File name:

KMSMatrix_7.0.zip

Full analysis: https://app.any.run/tasks/b1aecb58-571f-4dc1-b8f9-d5df0e059f9b
Verdict: Malicious activity
Threats:

Stealers are a class of malware built to harvest users' information without authorization and exfiltrate it to the attacker. The category covers programs that each target a particular kind of data, such as files, passwords, or cryptocurrency wallets. Stealers can also spy on their targets by logging keystrokes and taking screenshots. This type of malware is distributed primarily through phishing campaigns.

Analysis date: February 06, 2025, 19:31:16
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
arch-doc
evasion
stealer
Indicators:
MIME: application/zip
File info: Zip archive data, at least v1.0 to extract, compression method=store
MD5:

01ED3C13FB1143DCB401BC4CD71FE1FE

SHA1:

EF54187C6145B3980BA35B599A6FA5705F87BAE6

SHA256:

DDCBC440238F3D1F5CF1C5BA1E0AF46D6E6A48557D9C71577320118441D176B1

SSDEEP:

98304:74/TDuxGnGBYn9ZYgjUF/GEU9QM0yc7fcmGQaMS9IJCrl0GUvh3mVPD+tggDYAqd:7o0AH97V

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes powershell execution policy (Unrestricted)

      • KMSMatrix7.exe (PID: 6708)
    • Adds process to the Windows Defender exclusion list

      • cmd.exe (PID: 1796)
    • Adds path to the Windows Defender exclusion list

      • cmd.exe (PID: 1796)
    • Actions looks like stealing of personal data

      • 7z.exe (PID: 7128)
      • vzone.exe (PID: 3988)
      • csrss.exe (PID: 616)
      • cmd.exe (PID: 5008)
      • cmd.exe (PID: 1796)
      • vzone.exe (PID: 6340)
      • conhost.exe (PID: 6136)
      • Windows Driver Foundation (WUD).exe (PID: 6164)
    • Steals credentials from Web Browsers

      • vzone.exe (PID: 3988)
      • cmd.exe (PID: 5008)
      • vzone.exe (PID: 6340)
    • Changes the login/logoff helper path in the registry

      • reg.exe (PID: 6980)
    • Scans artifacts that could help determine the target

      • office.exe (PID: 4204)
  • SUSPICIOUS

    • Reads the date of Windows installation

      • KMSMatrix7.exe (PID: 6708)
    • Starts CMD.EXE for commands execution

      • KMSMatrix7.exe (PID: 6708)
      • cmd.exe (PID: 2796)
      • cmd.exe (PID: 6324)
      • vzone.exe (PID: 3988)
    • Uses TASKKILL.EXE to kill process

      • cmd.exe (PID: 6764)
    • Executable content was dropped or overwritten

      • KMSMatrix7.exe (PID: 6708)
      • curl.exe (PID: 7064)
      • 7z2201.exe (PID: 4764)
      • 7z.exe (PID: 7128)
    • Process drops legitimate windows executable

      • KMSMatrix7.exe (PID: 6708)
      • 7z.exe (PID: 7128)
    • Reads security settings of Internet Explorer

      • KMSMatrix7.exe (PID: 6708)
      • vzone.exe (PID: 3988)
      • office.exe (PID: 4204)
      • vzone.exe (PID: 6340)
    • Starts POWERSHELL.EXE for commands execution

      • KMSMatrix7.exe (PID: 6708)
      • cmd.exe (PID: 1796)
    • Executing commands from ".cmd" file

      • KMSMatrix7.exe (PID: 6708)
      • cmd.exe (PID: 2796)
      • vzone.exe (PID: 3988)
    • The process executes Powershell scripts

      • KMSMatrix7.exe (PID: 6708)
    • Uses ATTRIB.EXE to modify file attributes

      • cmd.exe (PID: 6200)
    • Using 'findstr.exe' to search for text patterns in files and output

      • cmd.exe (PID: 2796)
    • Application launched itself

      • cmd.exe (PID: 2796)
      • cmd.exe (PID: 6324)
      • office.exe (PID: 3620)
    • Uses WMIC.EXE

      • cmd.exe (PID: 6468)
    • Get information on the list of running processes

      • cmd.exe (PID: 5972)
      • cmd.exe (PID: 2796)
      • cmd.exe (PID: 5616)
      • cmd.exe (PID: 2084)
    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 2796)
      • cmd.exe (PID: 1796)
    • The process verifies whether the antivirus software is installed

      • cmd.exe (PID: 2796)
    • Checks for external IP

      • svchost.exe (PID: 2192)
      • curl.exe (PID: 6632)
      • curl.exe (PID: 6560)
    • Gets full path of the running script (SCRIPT)

      • cscript.exe (PID: 1576)
      • cscript.exe (PID: 6016)
    • Uses WMI to retrieve WMI-managed resources (SCRIPT)

      • cscript.exe (PID: 1576)
    • Reads data from a binary Stream object (SCRIPT)

      • cscript.exe (PID: 1576)
    • Execution of CURL command

      • cmd.exe (PID: 2796)
    • The process executes VB scripts

      • powershell.exe (PID: 5532)
      • cmd.exe (PID: 4308)
    • Gets content of a file (POWERSHELL)

      • powershell.exe (PID: 5532)
    • Creates/Modifies COM task schedule object

      • 7z2201.exe (PID: 4764)
    • The executable file from the user directory is run by the CMD process

      • 7z2201.exe (PID: 4764)
      • vzone.exe (PID: 3988)
      • vzone.exe (PID: 6340)
    • Drops 7-zip archiver for unpacking

      • 7z2201.exe (PID: 4764)
    • Creates a software uninstall entry

      • 7z2201.exe (PID: 4764)
    • Script adds exclusion process to Windows Defender

      • cmd.exe (PID: 1796)
    • Gets the drive type (SCRIPT)

      • cscript.exe (PID: 6016)
    • Gets a collection of all available drive names (SCRIPT)

      • cscript.exe (PID: 6016)
    • Accesses computer name via WMI (SCRIPT)

      • cscript.exe (PID: 6016)
    • Accesses WMI object, sets custom ImpersonationLevel (SCRIPT)

      • cscript.exe (PID: 6016)
    • Executing commands from a ".bat" file

      • cmd.exe (PID: 2796)
    • Executes application which crashes

      • cscript.exe (PID: 6016)
    • Creates FileSystem object to access computer's file system (SCRIPT)

      • cscript.exe (PID: 6016)
    • Script adds exclusion path to Windows Defender

      • cmd.exe (PID: 1796)
    • The process creates files with name similar to system file names

      • WerFault.exe (PID: 432)
    • The process drops C-runtime libraries

      • 7z.exe (PID: 7128)
    • Runs PING.EXE to delay simulation

      • cmd.exe (PID: 5008)
    • Starts a Microsoft application from unusual location

      • office.exe (PID: 3620)
      • office.exe (PID: 4204)
    • Searches for installed software

      • office.exe (PID: 4204)
    • SQL CE related mutex has been found

      • KMSMatrix7.exe (PID: 6708)
    • Checks Windows Trust Settings

      • office.exe (PID: 4204)
    • Uses WMIC.EXE to obtain Windows Installer data

      • Windows Driver Foundation (WUD).exe (PID: 6164)
    • Accesses product unique identifier via WMI (SCRIPT)

      • WMIC.exe (PID: 6660)
    • Connects to unusual port

      • Windows Driver Foundation (WUD).exe (PID: 6164)
  • INFO

    • Manual execution by a user

      • WinRAR.exe (PID: 6580)
      • WinRAR.exe (PID: 6508)
      • KMSMatrix7.exe (PID: 6656)
      • KMSMatrix7.exe (PID: 6708)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 6580)
    • Reads the computer name

      • KMSMatrix7.exe (PID: 6708)
      • curl.exe (PID: 6560)
      • curl.exe (PID: 6632)
      • curl.exe (PID: 7152)
      • curl.exe (PID: 7064)
      • curl.exe (PID: 5256)
      • 7z2201.exe (PID: 4764)
      • 7z.exe (PID: 6232)
      • curl.exe (PID: 6908)
      • 7z.exe (PID: 7128)
      • curl.exe (PID: 2280)
      • vzone.exe (PID: 3988)
      • office.exe (PID: 4204)
      • OfficeClickToRun.exe (PID: 3920)
      • vzone.exe (PID: 6340)
      • Windows Driver Foundation (WUD).exe (PID: 6164)
    • Checks supported languages

      • KMSMatrix7.exe (PID: 6708)
      • curl.exe (PID: 6560)
      • curl.exe (PID: 6632)
      • curl.exe (PID: 7064)
      • curl.exe (PID: 7152)
      • curl.exe (PID: 5256)
      • 7z2201.exe (PID: 4764)
      • 7z.exe (PID: 6232)
      • curl.exe (PID: 6908)
      • 7z.exe (PID: 7128)
      • curl.exe (PID: 2280)
      • vzone.exe (PID: 3988)
      • office.exe (PID: 3620)
      • office.exe (PID: 4204)
      • OfficeClickToRun.exe (PID: 3920)
      • vzone.exe (PID: 6340)
      • Windows Driver Foundation (WUD).exe (PID: 6164)
    • Process checks computer location settings

      • KMSMatrix7.exe (PID: 6708)
      • vzone.exe (PID: 3988)
      • office.exe (PID: 4204)
      • vzone.exe (PID: 6340)
    • Create files in a temporary directory

      • KMSMatrix7.exe (PID: 6708)
      • curl.exe (PID: 7064)
      • curl.exe (PID: 5256)
      • 7z.exe (PID: 6232)
      • curl.exe (PID: 6908)
      • office.exe (PID: 4204)
      • OfficeClickToRun.exe (PID: 3920)
    • Reads the machine GUID from the registry

      • KMSMatrix7.exe (PID: 6708)
      • office.exe (PID: 4204)
    • Execution of CURL command

      • cmd.exe (PID: 4012)
      • cmd.exe (PID: 3436)
      • cmd.exe (PID: 7132)
      • cmd.exe (PID: 2796)
      • cmd.exe (PID: 1796)
    • Checks operating system version

      • cmd.exe (PID: 2796)
    • Reads security settings of Internet Explorer

      • WMIC.exe (PID: 6416)
      • cscript.exe (PID: 1576)
      • cscript.exe (PID: 6016)
      • WMIC.exe (PID: 6660)
    • Disables trace logs

      • powershell.exe (PID: 5532)
    • Checks proxy server information

      • powershell.exe (PID: 5532)
      • cscript.exe (PID: 6016)
      • WerFault.exe (PID: 432)
      • KMSMatrix7.exe (PID: 6708)
      • office.exe (PID: 4204)
      • OfficeClickToRun.exe (PID: 3920)
    • Uses string replace method (POWERSHELL)

      • powershell.exe (PID: 5532)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 5532)
      • powershell.exe (PID: 3832)
      • powershell.exe (PID: 6524)
      • powershell.exe (PID: 6412)
      • powershell.exe (PID: 6340)
    • Reads the software policy settings

      • cscript.exe (PID: 6016)
      • WerFault.exe (PID: 432)
      • KMSMatrix7.exe (PID: 6708)
      • office.exe (PID: 4204)
    • Creates files in the program directory

      • 7z2201.exe (PID: 4764)
      • KMSMatrix7.exe (PID: 6708)
    • Creates files or folders in the user directory

      • cscript.exe (PID: 6016)
      • 7z.exe (PID: 7128)
      • KMSMatrix7.exe (PID: 6708)
      • WerFault.exe (PID: 432)
      • office.exe (PID: 4204)
      • OfficeClickToRun.exe (PID: 3920)
    • The sample compiled with english language support

      • 7z2201.exe (PID: 4764)
      • 7z.exe (PID: 7128)
    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 3832)
      • powershell.exe (PID: 6524)
      • powershell.exe (PID: 6412)
      • powershell.exe (PID: 6340)
    • Reads Microsoft Office registry keys

      • office.exe (PID: 4204)
      • OfficeClickToRun.exe (PID: 3920)
    • Reads Environment values

      • office.exe (PID: 4204)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
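Most of the MALICIOUS and SUSPICIOUS signatures above are keyed on process command lines: Defender exclusion changes, the PowerShell execution policy, the Winlogon helper path, AV discovery through tasklist filters, attrib +h on files in Temp, taskkill, and external-IP lookups via curl. The Python triage script below is an added example, not ANY.RUN's signature engine and not code from the analyzed sample; it applies regex rules for those behaviours to process-creation events and returns a verdict. The sample events are constructed: the first four reuse command lines quoted in the Process information section of this report (PIDs 1468, 2084, 1156, 1576), while the PowerShell, Add-MpPreference, reg add and curl lines are hypothetical stand-ins for commands the report flags but does not quote, so their arguments (including the helper.exe path and the 9001-9004 PIDs) are assumptions rather than values from the sandbox run.

```python
"""Triage Windows process-creation events for the behaviours this report flags.

Added example, not ANY.RUN's signature engine and not code from the sample.
Rules approximate the report's indicators: Defender exclusion tampering,
PowerShell execution-policy changes, Winlogon helper-path (Userinit/Shell)
modification, AV discovery via tasklist filters, attrib +h on files in Temp,
taskkill use, and external-IP lookups through curl.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    image: str
    cmdline: str
    parent: str


@dataclass
class Finding:
    pid: int
    image: str
    rule: str
    severity: str


# AV/EDR image names typically probed with `tasklist /fi "imagename eq ..."`.
# QHActiveDefense.exe (360) and ekrn.exe (ESET) are the two this report quotes.
AV_PROCESSES = {"qhactivedefense.exe", "ekrn.exe", "msmpeng.exe", "avp.exe"}

# (rule name, severity, pattern). Severities mirror the report's MALICIOUS/SUSPICIOUS split.
RULES = [
    ("defender_exclusion", "malicious",
     re.compile(r"add-mppreference\s+-exclusion(path|process|extension)", re.I)),
    ("powershell_execution_policy", "malicious",
     re.compile(r"(set-executionpolicy|-(executionpolicy|exec|ex|ep))\s+(unrestricted|bypass)", re.I)),
    ("winlogon_helper_path", "malicious",
     re.compile(r"reg(\.exe)?\s+add\s+.*winlogon.*\s/v\s+(userinit|shell)\b", re.I)),
    ("attrib_hide_in_temp", "suspicious",
     re.compile(r"attrib(\.exe)?\s+.*\+h\s+.*\\temp\\", re.I)),
    ("taskkill", "suspicious", re.compile(r"\btaskkill(\.exe)?\s", re.I)),
    ("external_ip_lookup", "suspicious",
     re.compile(r"curl(\.exe)?\s+.*\b(ipinfo\.io|api\.ipify\.org|icanhazip\.com)\b", re.I)),
]

# Captures the image name queried by a tasklist filter so it can be checked against AV_PROCESSES.
TASKLIST_FILTER = re.compile(r'tasklist(\.exe)?\s+.*/fi\s+"?imagename\s+eq\s+([^"\s]+)', re.I)


def evaluate(event: ProcEvent) -> list[Finding]:
    """Return every rule hit for one event (an event may trigger several)."""
    hits = [Finding(event.pid, event.image, name, sev)
            for name, sev, pat in RULES if pat.search(event.cmdline)]
    m = TASKLIST_FILTER.search(event.cmdline)
    if m and m.group(2).lower() in AV_PROCESSES:
        hits.append(Finding(event.pid, event.image, "av_process_discovery", "suspicious"))
    return hits


def triage(events: list[ProcEvent]) -> tuple[list[Finding], str]:
    """Findings for all events plus an overall verdict; the worst severity wins."""
    findings = [f for e in events for f in evaluate(e)]
    if any(f.severity == "malicious" for f in findings):
        return findings, "malicious"
    return findings, ("suspicious" if findings else "clean")


# Constructed sample: the first four reuse command lines quoted in this report's
# process table; the rest are hypothetical stand-ins (PIDs and arguments are assumptions).
SAMPLE_EVENTS = [
    ProcEvent(1468, "tasklist.exe", r'tasklist /fi "imagename eq QHActiveDefense.exe" /fo csv /nh', "cmd.exe"),
    ProcEvent(2084, "cmd.exe", r'C:\WINDOWS\system32\cmd.exe /c tasklist /fi "imagename eq ekrn.exe" /fo csv /nh', "cmd.exe"),
    ProcEvent(1156, "attrib.exe", r'attrib +h "C:\Users\admin\AppData\Local\Temp\s_o.cmd"', "cmd.exe"),
    ProcEvent(1576, "cscript.exe", r'"C:\WINDOWS\system32\cscript.exe" slmgr.vbs /dli', "powershell.exe"),
    ProcEvent(9001, "powershell.exe", r"powershell.exe -ExecutionPolicy Unrestricted -File C:\Users\admin\AppData\Local\Temp\s_w.ps1", "cmd.exe"),
    ProcEvent(9002, "powershell.exe", r'powershell.exe -Command "Add-MpPreference -ExclusionPath C:\Users\admin\AppData\Local\Temp"', "cmd.exe"),
    ProcEvent(9003, "reg.exe", r'reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit /t REG_SZ /d "C:\Windows\system32\userinit.exe,C:\Users\admin\AppData\Local\Temp\helper.exe" /f', "cmd.exe"),
    ProcEvent(9004, "curl.exe", r"curl.exe -s https://ipinfo.io/json", "cmd.exe"),
]

if __name__ == "__main__":
    found, verdict = triage(SAMPLE_EVENTS)
    for f in found:
        print(f"{f.severity:10} pid={f.pid:<5} {f.image:15} {f.rule}")
    print("verdict:", verdict)
```

The rules are deliberately command-line based so they can be run over Sysmon Event ID 1 or Security 4688 exports without the sandbox; the slmgr.vbs line is included as a benign control (KMS activation tooling runs it legitimately) and produces no finding, which is the kind of negative case worth keeping in a rule set so that signature changes do not start flagging it.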
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 10
ZipBitFlag: -
ZipCompression: None
ZipModifyDate: 2025:02:04 15:04:54
ZipCRC: 0x5ae56bf0
ZipCompressedSize: 16
ZipUncompressedSize: 16
ZipFileName: 123456.txt
No data.
All screenshots are available in the full report
Total processes
234
Monitored processes
105
Malicious processes
16
Suspicious processes
4

Behavior graph

Process launch order ("no specs" is the graph's own marker for a process with no indicators of its own):

start, winrar.exe (no specs), winrar.exe (no specs), winrar.exe, kmsmatrix7.exe (no specs), kmsmatrix7.exe, cmd.exe (no specs), conhost.exe (no specs), taskkill.exe (no specs), powershell.exe (no specs), conhost.exe (no specs), cmd.exe (no specs), conhost.exe (no specs), cmd.exe (no specs), conhost.exe (no specs), powershell.exe, conhost.exe (no specs), attrib.exe (no specs), findstr.exe (no specs), attrib.exe (no specs), attrib.exe (no specs), attrib.exe (no specs), attrib.exe (no specs), cmd.exe (no specs), attrib.exe (no specs), find.exe (no specs), attrib.exe (no specs), cmd.exe (no specs), attrib.exe (no specs), reg.exe (no specs), find.exe (no specs), cmd.exe (no specs), cmd.exe (no specs), cmd.exe (no specs), cmd.exe (no specs), find.exe (no specs), fltmc.exe (no specs), cmd.exe (no specs), find.exe (no specs), cmd.exe (no specs), find.exe (no specs), cmd.exe (no specs), find.exe (no specs), cmd.exe (no specs), find.exe (no specs), cmd.exe (no specs), wmic.exe (no specs), cmd.exe (no specs), tasklist.exe (no specs), reg.exe (no specs), reg.exe (no specs), cmd.exe (no specs), reg.exe (no specs), cmd.exe (no specs), reg.exe (no specs), cmd.exe (no specs), tasklist.exe (no specs), cmd.exe (no specs), tasklist.exe (no specs), cmd.exe (no specs), curl.exe, svchost.exe, cscript.exe (no specs), cmd.exe (no specs), curl.exe, cmd.exe (no specs), cmd.exe (no specs), find.exe (no specs), cmd.exe (no specs), find.exe (no specs), cmd.exe (no specs), find.exe (no specs), cmd.exe (no specs), curl.exe, curl.exe, cmd.exe (no specs), conhost.exe (no specs), cscript.exe, 7z2201.exe, curl.exe, 7z.exe (no specs), cmd.exe, powershell.exe (no specs), werfault.exe, powershell.exe (no specs), powershell.exe (no specs), powershell.exe (no specs), curl.exe, 7z.exe, reg.exe, vzone.exe, curl.exe, cmd.exe, conhost.exe (no specs), ping.exe (no specs), office.exe (no specs), conhost.exe (no specs), office.exe, conhost.exe (no specs), officeclicktorun.exe, Delivery Optimization User (no specs), vzone.exe, windows driver foundation (wud).exe, conhost.exe, wmic.exe (no specs), csrss.exe

Process information

PID
CMD
Path
Indicators
Parent process
PID: 432
CMD: C:\WINDOWS\system32\cmd.exe /S /D /c" echo "C:\Users\admin\AppData\Local\Temp\kmsauto.cmd" "
Path: C:\Windows\System32\cmd.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
PID: 432
CMD: C:\WINDOWS\system32\WerFault.exe -u -p 6016 -s 1348
Path: C:\Windows\System32\WerFault.exe
Parent process: cscript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
PID: 616
CMD: %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
Path: C:\Windows\System32\csrss.exe
Parent process: (not recorded)
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Client Server Runtime Process
Version:
10.0.19041.1 (WinBuild.160101.0800)
PID: 732
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: office.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1156
CMD: attrib +h "C:\Users\admin\AppData\Local\Temp\s_o.cmd"
Path: C:\Windows\System32\attrib.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Attribute Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\attrib.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ulib.dll
c:\windows\system32\fsutilext.dll
PID: 1468
CMD: tasklist /fi "imagename eq QHActiveDefense.exe" /fo csv /nh
Path: C:\Windows\System32\tasklist.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Lists the current running tasks
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\tasklist.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 1576
CMD: "C:\WINDOWS\system32\cscript.exe" slmgr.vbs /dli
Path: C:\Windows\System32\cscript.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft ® Console Based Script Host
Exit code:
0
Version:
5.812.10240.16384
Modules
Images
c:\windows\system32\cscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1796
CMD: C:\WINDOWS\system32\cmd.exe /K "C:\Users\admin\AppData\Local\Temp\m.bat"
Path: C:\Windows\System32\cmd.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll
PID: 1808
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2084
CMD: C:\WINDOWS\system32\cmd.exe /c tasklist /fi "imagename eq ekrn.exe" /fo csv /nh
Path: C:\Windows\System32\cmd.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
Total events
55 219
Read events
54 861
Write events
254
Delete events
104

Modification events

(PID) Process: (3808) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 3
Value: C:\Users\admin\Desktop\preferences.zip

(PID) Process: (3808) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 2
Value: C:\Users\admin\Desktop\chromium_ext.zip

(PID) Process: (3808) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip

(PID) Process: (3808) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\Desktop\KMSMatrix_7.0.zip

(PID) Process: (3808) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (3808) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (3808) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

(PID) Process: (3808) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100

(PID) Process: (3808) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\DialogEditHistory\ExtrPath
Operation: write
Name: 2
Value: C:\Users\admin\Desktop\Preferences

(PID) Process: (3808) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\DialogEditHistory\ExtrPath
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\ext
Executable files
14
Suspicious files
27
Text files
132
Unknown types
1

Dropped files

PID
Process
Filename
Type
3808 | WinRAR.exe | C:\Users\admin\Desktop\KMSMatrix.7z | (type not recorded)
MD5:
SHA256:

6508 | WinRAR.exe | C:\Users\admin\Desktop\KMSMatrix.7z | (type not recorded)
MD5:
SHA256:

6708 | KMSMatrix7.exe | C:\Users\admin\AppData\Local\Temp\cnf | text
MD5: 9FC2CA28EEF3E5366E58A34FDED118FA
SHA256: 03B70295A6131D8CFE6629F7B05D0146113776231C442963FB226B115044D4A5

6708 | KMSMatrix7.exe | C:\Users\admin\AppData\Local\Temp\kmsauto.cmd | text
MD5: 66765B0A90B5FDFBFD2E6A1342C089D1
SHA256: C805C42235E9FE0AD284A0A33946F232F9AF3287FC64DCD63F708CC3BADF57D6

6708 | KMSMatrix7.exe | C:\Users\admin\AppData\Local\Temp\s_w.ps1 | text
MD5: C434CBFC2C3916C8A5297A129E93F0DE
SHA256: 78E6F53810638B2FD79E35756DEC514B1BADF515C4CF7ECE1B9B3163BA98BE91

6580 | WinRAR.exe | C:\Users\admin\Desktop\KMSMatrix7.exe | executable
MD5: 972A76EAE6FCCCE0A2D80FBDB282F8DE
SHA256: 17B974250C56648F5440C70FF600AD9E9C82B43AC487B779B322A22ECD2BE55C

6708 | KMSMatrix7.exe | C:\Users\admin\AppData\Local\Temp\Office 365 Setup Config.xml | text
MD5: 145794A5197D071CD0C8BC79C2BEDCF1
SHA256: 005A90A2FF999EF0356E9267769F20701953D8528A88A36AAF3AF8ABD6B75FDC

6952 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | binary
MD5: 1B7CC732527CC468CF3D60974D1E047B
SHA256: FA0995E15995D30D2D7080BF557229B378DA85EF4F1ECE7D60F62163553E1FC0

6952 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_txtee1ls.dbr.ps1 | text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

6708 | KMSMatrix7.exe | C:\Users\admin\AppData\Local\Temp\matrix_1.mp3 | binary
MD5: 65798C7F75C29DA5F9F9088E835CF890
SHA256: B2AD159D0CF9B6376ED0E5D6000AA7EC7813024BD8D861329E58C81F46371DE6
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
360
TCP/UDP connections
48
DNS requests
30
Threats
5

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
- | - | GET | 200 | 2.19.11.105:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
- | - | GET | 200 | 23.209.214.100:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 23.209.214.100:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
644 | svchost.exe | GET | 200 | 23.209.214.100:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
6016 | cscript.exe | GET | 200 | 2.16.241.14:80 | http://crl.microsoft.com/pki/crl/products/MicCodSigPCA_2010-07-06.crl | unknown | - | - | whitelisted
6016 | cscript.exe | GET | 200 | 2.16.241.14:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl | unknown | - | - | whitelisted
432 | WerFault.exe | GET | 200 | 2.16.241.14:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
432 | WerFault.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
4204 | office.exe | HEAD | 200 | 2.22.242.130:80 | http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v64_16.0.16026.20146.cab | unknown | - | - | whitelisted
5064 | SearchApp.exe | GET | 200 | 2.23.77.188:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | - | - | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 51.104.136.2:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
- | - | 2.21.65.153:443 | www.bing.com | Akamai International B.V. | NL | whitelisted
- | - | 2.19.11.105:80 | crl.microsoft.com | Elisa Oyj | NL | whitelisted
- | - | 23.209.214.100:80 | www.microsoft.com | PT. Telekomunikasi Selular | ID | whitelisted
4712 | MoUsoCoreWorker.exe | 23.209.214.100:80 | www.microsoft.com | PT. Telekomunikasi Selular | ID | whitelisted
644 | svchost.exe | 23.209.214.100:80 | www.microsoft.com | PT. Telekomunikasi Selular | ID | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
4712 | MoUsoCoreWorker.exe | 51.104.136.2:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4712 | MoUsoCoreWorker.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 172.217.16.206
whitelisted
crl.microsoft.com
  • 2.19.11.105
  • 2.19.11.120
  • 2.16.241.14
  • 2.16.241.12
whitelisted
www.microsoft.com
  • 23.209.214.100
  • 95.101.149.131
  • 23.219.150.101
whitelisted
settings-win.data.microsoft.com
  • 51.124.78.146
whitelisted
ipinfo.io
  • 34.117.59.81
whitelisted
c.zeltitmp.net
  • 141.136.39.211
malicious
translate.googleapis.com
  • 216.58.206.42
whitelisted
github.com
  • 140.82.121.4
whitelisted
objects.githubusercontent.com
  • 185.199.110.133
  • 185.199.111.133
  • 185.199.109.133
  • 185.199.108.133
whitelisted
zeltitmp.net
  • 141.136.39.211
malicious

Threats

PID | Process | Class | Message
2192 | svchost.exe | Device Retrieving External IP Address Detected | ET INFO External IP Lookup Domain in DNS Lookup (ipinfo .io)
6560 | curl.exe | Device Retrieving External IP Address Detected | ET INFO Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
6560 | curl.exe | Device Retrieving External IP Address Detected | ET INFO External IP Lookup SSL Cert Observed (ipinfo .io)
6632 | curl.exe | Device Retrieving External IP Address Detected | ET INFO Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
6632 | curl.exe | Device Retrieving External IP Address Detected | ET INFO External IP Lookup SSL Cert Observed (ipinfo .io)
No debug info