File name:

KMS-2038 & Digital & Online Activation Suite 9.0.rar

Full analysis: https://app.any.run/tasks/00597c60-a3c4-4831-80c4-8880e760dacd
Verdict: Malicious activity
Analysis date: October 17, 2024, 19:24:27
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
arch-exec
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5:

AC4D7A43A72966C236586D807086E021

SHA1:

A5D6777F0F3D77CCAB51226F3B40E5227ECEA00E

SHA256:

680FC77FB02F32DF4B6833D8FA0BBDF80D057404DE7756E93E871910803E334D

SSDEEP:

12288:mEjTtHniZJIritsmALs4jEseD2zYPuM0a:mEjTtHniZJIrcsmALtgseKzYGM0a

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Generic archive extractor

      • WinRAR.exe (PID: 5828)

  • SUSPICIOUS

    • Starts CMD.EXE for commands execution

      • WinRAR.exe (PID: 5828)
      • cmd.exe (PID: 5616)
      • powershell.exe (PID: 6180)
      • cmd.exe (PID: 6128)

    • Executing commands from ".cmd" file

      • WinRAR.exe (PID: 5828)
      • cmd.exe (PID: 5616)
      • powershell.exe (PID: 6180)

    • Probably obfuscated PowerShell command line is found

      • cmd.exe (PID: 5616)

    • Possibly malicious use of IEX has been detected

      • cmd.exe (PID: 5616)

    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 5616)
      • cmd.exe (PID: 7128)
      • cmd.exe (PID: 6128)

    • Starts NET.EXE to display or manage information about active sessions

      • cmd.exe (PID: 5616)
      • net.exe (PID: 3912)

    • Manipulates environment variables

      • powershell.exe (PID: 6100)

    • The process bypasses the loading of PowerShell profile settings

      • cmd.exe (PID: 5616)
      • cmd.exe (PID: 7128)
      • cmd.exe (PID: 6128)

    • CSC.EXE is used to compile C# code

      • csc.exe (PID: 920)

    • Executable content was dropped or overwritten

      • csc.exe (PID: 920)
      • xcopy.exe (PID: 6356)
      • expand.exe (PID: 3108)

    • Unpacks CAB file

      • expand.exe (PID: 3108)

    • Process drops legitimate windows executable

      • expand.exe (PID: 3108)

    • Application launched itself

      • cmd.exe (PID: 5616)
      • cmd.exe (PID: 6128)

    • Powershell scripting: start process

      • cmd.exe (PID: 7128)

    • The executable file from the user directory is run by the CMD process

      • center.exe (PID: 7052)

    • The process executes VB scripts

      • cmd.exe (PID: 6128)

    • Uses WMIC.EXE to obtain operating system information

      • cmd.exe (PID: 540)
      • cmd.exe (PID: 7052)
      • cmd.exe (PID: 5220)
      • cmd.exe (PID: 6852)
      • cmd.exe (PID: 5516)
      • cmd.exe (PID: 4312)

    • Using 'findstr.exe' to search for text patterns in files and output

      • cmd.exe (PID: 6128)

  • INFO

    • Starts MODE.COM to configure console settings

      • mode.com (PID: 5624)
      • mode.com (PID: 2376)
      • mode.com (PID: 5036)
      • mode.com (PID: 6124)
      • mode.com (PID: 3824)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
190
Monitored processes
56
Malicious processes
5
Suspicious processes
2

Behavior graph

Click at the process to see the details
start winrar.exe no specs cmd.exe no specs conhost.exe no specs net.exe no specs net1.exe no specs mode.com no specs powershell.exe no specs csc.exe cvtres.exe no specs expand.exe xcopy.exe cmd.exe no specs reg.exe no specs powershell.exe no specs cmd.exe conhost.exe no specs mode.com no specs powershell.exe no specs center.exe no specs wscript.exe no specs disablex.exe no specs cmd.exe no specs findstr.exe no specs cmd.exe no specs mode.com no specs cmd.exe no specs wmic.exe no specs cmd.exe no specs wmic.exe no specs cmd.exe no specs wmic.exe no specs mode.com no specs cmd.exe no specs findstr.exe no specs findstr.exe no specs reg.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs choice.exe no specs sppextcomobj.exe no specs slui.exe no specs reg.exe no specs cmd.exe no specs wmic.exe no specs cmd.exe no specs wmic.exe no specs cmd.exe no specs wmic.exe no specs mode.com no specs cmd.exe no specs reg.exe no specs choice.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
512\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
540"C:\WINDOWS\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\5911\bin\DisableX.vbs" C:\Windows\System32\wscript.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.812.10240.16384
Modules
Images
c:\windows\system32\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
540C:\WINDOWS\system32\cmd.exe /c "wmic Path Win32_OperatingSystem Get Version /format:LIST"C:\Windows\System32\cmd.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
616C:\WINDOWS\system32\SppExtComObj.exe -EmbeddingC:\Windows\System32\SppExtComObj.Exesvchost.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
KMS Connection Broker
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sppextcomobj.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\oleaut32.dll
692findstr /R "[| ` ~ ! @ % \ / ^ & ( ) \[ \] { } + = ; : ' , |]*^"C:\Windows\System32\findstr.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Find String (QGREP) Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\findstr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
920"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\3ekxbpcm.cmdline"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Visual C# Command Line Compiler
Exit code:
0
Version:
4.8.9037.0 built by: NET481REL1
Modules
Images
c:\windows\microsoft.net\framework64\v4.0.30319\csc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ole32.dll
920wmic Path Win32_OperatingSystem Get Version /format:LISTC:\Windows\System32\wbem\WMIC.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
WMI Commandline Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
2376mode con cols=92 lines=35C:\Windows\System32\mode.comcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
DOS Device MODE Utility
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\mode.com
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ureg.dll
2376C:\WINDOWS\system32\cmd.exe /c time /tC:\Windows\System32\cmd.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
2660cmd /v:on /c echo(^!param^!C:\Windows\System32\cmd.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
Total events
18 489
Read events
18 482
Write events
7
Delete events
0

Modification events

(PID) Process:(5828) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:1
Value:
C:\Users\admin\Desktop\GoogleChromeEnterpriseBundle64.zip
(PID) Process:(5828) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\AppData\Local\Temp\KMS-2038 & Digital & Online Activation Suite 9.0.rar
(PID) Process:(5828) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(5828) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(5828) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(5828) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
(PID) Process:(6128) cmd.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vbs\OpenWithProgids
Operation:writeName:VBSFile
Value:
Executable files
28
Suspicious files
4
Text files
51
Unknown types
0

Dropped files

PID
Process
Filename
Type
5828WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DIa5828.39250\KMS_Suite.v9.EN.cmdtext
MD5:F9906448D778C93D1B96F87E92E9B436
SHA256:54C33E9C26EF68F0521CB6D6A416FCD2A6C22537D49ADE62DB6935CCC4129927
920csc.exeC:\Users\admin\AppData\Local\Temp\CSC34D45373CD84AC09CD2A48D41BABFDA.TMPbinary
MD5:2C70A082220082927C69FD6DE65EC73C
SHA256:9FA8DBB7DE5CD283699816C128E256C8A988FC53E24C3F15477D2E33C04B04B5
920csc.exeC:\Users\admin\AppData\Local\Temp\3ekxbpcm.dllexecutable
MD5:F54836F5816C388F70AA455E72A06BF7
SHA256:71F3A30B5EC132B08F736D6ED339CE5731B55CAC9798DA6E55D6A3BCF8210E68
6100powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_g2dyfg4e.uyv.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6100powershell.exeC:\Users\admin\AppData\Local\Temp\3ekxbpcm.cmdlinetext
MD5:25D3829B640CEB273807424E28F15D7B
SHA256:5548D640AF872814E57CC894ECB47B0030188E8420671E811EF6D1EAB3A361E9
3108expand.exeC:\Users\admin\AppData\Local\Temp\KMS_Suite\bin\Digital\bin\gatherosstate.exeexecutable
MD5:15CE0753A16DD4F9B9F0F9926DD37C4E
SHA256:028C8FBE58F14753B946475DE9F09A9C7A05FD62E81A1339614C9E138FC2A21D
3108expand.exeC:\Users\admin\AppData\Local\Temp\KMS_Suite\bin\Digital\OEM_Digital\$OEM$\$\Setup\Scripts\digi.cmdtext
MD5:7ACB31D34D4D1E86A98B8C4C4E214D10
SHA256:3372925083552A8E3CB65B56F7E1886E567E00D6ADBE241401C361ABD65DE7ED
3108expand.exeC:\Users\admin\AppData\Local\Temp\KMS_Suite\bin\DisableX.exeexecutable
MD5:00C9837407663587C69DF18793248D52
SHA256:09933212238BC7D0CCE57469F9927C0325D5670B21FC7787428574C4A52E5F6D
3108expand.exeC:\Users\admin\AppData\Local\Temp\KMS_Suite\bin\Digital\Digital_KMS38.cmdtext
MD5:7ACB31D34D4D1E86A98B8C4C4E214D10
SHA256:3372925083552A8E3CB65B56F7E1886E567E00D6ADBE241401C361ABD65DE7ED
3108expand.exeC:\Users\admin\AppData\Local\Temp\KMS_Suite\bin\Digital\bin\slc.dllexecutable
MD5:B21C40AAF16BA46B2732618D089DB3A4
SHA256:9395A37C42E83568DC5ECB25D9E9FCA4C6C1C4F47E336FB6CCAE62DF5C696B4D
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
7
TCP/UDP connections
55
DNS requests
19
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
6944
svchost.exe
GET
200
23.48.23.156:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
7028
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
6944
svchost.exe
GET
200
2.23.9.218:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
4360
SearchApp.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
6236
SIHClient.exe
GET
200
2.23.9.218:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
1176
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
whitelisted
6236
SIHClient.exe
GET
200
2.23.9.218:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
6944
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4292
RUXIMICS.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5488
MoUsoCoreWorker.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
6944
svchost.exe
23.48.23.156:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
6944
svchost.exe
2.23.9.218:80
www.microsoft.com
AKAMAI-AS
CZ
whitelisted
4360
SearchApp.exe
23.212.110.144:443
www.bing.com
Akamai International B.V.
CZ
whitelisted
4360
SearchApp.exe
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted
7028
svchost.exe
40.126.32.133:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.184.238
whitelisted
settings-win.data.microsoft.com
  • 40.127.240.158
  • 4.231.128.59
whitelisted
crl.microsoft.com
  • 23.48.23.156
  • 23.48.23.143
whitelisted
www.microsoft.com
  • 2.23.9.218
whitelisted
www.bing.com
  • 23.212.110.144
  • 23.212.110.146
  • 23.212.110.209
  • 23.212.110.138
  • 23.212.110.145
  • 23.212.110.139
  • 23.212.110.147
  • 23.212.110.217
  • 23.212.110.137
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
login.live.com
  • 40.126.32.133
  • 40.126.32.134
  • 40.126.32.74
  • 40.126.32.136
  • 40.126.32.72
  • 20.190.160.17
  • 40.126.32.76
  • 40.126.32.140
whitelisted
th.bing.com
  • 23.212.110.137
  • 23.212.110.144
  • 23.212.110.146
  • 23.212.110.209
  • 23.212.110.138
  • 23.212.110.145
  • 23.212.110.139
  • 23.212.110.147
  • 23.212.110.217
whitelisted
go.microsoft.com
  • 23.213.166.81
whitelisted
slscr.update.microsoft.com
  • 4.175.87.197
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
KMS-2038 & Digital & Online Activation Suite 9.0.rar