URL: | drmichaelgertsen.com/drmichaelgertsen/09e83hj/5plKZRPcIlvsDtnWuNQ5uzLfuTm/cmF5LnZpZW5uZWF1QG9ha3ZpbGxlLmNh?0s57db=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 |
Full analysis: | https://app.any.run/tasks/a2bd178b-989c-4cab-bde1-577b4009b9f9 |
Verdict: | Malicious activity |
Analysis date: | January 10, 2025, 19:38:45 |
OS: | Windows 10 Professional (build: 19045, 64 bit) |
Tags: | |
Indicators: | |
MD5: | 394021FF27425572F3944EFA29BBF4F2 |
SHA1: | 30DD12DECEFA91F373CBF2E29AF57B3F21DB855D |
SHA256: | F17CC3D76FB6A6E718AC761F772959A3A1CBB5AC2192A536E24CC699A9103772 |
SSDEEP: | 24:Xf1iRJ6a5NEoMe444444444xdr644H5J+CtuxKGtAL5eDQWuk44pwgsOz5IJJ6aW:P1iRVPeU5PuxKIAL5ec1ywpOsVu |
PID | CMD | Path | Indicators | Parent process
---|---|---|---|---
7172 | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --webtransport-developer-mode --no-appcompat-clear --mojo-platform-channel-handle=2496 --field-trial-handle=2204,i,13280900864495260754,3672259324373187194,262144 --variations-seed-version /prefetch:3 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | — | msedge.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Edge Version: 122.0.2365.59 |
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
7172 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000fd | binary | D17B5A55EC9D8608C1D2B531CCB6DE88 | DC2A3600C7CDFAEA40DB03757D6915D67518215DB51397C8A5BB3F132AE89A49
7172 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\25b7e88f-bb6b-47b6-b2ea-b606da572136.tmp | binary | 464A5309265B2BAC5203A99AA0486419 | 58F8BD7A295CD5D725118C07BC4F8DAADB25E2FAB4E469A801B23C8C4F9F50E3
7172 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\TransportSecurity | binary | 464A5309265B2BAC5203A99AA0486419 | 58F8BD7A295CD5D725118C07BC4F8DAADB25E2FAB4E469A801B23C8C4F9F50E3
7172 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000fb | compressed | CA6E0DCAF6FE11E3B4D4D299ECBAB7A6 | F4A93CF3834C5F3BBBAB2BA619425FB1415050A847F5BC12CD6B0BAB5E68074E
7172 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000fc | compressed | CA6E0DCAF6FE11E3B4D4D299ECBAB7A6 | F4A93CF3834C5F3BBBAB2BA619425FB1415050A847F5BC12CD6B0BAB5E68074E
7172 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State | binary | D27298C8FB0CF16218D25D457947B02E | 2C3438C43C011F4911E8D5714A1B80BC51C6FB1AE09EDC51180EAD8FE8C8B4E5
7172 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\8c0dba64-d35e-4f6c-b7a1-0c2a84a36e41.tmp | binary | D27298C8FB0CF16218D25D457947B02E | 2C3438C43C011F4911E8D5714A1B80BC51C6FB1AE09EDC51180EAD8FE8C8B4E5
7172 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\2a7b0fb7-0160-45b3-9fac-743d17bb12ee.tmp | binary | AE3CFB423BD8CD93A2B0C7925501B3F2 | 6051C4A88DBFE6655C3AC964A6904B87854C252D8D83458C1107253CD3A5EE80
7172 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000fe | binary | 311F1298863858C8334BD7A8A0E34014 | 846351F83ED17838A1DE223EAD4E9900D1E127B3243695DAF5A4988E965C44CC
7172 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\TransportSecurity~RF296c6e.TMP | binary | D2615E0C4F6C46045EDB3EAA0ACE252A | 48EFA073914F67BCCE305DECBC121BE7FA6D343982BE00A666B4C5FB6A30A7A9
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
— | — | GET | 200 | 103.83.194.55:443 | https://drmichaelgertsen.com/drmichaelgertsen/09e83hj/5plKZRPcIlvsDtnWuNQ5uzLfuTm/cmF5LnZpZW5uZWF1QG9ha3ZpbGxlLmNh?0s57db=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 | unknown | — | — | — |
— | — | GET | 302 | 104.18.94.41:443 | https://challenges.cloudflare.com/turnstile/v0/api.js?render=explicit | unknown | — | — | — |
— | — | GET | 302 | 104.18.94.41:443 | https://challenges.cloudflare.com/turnstile/v0/api.js?render=explicit | unknown | — | — | — |
— | — | GET | 302 | 184.30.21.171:443 | https://go.microsoft.com/fwlink/?linkid=2133855&bucket=18 | unknown | — | — | — |
3024 | svchost.exe | HEAD | 200 | 2.16.168.108:80 | http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/d50ccf3e-dd06-4e6f-bb20-931c8ce33527?P1=1736814451&P2=404&P3=2&P4=PL6v7T9cucAXp4hV10DLJGfUJc%2bvniauGyhhX2f9qPiz5MnB2k4eV7y0rdcy0ZlP3ppTIpcM8su2TUGnxbTO5g%3d%3d | unknown | — | — | whitelisted |
— | — | GET | 302 | 104.18.94.41:443 | https://challenges.cloudflare.com/turnstile/v0/api.js?render=explicit | unknown | — | — | — |
3024 | svchost.exe | GET | 206 | 2.16.168.108:80 | http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/d50ccf3e-dd06-4e6f-bb20-931c8ce33527?P1=1736814451&P2=404&P3=2&P4=PL6v7T9cucAXp4hV10DLJGfUJc%2bvniauGyhhX2f9qPiz5MnB2k4eV7y0rdcy0ZlP3ppTIpcM8su2TUGnxbTO5g%3d%3d | unknown | — | — | whitelisted |
3024 | svchost.exe | GET | 206 | 2.16.168.108:80 | http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/d50ccf3e-dd06-4e6f-bb20-931c8ce33527?P1=1736814451&P2=404&P3=2&P4=PL6v7T9cucAXp4hV10DLJGfUJc%2bvniauGyhhX2f9qPiz5MnB2k4eV7y0rdcy0ZlP3ppTIpcM8su2TUGnxbTO5g%3d%3d | unknown | — | — | whitelisted |
— | — | GET | 200 | 104.18.95.41:443 | https://challenges.cloudflare.com/cdn-cgi/challenge-platform/h/b/turnstile/if/ov2/av0/rcv/1a9jw/0x4AAAAAAA4xQO3i_we8Fbpp/auto/fbE/normal/auto/ | unknown | html | 26.0 Kb | whitelisted |
3024 | svchost.exe | GET | 206 | 2.16.168.108:80 | http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/d50ccf3e-dd06-4e6f-bb20-931c8ce33527?P1=1736814451&P2=404&P3=2&P4=PL6v7T9cucAXp4hV10DLJGfUJc%2bvniauGyhhX2f9qPiz5MnB2k4eV7y0rdcy0ZlP3ppTIpcM8su2TUGnxbTO5g%3d%3d | unknown | — | — | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
— | — | 239.255.255.250:1900 | — | — | — | whitelisted |
3080 | MoUsoCoreWorker.exe | 51.124.78.146:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
6028 | svchost.exe | 51.124.78.146:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
7540 | RUXIMICS.exe | 51.124.78.146:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
4668 | msedge.exe | 224.0.0.251:5353 | — | — | — | unknown |
7172 | msedge.exe | 103.83.194.55:443 | drmichaelgertsen.com | HOST4GEEKS-LLC | AU | unknown |
7172 | msedge.exe | 172.67.188.103:443 | 5l.trilivar.ru | — | — | unknown |
7172 | msedge.exe | 104.18.94.41:443 | challenges.cloudflare.com | — | — | whitelisted |
7172 | msedge.exe | 151.101.194.137:443 | code.jquery.com | FASTLY | US | whitelisted |
3080 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
Domain | IP | Reputation
---|---|---
google.com | — | whitelisted
drmichaelgertsen.com | — | unknown
5l.trilivar.ru | — | unknown
code.jquery.com | — | whitelisted
challenges.cloudflare.com | — | whitelisted
settings-win.data.microsoft.com | — | whitelisted
edge.microsoft.com | — | whitelisted
xpaywalletcdn.azureedge.net | — | whitelisted
go.microsoft.com | — | whitelisted
msedge.b.tlu.dl.delivery.mp.microsoft.com | — | whitelisted
PID | Process | Class | Message |
---|---|---|---|
— | — | Possible Social Engineering Attempted | PHISHING [ANY.RUN] Domain identified as part of Tycoon phishing service [Storm-1747] (drmichaelgertsen .com) |
— | — | Possible Social Engineering Attempted | PHISHING [ANY.RUN] Domain identified as part of Tycoon phishing service [Storm-1747] (drmichaelgertsen .com) |
— | — | Possible Social Engineering Attempted | PHISHING [ANY.RUN] Suspected Tycoon2FA`s Phishing-Kit domain by CrossDomain ( .trilivar .ru) |
— | — | Possible Social Engineering Attempted | PHISHING [ANY.RUN] Suspected Tycoon2FA`s Phishing-Kit domain by CrossDomain ( .trilivar .ru) |
— | — | Not Suspicious Traffic | INFO [ANY.RUN] jQuery JavaScript Library Code Loaded (code .jquery .com) |
— | — | Not Suspicious Traffic | INFO [ANY.RUN] jQuery JavaScript Library Code Loaded (code .jquery .com) |
— | — | Not Suspicious Traffic | INFO [ANY.RUN] jQuery JavaScript Library Code Loaded (code .jquery .com) |
— | — | Not Suspicious Traffic | INFO [ANY.RUN] Cloudflare turnstile CAPTCHA challenge |
— | — | Not Suspicious Traffic | INFO [ANY.RUN] jQuery JavaScript Library Code Loaded (code .jquery .com) |
— | — | Not Suspicious Traffic | INFO [ANY.RUN] Cloudflare turnstile CAPTCHA challenge |
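The lure URL in this report has the shape Tycoon 2FA links usually take: a random host path, two random tokens, then a segment that is the target's e-mail address in base64 (the kit uses it to pre-fill the username on the fake sign-in page), followed by a random query parameter. The script below is an added triage example and is not part of the ANY.RUN report: it pulls any base64 path segment that decodes to an e-mail address out of a list of URLs (proxy log, mail gateway click log), so an analyst can see who was targeted without opening the link. The sample URLs are constructed: the first reuses the report's domain and random segments but replaces the encoded address with a placeholder, and the e-mail addresses, the `example.invalid` host and the query tokens are all made up for the example.

```python
import base64
import binascii
import re
from urllib.parse import unquote, urlsplit

# Constructed sample input (not the report's own URL): the first entry has the
# same structure as the lure above, with the encoded address replaced by a
# placeholder for user@example.com. The other entries are made up.
SAMPLE_URLS = [
    "https://drmichaelgertsen.com/drmichaelgertsen/09e83hj/5plKZRPcIlvsDtnWuNQ5uzLfuTm/"
    "dXNlckBleGFtcGxlLmNvbQ==?0s57db=abc",
    # urlsafe alphabet with the '=' padding stripped, as kits often emit in paths
    "https://example.invalid/a/b/c/Zmlyc3QubGFzdEBleGFtcGxlLm9yZw?x=1",
    # benign URLs from the same capture: no embedded address
    "https://challenges.cloudflare.com/turnstile/v0/api.js?render=explicit",
    "https://code.jquery.com/jquery-3.6.0.min.js",
]

# Loose e-mail shape; good enough to distinguish an address from random bytes.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")
# Candidate segment: base64 or urlsafe-base64 alphabet, at least 8 chars.
B64_SEG_RE = re.compile(r"^[A-Za-z0-9+/_-]{8,}={0,2}$")


def decode_b64_lenient(seg):
    """Decode a base64 or urlsafe-base64 segment, restoring stripped padding.

    urlsafe_b64decode maps '-'/'_' to '+'/'/' and leaves '+'/'/' alone, so one
    call handles both alphabets. Returns the decoded text, or None if the
    segment is not valid base64 or does not decode to UTF-8.
    """
    padded = seg + "=" * (-len(seg) % 4)
    try:
        return base64.urlsafe_b64decode(padded).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def embedded_email(url):
    """Return the e-mail address hidden in a base64 path segment of url, or None."""
    # unquote so %3D padding inside the path is handled like a literal '='
    path = unquote(urlsplit(url).path)
    for seg in path.split("/"):
        if not B64_SEG_RE.match(seg):
            continue
        text = decode_b64_lenient(seg)
        if text and EMAIL_RE.match(text):
            return text
    return None


def triage(urls):
    """Return [(url, email)] for every URL that carries a personalised segment."""
    hits = []
    for u in urls:
        addr = embedded_email(u)
        if addr:
            hits.append((u, addr))
    return hits


if __name__ == "__main__":
    for u, addr in triage(SAMPLE_URLS):
        print(f"{addr}\t{urlsplit(u).netloc}")
```

Random path tokens such as `5plKZRPcIlvsDtnWuNQ5uzLfuTm` also match the base64 alphabet, which is why the check decodes every candidate and then applies the e-mail pattern rather than flagging on alphabet alone; a segment that is not valid base64, or decodes to bytes that are not UTF-8, is skipped. Feeding the report's actual URL to `embedded_email` gives the address of the person this lure was sent to, which is the first thing to pull from a Tycoon 2FA sample when deciding whose session tokens to revoke.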