File name:

KMSAuto-Net-1.5.4.zip

Full analysis: https://app.any.run/tasks/1df28b76-a7d8-46b5-8cc8-75bcb75d44ab
Verdict: Malicious activity
Analysis date: October 05, 2023, 16:41:47
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

97630B7C2AF0DB8685904A30258000B1

SHA1:

8F9286B1E0E8CF60B67D898AA8693486DDC2BD4E

SHA256:

8F2CDF68836AE101E4D0857A7126D1911CEDB02CDA136EC9DD737D55FA15E51C

SSDEEP:

98304:92YXkiY2d5CTaEsccPgAY7oKSgy74WArwRJoniKKUrnmioZDI7FJf4FhtXJYaz+e:y2taM8M9

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • KMSAuto Net.exe (PID: 3044)
      • KMSAuto Net.exe (PID: 2288)
      • wzt.dat (PID: 1912)
      • certmgr.exe (PID: 2856)
      • certmgr.exe (PID: 3448)
      • bin.dat (PID: 2588)
      • bin_x86.dat (PID: 3380)
      • AESDecoder.exe (PID: 2456)
      • KMSSS.exe (PID: 3656)
      • wzt.dat (PID: 3168)
      • certmgr.exe (PID: 3840)
      • certmgr.exe (PID: 2008)
      • bin.dat (PID: 1836)
      • AESDecoder.exe (PID: 1488)
      • bin_x86.dat (PID: 3400)
      • KMSSS.exe (PID: 3824)
      • bin_x86.dat (PID: 3816)
      • FakeClient.exe (PID: 3400)
      • wzt.dat (PID: 3020)
      • certmgr.exe (PID: 2308)
      • certmgr.exe (PID: 3560)
      • bin.dat (PID: 2300)
      • AESDecoder.exe (PID: 128)
      • bin_x86.dat (PID: 3084)

    • Drops the executable file immediately after the start

      • KMSAuto Net.exe (PID: 2288)
      • wzt.dat (PID: 1912)
      • bin.dat (PID: 2588)
      • AESDecoder.exe (PID: 2456)
      • bin_x86.dat (PID: 3380)
      • bin.dat (PID: 1836)
      • wzt.dat (PID: 3168)
      • AESDecoder.exe (PID: 1488)
      • bin_x86.dat (PID: 3400)
      • bin_x86.dat (PID: 3816)
      • wzt.dat (PID: 3020)
      • bin.dat (PID: 2300)
      • AESDecoder.exe (PID: 128)
      • bin_x86.dat (PID: 3084)

  • SUSPICIOUS

    • Reads Internet Explorer settings

      • KMSAuto Net.exe (PID: 2288)

    • Drops 7-zip archiver for unpacking

      • KMSAuto Net.exe (PID: 2288)

    • Starts application with an unusual extension

      • cmd.exe (PID: 2128)
      • cmd.exe (PID: 2344)
      • cmd.exe (PID: 2340)
      • cmd.exe (PID: 1880)
      • cmd.exe (PID: 2800)
      • cmd.exe (PID: 3564)
      • cmd.exe (PID: 3256)
      • cmd.exe (PID: 1808)
      • cmd.exe (PID: 2264)
      • cmd.exe (PID: 2080)

    • Process drops legitimate windows executable

      • wzt.dat (PID: 1912)
      • bin_x86.dat (PID: 3380)
      • wzt.dat (PID: 3168)
      • bin_x86.dat (PID: 3400)
      • bin_x86.dat (PID: 3816)
      • wzt.dat (PID: 3020)
      • bin_x86.dat (PID: 3084)

    • Starts CMD.EXE for commands execution

      • KMSAuto Net.exe (PID: 2288)
      • cmd.exe (PID: 3468)
      • cmd.exe (PID: 3876)

    • Application launched itself

      • cmd.exe (PID: 3468)
      • cmd.exe (PID: 3876)

    • Uses NETSH.EXE to add a firewall rule or allowed programs

      • KMSAuto Net.exe (PID: 2288)

    • Uses NETSH.EXE to delete a firewall rule or allowed programs

      • KMSAuto Net.exe (PID: 2288)

    • Starts SC.EXE for service management

      • KMSAuto Net.exe (PID: 2288)

    • Executes as Windows Service

      • KMSSS.exe (PID: 3656)
      • KMSSS.exe (PID: 3824)

    • Creates or modifies Windows services

      • KMSAuto Net.exe (PID: 2288)

    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 124)
      • KMSAuto Net.exe (PID: 2288)
      • cmd.exe (PID: 2212)

    • Drops a system driver (possible attempt to evade defenses)

      • bin_x86.dat (PID: 3380)
      • bin_x86.dat (PID: 3400)
      • bin_x86.dat (PID: 3816)
      • bin_x86.dat (PID: 3084)

    • Uses ROUTE.EXE to modify routing table

      • cmd.exe (PID: 3112)

    • Uses TASKKILL.EXE to kill process

      • cmd.exe (PID: 3440)

    • Uses ROUTE.EXE to obtain the routing table information

      • cmd.exe (PID: 2184)

    • Uses WMIC.EXE

      • cmd.exe (PID: 328)
      • cmd.exe (PID: 4076)

    • Reads the Internet Settings

      • WMIC.exe (PID: 3700)
      • WMIC.exe (PID: 2300)

  • INFO

    • Checks supported languages

      • KMSAuto Net.exe (PID: 2288)
      • wzt.dat (PID: 1912)
      • certmgr.exe (PID: 2856)
      • certmgr.exe (PID: 3448)
      • AESDecoder.exe (PID: 2456)
      • bin.dat (PID: 2588)
      • bin_x86.dat (PID: 3380)
      • KMSSS.exe (PID: 3656)
      • wzt.dat (PID: 3168)
      • certmgr.exe (PID: 3840)
      • certmgr.exe (PID: 2008)
      • bin.dat (PID: 1836)
      • AESDecoder.exe (PID: 1488)
      • KMSSS.exe (PID: 3824)
      • bin_x86.dat (PID: 3816)
      • bin_x86.dat (PID: 3400)
      • FakeClient.exe (PID: 3400)
      • wzt.dat (PID: 3020)
      • AESDecoder.exe (PID: 128)
      • certmgr.exe (PID: 2308)
      • certmgr.exe (PID: 3560)
      • bin.dat (PID: 2300)
      • bin_x86.dat (PID: 3084)

    • Reads the computer name

      • KMSAuto Net.exe (PID: 2288)
      • KMSSS.exe (PID: 3656)
      • KMSSS.exe (PID: 3824)
      • FakeClient.exe (PID: 3400)

    • Reads the machine GUID from the registry

      • KMSAuto Net.exe (PID: 2288)
      • KMSSS.exe (PID: 3656)
      • KMSSS.exe (PID: 3824)

    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 3640)

    • Reads Environment values

      • KMSAuto Net.exe (PID: 2288)

    • Creates files or folders in the user directory

      • KMSAuto Net.exe (PID: 2288)

    • Reads product name

      • KMSAuto Net.exe (PID: 2288)

    • Creates files in the program directory

      • cmd.exe (PID: 3288)
      • KMSAuto Net.exe (PID: 2288)
      • wzt.dat (PID: 1912)
      • bin.dat (PID: 2588)
      • bin_x86.dat (PID: 3380)
      • AESDecoder.exe (PID: 2456)
      • KMSSS.exe (PID: 3656)
      • cmd.exe (PID: 2412)
      • wzt.dat (PID: 3168)
      • bin.dat (PID: 1836)
      • AESDecoder.exe (PID: 1488)
      • KMSSS.exe (PID: 3824)
      • bin_x86.dat (PID: 3816)
      • bin_x86.dat (PID: 3400)
      • wzt.dat (PID: 3020)
      • cmd.exe (PID: 3528)
      • bin.dat (PID: 2300)
      • AESDecoder.exe (PID: 128)
      • bin_x86.dat (PID: 3084)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: 0x0009
ZipCompression: Deflated
ZipModifyDate: 2018:10:15 09:59:34
ZipCRC: 0x0da1fbfe
ZipCompressedSize: 5442961
ZipUncompressedSize: 8315752
ZipFileName: KMSAuto Net.exe
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
253
Monitored processes
125
Malicious processes
29
Suspicious processes
5

Behavior graph

Click at the process to see the details
drop and start drop and start start winrar.exe no specs kmsauto net.exe no specs kmsauto net.exe cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs wzt.dat no specs cmd.exe no specs cmd.exe no specs certmgr.exe no specs cmd.exe no specs certmgr.exe no specs cmd.exe no specs cmd.exe no specs bin.dat no specs cmd.exe no specs cmd.exe no specs aesdecoder.exe no specs cmd.exe no specs cmd.exe no specs bin_x86.dat no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs netstat.exe no specs find.exe no specs netsh.exe no specs netsh.exe no specs sc.exe no specs sc.exe no specs kmsss.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs sc.exe no specs sc.exe no specs cmd.exe no specs reg.exe no specs netsh.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs wzt.dat no specs cmd.exe no specs cmd.exe no specs certmgr.exe no specs cmd.exe no specs certmgr.exe no specs cmd.exe no specs cmd.exe no specs bin.dat no specs cmd.exe no specs cmd.exe no specs aesdecoder.exe no specs cmd.exe no specs cmd.exe no specs bin_x86.dat no specs cmd.exe no specs cmd.exe no specs find.exe no specs cmd.exe no specs netstat.exe no specs netsh.exe no specs netsh.exe no specs sc.exe no specs sc.exe no specs kmsss.exe no specs cmd.exe no specs bin_x86.dat no specs cmd.exe no specs cmd.exe no specs route.exe no specs cmd.exe no specs fakeclient.exe reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs cmd.exe no specs route.exe no specs cmd.exe no specs taskkill.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs cmd.exe no specs reg.exe no specs netsh.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs wzt.dat no specs cmd.exe no specs cmd.exe no specs certmgr.exe no specs cmd.exe no specs certmgr.exe no specs cmd.exe no specs cmd.exe no specs bin.dat no specs cmd.exe no specs cmd.exe no specs aesdecoder.exe no specs cmd.exe no specs cmd.exe no specs bin_x86.dat no specs cmd.exe no specs cmd.exe no specs wmic.exe no specs cmd.exe no specs wmic.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
124C:\Windows\System32\cmd.exe /D /c reg.exe DELETE HKLM\SYSTEM\CurrentControlSet\Services\KMSEmulator /fC:\Windows\System32\cmd.exeKMSAuto Net.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
1
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
128AESDecoder.exeC:\ProgramData\KMSAuto\bin\AESDecoder.execmd.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\programdata\kmsauto\bin\aesdecoder.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.24542_none_5c0717c7a00ddc6d\gdiplus.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
272C:\Windows\System32\cmd.exe /D /c del /F /Q "bin.dat"C:\Windows\System32\cmd.exeKMSAuto Net.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\ntdll.dll
c:\windows\system32\cmd.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\gdi32.dll
292C:\Windows\System32\Netsh Advfirewall Firewall delete rule name="0pen Port KMS" protocol=TCPC:\Windows\System32\netsh.exeKMSAuto Net.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Network Command Shell
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\credui.dll
c:\windows\system32\user32.dll
328C:\Windows\System32\cmd.exe /D /c WMIC Path Win32_NetworkAdapter WHERE ServiceName="tapoas" get Manufacturer >"C:\Users\admin\AppData\Local\Temp\KMSSettmp95.tmpC:\Windows\System32\cmd.exeKMSAuto Net.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
576C:\Windows\System32\reg delete "HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f" /fC:\Windows\System32\reg.exeKMSAuto Net.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
812"C:\Windows\System32\cmd.exe" /c rd "C:\ProgramData\KMSAuto" /S /QC:\Windows\System32\cmd.exeKMSAuto Net.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
852"sc.exe" delete WinDivert1.1C:\Windows\System32\sc.exeKMSAuto Net.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
A tool to aid in developing services for WindowsNT
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\msvcrt.dll
944route delete 100.100.0.10 0.0.0.0C:\Windows\System32\ROUTE.EXEcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
TCP/IP Route Command
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\route.exe
c:\windows\system32\iphlpapi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\nsi.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\user32.dll
1248C:\Windows\System32\cmd.exe /D /c AESDecoder.exeC:\Windows\System32\cmd.exeKMSAuto Net.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
Total events
9 943
Read events
9 643
Write events
284
Delete events
16

Modification events

(PID) Process:(3640) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\178\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(3640) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:2
Value:
C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip
(PID) Process:(3640) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:1
Value:
C:\Users\admin\Desktop\Win7-KB3191566-x86.zip
(PID) Process:(3640) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\Desktop\phacker.zip
(PID) Process:(3640) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(3640) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(3640) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(3640) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
(PID) Process:(3640) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface
Operation:writeName:ShowPassword
Value:
0
(PID) Process:(3640) WinRAR.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
Executable files
57
Suspicious files
33
Text files
6
Unknown types
0

Dropped files

PID
Process
Filename
Type
3640WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXb3640.11070\KMSCleaner.exeexecutable
MD5:13EA767A7BA607744EBEA7409B9F8649
SHA256:A6E2CDC0E9426D50BD72D866BFC80E0FBA941EFB3AE6D1C564D409F57D1EB117
3640WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXb3640.11070\KMSAuto Net.exeexecutable
MD5:F1FE671BCEFD4630E5ED8B87C9283534
SHA256:58D6FEC4BA24C32D38C9A0C7C39DF3CB0E91F500B323E841121D703C7B718681
2288KMSAuto Net.exeC:\Users\admin\AppData\Local\MSfree Inc\kmsauto.initext
MD5:AF6A20FD7DFADCD582CCF2B1BFAAF82B
SHA256:0BEE97833A70AA9BA271E93226DACE849836C64919FBFE15543D694E219D4AF2
2288KMSAuto Net.exeC:\ProgramData\KMSAuto\wzt.datexecutable
MD5:822DA2319294F2B768BFE9ED4EEBAC15
SHA256:17B74D4EA905FAC0BA6857F78F47EE1E940675AF1BC27DED69FE2941318106EF
2588bin.datC:\ProgramData\KMSAuto\bin\KMSSS.exe.aesbinary
MD5:41E0D8AB5104DA2068739109EC3599F4
SHA256:38D1DBDC7C7A64253E6D4B52225B0BFD7716405C731A107F0C6BA9573A73A77F
3880cmd.exeC:\Users\admin\AppData\Local\Temp\Rar$EXb3640.11070\test.testtext
MD5:9F06243ABCB89C70E0C331C61D871FA7
SHA256:837CCB607E312B170FAC7383D7CCFD61FA5072793F19A25E75FBACB56539B86B
1912wzt.datC:\ProgramData\KMSAuto\wzt\wzteam.cerbinary
MD5:76B56D90E6F1DA030A8B85E64579F25A
SHA256:FD2D7DF0220DD65EE23D0090299DFCC356F6F8F7167BAE9ADF7D08CEFAF39D02
2288KMSAuto Net.exeC:\ProgramData\KMSAuto\bin_x86.datexecutable
MD5:6C227B04F0605AF1A1B75F8FE16D1424
SHA256:DCFDAB4ED4F5E5A821EB8FF9E85453A426AF3E725A0849CC4B0599746C879456
3380bin_x86.datC:\ProgramData\KMSAuto\bin\driver\oas_sert.cerbinary
MD5:0041584E5F66762B1FA9BE8910D0B92B
SHA256:BB27684B569CBB72DEC63EA6FDEF8E5F410CDAEB73717EEE1B36478DBCFF94CC
2456AESDecoder.exeC:\ProgramData\KMSAuto\bin\KMSSS.exeexecutable
MD5:01A80AAD5DABED1C1580F7E00213CF9D
SHA256:FD7499214ABAA13BF56D006AB7DE78EB8D6ADF17926C24ACE024D067049BC81D
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
5
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
2656
svchost.exe
239.255.255.250:1900
whitelisted
4
System
192.168.100.255:138
whitelisted
1088
svchost.exe
224.0.0.252:5355
unknown

DNS requests

No data

Threats

No threats detected
Process
Message
FakeClient.exe
WdfCoInstaller: [10/05/2023 17:42.48.748] ReadComponents: WdfSection for Driver Service windivert using KMDF lib version Major 0x1, minor 0x9
FakeClient.exe
WdfCoInstaller: [10/05/2023 17:42.48.780] BootApplication: could not open service windivert, error error(1060) The specified service does not exist as an installed service.
FakeClient.exe
WdfCoInstaller: [10/05/2023 17:42.48.780] BootApplication: GetStartType error error(87) The parameter is incorrect. Driver Service name windivert
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
KMSAuto-Net-1.5.4.zip