File name: Kms_P1co.rar

Full analysis: https://app.any.run/tasks/3d28ed71-1b3d-47a3-b5ca-916c833f842e
Verdict: Malicious activity
Threats:
CryptBot is an advanced Windows-targeting infostealer distributed through piracy sites that offer "cracked" software. It was first observed in the wild in 2019.

Analysis date: October 05, 2023, 15:52:47
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
stealer
cryptbot
autoit
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5: D60DAFB0433BFA2B680F794CF45F1C86
SHA1: 370F524E1781412D491E4F9ECC319831FEDF9A84
SHA256: FB6575B6281A746833EC4341BB8EF1DA5D5CCAAC0DD437746A1B923B4BA529AD
SSDEEP: 98304:c9VR0H665vA6Wxyq5eFNiJwH3ci+HOMinV2jK/UBSauhj3JN9fKbgrZU6THHcH9q:B+yX1opfQBcimmLua09BQ

ANY.RUN is an interactive service that gives the analyst full access to the guest system. Information in this report may have been influenced by analyst actions and is provided as is. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS

    • Connects to the CnC server

      • activate.exe (PID: 4076)
    • CRYPTBOT was detected

      • activate.exe (PID: 4076)
    • Drops the executable file immediately after the start

      • activate.exe (PID: 4076)
      • tap-windows-9.21.0.exe (PID: 2512)
      • devcon.exe (PID: 3388)
      • drvinst.exe (PID: 3316)
      • drvinst.exe (PID: 3228)
    • Uses Task Scheduler to run other applications

      • cmd.exe (PID: 2372)
    • Application was dropped or rewritten from another process

      • Gedapoko.exe (PID: 3324)
      • tap-windows-9.21.0.exe (PID: 3140)
      • tap-windows-9.21.0.exe (PID: 2512)
      • devcon.exe (PID: 3388)
      • devcon.exe (PID: 1284)
    • Unusual connection from system programs

      • rundll32.exe (PID: 3268)
    • Actions look like stealing of personal data

      • activate.exe (PID: 4076)
    • Creates a writable file in the system directory

      • drvinst.exe (PID: 3316)
      • drvinst.exe (PID: 3228)
  • SUSPICIOUS

    • Searches for installed software

      • activate.exe (PID: 4076)
    • Reads the Internet Settings

      • activate.exe (PID: 4076)
      • rundll32.exe (PID: 1480)
      • rundll32.exe (PID: 3268)
    • Starts CMD.EXE for commands execution

      • activate.exe (PID: 4076)
      • WinRAR.exe (PID: 1648)
    • Drops the AutoIt3 executable file

      • activate.exe (PID: 4076)
    • Uses RUNDLL32.EXE to load library

      • WinRAR.exe (PID: 1648)
    • Starts notepad (likely ransomware note)

      • WinRAR.exe (PID: 1648)
    • Executing commands from ".cmd" file

      • WinRAR.exe (PID: 1648)
    • The process executes via Task Scheduler

      • Gedapoko.exe (PID: 3324)
    • Reads settings of System Certificates

      • rundll32.exe (PID: 3268)
      • devcon.exe (PID: 3388)
      • rundll32.exe (PID: 3332)
    • The process creates files with name similar to system file names

      • tap-windows-9.21.0.exe (PID: 2512)
    • Drops a system driver (possible attempt to evade defenses)

      • tap-windows-9.21.0.exe (PID: 2512)
      • devcon.exe (PID: 3388)
      • drvinst.exe (PID: 3316)
      • drvinst.exe (PID: 3228)
    • Starts application with an unusual extension

      • tap-windows-9.21.0.exe (PID: 2512)
    • Process drops legitimate windows executable

      • msedge.exe (PID: 2648)
    • Malware-specific behavior (creating "System.dll" in Temp)

      • tap-windows-9.21.0.exe (PID: 2512)
    • Reads security settings of Internet Explorer

      • devcon.exe (PID: 3388)
    • Checks Windows Trust Settings

      • devcon.exe (PID: 3388)
      • drvinst.exe (PID: 3316)
      • drvinst.exe (PID: 3228)
    • Creates files in the driver directory

      • drvinst.exe (PID: 3316)
      • drvinst.exe (PID: 3228)
    • Executes as Windows Service

      • VSSVC.exe (PID: 3684)
  • INFO

    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 1648)
      • msedge.exe (PID: 3272)
      • msedge.exe (PID: 2648)
    • Checks supported languages

      • activate.exe (PID: 4016)
      • activate.exe (PID: 4076)
      • Gedapoko.exe (PID: 3324)
      • tap-windows-9.21.0.exe (PID: 2512)
      • ns2113.tmp (PID: 2008)
      • ns2018.tmp (PID: 3768)
      • devcon.exe (PID: 1284)
      • devcon.exe (PID: 3388)
      • drvinst.exe (PID: 3316)
      • drvinst.exe (PID: 3228)
    • Reads product name

      • activate.exe (PID: 4076)
    • Reads the computer name

      • activate.exe (PID: 4076)
      • devcon.exe (PID: 1284)
      • devcon.exe (PID: 3388)
      • tap-windows-9.21.0.exe (PID: 2512)
      • drvinst.exe (PID: 3316)
      • drvinst.exe (PID: 3228)
    • Reads CPU info

      • activate.exe (PID: 4076)
    • Reads Environment values

      • activate.exe (PID: 4076)
      • drvinst.exe (PID: 3228)
    • Checks proxy server information

      • activate.exe (PID: 4076)
    • Reads the machine GUID from the registry

      • activate.exe (PID: 4076)
      • devcon.exe (PID: 3388)
      • drvinst.exe (PID: 3316)
      • drvinst.exe (PID: 3228)
    • Creates files or folders in the user directory

      • activate.exe (PID: 4076)
      • rundll32.exe (PID: 3268)
    • Reads mouse settings

      • Gedapoko.exe (PID: 3324)
    • Reads security settings of Internet Explorer

      • rundll32.exe (PID: 3268)
      • rundll32.exe (PID: 3332)
    • Application launched itself

      • msedge.exe (PID: 3272)
    • Creates files in a temporary directory

      • tap-windows-9.21.0.exe (PID: 2512)
      • devcon.exe (PID: 3388)
    • Loads dropped or rewritten executable

      • tap-windows-9.21.0.exe (PID: 2512)
    • Creates files in the program directory

      • tap-windows-9.21.0.exe (PID: 2512)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)
All screenshots are available in the full report
Total processes: 92
Monitored processes: 45
Malicious processes: 12
Suspicious processes: 1

Behavior graph

Click on a process in the full report to see its details. Edge labels: drop and start; drop and start; start. Nodes in graph order ("no specs" marks a process without detailed information):
winrar.exe (no specs); #CRYPTBOT activate.exe; activate.exe (no specs); regedit.exe (no specs); regedit.exe; cmd.exe (no specs); schtasks.exe (no specs); rundll32.exe (no specs); msedge.exe; msedge.exe (no specs) x2; msedge.exe; msedge.exe (no specs) x6; notepad.exe (no specs); msedge.exe (no specs) x7; cmd.exe (no specs); msedge.exe (no specs) x2; gedapoko.exe (no specs); msedge.exe (no specs) x3; rundll32.exe; tap-windows-9.21.0.exe (no specs); tap-windows-9.21.0.exe; ns2018.tmp (no specs); devcon.exe (no specs); msedge.exe (no specs); ns2113.tmp (no specs); devcon.exe (no specs); drvinst.exe (no specs); rundll32.exe (no specs); vssvc.exe (no specs); drvinst.exe (no specs)

Process information

PID
CMD
Path
Indicators
Parent process
PID: 188
CMD: "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=109.0.5414.149 "--annotation=exe=C:\Program Files\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win32 "--annotation=prod=Microsoft Edge" --annotation=ver=109.0.1518.115 --initial-client-data=0xc8,0xcc,0xd0,0x9c,0xd8,0x6cf6f598,0x6cf6f5a8,0x6cf6f5b4
Path: C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Exit code:
0
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 396
CMD: "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=3344 --field-trial-handle=1244,i,12331054116738006116,14303850040422449046,131072 /prefetch:8
Path: C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cryptbase.dll
PID: 592
CMD: "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3864 --field-trial-handle=1244,i,12331054116738006116,14303850040422449046,131072 /prefetch:8
Path: C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 876
CMD: "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1276 --field-trial-handle=1244,i,12331054116738006116,14303850040422449046,131072 /prefetch:2
Path: C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
PID: 1120
CMD: "regedit.exe" "C:\Users\admin\AppData\Local\Temp\Rar$DIb1648.23572\DisableSmartScreen.reg"
Path: C:\Windows\regedit.exe
Parent process: WinRAR.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Editor
Exit code:
3221226540
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\regedit.exe
c:\windows\system32\ntdll.dll
PID: 1284
CMD: "C:\Program Files\TAP-Windows\bin\devcon.exe" hwids tap0901
Path: C:\Program Files\TAP-Windows\bin\devcon.exe
Parent process: ns2018.tmp
User:
admin
Company:
Windows (R) Win 7 DDK provider
Integrity Level:
HIGH
Description:
Windows Setup API
Exit code:
0
Version:
6.1.7600.16385 built by: WinDDK
Modules
Images
c:\program files\tap-windows\bin\devcon.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
PID: 1480
CMD: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\admin\AppData\Local\Temp\Rar$DIb1648.26138\DM.bin
Path: C:\Windows\System32\rundll32.exe
Parent process: WinRAR.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\rundll32.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\lpk.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imagehlp.dll
PID: 1648
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Kms_P1co.rar"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
PID: 1956
CMD: "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2512 --field-trial-handle=1244,i,12331054116738006116,14303850040422449046,131072 /prefetch:8
Path: C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Exit code:
0
Version:
109.0.1518.115
Modules
Images
c:\windows\system32\ntdll.dll
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 2008
CMD: "C:\Users\admin\AppData\Local\Temp\nsw461.tmp\ns2113.tmp" "C:\Program Files\TAP-Windows\bin\devcon.exe" install "C:\Program Files\TAP-Windows\driver\OemVista.inf" tap0901
Path: C:\Users\admin\AppData\Local\Temp\nsw461.tmp\ns2113.tmp
Parent process: tap-windows-9.21.0.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\nsw461.tmp\ns2113.tmp
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\gdi32.dll
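The command lines above and the signature list earlier on this page describe one chain: WinRAR opens the archive, hands DisableSmartScreen.reg to regedit.exe and DM.bin to rundll32.exe's OpenAs_RunDLL, and runs activate.exe out of its Rar$EX temp directory; activate.exe starts cmd.exe, which reaches schtasks.exe (Gedapoko.exe later runs via Task Scheduler), while an NSIS stub (ns2113.tmp) drives devcon.exe to install the tap0901 driver. The Python below is an added triage example, not ANY.RUN's signature code: it walks a list of process-creation events and flags exactly those behaviours. The events are constructed from the PIDs and command lines on this page; activate.exe's own command line, the cmd.exe and schtasks.exe arguments, and the schtasks PID (2400) are not in the report and are placeholders.

```python
"""Process-chain triage for the behaviours this report lists. Constructed example;
not ANY.RUN's own signature logic. Event data is reconstructed from the report,
with placeholders where the report omits a command line or PID."""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    parent_pid: Optional[int]   # None when the parent was not captured
    image: str                  # full path of the executable
    cmdline: str


TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
# WinRAR extracts members it is asked to open or run into %TEMP%\Rar$EX<id>.<n>\ or Rar$DI<id>.<n>\
RAR_TEMP_RE = re.compile(r"\\Rar\$(?:EX|DI)[A-Za-z]\d+\.\d+\\", re.I)
NSIS_STUB_RE = re.compile(r"ns[0-9a-z]+\.tmp")          # NSIS temp stubs such as ns2113.tmp
LOLBINS = {"regedit.exe", "rundll32.exe", "cmd.exe", "notepad.exe", "schtasks.exe"}


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestors(ev: ProcEvent, by_pid: dict):
    """Yield parent, grandparent, ...; stops at an unknown pid or a cycle."""
    seen, cur = {ev.pid}, ev
    while cur.parent_pid is not None and cur.parent_pid in by_pid and cur.parent_pid not in seen:
        cur = by_pid[cur.parent_pid]
        seen.add(cur.pid)
        yield cur


def triage(events):
    """Return (pid, rule) pairs for every event that matches a rule."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for ev in events:
        img = basename(ev.image)
        parent = by_pid.get(ev.parent_pid) if ev.parent_pid is not None else None
        pimg = basename(parent.image) if parent else ""
        cmd = ev.cmdline.lower()
        # 1. the archiver launches a LOLBin directly on something it just extracted
        if pimg == "winrar.exe" and img in LOLBINS and RAR_TEMP_RE.search(ev.cmdline):
            findings.append((ev.pid, "lolbin_on_archive_temp"))
        # 2. a binary executing out of WinRAR's extraction directory
        if RAR_TEMP_RE.search(ev.image):
            findings.append((ev.pid, "exec_from_rar_temp"))
        # 3. schtasks.exe with any ancestor that runs from %TEMP%
        if img == "schtasks.exe" and any(TEMP_RE.search(a.image) for a in ancestors(ev, by_pid)):
            findings.append((ev.pid, "schtasks_from_temp_chain"))
        # 4. NSIS stub in %TEMP% invoking "devcon.exe ... install" (driver installation)
        if NSIS_STUB_RE.fullmatch(img) and TEMP_RE.search(ev.image) \
                and "devcon.exe" in cmd and " install " in cmd:
            findings.append((ev.pid, "nsis_driver_install"))
        # 5. rundll32 shell32.dll,OpenAs_RunDLL: the "Open with" dialog on a dropped file
        if img == "rundll32.exe" and "openas_rundll" in cmd:
            findings.append((ev.pid, "rundll32_openas"))
    return findings


# Constructed from the report's process table; see the comments for placeholders.
SAMPLE = [
    ProcEvent(1648, None, r"C:\Program Files\WinRAR\WinRAR.exe",
              r'"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Kms_P1co.rar"'),
    ProcEvent(1120, 1648, r"C:\Windows\regedit.exe",
              r'"regedit.exe" "C:\Users\admin\AppData\Local\Temp\Rar$DIb1648.23572\DisableSmartScreen.reg"'),
    ProcEvent(1480, 1648, r"C:\Windows\System32\rundll32.exe",
              r'"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL '
              r'C:\Users\admin\AppData\Local\Temp\Rar$DIb1648.26138\DM.bin'),
    ProcEvent(4076, 1648, r"C:\Users\admin\AppData\Local\Temp\Rar$EXb1648.18269\Kms_P1co\activate.exe",
              r'"C:\Users\admin\AppData\Local\Temp\Rar$EXb1648.18269\Kms_P1co\activate.exe"'),  # cmdline: placeholder
    ProcEvent(2372, 4076, r"C:\Windows\System32\cmd.exe", "cmd.exe"),                  # args not in report
    ProcEvent(2400, 2372, r"C:\Windows\System32\schtasks.exe", "schtasks.exe"),        # pid and args: placeholders
    ProcEvent(2008, 2512, r"C:\Users\admin\AppData\Local\Temp\nsw461.tmp\ns2113.tmp",  # parent 2512 not in list
              r'"C:\Users\admin\AppData\Local\Temp\nsw461.tmp\ns2113.tmp" "C:\Program Files\TAP-Windows\bin\devcon.exe" '
              r'install "C:\Program Files\TAP-Windows\driver\OemVista.inf" tap0901'),
]

if __name__ == "__main__":
    for pid, rule in triage(SAMPLE):
        print(pid, rule)
```

The rules are deliberately narrow (parent is WinRAR, path under Rar$EX or Rar$DI, schtasks with a %TEMP% ancestor); widening them to any archiver or any %TEMP% path trades false positives for coverage. The parent-chain walk in ancestors() is what separates an administrator typing schtasks from an "activator" doing it, which a flat parent-child check cannot do.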
Total events: 27 662
Read events: 27 355
Write events: 256
Delete events: 51

Modification events

(PID) Process: (1648) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\178\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (1648) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 2
Value: C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip

(PID) Process: (1648) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip

(PID) Process: (1648) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\Desktop\phacker.zip

(PID) Process: (1648) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (1648) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (1648) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

(PID) Process: (1648) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100

(PID) Process: (1648) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

(PID) Process: (1648) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1
Executable files: 38
Suspicious files: 215
Text files: 1 088
Unknown types: 0

Dropped files

PID | Process | Filename | Type
1648 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXb1648.18269\Kms_P1co\activate.exe |
MD5:
SHA256:
1648 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXb1648.18269\Kms_P1co\cert\kmscert2010\Excel\ExcelVLReg32.reg | text
MD5: 28BD0428CA20C5E612D7EC795BBB9EA9
SHA256: 3D1A428865F4F4FB5AFDB7CD69F0619C9A5F466EBA160F63DB8ED376C721563C
1648 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXb1648.18269\Kms_P1co\cert\kmscert2010\Excel\ExcelVLReg64.reg | text
MD5: E7102112F58F9A4FE2E6C28AE9F29343
SHA256: 2080AEC1D6D2DC9F4BBF825560981F00181F1918426DD8129F99F0EF4CADFADD
1648 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXb1648.18269\Kms_P1co\cert\kmscert2010\Access\AccessVLRegWOW.reg | text
MD5: 50122EA723FFE7367AD811FC333594C2
SHA256: 18B8099777C8956C4299DA79A44BF9CB3ADDE96B652A0C6D063BF6C9A925B0B8
1648 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXb1648.18269\Kms_P1co\cert\kmscert2010\Access\Access_KMS_Client.OOB.xrm-ms | xml
MD5: 3958FF865F2BFBE00BB97D50E250B241
SHA256: A0213A19815ECB6BE15D08ABFA18FD23BB203937C4700637ABB29B5F5F3DB27F
1648 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXb1648.18269\Kms_P1co\cert\kmscert2010\Excel\Excel_KMS_Client.PL.xrm-ms | xml
MD5: 172B4FDA35D922C837A254AC561DE21E
SHA256: 39825A0E6C6EBDFEB7F6F038568DB4516AB17DC4FF1C4A56AA28FE9A2859D270
1648 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXb1648.18269\Kms_P1co\cert\kmscert2010\Access\Access_KMS_Client.RAC_Priv.xrm-ms | xml
MD5: A279AB8F8C617DF9C5411FDC199E7676
SHA256: 9084E7F35F7220EC760719B29721A267943178972578E739BDAC2D6475A573E3
1648 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXb1648.18269\Kms_P1co\cert\kmscert2010\Access\Access_KMS_Client.PPDLIC.xrm-ms | xml
MD5: B9B7F8BBE224421D24F0883A5149B9DC
SHA256: 55CE78CAA24FBC6ECE43F336D73372AD47BB6C1748D7B72513BEB77CB355E8F5
1648 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXb1648.18269\Kms_P1co\cert\kmscert2010\Excel\ExcelVLRegWOW.reg | text
MD5: D176B75D51FD47CD9C933F84FF55907A
SHA256: 03CAF6C2A36E70C0DFBF53BCCD1956D2823965FC01DF4629308887DD1F0F8AFB
1648 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXb1648.18269\Kms_P1co\cert\kmscert2010\Access\Access_KMS_Client.PL.xrm-ms | xml
MD5: CEE2D16BF6FBA85A5DE6ED12CBADA5BB
SHA256: 40040A704FA891D7EA4F5791759023527B3C024A94EE76F1CDCB01C71B8E9898
Download the PCAP, analyze network streams, HTTP content and a lot more in the full report
HTTP(S) requests: 16
TCP/UDP connections: 43
DNS requests: 65
Threats: 4

HTTP requests

PID | Process | Method | HTTP code | IP | URL | CN | Type | Size | Reputation
3896 | msedge.exe | GET | 302 | 23.35.238.131:80 | http://go.microsoft.com/fwlink/?LinkId=57426&Ext=bin | unknown | | | unknown
3896 | msedge.exe | GET | 301 | 2.21.20.150:80 | http://shell.windows.com/fileassoc/fileassoc.asp?Ext=bin | unknown | | | unknown
864 | svchost.exe | HEAD | 200 | 8.241.121.126:80 | http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/d9a961cd-afbe-4cd8-8aee-c21eaf7d7c04?P1=1696921869&P2=404&P3=2&P4=TK3DoIkp6g1CjPCi%2bDblBWEv4CVe%2bj9w0e6bmBBsura8qeUXYFbN7oNV18v%2fTofbPFHUGapUZGoGSXps0b6v3g%3d%3d | unknown | | | unknown
864 | svchost.exe | HEAD | | 8.241.121.126:80 | http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/c50698d5-282c-4c8d-9fa6-c155f2d8d379?P1=1696921866&P2=404&P3=2&P4=k1oHJ0sTMSLbGn2IO9C9iQzVyMGu3vtXyXk8lwZtc3z%2fDeIL9JxW%2fQ2AHUhyB31f0saZTl7akSH1aooKJKIT9g%3d%3d | unknown | | | unknown
864 | svchost.exe | GET | 206 | 8.241.121.126:80 | http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/d9a961cd-afbe-4cd8-8aee-c21eaf7d7c04?P1=1696921869&P2=404&P3=2&P4=TK3DoIkp6g1CjPCi%2bDblBWEv4CVe%2bj9w0e6bmBBsura8qeUXYFbN7oNV18v%2fTofbPFHUGapUZGoGSXps0b6v3g%3d%3d | unknown | binary | 6.35 Kb | unknown
3268 | rundll32.exe | GET | 200 | 192.229.221.95:80 | http://cacerts.digicert.com/DigiCertHighAssuranceCodeSigningCA-1.crt | unknown | binary | 1.69 Kb | unknown
4076 | activate.exe | POST | 200 | 193.106.174.220:80 | http://qqseven7ht.top/zip.php | unknown | text | 2 b | unknown
864 | svchost.exe | GET | 206 | 8.241.121.126:80 | http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/d9a961cd-afbe-4cd8-8aee-c21eaf7d7c04?P1=1696921869&P2=404&P3=2&P4=TK3DoIkp6g1CjPCi%2bDblBWEv4CVe%2bj9w0e6bmBBsura8qeUXYFbN7oNV18v%2fTofbPFHUGapUZGoGSXps0b6v3g%3d%3d | unknown | binary | 10.2 Kb | unknown
864 | svchost.exe | GET | 206 | 8.241.121.126:80 | http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/d9a961cd-afbe-4cd8-8aee-c21eaf7d7c04?P1=1696921869&P2=404&P3=2&P4=TK3DoIkp6g1CjPCi%2bDblBWEv4CVe%2bj9w0e6bmBBsura8qeUXYFbN7oNV18v%2fTofbPFHUGapUZGoGSXps0b6v3g%3d%3d | unknown | binary | 7.86 Kb | unknown
864 | svchost.exe | GET | 206 | 8.241.121.126:80 | http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/d9a961cd-afbe-4cd8-8aee-c21eaf7d7c04?P1=1696921869&P2=404&P3=2&P4=TK3DoIkp6g1CjPCi%2bDblBWEv4CVe%2bj9w0e6bmBBsura8qeUXYFbN7oNV18v%2fTofbPFHUGapUZGoGSXps0b6v3g%3d%3d | unknown | binary | 47.2 Kb | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2656 | svchost.exe | 239.255.255.250:1900 | | | | whitelisted
4 | System | 192.168.100.255:137 | | | | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
4076 | activate.exe | 193.106.174.220:80 | qqseven7ht.top | IQHost Ltd | RU | unknown
3896 | msedge.exe | 13.107.42.16:443 | config.edge.skype.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
3272 | msedge.exe | 239.255.255.250:1900 | | | | whitelisted
3896 | msedge.exe | 23.35.238.131:80 | go.microsoft.com | AKAMAI-AS | DE | unknown
3896 | msedge.exe | 204.79.197.239:443 | edge.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown
3896 | msedge.exe | 20.103.180.120:443 | nav-edge.smartscreen.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | unknown
3896 | msedge.exe | 51.104.176.40:443 | data-edge.smartscreen.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown

DNS requests

Domain
IP
Reputation
qqseven7ht.top
  • 193.106.174.220
unknown
config.edge.skype.com
  • 13.107.42.16
whitelisted
go.microsoft.com
  • 23.35.238.131
whitelisted
edge.microsoft.com
  • 204.79.197.239
  • 13.107.21.239
whitelisted
nav-edge.smartscreen.microsoft.com
  • 20.103.180.120
whitelisted
data-edge.smartscreen.microsoft.com
  • 51.104.176.40
whitelisted
shell.windows.com
  • 2.21.20.141
  • 2.21.20.150
whitelisted
www.bing.com
  • 92.123.104.58
  • 92.123.104.36
  • 92.123.104.7
  • 92.123.104.30
  • 92.123.104.8
  • 92.123.104.59
  • 92.123.104.66
  • 92.123.104.32
  • 92.123.104.31
  • 204.79.197.200
  • 13.107.21.200
  • 92.123.104.34
whitelisted
self.events.data.microsoft.com
  • 20.42.72.131
whitelisted
msedgeextensions.sf.tlu.dl.delivery.mp.microsoft.com
  • 8.248.137.252
  • 8.248.149.252
  • 8.248.115.252
whitelisted

Threats

PID | Process | Class | Message
1088 | svchost.exe | Potentially Bad Traffic | ET DNS Query to a *.top domain - Likely Hostile
4076 | activate.exe | Potentially Bad Traffic | ET INFO HTTP Request to a *.top domain
4076 | activate.exe | A Network Trojan was detected | ET MALWARE Win32/Cryptbot CnC Activity (POST)
4076 | activate.exe | A Network Trojan was detected | ET HUNTING Observed Malicious Filename in Outbound POST Request (Information.txt)
No debug info
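The network section of this report reduces to one hostile exchange: activate.exe POSTs to http://qqseven7ht.top/zip.php (193.106.174.220, IQHost Ltd, RU), and the four ET alerts fire on the *.top DNS query, the *.top HTTP request, the CryptBot CnC POST and an outbound file named Information.txt. The Python below is an added example, not ANY.RUN or Emerging Threats code: it encodes those indicators and checks a proxy-style log and DNS query names against them. The one-line log format, the request-body excerpt and the benign comparison lines are constructed; the page only records that the filename Information.txt appeared in the POST, not the body itself, and the exact content of the ET rules is not on the page, so the checks below are modelled on what the alert names say they key on.

```python
"""IOC and pattern matching for the CryptBot network behaviour in this report.
Constructed example; not ANY.RUN or Emerging Threats code. The log format is an
assumption made for the example, not a real proxy's format."""
import re
from urllib.parse import urlsplit

# Indicators taken from the report
IOC_DOMAINS = {"qqseven7ht.top"}
IOC_IPS = {"193.106.174.220"}
IOC_URLS = {"http://qqseven7ht.top/zip.php"}
# Upload filename the ET HUNTING alert fired on
MALICIOUS_UPLOAD_NAMES = {"information.txt"}

# Constructed log line format: <pid> <process> <METHOD> <url> <status> [body=<single-line excerpt>]
LINE_RE = re.compile(
    r"^(?P<pid>\d+) (?P<proc>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})(?: body=(?P<body>.*))?$"
)
FILENAME_RE = re.compile(r'filename="?(?P<name>[^";\r\n]+)', re.I)


def parse(line: str):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["pid"] = int(d["pid"])
    d["host"] = (urlsplit(d["url"]).hostname or "").lower()
    return d


def classify_dns(qname: str):
    """Labels for a DNS query name (mirrors the 'ET DNS Query to a *.top domain' alert)."""
    q = qname.rstrip(".").lower()
    hits = []
    if q in IOC_DOMAINS:
        hits.append("known_cryptbot_ioc")
    if q.endswith(".top"):
        hits.append("dns_to_top_tld")
    return hits


def classify(entry: dict):
    """Labels for one parsed HTTP request; an empty list means nothing matched."""
    hits = []
    host = entry["host"]
    url_noquery = urlsplit(entry["url"])._replace(query="", fragment="").geturl()
    # exact indicators from the report: domain, IP or full URL
    if host in IOC_DOMAINS or host in IOC_IPS or url_noquery in IOC_URLS:
        hits.append("known_cryptbot_ioc")
    # weak signal: any HTTP request to a *.top host (ET INFO)
    if host.endswith(".top"):
        hits.append("http_to_top_tld")
    # shape of the CnC check-in seen above: POST to a .php resource on a *.top host
    if entry["method"] == "POST" and host.endswith(".top") and url_noquery.endswith(".php"):
        hits.append("post_php_top_tld")
    # multipart upload carrying a filename the ET HUNTING rule names
    for m in FILENAME_RE.finditer(entry.get("body") or ""):
        name = m.group("name").strip()
        if name.lower() in MALICIOUS_UPLOAD_NAMES:
            hits.append("exfil_filename:" + name)
    return hits


def scan(lines):
    """Map (pid, process) -> sorted labels over all of that process's requests."""
    out = {}
    for line in lines:
        e = parse(line)
        if e is None:
            continue
        labels = classify(e)
        if labels:
            out.setdefault((e["pid"], e["proc"]), set()).update(labels)
    return {k: sorted(v) for k, v in out.items()}


# Constructed from the HTTP table above; the POST body excerpt and the last line are invented.
SAMPLE_LOG = [
    "3896 msedge.exe GET http://go.microsoft.com/fwlink/?LinkId=57426&Ext=bin 302",
    "3268 rundll32.exe GET http://cacerts.digicert.com/DigiCertHighAssuranceCodeSigningCA-1.crt 200",
    '4076 activate.exe POST http://qqseven7ht.top/zip.php 200 '
    'body=Content-Disposition: form-data; name="file"; filename="Information.txt"',
    "3896 msedge.exe POST https://data-edge.smartscreen.microsoft.com/ 200",
]

if __name__ == "__main__":
    for key, labels in scan(SAMPLE_LOG).items():
        print(key, labels)
```

The *.top TLD rule is the weakest signal here, which is why ET classes it as informational; on its own it would flag legitimate traffic, and it earns a finding in this sample only because it coincides with a known domain and the POST-to-zip.php shape. The exact indicators (domain, IP, URL) are the actionable block-list entries. Note that the hashes in the indicators block at the top cover only the archive, and the report leaves the MD5/SHA256 of the dropped activate.exe blank, so the network indicators are the durable ones for this sample.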