Malware analysis https://kmsauto.org/download-file/?b1=KMSAuto-Net-Portable.zip&c1=53523&d1=31.21%20MB&e1=1.8.6 Malicious activity

Add for printing

URL:	https://kmsauto.org/download-file/?b1=KMSAuto-Net-Portable.zip&c1=53523&d1=31.21%20MB&e1=1.8.6
Full analysis:	https://app.any.run/tasks/fed9689d-4caf-4663-a571-795746bad0a6
Verdict:	Malicious activity
Threats:	CryptBot is an advanced Windows-targeting infostealer delivered via pirate sites with "cracked" software. It has been first observed in the wild in 2019. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	September 05, 2024, 13:01:47
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	stealer cryptbot crypto-regex upx
Indicators:
MD5:	3F9A23D206CEC5FBFFBF98F671940BC9
SHA1:	F1571EC374164205F8B2644C51BE1D2AECB2C9CD
SHA256:	97CB1DDE87EBAF06F8E3649D55699922675D6262FD4EB2A097CD15FA513845C7
SSDEEP:	3:N8Nf+50DU0fxAZpCUYJaAuTn:2ZZmXCUuaFn

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 240 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 180 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: off
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- CRYPTBOT has been detected (SURICATA)
  - activate.exe (PID: 8016)
- CRYPTBOT has been detected (YARA)
  - activate.exe (PID: 8016)
- Connects to the CnC server
  - activate.exe (PID: 8016)
- Uses Task Scheduler to run other applications
  - activate.exe (PID: 8016)
- Actions looks like stealing of personal data
  - activate.exe (PID: 8016)
SUSPICIOUS
- Reads security settings of Internet Explorer
  - WinRAR.exe (PID: 7408)
  - KMSAuto.exe (PID: 4604)
  - activate.exe (PID: 8016)
- Application launched itself
  - WinRAR.exe (PID: 7408)
- The process creates files with name similar to system file names
  - WinRAR.exe (PID: 7204)
- Searches for installed software
  - activate.exe (PID: 8016)
- Executable content was dropped or overwritten
  - KMSAuto.exe (PID: 4604)
- Starts CMD.EXE for commands execution
  - KMSAuto1.exe (PID: 7356)
- Starts SC.EXE for service management
  - KMSAuto1.exe (PID: 7356)
- Uses WMIC.EXE
  - KMSAuto1.exe (PID: 7356)
- The process executes via Task Scheduler
  - service123.exe (PID: 7668)
- Found regular expressions for crypto-addresses (YARA)
  - service123.exe (PID: 5212)
INFO
- Reads the computer name
  - identity_helper.exe (PID: 4364)
  - KMSAuto.exe (PID: 4604)
  - activate.exe (PID: 8016)
  - KMSAuto1.exe (PID: 7356)
- Checks supported languages
  - identity_helper.exe (PID: 4364)
  - KMSAuto.exe (PID: 4604)
  - activate.exe (PID: 8016)
  - service123.exe (PID: 5212)
  - KMSAuto1.exe (PID: 7356)
  - service123.exe (PID: 7668)
- Reads Environment values
  - identity_helper.exe (PID: 4364)
  - KMSAuto1.exe (PID: 7356)
- The process uses the downloaded file
  - msedge.exe (PID: 1780)
  - WinRAR.exe (PID: 7408)
  - WinRAR.exe (PID: 7204)
  - KMSAuto.exe (PID: 4604)
  - activate.exe (PID: 8016)
- Manual execution by a user
  - WinRAR.exe (PID: 7408)
  - KMSAuto.exe (PID: 4604)
- Executable content was dropped or overwritten
  - WinRAR.exe (PID: 7204)
- Process checks computer location settings
  - KMSAuto.exe (PID: 4604)
  - activate.exe (PID: 8016)
- Application launched itself
  - msedge.exe (PID: 4668)
- Create files in a temporary directory
  - activate.exe (PID: 8016)
- Reads the machine GUID from the registry
  - service123.exe (PID: 5212)
  - service123.exe (PID: 7668)
- Reads CPU info
  - activate.exe (PID: 8016)
- Reads product name
  - KMSAuto1.exe (PID: 7356)
- Reads security settings of Internet Explorer
  - WMIC.exe (PID: 5732)
- UPX packer has been detected
  - KMSAuto1.exe (PID: 7356)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

CryptBot

(PID) Process(8016) activate.exe

C2 (1)sevenv7ht.top

Strings (364)RegEnumKeyExW

_vscwprintf

InternetReadFile

SHAnsiToUnicode

GET

wnsprintfW

CreateStreamOnHGlobal

advapi32.dll

CopyFileExA

/c schtasks /create /tn \Service\Data /tr """"%wS""" """%wS"""" /st 00:01 /du 9800:59 /sc once /ri 1 /f

Wallets

InternetOpenA

GetLastError

ShellExecuteA

FindFirstFileNameA

\ServiceData\Clip.au3

HttpQueryInfoA

URLOpenBlockingStreamA

htons

GetTempFileNameW

SetErrorMode

FindNextFileNameA

/index.php

GetCurrentDirectoryW

MoveFileA

_wtoi

ExtractFilesW

CreateFileMappingW

GetFileSizeEx

_swprintf

SleepEx

ReadFile

GetEnvironmentVariableA

WSACleanup

sprintf_s

Extract

FCIDestroy

WinExec

SHGetFolderPathA

WinHttpQueryOption

CloseHandle

System Error

HttpOpenRequestW

clock

HTTP

atoi

SystemTimeToFileTime

cabinet.dll

FindFirstFileA

RmStartSession

VirtualFree

EnumDisplaySettingsW

WinHttpSendRequest

URLDownloadToFileA

SaveImageToStream

InternetCrackUrlA

"encrypted_key":"

GetTempFileNameA

FindNextFileW

Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36

GlobalMemoryStatusEx

CreateDirectoryA

GetObjectA

advpack.dll

abs

SetFilePointer

GetProcessHeap

RegQueryInfoKeyW

msvcrt.dll

AppData

SetFilePointerEx

UserProfile

FindFirstFileExA

/v1/upload.php

ReleaseDC

GetProcAddress

closesocket

WSAStartup

malloc

_snprintf

LkgwUi

wininet.dll

GetModuleHandleExW

WinHttpCrackUrl

VirtualAllocEx

analforeverlovyu.top

IsWow64Process

\ServiceData\Clip.exe

CreateDirectoryW

InternetOpenUrlW

CoInitialize

LoadLibraryA

VirtualFreeEx

WinHttpQueryHeaders

ws2_32.dll

IStream_Size

GetLocalTime

_vscprintf

IsBadReadPtr

FindNextFileNameW

GdipGetImageEncodersSize

GetFileAttributesExA

GetFileSize

WinHttpOpenRequest

ole32.dll

RegQueryValueExW

PathFileExistsA

VirtualProtectEx

StretchBlt

RmRegisterResources

End.txt

/gate.php

winhttp.dll

Others

RmGetList

PathIsDirectoryW

EnumDisplaySettingsA

Desktop

shlwapi.dll

StrStrIW

FindFirstFileNameW

RegOpenKeyExA

Apps

CoUninitialize

GetDriveTypeW

vsnprintf

listen

FindFirstFileW

QueryPerformanceCounter

socket

winsqlite3.dll

GetEnvironmentVariableW

GetModuleFileNameExW

UserID.txt

WinHttpConnect

GetModuleFileNameA

WinHttpCloseHandle

HttpOpenRequestA

InternetConnectW

GetSystemWow64DirectoryA

HeapSize

RegEnumKeyExA

recv

GetObjectW

GetDeviceCaps

\ServiceData

GetModuleFileNameW

crypt32.dll

user32.dll

POST

InternetCrackUrlW

RegQueryValueExA

RegCloseKey

urlmon.dll

HttpSendRequestW

GetLogicalDriveStringsA

WriteConsoleW

gdi32.dll

sevenv7ht.top

GetTempPathW

ReleaseMutex

curl/8.0.1

ShellExecuteW

GetFileInformationByHandle

CreateProcessA

GetUserNameW

ExtractFilesA

CreateFileA

GetBitmapBits

ReadConsoleA

WriteConsoleA

DPAPI

GetComputerNameW

MoveFileW

DeleteFileW

FCICreate

WinHttpOpen

SHCreateMemStream

Content-Length: %lu

GetTickCount

FindFirstFileExW

DeleteObject

ExitProcess

IsWow64Process2

GetDriveTypeA

OpenThread

FreeLibrary

HeapFree

WinHttpAddRequestHeaders

UnmapViewOfFile

sprintf

Process32FirstW

ReadConsoleW

ScreenShot.jpeg

CopyFileA

Process32FirstA

InternetOpenUrlA

FileTimeToSystemTime

PathIsDirectoryA

GetCurrentDirectoryA

ComSpec

WaitForSingleObject

LocalFree

GetLogicalDriveStringsW

GetUserDefaultLocaleName

CreateCompatibleBitmap

MapViewOfFile

GetVolumeInformationA

wsprintfW

GetThreadId

NULL

IStream_Reset

GdipCreateBitmapFromHBITMAP

\cdbLuHnjMw

GetTempPathA

DuplicateHandle

bind

GetExitCodeThread

CreateMutexW

LocalAppData

WinHttpSetOption

HttpQueryInfoW

GetCurrentThread

swprintf_s

IStream_Read

Sleep

LoadLibraryExW

CreateProcessW

CreateDCW

$CREEN.JPEG

FileTimeToDosDateTime

WinHttpReadData

LoadLibraryW

gdiplus.dll

GetSystemInfo

RemoveDirectoryW

WideCharToMultiByte

GdipLoadImageFromFile

LocalAlloc

free

HeapAlloc

WSAGetLastError

ntdll.dll

Browsers

GetUserNameA

GetModuleHandleW

BitBlt

VirtualProtect

RemoveDirectoryA

FCIAddFile

GetVolumeInformationW

GetDIBits

HttpSendRequestA

LoadLibraryExA

rstrtmgr.dll

CreateFileW

RtlGetVersion

HeapCreate

GetCommandLineW

GetConsoleMode

Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; rv:11.0) like Gecko

FCIFlushCabinet

Process32NextA

CreateMutexA

MoveFileExA

WinHttpReadDataEx

OpenProcess

GdipSaveImageToStream

isspace

Debug.txt

InternetReadFileExW

_snwprintf_s

CopyFileW

printf

GetDiskFreeSpaceExA

ExpandEnvironmentStringsA

An error occurred while starting the application (0xc000007b). To exit the application, click OK.

FindNextFileA

InternetReadFileExA

/zip.php

MultiByteToWideChar

send

GetLocaleInfoW

HTTPS

wsprintfA

RegOpenKeyExW

HeapReAlloc

GetLocaleInfoA

DISPLAY

WriteFile

GdiplusStartup

CryptUnprotectData

GetComputerNameA

ExpandEnvironmentStringsW

TerminateProcess

InternetCloseHandle

GdipSaveImageToFile

GetProcessId

URLOpenBlockingStreamW

FindClose

GetCommandLineA

CreateFileMappingA

ExitThread

MessageBoxA

GetSystemDirectoryW

wnsprintfA

inet_addr

CreateThread

GetTimeZoneInformation

log.txt

WinHttpReceiveResponse

DeleteDC

CreateCompatibleDC

GetNativeSystemInfo

MessageBoxW

GetFileAttributesExW

swprintf

calloc

SHUnicodeToAnsi

GetModuleHandleExA

GdipGetImageEncoders

CreateRemoteThread

Temp

vswprintf

GetFileAttributesW

strtod

wprintf

URLDownloadToFileW

Process32NextW

DeleteFileA

kernel32.dll

InternetOpenW

User's Computer Information.txt

_snwprintf

GetDiskFreeSpaceExW

GetSystemDirectoryA

SHGetFolderPathW

Files

recvfrom

SelectObject

VirtualAlloc

CreateToolhelp32Snapshot

MoveFileExW

RmEndSession

realloc

PathFileExistsW

CopyFileExW

GetTickCount64

GetFileAttributesA

FCIFlushFolder

GetSystemMetrics

GetModuleHandleA

CreateRemoteThreadEx

GetCurrentProcess

RegQueryInfoKeyA

CreateDCA

GdiplusShutdown

GetKeyboardLayoutList

GetModuleFileNameExA

InternetConnectA

StrStrIA

shell32.dll

GetSystemWow64DirectoryW

No Malware configuration.

Add for printing

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

212

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=4252 --field-trial-handle=2144,i,1135048453834710045,7446740378616090192,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5452 --field-trial-handle=2144,i,1135048453834710045,7446740378616090192,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

236

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=7172 --field-trial-handle=2144,i,1135048453834710045,7446740378616090192,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

644

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=2712 --field-trial-handle=2144,i,1135048453834710045,7446740378616090192,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

736

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5536 --field-trial-handle=2144,i,1135048453834710045,7446740378616090192,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

812

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=7532 --field-trial-handle=2144,i,1135048453834710045,7446740378616090192,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1360

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=37 --mojo-platform-channel-handle=7060 --field-trial-handle=2144,i,1135048453834710045,7446740378616090192,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1556

"C:\WINDOWS\Sysnative\sc.exe" query WinDefend

C:\Windows\System32\sc.exe

—

KMSAuto1.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Service Control Manager Configuration Tool

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll

1688

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --mojo-platform-channel-handle=6672 --field-trial-handle=2144,i,1135048453834710045,7446740378616090192,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1776

"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.59\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=6936 --field-trial-handle=2144,i,1135048453834710045,7446740378616090192,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.59\identity_helper.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

PWA Identity Proxy Host

Exit code:

3221226029

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\identity_helper.exe
c:\windows\system32\ntdll.dll

Add for printing

Total events

11 999

Read events

11 821

Write events

160

Delete events

Modification events


(PID) Process:	(4668) msedge.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:	write	Name:	failed_count
Value: 0
(PID) Process:	(4668) msedge.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:	write	Name:	state
Value: 2
(PID) Process:	(4668) msedge.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:	write	Name:	state
Value: 1
(PID) Process:	(4668) msedge.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\StabilityMetrics
Operation:	write	Name:	user_experience_metrics.stability.exited_cleanly
Value: 0
(PID) Process:	(4668) msedge.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientStateMedium\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\LastWasDefault
Operation:	write	Name:	S-1-5-21-1693682860-607145093-2874071422-1001
Value: 4DBF7D2DF57F2F00
(PID) Process:	(4668) msedge.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientStateMedium\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\LastWasDefault
Operation:	write	Name:	S-1-5-21-1693682860-607145093-2874071422-1001
Value: F875832DF57F2F00
(PID) Process:	(4668) msedge.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowProperties\394192
Operation:	write	Name:	WindowTabManagerFileMappingId
Value: {5A410FC7-704E-47D8-ABD3-6E057D8E350D}
(PID) Process:	(4668) msedge.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowProperties\394192
Operation:	write	Name:	WindowTabManagerFileMappingId
Value: {753DBCDA-05ED-4EAB-BD18-43E83BDB3FA4}
(PID) Process:	(4668) msedge.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowProperties\394192
Operation:	write	Name:	WindowTabManagerFileMappingId
Value: {8C0BB53A-94CA-4A2E-AE9C-CC378106061C}
(PID) Process:	(4668) msedge.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowProperties\394192
Operation:	write	Name:	WindowTabManagerFileMappingId
Value: {B807EC09-3021-4486-93BB-407BCF2ECD51}

Add for printing

Executable files

Suspicious files

768

Text files

585

Unknown types

Dropped files

PID	Process	Filename		Type
4668	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old~RF129f55.TMP		—
		MD5:—	SHA256:—
4668	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old		—
		MD5:—	SHA256:—
4668	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old~RF129f74.TMP		—
		MD5:—	SHA256:—
4668	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old		—
		MD5:—	SHA256:—
4668	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old~RF129f84.TMP		—
		MD5:—	SHA256:—
4668	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old		—
		MD5:—	SHA256:—
4668	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old~RF129f94.TMP		—
		MD5:—	SHA256:—
4668	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old		—
		MD5:—	SHA256:—
4668	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old~RF129fa3.TMP		—
		MD5:—	SHA256:—
4668	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old		—
		MD5:—	SHA256:—

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

134

DNS requests

172

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2476	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	US	binary	471 b	whitelisted
6676	msedge.exe	GET	304	195.138.255.18:80	http://apps.identrust.com/roots/dstrootcax3.p7c	DE	—	—	whitelisted
2120	MoUsoCoreWorker.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	DE	binary	973 b	whitelisted
6676	msedge.exe	GET	304	69.192.161.44:80	http://x1.i.lencr.org/	DE	—	—	whitelisted
6676	msedge.exe	GET	304	69.192.161.44:80	http://r3.i.lencr.org/	DE	—	—	whitelisted
7208	SIHClient.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	DE	binary	419 b	whitelisted
7208	SIHClient.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	DE	binary	407 b	whitelisted
6172	svchost.exe	HEAD	200	23.48.23.5:80	http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/73f47a5d-1fd2-4670-96a7-99c5c2d99d14?P1=1726127335&P2=404&P3=2&P4=Qpsf1wgmssZawYADP2Iz74gIq0DZRMTHQ9JRonU9Q8LnnRQxJo3y4wLkt14HsA2q5aW288KfrUZQk7GTaPcT8Q%3d%3d	DE	—	—	whitelisted
6172	svchost.exe	GET	206	23.48.23.5:80	http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/73f47a5d-1fd2-4670-96a7-99c5c2d99d14?P1=1726127335&P2=404&P3=2&P4=Qpsf1wgmssZawYADP2Iz74gIq0DZRMTHQ9JRonU9Q8LnnRQxJo3y4wLkt14HsA2q5aW288KfrUZQk7GTaPcT8Q%3d%3d	DE	binary	1.09 Kb	whitelisted
6172	svchost.exe	GET	206	23.48.23.5:80	http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/73f47a5d-1fd2-4670-96a7-99c5c2d99d14?P1=1726127335&P2=404&P3=2&P4=Qpsf1wgmssZawYADP2Iz74gIq0DZRMTHQ9JRonU9Q8LnnRQxJo3y4wLkt14HsA2q5aW288KfrUZQk7GTaPcT8Q%3d%3d	DE	binary	1.65 Kb	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:138	—	—	—	whitelisted
6160	svchost.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
2120	MoUsoCoreWorker.exe	184.30.21.171:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
3888	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
4324	svchost.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
6676	msedge.exe	188.114.96.3:443	kmsauto.org	—	—	unknown
6676	msedge.exe	13.107.42.16:443	config.edge.skype.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
4668	msedge.exe	239.255.255.250:1900	—	—	—	whitelisted
6676	msedge.exe	13.107.246.45:443	edge-mobile-static.azureedge.net	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	51.104.136.2 20.73.194.208	whitelisted
www.microsoft.com	184.30.21.171	whitelisted
google.com	142.250.181.238	whitelisted
config.edge.skype.com	13.107.42.16	whitelisted
kmsauto.org	188.114.96.3 188.114.97.3	unknown
edge.microsoft.com	204.79.197.239 13.107.21.239	whitelisted
api.edgeoffer.microsoft.com	40.71.99.188	whitelisted
business.bing.com	13.107.6.158	whitelisted
edge-mobile-static.azureedge.net	13.107.246.45	whitelisted
bzib.nelreports.net	23.48.23.51 23.48.23.46	whitelisted

Threats

PID	Process	Class	Message
6676	msedge.exe	Not Suspicious Traffic	INFO [ANY.RUN] Cloudflare content delivery network (cdnjs .cloudflare .com)
6676	msedge.exe	Not Suspicious Traffic	INFO [ANY.RUN] Google Hosted Libraries (ajax .googleapis .com)
6676	msedge.exe	Not Suspicious Traffic	INFO [ANY.RUN] Cloudflare content delivery network (cdnjs .cloudflare .com)
6676	msedge.exe	Not Suspicious Traffic	INFO [ANY.RUN] Google Hosted Libraries (ajax .googleapis .com)
6676	msedge.exe	Not Suspicious Traffic	INFO [ANY.RUN] jQuery JavaScript Library Code Loaded (code .jquery .com)
6676	msedge.exe	Not Suspicious Traffic	INFO [ANY.RUN] jQuery JavaScript Library Code Loaded (code .jquery .com)
6676	msedge.exe	Not Suspicious Traffic	INFO [ANY.RUN] jQuery JavaScript Library Code Loaded (code .jquery .com)
6676	msedge.exe	Not Suspicious Traffic	INFO [ANY.RUN] jQuery JavaScript Library Code Loaded (code .jquery .com)
6676	msedge.exe	Potentially Bad Traffic	ET DNS Query for .cc TLD
6676	msedge.exe	Misc activity	SUSPICIOUS [ANY.RUN] Tracking Service (.popin .cc)

Add for printing

No debug info

General Info

https://kmsauto.org/download-file/?b1=KMSAuto-Net-Portable.zip&c1=53523&d1=31.21%20MB&e1=1.8.6

3F9A23D206CEC5FBFFBF98F671940BC9

F1571EC374164205F8B2644C51BE1D2AECB2C9CD

97CB1DDE87EBAF06F8E3649D55699922675D6262FD4EB2A097CD15FA513845C7

3:N8Nf+50DU0fxAZpCUYJaAuTn:2ZZmXCUuaFn

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

CRYPTBOT has been detected (SURICATA)

CRYPTBOT has been detected (YARA)

Connects to the CnC server

Uses Task Scheduler to run other applications

Actions looks like stealing of personal data

SUSPICIOUS

Reads security settings of Internet Explorer

Application launched itself

The process creates files with name similar to system file names

Searches for installed software

Executable content was dropped or overwritten

Starts CMD.EXE for commands execution

Starts SC.EXE for service management

Uses WMIC.EXE

The process executes via Task Scheduler

Found regular expressions for crypto-addresses (YARA)

INFO

Reads the computer name

Checks supported languages

Reads Environment values

The process uses the downloaded file

Manual execution by a user

Executable content was dropped or overwritten

Process checks computer location settings

Application launched itself

Create files in a temporary directory

Reads the machine GUID from the registry

Reads CPU info

Reads product name

Reads security settings of Internet Explorer

UPX packer has been detected

Malware configuration

CryptBot

Static information

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats