Malware analysis KMSAuto Net 2016 1.4.9 Portable + 1.5.1.zip Malicious activity

Add for printing

File name:	KMSAuto Net 2016 1.4.9 Portable + 1.5.1.zip
Full analysis:	https://app.any.run/tasks/f47cfdf6-25bd-45cd-9691-ddadcf95e267
Verdict:	Malicious activity
Analysis date:	August 30, 2020, 18:46:57
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME:	application/zip
File info:	Zip archive data, at least v1.0 to extract
MD5:	146C2759347E0D52625CCB4076E97EBB
SHA1:	37A5E26C83CDD143C9265AB454196A4AFC6FF79E
SHA256:	322E6E04DB88AADBA5EF0C92CA471F2A11046C1884DDE3D3FA05C35F3418EF36
SSDEEP:	196608:dhAfd4e3KegPHGl9sDgXWEtydP0QLFjReeoSuANd+BOJMuMmeu2iOQhNO+Qu7Yy5:dhe2lnmoEXWEw+8FFeeKduuu2hztu7YM

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.0.9600.17843 KB3058515
Adobe Acrobat Reader DC MUI (15.023.20070)
Adobe Flash Player 26 ActiveX (26.0.0.131)
Adobe Flash Player 26 NPAPI (26.0.0.131)
Adobe Flash Player 26 PPAPI (26.0.0.131)
Adobe Refresh Manager (1.8.0)
CCleaner (5.35)
FileZilla Client 3.36.0 (3.36.0)
Google Chrome (75.0.3770.100)
Google Update Helper (1.3.34.7)
Java 8 Update 92 (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.7.2 (4.7.03062)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
Microsoft Office Proof (German) 2010 (14.0.4763.1000)
Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
Mozilla Firefox 68.0.1 (x86 en-US) (68.0.1)
Notepad++ (32-bit x86) (7.5.1)
Opera 12.15 (12.15.1748)
Skype version 8.29 (8.29)
Update for Microsoft .NET Framework 4.7.2 (KB4087364) (1)
VLC media player (2.2.6)
WinRAR 5.60 (32-bit) (5.60.0)
srvpost (2.12.71)

Hotfixes

Client LanguagePack Package
Client Refresh LanguagePack Package
CodecPack Basic Package
Foundation Package
IE Hyphenation Parent Package English
IE Spelling Parent Package English
IE Troubleshooters Package
InternetExplorer Optional Package
InternetExplorer Package TopLevel
KB2533623
KB2534111
KB2639308
KB2729094
KB2731771
KB2786081
KB2834140
KB2882822
KB2888049
KB2999226
KB4019990
KB976902
LocalPack AU Package
LocalPack CA Package
LocalPack GB Package
LocalPack US Package
LocalPack ZA Package
PlatformUpdate Win7 SRV08R2 Package TopLevel
ProfessionalEdition
UltimateEdition

Add for printing

MALICIOUS
- Application was dropped or rewritten from another process
  - KMSAuto Net.exe (PID: 2828)
  - KMSAuto Net 1.5.1.exe (PID: 4008)
  - KMSAuto Net.exe (PID: 2488)
  - KMSAuto Net 1.5.1.exe (PID: 2680)
  - AESDecoder.exe (PID: 3356)
  - bin.dat (PID: 3868)
  - KMSSS.exe (PID: 4032)
SUSPICIOUS
- Executable content was dropped or overwritten
  - WinRAR.exe (PID: 3380)
  - KMSAuto Net.exe (PID: 2488)
  - bin.dat (PID: 3868)
  - bin_x86.dat (PID: 3040)
  - AESDecoder.exe (PID: 3356)
- Starts CMD.EXE for commands execution
  - KMSAuto Net.exe (PID: 2488)
  - cmd.exe (PID: 2836)
- Starts CMD.EXE for self-deleting
  - KMSAuto Net.exe (PID: 2488)
- Starts application with an unusual extension
  - cmd.exe (PID: 3032)
  - cmd.exe (PID: 2808)
- Reads internet explorer settings
  - KMSAuto Net.exe (PID: 2488)
- Reads Environment values
  - KMSAuto Net.exe (PID: 2488)
- Creates files in the program directory
  - KMSAuto Net.exe (PID: 2488)
  - bin.dat (PID: 3868)
  - AESDecoder.exe (PID: 3356)
  - bin_x86.dat (PID: 3040)
  - KMSSS.exe (PID: 4032)
- Application launched itself
  - cmd.exe (PID: 2836)
- Uses NETSH.EXE for network configuration
  - KMSAuto Net.exe (PID: 2488)
- Starts SC.EXE for service management
  - KMSAuto Net.exe (PID: 2488)
- Creates or modifies windows services
  - KMSAuto Net.exe (PID: 2488)
- Executed as Windows Service
  - KMSSS.exe (PID: 4032)
- Uses NETSTAT.EXE to discover network connections
  - cmd.exe (PID: 3300)
- Uses REG.EXE to modify Windows registry
  - KMSAuto Net.exe (PID: 2488)
INFO
No info indicators.

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.zip	\|	ZIP compressed archive (100)

EXIF

ZIP

ZipFileName:	KMSAuto Net 2016 1.4.9 Portable + 1.5.1/
ZipUncompressedSize:	-
ZipCompressedSize:	-
ZipCRC:	0x00000000
ZipModifyDate:	2017:10:11 22:05:07
ZipCompression:	None
ZipBitFlag:	-
ZipRequiredVersion:	10

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

114

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

3380

"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\KMSAuto Net 2016 1.4.9 Portable + 1.5.1.zip"

C:\Program Files\WinRAR\WinRAR.exe

explorer.exe

User:

admin

Company:

Alexander Roshal

Integrity Level:

MEDIUM

Description:

WinRAR archiver

Version:

5.60.0

Modules

Images
c:\program files\winrar\winrar.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll

2680

"C:\Users\admin\AppData\Local\Temp\Rar$EXb3380.8143\KMSAuto Net 2016 1.4.9 Portable + 1.5.1\KMSAuto Net 1.5.1.exe"

C:\Users\admin\AppData\Local\Temp\Rar$EXb3380.8143\KMSAuto Net 2016 1.4.9 Portable + 1.5.1\KMSAuto Net 1.5.1.exe

—

WinRAR.exe

User:

admin

Company:

MSFree Inc.

Integrity Level:

MEDIUM

Description:

KMSAuto Net

Exit code:

3221226540

Version:

1.5.1

Modules

Images
c:\users\admin\appdata\local\temp\rar$exb3380.8143\kmsauto net 2016 1.4.9 portable + 1.5.1\kmsauto net 1.5.1.exe
c:\systemroot\system32\ntdll.dll

4008

"C:\Users\admin\AppData\Local\Temp\Rar$EXb3380.8143\KMSAuto Net 2016 1.4.9 Portable + 1.5.1\KMSAuto Net 1.5.1.exe"

C:\Users\admin\AppData\Local\Temp\Rar$EXb3380.8143\KMSAuto Net 2016 1.4.9 Portable + 1.5.1\KMSAuto Net 1.5.1.exe

WinRAR.exe

User:

admin

Company:

MSFree Inc.

Integrity Level:

HIGH

Description:

KMSAuto Net

Exit code:

Version:

1.5.1

Modules

Images
c:\users\admin\appdata\local\temp\rar$exb3380.8143\kmsauto net 2016 1.4.9 portable + 1.5.1\kmsauto net 1.5.1.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll

2828

"C:\Users\admin\AppData\Local\Temp\Rar$EXb3380.9558\KMSAuto Net 2016 1.4.9 Portable + 1.5.1\KMSAuto Net.exe"

C:\Users\admin\AppData\Local\Temp\Rar$EXb3380.9558\KMSAuto Net 2016 1.4.9 Portable + 1.5.1\KMSAuto Net.exe

—

WinRAR.exe

User:

admin

Company:

MSFree Inc.

Integrity Level:

MEDIUM

Description:

KMSAuto Net

Exit code:

3221226540

Version:

1.4.9

Modules

Images
c:\users\admin\appdata\local\temp\rar$exb3380.9558\kmsauto net 2016 1.4.9 portable + 1.5.1\kmsauto net.exe
c:\systemroot\system32\ntdll.dll

2488

"C:\Users\admin\AppData\Local\Temp\Rar$EXb3380.9558\KMSAuto Net 2016 1.4.9 Portable + 1.5.1\KMSAuto Net.exe"

C:\Users\admin\AppData\Local\Temp\Rar$EXb3380.9558\KMSAuto Net 2016 1.4.9 Portable + 1.5.1\KMSAuto Net.exe

WinRAR.exe

User:

admin

Company:

MSFree Inc.

Integrity Level:

HIGH

Description:

KMSAuto Net

Version:

1.4.9

Modules

Images
c:\users\admin\appdata\local\temp\rar$exb3380.9558\kmsauto net 2016 1.4.9 portable + 1.5.1\kmsauto net.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll

1352

cmd /c md "C:\Users\admin\AppData\Local\MSfree Inc"

C:\Windows\system32\cmd.exe

—

KMSAuto Net.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows Command Processor

Exit code:

Version:

6.1.7601.17514 (win7sp1_rtm.101119-1850)

Modules

Images
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll

2816

cmd /c echo test>>"C:\Users\admin\AppData\Local\Temp\Rar$EXb3380.9558\KMSAuto Net 2016 1.4.9 Portable + 1.5.1\test.test"

C:\Windows\system32\cmd.exe

—

KMSAuto Net.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows Command Processor

Exit code:

Version:

6.1.7601.17514 (win7sp1_rtm.101119-1850)

Modules

Images
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll

1384

C:\Windows\System32\cmd.exe /D /c del /F /Q "test.test"

C:\Windows\System32\cmd.exe

—

KMSAuto Net.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows Command Processor

Exit code:

Version:

6.1.7601.17514 (win7sp1_rtm.101119-1850)

Modules

Images
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll

2852

C:\Windows\System32\cmd.exe /D /c md "C:\ProgramData\KMSAuto"

C:\Windows\System32\cmd.exe

—

KMSAuto Net.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows Command Processor

Exit code:

Version:

6.1.7601.17514 (win7sp1_rtm.101119-1850)

Modules

Images
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll

3032

C:\Windows\System32\cmd.exe /D /c bin.dat -y -pkmsauto

C:\Windows\System32\cmd.exe

—

KMSAuto Net.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows Command Processor

Exit code:

Version:

6.1.7601.17514 (win7sp1_rtm.101119-1850)

Modules

Images
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll

Add for printing

Total events

688

Read events

551

Write events

129

Delete events

Modification events


(PID) Process:	(3380) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:	write	Name:	ShellExtBMP
Value:
(PID) Process:	(3380) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:	write	Name:	ShellExtIcon
Value:
(PID) Process:	(3380) WinRAR.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\MuiCache\139\52C64B7E
Operation:	write	Name:	LanguageList
Value: en-US
(PID) Process:	(3380) WinRAR.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\MuiCache\139\52C64B7E
Operation:	write	Name:	@C:\Windows\system32\NetworkExplorer.dll,-1
Value: Network
(PID) Process:	(3380) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\AppData\Local\Temp\KMSAuto Net 2016 1.4.9 Portable + 1.5.1.zip
(PID) Process:	(3380) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(3380) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(3380) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(3380) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100
(PID) Process:	(3380) WinRAR.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\MuiCache\139\52C64B7E
Operation:	write	Name:	@C:\Windows\system32\notepad.exe,-469
Value: Text Document

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
3380	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$EXb3380.8143\KMSAuto Net 2016 1.4.9 Portable + 1.5.1\readme\readme_fr.txt		text
		MD5:474FB9BCC634EA9BC1F2B77382A0D03B	SHA256:D0B8BBE89016B3E05FF1C376C9A3CCE7CA2E4070BFFC11BFD9A91808B6DC060C
3380	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$EXb3380.8143\KMSAuto Net 2016 1.4.9 Portable + 1.5.1\readme\readme_bg.txt		text
		MD5:D6761E218D57B85236345F74EA44A684	SHA256:E03107D2DEC7EB59033B4D0CACF9DD320C3BE1D9389295F87F069E667F138201
3380	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$EXb3380.8143\KMSAuto Net 2016 1.4.9 Portable + 1.5.1\readme\readme_cn.txt		text
		MD5:67FA7B665E63269A86043ABA1C462EFA	SHA256:752D7FF42C648AFAC4D40A418512DB6E49896FA24BB1949442DDF50FF64B01AA
3380	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$EXb3380.8143\KMSAuto Net 2016 1.4.9 Portable + 1.5.1\readme\readme_ru.txt		text
		MD5:9024969540F646D708D921640A9B98A7	SHA256:996076E53F85FC0C818D09C97902864EB2CBB0E58D519C795CEAB09308749A91
3380	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$EXb3380.9558\KMSAuto Net 2016 1.4.9 Portable + 1.5.1\readme\readme_en.txt		text
		MD5:2A710AB80A87F13F5AED664D04E5C6A6	SHA256:F9F41A1ADF235066F7B1C477CAE36A7AE9C344E7DEF7059A9148E74669809924
3380	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$EXb3380.8143\KMSAuto Net 2016 1.4.9 Portable + 1.5.1\readme\readme_kms.txt		text
		MD5:352709B6AED3902D4399F6615A7A7E70	SHA256:D3BEF0FEF19603B33B86E1CA431A25CB8A6DF047058E073BBF8BB931533217AA
3380	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$EXb3380.8143\KMSAuto Net 2016 1.4.9 Portable + 1.5.1\KMSAuto Net 1.5.1.exe		executable
		MD5:93A3A8CE440197D31168FAC569082937	SHA256:22EF521964080E77D7006F9341D720683FA98409361C62A7BC4FE81EC474B1B2
3380	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$EXb3380.9558\KMSAuto Net 2016 1.4.9 Portable + 1.5.1\readme\readme_ru.txt		text
		MD5:9024969540F646D708D921640A9B98A7	SHA256:996076E53F85FC0C818D09C97902864EB2CBB0E58D519C795CEAB09308749A91
3380	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$EXb3380.8143\KMSAuto Net 2016 1.4.9 Portable + 1.5.1\readme\readme_es.txt		text
		MD5:A99B01CEFE99E1DBCE3285F625320A43	SHA256:8B422282263EFC65C9F688F78632D8F931AC27E58FAFCBA49A7A9F1DCE012D1D
3380	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$EXb3380.9558\KMSAuto Net 2016 1.4.9 Portable + 1.5.1\readme\readme_fr.txt		text
		MD5:474FB9BCC634EA9BC1F2B77382A0D03B	SHA256:D0B8BBE89016B3E05FF1C376C9A3CCE7CA2E4070BFFC11BFD9A91808B6DC060C

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

No HTTP requests

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

No data

DNS requests

No data

Threats

No threats detected

Add for printing

No debug info

General Info

KMSAuto Net 2016 1.4.9 Portable + 1.5.1.zip

146C2759347E0D52625CCB4076E97EBB

37A5E26C83CDD143C9265AB454196A4AFC6FF79E

322E6E04DB88AADBA5EF0C92CA471F2A11046C1884DDE3D3FA05C35F3418EF36

196608:dhAfd4e3KegPHGl9sDgXWEtydP0QLFjReeoSuANd+BOJMuMmeu2iOQhNO+Qu7Yy5:dhe2lnmoEXWEw+8FFeeKduuu2hztu7YM

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Application was dropped or rewritten from another process

SUSPICIOUS

Executable content was dropped or overwritten

Starts CMD.EXE for commands execution

Starts CMD.EXE for self-deleting

Starts application with an unusual extension

Reads internet explorer settings

Reads Environment values

Creates files in the program directory

Application launched itself

Uses NETSH.EXE for network configuration

Starts SC.EXE for service management

Creates or modifies windows services

Executed as Windows Service

Uses NETSTAT.EXE to discover network connections

Uses REG.EXE to modify Windows registry

INFO

Malware configuration

Static information

TRiD

EXIF

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings