Malware analysis https://track.pstmrk.it/3ts/gamma.app/JjV-/Qia9AQ/AQ/89998c6f-6f2f-48ef-988b-2c71a9f4b078/1/JFTYCTDiR- Malicious activity

Add for printing

URL:	https://track.pstmrk.it/3ts/gamma.app/JjV-/Qia9AQ/AQ/89998c6f-6f2f-48ef-988b-2c71a9f4b078/1/JFTYCTDiR-
Full analysis:	https://app.any.run/tasks/79bf097f-32f5-4a5b-a9e8-7f08e68cc4ae
Verdict:	Malicious activity
Analysis date:	May 10, 2025, 01:13:52
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	phishing
Indicators:
MD5:	6A1F7E31F3C99580ABD7AFC23BB2BC47
SHA1:	94C0F33237F563BA5B2E8EE61F5D73DC10A01111
SHA256:	DFD4DD7F6D1F280D4C17E83D6BA8ED49184BBAF6AA7E657D8D25099DB028BDE3
SSDEEP:	3:N8fv83RQE1eEV9Bd0dmIcdFqGSdyyyNv:2n8hQ1E1d0AhdF9ScyyNv

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Add for printing

MALICIOUS
- PHISHING has been detected (SURICATA)
  - msedge.exe (PID: 1396)
SUSPICIOUS
No suspicious indicators.
INFO
No info indicators.

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

152

Monitored processes

1

Malicious processes

1

Suspicious processes

0

Behavior graph

Click at the process to see the details

Process information

PID	CMD	Path	Indicators	Parent process
1396	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --webtransport-developer-mode --no-appcompat-clear --mojo-platform-channel-handle=2532 --field-trial-handle=2372,i,8504447382059928769,14367336096275567116,262144 --variations-seed-version /prefetch:3	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe		msedge.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Edge Version: 122.0.2365.59

Add for printing

Total events

0

Read events

0

Write events

0

Delete events

0

Modification events

No data

Add for printing

Executable files

3

Suspicious files

97

Text files

15

Unknown types

0

Dropped files

PID	Process	Filename		Type
1396	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State~RF1390ba.TMP		binary
		MD5:50823AF426E5FA5F5641C1004F470D3E	SHA256:599163927CC9E5640C868AEDD3B0B6EC79E6513970504124E417922D8AAAB7C3
1396	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State		binary
		MD5:3140CB797498137E330D3CAE1AD5970A	SHA256:B4C87E65FB18FF2E4028E934653089C7DE70D854E7D861D9A1063189C5212119
1396	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000bb		compressed
		MD5:10B84D6DDEFB33D0D3F0615CA3E91C5A	SHA256:C69A6E50A300D39721F9AE8FC5B40600DD90093F65E3A4650C9540C58C071144
1396	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000bf		binary
		MD5:AB632DA2E04EA311E078D0456E185873	SHA256:63E996CE464BC817E49F5116FA2A1B2A2CA25340768E92157EEE4E889C7C8A90
1396	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000bd		binary
		MD5:671E5511F5F667E1102B5C1E04D4190A	SHA256:1E654302AF010F94C994F3980F582B7748E727771C6492A7EEB14BB400D8DC2A
1396	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000c2		binary
		MD5:F6852936326156C86AD25E8848F1BE85	SHA256:E4DF300DE4AB671A293859B9795E182038CB1D7DEAB72261BA31FE298435282E
1396	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000bc		binary
		MD5:85726AA624A74BACC308034DC657365D	SHA256:971EC281939EE44AD3D78E2C21ED3005D71EDA48C4D9073784BF253A38541020
1396	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\40c41af4-436e-4b71-a113-b2fe0668baca.tmp		binary
		MD5:3140CB797498137E330D3CAE1AD5970A	SHA256:B4C87E65FB18FF2E4028E934653089C7DE70D854E7D861D9A1063189C5212119
1396	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000c5		binary
		MD5:764B65B8EAF71782F3B389974BE9EA7E	SHA256:4D127F796E8889D049DA1719E0C1EB38A5D76E1F48B785B0A2811E941490BC0C
1396	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000be		binary
		MD5:0C3E693586754A02975071A720746336	SHA256:2C608D956FB5138EF176B125E04E3E4961799E92C2928DFFCD9BA05BBF812565

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

116

TCP/UDP connections

74

DNS requests

120

Threats

11

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	302	18.221.71.19:443	https://track.pstmrk.it/3ts/gamma.app/JjV-/Qia9AQ/AQ/89998c6f-6f2f-48ef-988b-2c71a9f4b078/1/JFTYCTDiR-	unknown	—	—	—
—	—	GET	302	3.130.226.128:443	https://track.pstmrk.it/3ts/gamma.app/JjV-/Qia9AQ/AQ/89998c6f-6f2f-48ef-988b-2c71a9f4b078/1/JFTYCTDiR-	unknown	—	—	—
5484	RUXIMICS.exe	GET	200	23.48.23.143:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
3080	MoUsoCoreWorker.exe	GET	200	23.48.23.143:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
1880	svchost.exe	GET	200	23.48.23.143:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
5484	RUXIMICS.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
3080	MoUsoCoreWorker.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
1880	svchost.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	POST	200	20.190.159.4:443	https://login.live.com/RST2.srf	unknown	xml	1.24 Kb	whitelisted
—	—	POST	403	184.30.21.171:443	https://go.microsoft.com/fwlink/?LinkID=2257403&clcid=0x409	unknown	html	384 b	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	239.255.255.250:1900	—	—	—	whitelisted
5484	RUXIMICS.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
3080	MoUsoCoreWorker.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
1880	svchost.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
1396	msedge.exe	52.18.252.197:443	track.pstmrk.it	AMAZON-02	IE	shared
4940	svchost.exe	20.190.159.4:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
1396	msedge.exe	104.18.11.200:443	gamma.app	CLOUDFLARENET	—	suspicious
5484	RUXIMICS.exe	23.48.23.143:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
3080	MoUsoCoreWorker.exe	23.48.23.143:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
1880	svchost.exe	23.48.23.143:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	51.104.136.2 40.127.240.158	whitelisted
google.com	172.217.18.14	whitelisted
track.pstmrk.it	52.18.252.197 54.154.85.144 54.155.60.93	shared
login.live.com	20.190.159.4 40.126.31.130 40.126.31.0 20.190.159.68 20.190.159.128 40.126.31.71 20.190.159.130 20.190.159.71	whitelisted
gamma.app	104.18.11.200 104.18.10.200	unknown
crl.microsoft.com	23.48.23.143 23.48.23.156	whitelisted
www.microsoft.com	184.30.21.171	whitelisted
www.bing.com	2.23.227.208 2.23.227.215	whitelisted
go.microsoft.com	184.30.18.9	whitelisted
challenges.cloudflare.com	104.18.95.41 104.18.94.41	whitelisted

Threats

PID	Process	Class	Message
—	—	Possible Social Engineering Attempted	PHISHING [ANY.RUN] Suspected Phishing Gamma app
—	—	Possible Social Engineering Attempted	PHISHING [ANY.RUN] Suspected Phishing Gamma app
—	—	Not Suspicious Traffic	INFO [ANY.RUN] Cloudflare turnstile CAPTCHA challenge
—	—	Possible Social Engineering Attempted	PHISHING [ANY.RUN] Suspected Phishing Gamma app
—	—	Possible Social Engineering Attempted	PHISHING [ANY.RUN] Suspected Phishing Gamma app
—	—	Not Suspicious Traffic	INFO [ANY.RUN] Cloudflare turnstile CAPTCHA challenge
—	—	Possible Social Engineering Attempted	PHISHING [ANY.RUN] Suspected Phishing Gamma app
—	—	Possible Social Engineering Attempted	PHISHING [ANY.RUN] Suspected Phishing Gamma app
—	—	Not Suspicious Traffic	INFO [ANY.RUN] An application monitoring request to sentry .io
—	—	Not Suspicious Traffic	INFO [ANY.RUN] An application monitoring request to sentry .io

Add for printing

No debug info

General Info

https://track.pstmrk.it/3ts/gamma.app/JjV-/Qia9AQ/AQ/89998c6f-6f2f-48ef-988b-2c71a9f4b078/1/JFTYCTDiR-

6A1F7E31F3C99580ABD7AFC23BB2BC47

94C0F33237F563BA5B2E8EE61F5D73DC10A01111

DFD4DD7F6D1F280D4C17E83D6BA8ED49184BBAF6AA7E657D8D25099DB028BDE3

3:N8fv83RQE1eEV9Bd0dmIcdFqGSdyyyNv:2n8hQ1E1d0AhdF9ScyyNv

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

PHISHING has been detected (SURICATA)

SUSPICIOUS

INFO

Malware configuration

Static information

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings