File name: KMSAuto_Net_2016_v1.5.4_Portable_password_2018.7z

Full analysis: https://app.any.run/tasks/efc83ec5-6a13-47b7-a092-627d5658bf95
Verdict: Malicious activity
Analysis date: August 14, 2024, 10:23:50
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: upx
MIME: application/x-7z-compressed
File info: 7-zip archive data, version 0.4
MD5: EE6EA04B058E3B0D38A716756597B4F8
SHA1: D59140C07BA68A8E0945CCD66746BD106FDED491
SHA256: 056684B471526B2CC044E2CB09E3C2B42CDA9FF1547617A43CF44890BE3030C5
SSDEEP: 98304:hnRrX1d8JMu3gerrZdZcWoSWvyE3GX/gQJ69l66tV2mA3f+zqxEin4PwpYDbw3VB:VnlXb/vaylg

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • WinRAR.exe (PID: 6452)
    • Executable content was dropped or overwritten

      • wzt.dat (PID: 4844)
      • bin.dat (PID: 644)
      • AESDecoder.exe (PID: 2096)
      • bin_x64.dat (PID: 6152)
      • bin_x64.dat (PID: 4316)
      • KMSAuto Net.exe (PID: 6876)
    • Reads Internet Explorer settings

      • KMSAuto Net.exe (PID: 6876)
    • Starts CMD.EXE for commands execution

      • KMSAuto Net.exe (PID: 6876)
      • cmd.exe (PID: 1568)
    • Drops the executable file immediately after the start

      • wzt.dat (PID: 4844)
      • KMSAuto Net.exe (PID: 6876)
      • bin.dat (PID: 644)
      • AESDecoder.exe (PID: 2096)
      • bin_x64.dat (PID: 6152)
      • bin_x64.dat (PID: 4316)
    • Process drops legitimate windows executable

      • wzt.dat (PID: 4844)
      • bin_x64.dat (PID: 6152)
      • bin_x64.dat (PID: 4316)
    • Starts application with an unusual extension

      • cmd.exe (PID: 3184)
      • cmd.exe (PID: 6276)
      • cmd.exe (PID: 3104)
      • cmd.exe (PID: 840)
    • Adds/modifies Windows certificates

      • certmgr.exe (PID: 1568)
      • certmgr.exe (PID: 6028)
    • Drops 7-zip archiver for unpacking

      • KMSAuto Net.exe (PID: 6876)
    • Drops a system driver (possible attempt to evade defenses)

      • bin_x64.dat (PID: 6152)
      • bin_x64.dat (PID: 4316)
    • Uses NETSH.EXE to delete a firewall rule or allowed programs

      • KMSAuto Net.exe (PID: 6876)
    • Uses NETSH.EXE to add a firewall rule or allowed programs

      • KMSAuto Net.exe (PID: 6876)
    • Executes as Windows Service

      • KMSSS.exe (PID: 6228)
    • Creates or modifies Windows services

      • KMSAuto Net.exe (PID: 6876)
    • Application launched itself

      • cmd.exe (PID: 1568)
    • Uses ROUTE.EXE to modify routing table

      • cmd.exe (PID: 6804)
    • Uses ROUTE.EXE to obtain the routing table information

      • cmd.exe (PID: 5944)
    • Uses TASKKILL.EXE to kill process

      • cmd.exe (PID: 6420)
    • Uses REG/REGEDIT.EXE to modify registry

      • KMSAuto Net.exe (PID: 6876)
      • cmd.exe (PID: 6564)
  • INFO

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 6452)
    • Reads the machine GUID from the registry

      • KMSAuto Net.exe (PID: 6876)
      • KMSSS.exe (PID: 6228)
    • Reads the computer name

      • KMSAuto Net.exe (PID: 6876)
      • KMSSS.exe (PID: 6228)
      • FakeClient.exe (PID: 3352)
    • Checks supported languages

      • KMSAuto Net.exe (PID: 6876)
      • certmgr.exe (PID: 1568)
      • certmgr.exe (PID: 6028)
      • AESDecoder.exe (PID: 2096)
      • bin.dat (PID: 644)
      • bin_x64.dat (PID: 6152)
      • KMSSS.exe (PID: 6228)
      • bin_x64.dat (PID: 4316)
      • FakeClient.exe (PID: 3352)
      • wzt.dat (PID: 4844)
    • Creates files or folders in the user directory

      • KMSAuto Net.exe (PID: 6876)
    • Create files in a temporary directory

      • cmd.exe (PID: 6992)
    • Reads Environment values

      • KMSAuto Net.exe (PID: 6876)
    • UPX packer has been detected

      • KMSAuto Net.exe (PID: 6876)
    • Creates files in the program directory

      • KMSAuto Net.exe (PID: 6876)
      • bin.dat (PID: 644)
      • AESDecoder.exe (PID: 2096)
      • bin_x64.dat (PID: 6152)
      • KMSSS.exe (PID: 6228)
      • bin_x64.dat (PID: 4316)
      • cmd.exe (PID: 6448)
      • wzt.dat (PID: 4844)
    • Reads product name

      • KMSAuto Net.exe (PID: 6876)
No Malware configuration.

TRiD

.7z | 7-Zip compressed archive (v0.4) (57.1)
.7z | 7-Zip compressed archive (gen) (42.8)
No data.
All screenshots are available in the full report
Total processes: 254
Monitored processes: 114
Malicious processes: 4
Suspicious processes: 2

Behavior graph

start winrar.exe kmsauto net.exe no specs THREAT kmsauto net.exe cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs wzt.dat cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs certmgr.exe no specs cmd.exe no specs conhost.exe no specs certmgr.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs bin.dat cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs aesdecoder.exe cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs bin_x64.dat cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs netstat.exe no specs find.exe no specs netsh.exe no specs conhost.exe no specs netsh.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs kmsss.exe no specs cmd.exe no specs conhost.exe no specs bin_x64.dat cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs route.exe no specs cmd.exe no specs conhost.exe no specs fakeclient.exe reg.exe no specs conhost.exe no specs reg.exe no specs conhost.exe no specs reg.exe no specs conhost.exe no specs reg.exe no specs conhost.exe no specs reg.exe no specs conhost.exe no specs reg.exe no specs conhost.exe no specs sppextcomobj.exe slui.exe no specs slui.exe no specs reg.exe no specs conhost.exe no specs reg.exe no specs conhost.exe no specs reg.exe no specs conhost.exe no specs reg.exe no specs conhost.exe no specs reg.exe no specs conhost.exe no specs reg.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs route.exe no specs cmd.exe no specs conhost.exe no specs taskkill.exe no specs sc.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs 
reg.exe no specs netsh.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs

Process information

PID: 32
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: sc.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

PID: 32
CMD: C:\WINDOWS\Sysnative\reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0FF1CE15-A989-479D-AF46-F275C6370663" /f
Path: C:\Windows\System32\reg.exe
Parent process: KMSAuto Net.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Registry Console Tool
Exit code: 1
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll

PID: 32
CMD: "sc.exe" delete WinDivert1.1
Path: C:\Windows\SysWOW64\sc.exe
Parent process: KMSAuto Net.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Service Control Manager Configuration Tool
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

PID: 188
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

PID: 644
CMD: bin.dat -y -pkmsauto
Path: C:\ProgramData\KMSAuto\bin.dat
Parent process: cmd.exe
User: admin
Company: Igor Pavlov
Integrity Level: HIGH
Description: 7z Console SFX
Exit code: 0
Version: 15.14
Modules (images):
c:\programdata\kmsauto\bin.dat
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll

PID: 840
CMD: C:\WINDOWS\Sysnative\cmd.exe /D /c wzt.dat -y -pkmsauto
Path: C:\Windows\System32\cmd.exe
Parent process: KMSAuto Net.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll

PID: 876
CMD: reg.exe DELETE HKLM\SYSTEM\CurrentControlSet\Services\KMSEmulator /f
Path: C:\Windows\System32\reg.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Registry Console Tool
Exit code: 1
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll

PID: 888
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: reg.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

PID: 1020
CMD: C:\WINDOWS\Sysnative\cmd.exe /D /c del /F /Q "bin_x64.dat"
Path: C:\Windows\System32\cmd.exe
Parent process: KMSAuto Net.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll

PID: 1048
CMD: "sc.exe" start KMSEmulator
Path: C:\Windows\SysWOW64\sc.exe
Parent process: KMSAuto Net.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Service Control Manager Configuration Tool
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
Total events: 16 448
Read events: 16 401
Write events: 39
Delete events: 8

Modification events

(PID) Process: (6452) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes
Operation: write
Name: ShellExtBMP
Value:

(PID) Process: (6452) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes
Operation: write
Name: ShellExtIcon
Value:

(PID) Process: (6452) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface
Operation: write
Name: ShowPassword
Value: 0

(PID) Process: (6452) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\GoogleChromeEnterpriseBundle64.zip

(PID) Process: (6452) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\AppData\Local\Temp\KMSAuto_Net_2016_v1.5.4_Portable_password_2018.7z

(PID) Process: (6452) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (6452) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (6452) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

(PID) Process: (6452) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100

(PID) Process: (6452) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1
Executable files: 28
Suspicious files: 12
Text files: 14
Unknown types: 1

Dropped files

PID: 6452 | Process: WinRAR.exe | Type: text
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXb6452.35728\KMSAuto Net 2016 v1.5.4 Portable\readme\readme_cn.txt
MD5: 885D124CF780E65EBC33A59D2A2A9D80
SHA256: 0DD95284F0C9A0F1A0BACDF526CFF9B79CCA2FCCA4AB2B7ADCFED8F0EDACE8C4

PID: 6452 | Process: WinRAR.exe | Type: text
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXb6452.35728\KMSAuto Net 2016 v1.5.4 Portable\readme\readme_vi.txt
MD5: 7F4691631E5D8D0E2677C4A770D9D78D
SHA256: 60C17FD8F5F6D7C95360D523CEE81998DEFC3AE04C43CC7A7C9231A53C041B98

PID: 6452 | Process: WinRAR.exe | Type: text
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXb6452.35728\KMSAuto Net 2016 v1.5.4 Portable\readme\readme_es.txt
MD5: 12C9AEB3C00E3B094EBECF0D85BAC503
SHA256: E5570A6208DCFE1D0F59F41B4410050614464DAE270A3EEEF27D1E3D3A970F56

PID: 6452 | Process: WinRAR.exe | Type: text
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXb6452.35728\KMSAuto Net 2016 v1.5.4 Portable\readme\readme_bg.txt
MD5: F9D04EBA921936FCF472F194DD210AB4
SHA256: 97DBA3DDA1780D80B35B669BB50E01BA4FFB4510C0A90B0A0C0FAE9CD019C15C

PID: 6452 | Process: WinRAR.exe | Type: text
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXb6452.35728\KMSAuto Net 2016 v1.5.4 Portable\readme\readme_kms.txt
MD5: 352709B6AED3902D4399F6615A7A7E70
SHA256: D3BEF0FEF19603B33B86E1CA431A25CB8A6DF047058E073BBF8BB931533217AA

PID: 6452 | Process: WinRAR.exe | Type: text
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXb6452.35728\KMSAuto Net 2016 v1.5.4 Portable\readme\readme_en.txt
MD5: 941EB5AC92A658BA07EF0A10B35FD84B
SHA256: 5EFB338DA2B217FA29F6937E09C604AAE14334C71A6ABF9B94F696BDAB3BA545

PID: 6452 | Process: WinRAR.exe | Type: text
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXb6452.35728\KMSAuto Net 2016 v1.5.4 Portable\readme\readme_ua.txt
MD5: 304890B34C6E1277E6BD8B25F4080E64
SHA256: B00BBCA133BDB04B2D89477288BFC13900415EC84C7E708A2DA926E799B24C01

PID: 6452 | Process: WinRAR.exe | Type: text
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXb6452.35728\KMSAuto Net 2016 v1.5.4 Portable\readme\readme_fr.txt
MD5: 4A8B83F2E300AD728DF3022B4090746C
SHA256: 065F293D1F516C2723B56DD1E52F86DFD0008F474194FD51FFCB607796D24FEC

PID: 6876 | Process: KMSAuto Net.exe | Type: executable
Filename: C:\ProgramData\KMSAuto\bin.dat
MD5: 4D2E5AFFE6D1CCB42F6650FD57448A9B
SHA256: 3CBF7C0231B3266B4A6946DCF9AAA39C2BF077F6E459CA9EAD39C516CBFCE74C

PID: 6876 | Process: KMSAuto Net.exe | Type: text
Filename: C:\Users\admin\AppData\Local\MSfree Inc\kmsauto.ini
MD5: AF6A20FD7DFADCD582CCF2B1BFAAF82B
SHA256: 0BEE97833A70AA9BA271E93226DACE849836C64919FBFE15543D694E219D4AF2
HTTP(S) requests: 5
TCP/UDP connections: 46
DNS requests: 19
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
5336 | SearchApp.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | whitelisted
1948 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
1948 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
7164 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | unknown | whitelisted
4692 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2064 | RUXIMICS.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
3888 | svchost.exe | 239.255.255.250:1900 | | | | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
2120 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
4088 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
4 | System | 192.168.100.255:137 | | | | whitelisted
5336 | SearchApp.exe | 184.86.251.17:443 | www.bing.com | Akamai International B.V. | DE | unknown
5336 | SearchApp.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted
1948 | svchost.exe | 40.126.32.134:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
1948 | svchost.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 172.217.18.14
whitelisted
settings-win.data.microsoft.com
  • 40.127.240.158
  • 4.231.128.59
  • 51.104.136.2
whitelisted
www.bing.com
  • 184.86.251.17
  • 184.86.251.22
  • 184.86.251.21
  • 184.86.251.13
  • 184.86.251.18
  • 184.86.251.16
  • 184.86.251.14
  • 184.86.251.20
  • 184.86.251.19
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
login.live.com
  • 40.126.32.134
  • 40.126.32.72
  • 20.190.160.20
  • 40.126.32.76
  • 40.126.32.74
  • 40.126.32.68
  • 20.190.160.17
  • 20.190.160.14
  • 40.126.32.133
  • 40.126.32.138
whitelisted
client.wns.windows.com
  • 40.115.3.253
whitelisted
th.bing.com
  • 184.86.251.11
  • 184.86.251.27
  • 184.86.251.4
  • 184.86.251.24
  • 184.86.251.29
  • 184.86.251.25
  • 184.86.251.9
  • 184.86.251.28
  • 184.86.251.26
whitelisted
fd.api.iris.microsoft.com
  • 20.223.36.55
whitelisted
arc.msn.com
  • 20.103.156.88
whitelisted
slscr.update.microsoft.com
  • 40.127.169.103
whitelisted

Threats

No threats detected
Process | Message
FakeClient.exe | WdfCoInstaller: [08/14/2024 10:24.31.864] ReadComponents: WdfSection for Driver Service windivert using KMDF lib version Major 0x1, minor 0x9
FakeClient.exe | WdfCoInstaller: [08/14/2024 10:24.31.880] BootApplication: could not open service windivert, error error(1060) The specified service does not exist as an installed service.
FakeClient.exe | WdfCoInstaller: [08/14/2024 10:24.31.880] BootApplication: GetStartType error error(87) The parameter is incorrect. Driver Service name windivert