File name: KMSAuto_Net_2016_v1.5.4_Portable_password_2018.7z

Full analysis: https://app.any.run/tasks/efc83ec5-6a13-47b7-a092-627d5658bf95
Verdict: Malicious activity
Analysis date: August 14, 2024, 10:23:50
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
upx
Indicators:
MIME: application/x-7z-compressed
File info: 7-zip archive data, version 0.4
MD5: EE6EA04B058E3B0D38A716756597B4F8
SHA1: D59140C07BA68A8E0945CCD66746BD106FDED491
SHA256: 056684B471526B2CC044E2CB09E3C2B42CDA9FF1547617A43CF44890BE3030C5
SSDEEP: 98304:hnRrX1d8JMu3gerrZdZcWoSWvyE3GX/gQJ69l66tV2mA3f+zqxEin4PwpYDbw3VB:VnlXb/vaylg

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • WinRAR.exe (PID: 6452)
    • Reads Internet Explorer settings

      • KMSAuto Net.exe (PID: 6876)
    • Starts CMD.EXE for commands execution

      • KMSAuto Net.exe (PID: 6876)
      • cmd.exe (PID: 1568)
    • Executable content was dropped or overwritten

      • KMSAuto Net.exe (PID: 6876)
      • bin.dat (PID: 644)
      • bin_x64.dat (PID: 6152)
      • AESDecoder.exe (PID: 2096)
      • bin_x64.dat (PID: 4316)
      • wzt.dat (PID: 4844)
    • Process drops legitimate windows executable

      • wzt.dat (PID: 4844)
      • bin_x64.dat (PID: 6152)
      • bin_x64.dat (PID: 4316)
    • Drops the executable file immediately after the start

      • bin.dat (PID: 644)
      • KMSAuto Net.exe (PID: 6876)
      • AESDecoder.exe (PID: 2096)
      • bin_x64.dat (PID: 6152)
      • bin_x64.dat (PID: 4316)
      • wzt.dat (PID: 4844)
    • Adds/modifies Windows certificates

      • certmgr.exe (PID: 1568)
      • certmgr.exe (PID: 6028)
    • Drops 7-zip archiver for unpacking

      • KMSAuto Net.exe (PID: 6876)
    • Starts application with an unusual extension

      • cmd.exe (PID: 3184)
      • cmd.exe (PID: 6276)
      • cmd.exe (PID: 3104)
      • cmd.exe (PID: 840)
    • Drops a system driver (possible attempt to evade defenses)

      • bin_x64.dat (PID: 6152)
      • bin_x64.dat (PID: 4316)
    • Uses NETSH.EXE to delete a firewall rule or allowed programs

      • KMSAuto Net.exe (PID: 6876)
    • Application launched itself

      • cmd.exe (PID: 1568)
    • Uses NETSH.EXE to add a firewall rule or allowed programs

      • KMSAuto Net.exe (PID: 6876)
    • Creates or modifies Windows services

      • KMSAuto Net.exe (PID: 6876)
    • Executes as Windows Service

      • KMSSS.exe (PID: 6228)
    • Uses ROUTE.EXE to modify routing table

      • cmd.exe (PID: 6804)
    • Uses TASKKILL.EXE to kill process

      • cmd.exe (PID: 6420)
    • Uses REG/REGEDIT.EXE to modify registry

      • KMSAuto Net.exe (PID: 6876)
      • cmd.exe (PID: 6564)
    • Uses ROUTE.EXE to obtain the routing table information

      • cmd.exe (PID: 5944)
  • INFO

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 6452)
    • Reads Environment values

      • KMSAuto Net.exe (PID: 6876)
    • Reads the computer name

      • KMSAuto Net.exe (PID: 6876)
      • KMSSS.exe (PID: 6228)
      • FakeClient.exe (PID: 3352)
    • Create files in a temporary directory

      • cmd.exe (PID: 6992)
    • Checks supported languages

      • KMSAuto Net.exe (PID: 6876)
      • bin.dat (PID: 644)
      • certmgr.exe (PID: 1568)
      • certmgr.exe (PID: 6028)
      • AESDecoder.exe (PID: 2096)
      • bin_x64.dat (PID: 6152)
      • KMSSS.exe (PID: 6228)
      • bin_x64.dat (PID: 4316)
      • FakeClient.exe (PID: 3352)
      • wzt.dat (PID: 4844)
    • Creates files or folders in the user directory

      • KMSAuto Net.exe (PID: 6876)
    • Reads the machine GUID from the registry

      • KMSAuto Net.exe (PID: 6876)
      • KMSSS.exe (PID: 6228)
    • Reads product name

      • KMSAuto Net.exe (PID: 6876)
    • Creates files in the program directory

      • cmd.exe (PID: 6448)
      • bin.dat (PID: 644)
      • bin_x64.dat (PID: 6152)
      • AESDecoder.exe (PID: 2096)
      • KMSSS.exe (PID: 6228)
      • bin_x64.dat (PID: 4316)
      • KMSAuto Net.exe (PID: 6876)
      • wzt.dat (PID: 4844)
    • UPX packer has been detected

      • KMSAuto Net.exe (PID: 6876)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.7z | 7-Zip compressed archive (v0.4) (57.1)
.7z | 7-Zip compressed archive (gen) (42.8)
No data.
All screenshots are available in the full report
Total processes
254
Monitored processes
114
Malicious processes
4
Suspicious processes
2

Behavior graph

start winrar.exe kmsauto net.exe no specs THREAT kmsauto net.exe cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs wzt.dat cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs certmgr.exe no specs cmd.exe no specs conhost.exe no specs certmgr.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs bin.dat cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs aesdecoder.exe cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs bin_x64.dat cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs netstat.exe no specs find.exe no specs netsh.exe no specs conhost.exe no specs netsh.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs kmsss.exe no specs cmd.exe no specs conhost.exe no specs bin_x64.dat cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs route.exe no specs cmd.exe no specs conhost.exe no specs fakeclient.exe reg.exe no specs conhost.exe no specs reg.exe no specs conhost.exe no specs reg.exe no specs conhost.exe no specs reg.exe no specs conhost.exe no specs reg.exe no specs conhost.exe no specs reg.exe no specs conhost.exe no specs sppextcomobj.exe slui.exe no specs slui.exe no specs reg.exe no specs conhost.exe no specs reg.exe no specs conhost.exe no specs reg.exe no specs conhost.exe no specs reg.exe no specs conhost.exe no specs reg.exe no specs conhost.exe no specs reg.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs route.exe no specs cmd.exe no specs conhost.exe no specs taskkill.exe no specs sc.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs 
reg.exe no specs netsh.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
PID: 32
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: sc.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 32
CMD: C:\WINDOWS\Sysnative\reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0FF1CE15-A989-479D-AF46-F275C6370663" /f
Path: C:\Windows\System32\reg.exe
Parent process: KMSAuto Net.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 32
CMD: "sc.exe" delete WinDivert1.1
Path: C:\Windows\SysWOW64\sc.exe
Parent process: KMSAuto Net.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Service Control Manager Configuration Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 188
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 644
CMD: bin.dat -y -pkmsauto
Path: C:\ProgramData\KMSAuto\bin.dat
Parent process: cmd.exe
User:
admin
Company:
Igor Pavlov
Integrity Level:
HIGH
Description:
7z Console SFX
Exit code:
0
Version:
15.14
Modules
Images
c:\programdata\kmsauto\bin.dat
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll
PID: 840
CMD: C:\WINDOWS\Sysnative\cmd.exe /D /c wzt.dat -y -pkmsauto
Path: C:\Windows\System32\cmd.exe
Parent process: KMSAuto Net.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
PID: 876
CMD: reg.exe DELETE HKLM\SYSTEM\CurrentControlSet\Services\KMSEmulator /f
Path: C:\Windows\System32\reg.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 888
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: reg.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1020
CMD: C:\WINDOWS\Sysnative\cmd.exe /D /c del /F /Q "bin_x64.dat"
Path: C:\Windows\System32\cmd.exe
Parent process: KMSAuto Net.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
PID: 1048
CMD: "sc.exe" start KMSEmulator
Path: C:\Windows\SysWOW64\sc.exe
Parent process: KMSAuto Net.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Service Control Manager Configuration Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
Total events
16 448
Read events
16 401
Write events
39
Delete events
8

Modification events

(PID) Process: (6452) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes
Operation: write
Name: ShellExtBMP
Value:

(PID) Process: (6452) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes
Operation: write
Name: ShellExtIcon
Value:

(PID) Process: (6452) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface
Operation: write
Name: ShowPassword
Value: 0

(PID) Process: (6452) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\GoogleChromeEnterpriseBundle64.zip

(PID) Process: (6452) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\AppData\Local\Temp\KMSAuto_Net_2016_v1.5.4_Portable_password_2018.7z

(PID) Process: (6452) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (6452) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (6452) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

(PID) Process: (6452) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100

(PID) Process: (6452) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1
Executable files
28
Suspicious files
12
Text files
14
Unknown types
1

Dropped files

PID
Process
Filename
Type
PID: 6452
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXb6452.35728\KMSAuto Net 2016 v1.5.4 Portable\readme\readme_ua.txt
Type: text
MD5: 304890B34C6E1277E6BD8B25F4080E64
SHA256: B00BBCA133BDB04B2D89477288BFC13900415EC84C7E708A2DA926E799B24C01

PID: 6452
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXb6452.35728\KMSAuto Net 2016 v1.5.4 Portable\readme\readme_es.txt
Type: text
MD5: 12C9AEB3C00E3B094EBECF0D85BAC503
SHA256: E5570A6208DCFE1D0F59F41B4410050614464DAE270A3EEEF27D1E3D3A970F56

PID: 6452
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXb6452.35728\KMSAuto Net 2016 v1.5.4 Portable\readme\readme_kms.txt
Type: text
MD5: 352709B6AED3902D4399F6615A7A7E70
SHA256: D3BEF0FEF19603B33B86E1CA431A25CB8A6DF047058E073BBF8BB931533217AA

PID: 6452
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXb6452.35728\KMSAuto Net 2016 v1.5.4 Portable\readme\readme_vi.txt
Type: text
MD5: 7F4691631E5D8D0E2677C4A770D9D78D
SHA256: 60C17FD8F5F6D7C95360D523CEE81998DEFC3AE04C43CC7A7C9231A53C041B98

PID: 4844
Process: wzt.dat
Filename: C:\ProgramData\KMSAuto\wzt\wzteam.cer
Type: binary
MD5: 76B56D90E6F1DA030A8B85E64579F25A
SHA256: FD2D7DF0220DD65EE23D0090299DFCC356F6F8F7167BAE9ADF7D08CEFAF39D02

PID: 6452
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXb6452.35728\KMSAuto Net 2016 v1.5.4 Portable\readme\readme_fr.txt
Type: text
MD5: 4A8B83F2E300AD728DF3022B4090746C
SHA256: 065F293D1F516C2723B56DD1E52F86DFD0008F474194FD51FFCB607796D24FEC

PID: 6992
Process: cmd.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXb6452.35728\KMSAuto Net 2016 v1.5.4 Portable\test.test
Type: text
MD5: 9F06243ABCB89C70E0C331C61D871FA7
SHA256: 837CCB607E312B170FAC7383D7CCFD61FA5072793F19A25E75FBACB56539B86B

PID: 6876
Process: KMSAuto Net.exe
Filename: C:\Users\admin\AppData\Local\MSfree Inc\kmsauto.ini
Type: text
MD5: AF6A20FD7DFADCD582CCF2B1BFAAF82B
SHA256: 0BEE97833A70AA9BA271E93226DACE849836C64919FBFE15543D694E219D4AF2

PID: 6876
Process: KMSAuto Net.exe
Filename: C:\ProgramData\KMSAuto\wzt.dat
Type: executable
MD5: 822DA2319294F2B768BFE9ED4EEBAC15
SHA256: 17B74D4EA905FAC0BA6857F78F47EE1E940675AF1BC27DED69FE2941318106EF

PID: 644
Process: bin.dat
Filename: C:\ProgramData\KMSAuto\bin\KMSSS.exe.aes
Type: binary
MD5: 41E0D8AB5104DA2068739109EC3599F4
SHA256: 38D1DBDC7C7A64253E6D4B52225B0BFD7716405C731A107F0C6BA9573A73A77F
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
5
TCP/UDP connections
46
DNS requests
19
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1948
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
5336
SearchApp.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
1948
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
4692
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
whitelisted
7164
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2064
RUXIMICS.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
3888
svchost.exe
239.255.255.250:1900
whitelisted
4
System
192.168.100.255:138
whitelisted
2120
MoUsoCoreWorker.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
4088
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
4
System
192.168.100.255:137
whitelisted
5336
SearchApp.exe
184.86.251.17:443
www.bing.com
Akamai International B.V.
DE
unknown
5336
SearchApp.exe
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted
1948
svchost.exe
40.126.32.134:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
1948
svchost.exe
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 172.217.18.14
whitelisted
settings-win.data.microsoft.com
  • 40.127.240.158
  • 4.231.128.59
  • 51.104.136.2
whitelisted
www.bing.com
  • 184.86.251.17
  • 184.86.251.22
  • 184.86.251.21
  • 184.86.251.13
  • 184.86.251.18
  • 184.86.251.16
  • 184.86.251.14
  • 184.86.251.20
  • 184.86.251.19
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
login.live.com
  • 40.126.32.134
  • 40.126.32.72
  • 20.190.160.20
  • 40.126.32.76
  • 40.126.32.74
  • 40.126.32.68
  • 20.190.160.17
  • 20.190.160.14
  • 40.126.32.133
  • 40.126.32.138
whitelisted
client.wns.windows.com
  • 40.115.3.253
whitelisted
th.bing.com
  • 184.86.251.11
  • 184.86.251.27
  • 184.86.251.4
  • 184.86.251.24
  • 184.86.251.29
  • 184.86.251.25
  • 184.86.251.9
  • 184.86.251.28
  • 184.86.251.26
whitelisted
fd.api.iris.microsoft.com
  • 20.223.36.55
whitelisted
arc.msn.com
  • 20.103.156.88
whitelisted
slscr.update.microsoft.com
  • 40.127.169.103
whitelisted

Threats

No threats detected
Process
Message
FakeClient.exe
WdfCoInstaller: [08/14/2024 10:24.31.864] ReadComponents: WdfSection for Driver Service windivert using KMDF lib version Major 0x1, minor 0x9
FakeClient.exe
WdfCoInstaller: [08/14/2024 10:24.31.880] BootApplication: could not open service windivert, error error(1060) The specified service does not exist as an installed service.
FakeClient.exe
WdfCoInstaller: [08/14/2024 10:24.31.880] BootApplication: GetStartType error error(87) The parameter is incorrect. Driver Service name windivert