URL:

http://email.mailgun.waiverforever.com/c/eJxMz8FqAyEQxvGn0WMYZ43Rg4dA2XOhFHoLro7RZt0pu2ZL3r6k9ND7j-_jn7zLxgYlyauT1sYAAsjinSKbdAKCkwbI0aEzNhtl7TBESElWj4BH0EordwSAAxJNIcIQJ0pKuUloaKHO1_ty-A51pzXzSjuth8hNzr70_rWJ4SxwFDjWvHHjhToXCvOTCBzfXhEFjnL1JbQWbpQrAoDQ8AiF-Xdoi7SQD_fO9HyTW70ulC6J4-VGD18_93M1_PH-8lennJb9n989_gQAAP__qFtQ0w

Full analysis: https://app.any.run/tasks/15437712-b164-4dc7-b0e6-dc0f415c19ca
Verdict: Malicious activity
Analysis date: April 15, 2025, 17:32:59
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: phishing
Indicators:
MD5: 8998B956F131BB007E091F38E57A792C
SHA1: DB17B4C1BD2E181FB67BF2E91E3EE82A757D460A
SHA256: 86CB09CB037A9D7A21AD7DACA508FBCF03F9EE5D1EEEC7A522BAF376F911B274
SSDEEP: 6:CyYMWWWGlbtEKnVQXAWP0jtNf50GJNAgG1sA1oVxve12mnSzBjR+86Fz:eWnln8xAn0eNFoRgpe1RShIF

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • PHISHING has been detected (SURICATA)
      • msedge.exe (PID: 1396)
  • SUSPICIOUS
    No suspicious indicators.
  • INFO
    No info indicators.
No Malware configuration.
No data.
Total processes: 137
Monitored processes: 1
Malicious processes: 1
Suspicious processes: 0

Behavior graph

#PHISHING msedge.exe

Process information

PID: 1396
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --webtransport-developer-mode --no-appcompat-clear --mojo-platform-channel-handle=2532 --field-trial-handle=2372,i,8504447382059928769,14367336096275567116,262144 --variations-seed-version /prefetch:3
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Edge
Version: 122.0.2365.59
Total events: 0
Read events: 0
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 0
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

No data
HTTP(S) requests: 19
TCP/UDP connections: 33
DNS requests: 16
Threats: 2

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
1396 | msedge.exe | GET | 302 | 34.110.180.34:80 | http://email.mailgun.waiverforever.com/c/eJxMz8FqAyEQxvGn0WMYZ43Rg4dA2XOhFHoLro7RZt0pu2ZL3r6k9ND7j-_jn7zLxgYlyauT1sYAAsjinSKbdAKCkwbI0aEzNhtl7TBESElWj4BH0EordwSAAxJNIcIQJ0pKuUloaKHO1_ty-A51pzXzSjuth8hNzr70_rWJ4SxwFDjWvHHjhToXCvOTCBzfXhEFjnL1JbQWbpQrAoDQ8AiF-Xdoi7SQD_fO9HyTW70ulC6J4-VGD18_93M1_PH-8lennJb9n989_gQAAP__qFtQ0w | unknown | | | whitelisted
3256 | RUXIMICS.exe | GET | 200 | 23.53.40.178:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | | | whitelisted
3080 | MoUsoCoreWorker.exe | GET | 200 | 23.53.40.178:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | | | whitelisted
1876 | svchost.exe | GET | 200 | 23.53.40.178:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | | | whitelisted
1876 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | | | whitelisted
3256 | RUXIMICS.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | | | whitelisted
| | POST | 200 | 20.190.160.14:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 16.7 Kb | whitelisted
| | POST | 200 | 20.190.160.14:443 | https://login.live.com/RST2.srf | unknown | xml | 1.24 Kb | whitelisted
| | POST | 403 | 184.30.21.171:443 | https://go.microsoft.com/fwlink/?LinkID=2257403&clcid=0x409 | unknown | | | whitelisted
| | POST | 403 | 184.30.21.171:443 | https://go.microsoft.com/fwlink/?LinkID=2257403&clcid=0x409 | unknown | html | 384 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3256 | RUXIMICS.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3080 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1876 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
| | 239.255.255.250:1900 | | | | whitelisted
1396 | msedge.exe | 2.19.96.49:443 | www.bing.com | Akamai International B.V. | DE | whitelisted
1396 | msedge.exe | 34.110.180.34:80 | email.mailgun.waiverforever.com | GOOGLE | US | whitelisted
1396 | msedge.exe | 188.114.96.3:443 | ifsomonetoheal.com | | | unknown
6124 | svchost.exe | 40.126.31.67:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3256 | RUXIMICS.exe | 23.53.40.178:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
3080 | MoUsoCoreWorker.exe | 23.53.40.178:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 40.127.240.158 | whitelisted
google.com | 172.217.23.110 | whitelisted
www.bing.com | 2.19.96.49, 2.19.96.50, 2.19.96.67, 2.19.96.104, 2.19.96.8 | whitelisted
email.mailgun.waiverforever.com | 34.110.180.34 | whitelisted
ifsomonetoheal.com | 188.114.96.3, 188.114.97.3 | unknown
login.live.com | 40.126.31.67, 40.126.31.130, 20.190.159.129, 40.126.31.71, 40.126.31.2, 40.126.31.128, 20.190.159.68, 40.126.31.0 | whitelisted
crl.microsoft.com | 23.53.40.178, 23.53.40.176 | whitelisted
www.microsoft.com | 184.30.21.171 | whitelisted
go.microsoft.com | 23.218.210.69 | whitelisted
v10.events.data.microsoft.com | 13.89.179.8 | whitelisted

Threats

PID | Process | Class | Message
| | Possible Social Engineering Attempted | PHISHING [ANY.RUN] Suspected Phishing domain by CrossDomain ( .waiverforever .com)
| | Possible Social Engineering Attempted | PHISHING [ANY.RUN] Suspected Phishing domain by CrossDomain ( .waiverforever .com)
No debug info