Malware analysis https://gamma.app/reset?code=o18buftupqxnsuc&flow=signup&email=daniyar.bimurzin%2540ftel.kz Malicious activity

Add for printing

URL:	https://gamma.app/reset?code=o18buftupqxnsuc&flow=signup&email=daniyar.bimurzin%2540ftel.kz
Full analysis:	https://app.any.run/tasks/3147520c-e50b-4ef9-abe3-da36cd94ceb7
Verdict:	Malicious activity
Analysis date:	May 10, 2025, 01:09:26
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	phishing
MD5:	9979BD4CA49DB472E84453BBAF635AB4
SHA1:	D6F2E1AEFDC8AD27A2F3143F700B0B4F969510D5
SHA256:	7BF122871CD1944DB324FE703CD641BB17F21109887D0B66DC2F43082350969B
SSDEEP:	3:N8lajIDROf77DLAc5bEUeXfKDzr:280NOf77XAc5bY83

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Add for printing

MALICIOUS
No malicious indicators.
SUSPICIOUS
No suspicious indicators.
INFO
No info indicators.

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

152

Monitored processes

1

Malicious processes

0

Suspicious processes

0

Behavior graph

Click at the process to see the details

Process information

PID	CMD	Path	Indicators	Parent process
1396	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --webtransport-developer-mode --no-appcompat-clear --mojo-platform-channel-handle=2532 --field-trial-handle=2372,i,8504447382059928769,14367336096275567116,262144 --variations-seed-version /prefetch:3	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe		msedge.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Edge Version: 122.0.2365.59

Add for printing

Total events

0

Read events

0

Write events

0

Delete events

0

Modification events

No data

Add for printing

Executable files

5

Suspicious files

55

Text files

2

Unknown types

0

Dropped files

PID	Process	Filename		Type
1396	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000bb		compressed
		MD5:10B84D6DDEFB33D0D3F0615CA3E91C5A	SHA256:C69A6E50A300D39721F9AE8FC5B40600DD90093F65E3A4650C9540C58C071144
1396	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State~RF1391a4.TMP		binary
		MD5:50823AF426E5FA5F5641C1004F470D3E	SHA256:599163927CC9E5640C868AEDD3B0B6EC79E6513970504124E417922D8AAAB7C3
1396	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State		binary
		MD5:3140CB797498137E330D3CAE1AD5970A	SHA256:B4C87E65FB18FF2E4028E934653089C7DE70D854E7D861D9A1063189C5212119
1396	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000c1		compressed
		MD5:E3B87336D57706DF1EB036FD6D197BAF	SHA256:2F6A7BE9DEFC16E37D998F46DBFF97A3DB316A05B5F985BF843B8D0326A116F5
1396	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\f148e872-102d-4e37-bd77-b11dee958f54.tmp		binary
		MD5:3140CB797498137E330D3CAE1AD5970A	SHA256:B4C87E65FB18FF2E4028E934653089C7DE70D854E7D861D9A1063189C5212119
1396	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000be		binary
		MD5:ED2A583E5AE28B576F33E4F6719EFFCE	SHA256:666DC20EBFEE527440815C55DDC592A425E296A5B2E7B7DE9244E2E9A5E1B038
1396	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000c0		compressed
		MD5:033D09C1282976F3028D775062ED9A4D	SHA256:5F71A8918CCE08A127DAE21C550A4DC502E0DE207024A3E97A3AA0D12F0A2023
1396	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000bc		compressed
		MD5:1DA93F4D9AD4494510FBCF7B568BCB84	SHA256:E89EF9D303444FCE633EB0C0E5A3245ADF1AA27C7CBDF8F780464D61EF053427
1396	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000bd		compressed
		MD5:CA63D10CEDC51597FAC2ADF52AFAF17A	SHA256:7110A6CB650C6FF50113F2F28C2F41435B861ABBB26853A238EF9DDFC07410B8
1396	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000ca		compressed
		MD5:386D87873CC9E0E429740D817B49F874	SHA256:BEC5574FB191385B3BCC2C3CB587C9F3A8D94090EDE6B4D5688189370D876362

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

171

TCP/UDP connections

126

DNS requests

144

Threats

11

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
1880	svchost.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
1880	svchost.exe	GET	200	23.48.23.143:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
3080	MoUsoCoreWorker.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	GET	200	2.23.227.208:443	https://www.bing.com/bloomfilterfiles/ExpandedDomainsFilterGlobal.json	unknown	binary	654 Kb	whitelisted
—	—	GET	200	104.18.94.41:443	https://challenges.cloudflare.com/turnstile/v0/b/701fd2559006/api.js?onload=OUxOl5&render=explicit	unknown	binary	47.0 Kb	whitelisted
—	—	POST	200	20.190.159.73:443	https://login.live.com/RST2.srf	unknown	xml	1.24 Kb	whitelisted
—	—	POST	403	184.30.21.171:443	https://go.microsoft.com/fwlink/?LinkID=2257403&clcid=0x409	unknown	html	386 b	whitelisted
—	—	GET	200	104.18.95.41:443	https://challenges.cloudflare.com/turnstile/v0/b/701fd2559006/api.js?onload=OUxOl5&render=explicit	unknown	binary	47.0 Kb	whitelisted
—	—	POST	200	40.126.31.1:443	https://login.live.com/ppsecure/deviceaddcredential.srf	unknown	text	16.7 Kb	whitelisted
—	—	POST	403	184.30.21.171:443	https://go.microsoft.com/fwlink/?LinkID=2257403&clcid=0x409	unknown	html	386 b	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
3080	MoUsoCoreWorker.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
—	—	239.255.255.250:1900	—	—	—	whitelisted
5080	RUXIMICS.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
1880	svchost.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
1396	msedge.exe	104.18.11.200:443	gamma.app	CLOUDFLARENET	—	suspicious
4936	svchost.exe	20.190.159.73:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
1880	svchost.exe	23.48.23.143:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
1880	svchost.exe	184.30.21.171:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
3080	MoUsoCoreWorker.exe	184.30.21.171:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
1396	msedge.exe	2.23.227.208:443	www.bing.com	Ooredoo Q.S.C.	QA	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	20.73.194.208 51.124.78.146	whitelisted
google.com	142.250.181.238	whitelisted
gamma.app	104.18.11.200 104.18.10.200	unknown
login.live.com	20.190.159.73 40.126.31.128 40.126.31.69 20.190.159.23 20.190.159.71 20.190.159.0 40.126.31.129 40.126.31.1	whitelisted
crl.microsoft.com	23.48.23.143 23.48.23.166 23.48.23.156	whitelisted
www.microsoft.com	184.30.21.171	whitelisted
www.bing.com	2.23.227.208 2.23.227.215	whitelisted
challenges.cloudflare.com	104.18.94.41 104.18.95.41	whitelisted
go.microsoft.com	184.30.18.9	whitelisted
v10.events.data.microsoft.com	20.189.173.5	whitelisted

Threats

PID	Process	Class	Message
—	—	Possible Social Engineering Attempted	PHISHING [ANY.RUN] Suspected Phishing Gamma app
—	—	Possible Social Engineering Attempted	PHISHING [ANY.RUN] Suspected Phishing Gamma app
—	—	Possible Social Engineering Attempted	PHISHING [ANY.RUN] Suspected Phishing Gamma app
—	—	Not Suspicious Traffic	INFO [ANY.RUN] Cloudflare turnstile CAPTCHA challenge
—	—	Possible Social Engineering Attempted	PHISHING [ANY.RUN] Suspected Phishing Gamma app
—	—	Not Suspicious Traffic	INFO [ANY.RUN] Cloudflare turnstile CAPTCHA challenge
—	—	Possible Social Engineering Attempted	PHISHING [ANY.RUN] Suspected Phishing Gamma app
—	—	Possible Social Engineering Attempted	PHISHING [ANY.RUN] Suspected Phishing Gamma app
—	—	Not Suspicious Traffic	INFO [ANY.RUN] An application monitoring request to sentry .io
—	—	Not Suspicious Traffic	INFO [ANY.RUN] An application monitoring request to sentry .io

Add for printing

No debug info

General Info

https://gamma.app/reset?code=o18buftupqxnsuc&flow=signup&email=daniyar.bimurzin%2540ftel.kz

9979BD4CA49DB472E84453BBAF635AB4

D6F2E1AEFDC8AD27A2F3143F700B0B4F969510D5

7BF122871CD1944DB324FE703CD641BB17F21109887D0B66DC2F43082350969B

3:N8lajIDROf77DLAc5bEUeXfKDzr:280NOf77XAc5bY83

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

SUSPICIOUS

INFO

Malware configuration

Static information

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings