URL: drmichaelgertsen.com/drmichaelgertsen/09e83hj/5plKZRPcIlvsDtnWuNQ5uzLfuTm/cmF5LnZpZW5uZWF1QG9ha3ZpbGxlLmNh?0s57db=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

Full analysis: https://app.any.run/tasks/a2bd178b-989c-4cab-bde1-577b4009b9f9
Verdict: Malicious activity
Analysis date: January 10, 2025, 19:38:45
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: phishing, storm1747, tycoon

Indicators:
MD5: 394021FF27425572F3944EFA29BBF4F2
SHA1: 30DD12DECEFA91F373CBF2E29AF57B3F21DB855D
SHA256: F17CC3D76FB6A6E718AC761F772959A3A1CBB5AC2192A536E24CC699A9103772
SSDEEP: 24:Xf1iRJ6a5NEoMe444444444xdr644H5J+CtuxKGtAL5eDQWuk44pwgsOz5IJJ6aW:P1iRVPeU5PuxKIAL5ec1ywpOsVu

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • PHISHING has been detected (SURICATA)

      • msedge.exe (PID: 7172)
  • SUSPICIOUS

    No suspicious indicators.
  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 147
Monitored processes: 1
Malicious processes: 1
Suspicious processes: 0

Behavior graph

#PHISHING msedge.exe

Process information

PID: 7172
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --webtransport-developer-mode --no-appcompat-clear --mojo-platform-channel-handle=2496 --field-trial-handle=2204,i,13280900864495260754,3672259324373187194,262144 --variations-seed-version /prefetch:3
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Indicators: PHISHING
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Edge
Version: 122.0.2365.59
Total events: 0
Read events: 0
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 0
Suspicious files: 13
Text files: 0
Unknown types: 0

Dropped files

Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 41
TCP/UDP connections: 41
DNS requests: 38
Threats: 12

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
- | - | GET | 200 | 103.83.194.55:443 | https://drmichaelgertsen.com/drmichaelgertsen/09e83hj/5plKZRPcIlvsDtnWuNQ5uzLfuTm/cmF5LnZpZW5uZWF1QG9ha3ZpbGxlLmNh?0s57db=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 | unknown | - | - | -
- | - | GET | 302 | 104.18.94.41:443 | https://challenges.cloudflare.com/turnstile/v0/api.js?render=explicit | unknown | - | - | -
- | - | GET | 302 | 104.18.94.41:443 | https://challenges.cloudflare.com/turnstile/v0/api.js?render=explicit | unknown | - | - | -
- | - | GET | 302 | 184.30.21.171:443 | https://go.microsoft.com/fwlink/?linkid=2133855&bucket=18 | unknown | - | - | -
3024 | svchost.exe | HEAD | 200 | 2.16.168.108:80 | http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/d50ccf3e-dd06-4e6f-bb20-931c8ce33527?P1=1736814451&P2=404&P3=2&P4=PL6v7T9cucAXp4hV10DLJGfUJc%2bvniauGyhhX2f9qPiz5MnB2k4eV7y0rdcy0ZlP3ppTIpcM8su2TUGnxbTO5g%3d%3d | unknown | - | - | whitelisted
- | - | GET | 302 | 104.18.94.41:443 | https://challenges.cloudflare.com/turnstile/v0/api.js?render=explicit | unknown | - | - | -
3024 | svchost.exe | GET | 206 | 2.16.168.108:80 | http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/d50ccf3e-dd06-4e6f-bb20-931c8ce33527?P1=1736814451&P2=404&P3=2&P4=PL6v7T9cucAXp4hV10DLJGfUJc%2bvniauGyhhX2f9qPiz5MnB2k4eV7y0rdcy0ZlP3ppTIpcM8su2TUGnxbTO5g%3d%3d | unknown | - | - | whitelisted
3024 | svchost.exe | GET | 206 | 2.16.168.108:80 | http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/d50ccf3e-dd06-4e6f-bb20-931c8ce33527?P1=1736814451&P2=404&P3=2&P4=PL6v7T9cucAXp4hV10DLJGfUJc%2bvniauGyhhX2f9qPiz5MnB2k4eV7y0rdcy0ZlP3ppTIpcM8su2TUGnxbTO5g%3d%3d | unknown | - | - | whitelisted
- | - | GET | 200 | 104.18.95.41:443 | https://challenges.cloudflare.com/cdn-cgi/challenge-platform/h/b/turnstile/if/ov2/av0/rcv/1a9jw/0x4AAAAAAA4xQO3i_we8Fbpp/auto/fbE/normal/auto/ | unknown | html | 26.0 Kb | whitelisted
3024 | svchost.exe | GET | 206 | 2.16.168.108:80 | http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/d50ccf3e-dd06-4e6f-bb20-931c8ce33527?P1=1736814451&P2=404&P3=2&P4=PL6v7T9cucAXp4hV10DLJGfUJc%2bvniauGyhhX2f9qPiz5MnB2k4eV7y0rdcy0ZlP3ppTIpcM8su2TUGnxbTO5g%3d%3d | unknown | - | - | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 239.255.255.250:1900 | - | - | - | whitelisted
3080 | MoUsoCoreWorker.exe | 51.124.78.146:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
6028 | svchost.exe | 51.124.78.146:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
7540 | RUXIMICS.exe | 51.124.78.146:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4668 | msedge.exe | 224.0.0.251:5353 | - | - | - | unknown
7172 | msedge.exe | 103.83.194.55:443 | drmichaelgertsen.com | HOST4GEEKS-LLC | AU | unknown
7172 | msedge.exe | 172.67.188.103:443 | 5l.trilivar.ru | - | - | unknown
7172 | msedge.exe | 104.18.94.41:443 | challenges.cloudflare.com | - | - | whitelisted
7172 | msedge.exe | 151.101.194.137:443 | code.jquery.com | FASTLY | US | whitelisted
3080 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted

DNS requests

Domain | IP | Reputation
google.com | 142.250.185.238 | whitelisted
drmichaelgertsen.com | 103.83.194.55 | unknown
5l.trilivar.ru | 172.67.188.103, 104.21.33.3 | unknown
code.jquery.com | 151.101.194.137, 151.101.66.137, 151.101.130.137, 151.101.2.137 | whitelisted
challenges.cloudflare.com | 104.18.94.41, 104.18.95.41 | whitelisted
settings-win.data.microsoft.com | 51.104.136.2, 40.127.240.158 | whitelisted
edge.microsoft.com | 13.107.21.239, 204.79.197.239 | whitelisted
xpaywalletcdn.azureedge.net | 13.107.246.45 | whitelisted
go.microsoft.com | 184.28.89.167 | whitelisted
msedge.b.tlu.dl.delivery.mp.microsoft.com | 2.16.168.108, 2.16.168.112, 217.20.57.36, 217.20.57.18, 217.20.57.19, 217.20.57.34, 84.201.210.39, 84.201.210.23, 217.20.57.20, 217.20.57.35, 23.50.131.30, 23.50.131.24 | whitelisted

Threats

PID | Process | Class | Message
- | - | Possible Social Engineering Attempted | PHISHING [ANY.RUN] Domain identified as part of Tycoon phishing service [Storm-1747] (drmichaelgertsen .com)
- | - | Possible Social Engineering Attempted | PHISHING [ANY.RUN] Domain identified as part of Tycoon phishing service [Storm-1747] (drmichaelgertsen .com)
- | - | Possible Social Engineering Attempted | PHISHING [ANY.RUN] Suspected Tycoon2FA`s Phishing-Kit domain by CrossDomain ( .trilivar .ru)
- | - | Possible Social Engineering Attempted | PHISHING [ANY.RUN] Suspected Tycoon2FA`s Phishing-Kit domain by CrossDomain ( .trilivar .ru)
- | - | Not Suspicious Traffic | INFO [ANY.RUN] jQuery JavaScript Library Code Loaded (code .jquery .com)
- | - | Not Suspicious Traffic | INFO [ANY.RUN] jQuery JavaScript Library Code Loaded (code .jquery .com)
- | - | Not Suspicious Traffic | INFO [ANY.RUN] jQuery JavaScript Library Code Loaded (code .jquery .com)
- | - | Not Suspicious Traffic | INFO [ANY.RUN] Cloudflare turnstile CAPTCHA challenge
- | - | Not Suspicious Traffic | INFO [ANY.RUN] jQuery JavaScript Library Code Loaded (code .jquery .com)
- | - | Not Suspicious Traffic | INFO [ANY.RUN] Cloudflare turnstile CAPTCHA challenge
No debug info