File name:

kmsauto-net-1_5_4.zip

Full analysis: https://app.any.run/tasks/de1da4b8-c3b1-4222-beb4-c61cd08e7453
Verdict: Malicious activity
Analysis date: December 19, 2024, 06:24:52
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
kms
upx
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract, compression method=AES Encrypted
MD5:

77B1A945EBA1451B24D08A1D3B99E08C

SHA1:

D20F524A697408607652377EF6568CCBE95E17E9

SHA256:

F5C4883CD596C64288B1581F6B59999CD123A6C180B89E8388063A973FFDD7B6

SSDEEP:

98304:/iDT1ubpC9gd1vqNp8CBxpxmjre32BwpwMbwuM8UVsdpf9MBp8Pr3KPrlhf+/6Si:2xdYRo34

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Executing a file with an untrusted certificate

      • KMSAuto Net.exe (PID: 7076)
      • KMSAuto Net.exe (PID: 7024)
      • FakeClient.exe (PID: 5916)
  • SUSPICIOUS

    • Reads Internet Explorer settings

      • KMSAuto Net.exe (PID: 7076)
    • KMS tool has been detected

      • KMSAuto Net.exe (PID: 7076)
      • KMSAuto Net.exe (PID: 7024)
      • KMSAuto Net.exe (PID: 7076)
    • Starts CMD.EXE for commands execution

      • KMSAuto Net.exe (PID: 7076)
      • cmd.exe (PID: 2800)
    • Process drops legitimate windows executable

      • wzt.dat (PID: 6184)
      • bin_x64.dat (PID: 4536)
      • bin_x64.dat (PID: 6424)
    • Executable content was dropped or overwritten

      • KMSAuto Net.exe (PID: 7076)
      • wzt.dat (PID: 6184)
      • bin.dat (PID: 7000)
      • bin_x64.dat (PID: 4536)
      • AESDecoder.exe (PID: 5400)
      • bin_x64.dat (PID: 6424)
    • Starts application with an unusual extension

      • cmd.exe (PID: 6780)
      • cmd.exe (PID: 3144)
      • cmd.exe (PID: 3296)
      • cmd.exe (PID: 6196)
    • Adds/modifies Windows certificates

      • certmgr.exe (PID: 3836)
      • certmgr.exe (PID: 6440)
    • Drops 7-zip archiver for unpacking

      • KMSAuto Net.exe (PID: 7076)
    • Drops a system driver (possible attempt to evade defenses)

      • bin_x64.dat (PID: 4536)
      • bin_x64.dat (PID: 6424)
    • Uses NETSH.EXE to add a firewall rule or allowed programs

      • KMSAuto Net.exe (PID: 7076)
    • Application launched itself

      • cmd.exe (PID: 2800)
    • Uses NETSH.EXE to delete a firewall rule or allowed programs

      • KMSAuto Net.exe (PID: 7076)
    • Executes as Windows Service

      • KMSSS.exe (PID: 6556)
    • Creates or modifies Windows services

      • KMSAuto Net.exe (PID: 7076)
    • Uses ROUTE.EXE to modify routing table

      • cmd.exe (PID: 6536)
    • Uses REG/REGEDIT.EXE to modify registry

      • KMSAuto Net.exe (PID: 7076)
  • INFO

    • The process uses the downloaded file

      • WinRAR.exe (PID: 6584)
    • Creates a new folder

      • cmd.exe (PID: 2512)
      • cmd.exe (PID: 7156)
    • Reads Environment values

      • KMSAuto Net.exe (PID: 7076)
    • Reads product name

      • KMSAuto Net.exe (PID: 7076)
    • Manual execution by a user

      • KMSAuto Net.exe (PID: 7076)
      • KMSAuto Net.exe (PID: 7024)
    • Creates files in the program directory

      • KMSAuto Net.exe (PID: 7076)
      • bin.dat (PID: 7000)
      • wzt.dat (PID: 6184)
      • bin_x64.dat (PID: 4536)
      • KMSSS.exe (PID: 6556)
      • bin_x64.dat (PID: 6424)
    • Reads the machine GUID from the registry

      • KMSAuto Net.exe (PID: 7076)
    • Reads the computer name

      • KMSAuto Net.exe (PID: 7076)
    • Creates files or folders in the user directory

      • KMSAuto Net.exe (PID: 7076)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 6584)
    • UPX packer has been detected

      • KMSAuto Net.exe (PID: 7076)
    • Checks supported languages

      • KMSAuto Net.exe (PID: 7076)
      • wzt.dat (PID: 6184)
      • certmgr.exe (PID: 3836)
      • certmgr.exe (PID: 6440)
      • bin_x64.dat (PID: 6424)
      • bin.dat (PID: 7000)
      • AESDecoder.exe (PID: 5400)
      • bin_x64.dat (PID: 4536)
    • The sample compiled with english language support

      • KMSAuto Net.exe (PID: 7076)
      • wzt.dat (PID: 6184)
      • bin_x64.dat (PID: 4536)
      • bin_x64.dat (PID: 6424)
    • Adds a route via ROUTE.EXE

      • ROUTE.EXE (PID: 68)
    • Sends debugging messages

      • FakeClient.exe (PID: 5916)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: 0x0009
ZipCompression: Unknown (99)
ZipModifyDate: 2018:10:15 09:59:34
ZipCRC: 0x0da1fbfe
ZipCompressedSize: 5442977
ZipUncompressedSize: 8315752
ZipFileName: KMSAuto Net.exe
No data.
All screenshots are available in the full report
Total processes
208
Monitored processes
79
Malicious processes
4
Suspicious processes
3

Behavior graph

Process launch sequence as shown in the graph (79 monitored processes; "no specs" is the graph's own label for nodes with no recorded indicators):

winrar.exe, kmsauto net.exe (no specs), kmsauto net.exe, cmd.exe (no specs), conhost.exe (no specs), cmd.exe (no specs), conhost.exe (no specs), cmd.exe (no specs), conhost.exe (no specs), cmd.exe (no specs), conhost.exe (no specs), cmd.exe (no specs), conhost.exe (no specs), wzt.dat, cmd.exe (no specs), conhost.exe (no specs), cmd.exe (no specs), conhost.exe (no specs), certmgr.exe (no specs), cmd.exe (no specs), conhost.exe (no specs), certmgr.exe (no specs), cmd.exe (no specs), conhost.exe (no specs), cmd.exe (no specs), conhost.exe (no specs), bin.dat, cmd.exe (no specs), conhost.exe (no specs), cmd.exe (no specs), conhost.exe (no specs), aesdecoder.exe, cmd.exe (no specs), conhost.exe (no specs), cmd.exe (no specs), conhost.exe (no specs), bin_x64.dat, cmd.exe (no specs), conhost.exe (no specs), cmd.exe (no specs), conhost.exe (no specs), cmd.exe (no specs), netstat.exe (no specs), find.exe (no specs), netsh.exe (no specs), conhost.exe (no specs), netsh.exe (no specs), conhost.exe (no specs), sc.exe (no specs), conhost.exe (no specs), sc.exe (no specs), conhost.exe (no specs), kmsss.exe (no specs), cmd.exe (no specs), conhost.exe (no specs), bin_x64.dat, cmd.exe (no specs), conhost.exe (no specs), cmd.exe (no specs), conhost.exe (no specs), route.exe (no specs), cmd.exe (no specs), conhost.exe (no specs), fakeclient.exe, reg.exe (no specs), conhost.exe (no specs), reg.exe (no specs), conhost.exe (no specs), reg.exe (no specs), conhost.exe (no specs), reg.exe (no specs), conhost.exe (no specs), reg.exe (no specs), conhost.exe (no specs), reg.exe (no specs), conhost.exe (no specs), sppextcomobj.exe, slui.exe, slui.exe (no specs)

Process information

PID:
68
CMD:
route -p add 100.100.0.10 0.0.0.0 IF 1
Path:
C:\Windows\System32\ROUTE.EXE
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
TCP/IP Route Command
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\route.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\iphlpapi.dll
PID:
556
CMD:
C:\WINDOWS\Sysnative\cmd.exe /D /c del /F /Q "test.test"
Path:
C:\Windows\System32\cmd.exe
Parent process:
KMSAuto Net.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
PID:
732
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
1020
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
1228
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
netsh.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
1380
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
1480
CMD:
C:\WINDOWS\system32\SppExtComObj.exe -Embedding
Path:
C:\Windows\System32\SppExtComObj.Exe
Parent process:
svchost.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
KMS Connection Broker
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sppextcomobj.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\oleaut32.dll
PID:
2132
CMD:
C:\WINDOWS\Sysnative\Netsh Advfirewall Firewall delete rule name="0pen Port KMS" protocol=TCP
Path:
C:\Windows\System32\netsh.exe
Parent process:
KMSAuto Net.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Network Command Shell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
PID:
2148
CMD:
"C:\WINDOWS\Sysnative\cmd.exe" /c rd "C:\ProgramData\KMSAuto\wzt" /S /Q
Path:
C:\Windows\System32\cmd.exe
Parent process:
KMSAuto Net.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
PID:
2216
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
6 253
Read events
6 223
Write events
28
Delete events
2

Modification events

Process: (6584) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 3
Value: C:\Users\admin\Desktop\preferences.zip

Process: (6584) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 2
Value: C:\Users\admin\Desktop\chromium_ext.zip

Process: (6584) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip

Process: (6584) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\AppData\Local\Temp\kmsauto-net-1_5_4.zip

Process: (6584) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

Process: (6584) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

Process: (6584) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

Process: (6584) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100

Process: (6584) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface
Operation: write
Name: ShowPassword
Value: 0

Process: (6584) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\MainWin
Operation: write
Name: Placement
Value: 2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF3D0000002D000000FD03000016020000
Executable files
26
Suspicious files
11
Text files
6
Unknown types
2

Dropped files

PID | Process | Filename | Type

6584 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb6584.32268\KMSAuto Net.exe | executable
MD5: F1FE671BCEFD4630E5ED8B87C9283534
SHA256: 58D6FEC4BA24C32D38C9A0C7C39DF3CB0E91F500B323E841121D703C7B718681

6184 | wzt.dat | C:\ProgramData\KMSAuto\wzt\wzteam.cer | binary
MD5: 76B56D90E6F1DA030A8B85E64579F25A
SHA256: FD2D7DF0220DD65EE23D0090299DFCC356F6F8F7167BAE9ADF7D08CEFAF39D02

7076 | KMSAuto Net.exe | C:\Users\admin\AppData\Local\MSfree Inc\kmsauto.ini | text
MD5: AF6A20FD7DFADCD582CCF2B1BFAAF82B
SHA256: 0BEE97833A70AA9BA271E93226DACE849836C64919FBFE15543D694E219D4AF2

7000 | bin.dat | C:\ProgramData\KMSAuto\bin\KMSSS.exe.aes | binary
MD5: 41E0D8AB5104DA2068739109EC3599F4
SHA256: 38D1DBDC7C7A64253E6D4B52225B0BFD7716405C731A107F0C6BA9573A73A77F

7076 | KMSAuto Net.exe | C:\ProgramData\KMSAuto\bin.dat | executable
MD5: 4D2E5AFFE6D1CCB42F6650FD57448A9B
SHA256: 3CBF7C0231B3266B4A6946DCF9AAA39C2BF077F6E459CA9EAD39C516CBFCE74C

6184 | wzt.dat | C:\ProgramData\KMSAuto\wzt\certmgr.exe | executable
MD5: 9D4F1124B2D870583268D19317D564AE
SHA256: EBAD2237B3E7CDF65385CCCE5099E82C7EC5080E737C97CE4E542CDBEA8D418D

4536 | bin_x64.dat | C:\ProgramData\KMSAuto\bin\driver\x64TAP1\tap0901.cat | binary
MD5: C757503BC0C5A6679E07FE15B93324D6
SHA256: 91EBEA8AD199E97832CF91EA77328ED7FF49A1B5C06DDAACB0E420097A9B079E

7000 | bin.dat | C:\ProgramData\KMSAuto\bin\TunMirror2.exe.aes | binary
MD5: A1A5AFA53B578DB6ABF400A88548F487
SHA256: A9E76D637E0C0A65036D7F2D5C3D7B1C53218B94716554F4D9F6630DCFF8C75A

7000 | bin.dat | C:\ProgramData\KMSAuto\bin\TunMirror.exe | executable
MD5: 2ED9C12A91E795804B1B770958C647AC
SHA256: CB56C248A38292C234D1AABE5E33A671FE8AE8AED28E0C8C4FBE767E4E7B82F5

5400 | AESDecoder.exe | C:\ProgramData\KMSAuto\bin\KMSSS.exe | executable
MD5: 01A80AAD5DABED1C1580F7E00213CF9D
SHA256: FD7499214ABAA13BF56D006AB7DE78EB8D6ADF17926C24ACE024D067049BC81D
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
10
TCP/UDP connections
34
DNS requests
17
Threats
0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation
(Type and Size were empty for every request; "-" marks a cell the report left blank.)

4712 | MoUsoCoreWorker.exe | GET | 200 | 2.16.164.106:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
- | - | GET | 200 | 2.16.164.106:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
- | - | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
- | - | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | whitelisted
6264 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D | unknown | whitelisted
- | - | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
6264 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | unknown | whitelisted
6084 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | whitelisted
6084 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
("-" marks a cell the report left blank.)

4 | System | 192.168.100.255:137 | - | - | - | whitelisted
1520 | RUXIMICS.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
- | - | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4712 | MoUsoCoreWorker.exe | 2.16.164.106:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted
- | - | 2.16.164.106:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted
4712 | MoUsoCoreWorker.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
5064 | SearchApp.exe | 2.23.209.183:443 | www.bing.com | Akamai International B.V. | GB | whitelisted
- | - | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
- | - | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
whitelisted
crl.microsoft.com
  • 2.16.164.106
  • 2.16.164.49
whitelisted
www.microsoft.com
  • 95.101.149.131
whitelisted
www.bing.com
  • 2.23.209.183
  • 2.23.209.186
  • 2.23.209.189
  • 2.23.209.181
  • 2.23.209.185
  • 2.23.209.130
  • 2.23.209.187
  • 2.23.209.140
  • 2.23.209.182
whitelisted
google.com
  • 142.250.185.78
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
login.live.com
  • 40.126.32.72
  • 20.190.160.14
  • 40.126.32.140
  • 40.126.32.133
  • 40.126.32.76
  • 20.190.160.20
  • 20.190.160.17
  • 20.190.160.22
whitelisted
go.microsoft.com
  • 184.28.89.167
whitelisted
arc.msn.com
  • 20.199.58.43
whitelisted
fd.api.iris.microsoft.com
  • 20.74.47.205
whitelisted

Threats

No threats detected
Debug messages

Process | Message
FakeClient.exe | WdfCoInstaller: [12/19/2024 06:25.35.149] ReadComponents: WdfSection for Driver Service windivert using KMDF lib version Major 0x1, minor 0x9
FakeClient.exe | WdfCoInstaller: [12/19/2024 06:25.35.164] BootApplication: GetStartType error error(87) The parameter is incorrect. Driver Service name windivert
FakeClient.exe | WdfCoInstaller: [12/19/2024 06:25.35.164] BootApplication: could not open service windivert, error error(1060) The specified service does not exist as an installed service.