File name: KMS_VL_ALL_AIO-37.7z

Full analysis: https://app.any.run/tasks/8835dd04-9cd7-4d8e-adca-e778bf9c03f8
Verdict: Malicious activity
Analysis date: February 05, 2020, 11:10:09
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-7z-compressed
File info: 7-zip archive data, version 0.4
MD5: 242254A93493D5A4E62FF2A5B4CC66E6
SHA1: 9271A629F461331FB3020568FC05C7298E03ACD0
SHA256: C17C382C99BD7EF78E98518126CF68F63E81B2B3B9AA3AD9FC31BB7500B68678
SSDEEP: 1536:zFu5LKufxlbdymJwFHEfslCEqcCktrCPhnQIdep1WPYnh:zFu9zfxZjwFBCExptInQIdep1GW

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Executes PowerShell scripts
      • cmd.exe (PID: 956)
    • Starts Visual C# compiler
      • powershell.exe (PID: 256)
    • Starts NET.EXE for service management
      • cmd.exe (PID: 956)
    • Loads the Task Scheduler COM API
      • sppsvc.exe (PID: 2544)
      • OSPPSVC.EXE (PID: 3716)
      • sppsvc.exe (PID: 2628)
    • Loads dropped or rewritten executable
      • sppsvc.exe (PID: 2544)
      • OSPPSVC.EXE (PID: 3716)
      • sppsvc.exe (PID: 2628)
  • SUSPICIOUS
    • Executes scripts
      • cmd.exe (PID: 2412)
    • Starts CMD.EXE for command execution
      • cscript.exe (PID: 1792)
      • WinRAR.exe (PID: 2524)
      • cmd.exe (PID: 956)
    • Uses RUNDLL32.EXE to load a library
      • cscript.exe (PID: 1792)
    • Application launched itself
      • cmd.exe (PID: 956)
    • Uses REG.EXE to modify the Windows registry
      • cmd.exe (PID: 956)
      • cmd.exe (PID: 2412)
      • cmd.exe (PID: 348)
      • cmd.exe (PID: 2568)
      • cmd.exe (PID: 1604)
      • cmd.exe (PID: 1748)
      • cmd.exe (PID: 2988)
      • cmd.exe (PID: 2880)
      • cmd.exe (PID: 3980)
      • cmd.exe (PID: 4052)
    • Creates files in the user directory
      • powershell.exe (PID: 3436)
      • powershell.exe (PID: 256)
      • powershell.exe (PID: 3684)
    • Starts SC.EXE for service management
      • cmd.exe (PID: 956)
    • Creates files in the Windows directory
      • powershell.exe (PID: 256)
      • cmd.exe (PID: 956)
    • Executable content was dropped or overwritten
      • powershell.exe (PID: 256)
    • Starts CHOICE.EXE (used to create a delay)
      • cmd.exe (PID: 956)
    • Removes files from the Windows directory
      • cmd.exe (PID: 956)
    • Uses WMIC.EXE to obtain system information
      • cmd.exe (PID: 956)
      • cmd.exe (PID: 2640)
      • cmd.exe (PID: 1748)
      • cmd.exe (PID: 3420)
  • INFO
    • Dropped object may contain Bitcoin addresses
      • sppsvc.exe (PID: 2628)
No Malware configuration.

TRiD

.7z | 7-Zip compressed archive (v0.4) (57.1)
.7z | 7-Zip compressed archive (gen) (42.8)
No data.
All screenshots are available in the full report
Total processes: 180
Monitored processes: 141
Malicious processes: 4
Suspicious processes: 0


Process information

Fields per process: PID, CMD, Path, Indicators, Parent process
PID: 256
CMD: powershell -nop -ep bypass -c "$f=[io.file]::ReadAllText('C:\Users\admin\AppData\Local\Temp\Rar$DIb2524.4243\KMS_VL_ALL_AIO.cmd') -split ':x86dll\:.*';iex ($f[1]);X 1;"
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows PowerShell
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images): c:\windows\system32\windowspowershell\v1.0\powershell.exe, c:\systemroot\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\advapi32.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\sechost.dll, c:\windows\system32\rpcrt4.dll, c:\windows\system32\atl.dll, c:\windows\system32\user32.dll

PID: 348
CMD: C:\Windows\system32\cmd.exe /c reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop
Path: C:\Windows\system32\cmd.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules (images): c:\windows\system32\cmd.exe, c:\systemroot\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\winbrand.dll, c:\windows\system32\user32.dll, c:\windows\system32\gdi32.dll, c:\windows\system32\lpk.dll, c:\windows\system32\usp10.dll

PID: 404
CMD: find /i "STOPPED"
Path: C:\Windows\System32\find.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Find String (grep) Utility
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images): c:\windows\system32\find.exe, c:\systemroot\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\ulib.dll, c:\windows\system32\user32.dll, c:\windows\system32\gdi32.dll, c:\windows\system32\lpk.dll, c:\windows\system32\usp10.dll

PID: 404
CMD: wmic path SoftwareLicensingProduct where ID='b92e9980-b9d5-4821-9c94-140f632f6312' get LicenseStatus
Path: C:\Windows\System32\Wbem\WMIC.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: WMI Commandline Utility
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images): c:\windows\system32\imm32.dll, c:\windows\system32\sechost.dll, c:\windows\system32\usp10.dll, c:\windows\system32\gdi32.dll, c:\windows\system32\ulib.dll, c:\windows\system32\kernelbase.dll, c:\systemroot\system32\ntdll.dll, c:\windows\system32\wbem\wmic.exe, c:\windows\system32\kernel32.dll, c:\windows\system32\advapi32.dll

PID: 536
CMD: wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and Description like '%KMSCLIENT%' and PartialProductKey is not NULL) get Name
Path: C:\Windows\System32\Wbem\WMIC.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: WMI Commandline Utility
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images): c:\windows\system32\wbem\wmic.exe, c:\systemroot\system32\ntdll.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\advapi32.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\rpcrt4.dll, c:\windows\system32\sechost.dll, c:\windows\system32\ole32.dll, c:\windows\system32\gdi32.dll

PID: 572
CMD: sc query osppsvc
Path: C:\Windows\System32\sc.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: A tool to aid in developing services for WindowsNT
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images): c:\windows\system32\sc.exe, c:\systemroot\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\advapi32.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\sechost.dll, c:\windows\system32\rpcrt4.dll

PID: 664
CMD: findstr /i "b92e9980-b9d5-4821-9c94-140f632f6312"
Path: C:\Windows\System32\findstr.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Find String (QGREP) Utility
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images): c:\windows\system32\findstr.exe, c:\systemroot\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\user32.dll, c:\windows\system32\gdi32.dll, c:\windows\system32\lpk.dll, c:\windows\system32\usp10.dll, c:\windows\system32\imm32.dll

PID: 772
CMD: C:\Windows\system32\cmd.exe /c ver
Path: C:\Windows\system32\cmd.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules (images): c:\windows\system32\cmd.exe, c:\systemroot\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\winbrand.dll, c:\windows\system32\user32.dll, c:\windows\system32\gdi32.dll, c:\windows\system32\lpk.dll, c:\windows\system32\usp10.dll

PID: 872
CMD: reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sppsvc.exe" /f /v Debugger
Path: C:\Windows\System32\reg.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Registry Console Tool
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images): c:\windows\system32\reg.exe, c:\systemroot\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\advapi32.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\sechost.dll, c:\windows\system32\rpcrt4.dll, c:\windows\system32\user32.dll, c:\windows\system32\gdi32.dll

PID: 872
CMD: find /i "Office 14" "C:\Windows\Temp\sppchk.txt"
Path: C:\Windows\System32\find.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Find String (grep) Utility
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images): c:\windows\system32\find.exe, c:\windows\system32\imm32.dll, c:\windows\system32\nsi.dll, c:\windows\system32\usp10.dll, c:\windows\system32\gdi32.dll, c:\windows\system32\rpcrt4.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\kernelbase.dll, c:\systemroot\system32\ntdll.dll, c:\windows\system32\kernel32.dll

Total events: 1 652
Read events: 1 431
Write events: 221
Delete events: 0

Modification events

(PID) Process: (2524) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | Operation: write | Name: ShellExtBMP | Value: (empty)
(PID) Process: (2524) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | Operation: write | Name: ShellExtIcon | Value: (empty)
(PID) Process: (2524) WinRAR.exe | Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\12B\52C64B7E | Operation: write | Name: LanguageList | Value: en-US
(PID) Process: (2524) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\Interface | Operation: write | Name: ShowPassword | Value: 0
(PID) Process: (2524) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | Operation: write | Name: 0 | Value: C:\Users\admin\AppData\Local\Temp\KMS_VL_ALL_AIO-37.7z
(PID) Process: (2524) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | Operation: write | Name: name | Value: 120
(PID) Process: (2524) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | Operation: write | Name: size | Value: 80
(PID) Process: (2524) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | Operation: write | Name: type | Value: 120
(PID) Process: (2524) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | Operation: write | Name: mtime | Value: 100
(PID) Process: (2524) WinRAR.exe | Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\12B\52C64B7E | Operation: write | Name: @C:\Windows\System32\acppage.dll,-6003 | Value: Windows Command Script
Executable files: 1
Suspicious files: 10
Text files: 8
Unknown types: 3

Dropped files

Fields per file: PID, Process, Filename, Type (the MD5 and SHA256 columns are empty for every dropped file in this report)

PID 3436 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\19J84OA4Y6MVA8X6EYX5.temp | Type: (not given)
PID 256 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\V0S6L8UI9DBL1DRBEFC0.temp | Type: (not given)
PID 3332 | csc.exe | C:\Users\admin\AppData\Local\Temp\iroct2qk.dll | Type: (not given)
PID 3332 | csc.exe | C:\Users\admin\AppData\Local\Temp\iroct2qk.out | Type: (not given)
PID 3684 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\P427TGUN4CWFNJ9QVGGR.temp | Type: (not given)
PID 256 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | Type: binary
PID 256 | powershell.exe | C:\Users\admin\AppData\Local\Temp\iroct2qk.cmdline | Type: text
PID 3224 | cvtres.exe | C:\Users\admin\AppData\Local\Temp\RESC82B.tmp | Type: o
PID 3332 | csc.exe | C:\Users\admin\AppData\Local\Temp\CSCC82A.tmp | Type: res
PID 3332 | csc.exe | C:\Users\admin\AppData\Local\Temp\iroct2qk.pdb | Type: pdb
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

No data

DNS requests

No data

Threats

No threats detected
Debug output

Process | Message
csc.exe | *** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302 (logged 6 times)
csc.exe | *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144 (logged 4 times)