File name: KMSAuto Net.exe

Full analysis: https://app.any.run/tasks/03102ab1-7be3-4518-9e5a-ffe1ba43b5fd
Verdict: Malicious activity
Analysis date: October 05, 2023, 16:31:35
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5: F1FE671BCEFD4630E5ED8B87C9283534
SHA1: 9FF0546074213231E695E67324ABA64E2E65D2C2
SHA256: 58D6FEC4BA24C32D38C9A0C7C39DF3CB0E91F500B323E841121D703C7B718681
SSDEEP: 196608:C38lywCAfywOweqyw3ywsywXywZywnywZywBywEyw4ywwywmIBywyywsyw/ywiyj:EDwCAqwUnwiwxwCwUwywUw8wJwVwtwie

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • KMSAuto Net.exe (PID: 2184)
      • wzt.dat (PID: 3284)
      • bin.dat (PID: 1560)
      • AESDecoder.exe (PID: 2372)
      • bin_x86.dat (PID: 2648)
      • wzt.dat (PID: 2420)
      • bin.dat (PID: 3840)
      • AESDecoder.exe (PID: 3832)
      • bin_x86.dat (PID: 3564)
    • Application was dropped or rewritten from another process

      • wzt.dat (PID: 3284)
      • certmgr.exe (PID: 3812)
      • bin.dat (PID: 1560)
      • bin_x86.dat (PID: 2648)
      • certmgr.exe (PID: 3296)
      • KMSSS.exe (PID: 948)
      • AESDecoder.exe (PID: 2372)
      • wzt.dat (PID: 2420)
      • certmgr.exe (PID: 3636)
      • bin.dat (PID: 3840)
      • AESDecoder.exe (PID: 3832)
      • certmgr.exe (PID: 2800)
      • bin_x86.dat (PID: 3564)
    • Uses Task Scheduler to run other applications

      • cmd.exe (PID: 3656)
      • cmd.exe (PID: 3008)
      • cmd.exe (PID: 120)
      • cmd.exe (PID: 1232)
  • SUSPICIOUS

    • Reads Internet Explorer settings

      • KMSAuto Net.exe (PID: 2184)
    • Starts CMD.EXE for commands execution

      • KMSAuto Net.exe (PID: 2184)
      • cmd.exe (PID: 3168)
    • Drops 7-zip archiver for unpacking

      • KMSAuto Net.exe (PID: 2184)
    • Starts application with an unusual extension

      • cmd.exe (PID: 2212)
      • cmd.exe (PID: 2752)
      • cmd.exe (PID: 1632)
      • cmd.exe (PID: 3540)
      • cmd.exe (PID: 888)
      • cmd.exe (PID: 1240)
    • Process drops legitimate windows executable

      • wzt.dat (PID: 3284)
      • bin_x86.dat (PID: 2648)
      • wzt.dat (PID: 2420)
      • bin_x86.dat (PID: 3564)
    • Drops a system driver (possible attempt to evade defenses)

      • bin_x86.dat (PID: 2648)
      • bin_x86.dat (PID: 3564)
    • Application launched itself

      • cmd.exe (PID: 3168)
    • Uses NETSH.EXE to add a firewall rule or allowed programs

      • KMSAuto Net.exe (PID: 2184)
    • Creates or modifies Windows services

      • KMSAuto Net.exe (PID: 2184)
    • Starts SC.EXE for service management

      • KMSAuto Net.exe (PID: 2184)
    • Executes as Windows Service

      • KMSSS.exe (PID: 948)
    • Uses REG/REGEDIT.EXE to modify registry

      • KMSAuto Net.exe (PID: 2184)
      • cmd.exe (PID: 3244)
    • Uses NETSH.EXE to delete a firewall rule or allowed programs

      • KMSAuto Net.exe (PID: 2184)
  • INFO

    • Reads the machine GUID from the registry

      • KMSAuto Net.exe (PID: 2184)
      • KMSSS.exe (PID: 948)
      • wmpnscfg.exe (PID: 3084)
    • Reads the computer name

      • KMSAuto Net.exe (PID: 2184)
      • wmpnscfg.exe (PID: 3084)
      • KMSSS.exe (PID: 948)
    • Checks supported languages

      • KMSAuto Net.exe (PID: 2184)
      • wzt.dat (PID: 3284)
      • certmgr.exe (PID: 3296)
      • certmgr.exe (PID: 3812)
      • bin.dat (PID: 1560)
      • AESDecoder.exe (PID: 2372)
      • bin_x86.dat (PID: 2648)
      • KMSSS.exe (PID: 948)
      • wmpnscfg.exe (PID: 3084)
      • wzt.dat (PID: 2420)
      • certmgr.exe (PID: 3636)
      • certmgr.exe (PID: 2800)
      • bin.dat (PID: 3840)
      • AESDecoder.exe (PID: 3832)
      • bin_x86.dat (PID: 3564)
    • Reads Environment values

      • KMSAuto Net.exe (PID: 2184)
    • Creates files or folders in the user directory

      • KMSAuto Net.exe (PID: 2184)
    • Reads product name

      • KMSAuto Net.exe (PID: 2184)
    • Creates files in the program directory

      • cmd.exe (PID: 3476)
      • KMSAuto Net.exe (PID: 2184)
      • wzt.dat (PID: 3284)
      • bin.dat (PID: 1560)
      • AESDecoder.exe (PID: 2372)
      • bin_x86.dat (PID: 2648)
      • KMSSS.exe (PID: 948)
      • wzt.dat (PID: 2420)
      • bin.dat (PID: 3840)
      • AESDecoder.exe (PID: 3832)
      • cmd.exe (PID: 2388)
      • bin_x86.dat (PID: 3564)
    • Manual execution by a user

      • wmpnscfg.exe (PID: 3084)
    • Create files in a temporary directory

      • KMSAuto Net.exe (PID: 2184)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report.
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (33.3)
.exe | UPX compressed Win32 Executable (32.6)
.scr | Windows screen saver (15.8)
.dll | Win32 Dynamic Link Library (generic) (7.9)
.exe | Win32 Executable (generic) (5.4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2018:10:15 08:57:50+02:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32
LinkerVersion: 80
CodeSize: 8259584
InitializedDataSize: 49152
UninitializedDataSize: -
EntryPoint: 0x7e2656
OSVersion: 4
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 1.5.4.0
ProductVersionNumber: 1.5.4.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: -
CompanyName: MSFree Inc.
FileDescription: KMSAuto Net
FileVersion: 1.5.4
InternalName: KMSAuto Net.exe
LegalCopyright: -
LegalTrademarks: -
OriginalFileName: KMSAuto Net.exe
ProductName: KMSAuto Net
ProductVersion: 1.5.4
AssemblyVersion: 1.5.4.0
No data.
All screenshots are available in the full report
Total processes: 183
Monitored processes: 83
Malicious processes: 21
Suspicious processes: 3

Behavior graph

Processes appearing in the graph, in order of first appearance (interactive graph available in the full report): kmsauto net.exe, cmd.exe, wzt.dat, certmgr.exe, bin.dat, aesdecoder.exe, bin_x86.dat, netstat.exe, find.exe, netsh.exe, sc.exe, kmsss.exe, reg.exe, wmpnscfg.exe, schtasks.exe

Process information

PID: 120
CMD: C:\Windows\System32\cmd /c schtasks.exe /change /TN KMSAutoNet /RI 14400
Path: C:\Windows\System32\cmd.exe
Indicators: -
Parent process: KMSAuto Net.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules / Images:
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll

PID: 240
CMD: C:\Windows\System32\cmd.exe /D /c del /F /Q "test.test"
Path: C:\Windows\System32\cmd.exe
Indicators: -
Parent process: KMSAuto Net.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules / Images:
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll

PID: 888
CMD: C:\Windows\System32\cmd.exe /D /c bin.dat -y -pkmsauto
Path: C:\Windows\System32\cmd.exe
Indicators: -
Parent process: KMSAuto Net.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules / Images:
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll

PID: 940
CMD: C:\Windows\System32\reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55C92734-D682-4D71-983E-D6EC3F16059F" /f
Path: C:\Windows\System32\reg.exe
Indicators: -
Parent process: KMSAuto Net.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Registry Console Tool
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules / Images:
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll

PID: 948
CMD: "C:\ProgramData\KMSAuto\bin\KMSSS.exe" -Port 1688 -PWin RandomKMSPID -PO14 RandomKMSPID -PO15 RandomKMSPID -PO16 RandomKMSPID -AI 43200 -RI 43200 -Log -IP
Path: C:\ProgramData\KMSAuto\bin\KMSSS.exe
Indicators: -
Parent process: services.exe
User: SYSTEM
Company: MSFree Inc.
Integrity Level: SYSTEM
Description: KMS emulator by Ratiborus.
Exit code: 0
Version: 2.0.7.0
Modules / Images:
c:\programdata\kmsauto\bin\kmsss.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll

PID: 1048
CMD: C:\Windows\System32\cmd.exe /D /c del /F /Q "kmsauto.ini"
Path: C:\Windows\System32\cmd.exe
Indicators: -
Parent process: KMSAuto Net.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules / Images:
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll

PID: 1232
CMD: C:\Windows\System32\cmd /c schtasks.exe /create /TN KMSAutoNet /XML xmlfile.xml
Path: C:\Windows\System32\cmd.exe
Indicators: -
Parent process: KMSAuto Net.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules / Images:
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\user32.dll
c:\windows\system32\imm32.dll

PID: 1240
CMD: C:\Windows\System32\cmd.exe /D /c bin_x86.dat -y -pkmsauto
Path: C:\Windows\System32\cmd.exe
Indicators: -
Parent process: KMSAuto Net.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules / Images:
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\lpk.dll
c:\windows\system32\user32.dll
c:\windows\system32\usp10.dll

PID: 1536
CMD: C:\Windows\System32\cmd.exe /D /c del /F /Q "bin_x86.dat"
Path: C:\Windows\System32\cmd.exe
Indicators: -
Parent process: KMSAuto Net.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules / Images:
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll

PID: 1560
CMD: bin.dat -y -pkmsauto
Path: C:\ProgramData\KMSAuto\bin.dat
Indicators: -
Parent process: cmd.exe
User: admin
Company: Igor Pavlov
Integrity Level: HIGH
Description: 7z Console SFX
Exit code: 0
Version: 15.14
Modules / Images:
c:\programdata\kmsauto\bin.dat
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
Total events: 5 793
Read events: 5 603
Write events: 177
Delete events: 13

Modification events

Process: (1836) netsh.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\178\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

Process: (3560) netsh.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\178\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

Process: (2184) KMSAuto Net.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\KMSEmulator
Operation: write
Name: ImagePath
Value: temp.exe

Process: (2184) KMSAuto Net.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform
Operation: delete value
Name: KeyManagementServiceName
Value: 127.0.0.2

Process: (2184) KMSAuto Net.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform
Operation: delete value
Name: KeyManagementServicePort
Value: 1688

Process: (2184) KMSAuto Net.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform
Operation: delete value
Name: KeyManagementServiceName
Value: 127.0.0.2

Process: (2184) KMSAuto Net.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform
Operation: delete value
Name: KeyManagementServicePort
Value: 1688

Process: (3084) wmpnscfg.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Events\{1C2A8177-C7BE-45DA-9B6D-A1620AD897FD}\{61E6F204-A64F-48CD-9794-31014319A722}
Operation: delete key
Name: (default)
Value: -

Process: (3084) wmpnscfg.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Events\{1C2A8177-C7BE-45DA-9B6D-A1620AD897FD}
Operation: delete key
Name: (default)
Value: -

Process: (3084) wmpnscfg.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Health\{DFB335DC-4680-48EA-90A1-73C5C494D93F}
Operation: delete key
Name: (default)
Value: -
Executable files: 36
Suspicious files: 17
Text files: 8
Unknown types: 1

Dropped files

PID | Process | Filename | Type

2844 | cmd.exe | C:\Users\admin\AppData\Local\Temp\test.test | text
MD5: 9F06243ABCB89C70E0C331C61D871FA7
SHA256: 837CCB607E312B170FAC7383D7CCFD61FA5072793F19A25E75FBACB56539B86B

2184 | KMSAuto Net.exe | C:\ProgramData\KMSAuto\bin.dat | executable
MD5: 4D2E5AFFE6D1CCB42F6650FD57448A9B
SHA256: 3CBF7C0231B3266B4A6946DCF9AAA39C2BF077F6E459CA9EAD39C516CBFCE74C

1560 | bin.dat | C:\ProgramData\KMSAuto\bin\TunMirror2.exe.aes | binary
MD5: A1A5AFA53B578DB6ABF400A88548F487
SHA256: A9E76D637E0C0A65036D7F2D5C3D7B1C53218B94716554F4D9F6630DCFF8C75A

3284 | wzt.dat | C:\ProgramData\KMSAuto\wzt\wzteam.cer | binary
MD5: 76B56D90E6F1DA030A8B85E64579F25A
SHA256: FD2D7DF0220DD65EE23D0090299DFCC356F6F8F7167BAE9ADF7D08CEFAF39D02

3284 | wzt.dat | C:\ProgramData\KMSAuto\wzt\certmgr.exe | executable
MD5: 9D4F1124B2D870583268D19317D564AE
SHA256: EBAD2237B3E7CDF65385CCCE5099E82C7EC5080E737C97CE4E542CDBEA8D418D

1560 | bin.dat | C:\ProgramData\KMSAuto\bin\KMSSS.exe.aes | binary
MD5: 41E0D8AB5104DA2068739109EC3599F4
SHA256: 38D1DBDC7C7A64253E6D4B52225B0BFD7716405C731A107F0C6BA9573A73A77F

2372 | AESDecoder.exe | C:\ProgramData\KMSAuto\bin\TunMirror2.exe | executable
MD5: 3B33E3AB6E91806DF4CAE19405AB8846
SHA256: D9CD47831FABA4053225DAC181709FD7AB9D066C3DE6F541968FFFEEEE4A9BF9

1560 | bin.dat | C:\ProgramData\KMSAuto\bin\AESDecoder.exe | executable
MD5: B90ED3E4DBB23A464723706F12C86065
SHA256: 8391D5B724D235BA52531D9A6D85E466382CE15CBD6BA97C4AD1278ED1F03BD7

2372 | AESDecoder.exe | C:\ProgramData\KMSAuto\bin\KMSSS.exe | executable
MD5: 01A80AAD5DABED1C1580F7E00213CF9D
SHA256: FD7499214ABAA13BF56D006AB7DE78EB8D6ADF17926C24ACE024D067049BC81D

1560 | bin.dat | C:\ProgramData\KMSAuto\bin\TunMirror.exe | executable
MD5: 2ED9C12A91E795804B1B770958C647AC
SHA256: CB56C248A38292C234D1AABE5E33A671FE8AE8AED28E0C8C4FBE767E4E7B82F5
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 3
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
2656 | svchost.exe | 239.255.255.250:1900 | - | - | - | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted

DNS requests

No data

Threats

No threats detected
No debug info