File name:

KMSauto-setup.exe

Full analysis: https://app.any.run/tasks/d69bd405-b600-4258-9c50-ef578385ec7d
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Malware Trends Tracker     >>>
Analysis date: June 28, 2023, 00:37:36
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
stealer
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

E3579686292A5970AD407DA9A72A3DB5

SHA1:

F905E7CF8176DBBA96DDC6F76E3BFE6740ACC838

SHA256:

8BF4E04B7E1B2B2C7F2DCC121E6AD045D9E707771E5B39AC6A6A3E4FCDBC515A

SSDEEP:

98304:JR/Z+x4tc1xa5e/pPx4x9KdfYsMmkfm5qsuDKZuxYdFinT:vZ1axaypP2kfY1fbscauxWC

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • build.exe (PID: 3792)
      • KMSAuto Net.exe (PID: 2468)
      • KMSAuto Net.exe (PID: 1148)
      • wzt.dat (PID: 2796)
      • bin_x86.dat (PID: 2876)
      • bin.dat (PID: 3512)
      • certmgr.exe (PID: 596)
      • certmgr.exe (PID: 2896)
      • AESDecoder.exe (PID: 1360)
      • KMSSS.exe (PID: 2404)

    • Unusual connection from system programs

      • wscript.exe (PID: 3864)

    • Steals credentials

      • build.exe (PID: 3792)

    • Steals credentials from Web Browsers

      • build.exe (PID: 3792)

    • Actions looks like stealing of personal data

      • build.exe (PID: 3792)

  • SUSPICIOUS

    • The process executes VB scripts

      • KMSauto-setup.exe (PID: 3412)

    • Executable content was dropped or overwritten

      • KMSauto-setup.exe (PID: 3412)
      • KMSAuto Net.exe (PID: 2468)
      • bin.dat (PID: 3512)
      • AESDecoder.exe (PID: 1360)
      • wzt.dat (PID: 2796)
      • bin_x86.dat (PID: 2876)

    • Reads the Internet Settings

      • KMSauto-setup.exe (PID: 3412)
      • wscript.exe (PID: 3864)
      • build.exe (PID: 3792)

    • Reads Internet Explorer settings

      • KMSAuto Net.exe (PID: 2468)

    • Starts CMD.EXE for commands execution

      • KMSAuto Net.exe (PID: 2468)
      • cmd.exe (PID: 2032)

    • Starts application with an unusual extension

      • cmd.exe (PID: 3608)
      • cmd.exe (PID: 3828)
      • cmd.exe (PID: 944)

    • Drops a system driver (possible attempt to evade defenses)

      • bin_x86.dat (PID: 2876)

    • Application launched itself

      • cmd.exe (PID: 2032)

    • Creates or modifies Windows services

      • KMSAuto Net.exe (PID: 2468)

    • Uses NETSH.EXE to delete a firewall rule or allowed programs

      • KMSAuto Net.exe (PID: 2468)

    • Uses NETSH.EXE to add a firewall rule or allowed programs

      • KMSAuto Net.exe (PID: 2468)

    • Starts SC.EXE for service management

      • KMSAuto Net.exe (PID: 2468)

    • Uses REG/REGEDIT.EXE to modify registry

      • KMSAuto Net.exe (PID: 2468)
      • cmd.exe (PID: 3120)

    • Executes as Windows Service

      • KMSSS.exe (PID: 2404)

  • INFO

    • The process checks LSA protection

      • KMSauto-setup.exe (PID: 3412)
      • KMSAuto Net.exe (PID: 2468)
      • build.exe (PID: 3792)
      • netsh.exe (PID: 3488)
      • netsh.exe (PID: 2484)
      • KMSSS.exe (PID: 2404)
      • netsh.exe (PID: 876)

    • Checks supported languages

      • KMSauto-setup.exe (PID: 3412)
      • build.exe (PID: 3792)
      • KMSAuto Net.exe (PID: 2468)
      • certmgr.exe (PID: 2896)
      • certmgr.exe (PID: 596)
      • bin.dat (PID: 3512)
      • AESDecoder.exe (PID: 1360)
      • bin_x86.dat (PID: 2876)
      • wzt.dat (PID: 2796)
      • KMSSS.exe (PID: 2404)

    • Reads the computer name

      • KMSauto-setup.exe (PID: 3412)
      • KMSAuto Net.exe (PID: 2468)
      • build.exe (PID: 3792)
      • KMSSS.exe (PID: 2404)

    • Creates files or folders in the user directory

      • KMSauto-setup.exe (PID: 3412)
      • KMSAuto Net.exe (PID: 2468)

    • Reads the machine GUID from the registry

      • KMSAuto Net.exe (PID: 2468)
      • build.exe (PID: 3792)
      • KMSSS.exe (PID: 2404)

    • Reads Environment values

      • KMSAuto Net.exe (PID: 2468)
      • build.exe (PID: 3792)

    • Checks proxy server information

      • wscript.exe (PID: 3864)
      • build.exe (PID: 3792)

    • Reads product name

      • KMSAuto Net.exe (PID: 2468)
      • build.exe (PID: 3792)

    • Creates files in the program directory

      • build.exe (PID: 3792)
      • cmd.exe (PID: 2800)
      • bin.dat (PID: 3512)
      • AESDecoder.exe (PID: 1360)
      • wzt.dat (PID: 2796)
      • KMSAuto Net.exe (PID: 2468)
      • bin_x86.dat (PID: 2876)
      • KMSSS.exe (PID: 2404)

    • [YARA] Network interface manipulation strings were found

      • KMSAuto Net.exe (PID: 2468)

    • [YARA] Firewall manipulation strings were found

      • KMSAuto Net.exe (PID: 2468)

    • Reads CPU info

      • build.exe (PID: 3792)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

Subsystem: Windows GUI
SubsystemVersion: 5.1
ImageVersion: -
OSVersion: 5.1
EntryPoint: 0x1e1f9
UninitializedDataSize: -
InitializedDataSize: 78848
CodeSize: 198144
LinkerVersion: 14
PEType: PE32
ImageFileCharacteristics: Executable, 32-bit
TimeStamp: 2020:03:26 10:02:47+00:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 26-Mar-2020 10:02:47
Detected languages:
  • Process Default Language
Debug artifacts:
  • D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x00000118

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 6
Time date stamp: 26-Mar-2020 10:02:47
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
0x00001000
0x00030581
0x00030600
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
6.70021
.rdata
0x00032000
0x0000A332
0x0000A400
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
5.23888
.data
0x0003D000
0x000238B0
0x00001200
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
3.83994
.gfids
0x00061000
0x000000E8
0x00000200
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
2.12166
.rsrc
0x00062000
0x00005870
0x00005A00
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
6.53498
.reloc
0x00068000
0x0000210C
0x00002200
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
6.61039

Resources

Title
Entropy
Size
Codepage
Language
Type
1
5.25329
1875
Latin 1 / Western European
UNKNOWN
RT_MANIFEST
7
3.66634
508
Latin 1 / Western European
UNKNOWN
RT_STRING
8
3.71728
582
Latin 1 / Western European
UNKNOWN
RT_STRING
9
3.73856
422
Latin 1 / Western European
UNKNOWN
RT_STRING
10
3.55807
220
Latin 1 / Western European
UNKNOWN
RT_STRING
11
3.89762
1124
Latin 1 / Western European
UNKNOWN
RT_STRING
12
3.68258
356
Latin 1 / Western European
UNKNOWN
RT_STRING
13
3.61824
272
Latin 1 / Western European
UNKNOWN
RT_STRING
14
3.61995
344
Latin 1 / Western European
UNKNOWN
RT_STRING
15
3.4037
232
Latin 1 / Western European
UNKNOWN
RT_STRING

Imports

KERNEL32.dll
USER32.dll (delay-loaded)
gdiplus.dll
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
134
Monitored processes
53
Malicious processes
12
Suspicious processes
2

Behavior graph

Click at the process to see the details
drop and start drop and start drop and start start kmsauto-setup.exe wscript.exe build.exe kmsauto net.exe no specs kmsauto net.exe cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs wzt.dat cmd.exe no specs cmd.exe no specs certmgr.exe no specs cmd.exe no specs certmgr.exe no specs cmd.exe no specs cmd.exe no specs bin.dat cmd.exe no specs cmd.exe no specs aesdecoder.exe cmd.exe no specs cmd.exe no specs bin_x86.dat cmd.exe no specs cmd.exe no specs cmd.exe no specs netstat.exe no specs find.exe no specs netsh.exe no specs netsh.exe no specs sc.exe no specs sc.exe no specs kmsss.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs sc.exe no specs sc.exe no specs cmd.exe no specs reg.exe no specs netsh.exe no specs cmd.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
124"C:\Windows\System32\cmd.exe" /c rd "C:\ProgramData\KMSAuto\wzt" /S /QC:\Windows\System32\cmd.exeKMSAuto Net.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
452find ":1688 "C:\Windows\System32\find.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Find String (grep) Utility
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\find.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\ulib.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
596certmgr.exe -add wzteam.cer -n wzteam -s -r localMachine TRUSTEDPUBLISHERC:\ProgramData\KMSAuto\wzt\certmgr.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
ECM Certificate Manager
Exit code:
0
Version:
6.3.9600.17298 (winblue.141024-1500)
Modules
Images
c:\programdata\kmsauto\wzt\certmgr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
624C:\Windows\System32\cmd.exe /D /c del /F /Q "bin.dat"C:\Windows\System32\cmd.exeKMSAuto Net.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\cmd.exe
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\lpk.dll
876C:\Windows\System32\Netsh Advfirewall Firewall delete rule name="0pen Port KMS" protocol=TCPC:\Windows\System32\netsh.exeKMSAuto Net.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Network Command Shell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\credui.dll
c:\windows\system32\user32.dll
944C:\Windows\System32\cmd.exe /D /c wzt.dat -y -pkmsautoC:\Windows\System32\cmd.exeKMSAuto Net.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\winbrand.dll
1048C:\Windows\System32\reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\59A52881-A989-479D-AF46-F275C6370663" /fC:\Windows\System32\reg.exeKMSAuto Net.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\ntdll.dll
c:\windows\system32\reg.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
1060"sc.exe" start KMSEmulatorC:\Windows\System32\sc.exeKMSAuto Net.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
A tool to aid in developing services for WindowsNT
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\msvcrt.dll
1148"C:\Users\admin\AppData\Roaming\KMSAuto Net.exe" C:\Users\admin\AppData\Roaming\KMSAuto Net.exeKMSauto-setup.exe
User:
admin
Company:
MSFree Inc.
Integrity Level:
MEDIUM
Description:
KMSAuto Net
Exit code:
3221226540
Version:
1.5.1
Modules
Images
c:\users\admin\appdata\roaming\kmsauto net.exe
c:\windows\system32\ntdll.dll
1360AESDecoder.exeC:\ProgramData\KMSAuto\bin\AESDecoder.exe
cmd.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\programdata\kmsauto\bin\aesdecoder.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.24542_none_5c0717c7a00ddc6d\gdiplus.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
Total events
5 122
Read events
4 891
Write events
223
Delete events
8

Modification events

(PID) Process:(3412) KMSauto-setup.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(3412) KMSauto-setup.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(3412) KMSauto-setup.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(3412) KMSauto-setup.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
(PID) Process:(3864) wscript.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(3864) wscript.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(3864) wscript.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(3864) wscript.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
(PID) Process:(3864) wscript.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:writeName:ProxyEnable
Value:
0
(PID) Process:(3864) wscript.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation:writeName:SavedLegacySettings
Value:
460000003D010000090000000000000000000000000000000400000000000000C0E333BBEAB1D3010000000000000000000000000100000002000000C0A80164000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Executable files
20
Suspicious files
11
Text files
6
Unknown types
0

Dropped files

PID
Process
Filename
Type
3108cmd.exeC:\Users\admin\AppData\Roaming\test.testtext
MD5:9F06243ABCB89C70E0C331C61D871FA7
SHA256:837CCB607E312B170FAC7383D7CCFD61FA5072793F19A25E75FBACB56539B86B
3792build.exeC:\ProgramData\VJ9BIDZ656\ldbinary
MD5:CC104C4E4E904C3AD7AD5C45FBFA7087
SHA256:321BE844CECC903EF1E7F875B729C96BB3ED0D4986314384CD5944A29A670C9B
2468KMSAuto Net.exeC:\ProgramData\KMSAuto\wzt.datexecutable
MD5:822DA2319294F2B768BFE9ED4EEBAC15
SHA256:17B74D4EA905FAC0BA6857F78F47EE1E940675AF1BC27DED69FE2941318106EF
3412KMSauto-setup.exeC:\Users\admin\AppData\Roaming\KMSAuto Net.exeexecutable
MD5:93A3A8CE440197D31168FAC569082937
SHA256:22EF521964080E77D7006F9341D720683FA98409361C62A7BC4FE81EC474B1B2
3792build.exeC:\ProgramData\VJ9BIDZ656\files\passwords.txttext
MD5:E0EE1892004A327AE8878494352A35E6
SHA256:E1B782EB670A6D8ED01FEB9CD9DDEF9AE20569B72A1E33E078906D07627F7850
3412KMSauto-setup.exeC:\Users\admin\AppData\Roaming\build.exeexecutable
MD5:A6B5C87539EAC134BA4E9E5357360C39
SHA256:8A097CC7EBC19503EE7EFCCAB9F05FD25D7024F735C8C8C19372595C9FE9D779
2468KMSAuto Net.exeC:\Users\admin\AppData\Local\MSfree Inc\kmsauto.initext
MD5:AF6A20FD7DFADCD582CCF2B1BFAAF82B
SHA256:0BEE97833A70AA9BA271E93226DACE849836C64919FBFE15543D694E219D4AF2
2796wzt.datC:\ProgramData\KMSAuto\wzt\wzteam.cerbinary
MD5:76B56D90E6F1DA030A8B85E64579F25A
SHA256:FD2D7DF0220DD65EE23D0090299DFCC356F6F8F7167BAE9ADF7D08CEFAF39D02
3512bin.datC:\ProgramData\KMSAuto\bin\TunMirror.exeexecutable
MD5:2ED9C12A91E795804B1B770958C647AC
SHA256:CB56C248A38292C234D1AABE5E33A671FE8AE8AED28E0C8C4FBE767E4E7B82F5
2468KMSAuto Net.exeC:\ProgramData\KMSAuto\bin_x86.datexecutable
MD5:6C227B04F0605AF1A1B75F8FE16D1424
SHA256:DCFDAB4ED4F5E5A821EB8FF9E85453A426AF3E725A0849CC4B0599746C879456
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
7
DNS requests
4
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
4
System
192.168.100.255:137
whitelisted
3672
svchost.exe
239.255.255.250:1900
whitelisted
1076
svchost.exe
224.0.0.252:5355
unknown
3864
wscript.exe
148.251.234.93:443
ezstat.ru
Hetzner Online GmbH
DE
malicious
3792
build.exe
208.95.112.1:80
ip-api.com
TUT-AS
US
malicious

DNS requests

Domain
IP
Reputation
ezstat.ru
  • 148.251.234.93
shared
newcoldstart.com
malicious
ip-api.com
  • 208.95.112.1
malicious
dns.msftncsi.com
  • 131.107.255.255
shared

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
KMSauto-setup.exe