File name: KMSAuto Lite Portable v1.4.0.rar

Full analysis: https://app.any.run/tasks/dba724f4-87b5-425b-8d95-a78568c8e487
Verdict: Malicious activity
Analysis date: July 08, 2025, 18:52:15
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: upx, kms
MIME: application/x-rar
File info: RAR archive data, v5
MD5: 8E05AAA4753B03ABAA79AB39171F9D6D
SHA1: A851F46BAC4801B510AD3ED07322027A4E903631
SHA256: DB594DA05B3A24949E5362EA095ADDFA0A2FEE065AA15763181535E3A4D76180
SSDEEP: 98304:ICSquiDT4zbfx2qaVj/6Bb0zUNHRL+ju5LKJfeLc4Y9zaELSIdILaLyeT1gteE8v:mduj8QaXMkUtx

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Executing a file with an untrusted certificate

      • KMSAuto x64.exe (PID: 3876)
      • KMSAuto x64.exe (PID: 3672)
    • Uses WMIC.EXE to add exclusions to the Windows Defender

      • cmd.exe (PID: 7080)
      • cmd.exe (PID: 4456)
      • cmd.exe (PID: 2432)
      • cmd.exe (PID: 4960)
      • cmd.exe (PID: 5952)
      • cmd.exe (PID: 6652)
    • Starts NET.EXE for service management

      • net.exe (PID: 6664)
      • cmd.exe (PID: 6320)
    • Changes image file execution options

      • reg.exe (PID: 7000)
    • Accesses name of the domain to which a computer belongs via WMI (SCRIPT)

      • cscript.exe (PID: 3952)
    • Disables Windows Defender

      • KMSAuto x64.exe (PID: 3672)
  • SUSPICIOUS

    • Creates FileSystem object to access computer's file system (SCRIPT)

      • cscript.exe (PID: 3196)
      • cscript.exe (PID: 3952)
      • cscript.exe (PID: 7084)
    • Uses WMI to retrieve WMI-managed resources (SCRIPT)

      • cscript.exe (PID: 3196)
      • cscript.exe (PID: 7084)
      • cscript.exe (PID: 3952)
    • Gets full path of the running script (SCRIPT)

      • cscript.exe (PID: 3196)
      • cscript.exe (PID: 3952)
      • cscript.exe (PID: 7084)
    • Found strings related to reading or modifying Windows Defender settings

      • KMSAuto x64.exe (PID: 3672)
    • The process executes VB scripts

      • cmd.exe (PID: 1520)
      • cmd.exe (PID: 1688)
      • cmd.exe (PID: 724)
    • Stops a currently running service

      • sc.exe (PID: 3676)
      • sc.exe (PID: 3676)
    • Executable content was dropped or overwritten

      • cmd.exe (PID: 3876)
      • KMSAuto x64.exe (PID: 3672)
      • cmd.exe (PID: 1732)
    • Uses TASKKILL.EXE to kill process

      • cmd.exe (PID: 6388)
      • cmd.exe (PID: 6404)
    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 4100)
      • cmd.exe (PID: 3388)
      • KMSAuto x64.exe (PID: 3672)
      • cmd.exe (PID: 2632)
      • cmd.exe (PID: 32)
      • cmd.exe (PID: 892)
      • cmd.exe (PID: 3800)
      • cmd.exe (PID: 3820)
      • cmd.exe (PID: 1732)
      • cmd.exe (PID: 6140)
    • Starts CMD.EXE for commands execution

      • KMSAuto x64.exe (PID: 3672)
    • Checks whether a specific file exists (SCRIPT)

      • cscript.exe (PID: 3196)
      • cscript.exe (PID: 3952)
      • cscript.exe (PID: 7084)
    • Executes WMI query (SCRIPT)

      • cscript.exe (PID: 3196)
      • cscript.exe (PID: 3952)
      • cscript.exe (PID: 7084)
    • Hides command output

      • cmd.exe (PID: 5460)
    • Starts SC.EXE for service management

      • cmd.exe (PID: 5460)
      • cmd.exe (PID: 6636)
      • cmd.exe (PID: 4828)
      • cmd.exe (PID: 6716)
      • cmd.exe (PID: 3400)
    • KMS tool has been detected

      • cmd.exe (PID: 6268)
      • KMSAuto x64.exe (PID: 3672)
      • cmd.exe (PID: 6412)
      • cmd.exe (PID: 4680)
    • Windows service management via SC.EXE

      • sc.exe (PID: 5924)
      • sc.exe (PID: 3148)
    • Uses NETSH.EXE to add a firewall rule or allowed programs

      • cmd.exe (PID: 7128)
      • cmd.exe (PID: 6268)
    • Creates a new Windows service

      • sc.exe (PID: 2520)
    • Creates or modifies Windows services

      • KMSAuto x64.exe (PID: 3672)
    • Executes as Windows Service

      • KMSSS.exe (PID: 6772)
    • Uses NETSH.EXE to delete a firewall rule or allowed programs

      • cmd.exe (PID: 6412)
      • cmd.exe (PID: 4572)
      • cmd.exe (PID: 7136)
      • cmd.exe (PID: 4680)
    • The process downloads a VBScript from the remote host

      • cmd.exe (PID: 724)
    • Uses WMIC.EXE to obtain Windows Installer data

      • cmd.exe (PID: 2512)
    • Uses ROUTE.EXE to obtain the routing table information

      • cmd.exe (PID: 3944)
  • INFO

    • Manual execution by a user

      • KMSAuto x64.exe (PID: 3876)
      • KMSAuto x64.exe (PID: 3672)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 5020)
    • Reads product name

      • KMSAuto x64.exe (PID: 3672)
    • Checks supported languages

      • KMSAuto x64.exe (PID: 3672)
      • KMSSS.exe (PID: 6772)
    • Reads Environment values

      • KMSAuto x64.exe (PID: 3672)
    • Reads security settings of Internet Explorer

      • WMIC.exe (PID: 1484)
      • cscript.exe (PID: 3196)
      • WMIC.exe (PID: 6940)
      • WMIC.exe (PID: 6348)
      • WMIC.exe (PID: 6900)
      • cscript.exe (PID: 3952)
      • WMIC.exe (PID: 2404)
      • cscript.exe (PID: 7084)
    • Reads the computer name

      • KMSAuto x64.exe (PID: 3672)
      • KMSSS.exe (PID: 6772)
    • Create files in a temporary directory

      • KMSAuto x64.exe (PID: 3672)
    • UPX packer has been detected

      • KMSAuto x64.exe (PID: 3672)
    • Reads the machine GUID from the registry

      • KMSSS.exe (PID: 6772)
    • Deletes a route via ROUTE.EXE

      • ROUTE.EXE (PID: 6220)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK matrix in the full report.
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)

EXIF

ZIP

FileVersion: RAR v5
CompressedSize: 3710880
UncompressedSize: 3829096
OperatingSystem: Win32
ArchivedFileName: KMSAuto Lite Portable v1.4.0/KMSAuto x64.exe
No data.
All screenshots are available in the full report
Total processes: 267
Monitored processes: 128
Malicious processes: 6
Suspicious processes: 5

Behavior graph

Process launch order from the behavior graph (every node except the second kmsauto x64.exe instance is marked "no specs" in the report): winrar.exe, kmsauto x64.exe, kmsauto x64.exe, cmd.exe, cmd.exe, conhost.exe, conhost.exe, wmic.exe, cmd.exe, conhost.exe, wmic.exe, cmd.exe, conhost.exe, wmic.exe, cmd.exe, conhost.exe, wmic.exe, slui.exe, cmd.exe, conhost.exe, cscript.exe, cmd.exe, conhost.exe, sc.exe, cmd.exe, conhost.exe, net.exe, net1.exe, cmd.exe, conhost.exe, taskkill.exe, cmd.exe, conhost.exe, cmd.exe, conhost.exe, cmd.exe, conhost.exe, cmd.exe, conhost.exe, cmd.exe, conhost.exe, reg.exe, cmd.exe, conhost.exe, reg.exe, cmd.exe, conhost.exe, netsh.exe, cmd.exe, conhost.exe, netsh.exe, cmd.exe, conhost.exe, netsh.exe, cmd.exe, conhost.exe, netsh.exe, cmd.exe, conhost.exe, sc.exe, cmd.exe, conhost.exe, sc.exe, kmsss.exe, reg.exe, conhost.exe, cmd.exe, conhost.exe, reg.exe, cmd.exe, conhost.exe, reg.exe, cmd.exe, conhost.exe, reg.exe, cmd.exe, conhost.exe, reg.exe, cmd.exe, conhost.exe, cscript.exe, cmd.exe, conhost.exe, wmic.exe, cmd.exe, conhost.exe, cscript.exe, cmd.exe, conhost.exe, sc.exe, cmd.exe, conhost.exe, sc.exe, cmd.exe, conhost.exe, route.exe, cmd.exe, conhost.exe, taskkill.exe, cmd.exe, conhost.exe, cmd.exe, conhost.exe, cmd.exe, conhost.exe, reg.exe, cmd.exe, conhost.exe, reg.exe, cmd.exe, conhost.exe, reg.exe, cmd.exe, conhost.exe, netsh.exe, cmd.exe, conhost.exe, netsh.exe, cmd.exe, conhost.exe, cmd.exe, conhost.exe, wmic.exe, cmd.exe, conhost.exe, wmic.exe, cmd.exe, conhost.exe

Process information

PID: 32
CMD: "C:\WINDOWS\System32\cmd.exe" /c reg.exe add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServicePort /d 1688 /t REG_SZ /reg:32
Path: C:\Windows\System32\cmd.exe
Parent process: KMSAuto x64.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
PID: 304
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 684
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 724
CMD: "C:\WINDOWS\System32\cmd.exe" /c cscript //nologo "C:\Users\admin\AppData\Local\Temp\slmgr.vbs" /skms 10.3.0.20:1688
Path: C:\Windows\System32\cmd.exe
Parent process: KMSAuto x64.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
PID: 892
CMD: "C:\WINDOWS\System32\cmd.exe" /c reg.exe add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServicePort /d 1688 /t REG_SZ /reg:64
Path: C:\Windows\System32\cmd.exe
Parent process: KMSAuto x64.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
PID: 1136
CMD: WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionPath="C:\WINDOWS\Temp\KMSAuto_Files"
Path: C:\Windows\System32\wbem\WMIC.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
WMI Commandline Utility
Exit code:
2147749889 (0x80041001, WBEM_E_FAILED: the WMI call to remove the Defender exclusion did not succeed)
Version:
10.0.19041.1 (WinBuild.160101.0800)
PID: 1156
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1232
CMD: "C:\WINDOWS\System32\cmd.exe" /c del "C:\WINDOWS\Temp\KMSAuto_Files\bin\SppExtComObjPatcher.exe" /F /Q
Path: C:\Windows\System32\cmd.exe
Parent process: KMSAuto x64.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
PID: 1232
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1324
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
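The command lines in the process list above (the KeyManagementServicePort override written with reg.exe, slmgr.vbs executed from %TEMP% against 10.3.0.20:1688, and the WMIC MSFT_MpPreference exclusion call) are exactly the process-creation telemetry a detection engineer would hunt for after reading this report. The script below is an added example and is not part of the ANY.RUN report or of KMSAuto. It runs a small rule set over constructed process records: the entries for PIDs 32, 724 and 1136 copy their command lines and exit codes from this report, while PIDs 4242 and 4243 are invented benign entries for contrast. It also decodes WMIC's HRESULT-style exit code (the report's 2147749889 is 0x80041001, WBEM_E_FAILED) and flags any /skms target that is not on an assumed allowlist of the organisation's real KMS hosts (kms.corp.example is a placeholder). The IFEO, netsh and sc create patterns correspond to signature labels in the report whose command lines are not reproduced here, so those three rules are illustrative rather than copied from observed commands.

```python
"""Detection over process-creation records for the KMS-activator behaviours
seen in the report (Sysmon Event ID 1 / EDR telemetry shape, as plain dicts)."""
import re
from typing import Iterable

# Rule table over the full command line. The first two mirror command lines in
# the report; the last three follow its signature labels (IFEO change, netsh
# firewall rule, service creation) and are illustrative.
RULES = {
    "defender_exclusion_via_wmic": re.compile(
        r"MSFT_MpPreference\b.*\bcall\s+(Add|Remove)\b.*\bExclusion(Path|Process|Extension)\s*=",
        re.I),
    "kms_host_override_in_registry": re.compile(
        r"\breg(?:\.exe)?\s+add\b.*SoftwareProtectionPlatform.*\bKeyManagementService(Name|Port)\b",
        re.I),
    "ifeo_modification": re.compile(
        r"\breg(?:\.exe)?\s+add\b.*\\Image File Execution Options\\", re.I),
    "firewall_rule_added_via_netsh": re.compile(
        r"\bnetsh(?:\.exe)?\b.*(advfirewall\s+firewall\s+add\s+rule|firewall\s+add\s+allowedprogram)",
        re.I),
    "service_created_from_temp": re.compile(
        r"\bsc(?:\.exe)?\s+create\b.*binPath=\s*\"?[A-Za-z]:\\Windows\\Temp\\", re.I),
}
# slmgr.vbs /skms <host>[:<port>] is the KMS host override the report shows.
SKMS = re.compile(r"slmgr(?:\.vbs)?\"?\s+.*?/skms\s+\"?([^\s\":]+)(?::(\d+))?", re.I)
SLMGR_PATH = re.compile(r"([A-Za-z]:\\[^\"]*?slmgr\.vbs)", re.I)

# Constructed records. PIDs 32, 724 and 1136 carry command lines and exit codes
# copied from the report; 4242 and 4243 are invented benign entries.
RECORDS = [
    {"pid": 32, "parent": "KMSAuto x64.exe", "exit": 0, "cmd":
     r'"C:\WINDOWS\System32\cmd.exe" /c reg.exe add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServicePort /d 1688 /t REG_SZ /reg:32'},
    {"pid": 724, "parent": "KMSAuto x64.exe", "exit": 0, "cmd":
     r'"C:\WINDOWS\System32\cmd.exe" /c cscript //nologo "C:\Users\admin\AppData\Local\Temp\slmgr.vbs" /skms 10.3.0.20:1688'},
    {"pid": 1136, "parent": "cmd.exe", "exit": 2147749889, "cmd":
     r'WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionPath="C:\WINDOWS\Temp\KMSAuto_Files"'},
    {"pid": 4242, "parent": "cmd.exe", "exit": 0, "cmd":
     r'cscript //nologo C:\Windows\System32\slmgr.vbs /skms kms.corp.example:1688'},
    {"pid": 4243, "parent": "cmd.exe", "exit": 0, "cmd":
     r'reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform"'},
]


def hresult_name(code: int) -> str:
    """WMIC returns an HRESULT as its exit code; name the WBEM values that
    matter for triage and show anything else in hex."""
    names = {0: "S_OK", 0x80041001: "WBEM_E_FAILED",
             0x80041002: "WBEM_E_NOT_FOUND", 0x80041003: "WBEM_E_ACCESS_DENIED"}
    return names.get(code, f"0x{code:08X}")


def scan(records: Iterable[dict], approved_kms: frozenset = frozenset()) -> list:
    """Return (pid, rule, detail) tuples for every record that trips a rule.
    approved_kms holds lowercase hostnames/IPs of the organisation's real KMS
    servers (an assumption of this example); any other /skms target is reported."""
    findings = []
    for rec in records:
        cmd = rec["cmd"]
        for name, rx in RULES.items():
            if rx.search(cmd):
                findings.append((rec["pid"], name, hresult_name(rec.get("exit", 0))))
        m = SKMS.search(cmd)
        if m:
            host, port = m.group(1), m.group(2) or "1688"
            if host.lower() not in approved_kms:
                findings.append((rec["pid"], "slmgr_skms_unapproved_host", f"{host}:{port}"))
            path = SLMGR_PATH.search(cmd)
            # A legitimate slmgr.vbs lives in System32; a copy in %TEMP% is the
            # activator's own (the report lists it among the dropped files).
            if path and not re.search(r"\\System32\\slmgr\.vbs$", path.group(1), re.I):
                findings.append((rec["pid"], "slmgr_vbs_outside_system32", path.group(1)))
    return findings


if __name__ == "__main__":
    for pid, rule, detail in scan(RECORDS, frozenset({"kms.corp.example"})):
        print(f"PID {pid:<5} {rule:<32} {detail}")
```

Running it reports four findings for the three report-derived records and nothing for the two benign ones. The exit-code decode matters in triage: a Defender-exclusion call that returned WBEM_E_FAILED did not change the exclusion list, so the host's current MpPreference state should be checked rather than assumed from the command line alone.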
Total events: 10 539
Read events: 10 497
Write events: 39
Delete events: 3

Modification events

PID 5020 WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes | Operation: write | Name: ShellExtBMP | Value: (empty in the report)
PID 5020 WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes | Operation: write | Name: ShellExtIcon | Value: (empty in the report)
PID 5020 WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | Operation: write | Name: 3 | Value: C:\Users\admin\Desktop\preferences.zip
PID 5020 WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | Operation: write | Name: 2 | Value: C:\Users\admin\Desktop\chromium_ext.zip
PID 5020 WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | Operation: write | Name: 1 | Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip
PID 5020 WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | Operation: write | Name: 0 | Value: C:\Users\admin\AppData\Local\Temp\KMSAuto Lite Portable v1.4.0.rar
PID 5020 WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | Operation: write | Name: name | Value: 120
PID 5020 WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | Operation: write | Name: size | Value: 80
PID 5020 WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | Operation: write | Name: type | Value: 120
PID 5020 WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | Operation: write | Name: mtime | Value: 100
Executable files: 7
Suspicious files: 0
Text files: 7
Unknown types: 0

Dropped files

PID | Process | Filename | Type
5020 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb5020.7504\KMSAuto Lite Portable v1.4.0\readme_bg.txt | text
  MD5: 7D834E82EBA8C9DCC659F0162193CBA9
  SHA256: A2295378CEC3B6E4B83AECF14FDEB07CC604C3BC923CDCBCF9BADE12C57F2E30
3672 | KMSAuto x64.exe | C:\Windows\Temp\KMSAuto_Files\bin\SppExtComObjPatcher.exe | executable
  MD5: 3D062A5923050F0885AA5E4882096744
  SHA256: 68B536FB2A6A8C9A2B36E17EAD46343D156020C75C559ED068483ECF5BC3F060
3672 | KMSAuto x64.exe | C:\Windows\Temp\KMSAuto_Files\bin\KMSSS.exe | executable
  MD5: 463C7CE8E2EC2C33536E9697C0EEBA7D
  SHA256: D3ED9D3B8DD6A6A8DFA0A9BB02374B079E8E0C33E600677EF15BFA19264C4F04
5020 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb5020.7504\KMSAuto Lite Portable v1.4.0\KMSAuto x64.exe | executable
  MD5: F582CAAC417AFACD7EE7D2C2C3233E18
  SHA256: 7F4F467A8A5274CF7AE5D3565149E0EEA55E0E794649D2482A297B6A37F8791D
5020 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb5020.7504\KMSAuto Lite Portable v1.4.0\KMSAuto.exe | executable
  MD5: 848874FBB3932941804E383C3A7DF4C1
  SHA256: EF46ED3FAA5EF8CD58BDDE77CC7D5547DCA57E3216B7CF3D32D3B77A55C92A26
5020 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb5020.7504\KMSAuto Lite Portable v1.4.0\KMSAutoLite.ini | text
  MD5: 4D20112CA15EC58A9715BCB5AB2B8ACD
  SHA256: 4F320E987668AED66F8A9DF69E79541F761055C479B4ADE0405CE325D6FE53E6
5020 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb5020.7504\KMSAuto Lite Portable v1.4.0\readme_cn.txt | text
  MD5: 0ED59376D9489FF768982479B0D9CD70
  SHA256: 4A6A89357A82760D0D2E6869D76BEA57012F8F3430205C21D212C33F3D2B42EA
5020 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb5020.7504\KMSAuto Lite Portable v1.4.0\readme_ru.txt | text
  MD5: EEC8700BFF223DC2DFC6B88EE9E541D5
  SHA256: ED2CBA7C8E2CBCE9BA853C65EDF7140AB9F6031F8ECF76AC26B4ABF9BC63C863
5020 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb5020.7504\KMSAuto Lite Portable v1.4.0\readme_en.txt | text
  MD5: 746BCDA047FF3FDD3B71FB73942252CA
  SHA256: 02AA25D5E5D7F28C7D01AF3A19E9361EE1BE2CC5D8E99FFA42580D39D6C331CA
3672 | KMSAuto x64.exe | C:\Users\admin\AppData\Local\Temp\slmgr.vbs | text
  MD5: 3903BCAB32A4A853DFA54962112D4D02
  SHA256: 95FC646D222D324DB46F603A7F675C329FE59A567ED27FDAED2A572A19206816
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 6
TCP/UDP connections: 24
DNS requests: 18
Threats: 1

HTTP requests

PID | Process | Method | HTTP code | IP | URL | CN | Type | Size | Reputation
1268 | svchost.exe | GET | 200 | 23.53.40.176:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | DE | binary | 825 b | whitelisted
640 | svchost.exe | GET | 200 | 23.63.118.230:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | DE | binary | 471 b | whitelisted
536 | SIHClient.exe | GET | 200 | 2.16.253.202:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | NL | binary | 420 b | whitelisted
2940 | svchost.exe | GET | 200 | 2.23.197.184:80 | http://x1.c.lencr.org/ | GB | binary | 734 b | whitelisted
536 | SIHClient.exe | GET | 200 | 2.16.253.202:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | NL | binary | 408 b | whitelisted
1268 | svchost.exe | GET | 200 | 2.16.253.202:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | NL | binary | 814 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
1268 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4832 | RUXIMICS.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
1268 | svchost.exe | 23.53.40.176:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
1268 | svchost.exe | 2.16.253.202:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
640 | svchost.exe | 40.126.32.76:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
640 | svchost.exe | 23.63.118.230:80 | ocsp.digicert.com | AKAMAI-AS | DE | whitelisted
2336 | svchost.exe | 172.211.123.248:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
whitelisted
google.com
  • 142.250.186.78
whitelisted
crl.microsoft.com
  • 23.53.40.176
  • 23.53.40.178
whitelisted
www.microsoft.com
  • 2.16.253.202
whitelisted
login.live.com
  • 40.126.32.76
  • 40.126.32.68
  • 20.190.160.67
  • 20.190.160.131
  • 20.190.160.14
  • 20.190.160.22
  • 20.190.160.66
  • 40.126.32.134
whitelisted
ocsp.digicert.com
  • 23.63.118.230
whitelisted
client.wns.windows.com
  • 172.211.123.248
  • 172.211.123.249
whitelisted
nexusrules.officeapps.live.com
  • 52.111.229.43
whitelisted
slscr.update.microsoft.com
  • 4.245.163.56
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 40.69.42.241
whitelisted

Threats

PID | Process | Class | Message
- | - | Unknown Traffic | ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)
No debug info