Malware analysis DragonKMS_Defender10.rar Malicious activity

Add for printing

File name:	DragonKMS_Defender10.rar
Full analysis:	https://app.any.run/tasks/c2ccfed9-461f-47d9-9467-2772232055a5
Verdict:	Malicious activity
Analysis date:	April 14, 2025, 02:27:26
OS:	Windows 10 Professional (build: 19044, 64 bit)
Indicators:
MIME:	application/x-rar
File info:	RAR archive data, v5
MD5:	2F5154D910A1C969A80873EDF72B3355
SHA1:	4DF1F33BFB247BBE68C4C39BDB76114C3EA55437
SHA256:	8596F125C9AC117DB77B588561C0F14994A4FCE0F6E5C9662B9078B4450442AA
SSDEEP:	98304:YWtisVSGZXimkv7J5JNrYP7mLOs1T65JWnClf36jNf9a86+KbDkKW5PDfBJMNDs6:Hq972lrLF

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 60 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Accesses name of the domain to which a computer belongs via WMI (SCRIPT)
  - cscript.exe (PID: 3008)
SUSPICIOUS
- Reads security settings of Internet Explorer
  - WinRAR.exe (PID: 4688)
  - Office一键部署工具.exe (PID: 2108)
  - Office一键部署工具.exe (PID: 5576)
  - DragonOffice.exe (PID: 5164)
- Executable content was dropped or overwritten
  - Office一键部署工具.exe (PID: 2108)
  - Office一键部署工具.exe (PID: 5576)
- Reads the date of Windows installation
  - Office一键部署工具.exe (PID: 2108)
  - Office一键部署工具.exe (PID: 5576)
- Process drops legitimate windows executable
  - Office一键部署工具.exe (PID: 5576)
  - Office一键部署工具.exe (PID: 2108)
- Connects to unusual port
  - DragonOffice.exe (PID: 5164)
  - DragonOffice.exe (PID: 5384)
  - DragonKMS v24.11.18.exe (PID: 5380)
  - SppExtComObj.Exe (PID: 3676)
- Starts CMD.EXE for commands execution
  - DragonKMS v24.11.18.exe (PID: 5380)
- The process executes VB scripts
  - cmd.exe (PID: 2136)
- Reads data from a binary Stream object (SCRIPT)
  - cscript.exe (PID: 2908)
  - cscript.exe (PID: 3008)
  - cscript.exe (PID: 2800)
- Uses WMI to retrieve WMI-managed resources (SCRIPT)
  - cscript.exe (PID: 2908)
  - cscript.exe (PID: 3008)
  - cscript.exe (PID: 2800)
- Gets full path of the running script (SCRIPT)
  - cscript.exe (PID: 2908)
  - cscript.exe (PID: 3008)
  - cscript.exe (PID: 2800)
- Creates file in the systems drive root
  - cmd.exe (PID: 2136)
  - DragonKMS v24.11.18.exe (PID: 5380)
INFO
- Reads the computer name
  - Office一键部署工具.exe (PID: 5576)
  - Office一键部署工具.exe (PID: 2108)
  - DragonOffice.exe (PID: 5164)
  - DragonOffice.exe (PID: 5384)
  - DragonKMS v24.11.18.exe (PID: 5380)
  - identity_helper.exe (PID: 6248)
- Create files in a temporary directory
  - Office一键部署工具.exe (PID: 2108)
  - Office一键部署工具.exe (PID: 5576)
- Checks supported languages
  - Office一键部署工具.exe (PID: 5576)
  - Office一键部署工具.exe (PID: 2108)
  - DragonOffice.exe (PID: 5164)
  - DragonKMS v24.11.18.exe (PID: 5380)
  - DragonOffice.exe (PID: 5384)
  - identity_helper.exe (PID: 6248)
- Executable content was dropped or overwritten
  - WinRAR.exe (PID: 4688)
- Process checks computer location settings
  - Office一键部署工具.exe (PID: 2108)
  - Office一键部署工具.exe (PID: 5576)
- Reads Environment values
  - DragonOffice.exe (PID: 5384)
  - DragonOffice.exe (PID: 5164)
  - DragonKMS v24.11.18.exe (PID: 5380)
  - identity_helper.exe (PID: 6248)
- Reads the machine GUID from the registry
  - DragonOffice.exe (PID: 5384)
  - DragonOffice.exe (PID: 5164)
  - DragonKMS v24.11.18.exe (PID: 5380)
- Checks proxy server information
  - DragonOffice.exe (PID: 5384)
  - DragonKMS v24.11.18.exe (PID: 5380)
  - DragonOffice.exe (PID: 5164)
- Disables trace logs
  - DragonOffice.exe (PID: 5384)
  - DragonOffice.exe (PID: 5164)
  - DragonKMS v24.11.18.exe (PID: 5380)
- Reads product name
  - DragonKMS v24.11.18.exe (PID: 5380)
- Reads security settings of Internet Explorer
  - cscript.exe (PID: 2908)
  - cscript.exe (PID: 3008)
  - cscript.exe (PID: 2800)
- Reads Microsoft Office registry keys
  - DragonOffice.exe (PID: 5164)
- Application launched itself
  - msedge.exe (PID: 7392)
  - msedge.exe (PID: 7660)
- Manual execution by a user
  - msedge.exe (PID: 7660)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.rar	\|	RAR compressed archive (v5.0) (61.5)
.rar	\|	RAR compressed archive (gen) (38.4)

EXIF

ZIP

FileVersion:	RAR v5
CompressedSize:	316
UncompressedSize:	346
OperatingSystem:	Win32
ArchivedFileName:	用前必看.txt

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

187

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

536

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5140 --field-trial-handle=2396,i,2307440225020223154,4086153420293679544,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

736

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=4356 --field-trial-handle=2396,i,2307440225020223154,4086153420293679544,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

2108

"C:\Users\admin\AppData\Local\Temp\Rar$EXa4688.47800\Office一键部署工具.exe"

C:\Users\admin\AppData\Local\Temp\Rar$EXa4688.47800\Office一键部署工具.exe

WinRAR.exe

User:

admin

Integrity Level:

MEDIUM

Modules

Images
c:\users\admin\appdata\local\temp\rar$exa4688.47800\office一键部署工具.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.19041.3996_none_91a79472cc852ba0\gdiplus.dll

2136

"cmd.exe"

C:\Windows\System32\cmd.exe

—

DragonKMS v24.11.18.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows Command Processor

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\wldp.dll

2148

"C:\Users\admin\AppData\Local\Temp\RarSFX0\DragonOffice.exe"

C:\Users\admin\AppData\Local\Temp\RarSFX0\DragonOffice.exe

—

Office一键部署工具.exe

User:

admin

Integrity Level:

MEDIUM

Description:

DragonOffice

Exit code:

3221226540

Version:

24.12.09.0

Modules

Images
c:\users\admin\appdata\local\temp\rarsfx0\dragonoffice.exe
c:\windows\system32\ntdll.dll

2800

cscript C:\WINDOWS\System32\slmgr.vbs /ato

C:\Windows\System32\cscript.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Microsoft ® Console Based Script Host

Exit code:

Version:

5.812.10240.16384

Modules

Images
c:\windows\system32\cscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

2908

cscript C:\WINDOWS\System32\slmgr.vbs /ipk W269N-WFGWX-YVC9B-4J6C9-T83GX

C:\Windows\System32\cscript.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Microsoft ® Console Based Script Host

Exit code:

Version:

5.812.10240.16384

Modules

Images
c:\windows\system32\cscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

3008

cscript C:\WINDOWS\System32\slmgr.vbs /skms win.xdym11235.com

C:\Windows\System32\cscript.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Microsoft ® Console Based Script Host

Exit code:

Version:

5.812.10240.16384

Modules

Images
c:\windows\system32\cscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

3240

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

3268

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --extension-process --renderer-sub-type=extension --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4192 --field-trial-handle=2396,i,2307440225020223154,4086153420293679544,262144 --variations-seed-version /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

Add for printing

Total events

11 003

Read events

10 943

Write events

Delete events

Modification events


(PID) Process:	(4688) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	3
Value: C:\Users\admin\Desktop\preferences.zip
(PID) Process:	(4688) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	2
Value: C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process:	(4688) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	1
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip
(PID) Process:	(4688) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\AppData\Local\Temp\DragonKMS_Defender10.rar
(PID) Process:	(4688) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(4688) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(4688) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(4688) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100
(PID) Process:	(5384) DragonOffice.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\DragonOffice_RASAPI32
Operation:	write	Name:	EnableFileTracing
Value: 0
(PID) Process:	(5384) DragonOffice.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\DragonOffice_RASAPI32
Operation:	write	Name:	EnableAutoFileTracing
Value: 0

Add for printing

Executable files

Suspicious files

190

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
4688	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$EXa4688.47800\DragonKMS v24.11.18.exe		executable
		MD5:4E882D0CBE18C30B79F86EF0F75B5DF8	SHA256:E3FD25169FFEBB64BEC8F32365783A8EA2913F8716E8B10E9F2C15D6227F5A71
4688	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$EXa4688.47800\用前必看.txt		text
		MD5:511FE9AECE8FB432150763AEA7624738	SHA256:A75BB8B2E556176725D6A5AF62B3ABBC6E51DB3358A575E7F6F6ADDCECD4BC75
4688	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$EXa4688.47836\用前必看.txt		text
		MD5:511FE9AECE8FB432150763AEA7624738	SHA256:A75BB8B2E556176725D6A5AF62B3ABBC6E51DB3358A575E7F6F6ADDCECD4BC75
4688	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$EXa4688.47836\DragonKMS v24.11.18.exe		executable
		MD5:4E882D0CBE18C30B79F86EF0F75B5DF8	SHA256:E3FD25169FFEBB64BEC8F32365783A8EA2913F8716E8B10E9F2C15D6227F5A71
4688	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$EXa4688.47800\一键关闭WD.exe		executable
		MD5:50FAA83BEEFD61822A917E9DCA623AC7	SHA256:08AF6526A87B060DF851BECF179D462786FEDBC1E40A6EF5D9833AADC9A13916
2108	Office一键部署工具.exe	C:\Users\admin\AppData\Local\Temp\RarSFX0\configuration\ProPlus2021Retail.xml		text
		MD5:B9495D6EECE229EF966CE765EA50C7A5	SHA256:725508B80BDAD250DD61CF9D1FE1C986C3C39ADC12952901838F916472D8267C
2108	Office一键部署工具.exe	C:\Users\admin\AppData\Local\Temp\RarSFX0\configuration\ProjectPro2019Retail.xml		text
		MD5:8E305E968E81497DF5477A1331D199BD	SHA256:95B7F6FAD1BEAAECADC725686CDD762C59CE14833DB565D4733CE6F4D7D923D1
2108	Office一键部署工具.exe	C:\Users\admin\AppData\Local\Temp\RarSFX0\configuration\OfficeSetup.exe		executable
		MD5:2BA6246A85064DB4978F19EC71C347F7	SHA256:335932E68D7A8BFA4FA00BBCDEA09256ED6ECAB2BEDD640E2580B0B43E3B7744
2108	Office一键部署工具.exe	C:\Users\admin\AppData\Local\Temp\RarSFX0\configuration\ProjectPro2024Retail.xml		text
		MD5:718A33530632B5E15396BCE88AA8E045	SHA256:2A3D825EBAA82D5A8E9408CBE12DC32A84268DD905595F0C5584F2FBF8B8E0E2
2108	Office一键部署工具.exe	C:\Users\admin\AppData\Local\Temp\RarSFX0\configuration\ProPlus2016Retail.xml		text
		MD5:FB7451F5D3086AF14DC06806C329774A	SHA256:CA74F0561F4E774E34DF9256E244797BA8E479AE5D20F5DF8471975DCECF06EC

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5496	MoUsoCoreWorker.exe	GET	200	2.16.164.120:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
7972	msedge.exe	GET	200	116.255.154.157:80	http://www.yishimei.cn/themes/j-spring/source/style.css.asp	unknown	—	—	unknown
7972	msedge.exe	GET	200	116.255.154.157:80	http://www.yishimei.cn/function/c_html_js_add.asp	unknown	—	—	unknown
7972	msedge.exe	GET	200	116.255.154.157:80	http://www.yishimei.cn/script/common.js	unknown	—	—	unknown
7972	msedge.exe	GET	200	116.255.154.157:80	http://www.yishimei.cn/script/ad_daohang.js	unknown	—	—	unknown
7972	msedge.exe	GET	200	116.255.154.157:80	http://www.yishimei.cn/themes/j-spring/style/j-spring.css	unknown	—	—	unknown
7972	msedge.exe	GET	200	116.255.154.157:80	http://www.yishimei.cn/script/ad_banner.js	unknown	—	—	unknown
7972	msedge.exe	GET	200	116.255.154.157:80	http://www.yishimei.cn/script/ad_search.js	unknown	—	—	unknown
7972	msedge.exe	GET	200	116.255.154.157:80	http://www.yishimei.cn/script/ad_sidebar_up.js	unknown	—	—	unknown
7972	msedge.exe	GET	200	116.255.154.157:80	http://www.yishimei.cn/script/ad_sidebar_down.js	unknown	—	—	unknown

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
—	—	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
5496	MoUsoCoreWorker.exe	2.16.164.120:80	crl.microsoft.com	Akamai International B.V.	NL	whitelisted
—	—	2.16.164.120:80	crl.microsoft.com	Akamai International B.V.	NL	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
3216	svchost.exe	172.211.123.250:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	FR	whitelisted
6544	svchost.exe	40.126.31.69:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
6544	svchost.exe	2.17.190.73:80	ocsp.digicert.com	AKAMAI-AS	DE	whitelisted
2104	svchost.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
5164	DragonOffice.exe	116.255.154.157:80	www.yishimei.cn	CHINA UNICOM China169 Backbone	CN	unknown

DNS requests

Domain	IP	Reputation
google.com	216.58.206.46	whitelisted
settings-win.data.microsoft.com	40.127.240.158	whitelisted
crl.microsoft.com	2.16.164.120 2.16.164.49	whitelisted
client.wns.windows.com	172.211.123.250	whitelisted
login.live.com	40.126.31.69 20.190.159.2 20.190.159.71 40.126.31.129 20.190.159.64 20.190.159.73 40.126.31.2 20.190.159.128 20.190.160.2 20.190.160.131 20.190.160.17 40.126.32.138 20.190.160.3 20.190.160.66 20.190.160.22 20.190.160.128	whitelisted
ocsp.digicert.com	2.17.190.73	whitelisted
www.yishimei.cn	116.255.154.157	unknown
win.xdym11235.com	162.14.106.167	unknown
kms.kmzs123.cn	43.154.112.29	unknown
kms.luody.info	124.90.28.143	unknown

Threats

No threats detected

Add for printing

No debug info

General Info

DragonKMS_Defender10.rar

2F5154D910A1C969A80873EDF72B3355

4DF1F33BFB247BBE68C4C39BDB76114C3EA55437

8596F125C9AC117DB77B588561C0F14994A4FCE0F6E5C9662B9078B4450442AA

98304:YWtisVSGZXimkv7J5JNrYP7mLOs1T65JWnClf36jNf9a86+KbDkKW5PDfBJMNDs6:Hq972lrLF

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Accesses name of the domain to which a computer belongs via WMI (SCRIPT)

SUSPICIOUS

Reads security settings of Internet Explorer

Executable content was dropped or overwritten

Reads the date of Windows installation

Process drops legitimate windows executable

Connects to unusual port

Starts CMD.EXE for commands execution

The process executes VB scripts

Reads data from a binary Stream object (SCRIPT)

Uses WMI to retrieve WMI-managed resources (SCRIPT)

Gets full path of the running script (SCRIPT)

Creates file in the systems drive root

INFO

Reads the computer name

Create files in a temporary directory

Checks supported languages

Executable content was dropped or overwritten

Process checks computer location settings

Reads Environment values

Reads the machine GUID from the registry

Checks proxy server information

Disables trace logs

Reads product name

Reads security settings of Internet Explorer

Reads Microsoft Office registry keys

Application launched itself

Manual execution by a user

Malware configuration

Static information

TRiD

EXIF

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings