File name: KMSAuto.Net.2015 (Activador Windows 8, 8.1 y 10 office 2010, 201.rar

Full analysis: https://app.any.run/tasks/3a97f230-5e4c-4ba5-be5a-7d12c948c463
Verdict: Malicious activity
Analysis date: March 23, 2024, 02:44:38
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5: C617B18AA6CEE2693F2EBA7917B103B8
SHA1: B8F3BB64C2935764A5DA9548B5F2F47AB4D01930
SHA256: 3641B4B2A5A664BE066AEC4DF2554BD9EA7FF3A95B7F21076C6399EDEF64B542
SSDEEP: 98304:5odQKiYBhlIEusQAx/ugL9EEnY2sqVWyxdqDh9CecGpqQuPU55YON6n4ZnwPQDb5:Jx5cqUohv

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 3956)
      • KMSAuto Net.exe (PID: 1656)
      • wzt.dat (PID: 2020)
      • AESDecoder.exe (PID: 3760)
      • bin.dat (PID: 3272)
      • bin_x86.dat (PID: 2028)
      • wzt.dat (PID: 2432)
      • bin.dat (PID: 568)
      • bin_x86.dat (PID: 2128)
      • wzt.dat (PID: 2912)
      • bin.dat (PID: 2624)
      • AESDecoder.exe (PID: 3984)
      • bin_x86.dat (PID: 3676)
      • devcon.exe (PID: 2176)
      • drvinst.exe (PID: 2112)
      • drvinst.exe (PID: 3040)
      • AESDecoder.exe (PID: 2776)
    • Creates a writable file in the system directory

      • drvinst.exe (PID: 2112)
      • drvinst.exe (PID: 3040)
    • Starts NET.EXE for service management

      • KMSAuto Net.exe (PID: 1656)
      • net.exe (PID: 1288)
      • net.exe (PID: 2204)
      • net.exe (PID: 2728)
      • net.exe (PID: 2096)
    • Changes the autorun value in the registry

      • drvinst.exe (PID: 3040)
      • devcon.exe (PID: 3796)
  • SUSPICIOUS

    • Starts CMD.EXE for commands execution

      • KMSAuto Net.exe (PID: 1656)
      • cmd.exe (PID: 2080)
      • cmd.exe (PID: 1936)
      • cmd.exe (PID: 2776)
    • Reads security settings of Internet Explorer

      • WinRAR.exe (PID: 3956)
      • TunMirror.exe (PID: 2652)
      • devcon.exe (PID: 2176)
    • Reads Internet Explorer settings

      • KMSAuto Net.exe (PID: 1656)
    • Executable content was dropped or overwritten

      • KMSAuto Net.exe (PID: 1656)
      • wzt.dat (PID: 2020)
      • bin.dat (PID: 3272)
      • AESDecoder.exe (PID: 3760)
      • bin_x86.dat (PID: 2028)
      • wzt.dat (PID: 2432)
      • bin.dat (PID: 568)
      • AESDecoder.exe (PID: 3984)
      • bin_x86.dat (PID: 2128)
      • wzt.dat (PID: 2912)
      • bin.dat (PID: 2624)
      • bin_x86.dat (PID: 3676)
      • devcon.exe (PID: 2176)
      • drvinst.exe (PID: 2112)
      • drvinst.exe (PID: 3040)
      • AESDecoder.exe (PID: 2776)
    • Drops 7-zip archiver for unpacking

      • KMSAuto Net.exe (PID: 1656)
    • Starts application with an unusual extension

      • cmd.exe (PID: 1608)
      • cmd.exe (PID: 2956)
      • cmd.exe (PID: 3792)
      • cmd.exe (PID: 2832)
      • cmd.exe (PID: 3696)
      • cmd.exe (PID: 1484)
      • cmd.exe (PID: 3640)
      • cmd.exe (PID: 2876)
      • cmd.exe (PID: 2596)
    • Process drops legitimate windows executable

      • wzt.dat (PID: 2020)
      • bin_x86.dat (PID: 2028)
      • wzt.dat (PID: 2432)
      • bin_x86.dat (PID: 2128)
      • wzt.dat (PID: 2912)
      • bin_x86.dat (PID: 3676)
    • Adds/modifies Windows certificates

      • certmgr.exe (PID: 1036)
      • certmgr.exe (PID: 2376)
      • certmgr.exe (PID: 3516)
      • certmgr.exe (PID: 1900)
      • certmgr.exe (PID: 1492)
      • certmgr.exe (PID: 3960)
      • certutil.exe (PID: 3404)
      • devcon.exe (PID: 2176)
    • Drops a system driver (possible attempt to evade defenses)

      • bin_x86.dat (PID: 2028)
      • bin_x86.dat (PID: 3676)
      • bin_x86.dat (PID: 2128)
      • devcon.exe (PID: 2176)
      • drvinst.exe (PID: 2112)
      • drvinst.exe (PID: 3040)
    • Application launched itself

      • cmd.exe (PID: 2080)
      • cmd.exe (PID: 1936)
      • cmd.exe (PID: 2776)
    • Uses NETSH.EXE to add a firewall rule or allowed programs

      • KMSAuto Net.exe (PID: 1656)
    • Uses NETSH.EXE to delete a firewall rule or allowed programs

      • KMSAuto Net.exe (PID: 1656)
    • Creates or modifies Windows services

      • KMSAuto Net.exe (PID: 1656)
    • Starts SC.EXE for service management

      • KMSAuto Net.exe (PID: 1656)
    • Executes as Windows Service

      • KMSSS.exe (PID: 3644)
      • KMSSS.exe (PID: 3760)
      • VSSVC.exe (PID: 2128)
      • TunMirror.exe (PID: 3652)
      • KMSSS.exe (PID: 796)
    • Uses REG/REGEDIT.EXE to modify registry

      • KMSAuto Net.exe (PID: 1656)
      • cmd.exe (PID: 3076)
      • cmd.exe (PID: 3168)
      • cmd.exe (PID: 3008)
    • Uses ROUTE.EXE to modify routing table

      • cmd.exe (PID: 1380)
    • Uses TASKKILL.EXE to kill process

      • cmd.exe (PID: 3604)
    • Uses ROUTE.EXE to obtain the routing table information

      • cmd.exe (PID: 2032)
    • Reads the Internet Settings

      • WMIC.exe (PID: 1972)
      • WMIC.exe (PID: 2728)
      • WMIC.exe (PID: 3600)
      • TunMirror.exe (PID: 2652)
      • WMIC.exe (PID: 880)
    • Uses WMIC.EXE

      • cmd.exe (PID: 1900)
      • cmd.exe (PID: 2388)
      • cmd.exe (PID: 2612)
      • cmd.exe (PID: 3048)
    • Checks Windows Trust Settings

      • devcon.exe (PID: 2176)
      • drvinst.exe (PID: 2112)
      • drvinst.exe (PID: 3040)
      • TunMirror.exe (PID: 2652)
    • Reads settings of System Certificates

      • devcon.exe (PID: 2176)
      • rundll32.exe (PID: 1232)
      • TunMirror.exe (PID: 2652)
    • Creates files in the driver directory

      • drvinst.exe (PID: 2112)
      • drvinst.exe (PID: 3040)
    • Suspicious use of NETSH.EXE

      • cmd.exe (PID: 3408)
  • INFO

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3956)
    • Creates files or folders in the user directory

      • KMSAuto Net.exe (PID: 1656)
    • Checks supported languages

      • KMSAuto Net.exe (PID: 1656)
      • certmgr.exe (PID: 1036)
      • certmgr.exe (PID: 2376)
      • AESDecoder.exe (PID: 3760)
      • bin_x86.dat (PID: 2028)
      • bin.dat (PID: 3272)
      • KMSSS.exe (PID: 3644)
      • wzt.dat (PID: 2432)
      • certmgr.exe (PID: 1900)
      • certmgr.exe (PID: 3516)
      • bin.dat (PID: 568)
      • wzt.dat (PID: 2020)
      • bin_x86.dat (PID: 2128)
      • AESDecoder.exe (PID: 3984)
      • KMSSS.exe (PID: 3760)
      • FakeClient.exe (PID: 3808)
      • wzt.dat (PID: 2912)
      • certmgr.exe (PID: 1492)
      • certmgr.exe (PID: 3960)
      • AESDecoder.exe (PID: 2776)
      • bin.dat (PID: 2624)
      • devcon.exe (PID: 2176)
      • drvinst.exe (PID: 2112)
      • drvinst.exe (PID: 3040)
      • TunMirror.exe (PID: 2652)
      • TunMirror.exe (PID: 3652)
      • wmpnscfg.exe (PID: 3164)
      • wmpnscfg.exe (PID: 3392)
      • wmpnscfg.exe (PID: 4044)
      • bin_x86.dat (PID: 3676)
      • KMSSS.exe (PID: 796)
      • wmpnscfg.exe (PID: 1168)
      • wmpnscfg.exe (PID: 2972)
      • TunMirror.exe (PID: 1376)
      • devcon.exe (PID: 3796)
      • wmpnscfg.exe (PID: 4048)
    • Reads the computer name

      • KMSAuto Net.exe (PID: 1656)
      • KMSSS.exe (PID: 3644)
      • KMSSS.exe (PID: 3760)
      • FakeClient.exe (PID: 3808)
      • devcon.exe (PID: 2176)
      • drvinst.exe (PID: 2112)
      • drvinst.exe (PID: 3040)
      • TunMirror.exe (PID: 2652)
      • TunMirror.exe (PID: 3652)
      • wmpnscfg.exe (PID: 4048)
      • wmpnscfg.exe (PID: 4044)
      • wmpnscfg.exe (PID: 3164)
      • KMSSS.exe (PID: 796)
      • wmpnscfg.exe (PID: 1168)
      • TunMirror.exe (PID: 1376)
      • wmpnscfg.exe (PID: 2972)
      • devcon.exe (PID: 3796)
      • wmpnscfg.exe (PID: 3392)
    • Reads Environment values

      • KMSAuto Net.exe (PID: 1656)
      • drvinst.exe (PID: 3040)
    • Reads the machine GUID from the registry

      • KMSAuto Net.exe (PID: 1656)
      • devcon.exe (PID: 2176)
      • drvinst.exe (PID: 2112)
      • drvinst.exe (PID: 3040)
      • TunMirror.exe (PID: 2652)
      • TunMirror.exe (PID: 3652)
      • TunMirror.exe (PID: 1376)
    • Reads product name

      • KMSAuto Net.exe (PID: 1656)
    • Creates files in the program directory

      • KMSAuto Net.exe (PID: 1656)
      • cmd.exe (PID: 3444)
      • wzt.dat (PID: 2020)
      • bin.dat (PID: 3272)
      • AESDecoder.exe (PID: 3760)
      • bin_x86.dat (PID: 2028)
      • KMSSS.exe (PID: 3644)
      • cmd.exe (PID: 3828)
      • wzt.dat (PID: 2432)
      • bin.dat (PID: 568)
      • bin_x86.dat (PID: 2128)
      • KMSSS.exe (PID: 3760)
      • cmd.exe (PID: 4024)
      • wzt.dat (PID: 2912)
      • bin.dat (PID: 2624)
      • AESDecoder.exe (PID: 3984)
      • AESDecoder.exe (PID: 2776)
      • TunMirror.exe (PID: 2652)
      • bin_x86.dat (PID: 3676)
      • KMSSS.exe (PID: 796)
      • TunMirror.exe (PID: 1376)
    • Reads Microsoft Office registry keys

      • KMSAuto Net.exe (PID: 1656)
    • Reads the software policy settings

      • devcon.exe (PID: 2176)
      • rundll32.exe (PID: 1232)
      • drvinst.exe (PID: 2112)
      • drvinst.exe (PID: 3040)
      • TunMirror.exe (PID: 2652)
    • Create files in a temporary directory

      • devcon.exe (PID: 2176)
    • Reads security settings of Internet Explorer

      • rundll32.exe (PID: 1232)
    • Manual execution by a user

      • wmpnscfg.exe (PID: 4048)
      • wmpnscfg.exe (PID: 3164)
      • wmpnscfg.exe (PID: 4044)
      • wmpnscfg.exe (PID: 3392)
      • wmpnscfg.exe (PID: 1168)
      • wmpnscfg.exe (PID: 2972)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)
All screenshots are available in the full report
Total processes: 360
Monitored processes: 190
Malicious processes: 18
Suspicious processes: 7

Behavior graph

Process start order as shown in the graph (an asterisk marks a process that carries its own indicators; the rest were flagged "no specs" in the report):

start → winrar.exe*, kmsauto net.exe, kmsauto net.exe*, cmd.exe ×5, wzt.dat*, cmd.exe ×2, certmgr.exe, cmd.exe, certmgr.exe, cmd.exe ×2, bin.dat*, cmd.exe ×2, aesdecoder.exe*, cmd.exe ×2, bin_x86.dat*, cmd.exe ×3, netstat.exe, find.exe, netsh.exe ×2, sc.exe ×2, kmsss.exe, reg.exe ×12, sc.exe ×2, cmd.exe, reg.exe, netsh.exe,

cmd.exe ×3, wzt.dat*, cmd.exe ×2, certmgr.exe, cmd.exe, certmgr.exe, cmd.exe ×2, bin.dat*, cmd.exe ×2, aesdecoder.exe*, cmd.exe ×2, bin_x86.dat*, cmd.exe ×3, netstat.exe, find.exe, netsh.exe ×2, sc.exe ×2, kmsss.exe, cmd.exe, route.exe, cmd.exe, fakeclient.exe*, reg.exe ×6, cmd.exe, route.exe, cmd.exe, taskkill.exe, sc.exe ×4, cmd.exe, reg.exe, netsh.exe,

cmd.exe ×3, wzt.dat*, cmd.exe ×2, certmgr.exe, cmd.exe, certmgr.exe, cmd.exe ×2, bin.dat*, cmd.exe ×2, aesdecoder.exe*, cmd.exe ×2, bin_x86.dat*, cmd.exe ×2, wmic.exe, cmd.exe, wmic.exe, cmd.exe, certutil.exe, cmd.exe, devcon.exe*, drvinst.exe*, rundll32.exe, vssvc.exe, drvinst.exe*, cmd.exe, wmic.exe, cmd.exe, netsh.exe, cmd.exe, tunmirror.exe, net.exe, net1.exe, tunmirror.exe, wmpnscfg.exe, net.exe, net1.exe, wmpnscfg.exe ×3, cmd.exe ×2, find.exe, netstat.exe, netsh.exe ×2, sc.exe ×2, kmsss.exe, net.exe, net1.exe, wmpnscfg.exe, reg.exe ×6, net.exe, net1.exe, wmpnscfg.exe, cmd.exe, tunmirror.exe, cmd.exe, wmic.exe, cmd.exe, devcon.exe*, rundll32.exe, cmd.exe ×6, sc.exe ×2, cmd.exe, reg.exe, netsh.exe, cmd.exe ×6

Process information

PID: 292
CMD: C:\Windows\System32\reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\0FF1CE15-A989-479D-AF46-F275C6370663" /f
Path: C:\Windows\System32\reg.exe
Parent process: KMSAuto Net.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 452
CMD: C:\Windows\system32\cmd.exe /c netstat -ano | find ":1688 "
Path: C:\Windows\System32\cmd.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
1
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 548
CMD: C:\Windows\System32\cmd.exe /D /c FakeClient.exe 100.100.0.10
Path: C:\Windows\System32\cmd.exe
Parent process: KMSAuto Net.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
1
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 568
CMD: bin.dat -y -pkmsauto
Path: C:\ProgramData\KMSAuto\bin.dat
Parent process: cmd.exe
User:
admin
Company:
Igor Pavlov
Integrity Level:
HIGH
Description:
7z Console SFX
Exit code:
0
Version:
15.09 beta
Modules
Images
c:\programdata\kmsauto\bin.dat
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
PID: 680
CMD: C:\Windows\System32\reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55C92734-D682-4D71-983E-D6EC3F16059F" /f
Path: C:\Windows\System32\reg.exe
Parent process: KMSAuto Net.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 696
CMD: "sc.exe" create KMSEmulator binpath= temp.exe type= own start= auto
Path: C:\Windows\System32\sc.exe
Parent process: KMSAuto Net.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
A tool to aid in developing services for WindowsNT
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 764
CMD: C:\Windows\System32\cmd.exe /D /c del /F /Q "bin_x86.dat"
Path: C:\Windows\System32\cmd.exe
Parent process: KMSAuto Net.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 796
CMD: "C:\ProgramData\KMSAuto\bin\KMSSS.exe" -Port 1688 -PWin RandomKMSPID -PO14 RandomKMSPID -PO15 RandomKMSPID -AI 43200 -RI 43200 KillProcessOnPort -Log -IP
Path: C:\ProgramData\KMSAuto\bin\KMSSS.exe
Parent process: services.exe
User:
SYSTEM
Company:
MDL Forum, mod by Ratiborus
Integrity Level:
SYSTEM
Description:
KMS Server Emulator Service (XP)
Exit code:
0
Version:
1.2.1.0
Modules
Images
c:\programdata\kmsauto\bin\kmsss.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
PID: 880
CMD: WMIC Path Win32_NetworkAdapter WHERE ServiceName="ptun0901" get Manufacturer
Path: C:\Windows\System32\wbem\WMIC.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
WMI Commandline Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
PID: 948
CMD: "C:\Windows\System32\cmd.exe" /c rd "C:\ProgramData\KMSAuto\wzt" /S /Q
Path: C:\Windows\System32\cmd.exe
Parent process: KMSAuto Net.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
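The indicator list and the command lines in the process table together describe the activator's footprint on the host: reg.exe deleting the Software Protection Platform activation keys, sc.exe registering a KMSEmulator service with a bare relative binpath, a 7-Zip SFX executed from a .dat file, KMSSS.exe bound to the KMS port 1688 and started by services.exe as SYSTEM from C:\ProgramData, and a WMIC lookup of the virtual adapter by its driver ServiceName. The Python below is an added example, not code from the ANY.RUN report or from KMSAuto: it turns those observations into a small rule set run over constructed Sysmon-style process-creation events (image, command line, parent image, user). The command lines in SUSPICIOUS_EVENTS are copied from the process table above; the benign events, the trusted-roots list and the executable-extension set are the example's own assumptions.

```python
"""Detection rules for the activator behaviour shown in the report (added example)."""
import ntpath
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    image: str            # full path of the started executable
    command_line: str
    parent_image: str
    user: str = "admin"


@dataclass(frozen=True)
class Hit:
    rule: str
    detail: str
    event: ProcEvent


# Software Protection Platform key named by an application GUID, as in the two
# "reg delete" commands in the report (Office and Windows activation state).
SPP_KEY = re.compile(r"(?:Office)?SoftwareProtectionPlatform\\[0-9A-Fa-f-]{36}")
# KMS port: bound by the emulator (-Port 1688) or probed via netstat | find ":1688 ".
KMS_PORT = re.compile(r"(?:-port\s+|:)1688\b", re.I)
# "key= value" pairs in the form sc.exe expects (space after the '=').
SC_ARG = re.compile(r'(\w+)=\s*("[^"]*"|\S+)')
# Assumed locations where a service binary or service-hosted image is expected.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
EXEC_EXTENSIONS = {".exe", ".com", ".scr"}   # assumed set of normal image extensions


def _basename(path):
    return ntpath.basename(path.strip('"')).lower()


def _under_trusted_root(path):
    return path.strip('"').lower().startswith(TRUSTED_ROOTS)


def rule_spp_key_deletion(ev):
    cl = ev.command_line
    if _basename(ev.image) == "reg.exe" and re.search(r"\bdelete\b", cl, re.I) and SPP_KEY.search(cl):
        return "reg.exe deletes a Software Protection Platform activation key"


def rule_service_binary_outside_trusted_roots(ev):
    cl = ev.command_line
    if _basename(ev.image) != "sc.exe" or not re.search(r"\bcreate\b", cl, re.I):
        return None
    binpath = {k.lower(): v for k, v in SC_ARG.findall(cl)}.get("binpath")
    if binpath and not _under_trusted_root(binpath):
        return f"sc.exe creates a service whose binary {binpath} is outside trusted roots"


def rule_kms_port(ev):
    if KMS_PORT.search(ev.command_line):
        return "command line references KMS port 1688"


def rule_unusual_image_extension(ev):
    ext = ntpath.splitext(ev.image.strip('"'))[1].lower()
    if ext not in EXEC_EXTENSIONS:
        return f"executable started from a file with extension {ext or '(none)'}"


def rule_service_hosted_from_writable_dir(ev):
    if _basename(ev.parent_image) == "services.exe" and not _under_trusted_root(ev.image):
        return "service image started by services.exe from outside trusted roots"


def rule_adapter_servicename_query(ev):
    cl = ev.command_line.lower()
    if _basename(ev.image) == "wmic.exe" and "win32_networkadapter" in cl and "servicename=" in cl:
        return "WMIC looks up a network adapter by driver ServiceName (virtual adapter check)"


RULES = [rule_spp_key_deletion, rule_service_binary_outside_trusted_roots, rule_kms_port,
         rule_unusual_image_extension, rule_service_hosted_from_writable_dir,
         rule_adapter_servicename_query]


def scan(events):
    """Apply every rule to every event; one Hit per (rule, event) that matches."""
    hits = []
    for ev in events:
        for rule in RULES:
            detail = rule(ev)
            if detail:
                hits.append(Hit(rule.__name__, detail, ev))
    return hits


def summarize(hits):
    """Hit count per rule name."""
    return dict(Counter(h.rule for h in hits))


SYS32 = "C:\\Windows\\System32\\"
# Command lines copied from the report's process table (parent and user as reported).
SUSPICIOUS_EVENTS = [
    ProcEvent(SYS32 + "reg.exe", r'C:\Windows\System32\reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\0FF1CE15-A989-479D-AF46-F275C6370663" /f', "KMSAuto Net.exe"),
    ProcEvent(SYS32 + "cmd.exe", r'C:\Windows\system32\cmd.exe /c netstat -ano | find ":1688 "', "cmd.exe"),
    ProcEvent(r"C:\ProgramData\KMSAuto\bin.dat", "bin.dat -y -pkmsauto", "cmd.exe"),
    ProcEvent(SYS32 + "sc.exe", '"sc.exe" create KMSEmulator binpath= temp.exe type= own start= auto', "KMSAuto Net.exe"),
    ProcEvent(r"C:\ProgramData\KMSAuto\bin\KMSSS.exe", r'"C:\ProgramData\KMSAuto\bin\KMSSS.exe" -Port 1688 -PWin RandomKMSPID -PO14 RandomKMSPID -PO15 RandomKMSPID -AI 43200 -RI 43200 KillProcessOnPort -Log -IP', "services.exe", "SYSTEM"),
    ProcEvent(SYS32 + r"wbem\WMIC.exe", 'WMIC Path Win32_NetworkAdapter WHERE ServiceName="ptun0901" get Manufacturer', "cmd.exe"),
]
# Constructed benign administration for contrast (not from the report).
BENIGN_EVENTS = [
    ProcEvent(SYS32 + "sc.exe", 'sc.exe create MyAgent binpath= "C:\\Program Files\\Vendor\\agent.exe" start= auto', "cmd.exe"),
    ProcEvent(SYS32 + "reg.exe", r'reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName', "cmd.exe"),
    ProcEvent(SYS32 + "svchost.exe", r"C:\Windows\System32\svchost.exe -k netsvcs", "services.exe", "SYSTEM"),
]

if __name__ == "__main__":
    for hit in scan(SUSPICIOUS_EVENTS):
        print(f"[{hit.rule}] {hit.detail}\n    {hit.event.command_line}")
```

The KMSSS.exe event fires two rules at once (port 1688 plus a service image under C:\ProgramData), which is the combination worth alerting on: a KMS host that is not the organisation's activation server and lives in a user-writable directory. The benign `sc create` with a binary under Program Files stays quiet because only the binpath location is judged, not the act of creating a service.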
Total events: 45 336
Read events: 43 966
Write events: 1 228
Delete events: 142

Modification events

(PID) Process: (3956) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtBMP
Value:

(PID) Process: (3956) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtIcon
Value:

(PID) Process: (3956) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (3956) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 3
Value: C:\Users\admin\Desktop\phacker.zip

(PID) Process: (3956) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 2
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip

(PID) Process: (3956) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip

(PID) Process: (3956) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\AppData\Local\Temp\KMSAuto.Net.2015 (Activador Windows 8, 8.1 y 10 office 2010, 201.rar

(PID) Process: (3956) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (3956) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (3956) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120
Executable files: 54
Suspicious files: 35
Text files: 25
Unknown types: 21

Dropped files

PID: 3956  Process: WinRAR.exe  Type: text
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa3956.43285\KMSAuto.Net.2015 (Activador Windows 8, 8.1 y 10 office 2010, 201\readme\readme_cn.txt
MD5: 96696900C004588220E720565711EA23
SHA256: E6B15F6F0E3B2108127B0FE21D52D63159F8414E764740DB6CED08F49CFE556F

PID: 3956  Process: WinRAR.exe  Type: text
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa3956.43285\KMSAuto.Net.2015 (Activador Windows 8, 8.1 y 10 office 2010, 201\readme\readme_vi.txt
MD5: AC57F63B303ABA3CA0E98FC989C69378
SHA256: 3EB02AE075A08E42837D257DE0589720E5EE7AA22C1966B0A4A16CFB46513A4F

PID: 3272  Process: bin.dat  Type: binary
Filename: C:\ProgramData\KMSAuto\bin\KMSSS.exe.aes
MD5: 61D01B472C1B2FB783AA45A317CC4BC4
SHA256: CBD17860AF5DD667C9CEBF3FDBD96790B887CFCC7884282A254867D8CFCE9853

PID: 3956  Process: WinRAR.exe  Type: executable
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa3956.43285\KMSAuto.Net.2015 (Activador Windows 8, 8.1 y 10 office 2010, 201\KMSAuto Net.exe
MD5: 311F3BAA9BFA5B2364FEA8B254D15EB9
SHA256: BEA219F0F08ED083677A0B869E658BA09785F470668EADC659DB2885FA89F3B9

PID: 2020  Process: wzt.dat  Type: binary
Filename: C:\ProgramData\KMSAuto\wzt\wzt.cer
MD5: 4BF5BFBB3CAF16C6125DF0E10EE60D18
SHA256: B3DB601B90499D6D5D7CD954CA36A907ABB6AE649B5439AB2BCA93E2E026FE9F

PID: 3068  Process: cmd.exe  Type: text
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa3956.43285\KMSAuto.Net.2015 (Activador Windows 8, 8.1 y 10 office 2010, 201\test.test
MD5: 9F06243ABCB89C70E0C331C61D871FA7
SHA256: 837CCB607E312B170FAC7383D7CCFD61FA5072793F19A25E75FBACB56539B86B

PID: 3272  Process: bin.dat  Type: binary
Filename: C:\ProgramData\KMSAuto\bin\TunMirror2.exe.aes
MD5: DCDB16BB53846BBE61EEBA0887E8D2F0
SHA256: B85899BB189B43367E5C4172BD345BFEEA45DB3086772C4D3B81DB5C6E63DB6C

PID: 3272  Process: bin.dat  Type: binary
Filename: C:\ProgramData\KMSAuto\bin\TunMirror.exe.aes
MD5: A59C42386E14D73EC83CC01A4AF1551B
SHA256: 8751A3C6CF2E3A1CD8E9C7B63BB3CBA177476319A67AA766F317151C9CA83AEC

PID: 3956  Process: WinRAR.exe  Type: text
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa3956.43285\KMSAuto.Net.2015 (Activador Windows 8, 8.1 y 10 office 2010, 201\readme\readme_ru.txt
MD5: F1E7B5B15040A9E6F576036B3525239F
SHA256: B48F386F8D650ACA34F125669B1EAECD19E505E68C9A6FE7D956F762CA10A251

PID: 1656  Process: KMSAuto Net.exe  Type: text
Filename: C:\Users\admin\AppData\Local\MSfree Inc\kmsauto.ini
MD5: B22721ECC7249380EF3032685ED19A5A
SHA256: 2AC517A3388939951E5BC81489A251193C4BCB4620A9968BA0EC8F34594952D8
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 32
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

PID    Process      IP:port                Reputation
-      -            224.0.0.252:5355       unknown
4      System       192.168.100.255:138    whitelisted
4      System       192.168.100.255:137    whitelisted
1080   svchost.exe  224.0.0.252:5355       unknown

The Domain, ASN and CN columns were empty for every row; the PID and process of the first row are not shown in the report.

DNS requests

No data

Threats

No threats detected
Debug output (process: message)

FakeClient.exe: WdfCoInstaller: [03/23/2024 02:46.44.013] ReadComponents: WdfSection for Driver Service windivert using KMDF lib version Major 0x1, minor 0x9
FakeClient.exe: WdfCoInstaller: [03/23/2024 02:46.44.060] BootApplication: GetStartType error error(87) The parameter is incorrect. Driver Service name windivert
FakeClient.exe: WdfCoInstaller: [03/23/2024 02:46.44.060] BootApplication: could not open service windivert, error error(1060) The specified service does not exist as an installed service.