File name:

KMSAuto Net 2015 v1.4.2 Portable.rar

Full analysis: https://app.any.run/tasks/92bd013e-f740-4cce-a708-a0bfe0adf4c7
Verdict: Malicious activity
Analysis date: October 17, 2024, 19:30:21
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
arch-exec
arch-doc
arch-html
Indicators:
MIME: application/x-rar
File info: RAR archive data, v4, os: Win32
MD5:

4119E2BF46DD5FB330D75CF24178D29E

SHA1:

CF82AF51F2775DF05BFD6B2A60AB9F0E128306C2

SHA256:

352F6B951561FBDCDD7E944FBBF9464107002BF5BA22DF6462BD964C44D060C0

SSDEEP:

98304:tDd6slZlnveKWXgYjynYVKXGQUva5SlKbH28fNXTRlsKkgnBGh859yDj4sWqRp5/:eBO4

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Generic archive extractor

      • WinRAR.exe (PID: 4072)

  • SUSPICIOUS

    • The process executes VB scripts

      • KMSAuto Net.exe (PID: 4224)

    • Executable content was dropped or overwritten

      • KMSAuto Net.exe (PID: 4224)
      • wzt.dat (PID: 5084)
      • bin.dat (PID: 1204)
      • AESDecoder.exe (PID: 6100)
      • bin_x64.dat (PID: 6864)

    • Starts application with an unusual extension

      • cmd.exe (PID: 4348)
      • cmd.exe (PID: 4080)
      • cmd.exe (PID: 6940)

    • Drops 7-zip archiver for unpacking

      • KMSAuto Net.exe (PID: 4224)

    • Starts CMD.EXE for commands execution

      • KMSAuto Net.exe (PID: 4224)
      • cmd.exe (PID: 6348)

    • Process drops legitimate windows executable

      • wzt.dat (PID: 5084)
      • bin_x64.dat (PID: 6864)

    • Drops a system driver (possible attempt to evade defenses)

      • bin_x64.dat (PID: 6864)

    • Application launched itself

      • cmd.exe (PID: 6348)

    • Uses NETSH.EXE to delete a firewall rule or allowed programs

      • KMSAuto Net.exe (PID: 4224)

    • Uses REG/REGEDIT.EXE to modify registry

      • KMSAuto Net.exe (PID: 4224)
      • cmd.exe (PID: 7432)

    • Executes as Windows Service

      • KMSSS.exe (PID: 1204)

    • Uses ROUTE.EXE to modify routing table

      • cmd.exe (PID: 3860)

    • Uses ROUTE.EXE to obtain the routing table information

      • cmd.exe (PID: 7948)

    • Uses TASKKILL.EXE to kill process

      • cmd.exe (PID: 8036)

    • Uses NETSH.EXE to add a firewall rule or allowed programs

      • KMSAuto Net.exe (PID: 4224)

  • INFO

    • Creates a new folder

      • cmd.exe (PID: 7120)
      • cmd.exe (PID: 5084)

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 4072)

    • Adds a route via ROUTE.EXE

      • ROUTE.EXE (PID: 5508)

    • Deletes a route via ROUTE.EXE

      • ROUTE.EXE (PID: 8004)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rar | RAR compressed archive (v-4.x) (58.3)
.rar | RAR compressed archive (gen) (41.6)

EXIF

ZIP

CompressedSize: 10037
UncompressedSize: 59825
OperatingSystem: Win32
ModifyDate: 2016:03:07 16:47:12
PackingMethod: Normal
ArchivedFileName: KMSAuto Net 2015 v1.4.2 Portable\Antivirus scan - VirusTotal.html
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
239
Monitored processes
99
Malicious processes
3
Suspicious processes
1

Behavior graph

Click at the process to see the details
start winrar.exe kmsauto net.exe no specs kmsauto net.exe cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs sppextcomobj.exe slui.exe no specs cscript.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs wzt.dat cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs certmgr.exe no specs cmd.exe no specs conhost.exe no specs certmgr.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs bin.dat cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs aesdecoder.exe cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs bin_x64.dat cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs netstat.exe no specs find.exe no specs netsh.exe no specs conhost.exe no specs slui.exe no specs netsh.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs kmsss.exe no specs cmd.exe no specs conhost.exe no specs route.exe no specs cmd.exe no specs conhost.exe no specs fakeclient.exe slui.exe no specs slui.exe no specs reg.exe no specs conhost.exe no specs reg.exe no specs conhost.exe no specs reg.exe no specs conhost.exe no specs reg.exe no specs conhost.exe no specs reg.exe no specs conhost.exe no specs reg.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs route.exe no specs cmd.exe no specs conhost.exe no specs taskkill.exe no specs sc.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs netsh.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
616C:\WINDOWS\Sysnative\Netsh Advfirewall Firewall delete rule name="0pen Port KMS" protocol=TCPC:\Windows\System32\netsh.exeKMSAuto Net.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Network Command Shell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
616\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
864C:\WINDOWS\Sysnative\cmd.exe /D /c certmgr.exe -add wzt.cer -n wzt -s -r localMachine TRUSTEDPUBLISHERC:\Windows\System32\cmd.exeKMSAuto Net.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
1168\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1168"C:\WINDOWS\Sysnative\cmd.exe" /c rd "C:\ProgramData\KMSAuto\wzt" /S /QC:\Windows\System32\cmd.exeKMSAuto Net.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
1172\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exesc.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1204bin.dat -y -pkmsautoC:\ProgramData\KMSAuto\bin.dat
cmd.exe
User:
admin
Company:
Igor Pavlov
Integrity Level:
HIGH
Description:
7z Console SFX
Exit code:
0
Version:
15.09 beta
Modules
Images
c:\programdata\kmsauto\bin.dat
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll
1204"C:\ProgramData\KMSAuto\bin\KMSSS.exe" -Port 1688 -PWin RandomKMSPID -PO14 RandomKMSPID -PO15 RandomKMSPID -AI 43200 -RI 43200 KillProcessOnPort -Log -IPC:\ProgramData\KMSAuto\bin\KMSSS.exeservices.exe
User:
SYSTEM
Company:
MDL Forum, mod by Ratiborus
Integrity Level:
SYSTEM
Description:
KMS Server Emulator Service (XP)
Exit code:
0
Version:
1.2.1.0
Modules
Images
c:\programdata\kmsauto\bin\kmsss.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
1332C:\WINDOWS\Sysnative\cmd.exe /D /c del /F /Q "AESDecoder.exe"C:\Windows\System32\cmd.exeKMSAuto Net.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
1332\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exesc.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
7 975
Read events
7 958
Write events
13
Delete events
4

Modification events

(PID) Process:(4072) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:1
Value:
C:\Users\admin\Desktop\GoogleChromeEnterpriseBundle64.zip
(PID) Process:(4072) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\AppData\Local\Temp\KMSAuto Net 2015 v1.4.2 Portable.rar
(PID) Process:(4072) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(4072) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(4072) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(4072) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
(PID) Process:(1884) certmgr.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates
Operation:delete valueName:F81F111D0E5AB58D396F7BF525577FD30FDC95AA
Value:
(PID) Process:(1884) certmgr.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA
Operation:writeName:Blob
Value:
030000000100000014000000F81F111D0E5AB58D396F7BF525577FD30FDC95AA2000000001000000E8010000308201E43082014DA003020102021008A8E826950F1A9940262589FCAF0B8F300D06092A864886F70D0101040500300E310C300A06035504031303575A54301E170D3135313130383038313534395A170D3339313233313233353935395A300E310C300A06035504031303575A5430819F300D06092A864886F70D010101050003818D0030818902818100A3B38E6E8CD01F282D0872986D29BF5F0EAAD61A32C045D9B23DB1C221C3679770C401DE98695E88CAD621B319730DCABEDF4C4709EEBE8126DD567A9AB387DAB7EA13B3665166464D1B8EFFFED8BC4225515A9AAA170E595EB348A496309110C8EB66D0490F113A3C79A508058448B0398BE6F9D34F84C60E694C472C72F9B70203010001A3433041303F0603551D01043830368010E4E11038D29FC50F20A0C1914BBEFF0BA110300E310C300A06035504031303575A54821008A8E826950F1A9940262589FCAF0B8F300D06092A864886F70D01010405000381810054C251E1B9CDCA11ADE10887278347C178233BFFB85A6D692CA235D68AFE76D59F2113E7C3016AC0347E7131D590047A877083536F61D90FCB2BF95856952ABD4F63DACCFCCC840950667CC68F7513F8AE72DC7676E94B61FA169158457EA2B8531A593671E79D886743E24EDDF7141E0443E22F1F6B16B0A76D720466E4B8E8
(PID) Process:(6772) certmgr.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates
Operation:delete valueName:F81F111D0E5AB58D396F7BF525577FD30FDC95AA
Value:
(PID) Process:(6772) certmgr.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA
Operation:writeName:Blob
Value:
030000000100000014000000F81F111D0E5AB58D396F7BF525577FD30FDC95AA2000000001000000E8010000308201E43082014DA003020102021008A8E826950F1A9940262589FCAF0B8F300D06092A864886F70D0101040500300E310C300A06035504031303575A54301E170D3135313130383038313534395A170D3339313233313233353935395A300E310C300A06035504031303575A5430819F300D06092A864886F70D010101050003818D0030818902818100A3B38E6E8CD01F282D0872986D29BF5F0EAAD61A32C045D9B23DB1C221C3679770C401DE98695E88CAD621B319730DCABEDF4C4709EEBE8126DD567A9AB387DAB7EA13B3665166464D1B8EFFFED8BC4225515A9AAA170E595EB348A496309110C8EB66D0490F113A3C79A508058448B0398BE6F9D34F84C60E694C472C72F9B70203010001A3433041303F0603551D01043830368010E4E11038D29FC50F20A0C1914BBEFF0BA110300E310C300A06035504031303575A54821008A8E826950F1A9940262589FCAF0B8F300D06092A864886F70D01010405000381810054C251E1B9CDCA11ADE10887278347C178233BFFB85A6D692CA235D68AFE76D59F2113E7C3016AC0347E7131D590047A877083536F61D90FCB2BF95856952ABD4F63DACCFCCC840950667CC68F7513F8AE72DC7676E94B61FA169158457EA2B8531A593671E79D886743E24EDDF7141E0443E22F1F6B16B0A76D720466E4B8E8
Executable files
20
Suspicious files
11
Text files
13
Unknown types
0

Dropped files

PID
Process
Filename
Type
2692cmd.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa4072.24833\KMSAuto Net 2015 v1.4.2 Portable\test.testtext
MD5:9F06243ABCB89C70E0C331C61D871FA7
SHA256:837CCB607E312B170FAC7383D7CCFD61FA5072793F19A25E75FBACB56539B86B
4224KMSAuto Net.exeC:\ProgramData\KMSAuto\wzt.datexecutable
MD5:B41540F62BDE758F2FBB8BD9372CC417
SHA256:21B5828E9B324690B1AF6352B44C4F668621EE659AB22D525D9AD175F652CB8C
5084wzt.datC:\ProgramData\KMSAuto\wzt\certmgr.exeexecutable
MD5:9D4F1124B2D870583268D19317D564AE
SHA256:EBAD2237B3E7CDF65385CCCE5099E82C7EC5080E737C97CE4E542CDBEA8D418D
1204bin.datC:\ProgramData\KMSAuto\bin\KMSSS.exe.aesbinary
MD5:61D01B472C1B2FB783AA45A317CC4BC4
SHA256:CBD17860AF5DD667C9CEBF3FDBD96790B887CFCC7884282A254867D8CFCE9853
4224KMSAuto Net.exeC:\ProgramData\KMSAuto\bin.datexecutable
MD5:BBCED89C77CA4BF6393CE721C9529DD1
SHA256:6FB83E1130EE71A0A0CF588CB34E335474FE4AF14CD67A7C845B707D7ADCB32D
5084wzt.datC:\ProgramData\KMSAuto\wzt\wzt.cerbinary
MD5:4BF5BFBB3CAF16C6125DF0E10EE60D18
SHA256:B3DB601B90499D6D5D7CD954CA36A907ABB6AE649B5439AB2BCA93E2E026FE9F
4072WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa4072.24833\KMSAuto Net 2015 v1.4.2 Portable\Antivirus scan - VirusTotal.htmlbinary
MD5:1B0EEBA9D8AFBC767635AC3636D1D833
SHA256:06A6AA7E6E472CB898413F1B75CFCAD9F92C94E858200E51BB8BF519E148ABBF
4072WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa4072.24833\KMSAuto Net 2015 v1.4.2 Portable\readme\readme_ru.txttext
MD5:F1E7B5B15040A9E6F576036B3525239F
SHA256:B48F386F8D650ACA34F125669B1EAECD19E505E68C9A6FE7D956F762CA10A251
4072WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa4072.24833\KMSAuto Net 2015 v1.4.2 Portable\KMSAuto Net.exeexecutable
MD5:311F3BAA9BFA5B2364FEA8B254D15EB9
SHA256:BEA219F0F08ED083677A0B869E658BA09785F470668EADC659DB2885FA89F3B9
4072WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa4072.24833\KMSAuto Net 2015 v1.4.2 Portable\readme\readme_bg.txttext
MD5:D7CDFA2835E66C336DE3DAEED992FCAC
SHA256:CB91C9E5B54D4311DECE177147BEB50DB0D9E134072A9262EC57EF1D81A2647F
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
8
TCP/UDP connections
67
DNS requests
28
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
23.53.40.176:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
4360
SearchApp.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
6384
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
6360
SIHClient.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
6360
SIHClient.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
2376
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
whitelisted
4360
SearchApp.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
6944
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
5488
MoUsoCoreWorker.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
23.53.40.176:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
4
System
192.168.100.255:138
whitelisted
4360
SearchApp.exe
2.23.209.179:443
www.bing.com
Akamai International B.V.
GB
whitelisted
4360
SearchApp.exe
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted
6384
svchost.exe
40.126.32.72:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 51.104.136.2
  • 4.231.128.59
whitelisted
crl.microsoft.com
  • 23.53.40.176
  • 23.53.40.178
whitelisted
www.microsoft.com
  • 184.30.21.171
  • 88.221.169.152
whitelisted
google.com
  • 172.217.23.110
whitelisted
www.bing.com
  • 2.23.209.179
  • 2.23.209.182
  • 2.23.209.189
  • 2.23.209.181
  • 2.23.209.187
  • 2.23.209.130
  • 2.23.209.185
  • 2.23.209.176
  • 2.23.209.193
  • 2.23.209.156
  • 2.23.209.158
  • 2.23.209.177
  • 2.23.209.160
  • 2.23.209.154
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
login.live.com
  • 40.126.32.72
  • 40.126.32.138
  • 40.126.32.140
  • 40.126.32.136
  • 20.190.160.17
  • 20.190.160.20
  • 40.126.32.74
  • 20.190.160.22
  • 40.126.32.133
  • 20.190.160.14
  • 40.126.32.76
  • 40.126.32.68
whitelisted
th.bing.com
  • 2.23.209.187
  • 2.23.209.193
  • 2.23.209.182
  • 2.23.209.185
  • 2.23.209.189
  • 2.23.209.131
  • 2.23.209.130
  • 2.23.209.133
  • 2.23.209.181
  • 2.23.209.140
  • 2.23.209.135
  • 2.23.209.183
whitelisted
go.microsoft.com
  • 184.28.89.167
whitelisted
client.wns.windows.com
  • 40.115.3.253
whitelisted

Threats

No threats detected
Process
Message
FakeClient.exe
WdfCoInstaller: [10/17/2024 19:30.58.266] ReadComponents: WdfSection for Driver Service windivert using KMDF lib version Major 0x1, minor 0x9
FakeClient.exe
WdfCoInstaller: [10/17/2024 19:30.58.282] BootApplication: could not open service windivert, error error(1060) The specified service does not exist as an installed service.
FakeClient.exe
WdfCoInstaller: [10/17/2024 19:30.58.282] BootApplication: GetStartType error error(87) The parameter is incorrect. Driver Service name windivert
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
KMSAuto Net 2015 v1.4.2 Portable.rar