File name: HEU KMS Activator 42.exe

Full analysis: https://app.any.run/tasks/b007c8bb-c443-4c69-a756-c4b32d8a39e6
Verdict: Malicious activity
Analysis date: March 22, 2025, 07:09:56
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
autoit
qrcode
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5: 820A4C7E7786AA77B6EB06D1081C9821
SHA1: 673264E81C920C2E84A219CB4257249523B9E902
SHA256: 0EBA428EEDC5D77A7BCB424235B5F01C8F71AAFF1CDF31A955CA79BC30CD1FE3
SSDEEP: 98304:GP/mp7t3T4+B/btosJwIA4hHmZlKH2Tw/Pq83zw0bCjvkMc5qrmpxYLkdZfp9an4:/T9B2Bv

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Starts NET.EXE for service management

      • net.exe (PID: 5668)
      • cmd.exe (PID: 5868)
  • SUSPICIOUS

    • There is functionality for taking screenshot (YARA)

      • HEU KMS Activator 42.exe (PID: 2980)
    • Executable content was dropped or overwritten

      • HEU KMS Activator 42.exe (PID: 2980)
      • 7Z.EXE (PID: 1116)
    • Drops 7-zip archiver for unpacking

      • HEU KMS Activator 42.exe (PID: 2980)
    • Detected use of alternative data streams (AltDS)

      • kms_x64.exe (PID: 5800)
    • Uses WMI to retrieve WMI-managed resources (SCRIPT)

      • cscript.exe (PID: 5608)
      • cscript.exe (PID: 5228)
    • Windows service management via SC.EXE

      • sc.exe (PID: 4224)
      • sc.exe (PID: 920)
      • sc.exe (PID: 4784)
      • sc.exe (PID: 3008)
      • sc.exe (PID: 1348)
      • sc.exe (PID: 1240)
      • sc.exe (PID: 4688)
      • sc.exe (PID: 4428)
      • sc.exe (PID: 2108)
      • sc.exe (PID: 6044)
      • sc.exe (PID: 4464)
      • sc.exe (PID: 4212)
      • sc.exe (PID: 6768)
    • Starts CMD.EXE for commands execution

      • kms_x64.exe (PID: 5800)
    • Starts SC.EXE for service management

      • cmd.exe (PID: 5552)
      • cmd.exe (PID: 780)
      • cmd.exe (PID: 5436)
      • cmd.exe (PID: 2800)
      • cmd.exe (PID: 3332)
      • cmd.exe (PID: 1052)
      • cmd.exe (PID: 1280)
      • cmd.exe (PID: 3332)
      • cmd.exe (PID: 5868)
      • cmd.exe (PID: 5376)
      • cmd.exe (PID: 4880)
      • cmd.exe (PID: 472)
      • cmd.exe (PID: 2984)
    • Application launched itself

      • ClipUp.exe (PID: 6404)
  • INFO

    • The sample compiled with Chinese language support

      • HEU KMS Activator 42.exe (PID: 2980)
      • 7Z.EXE (PID: 1116)
    • Checks supported languages

      • HEU KMS Activator 42.exe (PID: 2980)
      • 7Z.EXE (PID: 1116)
      • kms_x64.exe (PID: 5800)
    • Reads mouse settings

      • HEU KMS Activator 42.exe (PID: 2980)
      • kms_x64.exe (PID: 5800)
    • The process uses AutoIt

      • HEU KMS Activator 42.exe (PID: 2980)
    • Reads the computer name

      • HEU KMS Activator 42.exe (PID: 2980)
      • 7Z.EXE (PID: 1116)
      • kms_x64.exe (PID: 5800)
    • The sample compiled with English language support

      • HEU KMS Activator 42.exe (PID: 2980)
    • Create files in a temporary directory

      • HEU KMS Activator 42.exe (PID: 2980)
      • 7Z.EXE (PID: 1116)
      • kms_x64.exe (PID: 5800)
      • ClipUp.exe (PID: 6736)
    • Reads security settings of Internet Explorer

      • cscript.exe (PID: 5608)
      • cscript.exe (PID: 5228)
    • Reads Environment values

      • kms_x64.exe (PID: 5800)
    • Reads product name

      • kms_x64.exe (PID: 5800)
    • Creates files in the program directory

      • ClipUp.exe (PID: 6736)
      • kms_x64.exe (PID: 5800)
    • Process checks computer location settings

      • kms_x64.exe (PID: 5800)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (44)
.exe | Win32 EXE Yoda's Crypter (42.3)
.exe | Win32 Executable (generic) (7.1)
.exe | Generic Win/DOS Executable (3.1)
.exe | DOS Executable Generic (3.1)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2023:11:15 16:28:12+00:00
ImageFileCharacteristics: Executable, Large address aware, 32-bit
PEType: PE32
LinkerVersion: 14.16
CodeSize: 633856
InitializedDataSize: 4678144
UninitializedDataSize: -
EntryPoint: 0x20577
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
FileVersionNumber: 42.0.0.0
ProductVersionNumber: 42.0.0.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Unknown
FileSubtype: -
LanguageCode: Chinese (Simplified)
CharacterSet: Unicode
FileVersion: 42.0.0.0
Comments: KMS/数字权利/KMS38/OEM激活
FileDescription: HEU KMS Activator™
ProductVersion: 42.0.0.0
LegalCopyright: 知彼而知己
Productname: HEU KMS Activator
CompanyName: 知彼而知己
OriginalFileName: HEU_KMS_Activator_v42.0.0
InternalName: HEU_KMS_Activator_v42.0.0
All screenshots are available in the full report
Total processes
197
Monitored processes
61
Malicious processes
2
Suspicious processes
2

Behavior graph

Processes in the graph (those marked "no specs" triggered no indicators): heu kms activator 42.exe, sppextcomobj.exe (no specs), slui.exe (no specs), 7z.exe, conhost.exe (no specs), kms_x64.exe (no specs), cmd.exe (no specs), conhost.exe (no specs), cscript.exe (no specs), cmd.exe (no specs), conhost.exe (no specs), cscript.exe (no specs), cmd.exe (no specs), conhost.exe (no specs), sc.exe (no specs), cmd.exe (no specs), conhost.exe (no specs), sc.exe (no specs), cmd.exe (no specs), conhost.exe (no specs), sc.exe (no specs), cmd.exe (no specs), conhost.exe (no specs), sc.exe (no specs), cmd.exe (no specs), conhost.exe (no specs), sc.exe (no specs), cmd.exe (no specs), conhost.exe (no specs), sc.exe (no specs), cmd.exe (no specs), conhost.exe (no specs), sc.exe (no specs), cmd.exe (no specs), conhost.exe (no specs), sc.exe (no specs), cmd.exe (no specs), conhost.exe (no specs), sc.exe (no specs), cmd.exe (no specs), conhost.exe (no specs), sc.exe (no specs), cmd.exe (no specs), conhost.exe (no specs), net.exe (no specs), net1.exe (no specs), sc.exe (no specs), cmd.exe (no specs), conhost.exe (no specs), sc.exe (no specs), cmd.exe (no specs), conhost.exe (no specs), sc.exe (no specs), cmd.exe (no specs), conhost.exe (no specs), cmd.exe (no specs), conhost.exe (no specs), clipup.exe (no specs), clipup.exe (no specs), conhost.exe (no specs), heu kms activator 42.exe (no specs)

Process information

PID
CMD
Path
Indicators
Parent process
PID: 472
CMD: C:\WINDOWS\system32\cmd.exe /c sc query Winmgmt
Path: C:\Windows\System32\cmd.exe
Parent process: kms_x64.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
PID: 680
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: ClipUp.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 736
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 736
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 780
CMD: C:\WINDOWS\system32\cmd.exe /c sc query sppsvc
Path: C:\Windows\System32\cmd.exe
Parent process: kms_x64.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
PID: 920
CMD: sc query ClipSVC
Path: C:\Windows\System32\sc.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Service Control Manager Configuration Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
PID: 1040
CMD: C:\WINDOWS\system32\cmd.exe /c C:\WINDOWS\System32\cscript.exe //nologo //Job:WmiQuery "C:\Users\admin\AppData\Local\Temp\_temp_heu168yyds\xml\wim.xml?.wsf" SoftwareLicensingService Version
Path: C:\Windows\System32\cmd.exe
Parent process: kms_x64.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
PID: 1040
CMD: C:\WINDOWS\system32\cmd.exe /c set "Path=%SystemRoot%;%SystemRoot%\system32;%SystemRoot%\System32\Wbem;%SystemRoot\System32\WindowsPowerShell\v1.0\" & Powershell Set-WinHomeLocation -GeoId 244
Path: C:\Windows\System32\cmd.exe
Parent process: kms_x64.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
PID: 1052
CMD: C:\WINDOWS\system32\cmd.exe /c sc query wuauserv
Path: C:\Windows\System32\cmd.exe
Parent process: kms_x64.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
PID: 1116
CMD: "C:\Users\admin\AppData\Local\Temp\_temp_heu168yyds\7Z.EXE" x "C:\Users\admin\AppData\Local\Temp\_temp_heu168yyds\KMSmini.7z" -y -o"C:\Users\admin\AppData\Local\Temp\_temp_heu168yyds"
Path: C:\Users\admin\AppData\Local\Temp\_temp_heu168yyds\7Z.EXE
Parent process: HEU KMS Activator 42.exe
User:
admin
Company:
Igor Pavlov
Integrity Level:
HIGH
Description:
7-Zip Standalone Console
Exit code:
0
Version:
19.00
Modules
Images
c:\users\admin\appdata\local\temp\_temp_heu168yyds\7z.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll
Total events
1 516
Read events
1 516
Write events
0
Delete events
0

Modification events

No data
Executable files
5
Suspicious files
8
Text files
88
Unknown types
0

Dropped files

PID
Process
Filename
Type
PID: 2980
Process: HEU KMS Activator 42.exe
Filename: C:\Users\admin\AppData\Local\Temp\splashlogo.jpg
Type: image
MD5:2BC3F059E8A844879F91D900FFA6EFFB
SHA256:A222634FD0145551CFBDAAEB101421CDE0037E77A9A33DA407219B99CF0985E1
PID: 2980
Process: HEU KMS Activator 42.exe
Filename: C:\Users\admin\AppData\Local\Temp\~DF8224208F501764B9.TMP
Type: binary
MD5:59831EA14884D8B99FFE4AC7A3B8F3EC
SHA256:26CA93951CF1D113D355CB1374B33B6FA4498016891956A395AC6F7CCE7BAAFE
PID: 2980
Process: HEU KMS Activator 42.exe
Filename: C:\Users\admin\AppData\Local\Temp\_temp_heu168yyds\KMSmini.7z
Type: compressed
MD5:EDEAE2AED4A7EA9B8626C5DE7958400B
SHA256:5077215A3EFF623561A54649D2E15EC2CC88F6BB990837DE96747F0F7BBB04BB
PID: 2980
Process: HEU KMS Activator 42.exe
Filename: C:\Users\admin\AppData\Local\Temp\autEBEA.tmp
Type: compressed
MD5:C7926C9B1DFE047575916F8016F36555
SHA256:C02C302C2F9861B4120664AD32B74280A5F13DAE54735AD858691837AA496888
PID: 1116
Process: 7Z.EXE
Filename: C:\Users\admin\AppData\Local\Temp\_temp_heu168yyds\Office2010OSPP\SLERROR.XML
Type: text
MD5:DF1EF05879E06C5F09F3E1022F37B5CB
SHA256:D49ADF2DABBBF6AA43CE4E336AF4F768207DF75302EBF568A94A5350AAC988C5
PID: 2980
Process: HEU KMS Activator 42.exe
Filename: C:\Users\admin\AppData\Local\Temp\_temp_heu168yyds\files.7z
Type: compressed
MD5:C7926C9B1DFE047575916F8016F36555
SHA256:C02C302C2F9861B4120664AD32B74280A5F13DAE54735AD858691837AA496888
PID: 2980
Process: HEU KMS Activator 42.exe
Filename: C:\Users\admin\AppData\Local\Temp\autEC59.tmp
Type: binary
MD5:E25E09DF3DB990F98A165990B2F48B02
SHA256:52F64C84948068514240283D6C7FA1204E81CA0549CF0159FCACC556A950CD94
PID: 2980
Process: HEU KMS Activator 42.exe
Filename: C:\Users\admin\AppData\Local\Temp\_temp_heu168yyds\7Z.EXE
Type: executable
MD5:43141E85E7C36E31B52B22AB94D5E574
SHA256:EA308C76A2F927B160A143D94072B0DCE232E04B751F0C6432A94E05164E716D
PID: 1116
Process: 7Z.EXE
Filename: C:\Users\admin\AppData\Local\Temp\_temp_heu168yyds\Office2010OSPP\OSPP.VBS
Type: text
MD5:572E9A87757AC96C7677FD1B1B113C55
SHA256:008CF05944053116A095AD466561D3FD4BE8A7DE79E5ADA7C5DAAB492F730465
PID: 2980
Process: HEU KMS Activator 42.exe
Filename: C:\Users\admin\AppData\Local\Temp\ScriptTemp.ini
Type: text
MD5:E6E1021C656F2AA3997D32D6E232FA0F
SHA256:CA471AD642601988929882B3178C472192885447FF8D1676440892D87956EC53
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
7
TCP/UDP connections
23
DNS requests
14
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5496
MoUsoCoreWorker.exe
GET
200
2.16.164.51:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
GET
200
2.16.164.51:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
GET
304
2.16.164.51:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
GET
200
2.23.77.188:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
2644
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
2284
backgroundTaskHost.exe
GET
200
2.23.77.188:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D
unknown
whitelisted
2644
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
192.168.100.255:137
whitelisted
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2.16.164.51:80
crl.microsoft.com
Akamai International B.V.
NL
whitelisted
5496
MoUsoCoreWorker.exe
2.16.164.51:80
crl.microsoft.com
Akamai International B.V.
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
40.113.103.199:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
20.190.160.22:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2.23.77.188:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted
3216
svchost.exe
40.113.103.199:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
6544
svchost.exe
20.190.160.22:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
whitelisted
crl.microsoft.com
  • 2.16.164.51
  • 2.16.164.106
  • 2.16.164.91
  • 2.16.164.57
  • 2.16.164.113
  • 2.16.164.74
  • 2.16.164.75
  • 2.16.164.72
  • 2.16.164.65
whitelisted
google.com
  • 142.250.184.238
whitelisted
client.wns.windows.com
  • 40.113.103.199
whitelisted
login.live.com
  • 20.190.160.22
  • 20.190.160.132
  • 20.190.160.17
  • 20.190.160.4
  • 40.126.32.74
  • 20.190.160.5
  • 40.126.32.136
  • 20.190.160.67
whitelisted
ocsp.digicert.com
  • 2.23.77.188
whitelisted
arc.msn.com
  • 20.223.35.26
whitelisted
slscr.update.microsoft.com
  • 52.149.20.212
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 52.165.164.15
whitelisted

Threats

No threats detected
No debug info