File name:

KMSoffline_x64.exe

Full analysis: https://app.any.run/tasks/2a9f1bf2-217d-4fe3-9974-0ac70d3aa730
Verdict: Malicious activity
Analysis date: November 14, 2024, 20:44:40
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
netreactor
kms
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows, 3 sections
MD5:

E235A059784EF2B5F0DBB44A86E6C381

SHA1:

37EFB7037EE1B020FC64F9E2AD733BECEEB9E8DE

SHA256:

827DB0A3581D5C7B83F37D585A452512B3C270ADC076C99CE531C14F9186EA7D

SSDEEP:

98304:q5edcu/rTSR23A2RId23n9y90w0sB3T746e+riEQ3ddB8qoVshB1QVdT3Cv0dAIZ:qMj29No/IhP

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Starts NET.EXE for service management

      • cmd.exe (PID: 6404)
      • cmd.exe (PID: 624)
      • net.exe (PID: 4684)
      • net.exe (PID: 1396)

  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • KMSoffline_x64.exe (PID: 4868)

    • Starts SC.EXE for service management

      • cmd.exe (PID: 7164)
      • cmd.exe (PID: 2652)

    • Starts CMD.EXE for commands execution

      • KMSoffline_x64.exe (PID: 4868)

    • Executable content was dropped or overwritten

      • KMSoffline_x64.exe (PID: 4868)
      • cmd.exe (PID: 4448)

    • KMS tool has been detected

      • KMSoffline_x64.exe (PID: 4868)

    • Uses NETSH.EXE to delete a firewall rule or allowed programs

      • KMSoffline_x64.exe (PID: 4868)

    • Uses REG/REGEDIT.EXE to modify registry

      • KMSoffline_x64.exe (PID: 4868)

    • Uses TASKKILL.EXE to kill process

      • KMSoffline_x64.exe (PID: 4868)

    • Uses NETSH.EXE to add a firewall rule or allowed programs

      • KMSoffline_x64.exe (PID: 4868)

  • INFO

    • Create files in a temporary directory

      • KMSoffline_x64.exe (PID: 4868)

    • Reads the machine GUID from the registry

      • KMSoffline_x64.exe (PID: 4868)

    • Reads the computer name

      • KMSoffline_x64.exe (PID: 4868)

    • Checks supported languages

      • KMSoffline_x64.exe (PID: 4868)

    • The process uses the downloaded file

      • KMSoffline_x64.exe (PID: 4868)

    • .NET Reactor protector has been detected

      • KMSoffline_x64.exe (PID: 4868)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (81.9)
.exe | Win16/32 Executable Delphi generic (6.1)
.exe | Generic Win/DOS Executable (5.9)
.exe | DOS Executable Generic (5.9)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2024:10:08 05:45:41+00:00
ImageFileCharacteristics: Executable, No line numbers, No symbols, Large address aware
PEType: PE32+
LinkerVersion: 6
CodeSize: 3855872
InitializedDataSize: 74240
UninitializedDataSize: -
EntryPoint: 0x0000
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 2.4.5.0
ProductVersionNumber: 2.4.5.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: -
CompanyName: -
FileDescription: KMSoffline
FileVersion: 2.4.5.0
InternalName: KMSoffline.exe
LegalCopyright: Copyright © 2019-2024
LegalTrademarks: -
OriginalFileName: KMSoffline.exe
ProductName: KMSoffline
ProductVersion: 2.4.5.0
AssemblyVersion: 1.0.1.1
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
210
Monitored processes
74
Malicious processes
1
Suspicious processes
1

Behavior graph

Click at the process to see the details
start kmsoffline_x64.exe cmd.exe no specs conhost.exe no specs sc.exe no specs cmd.exe no specs conhost.exe no specs net.exe no specs net1.exe no specs taskkill.exe no specs conhost.exe no specs cmd.exe conhost.exe no specs reg.exe no specs conhost.exe no specs reg.exe no specs conhost.exe no specs reg.exe no specs conhost.exe no specs reg.exe no specs conhost.exe no specs reg.exe no specs conhost.exe no specs reg.exe no specs conhost.exe no specs reg.exe no specs conhost.exe no specs reg.exe no specs conhost.exe no specs reg.exe no specs conhost.exe no specs netsh.exe no specs conhost.exe no specs netsh.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs sc.exe no specs cmd.exe no specs conhost.exe no specs net.exe no specs net1.exe no specs taskkill.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs conhost.exe no specs reg.exe no specs conhost.exe no specs reg.exe no specs conhost.exe no specs reg.exe no specs conhost.exe no specs reg.exe no specs conhost.exe no specs reg.exe no specs conhost.exe no specs reg.exe no specs conhost.exe no specs reg.exe no specs conhost.exe no specs reg.exe no specs conhost.exe no specs reg.exe no specs conhost.exe no specs netsh.exe no specs conhost.exe no specs netsh.exe no specs conhost.exe no specs sppextcomobj.exe no specs slui.exe no specs slui.exe no specs slui.exe no specs kmsoffline_x64.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
512"C:\WINDOWS\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe" /f /v "VerifierDlls" /t REG_SZ /d "SppExtComObjHook.dll"C:\Windows\System32\reg.exeKMSoffline_x64.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
528\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exereg.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
528"C:\WINDOWS\System32\Netsh.exe" Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCPC:\Windows\System32\netsh.exeKMSoffline_x64.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Network Command Shell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
624\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exereg.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
624"C:\WINDOWS\System32\cmd.exe" /c net.exe stop osppsvc.exe /yC:\Windows\System32\cmd.exeKMSoffline_x64.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
2
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
624"C:\WINDOWS\System32\Netsh.exe" Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCPC:\Windows\System32\netsh.exeKMSoffline_x64.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Network Command Shell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
632\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exereg.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1068C:\WINDOWS\system32\net1 stop SppExtComObj.exe /yC:\Windows\System32\net1.exenet.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Net Command
Exit code:
2
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\net1.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\samcli.dll
c:\windows\system32\ucrtbase.dll
1332C:\WINDOWS\system32\SppExtComObj.exe -EmbeddingC:\Windows\System32\SppExtComObj.Exesvchost.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
KMS Connection Broker
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sppextcomobj.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\verifier.dll
c:\windows\system32\sppextcomobjhook.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
1396net.exe stop osppsvc.exe /yC:\Windows\System32\net.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Net Command
Exit code:
2
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\net.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\mpr.dll
Total events
3 164
Read events
3 150
Write events
14
Delete events
0

Modification events

(PID) Process:(2376) reg.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe
Operation:writeName:KMS_Emulation
Value:
1
(PID) Process:(1764) reg.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe
Operation:writeName:GlobalFlag
Value:
256
(PID) Process:(4304) reg.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe
Operation:writeName:KMS_ActivationInterval
Value:
120
(PID) Process:(4032) reg.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe
Operation:writeName:KMS_RenewalInterval
Value:
10080
(PID) Process:(7112) reg.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe
Operation:writeName:VerifierDlls
Value:
SppExtComObjHook.dll
(PID) Process:(7144) reg.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe
Operation:writeName:KMS_HWID
Value:
7000B60096041C9B
(PID) Process:(6864) reg.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform
Operation:writeName:KeyManagementServicePort
Value:
1688
(PID) Process:(3000) reg.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe
Operation:writeName:KMS_Emulation
Value:
1
(PID) Process:(4684) reg.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe
Operation:writeName:GlobalFlag
Value:
256
(PID) Process:(5464) reg.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe
Operation:writeName:KMS_ActivationInterval
Value:
120
Executable files
2
Suspicious files
0
Text files
1
Unknown types
0

Dropped files

PID
Process
Filename
Type
4868KMSoffline_x64.exeC:\Users\admin\AppData\Local\Temp\KMSoffline.initext
MD5:1353E6DBB94A36C74958634258BA1857
SHA256:78D7BB6CDED6169DBA4350C7450C5DA45BA95C5E4E94E7716B21777EDD62A2A7
4868KMSoffline_x64.exeC:\Users\admin\AppData\Local\Temp\SppExtComObjHook.dllexecutable
MD5:95F143EC661A5DA85C3C8199D9FE06E7
SHA256:F239C27B50CEF792FEA5B34378FBAC83BCC06B8442D508BD9ADD7DDF8CA5C632
4448cmd.exeC:\Windows\System32\SppExtComObjHook.dllexecutable
MD5:95F143EC661A5DA85C3C8199D9FE06E7
SHA256:F239C27B50CEF792FEA5B34378FBAC83BCC06B8442D508BD9ADD7DDF8CA5C632
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
7
TCP/UDP connections
38
DNS requests
21
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
6944
svchost.exe
GET
200
23.48.23.156:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
1880
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
4360
SearchApp.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
6944
svchost.exe
GET
200
69.192.161.161:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
6912
SIHClient.exe
GET
200
69.192.161.161:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
4700
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
whitelisted
6912
SIHClient.exe
GET
200
69.192.161.161:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
6944
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:137
whitelisted
3396
RUXIMICS.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
5488
MoUsoCoreWorker.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
6944
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
6944
svchost.exe
23.48.23.156:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
6944
svchost.exe
69.192.161.161:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
5488
MoUsoCoreWorker.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4360
SearchApp.exe
92.123.104.63:443
www.bing.com
Akamai International B.V.
DE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
  • 20.73.194.208
  • 51.104.136.2
whitelisted
google.com
  • 172.217.18.14
whitelisted
crl.microsoft.com
  • 23.48.23.156
  • 23.48.23.143
whitelisted
www.microsoft.com
  • 69.192.161.161
whitelisted
www.bing.com
  • 92.123.104.63
  • 92.123.104.56
  • 92.123.104.62
  • 92.123.104.47
  • 92.123.104.51
  • 92.123.104.60
  • 92.123.104.61
  • 92.123.104.54
  • 92.123.104.52
  • 92.123.104.43
  • 92.123.104.44
  • 92.123.104.36
  • 92.123.104.38
  • 92.123.104.35
  • 92.123.104.34
  • 92.123.104.33
  • 92.123.104.42
  • 92.123.104.32
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
login.live.com
  • 20.190.160.17
  • 20.190.160.22
  • 40.126.32.133
  • 40.126.32.140
  • 40.126.32.134
  • 40.126.32.76
  • 40.126.32.72
  • 40.126.32.68
whitelisted
th.bing.com
  • 92.123.104.12
  • 92.123.104.19
  • 92.123.104.14
  • 92.123.104.13
  • 92.123.104.16
  • 92.123.104.25
  • 92.123.104.15
  • 92.123.104.18
  • 92.123.104.20
whitelisted
go.microsoft.com
  • 23.52.181.141
whitelisted
slscr.update.microsoft.com
  • 20.12.23.50
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
KMSoffline_x64.exe