URL:

kmspico.io

Full analysis: https://app.any.run/tasks/20fec74e-f052-4347-98ab-839f367863f7
Verdict: Malicious activity
Threats:

Lumma is an information stealer, developed using the C programming language. It is offered for sale as a malware-as-a-service, with several plans available. It usually targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malicious software regularly gets updates that improve and expand its functionality, making it a serious stealer threat.

Malware Trends Tracker     >>>
Analysis date: January 15, 2025, 04:44:03
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
discord
lumma
stealer
Indicators:
MD5:

CDFA9B3709EE060A4BECE6FCCC5A9F66

SHA1:

AD8ECBEB0C58236D94E85BE6FA7644647D2A87BD

SHA256:

AA0CFEA953F3EE084C0F287C2D06EF13DA9AC1CDF98A6F3493319852D95376DC

SSDEEP:

3:/G0n:x

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Connects to the CnC server

      • msedge.exe (PID: 6608)

    • Executing a file with an untrusted certificate

      • KMSpico.exe (PID: 936)
      • core.exe (PID: 7956)
      • KMSELDI.exe (PID: 3188)
      • AutoPico.exe (PID: 8180)

    • Steals credentials from Web Browsers

      • core.exe (PID: 7956)

    • LUMMA mutex has been found

      • core.exe (PID: 7956)

    • Actions looks like stealing of personal data

      • core.exe (PID: 7956)

    • Bypass execution policy to execute commands

      • powershell.exe (PID: 7360)

    • Changes powershell execution policy (Bypass)

      • core.exe (PID: 7956)

    • Uses Task Scheduler to run other applications

      • cmd.exe (PID: 3608)

    • Changes image file execution options

      • KMSELDI.exe (PID: 3188)

    • Uses WMIC.EXE to add exclusions to the Windows Defender

      • cmd.exe (PID: 3840)

    • Starts NET.EXE for service management

      • cmd.exe (PID: 3840)
      • net.exe (PID: 7796)
      • net.exe (PID: 3888)

  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • WinRAR.exe (PID: 848)
      • KMSpico.tmp (PID: 7980)
      • KMSpico.tmp (PID: 5392)
      • WinRAR.exe (PID: 1868)

    • Executable content was dropped or overwritten

      • KMSpico.exe (PID: 8068)
      • KMSpico.tmp (PID: 7980)
      • KMSpico.exe (PID: 7920)
      • KMSpico.exe (PID: 936)
      • KMSpico.tmp (PID: 2672)
      • KMSELDI.exe (PID: 3188)
      • powershell.exe (PID: 8004)
      • csc.exe (PID: 4968)

    • Reads the Windows owner or organization settings

      • KMSpico.tmp (PID: 7980)
      • KMSpico.tmp (PID: 2672)

    • Process drops legitimate windows executable

      • KMSpico.tmp (PID: 2672)

    • Starts POWERSHELL.EXE for commands execution

      • core.exe (PID: 7956)
      • cmd.exe (PID: 7980)
      • cmd.exe (PID: 3840)

    • The process executes Powershell scripts

      • core.exe (PID: 7956)

    • Starts CMD.EXE for commands execution

      • KMSpico.tmp (PID: 2672)
      • WinRAR.exe (PID: 1868)
      • cmd.exe (PID: 7980)
      • cscript.exe (PID: 4804)
      • cmd.exe (PID: 3840)

    • Executing commands from ".cmd" file

      • KMSpico.tmp (PID: 2672)
      • WinRAR.exe (PID: 1868)
      • cscript.exe (PID: 4804)

    • Creates a new Windows service

      • sc.exe (PID: 7204)

    • Starts SC.EXE for service management

      • cmd.exe (PID: 7164)
      • cmd.exe (PID: 3840)

    • Modifies the phishing filter of IE

      • KMSpico.tmp (PID: 2672)

    • Uses WMIC.EXE to obtain computer system information

      • cmd.exe (PID: 3724)
      • cmd.exe (PID: 1796)

    • Using 'findstr.exe' to search for text patterns in files and output

      • cmd.exe (PID: 7980)
      • cmd.exe (PID: 3840)
      • cmd.exe (PID: 7668)

    • The process bypasses the loading of PowerShell profile settings

      • cmd.exe (PID: 7980)
      • cmd.exe (PID: 3840)

    • Executes script without checking the security policy

      • powershell.exe (PID: 8140)
      • powershell.exe (PID: 188)
      • powershell.exe (PID: 540)
      • powershell.exe (PID: 8004)
      • powershell.exe (PID: 1684)

    • Application launched itself

      • cmd.exe (PID: 7980)
      • cmd.exe (PID: 3840)

    • Uses RUNDLL32.EXE to load library

      • cscript.exe (PID: 4804)

    • Runs shell command (SCRIPT)

      • cscript.exe (PID: 4804)

    • Hides command output

      • cmd.exe (PID: 3724)
      • cmd.exe (PID: 7532)
      • cmd.exe (PID: 6068)
      • cmd.exe (PID: 3820)
      • cmd.exe (PID: 7176)
      • cmd.exe (PID: 7760)
      • cmd.exe (PID: 5616)
      • cmd.exe (PID: 7132)
      • cmd.exe (PID: 3420)
      • cmd.exe (PID: 7324)
      • cmd.exe (PID: 6932)
      • cmd.exe (PID: 2800)
      • cmd.exe (PID: 7764)

    • Windows service management via SC.EXE

      • sc.exe (PID: 4384)
      • sc.exe (PID: 7632)
      • sc.exe (PID: 3984)
      • sc.exe (PID: 7952)
      • sc.exe (PID: 6512)

    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 3840)

    • Uses sleep to delay execution (POWERSHELL)

      • powershell.exe (PID: 8004)

    • Gets content of a file (POWERSHELL)

      • powershell.exe (PID: 8004)

    • Probably obfuscated PowerShell command line is found

      • cmd.exe (PID: 3840)

    • Possibly malicious use of IEX has been detected

      • cmd.exe (PID: 3840)

    • Uses WMIC.EXE to obtain Windows Installer data

      • cmd.exe (PID: 3420)
      • cmd.exe (PID: 3840)
      • cmd.exe (PID: 4128)
      • cmd.exe (PID: 5392)
      • cmd.exe (PID: 8156)
      • cmd.exe (PID: 7088)
      • cmd.exe (PID: 3140)
      • cmd.exe (PID: 7764)
      • cmd.exe (PID: 7788)

    • Uses base64 encoding (POWERSHELL)

      • powershell.exe (PID: 8004)

    • CSC.EXE is used to compile C# code

      • csc.exe (PID: 4968)

    • Uses WMIC.EXE to obtain service application data

      • cmd.exe (PID: 2408)
      • cmd.exe (PID: 3840)

    • Lists all scheduled tasks

      • schtasks.exe (PID: 6368)

  • INFO

    • Checks supported languages

      • identity_helper.exe (PID: 7992)
      • KMSpico.exe (PID: 8068)
      • KMSpico.tmp (PID: 7980)
      • KMSpico.exe (PID: 936)
      • KMSpico.tmp (PID: 5392)
      • KMSpico.exe (PID: 7920)
      • KMSpico.tmp (PID: 2672)
      • core.exe (PID: 7956)
      • AutoPico.exe (PID: 8180)
      • KMSELDI.exe (PID: 3188)
      • UninsHs.exe (PID: 3260)
      • SECOH-QAD.exe (PID: 7900)
      • mode.com (PID: 7920)
      • mode.com (PID: 7380)
      • mode.com (PID: 5872)
      • csc.exe (PID: 4968)

    • Reads Environment values

      • identity_helper.exe (PID: 7992)
      • KMSELDI.exe (PID: 3188)

    • Reads the computer name

      • identity_helper.exe (PID: 7992)
      • KMSpico.tmp (PID: 7980)
      • KMSpico.tmp (PID: 5392)
      • KMSpico.tmp (PID: 2672)
      • core.exe (PID: 7956)
      • KMSELDI.exe (PID: 3188)
      • AutoPico.exe (PID: 8180)

    • The process uses the downloaded file

      • WinRAR.exe (PID: 848)
      • msedge.exe (PID: 7936)
      • msedge.exe (PID: 3736)
      • msedge.exe (PID: 6240)
      • KMSpico.tmp (PID: 7980)
      • msedge.exe (PID: 2736)
      • WinRAR.exe (PID: 1868)

    • Reads Microsoft Office registry keys

      • msedge.exe (PID: 6240)
      • AutoPico.exe (PID: 8180)
      • reg.exe (PID: 6196)
      • reg.exe (PID: 7072)
      • reg.exe (PID: 4020)
      • reg.exe (PID: 5876)
      • reg.exe (PID: 6156)
      • reg.exe (PID: 8060)
      • reg.exe (PID: 7332)
      • reg.exe (PID: 3824)
      • reg.exe (PID: 3260)
      • reg.exe (PID: 8172)
      • reg.exe (PID: 2976)
      • reg.exe (PID: 7604)
      • reg.exe (PID: 6892)
      • reg.exe (PID: 7148)
      • reg.exe (PID: 3744)
      • reg.exe (PID: 2260)
      • reg.exe (PID: 3584)
      • reg.exe (PID: 4308)
      • reg.exe (PID: 5308)
      • reg.exe (PID: 8004)
      • reg.exe (PID: 624)
      • reg.exe (PID: 4392)
      • reg.exe (PID: 7844)
      • reg.exe (PID: 5564)
      • reg.exe (PID: 7336)

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 848)
      • msedge.exe (PID: 7184)

    • Create files in a temporary directory

      • KMSpico.exe (PID: 8068)
      • KMSpico.tmp (PID: 7980)
      • KMSpico.exe (PID: 7920)
      • KMSpico.exe (PID: 936)
      • KMSpico.tmp (PID: 2672)
      • core.exe (PID: 7956)

    • Application launched itself

      • msedge.exe (PID: 6240)

    • Creates files or folders in the user directory

      • KMSpico.tmp (PID: 7980)

    • Creates a software uninstall entry

      • KMSpico.tmp (PID: 7980)
      • KMSpico.tmp (PID: 2672)

    • Process checks computer location settings

      • KMSpico.tmp (PID: 7980)
      • KMSpico.tmp (PID: 5392)

    • The sample compiled with english language support

      • KMSpico.tmp (PID: 2672)
      • msedge.exe (PID: 7184)

    • Creates files in the program directory

      • KMSpico.tmp (PID: 2672)
      • KMSELDI.exe (PID: 3188)

    • Reads the software policy settings

      • core.exe (PID: 7956)

    • Reads product name

      • KMSELDI.exe (PID: 3188)

    • Reads the machine GUID from the registry

      • KMSELDI.exe (PID: 3188)
      • csc.exe (PID: 4968)

    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 7360)

    • Local mutex for internet shortcut management

      • WinRAR.exe (PID: 1868)

    • Checks proxy server information

      • WinRAR.exe (PID: 1868)

    • Reads security settings of Internet Explorer

      • cscript.exe (PID: 4804)
      • WMIC.exe (PID: 5580)
      • WMIC.exe (PID: 4520)
      • WMIC.exe (PID: 1348)
      • WMIC.exe (PID: 1476)
      • WMIC.exe (PID: 5308)
      • WMIC.exe (PID: 540)
      • WMIC.exe (PID: 7724)
      • WMIC.exe (PID: 2392)
      • WMIC.exe (PID: 3656)
      • WMIC.exe (PID: 7496)
      • WMIC.exe (PID: 3080)
      • WMIC.exe (PID: 3124)
      • WMIC.exe (PID: 5872)
      • WMIC.exe (PID: 5592)
      • WMIC.exe (PID: 2796)
      • WMIC.exe (PID: 1296)
      • WMIC.exe (PID: 6728)
      • WMIC.exe (PID: 6904)
      • WMIC.exe (PID: 7832)
      • WMIC.exe (PID: 7380)
      • WMIC.exe (PID: 1220)
      • WMIC.exe (PID: 6360)
      • WMIC.exe (PID: 7348)
      • WMIC.exe (PID: 6152)
      • WMIC.exe (PID: 1804)
      • WMIC.exe (PID: 5880)
      • WMIC.exe (PID: 4576)
      • WMIC.exe (PID: 6748)
      • WMIC.exe (PID: 5740)
      • WMIC.exe (PID: 6744)
      • WMIC.exe (PID: 5916)

    • Checks operating system version

      • cmd.exe (PID: 3840)

    • Starts MODE.COM to configure console settings

      • mode.com (PID: 7920)
      • mode.com (PID: 7380)
      • mode.com (PID: 5872)

    • Gets a random number, or selects objects randomly from a collection (POWERSHELL)

      • powershell.exe (PID: 8004)

    • Converts byte array into ASCII string (POWERSHELL)

      • powershell.exe (PID: 8004)

    • Checks whether the specified file exists (POWERSHELL)

      • powershell.exe (PID: 8004)

    • Gets the hash of the file via CERTUTIL.EXE

      • certutil.exe (PID: 4576)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
665
Monitored processes
524
Malicious processes
15
Suspicious processes
3

Behavior graph

Click at the process to see the details
start msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs identity_helper.exe no specs identity_helper.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs winrar.exe kmspico.exe kmspico.tmp kmspico.exe kmspico.tmp no specs kmspico.exe #LUMMA core.exe kmspico.tmp msedge.exe no specs msedge.exe no specs msedge.exe no specs svchost.exe powershell.exe no specs conhost.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs cmd.exe no specs cmd.exe no specs uninshs.exe no specs conhost.exe no specs conhost.exe no specs kmseldi.exe sc.exe no specs schtasks.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs autopico.exe msedge.exe no specs secoh-qad.exe no specs sppextcomobj.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs winrar.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs findstr.exe no specs reg.exe no specs find.exe no specs cmd.exe no specs find.exe no specs wmic.exe no specs powershell.exe no specs find.exe no specs reg.exe no specs cscript.exe no specs rundll32.exe no specs cmd.exe conhost.exe no specs cmd.exe no specs findstr.exe no specs reg.exe no specs find.exe no specs cmd.exe no specs find.exe no specs wmic.exe no specs powershell.exe no specs find.exe no specs reg.exe no specs cmd.exe no specs reg.exe no specs cmd.exe no specs cmd.exe no specs reg.exe no specs reg.exe no specs find.exe no specs reg.exe no specs find.exe no specs reg.exe no specs find.exe no specs cmd.exe no specs sc.exe no specs cmd.exe no specs reg.exe no specs mode.com no specs reg.exe no specs reg.exe no specs findstr.exe no specs findstr.exe no specs find.exe no specs reg.exe no specs findstr.exe no specs findstr.exe no specs find.exe no specs reg.exe no specs findstr.exe no specs findstr.exe no specs find.exe no specs reg.exe no specs findstr.exe no specs findstr.exe no specs find.exe no specs reg.exe no specs findstr.exe no specs find.exe no specs reg.exe no specs findstr.exe no specs find.exe no specs reg.exe no specs findstr.exe no specs find.exe no specs reg.exe no specs findstr.exe no specs find.exe no specs cmd.exe no specs choice.exe no specs msedge.exe no specs mode.com no specs reg.exe no specs reg.exe no specs findstr.exe no specs findstr.exe no specs find.exe no specs reg.exe no specs findstr.exe no specs findstr.exe no specs find.exe no specs reg.exe no specs findstr.exe no specs findstr.exe no specs find.exe no specs reg.exe no specs findstr.exe no specs findstr.exe no specs find.exe no specs reg.exe no specs findstr.exe no specs find.exe no specs reg.exe no specs findstr.exe no specs find.exe no specs reg.exe no specs findstr.exe no specs find.exe no specs reg.exe no specs findstr.exe no specs find.exe no specs choice.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs mode.com no specs reg.exe no specs reg.exe no specs findstr.exe no specs findstr.exe no specs find.exe no specs reg.exe no specs findstr.exe no specs findstr.exe no specs find.exe no specs reg.exe no specs findstr.exe no specs findstr.exe no specs find.exe no specs reg.exe no specs findstr.exe no specs findstr.exe no specs find.exe no specs reg.exe no specs findstr.exe no specs find.exe no specs reg.exe no specs findstr.exe no specs find.exe no specs reg.exe no specs findstr.exe no specs find.exe no specs reg.exe no specs findstr.exe no specs find.exe no specs choice.exe no specs powershell.exe no specs reg.exe no specs sc.exe no specs find.exe no specs sc.exe no specs find.exe no specs wmic.exe no specs powershell.exe csc.exe cvtres.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs cmd.exe no specs reg.exe no specs find.exe no specs reg.exe no specs find.exe no specs reg.exe no specs find.exe no specs cmd.exe no specs net.exe no specs net1.exe no specs cmd.exe no specs wmic.exe no specs cmd.exe no specs reg.exe no specs reg.exe no specs cmd.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs cmd.exe no specs reg.exe no specs cmd.exe no specs reg.exe no specs cmd.exe no specs reg.exe no specs cmd.exe no specs reg.exe no specs cmd.exe no specs reg.exe no specs cmd.exe no specs reg.exe no specs cmd.exe no specs reg.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs reg.exe no specs findstr.exe no specs reg.exe no specs findstr.exe no specs reg.exe no specs findstr.exe no specs reg.exe no specs wmic.exe no specs find.exe no specs wmic.exe no specs find.exe no specs find.exe no specs find.exe no specs find.exe no specs find.exe no specs find.exe no specs find.exe no specs find.exe no specs find.exe no specs find.exe no specs find.exe no specs find.exe no specs find.exe no specs find.exe no specs find.exe no specs find.exe no specs find.exe no specs find.exe no specs find.exe no specs find.exe no specs find.exe no specs find.exe no specs find.exe no specs find.exe no specs find.exe no specs find.exe no specs find.exe no specs find.exe no specs find.exe no specs find.exe no specs wmic.exe no specs findstr.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs wmic.exe no specs findstr.exe no specs cmd.exe no specs wmic.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs cmd.exe no specs wmic.exe no specs wmic.exe no specs findstr.exe no specs wmic.exe no specs findstr.exe no specs wmic.exe no specs findstr.exe no specs wmic.exe no specs findstr.exe no specs wmic.exe no specs findstr.exe no specs cmd.exe no specs wmic.exe no specs wmic.exe no specs findstr.exe no specs wmic.exe no specs findstr.exe no specs wmic.exe no specs findstr.exe no specs wmic.exe no specs findstr.exe no specs wmic.exe no specs findstr.exe no specs wmic.exe no specs findstr.exe no specs wmic.exe no specs findstr.exe no specs wmic.exe no specs findstr.exe no specs wmic.exe no specs findstr.exe no specs wmic.exe no specs findstr.exe no specs wmic.exe no specs findstr.exe no specs wmic.exe no specs findstr.exe no specs cmd.exe no specs wmic.exe no specs wmic.exe no specs find.exe no specs find.exe no specs find.exe no specs find.exe no specs find.exe no specs find.exe no specs cmd.exe no specs wmic.exe no specs wmic.exe no specs findstr.exe no specs wmic.exe no specs find.exe no specs find.exe no specs find.exe no specs find.exe no specs find.exe no specs find.exe no specs cmd.exe no specs wmic.exe no specs wmic.exe no specs findstr.exe no specs cmd.exe no specs wmic.exe no specs cmd.exe no specs wmic.exe no specs wmic.exe no specs cmd.exe no specs wmic.exe no specs find.exe no specs find.exe no specs find.exe no specs find.exe no specs find.exe no specs find.exe no specs wmic.exe no specs find.exe no specs find.exe no specs find.exe no specs find.exe no specs find.exe no specs find.exe no specs wmic.exe no specs find.exe no specs find.exe no specs find.exe no specs find.exe no specs find.exe no specs find.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs cmd.exe no specs certutil.exe no specs findstr.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs wmic.exe no specs findstr.exe no specs sc.exe no specs find.exe no specs net.exe no specs net1.exe no specs sc.exe no specs find.exe no specs reg.exe no specs reg.exe no specs wmic.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs schtasks.exe no specs powershell.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
188powershell -nop -c $ExecutionContext.SessionState.LanguageMode C:\Windows\System32\WindowsPowerShell\v1.0\powershell.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
436findstr /I /C:"MondoVolume" "C:\WINDOWS\Temp\c2rchk.txt" C:\Windows\System32\findstr.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Find String (QGREP) Utility
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\findstr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
488reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe" /f /v KMS_ActivationInterval /t REG_DWORD /d 43200 C:\Windows\System32\reg.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ws2_32.dll
524reg query HKLM\SYSTEM\CurrentControlSet\Services\WinMgmt /v Start C:\Windows\System32\reg.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ws2_32.dll
524reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663" /f /v KeyManagementServicePort /t REG_SZ /d "1688" /reg:32 C:\Windows\System32\reg.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ws2_32.dll
524find /i "STOPPED" C:\Windows\System32\find.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Find String (grep) Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\find.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ulib.dll
c:\windows\system32\fsutilext.dll
540powershell -nop -c "&{$W=$Host.UI.RawUI.WindowSize;$B=$Host.UI.RawUI.BufferSize;$W.Height=31;$B.Height=300;$Host.UI.RawUI.WindowSize=$W;$Host.UI.RawUI.BufferSize=$B;}"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\atl.dll
540wmic path SoftwareLicensingProduct where "ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and Description like '%KMSCLIENT%' and PartialProductKey is not NULL" get Name /value C:\Windows\System32\wbem\WMIC.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
WMI Commandline Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
624reg query HKCU\SOFTWARE\Microsoft\Office\16.0\Common\Licensing\LicensingNext C:\Windows\System32\reg.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ws2_32.dll
640findstr /I /C:"VisioStdXVolume" "C:\WINDOWS\Temp\c2rchk.txt" C:\Windows\System32\findstr.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Find String (QGREP) Utility
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\findstr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
Total events
55 692
Read events
55 467
Write events
202
Delete events
23

Modification events

(PID) Process:(6240) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:writeName:failed_count
Value:
0
(PID) Process:(6240) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:writeName:state
Value:
2
(PID) Process:(6240) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:writeName:state
Value:
1
(PID) Process:(6240) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\StabilityMetrics
Operation:writeName:user_experience_metrics.stability.exited_cleanly
Value:
0
(PID) Process:(6240) msedge.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientStateMedium\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\LastWasDefault
Operation:writeName:S-1-5-21-1693682860-607145093-2874071422-1001
Value:
D353719C4D8A2F00
(PID) Process:(6240) msedge.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientStateMedium\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\LastWasDefault
Operation:writeName:S-1-5-21-1693682860-607145093-2874071422-1001
Value:
74567E9C4D8A2F00
(PID) Process:(6240) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowProperties\328474
Operation:writeName:WindowTabManagerFileMappingId
Value:
{34A590F2-C393-4801-8F4F-17E01FF4A8D6}
(PID) Process:(6240) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowProperties\328474
Operation:writeName:WindowTabManagerFileMappingId
Value:
{55C97141-51B2-4544-A3ED-8C6EC5F8D275}
(PID) Process:(6240) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowProperties\328474
Operation:writeName:WindowTabManagerFileMappingId
Value:
{6E8ECC38-CF57-4143-8CD0-564E5ECD9258}
(PID) Process:(6240) msedge.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientStateMedium\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\LastWasDefault
Operation:writeName:S-1-5-21-1693682860-607145093-2874071422-1001
Value:
5F0AC59C4D8A2F00
Executable files
57
Suspicious files
741
Text files
906
Unknown types
0

Dropped files

PID
Process
Filename
Type
6240msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old~RF1353a1.TMP
MD5:
SHA256:
6240msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old
MD5:
SHA256:
6240msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old~RF1353b1.TMP
MD5:
SHA256:
6240msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old
MD5:
SHA256:
6240msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old~RF1353b1.TMP
MD5:
SHA256:
6240msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old
MD5:
SHA256:
6240msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old~RF1353b1.TMP
MD5:
SHA256:
6240msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old
MD5:
SHA256:
6240msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old~RF1353c1.TMP
MD5:
SHA256:
6240msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
63
TCP/UDP connections
237
DNS requests
227
Threats
19

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
23.218.209.163:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
GET
200
23.48.23.143:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
6608
msedge.exe
GET
200
45.12.1.24:80
http://kmspico.io/wp-content/uploads/2020/10/download-kmspico.png
unknown
malicious
6608
msedge.exe
GET
200
45.12.1.24:80
http://kmspico.io/wp-content/uploads/2020/10/kmspico-software-1024x553.png
unknown
malicious
6608
msedge.exe
GET
200
45.12.1.24:80
http://kmspico.io/wp-content/uploads/2020/10/kmspico-activator-1024x703.png
unknown
malicious
6608
msedge.exe
GET
200
45.12.1.24:80
http://kmspico.io/wp-content/uploads/2020/10/how-to-install-kmspico-1024x590.png
unknown
malicious
6608
msedge.exe
GET
200
45.12.1.24:80
http://kmspico.io/wp-content/uploads/2020/10/kms-pico-1024x576.png
unknown
malicious
6608
msedge.exe
GET
200
45.12.1.24:80
http://kmspico.io/wp-content/uploads/2020/10/kmspico-official-download-1024x574.png
unknown
malicious
6608
msedge.exe
GET
200
45.12.1.24:80
http://kmspico.io/wp-content/uploads/2020/10/kmspico-windows-10-1024x576.png
unknown
malicious
1176
svchost.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
5004
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
4712
MoUsoCoreWorker.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
23.48.23.143:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
4
System
192.168.100.255:138
whitelisted
23.218.209.163:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
5064
SearchApp.exe
104.126.37.179:443
www.bing.com
Akamai International B.V.
DE
whitelisted
6608
msedge.exe
13.107.42.16:443
config.edge.skype.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
6240
msedge.exe
239.255.255.250:1900
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 20.73.194.208
  • 40.127.240.158
whitelisted
google.com
  • 142.250.185.206
whitelisted
crl.microsoft.com
  • 23.48.23.143
  • 23.48.23.156
whitelisted
www.microsoft.com
  • 23.218.209.163
whitelisted
www.bing.com
  • 104.126.37.179
  • 104.126.37.161
  • 104.126.37.160
  • 104.126.37.137
  • 104.126.37.177
  • 104.126.37.145
  • 104.126.37.170
  • 104.126.37.129
  • 104.126.37.171
  • 2.23.227.208
  • 2.23.227.215
  • 104.126.37.128
  • 104.126.37.185
  • 104.126.37.123
  • 104.126.37.144
  • 104.126.37.130
  • 104.126.37.176
  • 104.126.37.169
  • 104.126.37.163
whitelisted
config.edge.skype.com
  • 13.107.42.16
whitelisted
kmspico.io
  • 45.12.1.24
malicious
edge.microsoft.com
  • 204.79.197.239
  • 13.107.21.239
whitelisted
business.bing.com
  • 13.107.6.158
whitelisted
edge-mobile-static.azureedge.net
  • 13.107.246.45
whitelisted

Threats

PID
Process
Class
Message
6608
msedge.exe
Misc Attack
ET Threatview.io High Confidence Cobalt Strike C2 IP group 13
6608
msedge.exe
Misc Attack
ET Threatview.io High Confidence Cobalt Strike C2 IP group 12
6608
msedge.exe
Not Suspicious Traffic
INFO [ANY.RUN] jQuery JavaScript Library Code Loaded (code .jquery .com)
6608
msedge.exe
Not Suspicious Traffic
INFO [ANY.RUN] Requests to a free CDN for open source projects (jsdelivr .net)
6608
msedge.exe
Not Suspicious Traffic
INFO [ANY.RUN] Requests to a free CDN for open source projects (jsdelivr .net)
6608
msedge.exe
Not Suspicious Traffic
INFO [ANY.RUN] jQuery JavaScript Library Code Loaded (code .jquery .com)
6608
msedge.exe
Not Suspicious Traffic
INFO [ANY.RUN] Requests to a free CDN for open source projects (jsdelivr .net)
6608
msedge.exe
Not Suspicious Traffic
INFO [ANY.RUN] Requests to a free CDN for open source projects (jsdelivr .net)
6608
msedge.exe
Not Suspicious Traffic
INFO [ANY.RUN] jQuery JavaScript Library Code Loaded (code .jquery .com)
6608
msedge.exe
Not Suspicious Traffic
INFO [ANY.RUN] jQuery JavaScript Library Code Loaded (code .jquery .com)
3 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
kmspico.io