File name: | Kontakt_Button.exe |
Full analysis: | https://app.any.run/tasks/b03a02ef-5f50-447a-b747-adddad6400f5 |
Verdict: | Malicious activity |
Analysis date: | March 07, 2025, 14:06:15 |
OS: | Windows 10 Professional (build: 19045, 64 bit) |
Tags: | |
Indicators: | |
MIME: | application/vnd.microsoft.portable-executable |
File info: | PE32+ executable (GUI) x86-64, for MS Windows, 7 sections |
MD5: | 13727F2FED46FCC470C680E7DAA19D73 |
SHA1: | 3E0E0BB0F53EA0AF8B4860B69C368A5F01F0C453 |
SHA256: | 56769BB068F941B8F14516614E9F2B866EB1B182F47FE613F2596D6746AC2A12 |
SSDEEP: | 98304:lWq9K7zpN+Vj3bPjOlrwf4+18Rka8FIwcAbcrCgMw38FZ5L5txL4P8F8vvYzYFpx:H3GXGHsEi2HZsMzffrMUSwtmnnR |
.exe | | | Win64 Executable (generic) (87.3) |
---|---|---|
.exe | | | Generic Win/DOS Executable (6.3) |
.exe | | | DOS Executable Generic (6.3) |
MachineType: | AMD AMD64 |
---|---|
TimeStamp: | 2021:06:11 09:16:51+00:00 |
ImageFileCharacteristics: | Executable, Large address aware |
PEType: | PE32+ |
LinkerVersion: | 14 |
CodeSize: | 223744 |
InitializedDataSize: | 115200 |
UninitializedDataSize: | - |
EntryPoint: | 0x24b40 |
OSVersion: | 5.2 |
ImageVersion: | - |
SubsystemVersion: | 5.2 |
Subsystem: | Windows GUI |
FileVersionNumber: | 7.0.0.0 |
ProductVersionNumber: | 7.0.0.0 |
FileFlagsMask: | 0x003f |
FileFlags: | (none) |
FileOS: | Win32 |
ObjectFileType: | Executable application |
FileSubtype: | - |
LanguageCode: | English (U.S.) |
CharacterSet: | Windows, Latin1 |
Comments: | Kontakt Library Tools 7.0.0 |
CompanyName: | Native Instruments |
FileDescription: | Kontakt Library Tools |
FileVersion: | 7.0.0.0 |
LegalCopyright: | Bob Dule |
ProductName: | Kontakt Library Tools 7 |
ProductVersion: | 7 |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
896 | "C:\Users\admin\AppData\Local\Temp\RarSFX0\Kontakt_Button.exe" | C:\Users\admin\AppData\Local\Temp\RarSFX0\Kontakt_button.exe | Kontakt_Button.exe | ||||||||||||
User: admin Company: Native Instruments Integrity Level: MEDIUM Description: Kontakt Debrider Version: 1.0.0.1 Modules
| |||||||||||||||
904 | "C:\Users\admin\AppData\Local\Temp\Kontakt_Button.exe" | C:\Users\admin\AppData\Local\Temp\Kontakt_Button.exe | explorer.exe | ||||||||||||
User: admin Company: Native Instruments Integrity Level: MEDIUM Description: Kontakt Library Tools Version: 7.0.0.0 Modules
| |||||||||||||||
2392 | "C:\Users\admin\AppData\Local\Temp\RarSFX0\Data\KTMGR\R2RKTMGR.exe" | C:\Users\admin\AppData\Local\Temp\RarSFX0\Data\KTMGR\R2RKTMGR.exe | explorer.exe | ||||||||||||
User: admin Company: TEAM R2R Integrity Level: HIGH Description: TEAM R2R Kontakt Manager Exit code: 1 Version: 1.1.5.1 Modules
| |||||||||||||||
3140 | "C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEvent | C:\Windows\System32\slui.exe | — | SppExtComObj.Exe | |||||||||||
User: NETWORK SERVICE Company: Microsoft Corporation Integrity Level: SYSTEM Description: Windows Activation Client Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
4000 | "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1 | C:\Windows\System32\BackgroundTransferHost.exe | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Download/Upload Host Exit code: 1 Version: 10.0.19041.3636 (WinBuild.160101.0800) Modules
| |||||||||||||||
5608 | reg add "HKEY_CURRENT_USER\SOFTWARE\TEAM R2R\R2RKTMGR" /v "EnableFactoryLibrary2HotFix" /t REG_DWORD /d "1" /f | C:\Windows\System32\reg.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Registry Console Tool Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
6872 | C:\WINDOWS\system32\SppExtComObj.exe -Embedding | C:\Windows\System32\SppExtComObj.Exe | — | svchost.exe | |||||||||||
User: NETWORK SERVICE Company: Microsoft Corporation Integrity Level: SYSTEM Description: KMS Connection Broker Version: 10.0.19041.3996 (WinBuild.160101.0800) Modules
| |||||||||||||||
7036 | "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1 | C:\Windows\System32\BackgroundTransferHost.exe | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Download/Upload Host Exit code: 1 Version: 10.0.19041.3636 (WinBuild.160101.0800) Modules
| |||||||||||||||
7172 | "C:\Users\admin\AppData\Local\Temp\RarSFX0\Data\KTMGR\R2RKTMGR.exe" | C:\Users\admin\AppData\Local\Temp\RarSFX0\Data\KTMGR\R2RKTMGR.exe | — | explorer.exe | |||||||||||
User: admin Company: TEAM R2R Integrity Level: MEDIUM Description: TEAM R2R Kontakt Manager Exit code: 3221226540 Version: 1.1.5.1 Modules
| |||||||||||||||
7180 | C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\RarSFX0\Data\KTMGR\License OFF.bat" " | C:\Windows\System32\cmd.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
|
(PID) Process: | (896) Kontakt_button.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content |
Operation: | write | Name: | CachePrefix |
Value: | |||
(PID) Process: | (896) Kontakt_button.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies |
Operation: | write | Name: | CachePrefix |
Value: Cookie: | |||
(PID) Process: | (896) Kontakt_button.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History |
Operation: | write | Name: | CachePrefix |
Value: Visited: | |||
(PID) Process: | (7496) BackgroundTransferHost.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\Content |
Operation: | write | Name: | CachePrefix |
Value: | |||
(PID) Process: | (7496) BackgroundTransferHost.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\Cookies |
Operation: | write | Name: | CachePrefix |
Value: Cookie: | |||
(PID) Process: | (7496) BackgroundTransferHost.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\History |
Operation: | write | Name: | CachePrefix |
Value: Visited: | |||
(PID) Process: | (8060) BackgroundTransferHost.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\Content |
Operation: | write | Name: | CachePrefix |
Value: | |||
(PID) Process: | (8060) BackgroundTransferHost.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\Cookies |
Operation: | write | Name: | CachePrefix |
Value: Cookie: | |||
(PID) Process: | (8060) BackgroundTransferHost.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\History |
Operation: | write | Name: | CachePrefix |
Value: Visited: | |||
(PID) Process: | (7724) BackgroundTransferHost.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\Content |
Operation: | write | Name: | CachePrefix |
Value: |
PID | Process | Filename | Type | |
---|---|---|---|---|
904 | Kontakt_Button.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\Data\Native Access.cmd | text | |
MD5:ADB15CD976D5F5CCEE9AADE5944BAD62 | SHA256:A0A01764C944C3CE9D01A17CDF0E1A5AB9F625C798E91FF8062262C440AC80E3 | |||
904 | Kontakt_Button.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\Data\Nicnt Maker\Nicnt Maker.exe | executable | |
MD5:A91146F968309552C2ABEA48EA0DD7CF | SHA256:58ADCCEE4172191838DD38398D73B0C024AD47E36D48057DB376D3E445A87C9C | |||
904 | Kontakt_Button.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\Data\KontaktLibOrganizer.exe | executable | |
MD5:02AF6843BAE1B664C1CB0D05E0144A63 | SHA256:A62D2B0230C67922D15E738F769ACAA3A980D080C671E5D42A84628735F54C9B | |||
904 | Kontakt_Button.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\Data\parser\Jsort.bat | binary | |
MD5:335E6E5897DC39D02C75EEBA68CF6251 | SHA256:4700A43EA1A532595CE0A4BCD91D72239A9EDAFADFD87FDD3D4995945D45CD90 | |||
904 | Kontakt_Button.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\Data\parser\Native_Access_Parser.bat | text | |
MD5:5B43C8E27141342EB08ABC24BF5EB25B | SHA256:028F7E2F33CE3C25914A3AA1D481196104EFFB86CD751DD838156D276AC8F727 | |||
904 | Kontakt_Button.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\Data\totalcmd\CGLPT64.SYS | executable | |
MD5:C6E5B7ECFB1AA7A104BC3C0C081E36E0 | SHA256:0108B00762DE94C189224874DD064E6EC65EE8F3BFF65801A6FB8D25AF7DE617 | |||
904 | Kontakt_Button.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\Data\parser\Native_Access_SNPID.txt | text | |
MD5:A71B30288342ECA0CA92169EFB7C475F | SHA256:36509EEC65F8268688EEF6371FF88CED8DD18B0A5E0AD04B253E3A7453FFBAE0 | |||
904 | Kontakt_Button.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\Data\parser\XML_PARSER_Native_Access.ps1 | text | |
MD5:BE25BA0AE30F1309967E687A5585B22E | SHA256:156A7979747815411816B7331917221C1B23175F2C9D52213DFAA112DB380AA6 | |||
904 | Kontakt_Button.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\Data\totalcmd\BLAKEX32.DLL | executable | |
MD5:ED972B41C29737564FB1AE411D801CF0 | SHA256:033F4AAB3E5F65C15A93B4F55834AFECC050A3E3919888CA9E8C5B49EB94CD4A | |||
904 | Kontakt_Button.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\Data\Key Adder.exe | executable | |
MD5:8907D44D562DEF8BFE7C40340EF9DE45 | SHA256:45057C04BD25C1DD25310B616ABC9197020984E57C7362AD163A85E2B3E0E333 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
5404 | backgroundTaskHost.exe | GET | 200 | 184.30.131.245:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D | unknown | — | — | whitelisted |
7668 | SIHClient.exe | GET | 200 | 23.52.120.96:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | — | — | whitelisted |
6544 | svchost.exe | GET | 200 | 184.30.131.245:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | — | — | whitelisted |
7724 | BackgroundTransferHost.exe | GET | 200 | 184.30.131.245:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | — | — | whitelisted |
7668 | SIHClient.exe | GET | 200 | 23.52.120.96:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | — | — | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
— | — | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
3216 | svchost.exe | 40.115.3.253:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
6544 | svchost.exe | 40.126.32.138:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
6544 | svchost.exe | 184.30.131.245:80 | ocsp.digicert.com | AKAMAI-AS | US | whitelisted |
5404 | backgroundTaskHost.exe | 20.103.156.88:443 | arc.msn.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
5404 | backgroundTaskHost.exe | 184.30.131.245:80 | ocsp.digicert.com | AKAMAI-AS | US | whitelisted |
2104 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
7724 | BackgroundTransferHost.exe | 2.16.110.168:443 | www.bing.com | Akamai International B.V. | DE | whitelisted |
Domain | IP | Reputation |
---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
client.wns.windows.com |
| whitelisted |
login.live.com |
| whitelisted |
ocsp.digicert.com |
| whitelisted |
arc.msn.com |
| whitelisted |
www.bing.com |
| whitelisted |
slscr.update.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
fe3cr.delivery.mp.microsoft.com |
| whitelisted |