URL:

https://kmspi.co/kmspico-11/

Full analysis: https://app.any.run/tasks/1cf7b040-044c-4fc5-aea4-936902d19075
Verdict: Malicious activity
Threats:

Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks.

Malware Trends Tracker     >>>
Analysis date: August 22, 2024, 18:05:49
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
miner
amadey
botnet
stealer
silentcryptominer
xor-url
generic
upx
Indicators:
MD5:

A61428445AAA2C4AD8FEA9DF88CD5E41

SHA1:

60B8CD4730CDAC1BD13A10498CED6FBC7E56F030

SHA256:

E180703B26D72E1E79DA4B5024351878D05452EFFE8D0919F2DFBB7DB7883643

SSDEEP:

3:N8N/eT:2deT

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Adds extension to the Windows Defender exclusion list

      • rkduajedzcrd.exe (PID: 7540)
      • RegistryHost.exe (PID: 6380)

    • MINER has been detected (SURICATA)

      • svchost.exe (PID: 2256)
      • explorer.exe (PID: 7724)

    • AMADEY has been detected (SURICATA)

      • explorer.exe (PID: 7724)

    • SILENTCRYPTOMINER has been detected (SURICATA)

      • explorer.exe (PID: 7724)

    • Connects to the CnC server

      • explorer.exe (PID: 7724)

    • XORed URL has been found (YARA)

      • explorer.exe (PID: 7724)

    • Uses Task Scheduler to run other applications

      • cmd.exe (PID: 7588)

    • Changes image file execution options

      • KMSELDI.exe (PID: 4524)
      • AutoPico.exe (PID: 7200)

  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • cookie_exporter.exe (PID: 7368)
      • WinRAR.exe (PID: 7300)
      • KMSPicoSetup11.2.1.exe (PID: 1440)
      • KMSpicosetup.tmp (PID: 3672)

    • Executable content was dropped or overwritten

      • KMSPicoSetup11.2.1.exe (PID: 1440)
      • KMSpicosetup.exe (PID: 2816)
      • KMSpicosetup.exe (PID: 4880)
      • KMSpicosetup.tmp (PID: 5700)
      • RegistryHost.exe (PID: 6380)
      • rkduajedzcrd.exe (PID: 7540)
      • KMSELDI.exe (PID: 4524)

    • The process creates files with name similar to system file names

      • KMSPicoSetup11.2.1.exe (PID: 1440)

    • Reads the date of Windows installation

      • KMSPicoSetup11.2.1.exe (PID: 1440)
      • KMSpicosetup.tmp (PID: 3672)

    • Powershell scripting: start process

      • RegistryHost.exe (PID: 2396)

    • Starts POWERSHELL.EXE for commands execution

      • RegistryHost.exe (PID: 2396)
      • RegistryHost.exe (PID: 6380)
      • rkduajedzcrd.exe (PID: 7540)

    • Detected use of alternative data streams (AltDS)

      • powershell.exe (PID: 4076)

    • Drops the executable file immediately after the start

      • KMSpicosetup.exe (PID: 2816)
      • KMSPicoSetup11.2.1.exe (PID: 1440)
      • KMSpicosetup.tmp (PID: 5700)
      • KMSpicosetup.exe (PID: 4880)
      • RegistryHost.exe (PID: 6380)
      • rkduajedzcrd.exe (PID: 7540)
      • KMSELDI.exe (PID: 4524)

    • Reads the Windows owner or organization settings

      • KMSpicosetup.tmp (PID: 5700)

    • Process drops legitimate windows executable

      • KMSpicosetup.tmp (PID: 5700)

    • Starts CMD.EXE for commands execution

      • RegistryHost.exe (PID: 6380)
      • rkduajedzcrd.exe (PID: 7540)
      • KMSpicosetup.tmp (PID: 5700)

    • Starts SC.EXE for service management

      • RegistryHost.exe (PID: 6380)
      • cmd.exe (PID: 7576)

    • Process uninstalls Windows update

      • wusa.exe (PID: 8156)
      • wusa.exe (PID: 7896)

    • Executes as Windows Service

      • rkduajedzcrd.exe (PID: 7540)

    • Script adds exclusion path to Windows Defender

      • RegistryHost.exe (PID: 6380)
      • rkduajedzcrd.exe (PID: 7540)

    • Script adds exclusion extension to Windows Defender

      • RegistryHost.exe (PID: 6380)
      • rkduajedzcrd.exe (PID: 7540)

    • Drops a system driver (possible attempt to evade defenses)

      • rkduajedzcrd.exe (PID: 7540)

    • Potential Corporate Privacy Violation

      • svchost.exe (PID: 2256)
      • explorer.exe (PID: 7724)

    • Modifies the phishing filter of IE

      • KMSpicosetup.tmp (PID: 5700)

    • Executing commands from ".cmd" file

      • KMSpicosetup.tmp (PID: 5700)

    • Connects to unusual port

      • explorer.exe (PID: 7724)

    • Crypto Currency Mining Activity Detected

      • explorer.exe (PID: 7724)

  • INFO

    • Checks proxy server information

      • cookie_exporter.exe (PID: 7368)

    • Reads Environment values

      • cookie_exporter.exe (PID: 7368)
      • identity_helper.exe (PID: 7664)
      • KMSELDI.exe (PID: 4524)
      • AutoPico.exe (PID: 7200)

    • The process uses the downloaded file

      • msedge.exe (PID: 6696)
      • WinRAR.exe (PID: 7300)
      • msedge.exe (PID: 4316)

    • Reads the computer name

      • identity_helper.exe (PID: 7664)
      • cookie_exporter.exe (PID: 7368)
      • KMSPicoSetup11.2.1.exe (PID: 1440)
      • KMSpicosetup.tmp (PID: 3672)
      • KMSpicosetup.tmp (PID: 5700)
      • KMSELDI.exe (PID: 4524)
      • AutoPico.exe (PID: 7200)

    • Checks supported languages

      • cookie_exporter.exe (PID: 7368)
      • identity_helper.exe (PID: 7664)
      • KMSPicoSetup11.2.1.exe (PID: 1440)
      • KMSpicosetup.exe (PID: 2816)
      • KMSpicosetup.tmp (PID: 3672)
      • RegistryHost.exe (PID: 2396)
      • KMSpicosetup.tmp (PID: 5700)
      • KMSpicosetup.exe (PID: 4880)
      • RegistryHost.exe (PID: 6380)
      • rkduajedzcrd.exe (PID: 7540)
      • UninsHs.exe (PID: 5400)
      • KMSELDI.exe (PID: 4524)
      • AutoPico.exe (PID: 7200)
      • SECOH-QAD.exe (PID: 6108)

    • Reads Microsoft Office registry keys

      • msedge.exe (PID: 6696)
      • KMSELDI.exe (PID: 4524)
      • AutoPico.exe (PID: 7200)

    • Application launched itself

      • msedge.exe (PID: 6696)

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 7300)

    • Create files in a temporary directory

      • KMSPicoSetup11.2.1.exe (PID: 1440)
      • KMSpicosetup.exe (PID: 2816)
      • KMSpicosetup.tmp (PID: 5700)
      • KMSpicosetup.exe (PID: 4880)

    • Process checks computer location settings

      • KMSPicoSetup11.2.1.exe (PID: 1440)
      • KMSpicosetup.tmp (PID: 3672)

    • The executable file from the user directory is run by the Powershell process

      • RegistryHost.exe (PID: 6380)

    • Creates files in the program directory

      • RegistryHost.exe (PID: 6380)
      • KMSpicosetup.tmp (PID: 5700)
      • KMSELDI.exe (PID: 4524)
      • AutoPico.exe (PID: 7200)

    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 3140)
      • powershell.exe (PID: 6356)

    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 3140)
      • powershell.exe (PID: 6356)

    • UPX packer has been detected

      • explorer.exe (PID: 7724)

    • Creates a software uninstall entry

      • KMSpicosetup.tmp (PID: 5700)

    • Reads the machine GUID from the registry

      • KMSELDI.exe (PID: 4524)
      • AutoPico.exe (PID: 7200)

    • Reads product name

      • KMSELDI.exe (PID: 4524)
      • AutoPico.exe (PID: 7200)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

xor-url

(PID) Process(7724) explorer.exe
Decrypted-URLs (1)https://206.12
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
246
Monitored processes
102
Malicious processes
12
Suspicious processes
3

Behavior graph

Click at the process to see the details
start iexplore.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs identity_helper.exe no specs identity_helper.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs cookie_exporter.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs winrar.exe msedge.exe no specs msedge.exe no specs kmspicosetup11.2.1.exe registryhost.exe no specs powershell.exe no specs kmspicosetup.exe conhost.exe no specs kmspicosetup.tmp no specs kmspicosetup.exe kmspicosetup.tmp registryhost.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs powershell.exe no specs conhost.exe no specs msedge.exe no specs cmd.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs wusa.exe no specs sc.exe no specs sc.exe no specs conhost.exe no specs conhost.exe no specs rkduajedzcrd.exe powershell.exe no specs conhost.exe no specs msedge.exe no specs cmd.exe no specs conhost.exe no specs conhost.exe no specs #XOR-URL explorer.exe wusa.exe no specs #MINER svchost.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs cmd.exe no specs cmd.exe no specs conhost.exe no specs conhost.exe no specs uninshs.exe no specs kmseldi.exe sc.exe no specs schtasks.exe no specs msedge.exe no specs msedge.exe no specs autopico.exe secoh-qad.exe no specs sppextcomobj.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
508C:\WINDOWS\system32\sc.exe stop eventlogC:\Windows\System32\sc.exeRegistryHost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Service Control Manager Configuration Tool
Exit code:
1051
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
608\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1020\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1044"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5672 --field-trial-handle=2452,i,13576902805915908532,17816386157089299394,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1164"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6368 --field-trial-handle=2452,i,13576902805915908532,17816386157089299394,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1440"C:\Users\admin\AppData\Local\Temp\Rar$EXb7300.32522\KMSPicoSetup11.2.1.exe" C:\Users\admin\AppData\Local\Temp\Rar$EXb7300.32522\KMSPicoSetup11.2.1.exe
WinRAR.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\rar$exb7300.32522\kmspicosetup11.2.1.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.19041.3996_none_91a79472cc852ba0\gdiplus.dll
1644"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=51 --mojo-platform-channel-handle=7120 --field-trial-handle=2452,i,13576902805915908532,17816386157089299394,262144 --variations-seed-version /prefetch:1C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2136"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.3636 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAABEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=792 --field-trial-handle=2452,i,13576902805915908532,17816386157089299394,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2256C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
2396"C:\Users\admin\AppData\Local\Temp\RarSFX0\RegistryHost.exe" C:\Users\admin\AppData\Local\Temp\RarSFX0\RegistryHost.exeKMSPicoSetup11.2.1.exe
User:
admin
Company:
MS Inc.
Integrity Level:
MEDIUM
Description:
Registry Host
Exit code:
0
Version:
70,0,3538,110
Modules
Images
c:\users\admin\appdata\local\temp\rarsfx0\registryhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
Total events
55 448
Read events
55 119
Write events
309
Delete events
20

Modification events

(PID) Process:(6532) iexplore.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\UrlBlock
Operation:writeName:L1WatermarkLowPart
Value:
0
(PID) Process:(6532) iexplore.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\UrlBlock
Operation:writeName:L1WatermarkHighPart
Value:
0
(PID) Process:(6532) iexplore.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\UrlBlock
Operation:writeName:NextCheckForUpdateLowDateTime
Value:
0
(PID) Process:(6532) iexplore.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\UrlBlock
Operation:writeName:NextCheckForUpdateHighDateTime
Value:
0
(PID) Process:(6532) iexplore.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\UrlBlock
Operation:writeName:NextCheckForUpdateLowDateTime
Value:
6789277
(PID) Process:(6532) iexplore.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\UrlBlock
Operation:writeName:NextCheckForUpdateHighDateTime
Value:
31126718
(PID) Process:(6532) iexplore.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(6532) iexplore.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(6532) iexplore.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
(PID) Process:(6532) iexplore.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main
Operation:writeName:CompatibilityFlags
Value:
0
Executable files
34
Suspicious files
345
Text files
860
Unknown types
9

Dropped files

PID
Process
Filename
Type
6696msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old~RF11dbe6.TMP
MD5:
SHA256:
6696msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old~RF11dbe6.TMP
MD5:
SHA256:
6696msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old~RF11dbe6.TMP
MD5:
SHA256:
6696msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old
MD5:
SHA256:
6696msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old~RF11dbe6.TMP
MD5:
SHA256:
6696msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old
MD5:
SHA256:
6696msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old
MD5:
SHA256:
6696msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old
MD5:
SHA256:
6696msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\LOG.old~RF11dc34.TMP
MD5:
SHA256:
6696msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\LOG.old
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
33
TCP/UDP connections
143
DNS requests
138
Threats
15

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5116
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
7944
svchost.exe
HEAD
200
199.232.210.172:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/47f9eec4-45e7-4567-b813-2cac77a54a3d?P1=1724900017&P2=404&P3=2&P4=eIZKxX7JpWo%2beXaVYJvglzDWsBvwvpGq5ajOhNoek8MkV6H1GeHKEhcowd5x9fVccp2MBC8SnF6MfrnzIxykMA%3d%3d
unknown
whitelisted
7992
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
whitelisted
6192
SIHClient.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
7944
svchost.exe
GET
206
199.232.210.172:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/47f9eec4-45e7-4567-b813-2cac77a54a3d?P1=1724900017&P2=404&P3=2&P4=eIZKxX7JpWo%2beXaVYJvglzDWsBvwvpGq5ajOhNoek8MkV6H1GeHKEhcowd5x9fVccp2MBC8SnF6MfrnzIxykMA%3d%3d
unknown
whitelisted
7944
svchost.exe
GET
206
199.232.210.172:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/47f9eec4-45e7-4567-b813-2cac77a54a3d?P1=1724900017&P2=404&P3=2&P4=eIZKxX7JpWo%2beXaVYJvglzDWsBvwvpGq5ajOhNoek8MkV6H1GeHKEhcowd5x9fVccp2MBC8SnF6MfrnzIxykMA%3d%3d
unknown
whitelisted
7944
svchost.exe
GET
206
199.232.210.172:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/47f9eec4-45e7-4567-b813-2cac77a54a3d?P1=1724900017&P2=404&P3=2&P4=eIZKxX7JpWo%2beXaVYJvglzDWsBvwvpGq5ajOhNoek8MkV6H1GeHKEhcowd5x9fVccp2MBC8SnF6MfrnzIxykMA%3d%3d
unknown
whitelisted
7944
svchost.exe
GET
206
199.232.210.172:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/47f9eec4-45e7-4567-b813-2cac77a54a3d?P1=1724900017&P2=404&P3=2&P4=eIZKxX7JpWo%2beXaVYJvglzDWsBvwvpGq5ajOhNoek8MkV6H1GeHKEhcowd5x9fVccp2MBC8SnF6MfrnzIxykMA%3d%3d
unknown
whitelisted
7944
svchost.exe
GET
206
199.232.210.172:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/47f9eec4-45e7-4567-b813-2cac77a54a3d?P1=1724900017&P2=404&P3=2&P4=eIZKxX7JpWo%2beXaVYJvglzDWsBvwvpGq5ajOhNoek8MkV6H1GeHKEhcowd5x9fVccp2MBC8SnF6MfrnzIxykMA%3d%3d
unknown
whitelisted
7944
svchost.exe
GET
206
199.232.210.172:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/47f9eec4-45e7-4567-b813-2cac77a54a3d?P1=1724900017&P2=404&P3=2&P4=eIZKxX7JpWo%2beXaVYJvglzDWsBvwvpGq5ajOhNoek8MkV6H1GeHKEhcowd5x9fVccp2MBC8SnF6MfrnzIxykMA%3d%3d
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2120
MoUsoCoreWorker.exe
51.104.136.2:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5144
svchost.exe
51.104.136.2:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
1488
RUXIMICS.exe
51.104.136.2:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
6968
msedge.exe
169.150.247.36:443
kmspico.b-cdn.net
unknown
6968
msedge.exe
13.107.42.16:443
config.edge.skype.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
6696
msedge.exe
239.255.255.250:1900
whitelisted
6968
msedge.exe
188.114.96.3:443
kmspi.co
CLOUDFLARENET
NL
unknown
6968
msedge.exe
204.79.197.239:443
edge.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
unknown
6968
msedge.exe
2.23.209.176:443
www.bing.com
Akamai International B.V.
GB
unknown

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.186.78
whitelisted
kmspi.co
  • 188.114.96.3
  • 188.114.97.3
unknown
config.edge.skype.com
  • 13.107.42.16
whitelisted
edge.microsoft.com
  • 204.79.197.239
  • 13.107.21.239
whitelisted
edge-mobile-static.azureedge.net
  • 13.107.246.60
whitelisted
business.bing.com
  • 13.107.6.158
whitelisted
bzib.nelreports.net
  • 2.19.126.145
  • 2.19.126.152
whitelisted
kmspico.b-cdn.net
  • 169.150.247.36
whitelisted
www.bing.com
  • 2.23.209.176
  • 2.23.209.187
  • 2.23.209.182
  • 2.23.209.185
  • 2.23.209.177
  • 2.23.209.189
  • 2.23.209.158
  • 2.23.209.140
  • 2.23.209.135
  • 2.23.209.179
  • 2.23.209.130
whitelisted
www.statcounter.com
  • 104.20.95.138
  • 104.20.94.138
whitelisted

Threats

PID
Process
Class
Message
6968
msedge.exe
Misc activity
ET INFO Commonly Abused File Sharing Domain (wasabisys .com) in DNS Lookup
6968
msedge.exe
Misc activity
ET INFO Commonly Abused File Sharing Domain (wasabisys .com) in DNS Lookup
6968
msedge.exe
Misc activity
ET INFO Commonly Abused File Sharing Domain (wasabisys .com) in DNS Lookup
6968
msedge.exe
Misc activity
ET INFO Commonly Abused File Sharing Domain (wasabisys .com) in TLS SNI
6968
msedge.exe
Not Suspicious Traffic
INFO [ANY.RUN] Cloudflare Network Error Logging (NEL)
6968
msedge.exe
Not Suspicious Traffic
INFO [ANY.RUN] Cloudflare Network Error Logging (NEL)
2256
svchost.exe
Potential Corporate Privacy Violation
ET POLICY Observed DNS Query to Coin Mining Domain (nanopool .org)
7724
explorer.exe
A Network Trojan was detected
ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M3
7724
explorer.exe
A Network Trojan was detected
ET MALWARE SilentCryptoMiner Agent Config Inbound
7724
explorer.exe
Potential Corporate Privacy Violation
ET POLICY Cryptocurrency Miner Checkin
1 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
https://kmspi.co/kmspico-11/