File name:

ACTIVADOR WINDOWS 10 FINAL.rar

Full analysis: https://app.any.run/tasks/21c59fe0-fa54-4d8b-94cc-e3dd9d936835
Verdict: Malicious activity
Analysis date: January 31, 2024, 19:08:30
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-rar
File info: RAR archive data, v4, os: Win32
MD5:

A4476B9DB40C3420CB560EB72E6C9443

SHA1:

CF6CA5141E7F65BCE02588F924A2F1861F145781

SHA256:

8EBE70793D8E4D79B54078BB6E84EFB184C76063A9ACB918B2E32BC4B29F79CE

SSDEEP:

98304:uBj/F99Rj/T+KjXdgjHqXU3iF6NIBjRfUVcuvK4q1qDw6MlQvZi3ORAh9GR7zKhG:bZP

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 572)
      • KMSAuto Net.exe (PID: 3752)
      • bin.dat (PID: 3936)
      • bin_x86.dat (PID: 2208)

    • Opens a text file (SCRIPT)

      • cscript.exe (PID: 2996)

  • SUSPICIOUS

    • Creates FileSystem object to access computer's file system (SCRIPT)

      • cscript.exe (PID: 2996)

    • Gets full path of the running script (SCRIPT)

      • cscript.exe (PID: 2996)

    • The process executes VB scripts

      • KMSAuto Net.exe (PID: 3752)

    • Uses WMI to retrieve WMI-managed resources (SCRIPT)

      • cscript.exe (PID: 2996)

    • Checks whether a specific file exists (SCRIPT)

      • cscript.exe (PID: 2996)

    • Reads data from a binary Stream object (SCRIPT)

      • cscript.exe (PID: 2996)

    • Executes WMI query (SCRIPT)

      • cscript.exe (PID: 2996)

    • Executable content was dropped or overwritten

      • KMSAuto Net.exe (PID: 3752)
      • bin_x86.dat (PID: 2208)
      • bin.dat (PID: 3936)

    • Drops 7-zip archiver for unpacking

      • KMSAuto Net.exe (PID: 3752)

    • Starts application with an unusual extension

      • cmd.exe (PID: 120)
      • cmd.exe (PID: 2292)

    • Process drops legitimate windows executable

      • bin_x86.dat (PID: 2208)

    • Application launched itself

      • cmd.exe (PID: 3724)

    • Drops a system driver (possible attempt to evade defenses)

      • bin_x86.dat (PID: 2208)

    • Starts CMD.EXE for commands execution

      • cmd.exe (PID: 3724)
      • KMSAuto Net.exe (PID: 3752)

    • Uses NETSH.EXE to delete a firewall rule or allowed programs

      • KMSAuto Net.exe (PID: 3752)

    • Uses NETSH.EXE to add a firewall rule or allowed programs

      • KMSAuto Net.exe (PID: 3752)

    • Executes as Windows Service

      • KMSSS.exe (PID: 880)

    • Creates or modifies Windows services

      • KMSAuto Net.exe (PID: 3752)

    • Starts SC.EXE for service management

      • KMSAuto Net.exe (PID: 3752)

    • Uses REG/REGEDIT.EXE to modify registry

      • KMSAuto Net.exe (PID: 3752)
      • cmd.exe (PID: 2776)

    • Reads Internet Explorer settings

      • KMSAuto Net.exe (PID: 3752)

  • INFO

    • Reads the machine GUID from the registry

      • KMSAuto Net.exe (PID: 3752)
      • KMSSS.exe (PID: 880)

    • Manual execution by a user

      • KMSAuto Net.exe (PID: 1932)
      • KMSAuto Net.exe (PID: 3752)

    • Checks supported languages

      • KMSAuto Net.exe (PID: 3752)
      • bin.dat (PID: 3936)
      • bin_x86.dat (PID: 2208)
      • KMSSS.exe (PID: 880)

    • Reads the computer name

      • KMSAuto Net.exe (PID: 3752)
      • KMSSS.exe (PID: 880)

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 572)

    • Creates files in the program directory

      • KMSAuto Net.exe (PID: 3752)
      • cmd.exe (PID: 2444)
      • bin_x86.dat (PID: 2208)
      • bin.dat (PID: 3936)
      • KMSSS.exe (PID: 880)

    • Reads security settings of Internet Explorer

      • cscript.exe (PID: 2996)

    • Creates files or folders in the user directory

      • KMSAuto Net.exe (PID: 3752)

    • Reads product name

      • KMSAuto Net.exe (PID: 3752)

    • Reads Environment values

      • KMSAuto Net.exe (PID: 3752)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rar | RAR compressed archive (v-4.x) (58.3)
.rar | RAR compressed archive (gen) (41.6)

EXIF

ZIP

CompressedSize: 302
UncompressedSize: 387
OperatingSystem: Win32
ModifyDate: 2015:07:30 19:10:36
PackingMethod: Normal
ArchivedFileName: ACTIVADOR WINDOWS 10 FINAL\ACTIVADOR WINDOWS 10 FINAL\KMSAuto Net 2015 v1.3.5\Importante!.txt
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
112
Monitored processes
37
Malicious processes
5
Suspicious processes
1

Behavior graph

Click at the process to see the details
start winrar.exe kmsauto net.exe no specs kmsauto net.exe cmd.exe no specs cmd.exe no specs cmd.exe no specs cscript.exe no specs cmd.exe no specs cmd.exe no specs bin.dat cmd.exe no specs cmd.exe no specs bin_x86.dat cmd.exe no specs cmd.exe no specs cmd.exe no specs netstat.exe no specs find.exe no specs netsh.exe no specs netsh.exe no specs sc.exe no specs sc.exe no specs kmsss.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs sc.exe no specs sc.exe no specs cmd.exe no specs reg.exe no specs netsh.exe no specs cmd.exe no specs cmd.exe no specs PhotoViewer.dll no specs

Process information

PID
CMD
Path
Indicators
Parent process
120C:\Windows\System32\cmd.exe /c bin.dat -y -pkmsautoC:\Windows\System32\cmd.exeKMSAuto Net.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
124C:\Windows\System32\reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\0FF1CE15-A989-479D-AF46-F275C6370663" /fC:\Windows\System32\reg.exeKMSAuto Net.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
316C:\Windows\System32\reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\59A52881-A989-479D-AF46-F275C6370663" /fC:\Windows\System32\reg.exeKMSAuto Net.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
548C:\Windows\System32\reg delete "HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f" /fC:\Windows\System32\reg.exeKMSAuto Net.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
560cmd /c echo test>>"C:\Users\admin\Desktop\ACTIVADOR WINDOWS 10 FINAL\ACTIVADOR WINDOWS 10 FINAL\KMSAuto Net 2015 v1.3.5\test.test"C:\Windows\System32\cmd.exeKMSAuto Net.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
572"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\ACTIVADOR WINDOWS 10 FINAL.rar"C:\Program Files\WinRAR\WinRAR.exe
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
696C:\Windows\System32\cmd.exe /c del /F /Q "bin_x86.dat"C:\Windows\System32\cmd.exeKMSAuto Net.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
880"C:\ProgramData\KMSAuto\bin\KMSSS.exe" -Port 1688 -PWin RandomKMSPID -PO14 RandomKMSPID -PO15 RandomKMSPID -AI 43200 -RI 43200 KillProcessOnPort -Log -IPC:\ProgramData\KMSAuto\bin\KMSSS.exeservices.exe
User:
SYSTEM
Company:
MDL Forum, mod by Ratiborus
Integrity Level:
SYSTEM
Description:
KMS Server Emulator Service (XP)
Exit code:
0
Version:
1.2.1.0
Modules
Images
c:\programdata\kmsauto\bin\kmsss.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
1376reg.exe DELETE HKLM\SYSTEM\CurrentControlSet\Services\KMSEmulator /fC:\Windows\System32\reg.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
1380"sc.exe" stop KMSEmulatorC:\Windows\System32\sc.exeKMSAuto Net.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
A tool to aid in developing services for WindowsNT
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
Total events
3 351
Read events
3 186
Write events
161
Delete events
4

Modification events

(PID) Process:(572) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(572) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:3
Value:
C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip
(PID) Process:(572) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:2
Value:
C:\Users\admin\Desktop\phacker.zip
(PID) Process:(572) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:1
Value:
C:\Users\admin\Desktop\Win7-KB3191566-x86.zip
(PID) Process:(572) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip
(PID) Process:(572) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(572) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(572) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(572) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
(PID) Process:(572) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\MainWin
Operation:writeName:Placement
Value:
2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF42000000420000000204000037020000
Executable files
16
Suspicious files
7
Text files
13
Unknown types
0

Dropped files

PID
Process
Filename
Type
572WinRAR.exeC:\Users\admin\Desktop\ACTIVADOR WINDOWS 10 FINAL\ACTIVADOR WINDOWS 10 FINAL\KMSAuto Net 2015 v1.3.5\Importante!.txttext
MD5:52537AD40E30E02696E304454819408F
SHA256:67A7785A6DB50CEE1C7E656D437E55F74A1F3A76F5183F77B61DC50553579C2A
572WinRAR.exeC:\Users\admin\Desktop\ACTIVADOR WINDOWS 10 FINAL\ACTIVADOR WINDOWS 10 FINAL\KMSAuto Net 2015 v1.3.5\readme\KMSAutoNet135.PNGimage
MD5:C669E33BE9AC2930C1E4933434B4BFBF
SHA256:9E43A49A896AE58745B44BBC69E27DF0885EAE3B769CEF86792EB7C1FAE868F6
572WinRAR.exeC:\Users\admin\Desktop\ACTIVADOR WINDOWS 10 FINAL\ACTIVADOR WINDOWS 10 FINAL\KMSAuto Net 2015 v1.3.5\readme\readme_es.txttext
MD5:DB8F9EF6B7AD971FABB9C5E59080D42A
SHA256:1A5CB8028C69B3F0A7A2C406411EF35843AEF460330BBAA0185E4FC04D0A15E8
572WinRAR.exeC:\Users\admin\Desktop\ACTIVADOR WINDOWS 10 FINAL\ACTIVADOR WINDOWS 10 FINAL\KMSAuto Net 2015 v1.3.5\readme\readme_cn.txttext
MD5:53B95C350114CCA14AFDA7CBA393D8A3
SHA256:A5010CA12FF3477DC893C86512783A1459FB612A6172A13020DF02E621D15E37
572WinRAR.exeC:\Users\admin\Desktop\ACTIVADOR WINDOWS 10 FINAL\ACTIVADOR WINDOWS 10 FINAL\KMSAuto Net 2015 v1.3.5\readme\readme_en.txttext
MD5:A4214551779E4D027C4C21A65FEAC0C6
SHA256:8545638E4E191996B7D5148C838AB513C6F93C22753C83BCEE5887B82F4B1719
572WinRAR.exeC:\Users\admin\Desktop\ACTIVADOR WINDOWS 10 FINAL\ACTIVADOR WINDOWS 10 FINAL\KMSAuto Net 2015 v1.3.5\readme\readme_vi.txttext
MD5:B4131EE2CC8BA85BB9818D0685E4899B
SHA256:5542B96ECF12B8BCE7478D6877E532A704E43C261F9E8FF849C17C94456161D7
572WinRAR.exeC:\Users\admin\Desktop\ACTIVADOR WINDOWS 10 FINAL\ACTIVADOR WINDOWS 10 FINAL\KMSAuto Net 2015 v1.3.5\readme\readme_ua.txttext
MD5:14334F28805CA1FE963156436F4DD77A
SHA256:07F48B8DDE0B8A3465E253C2B4CFABF66E8FDBA9803692DEEE9F1504A7D1B9FF
572WinRAR.exeC:\Users\admin\Desktop\ACTIVADOR WINDOWS 10 FINAL\ACTIVADOR WINDOWS 10 FINAL\KMSAuto Net 2015 v1.3.5\readme\readme_ru.txttext
MD5:59B53B8361CDFB5846CB1830A4572707
SHA256:91ADA9BB250D4C465B8B8C2B62D8FEF151DAB0C50F5EB12F0E7E6107976F4632
572WinRAR.exeC:\Users\admin\Desktop\ACTIVADOR WINDOWS 10 FINAL\ACTIVADOR WINDOWS 10 FINAL\KMSAuto Net 2015 v1.3.5\KMSAuto Net.exeexecutable
MD5:0CA71A9F5914ECA4E62D52694B3C2302
SHA256:0CADA35DCB0F46630296241F4D2E1974B99C104CB0A6438F575C0BCE51098362
572WinRAR.exeC:\Users\admin\Desktop\ACTIVADOR WINDOWS 10 FINAL\ACTIVADOR WINDOWS 10 FINAL\KMSAuto Net 2015 v1.3.5\readme\readme_fr.txttext
MD5:3FA39B8942AD44C33E4BA2ACDAC95CF8
SHA256:872D9C79021FDC8BAB4CD1C5D95BFDDBECADD8062D93E32B843D4D4F1FCE38A9
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
4
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
4
System
192.168.100.255:138
whitelisted
1080
svchost.exe
224.0.0.252:5355
unknown

DNS requests

No data

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
ACTIVADOR WINDOWS 10 FINAL.rar