cryptbot | ea8b966254f89ce69425210fec17037d47b68f5ebb5e6b40c408f28d3900bd0b

Resubmissions

23-06-2024 14:21

240623-rpelzstfpc 10

23-06-2024 14:17

240623-rlz4hsxekp 10

23-06-2024 14:14

240623-rj5k8atekh 3

Analysis

max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
23-06-2024 14:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

КМSрiсо.exe
Size

9.3MB
MD5

9a82eec3b97942751c99fe42a8699cdf
SHA1

62fa4445db34eac1e333af921454357704496261
SHA256

ea8b966254f89ce69425210fec17037d47b68f5ebb5e6b40c408f28d3900bd0b
SHA512

ad3b16ca24d29e1f9be6cdae9744cdd065a8f4545468aeaa99509b5c08a28b16d7c846978b71f60fe54d17b770af24529ba261133f02155048b45b7e0a79c246
SSDEEP

196608:hbCPcnPEu6Bqimbj+P6EDTvLhe8dYoANmvP2WNChdb+WRTBl:hWrmb0vTvLnhmWkK+TBl

Score

10^/10

cryptbot discovery evasion execution exploit persistence spyware stealer themida trojan upx

Malware Config

Extracted

Family

cryptbot

xokecn54.top

morekt05.top

Signatures

CryptBot
A C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

Setup1.exeIntelRapid.exeSetup.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Setup1.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	IntelRapid.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Setup.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Possible privilege escalation attempt 12 IoCs
exploit

Processes:

icacls.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exetakeown.exeicacls.exeicacls.exe

pid process

2212 icacls.exe
2060 takeown.exe
1368 icacls.exe
1044 icacls.exe
1612 icacls.exe
264 icacls.exe
2112 icacls.exe
888 takeown.exe
2276 takeown.exe
2356 takeown.exe
2608 icacls.exe
1676 icacls.exe

pid	process
2212	icacls.exe
2060	takeown.exe
1368	icacls.exe
1044	icacls.exe
1612	icacls.exe
264	icacls.exe
2112	icacls.exe
888	takeown.exe
2276	takeown.exe
2356	takeown.exe
2608	icacls.exe
1676	icacls.exe

Checks BIOS information in registry 2 TTPs 6 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

IntelRapid.exeSetup.exeSetup1.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	IntelRapid.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Setup1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Setup1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	IntelRapid.exe

Drops startup file 1 IoCs

Processes:

Setup1.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IntelRapid.lnk Setup1.exe
Executes dropped EXE 10 IoCs

Processes:

Setup.exeKMSpico.exeKMSpico.tmpSetup1.exeIntelRapid.exeUninsHs.exeKMSELDI.exeAutoPico.exeKMSELDI.exeKMSELDI.exe

pid process

2884 Setup.exe
2776 KMSpico.exe
2192 KMSpico.tmp
2592 Setup1.exe
2836 IntelRapid.exe
768 UninsHs.exe
812 KMSELDI.exe
2668 AutoPico.exe
852 KMSELDI.exe
1348 KMSELDI.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IntelRapid.lnk	Setup1.exe

pid	process
2884	Setup.exe
2776	KMSpico.exe
2192	KMSpico.tmp
2592	Setup1.exe
2836	IntelRapid.exe
768	UninsHs.exe
812	KMSELDI.exe
2668	AutoPico.exe
852	KMSELDI.exe
1348	KMSELDI.exe

Loads dropped DLL 25 IoCs

Processes:

КМSрiсо.exeKMSpico.exeKMSpico.tmpSetup1.exeUninsHs.exe

pid	process
2148	КМSрiсо.exe
2148	КМSрiсо.exe
2148	КМSрiсо.exe
2148	КМSрiсо.exe
2148	КМSрiсо.exe
2148	КМSрiсо.exe
2148	КМSрiсо.exe
2776	KMSpico.exe
2192	KMSpico.tmp
2192	KMSpico.tmp
2148	КМSрiсо.exe
2148	КМSрiсо.exe
864
2592	Setup1.exe
2592	Setup1.exe
2592	Setup1.exe
2192	KMSpico.tmp
2192	KMSpico.tmp
2192	KMSpico.tmp
2192	KMSpico.tmp
768	UninsHs.exe
768	UninsHs.exe
768	UninsHs.exe
2192	KMSpico.tmp
2192	KMSpico.tmp

Modifies file permissions 1 TTPs 12 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exe

pid process

1612 icacls.exe
264 icacls.exe
2608 icacls.exe
2212 icacls.exe
1368 icacls.exe
2276 takeown.exe
2356 takeown.exe
2112 icacls.exe
888 takeown.exe
1676 icacls.exe
2060 takeown.exe
1044 icacls.exe

pid	process
1612	icacls.exe
264	icacls.exe
2608	icacls.exe
2212	icacls.exe
1368	icacls.exe
2276	takeown.exe
2356	takeown.exe
2112	icacls.exe
888	takeown.exe
1676	icacls.exe
2060	takeown.exe
1044	icacls.exe

Themida packer 21 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
\Program Files (x86)\folder1\Setup.exe	themida
behavioral1/memory/2148-9-0x0000000003A80000-0x000000000415E000-memory.dmp	themida
behavioral1/memory/2884-38-0x0000000000320000-0x00000000009FE000-memory.dmp	themida
C:\Program Files (x86)\folder1\Setup1.exe	themida
behavioral1/memory/2148-59-0x0000000003A80000-0x00000000043A4000-memory.dmp	themida
behavioral1/memory/2884-57-0x0000000000320000-0x00000000009FE000-memory.dmp	themida
behavioral1/memory/2884-56-0x0000000000320000-0x00000000009FE000-memory.dmp	themida
behavioral1/memory/2884-62-0x0000000000320000-0x00000000009FE000-memory.dmp	themida
behavioral1/memory/2884-61-0x0000000000320000-0x00000000009FE000-memory.dmp	themida
behavioral1/memory/2592-60-0x000000013F8E0000-0x0000000140204000-memory.dmp	themida
behavioral1/memory/2592-65-0x000000013F8E0000-0x0000000140204000-memory.dmp	themida
behavioral1/memory/2592-64-0x000000013F8E0000-0x0000000140204000-memory.dmp	themida
behavioral1/memory/2592-63-0x000000013F8E0000-0x0000000140204000-memory.dmp	themida
behavioral1/memory/2836-83-0x000000013FC40000-0x0000000140564000-memory.dmp	themida
behavioral1/memory/2592-81-0x000000013F8E0000-0x0000000140204000-memory.dmp	themida
behavioral1/memory/2836-86-0x000000013FC40000-0x0000000140564000-memory.dmp	themida
behavioral1/memory/2836-85-0x000000013FC40000-0x0000000140564000-memory.dmp	themida
behavioral1/memory/2836-84-0x000000013FC40000-0x0000000140564000-memory.dmp	themida
behavioral1/memory/2884-88-0x0000000000320000-0x00000000009FE000-memory.dmp	themida
behavioral1/memory/2836-108-0x000000013FC40000-0x0000000140564000-memory.dmp	themida
behavioral1/memory/2836-1127-0x000000013FC40000-0x0000000140564000-memory.dmp	themida

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Program Files\KMSpico\UninsHs.exe	upx
behavioral1/memory/768-881-0x0000000000400000-0x0000000000417000-memory.dmp	upx
behavioral1/memory/768-888-0x0000000000400000-0x0000000000417000-memory.dmp	upx
behavioral1/memory/768-886-0x0000000000020000-0x0000000000037000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

Setup.exeSetup1.exeIntelRapid.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Setup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Setup1.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	IntelRapid.exe

Drops file in System32 directory 4 IoCs

Processes:

KMSpico.tmp

description	ioc	process
File opened for modification	C:\Windows\system32\Vestris.ResourceLib.dll	KMSpico.tmp
File created	C:\Windows\system32\is-FHSVT.tmp	KMSpico.tmp
File created	C:\Windows\system32\is-ALLFT.tmp	KMSpico.tmp
File created	C:\Windows\system32\is-3PMA5.tmp	KMSpico.tmp

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

Processes:

Setup.exeSetup1.exeIntelRapid.exe

pid process

2884 Setup.exe
2592 Setup1.exe
2836 IntelRapid.exe

pid	process
2884	Setup.exe
2592	Setup1.exe
2836	IntelRapid.exe

Drops file in Program Files directory 64 IoCs

Processes:

KMSpico.tmpКМSрiсо.exeAutoPico.exe

description	ioc	process
File created	C:\Program Files\KMSpico\cert\kmscert2010\Groove\is-NFH6A.tmp	KMSpico.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2016\OneNote\is-TJDGG.tmp	KMSpico.tmp
File created	C:\Program Files\KMSpico\cert\kmscertW8\EnterpriseN\is-HVNT4.tmp	KMSpico.tmp
File created	C:\Program Files\KMSpico\cert\kmscertW8\ProfessionalN\is-T7MJ2.tmp	KMSpico.tmp
File created	C:\Program Files (x86)\folder1\__tmp_rar_sfx_access_check_259461518	КМSрiсо.exe
File created	C:\Program Files\KMSpico\cert\kmscert2010\Excel\is-9KLLJ.tmp	KMSpico.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2013\ProjectPro\is-3TV8O.tmp	KMSpico.tmp
File created	C:\Program Files\KMSpico\cert\kmscertW81\ProfessionalWMC\is-EVJUE.tmp	KMSpico.tmp
File created	C:\Program Files\KMSpico\cert\kmscertW7\Professional\is-OB1M3.tmp	KMSpico.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2010\Groove\is-NIJGN.tmp	KMSpico.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2010\PowerPoint\is-ME944.tmp	KMSpico.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2013\is-D99MO.tmp	KMSpico.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2013\Excel\is-O30ET.tmp	KMSpico.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2016\Excel\is-CCLS1.tmp	KMSpico.tmp
File created	C:\Program Files\KMSpico\cert\kmscertW6\Business\is-JTKM3.tmp	KMSpico.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2010\InfoPath\is-U89DI.tmp	KMSpico.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2010\Outlook\is-59JNP.tmp	KMSpico.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2016\Outlook\is-UGPCR.tmp	KMSpico.tmp
File created	C:\Program Files\KMSpico\cert\kmscertW8\Professional\is-C2NTM.tmp	KMSpico.tmp
File created	C:\Program Files\KMSpico\sounds\is-IHNK5.tmp	KMSpico.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2010\Excel\is-QUMF2.tmp	KMSpico.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2010\PowerPoint\is-2JCU9.tmp	KMSpico.tmp
File created	C:\Program Files\KMSpico\sounds\is-0LOKJ.tmp	KMSpico.tmp
File created	C:\Program Files\KMSpico\is-UUO0U.tmp	KMSpico.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2010\Word\is-0UJMI.tmp	KMSpico.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2016\is-KU3FF.tmp	KMSpico.tmp
File created	C:\Program Files\KMSpico\cert\kmscertW7\Embedded\is-5KU9V.tmp	KMSpico.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2016\OneNote\is-4TU94.tmp	KMSpico.tmp
File created	C:\Program Files\KMSpico\cert\kmscertW7\Embedded\is-KFOC9.tmp	KMSpico.tmp
File created	C:\Program Files\KMSpico\cert\kmscertW8\CoreN\is-OS7L0.tmp	KMSpico.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2013\ProjectPro\is-SVADQ.tmp	KMSpico.tmp
File created	C:\Program Files\KMSpico\driver\is-6OG1R.tmp	KMSpico.tmp
File created	C:\Program Files\KMSpico\scripts\is-F2CAC.tmp	KMSpico.tmp
File created	C:\Program Files\KMSpico\sounds\is-I9NVE.tmp	KMSpico.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2010\Visio\is-5HL90.tmp	KMSpico.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2016\SkypeforBusiness\is-TE2S9.tmp	KMSpico.tmp
File created	C:\Program Files\KMSpico\is-F2806.tmp	KMSpico.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2010\Groove\is-6843O.tmp	KMSpico.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2010\ProjectPro\is-FO8UB.tmp	KMSpico.tmp
File created	C:\Program Files\KMSpico\cert\kmscertW6\Enterprise\is-H8D43.tmp	KMSpico.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2010\OneNote\is-DFUMU.tmp	KMSpico.tmp
File created	C:\Program Files\KMSpico\icons\is-8IOQQ.tmp	KMSpico.tmp
File created	C:\Program Files\KMSpico\sounds\is-HMNF4.tmp	KMSpico.tmp
File opened for modification	C:\Program Files\KMSpico\logs\AutoPico.log	AutoPico.exe
File created	C:\Program Files\KMSpico\is-E2383.tmp	KMSpico.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2010\PowerPoint\is-0C20A.tmp	KMSpico.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2013\Publisher\is-GENOL.tmp	KMSpico.tmp
File created	C:\Program Files\KMSpico\cert\kmscertW81\Core\is-32V4T.tmp	KMSpico.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2010\Excel\is-K53SF.tmp	KMSpico.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2013\is-A7VOH.tmp	KMSpico.tmp
File created	C:\Program Files\KMSpico\scripts\is-TD9Q2.tmp	KMSpico.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2010\InfoPath\is-83SNH.tmp	KMSpico.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2013\is-71VUC.tmp	KMSpico.tmp
File created	C:\Program Files\KMSpico\cert\kmscertW8\CoreN\is-TO6U6.tmp	KMSpico.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2010\InfoPath\is-J7FT4.tmp	KMSpico.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2010\Visio\is-C3GNG.tmp	KMSpico.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2016\Access\is-OJSP8.tmp	KMSpico.tmp
File created	C:\Program Files\KMSpico\cert\kmscertW8\CoreSingleLanguage\is-3CTJ8.tmp	KMSpico.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2010\Publisher\is-Q5MH4.tmp	KMSpico.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2010\Publisher\is-TDGLR.tmp	KMSpico.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2013\Outlook\is-263HU.tmp	KMSpico.tmp
File created	C:\Program Files\KMSpico\cert\kmscertW10\Core\is-VFD39.tmp	KMSpico.tmp
File created	C:\Program Files\KMSpico\icons\is-CEI69.tmp	KMSpico.tmp
File opened for modification	C:\Program Files\KMSpico\driver\tap-windows-9.21.0.exe	KMSpico.tmp

Drops file in Windows directory 3 IoCs

Processes:

KMSELDI.exe

description	ioc	process
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\Cache\cache.dat	KMSELDI.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\tokens.dat	KMSELDI.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\tokens.dat	KMSELDI.exe

Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

1632 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
1632	sc.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Setup.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Setup.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2420 timeout.exe

pid	process
2420	timeout.exe

Modifies Control Panel 4 IoCs

evasion

Processes:

AutoPico.exeKMSELDI.exeKMSELDI.exeKMSELDI.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\Desktop\PaintDesktopVersion = "0"	AutoPico.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\Desktop\PaintDesktopVersion = "0"	KMSELDI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\Desktop\PaintDesktopVersion = "0"	KMSELDI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\Desktop\PaintDesktopVersion = "0"	KMSELDI.exe

Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs

Modify Registry

T1112

Processes:

KMSpico.tmp

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter	KMSpico.tmp
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\EnabledV9 = "0"	KMSpico.tmp

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

2196 schtasks.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

IntelRapid.exe

pid process

2836 IntelRapid.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

Setup.exeKMSpico.tmp

pid process

2884 Setup.exe
2192 KMSpico.tmp
2192 KMSpico.tmp
Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

KMSELDI.exeAutoPico.exeKMSELDI.exeKMSELDI.exe

description pid process

Token: SeSystemtimePrivilege 812 KMSELDI.exe
Token: SeSystemtimePrivilege 2668 AutoPico.exe
Token: SeSystemtimePrivilege 852 KMSELDI.exe
Token: SeSystemtimePrivilege 1348 KMSELDI.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

KMSpico.tmp

pid process

2192 KMSpico.tmp

pid	process
2196	schtasks.exe

pid	process
2836	IntelRapid.exe

pid	process
2884	Setup.exe
2192	KMSpico.tmp
2192	KMSpico.tmp

description	pid	process
Token: SeSystemtimePrivilege	812	KMSELDI.exe
Token: SeSystemtimePrivilege	2668	AutoPico.exe
Token: SeSystemtimePrivilege	852	KMSELDI.exe
Token: SeSystemtimePrivilege	1348	KMSELDI.exe

pid	process
2192	KMSpico.tmp

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

КМSрiсо.exeKMSpico.exeSetup1.exeSetup.execmd.exeKMSpico.tmpcmd.execmd.exe

description	pid	process	target process
PID 2148 wrote to memory of 2884	2148	КМSрiсо.exe	Setup.exe
PID 2148 wrote to memory of 2884	2148	КМSрiсо.exe	Setup.exe
PID 2148 wrote to memory of 2884	2148	КМSрiсо.exe	Setup.exe
PID 2148 wrote to memory of 2884	2148	КМSрiсо.exe	Setup.exe
PID 2148 wrote to memory of 2884	2148	КМSрiсо.exe	Setup.exe
PID 2148 wrote to memory of 2884	2148	КМSрiсо.exe	Setup.exe
PID 2148 wrote to memory of 2884	2148	КМSрiсо.exe	Setup.exe
PID 2148 wrote to memory of 2776	2148	КМSрiсо.exe	KMSpico.exe
PID 2148 wrote to memory of 2776	2148	КМSрiсо.exe	KMSpico.exe
PID 2148 wrote to memory of 2776	2148	КМSрiсо.exe	KMSpico.exe
PID 2148 wrote to memory of 2776	2148	КМSрiсо.exe	KMSpico.exe
PID 2148 wrote to memory of 2776	2148	КМSрiсо.exe	KMSpico.exe
PID 2148 wrote to memory of 2776	2148	КМSрiсо.exe	KMSpico.exe
PID 2148 wrote to memory of 2776	2148	КМSрiсо.exe	KMSpico.exe
PID 2776 wrote to memory of 2192	2776	KMSpico.exe	KMSpico.tmp
PID 2776 wrote to memory of 2192	2776	KMSpico.exe	KMSpico.tmp
PID 2776 wrote to memory of 2192	2776	KMSpico.exe	KMSpico.tmp
PID 2776 wrote to memory of 2192	2776	KMSpico.exe	KMSpico.tmp
PID 2776 wrote to memory of 2192	2776	KMSpico.exe	KMSpico.tmp
PID 2776 wrote to memory of 2192	2776	KMSpico.exe	KMSpico.tmp
PID 2776 wrote to memory of 2192	2776	KMSpico.exe	KMSpico.tmp
PID 2148 wrote to memory of 2592	2148	КМSрiсо.exe	Setup1.exe
PID 2148 wrote to memory of 2592	2148	КМSрiсо.exe	Setup1.exe
PID 2148 wrote to memory of 2592	2148	КМSрiсо.exe	Setup1.exe
PID 2148 wrote to memory of 2592	2148	КМSрiсо.exe	Setup1.exe
PID 2592 wrote to memory of 2836	2592	Setup1.exe	IntelRapid.exe
PID 2592 wrote to memory of 2836	2592	Setup1.exe	IntelRapid.exe
PID 2592 wrote to memory of 2836	2592	Setup1.exe	IntelRapid.exe
PID 2884 wrote to memory of 2456	2884	Setup.exe	cmd.exe
PID 2884 wrote to memory of 2456	2884	Setup.exe	cmd.exe
PID 2884 wrote to memory of 2456	2884	Setup.exe	cmd.exe
PID 2884 wrote to memory of 2456	2884	Setup.exe	cmd.exe
PID 2456 wrote to memory of 2420	2456	cmd.exe	timeout.exe
PID 2456 wrote to memory of 2420	2456	cmd.exe	timeout.exe
PID 2456 wrote to memory of 2420	2456	cmd.exe	timeout.exe
PID 2456 wrote to memory of 2420	2456	cmd.exe	timeout.exe
PID 2192 wrote to memory of 1124	2192	KMSpico.tmp	cmd.exe
PID 2192 wrote to memory of 1124	2192	KMSpico.tmp	cmd.exe
PID 2192 wrote to memory of 1124	2192	KMSpico.tmp	cmd.exe
PID 2192 wrote to memory of 1124	2192	KMSpico.tmp	cmd.exe
PID 2192 wrote to memory of 1992	2192	KMSpico.tmp	cmd.exe
PID 2192 wrote to memory of 1992	2192	KMSpico.tmp	cmd.exe
PID 2192 wrote to memory of 1992	2192	KMSpico.tmp	cmd.exe
PID 2192 wrote to memory of 1992	2192	KMSpico.tmp	cmd.exe
PID 2192 wrote to memory of 768	2192	KMSpico.tmp	UninsHs.exe
PID 2192 wrote to memory of 768	2192	KMSpico.tmp	UninsHs.exe
PID 2192 wrote to memory of 768	2192	KMSpico.tmp	UninsHs.exe
PID 2192 wrote to memory of 768	2192	KMSpico.tmp	UninsHs.exe
PID 2192 wrote to memory of 768	2192	KMSpico.tmp	UninsHs.exe
PID 2192 wrote to memory of 768	2192	KMSpico.tmp	UninsHs.exe
PID 2192 wrote to memory of 768	2192	KMSpico.tmp	UninsHs.exe
PID 2192 wrote to memory of 812	2192	KMSpico.tmp	KMSELDI.exe
PID 2192 wrote to memory of 812	2192	KMSpico.tmp	KMSELDI.exe
PID 2192 wrote to memory of 812	2192	KMSpico.tmp	KMSELDI.exe
PID 2192 wrote to memory of 812	2192	KMSpico.tmp	KMSELDI.exe
PID 1992 wrote to memory of 2196	1992	cmd.exe	schtasks.exe
PID 1992 wrote to memory of 2196	1992	cmd.exe	schtasks.exe
PID 1992 wrote to memory of 2196	1992	cmd.exe	schtasks.exe
PID 1124 wrote to memory of 1632	1124	cmd.exe	sc.exe
PID 1124 wrote to memory of 1632	1124	cmd.exe	sc.exe
PID 1124 wrote to memory of 1632	1124	cmd.exe	sc.exe
PID 2192 wrote to memory of 2668	2192	KMSpico.tmp	AutoPico.exe
PID 2192 wrote to memory of 2668	2192	KMSpico.tmp	AutoPico.exe
PID 2192 wrote to memory of 2668	2192	KMSpico.tmp	AutoPico.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\КМSрiсо.exe
"C:\Users\Admin\AppData\Local\Temp\КМSрiсо.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2148

C:\Program Files (x86)\folder1\Setup.exe
"C:\Program Files (x86)\folder1\Setup.exe"
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2884

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\HfFjVdxrJo & timeout 4 & del /f /q "C:\Program Files (x86)\folder1\Setup.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:2456

C:\Windows\SysWOW64\timeout.exe
timeout 4
4⤵
- Delays execution with timeout.exe
PID:2420

C:\Program Files (x86)\folder1\KMSpico.exe
"C:\Program Files (x86)\folder1\KMSpico.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2776

C:\Users\Admin\AppData\Local\Temp\is-UBF8E.tmp\KMSpico.tmp
"C:\Users\Admin\AppData\Local\Temp\is-UBF8E.tmp\KMSpico.tmp" /SL5="$90194,2952592,69120,C:\Program Files (x86)\folder1\KMSpico.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies Internet Explorer Phishing Filter
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2192

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""C:\Program Files\KMSpico\scripts\Install_Service.cmd""
4⤵
- Suspicious use of WriteProcessMemory
PID:1124

C:\Windows\system32\sc.exe
sc create "Service KMSELDI" binPath= "C:\Program Files\KMSpico\Service_KMS.exe" type= own error= normal start= auto DisplayName= "Service KMSELDI"
5⤵
- Launches sc.exe
PID:1632

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""C:\Program Files\KMSpico\scripts\Install_Task.cmd""
4⤵
- Suspicious use of WriteProcessMemory
PID:1992

C:\Windows\system32\schtasks.exe
SCHTASKS /Create /TN "AutoPico Daily Restart" /TR "'C:\Program Files\KMSpico\AutoPico.exe' /silent" /SC DAILY /ST 23:59:59 /RU "NT AUTHORITY\SYSTEM" /RL Highest /F
5⤵
- Scheduled Task/Job: Scheduled Task
PID:2196

C:\Program Files\KMSpico\UninsHs.exe
"C:\Program Files\KMSpico\UninsHs.exe" /r0=KMSpico,default,C:\Program Files (x86)\folder1\KMSpico.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:768

C:\Program Files\KMSpico\KMSELDI.exe
"C:\Program Files\KMSpico\KMSELDI.exe" /silent /backup
4⤵
- Executes dropped EXE
- Modifies Control Panel
- Suspicious use of AdjustPrivilegeToken
PID:812

C:\Program Files\KMSpico\AutoPico.exe
"C:\Program Files\KMSpico\AutoPico.exe" /silent
4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Modifies Control Panel
- Suspicious use of AdjustPrivilegeToken
PID:2668

C:\Program Files (x86)\folder1\Setup1.exe
"C:\Program Files (x86)\folder1\Setup1.exe"
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:2592

C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe
"C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe"
3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: AddClipboardFormatListener
PID:2836

C:\Program Files\KMSpico\KMSELDI.exe
"C:\Program Files\KMSpico\KMSELDI.exe"
1⤵
- Executes dropped EXE
- Modifies Control Panel
- Suspicious use of AdjustPrivilegeToken
PID:852

C:\Program Files\KMSpico\KMSELDI.exe
"C:\Program Files\KMSpico\KMSELDI.exe"
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Modifies Control Panel
- Suspicious use of AdjustPrivilegeToken
PID:1348

C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /f C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\tokens.dat
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2276

C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\tokens.dat /grant :r administrators:(d,f)
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1612

C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\tokens.dat /grant :r *S-1-1-0:(d,f)
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:264

C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /f C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\Cache\cache.dat
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2356

C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\Cache\cache.dat /grant :r administrators:(d,f)
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2608

C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\Cache\cache.dat /grant :r *S-1-1-0:(d,f)
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2112

C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /f C:\ProgramData\Microsoft\OfficeSoftwareProtectionPlatform\tokens.dat
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:888

C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" C:\ProgramData\Microsoft\OfficeSoftwareProtectionPlatform\tokens.dat /grant :r administrators:(d,f)
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1676

C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" C:\ProgramData\Microsoft\OfficeSoftwareProtectionPlatform\tokens.dat /grant :r *S-1-1-0:(d,f)
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2212

C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /f C:\ProgramData\Microsoft\OfficeSoftwareProtectionPlatform\Cache\cache.dat
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2060

C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" C:\ProgramData\Microsoft\OfficeSoftwareProtectionPlatform\Cache\cache.dat /grant :r administrators:(d,f)
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1368

C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" C:\ProgramData\Microsoft\OfficeSoftwareProtectionPlatform\Cache\cache.dat /grant :r *S-1-1-0:(d,f)
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1044

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\folder1\Setup1.exe
Filesize
3.4MB

MD5
150be50312a4f6c64f292c5ddc2367ae

SHA1
c3e19926be108631b2497e6c03796fd30df6d557

SHA256
8534e712f977ab6f7caee080f4281fdaf08337f209e92d1dae23bbff80fe6c41

SHA512
2bfaece5af3a6a3fc78da6c9dabae95c5d7a8bc222f3a84531dc4619e671fb7f0ee09a3973cc2d720ed6e16ea38ae67f5937f0cc74b4278576b54c10a4658ee1

Download Submit
C:\Program Files\KMSpico\DevComponents.DotNetBar2.dll
Filesize
5.2MB

MD5
1397b23f30681f97049df61f94f54d05

SHA1
5cb1ce6966e3d6d8b8c398cbd537c814312f194d

SHA256
fa76151a783250014ac8fa55d4c833100a623fcad1d6e2ddadcde259f5709609

SHA512
7d001b5942dad8ce1a83831b5a87f2fa6a1571bc133ce3c1ebe9988a43a7fcefc5cdb7870a6e692ef89fb815cfcff0e9c4b41f24ba0716c6808f190ea3c53535

Download Submit
C:\Program Files\KMSpico\TokensBackup\Windows\Cache\cache.dat
Filesize
87KB

MD5
b9d70998a42d0e588107bc9ae01e32cb

SHA1
84357f0d368122a0ecae95e20b59f77f27dc5d93

SHA256
17432e346bd119afc1c5d6635a3d4e2e3c3232e477dba1aa06f55ad13686ac07

SHA512
795a67e6ebd2f1fac7bd665e90897ba73c8ad3bb58ab9051ef4a963663f86342f7f6125db858f4ce523f51b371d433f28c38476bebc1b7b94fdd1e104549bceb

Download Submit
C:\Program Files\KMSpico\TokensBackup\Windows\tokens.dat
Filesize
6.8MB

MD5
3926d41029971fbb973cca65ca64518c

SHA1
99a21a168160a13a1a95ff6cb63d9d6ac4a6ec74

SHA256
cc45671d6989346efec9db256a7113f9dfea83a0183b1fb2b0b4dde0c4bf5d91

SHA512
24936a912ccfe48ad76adee4eff2347c27f941deb11172ffa6a8afa7ca3adca859e4917bd669d08b9424a0b2a9d16e1f522cf12c4fef910c4451aa096fecb494

Download Submit
C:\Program Files\KMSpico\logs\AutoPico.log
Filesize
3B

MD5
ecaa88f7fa0bf610a5a26cf545dcd3aa

SHA1
57218c316b6921e2cd61027a2387edc31a2d9471

SHA256
f1945cd6c19e56b3c1c78943ef5ec18116907a4ca1efc40a57d48ab1db7adfc5

SHA512
37c783b80b1d458b89e712c2dfe2777050eff0aefc9f6d8beedee77807d9aeb2e27d14815cf4f0229b1d36c186bb5f2b5ef55e632b108cc41e9fb964c39b42a5

Download Submit
C:\Program Files\KMSpico\logs\KMSELDI.log
Filesize
5KB

MD5
df7132b07fde5058edf28d6e52ae6959

SHA1
74c7ca5427d90dbcabc480197e6692a8bb0ce669

SHA256
cdb9317a6b8a66cc4c7812853a8b20a70f8b73d5d5d2c7f862840ac84d47f3c6

SHA512
7d10a28e3ebf31b8ee126467a78dcf9110c8fd8ce147f444d57be3af996fe2c8c1d51899c0cbcfbf4d530e357c5e3c1a228676910f1b3006e46d9c477abf4530

Download Submit
C:\Program Files\KMSpico\logs\KMSELDI.log
Filesize
3KB

MD5
e0c3c54559b6cccfef7f7ad54db622e9

SHA1
573aeeac0f908b1491f2d10f8d9394d58eac158b

SHA256
c50f3b552ba45ed5cc0e8713839fdc7feb00769cb3c68a726e51c9fb2a7a9030

SHA512
196150e077d61ad8ead5359afeba26a61f32556eb291d1cf041c173538d680b674c82461c8ad6e660bbccc3ae2b462b49d1b709890f40350a3eb2ee6a71d0891

Download Submit
C:\Program Files\KMSpico\logs\KMSELDI.log
Filesize
4KB

MD5
c6377751ff0f5aeb4d83ca91cdc0445b

SHA1
5b32692fd9542d93b3f3b44a5c50281aa2c9c397

SHA256
9f4666933e7208fa1d7a1c0294e9ca84eafc84b847f1c856dbef4e29391f9cf3

SHA512
d8a39785efa67500f73722da727919883c21be622a8c1705f01e6cf59f7e60c232b07e95ab0b97989498197c99aba554db3e7f55ae88792d6718bc5b28e81803

Download Submit
C:\Program Files\KMSpico\logs\KMSELDI.log
Filesize
2KB

MD5
88cd707e62b014ff46379850681f3c19

SHA1
0baab3ea70a0dad59346d7395a5f648aa66b01db

SHA256
d1d09291a8ad38754790f5aedaa2f8e19e289b8dc436e16841b445b5df30dc7b

SHA512
5c42b351f161b9ab6c15ef94a8642c9baf3192b4fce9dfb29cc867b88b8f7484d9ea19ca9f816ac156129057155e3b8d1eaa4666ecdac8cc4ec47934deb0764b

Download Submit
C:\Program Files\KMSpico\logs\KMSELDI.log
Filesize
4KB

MD5
262eb6bcc62647dba7d412bd477ba477

SHA1
c3e489f0b9b5758315135f9fdb78c718ad903119

SHA256
2e42ec40b80cb7abfbd888ff0e9a7f0ad06ef3efe6553200588785d45b6c60f2

SHA512
11773a5fa4df6285d7cfb9200eb38fb3c812daa4f453cf7fb7a06ada890d3baef5d160b772ddba22b755da11924652fb3c6627ec40cfdbfabd66e89fa5c89592

Download Submit
C:\Program Files\KMSpico\logs\KMSELDI.log
Filesize
2KB

MD5
a21cbbd759758d0823fb064a8aa332a1

SHA1
97372feb0185b438ffa18adf45936aace9202f84

SHA256
2e77ae78a2f2192440e39a95502e5b4aab756fef6fdc201c61a8341c2fb1f808

SHA512
3a45a737f9ddb6e7ae8f90c842a9e1cb5b426e1041832cfadffb3bd6adbefc308100479f4ebc674c0f553133f27fd5b28265f63e7a1bd57bce35db6f2206e0aa

Download Submit
C:\Program Files\KMSpico\scripts\Install_Service.cmd
Filesize
213B

MD5
9107cd31951f2cf90e0892740b9087c9

SHA1
efac5c2e59ddef2f0a7782ad1dea8f6b25a07395

SHA256
11578521b14c17fbbb070c13887161586d57196f4d408c41a0f02ed07ee32f2c

SHA512
f6b66dcbbb8aa55793b63f20fc3718038d7c35f94570cf487b6e8393f67be6bd004dd64f3b8fc8345b7e02e2e8ec2d48ceed2494d9f1282ca020dbbaa621f457

Download Submit
C:\Program Files\KMSpico\scripts\Install_Task.cmd
Filesize
220B

MD5
ade709ca6a00370a4a6fea2425f948c1

SHA1
5919c95ef78bd4ab200f8071b98970ff9541a24a

SHA256
5b067073b968361fe489017d173040655f21890605d39cdb012a030dd75b52a8

SHA512
860f9f12bc4995fae7c74481c2b24a346e763e32a782b3826c0f0772ad90be48377faefd883c9a28b221f8476fd203782932fee859b079fb7d4b1b152cce7b53

Download Submit
C:\Program Files\KMSpico\sounds\affirmative.mp3
Filesize
4KB

MD5
249dca86cbb375d84b52ed4eb5cefdc6

SHA1
244c2ce65343dcfa613c26c94fa8255c7e6789fe

SHA256
e7fc9406c360d22ed281fb415a2eec396b6a7d0c733c828b2a8c106a30753de5

SHA512
84cb0128518618b3142276e7f84f0fdf42b4e662699d822b96957f7ee31630d55eb432148c7f204bd3be46efedc2eea5ea703f3795ffd9edb7181a1e748fb947

Download Submit
C:\Program Files\KMSpico\sounds\begin.mp3
Filesize
9KB

MD5
f33f2a16a46920b5c8227ffd558060b2

SHA1
a8f7192d34d585a981b5a2ea92b04a21a17b67a8

SHA256
443d23bd2705246cd64ff39d61b999ab74be6d60db1703d6782bb0d36a20eef3

SHA512
9cf3f48adfae4c7ff8bf60f313939c956b331373bd262f5b4a25fbb04d79b86abc5d73204d5c21a8e6f8f3fd51e503016a1f930e1dc2ea6696c3c7e056af7361

Download Submit
C:\Program Files\KMSpico\sounds\complete.mp3
Filesize
5KB

MD5
0d0e8e30d6007cf99f3951424e1d88e6

SHA1
56a6a3a39a5c9210e97a27190464cd25014db68c

SHA256
4d73c58c680396759508b34b169d1fd9c6aa292141c7c58634842a92d68d3c7b

SHA512
8c2ad7488e52af3aabcbbfddefe0e82c594401e279b07f5f4096b695e6f365e932085a8b4b01c91b3e29cba0fa3b0f160537d4962daed70a74854b55e67f8541

Download Submit
C:\Program Files\KMSpico\sounds\diagnostic.mp3
Filesize
13KB

MD5
06c9a7d36b9b6390faa90ca9c0650bee

SHA1
a27a0fdc48c678a9bd34b379d4f4e2c0e9776a9c

SHA256
2445c403447490dd7227617f7e8017da429ad65985fe013c6662906af15da4b0

SHA512
00aec80c11219c86f52c1984f8f40f992e24b6aeda1a953b20891ecd8976cdd767aa78c066924ee5c732e10149449dadc4dc7425e5ba3be9c8ca0fc150498bc9

Download Submit
C:\Program Files\KMSpico\sounds\inputok.mp3
Filesize
2KB

MD5
28a23b81aefec1336a1046671dc5af30

SHA1
5c89b9b708d26cd44af9635fce8c0abd1fb71433

SHA256
0131a883e4b66e77becc17594a386bcd69e04f1e5185e4ae8a554fc3a39bb81a

SHA512
bc300f57b91a13ec31c9722c87004ea560fee7c6bedb12703281827163734819edaf3a22e322dd7f39c192ac0c319b34171a36dd9190985be33d106fa19a30bb

Download Submit
C:\Program Files\KMSpico\sounds\processing.mp3
Filesize
6KB

MD5
fa3dfa3bd735d73281f10a91d593d52a

SHA1
4e859fc874b61d09f0c63714385cb73843fb07e7

SHA256
9390c99249423929fb82c2aad89e19249e493e4845d0c8babc99e1b594643f34

SHA512
bb3908c9458e1494a83a33532e6e165a05acacfe44820cda5c82d70e3662e7b9571c7020d9720a694f8b91e41284779b5df09d300193a46e70656d449310aa4f

Download Submit
C:\Program Files\KMSpico\sounds\transfer.mp3
Filesize
11KB

MD5
0edd9455457490198c59d78246c5324a

SHA1
5120d61b527d2be4fc21e0524d9b56159e142e3f

SHA256
7c82082ef04cb2f4cd7cfb86f84ff5ddb931b39438d605d5b650adc0c1078ddf

SHA512
d938382b03824c6717f0b22a1fe505d42826fc9280737cb1081f1a919e1d6e3712de605da1803de566dfda8ba3ddb26d7e4ba4032478d4cf22424f15cc44342f

Download Submit
C:\Windows\System32\Vestris.ResourceLib.dll
Filesize
88KB

MD5
3d733144477cadcf77009ef614413630

SHA1
0a530a2524084f1d2a85b419f033e1892174ab31

SHA256
392d73617fd0a55218261572ece2f50301e0cfa29b5ed24c3f692130aa406af3

SHA512
be6b524d67d69385a02874a2d96d4270335846bece7b528308e136428fd67af66a4216d90da4f288aeefd00a0ba5d5f3b5493824fcb352b919ab25e7ef50b81c

Download Submit
\Program Files (x86)\folder1\KMSpico.exe
Filesize
3.1MB

MD5
a02164371a50c5ff9fa2870ef6e8cfa3

SHA1
060614723f8375ecaad8b249ff07e3be082d7f25

SHA256
64c731adbe1b96cb5765203b1e215093dcf268d020b299445884a4ae62ed2d3a

SHA512
6c6903f3a3092fd3d63c373189f2c06e12de032ee4fd6b80a15f58eaeb2079f3ae8a8bcdac85a358b1f9070b192b1c8260f9aa127d009b5afce475f966e91326

Download Submit
\Program Files (x86)\folder1\Setup.exe
Filesize
2.6MB

MD5
eb2960160f8d4ba6fbda91efc9ff91bc

SHA1
80e599ff8e0e43a30a9edab0eafda30d1bc78f8a

SHA256
e1aa011c4654ad6d4e7aa8752325c3a0a6254439bd26b47bb854aaaf512d1ad6

SHA512
9849d4e692308b9ef364926db3d0848a2992e60750da2cd74bc5691ad0c1a76417a85744a9bda8a43d8064643a0e060685d809d9f199ca2751edfc80c902468f

Download Submit
\Program Files\KMSpico\AutoPico.exe
Filesize
728KB

MD5
cfe1c391464c446099a5eb33276f6d57

SHA1
9999bfcded2c953e025eabaa66b4971dab122c24

SHA256
4a714d98ce40f5f3577c306a66cb4a6b1ff3fd01047c7f4581f8558f0bcdf5fa

SHA512
4119a1722202bbc33339747ea02fd35b327890d55bb472cd1e2146ca446d8ba6fddb1e8cf8bbfaeb08aec8ed2a9d5c0fa71b73510d409ffacd3908fa72bb53b4

Download Submit
\Program Files\KMSpico\KMSELDI.exe
Filesize
921KB

MD5
f0280de3880ef581bf14f9cc72ec1c16

SHA1
43d348e164c35f9e02370f6f66186fbfb15ae2a3

SHA256
50ebfa1dd5b147e40244607d5d5be25709edf2cc66247a78beb920c77ac514cc

SHA512
ac31a972e9e93e6671f44d403139b0db89d950097c848fbaf6b9965b722215f74e9ed9bb9e083d31328101e6fcfe7f960a08b3bea0813900f11d5c1bb40539a6

Download Submit
\Program Files\KMSpico\UninsHs.exe
Filesize
29KB

MD5
245824502aefe21b01e42f61955aa7f4

SHA1
a58682a8aae6302f1c934709c5aa1f6c86b2be99

SHA256
0a265b4bb8acceafaffb001632fa7e4c3f8ac39a71eda37f253e15bc1b8db90d

SHA512
204b39e31f22ba99cf09c5c8458fc94ea21b47aacc4abd305f71ba20a35d36bfc0ff53b95180542911c9c6f259db897dee76090d953f7ee18a8079caefda7981

Download Submit
\Users\Admin\AppData\Local\Temp\is-SJN80.tmp\_isetup\_shfoldr.dll
Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-UBF8E.tmp\KMSpico.tmp
Filesize
703KB

MD5
1778c1f66ff205875a6435a33229ab3c

SHA1
5b6189159b16c6f85feed66834af3e06c0277a19

SHA256
95c06acac4fe4598840e5556f9613d43aa1039c52dac64536f59e45a70f79da6

SHA512
8844de1296ce707e3c5c71823f5118f8f2e50287ace3a2ee1ec0b69df0ec48ebcf5b755db669d2cd869d345fb06a9c07b36e98eda8c32a9b26b8fe22bdc105a0

Download Submit
memory/768-888-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/768-885-0x0000000000020000-0x0000000000037000-memory.dmp

Filesize
92KB

Download
memory/768-886-0x0000000000020000-0x0000000000037000-memory.dmp

Filesize
92KB

Download
memory/768-881-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/812-898-0x000000001B210000-0x000000001B750000-memory.dmp

Filesize
5.2MB

Download
memory/812-896-0x0000000000040000-0x000000000012A000-memory.dmp

Filesize
936KB

Download
memory/852-1025-0x00000000010F0000-0x00000000011DA000-memory.dmp

Filesize
936KB

Download
memory/852-1026-0x000000001B3B0000-0x000000001B8F0000-memory.dmp

Filesize
5.2MB

Download
memory/1348-1082-0x000000001B450000-0x000000001B990000-memory.dmp

Filesize
5.2MB

Download
memory/2148-31-0x0000000003A80000-0x000000000415E000-memory.dmp

Filesize
6.9MB

Download
memory/2148-872-0x0000000003A80000-0x00000000043A4000-memory.dmp

Filesize
9.1MB

Download
memory/2148-59-0x0000000003A80000-0x00000000043A4000-memory.dmp

Filesize
9.1MB

Download
memory/2148-9-0x0000000003A80000-0x000000000415E000-memory.dmp

Filesize
6.9MB

Download
memory/2192-1022-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2192-90-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2192-880-0x0000000001FD0000-0x0000000001FE7000-memory.dmp

Filesize
92KB

Download
memory/2192-873-0x0000000001FD0000-0x0000000001FD8000-memory.dmp

Filesize
32KB

Download
memory/2192-1002-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2592-82-0x0000000002D60000-0x0000000003684000-memory.dmp

Filesize
9.1MB

Download
memory/2592-64-0x000000013F8E0000-0x0000000140204000-memory.dmp

Filesize
9.1MB

Download
memory/2592-60-0x000000013F8E0000-0x0000000140204000-memory.dmp

Filesize
9.1MB

Download
memory/2592-894-0x0000000002D60000-0x0000000003684000-memory.dmp

Filesize
9.1MB

Download
memory/2592-65-0x000000013F8E0000-0x0000000140204000-memory.dmp

Filesize
9.1MB

Download
memory/2592-73-0x0000000000170000-0x0000000000180000-memory.dmp

Filesize
64KB

Download
memory/2592-63-0x000000013F8E0000-0x0000000140204000-memory.dmp

Filesize
9.1MB

Download
memory/2592-81-0x000000013F8E0000-0x0000000140204000-memory.dmp

Filesize
9.1MB

Download
memory/2668-972-0x0000000000C50000-0x0000000000D0A000-memory.dmp

Filesize
744KB

Download
memory/2776-34-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2776-1023-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2776-89-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2836-86-0x000000013FC40000-0x0000000140564000-memory.dmp

Filesize
9.1MB

Download
memory/2836-85-0x000000013FC40000-0x0000000140564000-memory.dmp

Filesize
9.1MB

Download
memory/2836-83-0x000000013FC40000-0x0000000140564000-memory.dmp

Filesize
9.1MB

Download
memory/2836-84-0x000000013FC40000-0x0000000140564000-memory.dmp

Filesize
9.1MB

Download
memory/2836-108-0x000000013FC40000-0x0000000140564000-memory.dmp

Filesize
9.1MB

Download
memory/2836-1127-0x000000013FC40000-0x0000000140564000-memory.dmp

Filesize
9.1MB

Download
memory/2884-88-0x0000000000320000-0x00000000009FE000-memory.dmp

Filesize
6.9MB

Download
memory/2884-56-0x0000000000320000-0x00000000009FE000-memory.dmp

Filesize
6.9MB

Download
memory/2884-57-0x0000000000320000-0x00000000009FE000-memory.dmp

Filesize
6.9MB

Download
memory/2884-62-0x0000000000320000-0x00000000009FE000-memory.dmp

Filesize
6.9MB

Download
memory/2884-38-0x0000000000320000-0x00000000009FE000-memory.dmp

Filesize
6.9MB

Download
memory/2884-61-0x0000000000320000-0x00000000009FE000-memory.dmp

Filesize
6.9MB

Download