Malware analysis http://red.thaistellar.com/3306488CD17089759Js0tO0UE1UBr219832ca Malicious activity

Add for printing

URL:	http://red.thaistellar.com/3306488CD17089759Js0tO0UE1UBr219832ca
Full analysis:	https://app.any.run/tasks/15df0b06-4e7d-4a31-9fa5-6b1087dc0e2a
Verdict:	Malicious activity
Analysis date:	April 15, 2025, 18:42:49
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	phishing
Indicators:
MD5:	E2F9436EDF853B28A290C5A6BCD50B7D
SHA1:	CBC46DB8F20B5BE47EFA4665317A43E21C639BED
SHA256:	F7D1C5DCFC4A0B1DC20F29FA543996EADCB408C561FA9C2BB5239CA9B365E345
SSDEEP:	3:N1KMSNVJ6lFqWVRYlq:CMiozVRmq

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Add for printing

MALICIOUS
- PHISHING has been detected (SURICATA)
  - msedge.exe (PID: 1396)
SUSPICIOUS
No suspicious indicators.
INFO
No info indicators.

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

157

Monitored processes

1

Malicious processes

1

Suspicious processes

0

Behavior graph

Click at the process to see the details

Process information

PID	CMD	Path	Indicators	Parent process
1396	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --webtransport-developer-mode --no-appcompat-clear --mojo-platform-channel-handle=2532 --field-trial-handle=2372,i,8504447382059928769,14367336096275567116,262144 --variations-seed-version /prefetch:3	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe		msedge.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Edge Version: 122.0.2365.59

Add for printing

Total events

0

Read events

0

Write events

0

Delete events

0

Modification events

No data

Add for printing

Executable files

7

Suspicious files

90

Text files

43

Unknown types

4

Dropped files

PID	Process	Filename		Type
1396	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000bc		binary
		MD5:2356652EC28DAF79B1AC683D674BEA10	SHA256:3518D517E6C11230F28CE10B26BBB4E1D9DED21F23E19F0E2C4334D6F752C83D
1396	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000c0		binary
		MD5:9A01B69183A9604AB3A439E388B30501	SHA256:20B535FA80C8189E3B87D1803038389960203A886D502BC2EF1857AFFC2F38D2
1396	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000c3		text
		MD5:8721CD8BD8ECA1D76EF01462F04D5443	SHA256:1C8C049F5DDC929EDEC2FFF085D1C98EBD13E2E2FDDAC3E8579E2D4B7BBCEECC
1396	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000c6		binary
		MD5:163A4C0927F7ECDE46318DDF4E1D2D20	SHA256:8B72ED7BFBCDEA73A308ADE5E2E0167F7F05DEE7EE0DD2015D9962777B9A1C0F
1396	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000c7		image
		MD5:0AAC780DAE5B1B76E83CF5C1AD36102B	SHA256:BFC6BAD34423B057690A151B045E1535B372CE27C9667C6FF64547EE0C9ED890
1396	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000be		compressed
		MD5:44E7153330CBCF289ED95CEAF4AB741B	SHA256:F63B77FE506390B10C63FBE6914E7E88CF81CD729CC3CFEAD69022DEDC5BA6B9
1396	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000bf		binary
		MD5:CC1E5EDA776BE5F0FF614285C31D4892	SHA256:476ADF42B40325098FCFA8B36AB3E769186BB4F6CE6A249753E2E1A9C22BF99E
1396	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000ca		image
		MD5:EF2C9C1C6DE95708392ECD97EFBF8A5C	SHA256:60E3759F1F9B789EC817CE5D928F33CB09A0D7D1B3377720A0F00435E521FF35
1396	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000c2		text
		MD5:A32652CBB2387BE0D09C41F2A8854B8D	SHA256:E46BD34E1847758E5A865F16988FFE85076B894580FAB20E733ACC595EADF88A
1396	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000c4		image
		MD5:4ED7232C7412C89D616A04F01F899340	SHA256:D14E77620E05E36AFB8CE5F06C09992B162BEB326CE6D5C026D8A03DFB2DDCD5

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

263

TCP/UDP connections

173

DNS requests

195

Threats

31

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
1396	msedge.exe	GET	302	134.195.88.184:80	http://red.thaistellar.com/3306488CD17089759Js0tO0UE1UBr219832ca	unknown	—	—	—
3080	MoUsoCoreWorker.exe	GET	200	2.16.241.12:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
4504	RUXIMICS.exe	GET	200	2.16.241.12:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
3484	svchost.exe	GET	200	2.16.241.12:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
—	—	GET	200	172.67.131.75:443	https://direct-meds.com/dm-wl-us-100-otd/css/style.css	unknown	—	—	—
4504	RUXIMICS.exe	GET	200	23.219.150.101:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
3484	svchost.exe	GET	200	23.219.150.101:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	GET	302	34.49.216.119:443	https://www.cpqpm8trk.com/3J67C/2CTPL1/?sub1=4ae4fcc33d03490d9447e48cfc54cca2&sub2=65	unknown	html	166 b	—
—	—	POST	200	20.190.159.64:443	https://login.live.com/ppsecure/deviceaddcredential.srf	unknown	text	16.7 Kb	whitelisted
—	—	GET	200	172.67.131.75:443	https://direct-meds.com/dm-wl-us-100-otd/index-vsl.php?uid=6&oid=10&affid=67&source_id=65&sub5=b769384c7ee1462f9a9f4725a3654bdd	unknown	html	96.5 Kb	—

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4504	RUXIMICS.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	239.255.255.250:1900	—	—	—	whitelisted
3080	MoUsoCoreWorker.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
3484	svchost.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
1396	msedge.exe	2.19.96.130:443	www.bing.com	Akamai International B.V.	DE	whitelisted
1396	msedge.exe	134.195.88.184:80	red.thaistellar.com	HOSTHATCH	US	unknown
1396	msedge.exe	34.120.99.223:443	www.anlo8y4ntwtrk.com	GOOGLE-CLOUD-PLATFORM	US	unknown
4404	svchost.exe	20.190.159.71:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
1396	msedge.exe	34.49.216.119:443	www.cpqpm8trk.com	GOOGLE-CLOUD-PLATFORM	US	unknown
1396	msedge.exe	172.67.131.75:443	direct-meds.com	CLOUDFLARENET	US	unknown

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	51.104.136.2	whitelisted
google.com	142.250.184.206	whitelisted
www.bing.com	2.19.96.130 2.19.96.80 2.19.96.8 2.19.96.128 2.19.96.11 2.19.96.35 2.19.96.16 2.19.96.26 2.19.96.129 2.16.204.137 2.16.204.160 2.16.204.153 2.16.204.157 2.16.204.136 2.16.204.152 2.16.204.151 2.16.204.135 2.16.204.159 2.16.241.201 2.16.241.218 2.16.241.205 2.16.241.207	whitelisted
red.thaistellar.com	134.195.88.184	unknown
www.anlo8y4ntwtrk.com	34.120.99.223	unknown
login.live.com	20.190.159.71 20.190.159.4 40.126.31.128 20.190.159.23 20.190.159.64 20.190.159.68 20.190.159.73 40.126.31.69	whitelisted
www.cpqpm8trk.com	34.49.216.119	unknown
direct-meds.com	172.67.131.75 104.21.10.96	unknown
crl.microsoft.com	2.16.241.12 2.16.241.19 23.48.23.180 23.48.23.141 23.48.23.190 23.48.23.166 23.48.23.147 23.48.23.143 23.48.23.193 23.48.23.177 23.48.23.173	whitelisted
www.microsoft.com	23.219.150.101 2.16.253.202	whitelisted

Threats

PID	Process	Class	Message
—	—	Possible Social Engineering Attempted	PHISHING [ANY.RUN] Suspected Phishing domain by CrossDomain ( .cpqpm8trk .com)
—	—	Possible Social Engineering Attempted	PHISHING [ANY.RUN] Suspected Phishing domain by CrossDomain ( .cpqpm8trk .com)
—	—	Not Suspicious Traffic	INFO [ANY.RUN] Requests to a free CDN for open source projects (jsdelivr .net)
—	—	Not Suspicious Traffic	INFO [ANY.RUN] Requests to a free CDN for open source projects (jsdelivr .net)
—	—	Possible Social Engineering Attempted	PHISHING [ANY.RUN] Suspected Phishing domain by CrossDomain ( .s83hzm3ak .com)
—	—	Possible Social Engineering Attempted	PHISHING [ANY.RUN] Suspected Phishing domain by CrossDomain ( .s83hzm3ak .com)
—	—	Not Suspicious Traffic	INFO [ANY.RUN] Cloud-Hosted Matomo Analytics (matomo .cloud)
—	—	Not Suspicious Traffic	INFO [ANY.RUN] Cloud-Hosted Matomo Analytics (matomo .cloud)
—	—	Not Suspicious Traffic	INFO [ANY.RUN] Requests to a free CDN for open source projects (jsdelivr .net)
—	—	Not Suspicious Traffic	INFO [ANY.RUN] Requests to a free CDN for open source projects (jsdelivr .net)

Add for printing

No debug info

General Info

http://red.thaistellar.com/3306488CD17089759Js0tO0UE1UBr219832ca

E2F9436EDF853B28A290C5A6BCD50B7D

CBC46DB8F20B5BE47EFA4665317A43E21C639BED

F7D1C5DCFC4A0B1DC20F29FA543996EADCB408C561FA9C2BB5239CA9B365E345

3:N1KMSNVJ6lFqWVRYlq:CMiozVRmq

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

PHISHING has been detected (SURICATA)

SUSPICIOUS

INFO

Malware configuration

Static information

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings