hxxp://keygenninja[.]net

Analysis

max time kernel
840s
max time network
847s
platform
windows7_x64
resource
win7-en-20211208
submitted
26-01-2022 18:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://keygenninja.net

Score

8^/10

evasion persistence

Malware Config

Signatures

Creates new service(s) 1 TTPs
persistence

New Service
T1050
Executes dropped EXE 7 IoCs

Processes:

KMSpico_setup.exeKMSpico_setup.tmpKMSAuto Net.exebin.datAESDecoder.exebin_x64.datKMSSS.exe

pid process

2136 KMSpico_setup.exe
1660 KMSpico_setup.tmp
1756 KMSAuto Net.exe
1376 bin.dat
1640 AESDecoder.exe
1724 bin_x64.dat
2456 KMSSS.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Sets service image path in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489
Loads dropped DLL 3 IoCs

Processes:

KMSpico_setup.exeKMSpico_setup.tmp

pid process

2136 KMSpico_setup.exe
1660 KMSpico_setup.tmp
1660 KMSpico_setup.tmp
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.

pid	process
2136	KMSpico_setup.exe
1660	KMSpico_setup.tmp
1756	KMSAuto Net.exe
1376	bin.dat
1640	AESDecoder.exe
1724	bin_x64.dat
2456	KMSSS.exe

pid	process
2136	KMSpico_setup.exe
1660	KMSpico_setup.tmp
1660	KMSpico_setup.tmp

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

NETSTAT.EXE

pid process

1932 NETSTAT.EXE

pid	process
1932	NETSTAT.EXE

Modifies registry class 2 IoCs

Processes:

firefox.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache	firefox.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

2640 reg.exe
NTFS ADS 1 IoCs

Processes:

firefox.exe

description ioc process

File created C:\Users\Admin\Downloads\kmspico.zip:Zone.Identifier firefox.exe
Suspicious behavior: CmdExeWriteProcessMemorySpam 3 IoCs

Processes:

bin.datAESDecoder.exebin_x64.dat

pid process

1376 bin.dat
1640 AESDecoder.exe
1724 bin_x64.dat

pid	process
2640	reg.exe

description	ioc	process
File created	C:\Users\Admin\Downloads\kmspico.zip:Zone.Identifier	firefox.exe

pid	process
1376	bin.dat
1640	AESDecoder.exe
1724	bin_x64.dat

Suspicious use of AdjustPrivilegeToken 19 IoCs

Processes:

firefox.exeAUDIODG.EXE7zG.exe7zG.exe7zG.exeNETSTAT.EXE

description	pid	process
Token: SeDebugPrivilege	308	firefox.exe
Token: 33	2876	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2876	AUDIODG.EXE
Token: 33	2876	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2876	AUDIODG.EXE
Token: SeDebugPrivilege	308	firefox.exe
Token: SeRestorePrivilege	2752	7zG.exe
Token: 35	2752	7zG.exe
Token: SeSecurityPrivilege	2752	7zG.exe
Token: SeSecurityPrivilege	2752	7zG.exe
Token: SeRestorePrivilege	2352	7zG.exe
Token: 35	2352	7zG.exe
Token: SeSecurityPrivilege	2352	7zG.exe
Token: SeSecurityPrivilege	2352	7zG.exe
Token: SeRestorePrivilege	2144	7zG.exe
Token: 35	2144	7zG.exe
Token: SeSecurityPrivilege	2144	7zG.exe
Token: SeSecurityPrivilege	2144	7zG.exe
Token: SeDebugPrivilege	1932	NETSTAT.EXE

Suspicious use of FindShellTrayWindow 7 IoCs

Processes:

firefox.exe7zG.exe7zG.exe7zG.exe

pid process

308 firefox.exe
308 firefox.exe
308 firefox.exe
308 firefox.exe
2752 7zG.exe
2352 7zG.exe
2144 7zG.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

firefox.exe

pid process

308 firefox.exe
308 firefox.exe
308 firefox.exe

Suspicious use of SetWindowsHookEx 33 IoCs

Processes:

firefox.exe

pid	process
308	firefox.exe
308	firefox.exe
308	firefox.exe
308	firefox.exe
308	firefox.exe
308	firefox.exe
308	firefox.exe
308	firefox.exe
308	firefox.exe
308	firefox.exe
308	firefox.exe
308	firefox.exe
308	firefox.exe
308	firefox.exe
308	firefox.exe
308	firefox.exe
308	firefox.exe
308	firefox.exe
308	firefox.exe
308	firefox.exe
308	firefox.exe
308	firefox.exe
308	firefox.exe
308	firefox.exe
308	firefox.exe
308	firefox.exe
308	firefox.exe
308	firefox.exe
308	firefox.exe
308	firefox.exe
308	firefox.exe
308	firefox.exe
308	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

firefox.exefirefox.exe

description	pid	process	target process
PID 840 wrote to memory of 308	840	firefox.exe	firefox.exe
PID 840 wrote to memory of 308	840	firefox.exe	firefox.exe
PID 840 wrote to memory of 308	840	firefox.exe	firefox.exe
PID 840 wrote to memory of 308	840	firefox.exe	firefox.exe
PID 840 wrote to memory of 308	840	firefox.exe	firefox.exe
PID 840 wrote to memory of 308	840	firefox.exe	firefox.exe
PID 840 wrote to memory of 308	840	firefox.exe	firefox.exe
PID 840 wrote to memory of 308	840	firefox.exe	firefox.exe
PID 840 wrote to memory of 308	840	firefox.exe	firefox.exe
PID 840 wrote to memory of 308	840	firefox.exe	firefox.exe
PID 308 wrote to memory of 364	308	firefox.exe	firefox.exe
PID 308 wrote to memory of 364	308	firefox.exe	firefox.exe
PID 308 wrote to memory of 364	308	firefox.exe	firefox.exe
PID 308 wrote to memory of 1492	308	firefox.exe	firefox.exe
PID 308 wrote to memory of 1492	308	firefox.exe	firefox.exe
PID 308 wrote to memory of 1492	308	firefox.exe	firefox.exe
PID 308 wrote to memory of 1492	308	firefox.exe	firefox.exe
PID 308 wrote to memory of 1492	308	firefox.exe	firefox.exe
PID 308 wrote to memory of 1492	308	firefox.exe	firefox.exe
PID 308 wrote to memory of 1492	308	firefox.exe	firefox.exe
PID 308 wrote to memory of 1492	308	firefox.exe	firefox.exe
PID 308 wrote to memory of 1492	308	firefox.exe	firefox.exe
PID 308 wrote to memory of 1492	308	firefox.exe	firefox.exe
PID 308 wrote to memory of 1492	308	firefox.exe	firefox.exe
PID 308 wrote to memory of 1492	308	firefox.exe	firefox.exe
PID 308 wrote to memory of 1492	308	firefox.exe	firefox.exe
PID 308 wrote to memory of 1492	308	firefox.exe	firefox.exe
PID 308 wrote to memory of 1492	308	firefox.exe	firefox.exe
PID 308 wrote to memory of 1492	308	firefox.exe	firefox.exe
PID 308 wrote to memory of 1492	308	firefox.exe	firefox.exe
PID 308 wrote to memory of 1492	308	firefox.exe	firefox.exe
PID 308 wrote to memory of 1492	308	firefox.exe	firefox.exe
PID 308 wrote to memory of 1492	308	firefox.exe	firefox.exe
PID 308 wrote to memory of 1492	308	firefox.exe	firefox.exe
PID 308 wrote to memory of 1492	308	firefox.exe	firefox.exe
PID 308 wrote to memory of 1492	308	firefox.exe	firefox.exe
PID 308 wrote to memory of 1492	308	firefox.exe	firefox.exe
PID 308 wrote to memory of 1492	308	firefox.exe	firefox.exe
PID 308 wrote to memory of 1492	308	firefox.exe	firefox.exe
PID 308 wrote to memory of 1492	308	firefox.exe	firefox.exe
PID 308 wrote to memory of 1492	308	firefox.exe	firefox.exe
PID 308 wrote to memory of 1492	308	firefox.exe	firefox.exe
PID 308 wrote to memory of 1492	308	firefox.exe	firefox.exe
PID 308 wrote to memory of 1492	308	firefox.exe	firefox.exe
PID 308 wrote to memory of 1492	308	firefox.exe	firefox.exe
PID 308 wrote to memory of 1492	308	firefox.exe	firefox.exe
PID 308 wrote to memory of 1492	308	firefox.exe	firefox.exe
PID 308 wrote to memory of 1492	308	firefox.exe	firefox.exe
PID 308 wrote to memory of 1492	308	firefox.exe	firefox.exe
PID 308 wrote to memory of 1492	308	firefox.exe	firefox.exe
PID 308 wrote to memory of 1492	308	firefox.exe	firefox.exe
PID 308 wrote to memory of 1492	308	firefox.exe	firefox.exe
PID 308 wrote to memory of 1492	308	firefox.exe	firefox.exe
PID 308 wrote to memory of 1492	308	firefox.exe	firefox.exe
PID 308 wrote to memory of 1492	308	firefox.exe	firefox.exe
PID 308 wrote to memory of 1492	308	firefox.exe	firefox.exe
PID 308 wrote to memory of 1492	308	firefox.exe	firefox.exe
PID 308 wrote to memory of 1740	308	firefox.exe	firefox.exe
PID 308 wrote to memory of 1740	308	firefox.exe	firefox.exe
PID 308 wrote to memory of 1740	308	firefox.exe	firefox.exe
PID 308 wrote to memory of 1740	308	firefox.exe	firefox.exe
PID 308 wrote to memory of 1740	308	firefox.exe	firefox.exe
PID 308 wrote to memory of 1740	308	firefox.exe	firefox.exe
PID 308 wrote to memory of 1740	308	firefox.exe	firefox.exe

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" http://keygenninja.net
1⤵
- Suspicious use of WriteProcessMemory
PID:840

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" http://keygenninja.net
2⤵
- Checks processor information in registry
- Modifies registry class
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:308

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="308.0.822689118\1966570420" -parentBuildID 20200403170909 -prefsHandle 1180 -prefMapHandle 1172 -prefsLen 1 -prefMapSize 219799 -appdir "C:\Program Files\Mozilla Firefox\browser" - 308 "\\.\pipe\gecko-crash-server-pipe.308" 1280 gpu
3⤵
PID:364

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="308.3.1222573183\813548288" -childID 1 -isForBrowser -prefsHandle 1808 -prefMapHandle 1804 -prefsLen 156 -prefMapSize 219799 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 308 "\\.\pipe\gecko-crash-server-pipe.308" 1648 tab
3⤵
PID:1492

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="308.13.2109433713\926855469" -childID 2 -isForBrowser -prefsHandle 2560 -prefMapHandle 2556 -prefsLen 7013 -prefMapSize 219799 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 308 "\\.\pipe\gecko-crash-server-pipe.308" 2576 tab
3⤵
PID:1740

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="308.20.1071875879\190878888" -childID 3 -isForBrowser -prefsHandle 3132 -prefMapHandle 3152 -prefsLen 7875 -prefMapSize 219799 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 308 "\\.\pipe\gecko-crash-server-pipe.308" 3416 tab
3⤵
PID:2092

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="308.27.347763080\1106597963" -childID 4 -isForBrowser -prefsHandle 1752 -prefMapHandle 1568 -prefsLen 8409 -prefMapSize 219799 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 308 "\\.\pipe\gecko-crash-server-pipe.308" 1092 tab
3⤵
PID:2380

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="308.34.1758617903\514560405" -childID 5 -isForBrowser -prefsHandle 7440 -prefMapHandle 7548 -prefsLen 8504 -prefMapSize 219799 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 308 "\\.\pipe\gecko-crash-server-pipe.308" 7516 tab
3⤵
PID:2592

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="308.41.1449774691\1632075558" -childID 6 -isForBrowser -prefsHandle 7252 -prefMapHandle 7248 -prefsLen 8571 -prefMapSize 219799 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 308 "\\.\pipe\gecko-crash-server-pipe.308" 7288 tab
3⤵
PID:2724

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="308.48.279558827\645288359" -childID 7 -isForBrowser -prefsHandle 7164 -prefMapHandle 7152 -prefsLen 10106 -prefMapSize 219799 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 308 "\\.\pipe\gecko-crash-server-pipe.308" 7172 tab
3⤵
PID:2416

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="308.55.1055446466\1537564088" -childID 8 -isForBrowser -prefsHandle 7008 -prefMapHandle 2336 -prefsLen 11171 -prefMapSize 219799 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 308 "\\.\pipe\gecko-crash-server-pipe.308" 7052 tab
3⤵
PID:2128

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="308.62.955202421\835879923" -childID 9 -isForBrowser -prefsHandle 6444 -prefMapHandle 6600 -prefsLen 11845 -prefMapSize 219799 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 308 "\\.\pipe\gecko-crash-server-pipe.308" 6456 tab
3⤵
PID:2088

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="308.69.1469650015\1556999625" -childID 10 -isForBrowser -prefsHandle 6852 -prefMapHandle 7096 -prefsLen 11854 -prefMapSize 219799 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 308 "\\.\pipe\gecko-crash-server-pipe.308" 3712 tab
3⤵
PID:1992

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x500
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2876

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\kmspico\" -spe -an -ai#7zMap20235:76:7zEvent14476
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2752

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\kmspico\KMSpico_setup\" -spe -an -ai#7zMap19002:104:7zEvent2812
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2352

C:\Users\Admin\Downloads\kmspico\KMSpico_setup.exe
"C:\Users\Admin\Downloads\kmspico\KMSpico_setup.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2136

C:\Users\Admin\AppData\Local\Temp\is-O5O58.tmp\KMSpico_setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-O5O58.tmp\KMSpico_setup.tmp" /SL5="$A0120,2869954,69120,C:\Users\Admin\Downloads\kmspico\KMSpico_setup.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1660

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\kmspico\KMSAuto Net\" -spe -an -ai#7zMap15554:100:7zEvent31037
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2144

C:\Users\Admin\Downloads\kmspico\KMSAuto Net.exe
"C:\Users\Admin\Downloads\kmspico\KMSAuto Net.exe"
1⤵
- Executes dropped EXE
PID:1756

C:\Windows\SysWOW64\cmd.exe
cmd /c md "C:\Users\Admin\AppData\Local\MSfree Inc"
2⤵
PID:704

C:\Windows\SysWOW64\cmd.exe
cmd /c echo test>>"C:\Users\Admin\Downloads\kmspico\test.test"
2⤵
PID:2164

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c del /F /Q "test.test"
2⤵
PID:2212

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c md "C:\ProgramData\KMSAuto"
2⤵
PID:2552

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c bin.dat -y -pkmsauto
2⤵
PID:2480

C:\ProgramData\KMSAuto\bin.dat
bin.dat -y -pkmsauto
3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1376

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c del /F /Q "bin.dat"
2⤵
PID:1944

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c AESDecoder.exe
2⤵
PID:1948

C:\ProgramData\KMSAuto\bin\AESDecoder.exe
AESDecoder.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1640

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c del /F /Q "AESDecoder.exe"
2⤵
PID:2192

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c bin_x64.dat -y -pkmsauto
2⤵
PID:392

C:\ProgramData\KMSAuto\bin_x64.dat
bin_x64.dat -y -pkmsauto
3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1724

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c del /F /Q "bin_x64.dat"
2⤵
PID:2368

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c for /f "tokens=5 delims=, " %i in ('netstat -ano ^| find ":1688 "') do taskkill /pid %i /f
2⤵
PID:2200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c netstat -ano | find ":1688 "
3⤵
PID:364

C:\Windows\system32\NETSTAT.EXE
netstat -ano
4⤵
- Gathers network information
- Suspicious use of AdjustPrivilegeToken
PID:1932

C:\Windows\system32\find.exe
find ":1688 "
4⤵
PID:1992

C:\Windows\system32\Netsh.exe
C:\Windows\Sysnative\Netsh Advfirewall Firewall delete rule name="0pen Port KMS" protocol=TCP
2⤵
PID:2060

C:\Windows\system32\Netsh.exe
C:\Windows\Sysnative\Netsh Advfirewall Firewall add rule name="0pen Port KMS" dir=in action=allow protocol=TCP localport=1688
2⤵
PID:1096

C:\Windows\SysWOW64\sc.exe
"sc.exe" create KMSEmulator binpath= temp.exe type= own start= auto
2⤵
PID:2844

C:\Windows\SysWOW64\sc.exe
"sc.exe" start KMSEmulator
2⤵
PID:2948

C:\Windows\system32\reg.exe
C:\Windows\Sysnative\reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55C92734-D682-4D71-983E-D6EC3F16059F" /f
2⤵
PID:2664

C:\Windows\system32\reg.exe
C:\Windows\Sysnative\reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0FF1CE15-A989-479D-AF46-F275C6370663" /f
2⤵
PID:3064

C:\Windows\system32\reg.exe
C:\Windows\Sysnative\reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\59A52881-A989-479D-AF46-F275C6370663" /f
2⤵
PID:1852

C:\Windows\system32\reg.exe
C:\Windows\Sysnative\reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\0FF1CE15-A989-479D-AF46-F275C6370663" /f
2⤵
PID:2604

C:\Windows\system32\reg.exe
C:\Windows\Sysnative\reg delete "HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f" /f
2⤵
PID:2740

C:\Windows\system32\reg.exe
C:\Windows\Sysnative\reg delete "HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663" /f
2⤵
PID:1652

C:\Windows\SysWOW64\sc.exe
"sc.exe" stop KMSEmulator
2⤵
PID:2424

C:\Windows\SysWOW64\sc.exe
"sc.exe" delete KMSEmulator
2⤵
PID:2816

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c reg.exe DELETE HKLM\SYSTEM\CurrentControlSet\Services\KMSEmulator /f
2⤵
PID:2700

C:\Windows\system32\reg.exe
reg.exe DELETE HKLM\SYSTEM\CurrentControlSet\Services\KMSEmulator /f
3⤵
- Modifies registry key
PID:2640

C:\Windows\system32\Netsh.exe
C:\Windows\Sysnative\Netsh Advfirewall Firewall delete rule name="0pen Port KMS" protocol=TCP
2⤵
PID:2848

C:\Windows\system32\cmd.exe
"C:\Windows\Sysnative\cmd.exe" /c rd "C:\ProgramData\KMSAuto" /S /Q
2⤵
PID:1200

C:\Windows\system32\cmd.exe
"C:\Windows\Sysnative\cmd.exe" /c rd "C:\ProgramData\KMSAuto" /S /Q
2⤵
PID:1836

C:\Windows\system32\cmd.exe
"C:\Windows\Sysnative\cmd.exe" /c rd "C:\ProgramData\KMSAuto" /S /Q
2⤵
PID:1176

C:\Windows\system32\cmd.exe
"C:\Windows\Sysnative\cmd.exe" /c rd "C:\ProgramData\KMSAuto" /S /Q
2⤵
PID:2116

C:\Windows\system32\cmd.exe
"C:\Windows\Sysnative\cmd.exe" /c rd "C:\ProgramData\KMSAuto" /S /Q
2⤵
PID:2228

C:\Windows\system32\cmd.exe
"C:\Windows\Sysnative\cmd.exe" /c rd "C:\ProgramData\KMSAuto" /S /Q
2⤵
PID:2204

C:\Windows\system32\Netsh.exe
C:\Windows\Sysnative\Netsh Advfirewall Firewall delete rule name="0pen Port KMS" protocol=TCP
2⤵
PID:2940

C:\Windows\system32\cmd.exe
"C:\Windows\Sysnative\cmd.exe" /c rd "C:\ProgramData\KMSAuto" /S /Q
2⤵
PID:2764

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd /c schtasks.exe /end /TN KMSAutoNet
2⤵
PID:2284

C:\Windows\system32\schtasks.exe
schtasks.exe /end /TN KMSAutoNet
3⤵
PID:1648

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd /c schtasks.exe /delete /TN KMSAutoNet /F
2⤵
PID:2576

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /TN KMSAutoNet /F
3⤵
PID:1348

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c del /F /Q "kmsauto.ini"
2⤵
PID:1212

C:\ProgramData\KMSAuto\bin\KMSSS.exe
"C:\ProgramData\KMSAuto\bin\KMSSS.exe" -Port 1688 -PWin RandomKMSPID -PO14 RandomKMSPID -PO15 RandomKMSPID -PO16 RandomKMSPID -AI 43200 -RI 43200 -Log -IP
1⤵
- Executes dropped EXE
PID:2456

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\system32\slmgr.vbs" -dlv
1⤵
PID:2636

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

New Service

T1050

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

New Service

T1050

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\KMSAuto\KMSAUT~1.EXE
MD5
2fb86be791b4bb4389e55df0fec04eb7

SHA1
375dc8189059602f9eb571b473d723fad3ad3d8c

SHA256
b8aec57f7e9c193fcd9796cf22997605624b8b5f9bf5f0c6190e1090d426ee31

SHA512
3230ab05eb876879aefc5e15bb726292640c1ddf476e4108f5c8eed2f373cb852964163ccb006e3d22bc1dc2f97ac2db391af9b289f21a7b099df4c4dd94ee38

Download Submit
C:\ProgramData\KMSAuto\bin.dat
MD5
2a96e417738225fa806a6ef275443bc8

SHA1
3cb5cb736878623e490c9e53ca1c696e9ab49639

SHA256
839d31305d8fa842c832e8ec0f61d6bc575734449eb774b7c8dd79669594e25b

SHA512
cf32c908069970bd02aa87cefcfcb6aebc24843a15181a5a4d4c007aeba9aa822179f446d4902e2b1bd13e8fff35e678658455c53f4a467aa8dc11e3fcc64e80

Download Submit
C:\ProgramData\KMSAuto\bin.dat
MD5
2a96e417738225fa806a6ef275443bc8

SHA1
3cb5cb736878623e490c9e53ca1c696e9ab49639

SHA256
839d31305d8fa842c832e8ec0f61d6bc575734449eb774b7c8dd79669594e25b

SHA512
cf32c908069970bd02aa87cefcfcb6aebc24843a15181a5a4d4c007aeba9aa822179f446d4902e2b1bd13e8fff35e678658455c53f4a467aa8dc11e3fcc64e80

Download Submit
C:\ProgramData\KMSAuto\bin\AESDecoder.exe
MD5
b90ed3e4dbb23a464723706f12c86065

SHA1
96aa9e1d2f2e51aaf094a268df19163cb94f623a

SHA256
8391d5b724d235ba52531d9a6d85e466382ce15cbd6ba97c4ad1278ed1f03bd7

SHA512
92e0f414f1eca28788c885cb193e6baccf37641bcdc120f4db5a80849a61c6bd861987631753a0a93149c669d5814d7b7a79f1cd5087480fbb31465be53bb992

Download Submit
C:\ProgramData\KMSAuto\bin\AESDecoder.exe
MD5
b90ed3e4dbb23a464723706f12c86065

SHA1
96aa9e1d2f2e51aaf094a268df19163cb94f623a

SHA256
8391d5b724d235ba52531d9a6d85e466382ce15cbd6ba97c4ad1278ed1f03bd7

SHA512
92e0f414f1eca28788c885cb193e6baccf37641bcdc120f4db5a80849a61c6bd861987631753a0a93149c669d5814d7b7a79f1cd5087480fbb31465be53bb992

Download Submit
C:\ProgramData\KMSAuto\bin\KMSSS.exe
MD5
add80e5d9fad482705c3807bacfe1993

SHA1
c41c16d39994a4a8d7d0aeab64afd00ae634d013

SHA256
bb3830b14df80838fb201c611abf0c1f3714c6b8b103ed084eafc170036631be

SHA512
3f0cc9cbe1b518728eb09c6db8259e0768ac7d67d39d9055125e62ca8a76c00a0a613c7013698826d0b0e436d2dbc7d0f3ea9a993e0427cfd9a0ad8ffb836e53

Download Submit
C:\ProgramData\KMSAuto\bin\KMSSS.exe
MD5
add80e5d9fad482705c3807bacfe1993

SHA1
c41c16d39994a4a8d7d0aeab64afd00ae634d013

SHA256
bb3830b14df80838fb201c611abf0c1f3714c6b8b103ed084eafc170036631be

SHA512
3f0cc9cbe1b518728eb09c6db8259e0768ac7d67d39d9055125e62ca8a76c00a0a613c7013698826d0b0e436d2dbc7d0f3ea9a993e0427cfd9a0ad8ffb836e53

Download Submit
C:\ProgramData\KMSAuto\bin\KMSSS.exe.aes
MD5
9192d6947f2a3abf00084deda48a2c6f

SHA1
0da74fc0329bba4f951e0df2923bf2ab303044ce

SHA256
ded5e9e73b2ba3bd188c98a58335c65fe149d2082b88c3d91516ed25e5a379ee

SHA512
3e7ff017cd67820752c1adf2a3910c5187de4d0e3ab6ac8e2e1399bfa7e7499b88664aee6b62f49890e172ef44e18219b7a021ec3537ee71baa94f7021c7e2c8

Download Submit
C:\ProgramData\KMSAuto\bin\KMSSS.log
MD5
cc137e754471f2b1bd4afd75db99b66d

SHA1
eabb4484b129b7a494af37c146a9e21e179b14cf

SHA256
c568a2d3c46a320aae13f276f17e0ce65617847661a52e375fb2b9e2a856cdbe

SHA512
08edd477be7affba3fc7e84d538039dcf3e0ed6366f3d504237033979478a89c57c1d594f9b53361049c20e0e755f42e6e3948c1edbdc3e4ac0f7a44a0927073

Download Submit
C:\ProgramData\KMSAuto\bin\TUNMIR~1.EXE
MD5
fb5f055633e4f7890004972e108a07cd

SHA1
b5ab55db9d323c00541e61412a55f3e4bdbeb61d

SHA256
02145c3f60e704df17919cd26cb79bd31a12b98d66b0b7fd1cf7ea894ad1f871

SHA512
ea2bd32f7db116f0224d2f7055414601c066e0369ce04cbaf7f1aa2ee780b257d6cff1a78953cd623885d9ceda6f8bc6c65c4d8436a62dd0320a8e49597f92fb

Download Submit
C:\ProgramData\KMSAuto\bin\TUNMIR~2.EXE
MD5
3b33e3ab6e91806df4cae19405ab8846

SHA1
766747faf6a370270909891912ed2c5b2e6b2881

SHA256
d9cd47831faba4053225dac181709fd7ab9d066c3de6f541968fffeeee4a9bf9

SHA512
5e2b0c2a32ed522d1dec9bf1ea986d993868a97df1802ecd12877434a74f10c45dd370abcddd405083ac0c427a383e195a1fade34a95a80fcddb29e03d4a516f

Download Submit
C:\ProgramData\KMSAuto\bin\TunMirror.exe.aes
MD5
6d6e295744d3750355227efd55824be1

SHA1
bd589d54c2578403bd9b58050ff33961a3fd9781

SHA256
f67f0232100f7cc7e469dc14079edf7d72ec25e48ca3b5ac9b40ed025f1ba0ef

SHA512
3cc436491433375fd23f2c204981d6489a412e5a62f7b92409080672a531019260366aca8df43b45d4d3dc538f76d883053ba8c4c9146bb4371305f2a27d9e7b

Download Submit
C:\ProgramData\KMSAuto\bin\TunMirror2.exe.aes
MD5
a1a5afa53b578db6abf400a88548f487

SHA1
b73ae3c93a43074afe54e611bad938da98eee385

SHA256
a9e76d637e0c0a65036d7f2d5c3d7b1c53218b94716554f4d9f6630dcff8c75a

SHA512
c9cff93b807d0db06d8a67e4e1b2e934f84a509a5f9af4bd0f4ad84eaec6874412c0c094c034d8637cacd3219bb7c82723a25f35907cba5024293e46991d4e2c

Download Submit
C:\ProgramData\KMSAuto\bin\driver\oas_sert.cer
MD5
0041584e5f66762b1fa9be8910d0b92b

SHA1
8788377c653a5b79ef04c05c15d3ca52d6253469

SHA256
bb27684b569cbb72dec63ea6fdef8e5f410cdaeb73717eee1b36478dbcff94cc

SHA512
fc32985bd3b626a1baa5353595a25d85339bc8aeb8f8d9fdd881e514d7f4cdd90fe5de273f702c9f673cd625a7e90cd3979d695d4daabe72fa952c8318f64b71

Download Submit
C:\ProgramData\KMSAuto\bin\driver\tap0901.cer
MD5
3d5ffd53be77c32cbb147f32423c0a86

SHA1
ec4f1d31686625ecc004993cd0e89a4136dd3344

SHA256
669c56db590c0308ea25c4508375bb88611b06b1ae689a895dc6b19f4df5619c

SHA512
bc2a1bf2dd5d4b135b7cc2b5d8cc24f1a6b6fed7fcfa092e5cfc5965dd368da86b24550338f925a36c458e154c3c4694d369d06cbc5e72e40983b760a39ee2d7

Download Submit
C:\ProgramData\KMSAuto\bin\driver\x64TAP1\OemVista.inf
MD5
864625122184689b4854483b51bd4c09

SHA1
2f041412e1e24d2398af1a6c934979d7d8c2bebe

SHA256
4a4cc81dd6655906e817ebaede1692871a79b7000a5f9188b30082c06c71894b

SHA512
6f43d345a7351a89d0888c8a33c75b299d34a53f4d579579fb820fc792274e880a8a475811026ae801540b265ec42fe80b8408e74a02f70b02b97737fb085381

Download Submit
C:\ProgramData\KMSAuto\bin\driver\x64TAP1\devcon.exe
MD5
3904d0698962e09da946046020cbcb17

SHA1
edae098e7e8452ca6c125cf6362dda3f4d78f0ae

SHA256
a51e25acc489948b31b1384e1dc29518d19b421d6bc0ced90587128899275289

SHA512
c24ab680981d8d6db042b52b7b5c5e92078df83650cad798874fc09ce8c8a25462e1b69340083f4bcad20d67068668abcfa8097e549cfa5ad4f1ee6a235d6eea

Download Submit
C:\ProgramData\KMSAuto\bin\driver\x64TAP1\ptun0901.cat
MD5
28b3a205c15d9d722319d270b3500bd0

SHA1
d5740e1b21b121914e379bba4105f8f520cc67b1

SHA256
438b3cdb66a5e1ce7b659744b81a570eb7cb0c8b403738a17dd2629625b0c765

SHA512
2e172aab51badc0331fbd8b96e58077e3dc3134ea8f125dc6e61679d2eda428c767f961ca241618eeddd02daa107be66f305799f732075463143124a2347bdf3

Download Submit
C:\ProgramData\KMSAuto\bin\driver\x64TAP1\ptun0901.sys
MD5
d8eb393983b644879de0546122cc16df

SHA1
f179bbf33dad96131b823f07a0ec44856fd52534

SHA256
4a11ddfb016b560e770660183af1ada4831d97daeaf560e60259f81f2727cbfc

SHA512
09cd4fcf28fc55d9712d17fd633827781bfdce372602042cc6c76d7845e2120149180fb7719e4b923b1e45368da789d10015b6954c3d2e77be185845f9b4d661

Download Submit
C:\ProgramData\KMSAuto\bin\driver\x64TAP2\devcon.exe
MD5
7f0c8f7b6f6d22ecd83013f2f26a71ae

SHA1
dbda3a84c97777a5b47f87868aea2a7cd4c6739b

SHA256
a4e561f666c08353c2226e8e264555c406893b0ad1b74fd05f4f29655e128809

SHA512
e9dea69961b1bb8ab41067870db9b0c661a42ecba633429d6ea6aaa19a10c60cbcd4acbf9e5e1545c86f1d836696eac5b5a445baae2499418c2eef76d1de6d5a

Download Submit
C:\ProgramData\KMSAuto\bin\driver\x64TAP2\tapoas.cat
MD5
8dc91f1bf59f58554dc195c9ffcb59ec

SHA1
7f73c23c96d4a326a07c5a1bf81b3ea98c6ab87f

SHA256
0b42f01e4c8732d246260b6ba76a5e096e1da3047898dff6fb71eede68951c87

SHA512
4b207802936d443f25b42e27030c28687f3a3d63bb8202a16dc5c74446f9ebdcdce3f753a4bfe5d62715ffc82063d0f187b1d27696743f890f30b8333630a8bf

Download Submit
C:\ProgramData\KMSAuto\bin\driver\x64TAP2\tapoas.inf
MD5
61243cb103543ee3163bf16df69bcb54

SHA1
4ffbe472cc93ff8a827a12e63ff79fc48c684402

SHA256
1652b1de2f15eeacbd06e0ab14ada5a466316ffd3ab88d4a2a46cfcbd25fdfa1

SHA512
419aa9fd6d3df2785353fe2efcffb5525d161d9b07e0284857065d6461fcc9e9932d7cca9b20a0ec46c8bebff9aa0d8e9d1a29face8cecff23c15e57fc7f430e

Download Submit
C:\ProgramData\KMSAuto\bin\driver\x64TAP2\tapoas.sys
MD5
927d0cdb3f96efc1e98fb1a2c9fb67ad

SHA1
9bbb2d28f2f9736d59b94ea260abd4ded7d7b5be

SHA256
58f14daa0ea21ea2f2a1d3d62c88bd8e5a0e0ef498b7b8d367beeade6a46843c

SHA512
a3f977390e251cefbb9bad7e338cba23b8129907475d559bda187985aa552afbd2b14db1ee4e288e7ecb5fb9a23547bf4bbacf38049cd05152e635fd0d36af97

Download Submit
C:\ProgramData\KMSAuto\bin\driver\x64WDV\FAKECL~1.EXE
MD5
b85f4ce841f3ae1ebdf76835d2eadbef

SHA1
65c215dd7b7a3e8cb76003c252e13fa1e8e50c7c

SHA256
ce28748f6ae7b54ab35fc31d825e80a26e143737cf4748fff523781e04c1ee79

SHA512
c86326cf84b8ae8e72a5d49940a95a525db6f97ca859f15d90f6db9bc11b45a0c326bfe387c243c05f3578528ad2b2bfeea1db2950b331c71fac959fafab3d4f

Download Submit
C:\ProgramData\KMSAuto\bin\driver\x64WDV\WDFCOI~1.DLL
MD5
be566e174eaf5b93b0474593cd8f2715

SHA1
350ca8482be913dd9ca7a279fb5680a884402e26

SHA256
cee8496bfa1080fd84fc48ba4375625238900fe93ea739b2dc0300206fde8330

SHA512
fc608acd903daf17250b8ee0f2491458cf06eca9856988fce6b8134f8deb2a3716c3641977d24e3614c9abf344184225bffeeb25212d374988115b15d0ce4b5b

Download Submit
C:\ProgramData\KMSAuto\bin\driver\x64WDV\WINDIV~1.DLL
MD5
3f0c03e5076c7e6b404f894ff4dc5bb1

SHA1
9cf99c875e6acd4b12e0eddd5fa51d296ea4998e

SHA256
4e7ebed8410c83b73a23185aa94680143da2933305cd6deefe8ec0b51b7ee6f3

SHA512
20de17d511cc1b3f283a28423f5bdfaef36f104d62c33a1da6449c528d1d8e4986afe8ef68e590add9262c3c7441132022a049022d14deba08a8c72e139f78f4

Download Submit
C:\ProgramData\KMSAuto\bin\driver\x64WDV\WINDIV~1.INF
MD5
a94d989905a248afca52bc3cbfcb248b

SHA1
cbb7b37584a58060da6a3dd748f17334384647e7

SHA256
6c9f7dea4f9a47788d5d2ba110b08457fd00dbabe4812ebca6f022300843a75d

SHA512
864eae03a01ac79917e91913fa7d83847f67f259ce8b5b42853c7ffd9a1f6847b9a4adec4d31a6ec882265fd369214bdbd147c6dc76b89bdf1bb2001046ec43f

Download Submit
C:\ProgramData\KMSAuto\bin\driver\x64WDV\WINDIV~1.SYS
MD5
a0d15d8727d0780c51628df46b7268b3

SHA1
c85f24ef961db67c829a676a941cbead24c62b21

SHA256
5e23f3ed1d6620c39a644f9879404a22ded86b3b076ec4a898b4b6be244afd64

SHA512
a7a6173bc2652d7b45fdc3009d00be9f7d3a9f42ad99cd569bfa2d23902f77866dd3b090f6debb11c802fc85b2230d5321309b0bf50d1dd8665ca8ab19c78361

Download Submit
C:\ProgramData\KMSAuto\bin_x64.dat
MD5
200a90e767924a342c25662487d8c215

SHA1
aa48cbcdea041799f0153cbdc7726eeec1db9906

SHA256
184b7a8be9204f9fefa3666cd3ccaf01bab26fdbc0e2a87320acf84792fdfa84

SHA512
e2735cea38138db29f6666b00862911623ef0d3b0069322b890dea1b66c039da7f4f905010aa4d2c4c8663df4b36f788bc3cdbed228b54406cf4db379609a063

Download Submit
C:\ProgramData\KMSAuto\bin_x64.dat
MD5
200a90e767924a342c25662487d8c215

SHA1
aa48cbcdea041799f0153cbdc7726eeec1db9906

SHA256
184b7a8be9204f9fefa3666cd3ccaf01bab26fdbc0e2a87320acf84792fdfa84

SHA512
e2735cea38138db29f6666b00862911623ef0d3b0069322b890dea1b66c039da7f4f905010aa4d2c4c8663df4b36f788bc3cdbed228b54406cf4db379609a063

Download Submit
C:\Users\Admin\AppData\Local\MSfree Inc\kmsauto.ini
MD5
af6a20fd7dfadcd582ccf2b1bfaaf82b

SHA1
056b1de541d17a522f2595d107a2cb3aaa71a570

SHA256
0bee97833a70aa9ba271e93226dace849836c64919fbfe15543d694e219d4af2

SHA512
66510aa69c7f8d6ed34903e588949bdd2c74dc55d9c1192a7f335757a942b5b52ff2409114cef1e588f2e05d9c7e0b88bef396e51d57b704f9803b3acff76980

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-O5O58.tmp\KMSpico_setup.tmp
MD5
1778c1f66ff205875a6435a33229ab3c

SHA1
5b6189159b16c6f85feed66834af3e06c0277a19

SHA256
95c06acac4fe4598840e5556f9613d43aa1039c52dac64536f59e45a70f79da6

SHA512
8844de1296ce707e3c5c71823f5118f8f2e50287ace3a2ee1ec0b69df0ec48ebcf5b755db669d2cd869d345fb06a9c07b36e98eda8c32a9b26b8fe22bdc105a0

Download Submit
C:\Users\Admin\Downloads\kmspico.zip
MD5
60f10babded9030a8746dfe2741a75a0

SHA1
c047713ad80cd242062f5ca3c14b8f0133621e7e

SHA256
0c2fc39c8bbaca993a49c1088cc4e8a88b7a0eaa3ff020be69e02f624b26ad54

SHA512
20e11ce33c213b78828bab93fc0c6a6e7fbe3684472cd1a42d7ab954c38e8ea3971f1d0cc82bb9e4a14a0e5d13d681993b9c6e06317915db41b4d2b14a26c363

Download Submit
C:\Users\Admin\Downloads\kmspico\KMSAuto Net.exe
MD5
2fb86be791b4bb4389e55df0fec04eb7

SHA1
375dc8189059602f9eb571b473d723fad3ad3d8c

SHA256
b8aec57f7e9c193fcd9796cf22997605624b8b5f9bf5f0c6190e1090d426ee31

SHA512
3230ab05eb876879aefc5e15bb726292640c1ddf476e4108f5c8eed2f373cb852964163ccb006e3d22bc1dc2f97ac2db391af9b289f21a7b099df4c4dd94ee38

Download Submit
C:\Users\Admin\Downloads\kmspico\KMSAuto Net.exe
MD5
2fb86be791b4bb4389e55df0fec04eb7

SHA1
375dc8189059602f9eb571b473d723fad3ad3d8c

SHA256
b8aec57f7e9c193fcd9796cf22997605624b8b5f9bf5f0c6190e1090d426ee31

SHA512
3230ab05eb876879aefc5e15bb726292640c1ddf476e4108f5c8eed2f373cb852964163ccb006e3d22bc1dc2f97ac2db391af9b289f21a7b099df4c4dd94ee38

Download Submit
C:\Users\Admin\Downloads\kmspico\KMSpico_setup.exe
MD5
fb7569d1c2c1fa36a97fdc732f51a637

SHA1
791be97580fd001a065e7af87d5428dfaa071341

SHA256
0be6bfda2deeb7607c9da6e00b5d4849bece939d6a0c75f822596d6d4436acb0

SHA512
0ba40c32abab362846b04006ac4032d80884e524bfa6aa45fa091620b2a7ca3a06ad11186e3d22a009c347809cf1301b41e7f06fe891a88aa38d9f928308a92c

Download Submit
C:\Users\Admin\Downloads\kmspico\KMSpico_setup.exe
MD5
fb7569d1c2c1fa36a97fdc732f51a637

SHA1
791be97580fd001a065e7af87d5428dfaa071341

SHA256
0be6bfda2deeb7607c9da6e00b5d4849bece939d6a0c75f822596d6d4436acb0

SHA512
0ba40c32abab362846b04006ac4032d80884e524bfa6aa45fa091620b2a7ca3a06ad11186e3d22a009c347809cf1301b41e7f06fe891a88aa38d9f928308a92c

Download Submit
C:\Users\Admin\Downloads\kmspico\test.test
MD5
9f06243abcb89c70e0c331c61d871fa7

SHA1
fde773a18bb29f5ed65e6f0a7aa717fd1fa485d4

SHA256
837ccb607e312b170fac7383d7ccfd61fa5072793f19a25e75fbacb56539b86b

SHA512
b947b99d1baddd347550c9032e9ab60b6be56551cf92c076b38e4e11f436051a4af51c47e54f8641316a720b043641a3b3c1e1b01ba50445ea1ba60bfd1b7a86

Download Submit
\Users\Admin\AppData\Local\Temp\is-O5O58.tmp\KMSpico_setup.tmp
MD5
1778c1f66ff205875a6435a33229ab3c

SHA1
5b6189159b16c6f85feed66834af3e06c0277a19

SHA256
95c06acac4fe4598840e5556f9613d43aa1039c52dac64536f59e45a70f79da6

SHA512
8844de1296ce707e3c5c71823f5118f8f2e50287ace3a2ee1ec0b69df0ec48ebcf5b755db669d2cd869d345fb06a9c07b36e98eda8c32a9b26b8fe22bdc105a0

Download Submit
\Users\Admin\AppData\Local\Temp\is-SECUE.tmp\_isetup\_shfoldr.dll
MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-SECUE.tmp\_isetup\_shfoldr.dll
MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
memory/1660-67-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1756-71-0x0000000000390000-0x0000000000BF0000-memory.dmp

Filesize
8.4MB

Download
memory/1756-73-0x00000000056B0000-0x00000000056B1000-memory.dmp

Filesize
4KB

Download
memory/1756-75-0x00000000056B5000-0x00000000056C6000-memory.dmp

Filesize
68KB

Download
memory/2136-60-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2136-59-0x0000000076491000-0x0000000076493000-memory.dmp

Filesize
8KB

Download
memory/2752-54-0x000007FEFC451000-0x000007FEFC453000-memory.dmp

Filesize
8KB

Download