Malware analysis https://www.canva.com/design/DAHLnlP_QpA/A46odYo_htRyooTYroiJnQ/view Malicious activity

Add for printing

URL:	https://www.canva.com/design/DAHLnlP_QpA/A46odYo_htRyooTYroiJnQ/view
Full analysis:	https://app.any.run/tasks/f0db5abd-0a6f-434d-b20f-e89e9418dec3
Verdict:	Malicious activity
Threats:	FlowerStorm is a phishing-as-a-service (PhaaS) platform used by cybercriminals to steal Microsoft 365 credentials and bypass multi-factor authentication (MFA) protections through adversary-in-the-middle (AiTM) attacks. Emerging after the disruption of Rockstar2FA in late 2024, FlowerStorm rapidly gained popularity among attackers targeting enterprises across North America and Europe. Malware Trends Tracker >>>
Analysis date:	June 04, 2026, 18:59:19
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	phishing storm1167 flowerstorm
MD5:	FE57BFE4461676B5BF7CE62F3BAF7610
SHA1:	0035F3B0FB3A8591E8744EE22E3D3551917630B7
SHA256:	84121956405114CC86ECEF04B0869FFA23A1AA4AB9F6A76432F5F370438B5168
SSDEEP:	3:N8DSLHTiAWDrLuGcr7v43:2OLNDGSvA

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Add for printing

MALICIOUS
No malicious indicators.
SUSPICIOUS
No suspicious indicators.
INFO
No info indicators.

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

149

Monitored processes

0

Malicious processes

0

Suspicious processes

0

Behavior graph

Click at the process to see the details

Process information

No data

Add for printing

Total events

0

Read events

0

Write events

0

Delete events

0

Modification events

No data

Add for printing

Executable files

0

Suspicious files

0

Text files

0

Unknown types

0

Dropped files

No data

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

306

TCP/UDP connections

148

DNS requests

117

Threats

55

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
8032	svchost.exe	HEAD	200	23.197.142.186:443	https://fs.microsoft.com/fs/windows/config.json	US	—	—	whitelisted
8032	svchost.exe	HEAD	200	192.168.1.2:443	https://fs.microsoft.com/fs/windows/config.json	unknown	—	—	—
8032	svchost.exe	GET	200	192.168.1.2:443	https://fs.microsoft.com/fs/windows/config.json	unknown	—	—	—
7144	msedge.exe	GET	200	192.168.1.2:443	https://static.canva.com/web/6ea0f47ee5c1a5a5.ltr.css	unknown	—	—	—
7292	RUXIMICS.exe	GET	304	48.209.138.189:443	https://settings-win.data.microsoft.com/settings/v3.0/WSD/RUXIM?os=Windows&osVer=10.0.19045.4046.amd64fre.vb_release.191206-1406&sku=48&deviceClass=Windows.Desktop&locale=en-US&deviceId=s:BAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&sampleId=s:95271487&appVer=10.0.19041.3623&OSVersionFull=10.0.19045.4046.amd64fre.vb_release.191206-1406&FlightRing=Retail&AttrDataVer=188&App=RUXIM&AppVer=&DeviceFamily=Windows.Desktop	US	—	—	whitelisted
7144	msedge.exe	GET	200	192.168.1.2:443	https://static.canva.com/web/21ee3dfce83854dc.runtime.js	unknown	—	—	—
7144	msedge.exe	GET	200	192.168.1.2:443	https://static.canva.com/web/ef9c26dd631a6509.vendor.js	unknown	text	52.7 Kb	whitelisted
7144	msedge.exe	GET	200	192.168.1.2:443	https://static.canva.com/web/4f14cd56dd6663d0.s4le6a.vendor.js	unknown	—	—	—
7144	msedge.exe	GET	200	192.168.1.2:443	https://static.canva.com/web/632303916d3585d8.strings.js	unknown	—	—	—
7144	msedge.exe	GET	200	192.168.1.2:443	https://static.canva.com/web/a95ea08b6c0ef0df.en.js	unknown	—	—	—

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
7324	svchost.exe	48.209.138.189:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
7292	RUXIMICS.exe	48.209.138.189:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
5336	MoUsoCoreWorker.exe	48.209.138.189:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
7144	msedge.exe	224.0.0.251:5353	—	—	—	whitelisted
8032	svchost.exe	23.197.142.186:443	fs.microsoft.com	AKAMAI-AS	US	whitelisted
7144	msedge.exe	103.169.142.21:443	www.canva.com	CLOUDFLARESPECTRUM Cloudflare, Inc.	US	whitelisted
7324	svchost.exe	2.16.241.12:80	crl.microsoft.com	AKAMAI-ASN1	NL	whitelisted
7292	RUXIMICS.exe	2.16.241.12:80	crl.microsoft.com	AKAMAI-ASN1	NL	whitelisted
7144	msedge.exe	103.169.142.20:443	www.canva.com	CLOUDFLARESPECTRUM Cloudflare, Inc.	US	whitelisted
7144	msedge.exe	2.16.241.222:443	www.bing.com	AKAMAI-ASN1	NL	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	48.209.138.189 48.209.133.15	whitelisted
google.com	142.250.154.113 142.250.154.102 142.250.154.100 142.250.154.139 142.250.154.138 142.250.154.101	whitelisted
fs.microsoft.com	23.197.142.186	whitelisted
www.canva.com	103.169.142.21 103.169.142.20	whitelisted
crl.microsoft.com	2.16.241.12 2.16.241.19	whitelisted
static.canva.com	103.169.142.20 103.169.142.21	whitelisted
www.bing.com	2.16.241.222 2.16.241.207 2.16.241.201 2.16.241.225 2.16.241.205 2.16.241.218	whitelisted
www.microsoft.com	88.221.169.152	whitelisted
msedge.b.tlu.dl.delivery.mp.microsoft.com	92.223.97.79	whitelisted
o13855.ingest.sentry.io	34.160.81.0	whitelisted

Threats

PID	Process	Class	Message
7144	msedge.exe	Not Suspicious Traffic	INFO [ANY.RUN] Canva designs and to share platform (static .canva .com)
7144	msedge.exe	Not Suspicious Traffic	INFO [ANY.RUN] Canva designs and to share platform (static .canva .com)
7144	msedge.exe	Not Suspicious Traffic	INFO [ANY.RUN] Canva designs and to share platform (static .canva .com)
7144	msedge.exe	Not Suspicious Traffic	INFO [ANY.RUN] Canva designs and to share platform (static .canva .com)
7144	msedge.exe	Not Suspicious Traffic	INFO [ANY.RUN] Canva designs and to share platform (static .canva .com)
7144	msedge.exe	Not Suspicious Traffic	INFO [ANY.RUN] Canva designs and to share platform (static .canva .com)
5336	MoUsoCoreWorker.exe	Unknown Traffic	ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)
7144	msedge.exe	Not Suspicious Traffic	INFO [ANY.RUN] Canva designs and to share platform (static .canva .com)
7144	msedge.exe	Not Suspicious Traffic	INFO [ANY.RUN] An application monitoring request to sentry .io
7144	msedge.exe	Not Suspicious Traffic	INFO [ANY.RUN] An application monitoring request to sentry .io

Add for printing

No debug info

General Info

https://www.canva.com/design/DAHLnlP_QpA/A46odYo_htRyooTYroiJnQ/view

FE57BFE4461676B5BF7CE62F3BAF7610

0035F3B0FB3A8591E8744EE22E3D3551917630B7

84121956405114CC86ECEF04B0869FFA23A1AA4AB9F6A76432F5F370438B5168

3:N8DSLHTiAWDrLuGcr7v43:2OLNDGSvA

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

SUSPICIOUS

INFO

Malware configuration

Static information

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings