as-a-Service (PhaaS) through a Telegram bot, this malware bypasses two-factor authentication (2FA) to steal credentials and session cookies, posing a significant threat to individuals and organizations. Malware Trends Tracker >>>
Analysis date:	March 27, 2026, 09:15:52
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	phishing flowerstorm sneaky2fa
Indicators:
MD5:	7871FFEFDB80DC82C10B29CC32DD9950
SHA1:	06212091B9409863F6ECCB655DD4B768A72C0324
SHA256:	794D59D23278533E02415FCF7F7A27A4ED320D432ECDB8EF38E97F9A54D517D2
SSDEEP:	3:N8DSLHTiAWDNIG0IcYIkCGAL+gNIGBomAGN/MRI6jRIYzTEtQWYMUQt9DEalHw:2OLNUIfCFCXpIzmtN/MRIHTiWhJthjlQ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Add for printing

MALICIOUS
- PHISHING has been detected (SURICATA)
  - msedge.exe (PID: 7028)
SUSPICIOUS
- Contacting a server suspected of hosting an CnC
  - msedge.exe (PID: 7028)
INFO
No info indicators.

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

169

Monitored processes

1

Malicious processes

1

Suspicious processes

0

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

7028

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --disable-quic --webtransport-developer-mode --string-annotations --always-read-main-dll --field-trial-handle=2256,i,13378875761215938322,9620771509043916482,262144 --variations-seed-version --mojo-platform-channel-handle=2616 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft Edge

Version:

133.0.3065.92

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

Add for printing

Total events

0

Read events

0

Write events

0

Delete events

0

Modification events

No data

Add for printing

Executable files

3

Suspicious files

30

Text files

4

Unknown types

0

Dropped files

PID	Process	Filename		Type
7028	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000b5		text
		MD5:E762FE48F237433248062D4C1D1ACB8B	SHA256:6D10FFE4E339CD38A2BFD67C3AB03510CD768C7010934ECC17C1B0504588005A
7028	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000b8		binary
		MD5:429F83152504AB97CA4B29E58A72D6D3	SHA256:F62003C119633CEC60A9B57130684E8B108C0DB7A23A192A65DC8AC32B91B997
7028	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000c2		binary
		MD5:0E72B44A08363E5552D4F75701D72244	SHA256:55DA1EE8745F202DBC36DA9DAC7B6CAB6298FB053BD6AA650E8E3ED5F274019F
7028	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000c3		binary
		MD5:3A3265A87F63CEA5940448965C50057F	SHA256:8ED8A052AD888AEEC956002D14C75719496281D24B97189E85B4D5179B5F72CA
7028	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000c4		binary
		MD5:47A1AF27065747A7B9CF257260E5FAFB	SHA256:744E35B085E4BA712BCED3A9C9A2F877963123CDE03F2699A5B8F285399361EC
7028	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000c5		binary
		MD5:7A2B8BECFD52FA035A326E50E2B12792	SHA256:173B148B82F893ABCAFA96B23A2CE922D68D5AB87E9FCB69A74B11F532462D5B
7028	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000c7		binary
		MD5:7C10AFD8CA956C3E242AAC12BFF65F88	SHA256:88EC3A83D1C8D759F81C13B0DB061469F3993D583993A176E339FF83463DEA8B
7028	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000b6		binary
		MD5:4226C71E603A621F200C8255F7FDE739	SHA256:230238628E2F90DF44EA20B0D66CC1131E96FE3C95BF2639C29608AC3A7F2DC7
7028	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000c0		binary
		MD5:429F83152504AB97CA4B29E58A72D6D3	SHA256:F62003C119633CEC60A9B57130684E8B108C0DB7A23A192A65DC8AC32B91B997
7028	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000ba		binary
		MD5:B54B8082D979A501F4D833C52DBC9F33	SHA256:6837D15DFD45EC4A8E9C6AEB4821EA687B72B353DD439BB07D0F0514EE476071

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

228

TCP/UDP connections

142

DNS requests

92

Threats

26

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
7760	svchost.exe	HEAD	200	23.197.142.186:443	https://fs.microsoft.com/fs/windows/config.json	unknown	—	—	whitelisted
488	svchost.exe	GET	200	23.216.77.36:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
7092	RUXIMICS.exe	GET	200	23.216.77.36:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
5336	MoUsoCoreWorker.exe	GET	200	23.216.77.36:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
488	svchost.exe	GET	200	23.52.181.212:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
5336	MoUsoCoreWorker.exe	GET	200	23.52.181.212:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
7092	RUXIMICS.exe	GET	200	23.52.181.212:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
7028	msedge.exe	GET	200	104.126.37.163:443	https://www.bing.com/bloomfilterfiles/ExpandedDomainsFilterGlobal.json	unknown	text	665 Kb	whitelisted
7028	msedge.exe	GET	200	104.16.102.112:443	https://static.canva.com/web/48c83f65e2484aac.ltr.css	unknown	text	495 b	unknown
7028	msedge.exe	GET	200	104.16.102.112:443	https://static.canva.com/web/08e648cf7e3cae3b.vendor.js	unknown	binary	49.4 Kb	unknown

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
488	svchost.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
5336	MoUsoCoreWorker.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
7092	RUXIMICS.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
—	—	224.0.0.251:5353	—	—	—	whitelisted
488	svchost.exe	23.216.77.36:80	crl.microsoft.com	AKAMAI-ASN1	NL	whitelisted
5336	MoUsoCoreWorker.exe	23.216.77.36:80	crl.microsoft.com	AKAMAI-ASN1	NL	whitelisted
7092	RUXIMICS.exe	23.216.77.36:80	crl.microsoft.com	AKAMAI-ASN1	NL	whitelisted
7028	msedge.exe	104.16.103.112:443	www.canva.com	CLOUDFLARENET	US	whitelisted
488	svchost.exe	23.52.181.212:80	www.microsoft.com	AKAMAI-AS	US	whitelisted
5336	MoUsoCoreWorker.exe	23.52.181.212:80	www.microsoft.com	AKAMAI-AS	US	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	40.127.240.158 20.73.194.208 4.231.128.59 51.124.78.146	whitelisted
google.com	142.251.127.139 142.251.127.138 142.251.127.100 142.251.127.102 142.251.127.113 142.251.127.101	whitelisted
crl.microsoft.com	23.216.77.36 23.216.77.42 23.216.77.6 23.216.77.8 23.216.77.22	whitelisted
www.canva.com	104.16.103.112 104.16.102.112	whitelisted
www.microsoft.com	23.52.181.212	whitelisted
static.canva.com	104.16.103.112 104.16.102.112	whitelisted
www.bing.com	104.126.37.123 104.126.37.130 104.126.37.186 104.126.37.137 104.126.37.185 104.126.37.131 104.126.37.177 104.126.37.178 104.126.37.176 104.126.37.161 104.126.37.179 104.126.37.171 104.126.37.163 104.126.37.162 104.126.37.184 104.126.37.160	whitelisted
login.live.com	20.190.160.2 40.126.32.138 40.126.32.136 20.190.160.3 40.126.32.68 40.126.32.76 20.190.160.128 20.190.160.130 20.190.159.23 40.126.31.3 40.126.31.71 40.126.31.130 40.126.31.1 40.126.31.69 20.190.159.75 20.190.159.130	whitelisted
fs.microsoft.com	23.197.142.186	whitelisted
o13855.ingest.sentry.io	34.160.81.0	whitelisted

Threats

PID	Process	Class	Message
7028	msedge.exe	Not Suspicious Traffic	INFO [ANY.RUN] Canva designs and to share platform (static .canva .com)
7028	msedge.exe	Not Suspicious Traffic	INFO [ANY.RUN] Canva designs and to share platform (static .canva .com)
7028	msedge.exe	Not Suspicious Traffic	INFO [ANY.RUN] Canva designs and to share platform (static .canva .com)
7028	msedge.exe	Not Suspicious Traffic	INFO [ANY.RUN] Canva designs and to share platform (static .canva .com)
7028	msedge.exe	Not Suspicious Traffic	INFO [ANY.RUN] An application monitoring request to sentry .io
7028	msedge.exe	Not Suspicious Traffic	INFO [ANY.RUN] An application monitoring request to sentry .io
7028	msedge.exe	Not Suspicious Traffic	INFO [ANY.RUN] Canva designs and to share platform (static .canva .com)
7028	msedge.exe	Not Suspicious Traffic	INFO [ANY.RUN] Canva designs and to share platform (static .canva .com)
7028	msedge.exe	Not Suspicious Traffic	INFO [ANY.RUN] Canva designs and to share platform (static .canva .com)
7028	msedge.exe	Not Suspicious Traffic	INFO [ANY.RUN] Canva designs and to share platform (static .canva .com)

Add for printing

No debug info

General Info

https://www.canva.com/design/DAHE-h-A-UY/ATjFgg6-Py0dXykr9EAa4A/view?utm_content=DAHE-h-A-UY&utm_campaign=designshare&utm_medium=link2&utm_source=uniquelinks&utlId=hea2c5afbb5

7871FFEFDB80DC82C10B29CC32DD9950

06212091B9409863F6ECCB655DD4B768A72C0324

794D59D23278533E02415FCF7F7A27A4ED320D432ECDB8EF38E97F9A54D517D2

3:N8DSLHTiAWDNIG0IcYIkCGAL+gNIGBomAGN/MRI6jRIYzTEtQWYMUQt9DEalHw:2OLNUIfCFCXpIzmtN/MRIHTiWhJthjlQ

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

PHISHING has been detected (SURICATA)

SUSPICIOUS

Contacting a server suspected of hosting an CnC

INFO

Malware configuration

Static information

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings