File name: KMSX2.zip

Full analysis: https://app.any.run/tasks/9b879911-8f21-40aa-bb64-96a6e0edb736
Verdict: Malicious activity
Analysis date: July 18, 2019, 06:44:34
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: ACD20E9E26C18B888A09A703220CAF72
SHA1: EFB3895CD3B9BB8D91FBABA5954DE5E9A92E50B2
SHA256: B366F923B9ACC9D80DE8B075F21EA4AB60333DDAE3EB22F9115A4BC7342A8166
SSDEEP: 393216:6J6XfBqGh2okF4tkRa9MTCMQyfpGeoEnTw8Ye1C2MIbHTISa:w4f9co04tkVCMEhETwS11M4zO

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • ¦¬+t+ñ+eV17.0-2019-6-22¦µ¦+.exe (PID: 2232)
      • ¦¬+t+ñ+eV17.0-2019-6-22¦µ¦+.exe (PID: 452)
      • ns4BAE.tmp (PID: 3516)
      • ns4D07.tmp (PID: 2648)
      • ns56EB.tmp (PID: 2828)
      • ns5863.tmp (PID: 1828)
      • ns59FA.tmp (PID: 2284)
      • ns5B91.tmp (PID: 2448)
      • ns5C8C.tmp (PID: 3404)
      • ns5D78.tmp (PID: 2704)
      • 7z.exe (PID: 2932)
      • 7z.exe (PID: 3204)
      • 7z.exe (PID: 4004)
      • ns5F0F.tmp (PID: 3616)
      • 7z.exe (PID: 3360)
      • 7z.exe (PID: 3412)
      • 7z.exe (PID: 3052)
      • 7z.exe (PID: 3368)
      • 7z.exe (PID: 3052)
      • 7z.exe (PID: 3368)
      • KMSpico1.exe (PID: 792)
      • SppExtComObjPatcher.exe (PID: 3580)
      • ú¿OFFICE+ñ+eú¬kms-bfú¿2018-4¦µ¦+ú¬.exe (PID: 2372)
      • ú¿OFFICE+ñ+eú¬kms-bfú¿2018-4¦µ¦+ú¬.exe (PID: 2836)
      • 7z.exe (PID: 3372)
      • KMSService.exe (PID: 2976)
      • 7z.exe (PID: 3144)
      • 7z.exe (PID: 4000)
      • nsA9AC.tmp (PID: 2492)
      • KMSpico1.exe (PID: 3096)
      • 7z.exe (PID: 3336)
      • 7z.exe (PID: 2736)
      • nsAC7D.tmp (PID: 3768)
      • 7z.exe (PID: 3796)
      • nsAB05.tmp (PID: 2720)
      • nsAD69.tmp (PID: 3308)
      • nsB358.tmp (PID: 2288)
      • 7z.exe (PID: 3012)
      • nsB3C7.tmp (PID: 3280)
      • 7z.exe (PID: 452)
      • ú¿OFFICE+ñ+eú¬kms-bfú¿2018-4¦µ¦+ú¬.exe (PID: 2392)
      • ú¿OFFICE+ñ+eú¬kms-bfú¿2018-4¦µ¦+ú¬.exe (PID: 3308)
      • nsE1D3.tmp (PID: 3576)
      • 7z.exe (PID: 3716)
      • nsAF2F.tmp (PID: 2380)
      • nsB181.tmp (PID: 2536)
      • nsB2DA.tmp (PID: 2628)
      • 7z.exe (PID: 3544)
      • nsE32C.tmp (PID: 3284)
      • 7z.exe (PID: 2432)
      • nsE418.tmp (PID: 4004)
      • 7z.exe (PID: 3352)
      • nsE92B.tmp (PID: 3300)
      • nsE570.tmp (PID: 1468)
      • KMSpico1.exe (PID: 3532)
      • nsE6D9.tmp (PID: 2604)
      • 7z.exe (PID: 3200)
      • 7z.exe (PID: 2744)
      • 7z.exe (PID: 3692)
      • nsEA94.tmp (PID: 2216)
      • 7z.exe (PID: 3312)
      • nsEB70.tmp (PID: 2812)
      • 7z.exe (PID: 3388)
      • nsEC5B.tmp (PID: 3544)
      • 7z.exe (PID: 1632)
      • KMSService.exe (PID: 2292)
      • SppExtComObjPatcher.exe (PID: 3668)
    • Loads dropped or rewritten executable

      • ¦¬+t+ñ+eV17.0-2019-6-22¦µ¦+.exe (PID: 2232)
      • 7z.exe (PID: 3052)
      • 7z.exe (PID: 4004)
      • 7z.exe (PID: 3052)
      • 7z.exe (PID: 2932)
      • 7z.exe (PID: 3204)
      • 7z.exe (PID: 3360)
      • OSPPSVC.EXE (PID: 2208)
      • ú¿OFFICE+ñ+eú¬kms-bfú¿2018-4¦µ¦+ú¬.exe (PID: 2836)
      • 7z.exe (PID: 3144)
      • 7z.exe (PID: 3336)
      • 7z.exe (PID: 4000)
      • 7z.exe (PID: 2736)
      • 7z.exe (PID: 3372)
      • ú¿OFFICE+ñ+eú¬kms-bfú¿2018-4¦µ¦+ú¬.exe (PID: 2392)
      • 7z.exe (PID: 3716)
      • 7z.exe (PID: 452)
      • 7z.exe (PID: 2432)
      • 7z.exe (PID: 3352)
      • 7z.exe (PID: 2744)
      • 7z.exe (PID: 3200)
      • 7z.exe (PID: 1632)
      • OSPPSVC.EXE (PID: 2400)
    • Changes Image File Execution Options

      • KMSpico1.exe (PID: 792)
      • KMSpico1.exe (PID: 3532)
    • Loads the Task Scheduler COM API

      • OSPPSVC.EXE (PID: 2208)
      • OSPPSVC.EXE (PID: 2400)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3224)
      • ¦¬+t+ñ+eV17.0-2019-6-22¦µ¦+.exe (PID: 2232)
      • 7z.exe (PID: 3204)
      • 7z.exe (PID: 3360)
      • ú¿OFFICE+ñ+eú¬kms-bfú¿2018-4¦µ¦+ú¬.exe (PID: 2836)
      • KMSpico1.exe (PID: 792)
      • ú¿OFFICE+ñ+eú¬kms-bfú¿2018-4¦µ¦+ú¬.exe (PID: 2392)
      • 7z.exe (PID: 3352)
      • KMSpico1.exe (PID: 3532)
    • Starts application with an unusual extension

      • ¦¬+t+ñ+eV17.0-2019-6-22¦µ¦+.exe (PID: 2232)
      • ú¿OFFICE+ñ+eú¬kms-bfú¿2018-4¦µ¦+ú¬.exe (PID: 2836)
      • ú¿OFFICE+ñ+eú¬kms-bfú¿2018-4¦µ¦+ú¬.exe (PID: 2392)
    • Creates files in the Windows directory

      • 7z.exe (PID: 3204)
      • KMSpico1.exe (PID: 792)
      • KMSpico1.exe (PID: 3532)
    • Creates files in the user directory

      • 7z.exe (PID: 3052)
      • 7z.exe (PID: 2736)
      • 7z.exe (PID: 2744)
    • Uses WMIC.EXE to obtain system information

      • KMSpico1.exe (PID: 792)
      • KMSpico1.exe (PID: 3532)
    • Creates files in the program directory

      • 7z.exe (PID: 3052)
      • 7z.exe (PID: 452)
      • 7z.exe (PID: 1632)
    • Uses NETSH.EXE for network configuration

      • KMSpico1.exe (PID: 792)
      • KMSpico1.exe (PID: 3532)
    • Executed as Windows Service

      • KMSService.exe (PID: 2976)
      • SppExtComObjPatcher.exe (PID: 3580)
      • KMSService.exe (PID: 2292)
      • SppExtComObjPatcher.exe (PID: 3668)
    • Executes scripts

      • KMSpico1.exe (PID: 792)
      • KMSpico1.exe (PID: 3532)
    • Removes files from Windows directory

      • KMSpico1.exe (PID: 3532)
    • Uses TASKKILL.EXE to kill process

      • KMSpico1.exe (PID: 3532)
  • INFO

    • Manual execution by user

      • ¦¬+t+ñ+eV17.0-2019-6-22¦µ¦+.exe (PID: 2232)
      • ¦¬+t+ñ+eV17.0-2019-6-22¦µ¦+.exe (PID: 452)
      • ú¿OFFICE+ñ+eú¬kms-bfú¿2018-4¦µ¦+ú¬.exe (PID: 2836)
      • ú¿OFFICE+ñ+eú¬kms-bfú¿2018-4¦µ¦+ú¬.exe (PID: 2372)
      • ú¿OFFICE+ñ+eú¬kms-bfú¿2018-4¦µ¦+ú¬.exe (PID: 2392)
      • ú¿OFFICE+ñ+eú¬kms-bfú¿2018-4¦µ¦+ú¬.exe (PID: 3308)
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: 0x0001
ZipCompression: Deflated
ZipModifyDate: 2018:04:13 17:16:14
ZipCRC: 0x0a0dabc0
ZipCompressedSize: 8054581
ZipUncompressedSize: 8067700
ZipFileName: ??OFFICE???kms-bf??2018-4?汾??.exe
No data.
All screenshots are available in the full report
Total processes: 179
Monitored processes: 89
Malicious processes: 10
Suspicious processes: 18

Behavior graph

[Behavior graph: rendered only in the full report. Processes shown in the graph: winrar.exe, the two extracted installers (¦¬+t+ñ+ev17.0-2019-6-22¦µ¦+.exe and ú¿office+ñ+eú¬kms-bfú¿2018-4¦µ¦+ú¬.exe), the ns*.tmp helper stubs, 7z.exe, kmspico1.exe, wmic.exe, netsh.exe, kmsservice.exe, cscript.exe, taskkill.exe, sppextcomobjpatcher.exe and osppsvc.exe, linked by "start" and "drop and start" edges.]

Process information

PID
CMD
Path
Indicators
Parent process
PID: 452
CMD: "C:\Users\admin\Desktop\¦¬+t+ñ+eV17.0-2019-6-22¦µ¦+.exe"
Path: C:\Users\admin\Desktop\¦¬+t+ñ+eV17.0-2019-6-22¦µ¦+.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540
Modules
Images
c:\users\admin\desktop\¦¬+t+ñ+ev17.0-2019-6-22¦µ¦+.exe
c:\systemroot\system32\ntdll.dll
PID: 452
CMD: "C:\Users\admin\AppData\Local\Temp\7z.exe" x -aoa -paabbccdd "C:\Users\admin\AppData\Local\Temp\Play6.dat" -o"C:\Program Files\Mozilla Firefox"
Path: C:\Users\admin\AppData\Local\Temp\7z.exe
Parent process: nsB3C7.tmp
User:
admin
Company:
Igor Pavlov
Integrity Level:
HIGH
Description:
7-Zip Console
Exit code:
0
Version:
16.02
Modules
Images
c:\users\admin\appdata\local\temp\7z.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
PID: 792
CMD: C:\Users\admin\AppData\Local\Temp\KMSpico1.exe
Path: C:\Users\admin\AppData\Local\Temp\KMSpico1.exe
Parent process: ¦¬+t+ñ+eV17.0-2019-6-22¦µ¦+.exe
User:
admin
Integrity Level:
HIGH
Description:
暴风一键激活工具
Exit code:
0
Version:
16.0.0.0
Modules
Images
c:\users\admin\appdata\local\temp\kmspico1.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\gdi32.dll
PID: 1468
CMD: "C:\Users\admin\AppData\Local\Temp\nsiE127.tmp\nsE570.tmp" "C:\Users\admin\AppData\Local\Temp\7z.exe" x -aoa -paabbccdd "C:\Users\admin\AppData\Local\Temp\Play1.dat" -o"C:\Users\admin\AppData\Local"
Path: C:\Users\admin\AppData\Local\Temp\nsiE127.tmp\nsE570.tmp
Parent process: ú¿OFFICE+ñ+eú¬kms-bfú¿2018-4¦µ¦+ú¬.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\nsie127.tmp\nse570.tmp
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
PID: 1632
CMD: "C:\Users\admin\AppData\Local\Temp\7z.exe" x -aoa -paabbccdd "C:\Users\admin\AppData\Local\Temp\Play6.dat" -o"C:\Program Files\Mozilla Firefox"
Path: C:\Users\admin\AppData\Local\Temp\7z.exe
Parent process: nsEC5B.tmp
User:
admin
Company:
Igor Pavlov
Integrity Level:
HIGH
Description:
7-Zip Console
Exit code:
0
Version:
16.02
Modules
Images
c:\users\admin\appdata\local\temp\7z.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
PID: 1828
CMD: "C:\Users\admin\AppData\Local\Temp\nsd4B20.tmp\ns5863.tmp" "C:\Users\admin\AppData\Local\Temp\7z.exe" x -aoa -paabbccdd "C:\Users\admin\AppData\Local\Temp\Play1.dat" -o"C:\Users\admin\AppData\Local"
Path: C:\Users\admin\AppData\Local\Temp\nsd4B20.tmp\ns5863.tmp
Parent process: ¦¬+t+ñ+eV17.0-2019-6-22¦µ¦+.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\nsd4b20.tmp\ns5863.tmp
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
PID: 1952
CMD: wmic path SoftwareLicensingService where version='6.1.7601.17514' call SetVLActivationTypeEnabled 2
Path: C:\Windows\System32\Wbem\wmic.exe
Parent process: KMSpico1.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
WMI Commandline Utility
Exit code:
44028
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\wbem\wmic.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
PID: 2016
CMD: wmic path SoftwareLicensingService where version='6.1.7601.17514' call SetVLActivationTypeEnabled 2
Path: C:\Windows\System32\Wbem\wmic.exe
Parent process: KMSpico1.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
WMI Commandline Utility
Exit code:
44028
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\wbem\wmic.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
PID: 2208
CMD: "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
Path: C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
Parent process: SppExtComObjPatcher.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft Office Software Protection Platform Service
Exit code:
0
Version:
14.0.0370.400 (longhorn(wmbla).090811-1833)
Modules
Images
c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\osppsvc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 2216
CMD: "C:\Users\admin\AppData\Local\Temp\nsiE127.tmp\nsEA94.tmp" "C:\Users\admin\AppData\Local\Temp\7z.exe" x -aoa -paabbccdd "C:\Users\admin\AppData\Local\Temp\Play3.dat" -o""
Path: C:\Users\admin\AppData\Local\Temp\nsiE127.tmp\nsEA94.tmp
Parent process: ú¿OFFICE+ñ+eú¬kms-bfú¿2018-4¦µ¦+ú¬.exe
User:
admin
Integrity Level:
HIGH
Exit code:
7
Modules
Images
c:\users\admin\appdata\local\temp\nsie127.tmp\nsea94.tmp
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
Total events: 2 239
Read events: 1 944
Write events: 295
Delete events: 0

Modification events

(PID) Process: (3224) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtBMP
Value:

(PID) Process: (3224) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtIcon
Value:

(PID) Process: (3224) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\70\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (3224) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\Downloads\KMSX2.zip

(PID) Process: (3224) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (3224) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (3224) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

(PID) Process: (3224) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100

(PID) Process: (3224) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface
Operation: write
Name: ShowPassword
Value: 0

(PID) Process: (3224) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\MainWin
Operation: write
Name: Placement
Value: 2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF42000000420000000204000037020000
Executable files: 51
Suspicious files: 36
Text files: 27
Unknown types: 0

Dropped files

PID
Process
Filename
Type
PID: 4004
Process: 7z.exe
Filename: C:\Users\admin\AppData\Local\Temp\Play32.dat.tmp
Type:
MD5:
SHA256:

PID: 2232
Process: ¦¬+t+ñ+eV17.0-2019-6-22¦µ¦+.exe
Filename: C:\Users\admin\AppData\Local\Temp\nsd4B20.tmp\ns4D07.tmp
Type:
MD5:
SHA256:

PID: 3224
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRb3224.30988\¦¬+t+ñ+eV17.0-2019-6-22¦µ¦+.exe
Type: executable
MD5:
SHA256:

PID: 2232
Process: ¦¬+t+ñ+eV17.0-2019-6-22¦µ¦+.exe
Filename: C:\Users\admin\AppData\Local\Temp\nsd4B20.tmp\ns56EB.tmp
Type:
MD5:
SHA256:

PID: 3224
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRb3224.30988\ú¿OFFICE+ñ+eú¬kms-bfú¿2018-4¦µ¦+ú¬.exe
Type: executable
MD5:
SHA256:

PID: 2232
Process: ¦¬+t+ñ+eV17.0-2019-6-22¦µ¦+.exe
Filename: C:\Users\admin\AppData\Local\Temp\Play1.dat
Type: compressed
MD5:
SHA256:

PID: 2232
Process: ¦¬+t+ñ+eV17.0-2019-6-22¦µ¦+.exe
Filename: C:\Users\admin\AppData\Local\Temp\Play32.dat
Type: compressed
MD5:
SHA256:

PID: 2232
Process: ¦¬+t+ñ+eV17.0-2019-6-22¦µ¦+.exe
Filename: C:\Users\admin\AppData\Local\Temp\Play2.dat
Type: compressed
MD5: 713C7B3AEA6167F69457C8C9FE1CBC93
SHA256: D6D75387580B2FB3E0C2A7488F2F140CC6C69FDC31C6E05D857DBB355AA56B67

PID: 2232
Process: ¦¬+t+ñ+eV17.0-2019-6-22¦µ¦+.exe
Filename: C:\Users\admin\AppData\Local\Temp\Play5.dat
Type: compressed
MD5: 86CBDC67B7F520C41DF8193507CDAF43
SHA256: 38C0BEA6DCA4E6CDB2517CDE831140758E9C261EC4C05BE9321ADAE7BF19F45D

PID: 2232
Process: ¦¬+t+ñ+eV17.0-2019-6-22¦µ¦+.exe
Filename: C:\Users\admin\AppData\Local\Temp\Play4.dat
Type: compressed
MD5: C6B59214C6ABC60BE59659756F154422
SHA256: 4CDB3149B03682EB455CA02673B0D9963E72564F57203FD930C99F7A209D54B2
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 3
TCP/UDP connections: 3
DNS requests: 1
Threats: 2

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2232
¦¬+t+ñ+eV17.0-2019-6-22¦µ¦+.exe
GET
42.51.38.18:80
http://win3.zhfcxd.com/bs4-200-4.mp3
CN
suspicious
2392
ú¿OFFICE+ñ+eú¬kms-bfú¿2018-4¦µ¦+ú¬.exe
GET
42.51.38.18:80
http://win3.zhfcxd.com/bs4-300-4.mp3
CN
suspicious
2836
ú¿OFFICE+ñ+eú¬kms-bfú¿2018-4¦µ¦+ú¬.exe
GET
42.51.38.18:80
http://win3.zhfcxd.com/bs4-300-4.mp3
CN
suspicious

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2232
¦¬+t+ñ+eV17.0-2019-6-22¦µ¦+.exe
42.51.38.18:80
win3.zhfcxd.com
Henan Telcom Union Technology Co., LTD
CN
suspicious
2836
ú¿OFFICE+ñ+eú¬kms-bfú¿2018-4¦µ¦+ú¬.exe
42.51.38.18:80
win3.zhfcxd.com
Henan Telcom Union Technology Co., LTD
CN
suspicious
2392
ú¿OFFICE+ñ+eú¬kms-bfú¿2018-4¦µ¦+ú¬.exe
42.51.38.18:80
win3.zhfcxd.com
Henan Telcom Union Technology Co., LTD
CN
suspicious

DNS requests

Domain
IP
Reputation
win3.zhfcxd.com
  • 42.51.38.18
suspicious

Threats

Found threats are available for the paid subscriptions
2 ETPRO signatures available at the full report
No debug info