File name:

KMSMatrix_7.0.zip

Full analysis: https://app.any.run/tasks/b1aecb58-571f-4dc1-b8f9-d5df0e059f9b
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Analysis date: February 06, 2025, 19:31:16
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
arch-doc
evasion
stealer
Indicators:
MIME: application/zip
File info: Zip archive data, at least v1.0 to extract, compression method=store
MD5:

01ED3C13FB1143DCB401BC4CD71FE1FE

SHA1:

EF54187C6145B3980BA35B599A6FA5705F87BAE6

SHA256:

DDCBC440238F3D1F5CF1C5BA1E0AF46D6E6A48557D9C71577320118441D176B1

SSDEEP:

98304:74/TDuxGnGBYn9ZYgjUF/GEU9QM0yc7fcmGQaMS9IJCrl0GUvh3mVPD+tggDYAqd:7o0AH97V

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes powershell execution policy (Unrestricted)

      • KMSMatrix7.exe (PID: 6708)
    • Adds process to the Windows Defender exclusion list

      • cmd.exe (PID: 1796)
    • Adds path to the Windows Defender exclusion list

      • cmd.exe (PID: 1796)
    • Actions looks like stealing of personal data

      • 7z.exe (PID: 7128)
      • csrss.exe (PID: 616)
      • cmd.exe (PID: 1796)
      • cmd.exe (PID: 5008)
      • vzone.exe (PID: 6340)
      • conhost.exe (PID: 6136)
      • Windows Driver Foundation (WUD).exe (PID: 6164)
      • vzone.exe (PID: 3988)
    • Changes the login/logoff helper path in the registry

      • reg.exe (PID: 6980)
    • Steals credentials from Web Browsers

      • cmd.exe (PID: 5008)
      • vzone.exe (PID: 3988)
      • vzone.exe (PID: 6340)
    • Scans artifacts that could help determine the target

      • office.exe (PID: 4204)
  • SUSPICIOUS

    • Reads the date of Windows installation

      • KMSMatrix7.exe (PID: 6708)
    • Process drops legitimate windows executable

      • KMSMatrix7.exe (PID: 6708)
      • 7z.exe (PID: 7128)
    • Executable content was dropped or overwritten

      • KMSMatrix7.exe (PID: 6708)
      • curl.exe (PID: 7064)
      • 7z2201.exe (PID: 4764)
      • 7z.exe (PID: 7128)
    • Executing commands from ".cmd" file

      • KMSMatrix7.exe (PID: 6708)
      • cmd.exe (PID: 2796)
      • vzone.exe (PID: 3988)
    • The process executes Powershell scripts

      • KMSMatrix7.exe (PID: 6708)
    • Uses WMIC.EXE

      • cmd.exe (PID: 6468)
    • Using 'findstr.exe' to search for text patterns in files and output

      • cmd.exe (PID: 2796)
    • Reads security settings of Internet Explorer

      • KMSMatrix7.exe (PID: 6708)
      • vzone.exe (PID: 3988)
      • office.exe (PID: 4204)
      • vzone.exe (PID: 6340)
    • Starts POWERSHELL.EXE for commands execution

      • KMSMatrix7.exe (PID: 6708)
      • cmd.exe (PID: 1796)
    • Starts CMD.EXE for commands execution

      • cmd.exe (PID: 2796)
      • cmd.exe (PID: 6324)
      • KMSMatrix7.exe (PID: 6708)
      • vzone.exe (PID: 3988)
    • Application launched itself

      • cmd.exe (PID: 6324)
      • cmd.exe (PID: 2796)
      • office.exe (PID: 3620)
    • Uses ATTRIB.EXE to modify file attributes

      • cmd.exe (PID: 6200)
    • Get information on the list of running processes

      • cmd.exe (PID: 5972)
      • cmd.exe (PID: 2084)
      • cmd.exe (PID: 2796)
      • cmd.exe (PID: 5616)
    • The process verifies whether the antivirus software is installed

      • cmd.exe (PID: 2796)
    • Uses TASKKILL.EXE to kill process

      • cmd.exe (PID: 6764)
    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 2796)
      • cmd.exe (PID: 1796)
    • Checks for external IP

      • curl.exe (PID: 6560)
      • svchost.exe (PID: 2192)
      • curl.exe (PID: 6632)
    • The process executes VB scripts

      • powershell.exe (PID: 5532)
      • cmd.exe (PID: 4308)
    • Uses WMI to retrieve WMI-managed resources (SCRIPT)

      • cscript.exe (PID: 1576)
    • Gets full path of the running script (SCRIPT)

      • cscript.exe (PID: 1576)
      • cscript.exe (PID: 6016)
    • Reads data from a binary Stream object (SCRIPT)

      • cscript.exe (PID: 1576)
    • Execution of CURL command

      • cmd.exe (PID: 2796)
    • Gets content of a file (POWERSHELL)

      • powershell.exe (PID: 5532)
    • The executable file from the user directory is run by the CMD process

      • 7z2201.exe (PID: 4764)
      • vzone.exe (PID: 3988)
      • vzone.exe (PID: 6340)
    • Drops 7-zip archiver for unpacking

      • 7z2201.exe (PID: 4764)
    • Creates/Modifies COM task schedule object

      • 7z2201.exe (PID: 4764)
    • Creates a software uninstall entry

      • 7z2201.exe (PID: 4764)
    • Creates FileSystem object to access computer's file system (SCRIPT)

      • cscript.exe (PID: 6016)
    • Gets a collection of all available drive names (SCRIPT)

      • cscript.exe (PID: 6016)
    • Accesses WMI object, sets custom ImpersonationLevel (SCRIPT)

      • cscript.exe (PID: 6016)
    • Gets the drive type (SCRIPT)

      • cscript.exe (PID: 6016)
    • Accesses computer name via WMI (SCRIPT)

      • cscript.exe (PID: 6016)
    • Executing commands from a ".bat" file

      • cmd.exe (PID: 2796)
    • Script adds exclusion process to Windows Defender

      • cmd.exe (PID: 1796)
    • Script adds exclusion path to Windows Defender

      • cmd.exe (PID: 1796)
    • Executes application which crashes

      • cscript.exe (PID: 6016)
    • The process creates files with name similar to system file names

      • WerFault.exe (PID: 432)
    • The process drops C-runtime libraries

      • 7z.exe (PID: 7128)
    • Runs PING.EXE to delay simulation

      • cmd.exe (PID: 5008)
    • Starts a Microsoft application from unusual location

      • office.exe (PID: 4204)
      • office.exe (PID: 3620)
    • SQL CE related mutex has been found

      • KMSMatrix7.exe (PID: 6708)
    • Checks Windows Trust Settings

      • office.exe (PID: 4204)
    • Searches for installed software

      • office.exe (PID: 4204)
    • Uses WMIC.EXE to obtain Windows Installer data

      • Windows Driver Foundation (WUD).exe (PID: 6164)
    • Accesses product unique identifier via WMI (SCRIPT)

      • WMIC.exe (PID: 6660)
    • Connects to unusual port

      • Windows Driver Foundation (WUD).exe (PID: 6164)
  • INFO

    • Manual execution by a user

      • WinRAR.exe (PID: 6508)
      • WinRAR.exe (PID: 6580)
      • KMSMatrix7.exe (PID: 6656)
      • KMSMatrix7.exe (PID: 6708)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 6580)
    • Checks supported languages

      • KMSMatrix7.exe (PID: 6708)
      • curl.exe (PID: 6560)
      • curl.exe (PID: 6632)
      • curl.exe (PID: 7152)
      • curl.exe (PID: 7064)
      • curl.exe (PID: 5256)
      • 7z2201.exe (PID: 4764)
      • 7z.exe (PID: 6232)
      • curl.exe (PID: 6908)
      • curl.exe (PID: 2280)
      • vzone.exe (PID: 3988)
      • office.exe (PID: 3620)
      • office.exe (PID: 4204)
      • 7z.exe (PID: 7128)
      • OfficeClickToRun.exe (PID: 3920)
      • vzone.exe (PID: 6340)
      • Windows Driver Foundation (WUD).exe (PID: 6164)
    • Reads the machine GUID from the registry

      • KMSMatrix7.exe (PID: 6708)
      • office.exe (PID: 4204)
    • Checks operating system version

      • cmd.exe (PID: 2796)
    • Reads security settings of Internet Explorer

      • WMIC.exe (PID: 6416)
      • cscript.exe (PID: 1576)
      • cscript.exe (PID: 6016)
      • WMIC.exe (PID: 6660)
    • Process checks computer location settings

      • KMSMatrix7.exe (PID: 6708)
      • vzone.exe (PID: 3988)
      • office.exe (PID: 4204)
      • vzone.exe (PID: 6340)
    • Reads the computer name

      • KMSMatrix7.exe (PID: 6708)
      • curl.exe (PID: 6632)
      • curl.exe (PID: 7152)
      • curl.exe (PID: 7064)
      • curl.exe (PID: 6560)
      • curl.exe (PID: 5256)
      • 7z2201.exe (PID: 4764)
      • 7z.exe (PID: 6232)
      • 7z.exe (PID: 7128)
      • vzone.exe (PID: 3988)
      • office.exe (PID: 4204)
      • OfficeClickToRun.exe (PID: 3920)
      • curl.exe (PID: 6908)
      • vzone.exe (PID: 6340)
      • Windows Driver Foundation (WUD).exe (PID: 6164)
      • curl.exe (PID: 2280)
    • Create files in a temporary directory

      • KMSMatrix7.exe (PID: 6708)
      • curl.exe (PID: 7064)
      • curl.exe (PID: 5256)
      • 7z.exe (PID: 6232)
      • curl.exe (PID: 6908)
      • office.exe (PID: 4204)
      • OfficeClickToRun.exe (PID: 3920)
    • Execution of CURL command

      • cmd.exe (PID: 4012)
      • cmd.exe (PID: 3436)
      • cmd.exe (PID: 7132)
      • cmd.exe (PID: 2796)
      • cmd.exe (PID: 1796)
    • Checks proxy server information

      • powershell.exe (PID: 5532)
      • cscript.exe (PID: 6016)
      • WerFault.exe (PID: 432)
      • KMSMatrix7.exe (PID: 6708)
      • office.exe (PID: 4204)
      • OfficeClickToRun.exe (PID: 3920)
    • Disables trace logs

      • powershell.exe (PID: 5532)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 5532)
      • powershell.exe (PID: 3832)
      • powershell.exe (PID: 6412)
      • powershell.exe (PID: 6340)
      • powershell.exe (PID: 6524)
    • Uses string replace method (POWERSHELL)

      • powershell.exe (PID: 5532)
    • Reads the software policy settings

      • cscript.exe (PID: 6016)
      • WerFault.exe (PID: 432)
      • KMSMatrix7.exe (PID: 6708)
      • office.exe (PID: 4204)
    • Creates files in the program directory

      • 7z2201.exe (PID: 4764)
      • KMSMatrix7.exe (PID: 6708)
    • Creates files or folders in the user directory

      • cscript.exe (PID: 6016)
      • WerFault.exe (PID: 432)
      • KMSMatrix7.exe (PID: 6708)
      • 7z.exe (PID: 7128)
      • office.exe (PID: 4204)
      • OfficeClickToRun.exe (PID: 3920)
    • The sample compiled with english language support

      • 7z2201.exe (PID: 4764)
      • 7z.exe (PID: 7128)
    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 3832)
      • powershell.exe (PID: 6412)
      • powershell.exe (PID: 6524)
      • powershell.exe (PID: 6340)
    • Reads Microsoft Office registry keys

      • office.exe (PID: 4204)
      • OfficeClickToRun.exe (PID: 3920)
    • Reads Environment values

      • office.exe (PID: 4204)
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 10
ZipBitFlag: -
ZipCompression: None
ZipModifyDate: 2025:02:04 15:04:54
ZipCRC: 0x5ae56bf0
ZipCompressedSize: 16
ZipUncompressedSize: 16
ZipFileName: 123456.txt
No data.
All screenshots are available in the full report
Total processes: 234
Monitored processes: 105
Malicious processes: 16
Suspicious processes: 4

Behavior graph

start winrar.exe no specs winrar.exe no specs winrar.exe kmsmatrix7.exe no specs kmsmatrix7.exe cmd.exe no specs conhost.exe no specs taskkill.exe no specs powershell.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe conhost.exe no specs attrib.exe no specs findstr.exe no specs attrib.exe no specs attrib.exe no specs attrib.exe no specs attrib.exe no specs cmd.exe no specs attrib.exe no specs find.exe no specs attrib.exe no specs cmd.exe no specs attrib.exe no specs reg.exe no specs find.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs find.exe no specs fltmc.exe no specs cmd.exe no specs find.exe no specs cmd.exe no specs find.exe no specs cmd.exe no specs find.exe no specs cmd.exe no specs find.exe no specs cmd.exe no specs wmic.exe no specs cmd.exe no specs tasklist.exe no specs reg.exe no specs reg.exe no specs cmd.exe no specs reg.exe no specs cmd.exe no specs reg.exe no specs cmd.exe no specs tasklist.exe no specs cmd.exe no specs tasklist.exe no specs cmd.exe no specs curl.exe svchost.exe cscript.exe no specs cmd.exe no specs curl.exe cmd.exe no specs cmd.exe no specs find.exe no specs cmd.exe no specs find.exe no specs cmd.exe no specs find.exe no specs cmd.exe no specs curl.exe curl.exe cmd.exe no specs conhost.exe no specs cscript.exe 7z2201.exe curl.exe 7z.exe no specs cmd.exe powershell.exe no specs werfault.exe powershell.exe no specs powershell.exe no specs powershell.exe no specs curl.exe 7z.exe reg.exe vzone.exe curl.exe cmd.exe conhost.exe no specs ping.exe no specs office.exe no specs conhost.exe no specs office.exe conhost.exe no specs officeclicktorun.exe Delivery Optimization User no specs vzone.exe windows driver foundation (wud).exe conhost.exe wmic.exe no specs csrss.exe

Process information

PID | CMD | Path | Indicators | Parent process
PID: 432 | CMD: C:\WINDOWS\system32\cmd.exe /S /D /c" echo "C:\Users\admin\AppData\Local\Temp\kmsauto.cmd" " | Path: C:\Windows\System32\cmd.exe | Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
PID: 432 | CMD: C:\WINDOWS\system32\WerFault.exe -u -p 6016 -s 1348 | Path: C:\Windows\System32\WerFault.exe | Parent process: cscript.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Problem Reporting
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
PID: 616 | CMD: %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 | Path: C:\Windows\System32\csrss.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Client Server Runtime Process
Version: 10.0.19041.1 (WinBuild.160101.0800)
PID: 732 | CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | Path: C:\Windows\System32\conhost.exe | Parent process: office.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1156 | CMD: attrib +h "C:\Users\admin\AppData\Local\Temp\s_o.cmd" | Path: C:\Windows\System32\attrib.exe | Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Attribute Utility
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\attrib.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ulib.dll
c:\windows\system32\fsutilext.dll
PID: 1468 | CMD: tasklist /fi "imagename eq QHActiveDefense.exe" /fo csv /nh | Path: C:\Windows\System32\tasklist.exe | Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Lists the current running tasks
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\tasklist.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 1576 | CMD: "C:\WINDOWS\system32\cscript.exe" slmgr.vbs /dli | Path: C:\Windows\System32\cscript.exe | Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft ® Console Based Script Host
Exit code: 0
Version: 5.812.10240.16384
Modules
Images
c:\windows\system32\cscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1796 | CMD: C:\WINDOWS\system32\cmd.exe /K "C:\Users\admin\AppData\Local\Temp\m.bat" | Path: C:\Windows\System32\cmd.exe | Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll
PID: 1808 | CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | Path: C:\Windows\System32\conhost.exe | Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2084 | CMD: C:\WINDOWS\system32\cmd.exe /c tasklist /fi "imagename eq ekrn.exe" /fo csv /nh | Path: C:\Windows\System32\cmd.exe | Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
Total events: 55 219
Read events: 54 861
Write events: 254
Delete events: 104

Modification events

Process: (3808) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | Operation: write | Name: 3 | Value: C:\Users\admin\Desktop\preferences.zip
Process: (3808) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | Operation: write | Name: 2 | Value: C:\Users\admin\Desktop\chromium_ext.zip
Process: (3808) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | Operation: write | Name: 1 | Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip
Process: (3808) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | Operation: write | Name: 0 | Value: C:\Users\admin\Desktop\KMSMatrix_7.0.zip
Process: (3808) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | Operation: write | Name: name | Value: 120
Process: (3808) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | Operation: write | Name: size | Value: 80
Process: (3808) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | Operation: write | Name: type | Value: 120
Process: (3808) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | Operation: write | Name: mtime | Value: 100
Process: (3808) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\DialogEditHistory\ExtrPath | Operation: write | Name: 2 | Value: C:\Users\admin\Desktop\Preferences
Process: (3808) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\DialogEditHistory\ExtrPath | Operation: write | Name: 1 | Value: C:\Users\admin\Desktop\ext
Executable files: 14
Suspicious files: 27
Text files: 132
Unknown types: 1

Dropped files

PID | Process | Filename | Type
3808 | WinRAR.exe | C:\Users\admin\Desktop\KMSMatrix.7z |
MD5:
SHA256:
6508 | WinRAR.exe | C:\Users\admin\Desktop\KMSMatrix.7z |
MD5:
SHA256:
3808 | WinRAR.exe | C:\Users\admin\Desktop\123456.txt | text
MD5: BF3B087F23380F75BFF90D47FE1A0882
SHA256: BFCDE9E0EB889CC554FA92C6F28CF554B59B453B274C3FF449D6B018B67D0E4A
6508 | WinRAR.exe | C:\Users\admin\Desktop\123456.txt | text
MD5: BF3B087F23380F75BFF90D47FE1A0882
SHA256: BFCDE9E0EB889CC554FA92C6F28CF554B59B453B274C3FF449D6B018B67D0E4A
6708 | KMSMatrix7.exe | C:\Users\admin\AppData\Local\Temp\kmsauto.cmd | text
MD5: 66765B0A90B5FDFBFD2E6A1342C089D1
SHA256: C805C42235E9FE0AD284A0A33946F232F9AF3287FC64DCD63F708CC3BADF57D6
6708 | KMSMatrix7.exe | C:\Users\admin\AppData\Local\Temp\Office 365 Setup Config.xml | text
MD5: 145794A5197D071CD0C8BC79C2BEDCF1
SHA256: 005A90A2FF999EF0356E9267769F20701953D8528A88A36AAF3AF8ABD6B75FDC
6708 | KMSMatrix7.exe | C:\Users\admin\AppData\Local\Temp\s_w.ps1 | text
MD5: C434CBFC2C3916C8A5297A129E93F0DE
SHA256: 78E6F53810638B2FD79E35756DEC514B1BADF515C4CF7ECE1B9B3163BA98BE91
6708 | KMSMatrix7.exe | C:\Windows\System32\wbem\textvaluelist.xls | xml
MD5: 08BCD4BBED3D4C8630F3DAFBF525D664
SHA256: D7F6A65E64534DD362E6A5D44C67C184A67627F7CFD0D69F6BA9E642A470AD57
6580 | WinRAR.exe | C:\Users\admin\Desktop\KMSMatrix7.exe | executable
MD5: 972A76EAE6FCCCE0A2D80FBDB282F8DE
SHA256: 17B974250C56648F5440C70FF600AD9E9C82B43AC487B779B322A22ECD2BE55C
6708 | KMSMatrix7.exe | C:\Users\admin\AppData\Local\Temp\inf.cmd | text
MD5: D0442CF34C746B5CD4BA51DC876293CF
SHA256: B4F4BE7737C8B6355880DA31DEE586B9EE090E30ABC0AFDBE138671361E6E8B6
HTTP(S) requests: 360
TCP/UDP connections: 48
DNS requests: 30
Threats: 5

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation
4712 | MoUsoCoreWorker.exe | GET | 200 | 23.209.214.100:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
 | | GET | 200 | 2.19.11.105:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
6016 | cscript.exe | GET | 200 | 2.16.241.14:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl | unknown | whitelisted
 | | GET | 200 | 23.209.214.100:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
644 | svchost.exe | GET | 200 | 23.209.214.100:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
4204 | office.exe | HEAD | 200 | 2.22.242.130:80 | http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v64_16.0.16026.20146.cab | unknown | whitelisted
6016 | cscript.exe | GET | 200 | 2.16.241.14:80 | http://crl.microsoft.com/pki/crl/products/MicCodSigPCA_2010-07-06.crl | unknown | whitelisted
4204 | office.exe | HEAD | 200 | 2.22.242.130:80 | http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v64_16.0.18429.20132.cab | unknown | whitelisted
6428 | svchost.exe | GET | 206 | 2.22.242.130:80 | http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v64_16.0.18429.20132.cab | unknown | whitelisted
6428 | svchost.exe | HEAD | 200 | 2.22.242.130:80 | http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v64_16.0.18429.20132.cab | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
 | | 51.104.136.2:443 | | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | | | | whitelisted
 | | 2.21.65.153:443 | www.bing.com | Akamai International B.V. | NL | whitelisted
 | | 2.19.11.105:80 | crl.microsoft.com | Elisa Oyj | NL | whitelisted
 | | 23.209.214.100:80 | www.microsoft.com | PT. Telekomunikasi Selular | ID | whitelisted
4712 | MoUsoCoreWorker.exe | 23.209.214.100:80 | www.microsoft.com | PT. Telekomunikasi Selular | ID | whitelisted
644 | svchost.exe | 23.209.214.100:80 | www.microsoft.com | PT. Telekomunikasi Selular | ID | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
4712 | MoUsoCoreWorker.exe | 51.104.136.2:443 | | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4712 | MoUsoCoreWorker.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 172.217.16.206
whitelisted
crl.microsoft.com
  • 2.19.11.105
  • 2.19.11.120
  • 2.16.241.14
  • 2.16.241.12
whitelisted
www.microsoft.com
  • 23.209.214.100
  • 95.101.149.131
  • 23.219.150.101
whitelisted
settings-win.data.microsoft.com
  • 51.124.78.146
whitelisted
ipinfo.io
  • 34.117.59.81
whitelisted
c.zeltitmp.net
  • 141.136.39.211
malicious
translate.googleapis.com
  • 216.58.206.42
whitelisted
github.com
  • 140.82.121.4
whitelisted
objects.githubusercontent.com
  • 185.199.110.133
  • 185.199.111.133
  • 185.199.109.133
  • 185.199.108.133
whitelisted
zeltitmp.net
  • 141.136.39.211
malicious

Threats

PID | Process | Class | Message
2192 | svchost.exe | Device Retrieving External IP Address Detected | ET INFO External IP Lookup Domain in DNS Lookup (ipinfo .io)
6560 | curl.exe | Device Retrieving External IP Address Detected | ET INFO Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
6560 | curl.exe | Device Retrieving External IP Address Detected | ET INFO External IP Lookup SSL Cert Observed (ipinfo .io)
6632 | curl.exe | Device Retrieving External IP Address Detected | ET INFO Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
6632 | curl.exe | Device Retrieving External IP Address Detected | ET INFO External IP Lookup SSL Cert Observed (ipinfo .io)
No debug info