vidar | bb39616af00afba184ec39118d17080a9c1b47e6d044fd7b850dde5903d929c4

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
09-02-2023 12:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

KMSpico.exe
Size

3.5MB
MD5

34e53fd5d5b3534989b6b94c52d9d52a
SHA1

d4a166025f313d6a03ee9c52e025fc3bbf55014e
SHA256

bb39616af00afba184ec39118d17080a9c1b47e6d044fd7b850dde5903d929c4
SHA512

3de85bb1687d2e8fad0f68b27efedefa3a9bb7c8ddfc3bb0a6b8103d2d83563a8e6a69076d6276a8f39f526fac00a177e68f551ff7e1924250c1b3016e7d676a
SSDEEP

98304:zBC/1XczAVcz5iituNDynYX6KUXNnbe8awz:zcN/VOfYN+YX6KUXNnq8z

Score

10^/10

vidar 14 discovery persistence spyware stealer upx

Malware Config

Extracted

Family

vidar

Version

2.4

Botnet

Attributes

profile_id
14

Signatures

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Blocklisted process makes network request 2 IoCs

Processes:

WScript.exe

flow pid process

15 3744 WScript.exe
17 3744 WScript.exe
Creates new service(s) 1 TTPs
persistence

New Service
T1050

flow	pid	process
15	3744	WScript.exe
17	3744	WScript.exe

Sets file execution options in registry 2 TTPs 9 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

AutoPico.exeKMSELDI.exeKMSELDI.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe	AutoPico.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe	AutoPico.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe	KMSELDI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe	KMSELDI.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe	KMSELDI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe\Debugger = "C:\\Windows\\SECOH-QAD.exe"	AutoPico.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe\Debugger = "C:\\Windows\\SECOH-QAD.exe"	KMSELDI.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe	KMSELDI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe\Debugger = "C:\\Windows\\SECOH-QAD.exe"	KMSELDI.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

KMSpico.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation KMSpico.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	KMSpico.exe

Executes dropped EXE 9 IoCs

Processes:

KMSpico.exeKMSpico.tmpUninsHs.exeKMSELDI.exeSECOH-QAD.exeAutoPico.exeMEGAsync.exeMEGAsync.exeKMSELDI.exe

pid	process
1852	KMSpico.exe
1848	KMSpico.tmp
1420	UninsHs.exe
376	KMSELDI.exe
4120	SECOH-QAD.exe
5048	AutoPico.exe
4964	MEGAsync.exe
1512	MEGAsync.exe
4952	KMSELDI.exe

Loads dropped DLL 3 IoCs

Processes:

SppExtComObj.exeMEGAsync.exe

pid process

4948 SppExtComObj.exe
1512 MEGAsync.exe
1512 MEGAsync.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
4948	SppExtComObj.exe
1512	MEGAsync.exe
1512	MEGAsync.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4844-132-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral2/memory/4844-133-0x0000000000400000-0x0000000000435000-memory.dmp	upx
C:\Program Files\KMSpico\UninsHs.exe	upx
C:\Program Files\KMSpico\UninsHs.exe	upx
behavioral2/memory/1420-150-0x0000000000400000-0x0000000000417000-memory.dmp	upx
behavioral2/memory/4844-203-0x0000000000400000-0x0000000000435000-memory.dmp	upx

Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 3 IoCs

Processes:

KMSpico.tmp

description	ioc	process
File opened for modification	C:\Windows\system32\Vestris.ResourceLib.dll	KMSpico.tmp
File created	C:\Windows\system32\is-N7K67.tmp	KMSpico.tmp
File created	C:\Windows\system32\is-KMVVO.tmp	KMSpico.tmp

Suspicious use of SetThreadContext 1 IoCs

Processes:

MEGAsync.exe

description pid process target process

PID 4964 set thread context of 1512 4964 MEGAsync.exe MEGAsync.exe

description	pid	process	target process
PID 4964 set thread context of 1512	4964	MEGAsync.exe	MEGAsync.exe

Drops file in Program Files directory 64 IoCs

Processes:

KMSpico.tmpKMSELDI.exe

description	ioc	process
File created	C:\Program Files\KMSpico\cert\kmscertW6\Business\is-44PK1.tmp	KMSpico.tmp
File created	C:\Program Files\KMSpico\cert\kmscertW6\Enterprise\is-EMCIH.tmp	KMSpico.tmp
File created	C:\Program Files\KMSpico\cert\kmscertW81\EmbeddedIndustry\is-RG3F4.tmp	KMSpico.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2010\InfoPath\is-E0OTB.tmp	KMSpico.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2016\ProjectPro\is-CAI47.tmp	KMSpico.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2010\OneNote\is-HRDNF.tmp	KMSpico.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2010\ProjectStd\is-V887Q.tmp	KMSpico.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2010\Standard\is-BIJC6.tmp	KMSpico.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2010\Word\is-EMIC6.tmp	KMSpico.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2016\Word\is-Q7CRO.tmp	KMSpico.tmp
File created	C:\Program Files\KMSpico\cert\kmscertW10\Enterprise\is-OUD3I.tmp	KMSpico.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2010\Access\is-6N0D3.tmp	KMSpico.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2010\Access\is-TE6D9.tmp	KMSpico.tmp
File created	C:\Program Files\KMSpico\cert\kmscertW10\EnterpriseS\is-EHA9B.tmp	KMSpico.tmp
File created	C:\Program Files\KMSpico\logs\is-Q405C.tmp	KMSpico.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2016\Mondo\is-23E6I.tmp	KMSpico.tmp
File created	C:\Program Files\KMSpico\cert\kmscertW6\BusinessN\is-0V4EJ.tmp	KMSpico.tmp
File created	C:\Program Files\KMSpico\is-8E5PH.tmp	KMSpico.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2016\Access\is-241HN.tmp	KMSpico.tmp
File created	C:\Program Files\KMSpico\cert\kmscertW6\BusinessN\is-JUV8K.tmp	KMSpico.tmp
File created	C:\Program Files\KMSpico\cert\kmscertW8\is-4L0FE.tmp	KMSpico.tmp
File created	C:\Program Files\KMSpico\cert\kmscertW8\Professional\is-6I6AR.tmp	KMSpico.tmp
File created	C:\Program Files\KMSpico\cert\kmscertW81\EmbeddedIndustry\is-M0F5K.tmp	KMSpico.tmp
File opened for modification	C:\Program Files\KMSpico\Vestris.ResourceLib.dll	KMSpico.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2010\Publisher\is-6KQ6R.tmp	KMSpico.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2010\SmallBusBasics\is-MCHSM.tmp	KMSpico.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2016\PowerPoint\is-GHLKO.tmp	KMSpico.tmp
File created	C:\Program Files\KMSpico\cert\kmscertW6\Business\is-M18GB.tmp	KMSpico.tmp
File created	C:\Program Files\KMSpico\cert\kmscertW6\BusinessN\is-FQLAM.tmp	KMSpico.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2010\Excel\is-7JI2D.tmp	KMSpico.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2010\Outlook\is-4EFKI.tmp	KMSpico.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2013\InfoPath\is-27FEM.tmp	KMSpico.tmp
File created	C:\Program Files\KMSpico\cert\kmscertW10\Enterprise\is-J6QD1.tmp	KMSpico.tmp
File created	C:\Program Files\KMSpico\driver\is-OBBVI.tmp	KMSpico.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2010\InfoPath\is-0681S.tmp	KMSpico.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2010\Visio\is-9VL3G.tmp	KMSpico.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2013\Outlook\is-K70FU.tmp	KMSpico.tmp
File created	C:\Program Files\KMSpico\cert\kmscertW10\Education\is-E9RE0.tmp	KMSpico.tmp
File created	C:\Program Files\KMSpico\cert\kmscertW6\BusinessN\is-S9U2S.tmp	KMSpico.tmp
File created	C:\Program Files\KMSpico\cert\kmscertW8\EnterpriseN\is-LH67J.tmp	KMSpico.tmp
File opened for modification	C:\Program Files\KMSpico\KMSELDI.exe	KMSpico.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2010\Visio\is-QSN8T.tmp	KMSpico.tmp
File created	C:\Program Files\KMSpico\cert\kmscertW7\Professional\is-1GAMU.tmp	KMSpico.tmp
File created	C:\Program Files\KMSpico\scripts\is-1A3O6.tmp	KMSpico.tmp
File created	C:\Program Files\KMSpico\sounds\is-CVU33.tmp	KMSpico.tmp
File opened for modification	C:\Program Files\KMSpico\logs\KMSELDI.log	KMSELDI.exe
File created	C:\Program Files\KMSpico\unins000.dat	KMSpico.tmp
File created	C:\Program Files\KMSpico\cert\kmscertW6\BusinessN\is-24J7P.tmp	KMSpico.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2013\Outlook\is-P0KOQ.tmp	KMSpico.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2016\is-98GS6.tmp	KMSpico.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2016\ProPlus\is-9QRK7.tmp	KMSpico.tmp
File created	C:\Program Files\KMSpico\cert\kmscertW7\Embedded\is-V82CT.tmp	KMSpico.tmp
File created	C:\Program Files\KMSpico\cert\kmscertW81\Enterprise\is-5C568.tmp	KMSpico.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2010\ProjectStd\is-T2AF6.tmp	KMSpico.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2013\InfoPath\is-J1EH4.tmp	KMSpico.tmp
File created	C:\Program Files\KMSpico\is-J03AL.tmp	KMSpico.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2010\ProjectPro\is-CU2QK.tmp	KMSpico.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2010\Publisher\is-CJIOS.tmp	KMSpico.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2013\PowerPoint\is-H8FIF.tmp	KMSpico.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2013\Standard\is-HL927.tmp	KMSpico.tmp
File created	C:\Program Files\KMSpico\cert\kmscertW8\CoreN\is-59E18.tmp	KMSpico.tmp
File opened for modification	C:\Program Files\KMSpico\DevComponents.DotNetBar2.dll	KMSpico.tmp
File opened for modification	C:\Program Files\KMSpico\driver\tap-windows-9.21.0.exe	KMSpico.tmp
File created	C:\Program Files\KMSpico\cert\kmscertW81\ProfessionalWMC\is-PP80T.tmp	KMSpico.tmp

Drops file in Windows directory 2 IoCs

Processes:

KMSELDI.exe

description ioc process

File created C:\Windows\SECOH-QAD.dll KMSELDI.exe
File created C:\Windows\SECOH-QAD.exe KMSELDI.exe
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

4760 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4304 1512 WerFault.exe MEGAsync.exe

description	ioc	process
File created	C:\Windows\SECOH-QAD.dll	KMSELDI.exe
File created	C:\Windows\SECOH-QAD.exe	KMSELDI.exe

pid	process
4760	sc.exe

pid	pid_target	process	target process
4304	1512	WerFault.exe	MEGAsync.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

MEGAsync.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MEGAsync.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	MEGAsync.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2800 schtasks.exe

pid	process
2800	schtasks.exe

Modifies Control Panel 3 IoCs

evasion

Processes:

KMSELDI.exeAutoPico.exeKMSELDI.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\Desktop\PaintDesktopVersion = "0"	KMSELDI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\Desktop\PaintDesktopVersion = "0"	AutoPico.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\Desktop\PaintDesktopVersion = "0"	KMSELDI.exe

Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs

Modify Registry

T1112

Processes:

KMSpico.tmp

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter	KMSpico.tmp
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\EnabledV9 = "0"	KMSpico.tmp

Modifies data under HKEY_USERS 21 IoCs

Processes:

SppExtComObj.exeAutoPico.exeKMSELDI.exeKMSELDI.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft	SppExtComObj.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663\d450596f-894d-49e0-966a-fd39ed4c4c64\DiscoveredKeyManagementServiceIpAddress	AutoPico.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663\85dd8b5f-eaa4-4af3-a628-cce9e77c9a03\DiscoveredKeyManagementServiceIpAddress = "10.28.141.49"	SppExtComObj.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663\d450596f-894d-49e0-966a-fd39ed4c4c64\DiscoveredKeyManagementServiceIpAddress	KMSELDI.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f\2de67392-b7a7-462a-b1ca-108dd189f588\DiscoveredKeyManagementServiceIpAddress	KMSELDI.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663\d450596f-894d-49e0-966a-fd39ed4c4c64\DiscoveredKeyManagementServiceIpAddress = "fe80::d14a:cc4f:4afe:6f36%3"	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f\2de67392-b7a7-462a-b1ca-108dd189f588	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f	SppExtComObj.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f\2de67392-b7a7-462a-b1ca-108dd189f588\DiscoveredKeyManagementServiceIpAddress	AutoPico.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663\d450596f-894d-49e0-966a-fd39ed4c4c64\DiscoveredKeyManagementServiceIpAddress	KMSELDI.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f\2de67392-b7a7-462a-b1ca-108dd189f588\DiscoveredKeyManagementServiceIpAddress = "10.29.106.238"	SppExtComObj.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663\d450596f-894d-49e0-966a-fd39ed4c4c64\DiscoveredKeyManagementServiceIpAddress = "10.29.106.238"	SppExtComObj.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f\2de67392-b7a7-462a-b1ca-108dd189f588\DiscoveredKeyManagementServiceIpAddress = "10.28.141.49"	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663\85dd8b5f-eaa4-4af3-a628-cce9e77c9a03	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663\d450596f-894d-49e0-966a-fd39ed4c4c64	SppExtComObj.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663\d450596f-894d-49e0-966a-fd39ed4c4c64\DiscoveredKeyManagementServiceIpAddress = "10.28.141.49"	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT	SppExtComObj.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f\2de67392-b7a7-462a-b1ca-108dd189f588\DiscoveredKeyManagementServiceIpAddress	KMSELDI.exe

Modifies registry class 1 IoCs

Processes:

KMSpico.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings KMSpico.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	KMSpico.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

MEGAsync.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4	MEGAsync.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = 0f00000001000000140000005d82adb90d5dd3c7e3524f56f787ec53726187760b000000010000005200000047006f00200044006100640064007900200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b06010505070301620000000100000020000000c3846bf24b9e93ca64274c0ec67c1ecc5e024ffcacd2d74019350e81fe546ae4140000000100000014000000d2c4b0d291d44c1171b361cb3da1fedda86ad4e31d000000010000001000000099949d2179811f6b30a8c99c4f6b42260300000001000000140000002796bae63f1801e277261ba0d77770028f20eee420000000010000000404000030820400308202e8a003020102020100300d06092a864886f70d01010505003063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137303632305a170d3334303632393137303632305a3063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100de9dd7ea571849a15bebd75f4886eabeddffe4ef671cf46568b35771a05e77bbed9b49e970803d561863086fdaf2ccd03f7f0254225410d8b281d4c0753d4b7fc777c33e78ab1a03b5206b2f6a2bb1c5887ec4bb1eb0c1d845276faa3758f78726d7d82df6a917b71f72364ea6173f659892db2a6e5da2fe88e00bde7fe58d15e1ebcb3ad5e212a2132dd88eaf5f123da0080508b65ca565380445991ea3606074c541a572621b62c51f6f5f1a42be025165a8ae23186afc7803a94d7f80c3faab5afca140a4ca1916feb2c8ef5e730dee77bd9af67998bcb10767a2150ddda058c6447b0a3e62285fba41075358cf117e3874c5f8ffb569908f8474ea971baf020103a381c03081bd301d0603551d0e04160414d2c4b0d291d44c1171b361cb3da1fedda86ad4e330818d0603551d230481853081828014d2c4b0d291d44c1171b361cb3da1fedda86ad4e3a167a4653063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100324bf3b2ca3e91fc12c6a1078c8e77a03306145c901e18f708a63d0a19f98780116e69e4961730ff3491637238eecc1c01a31d9428a431f67ac454d7f6e5315803a2ccce62db944573b5bf45c924b5d58202ad2379698db8b64dcecf4cca3323e81c88aa9d8b416e16c920e5899ecd3bda70f77e992620145425ab6e7385e69b219d0a6c820ea8f8c20cfa101e6c96ef870dc40f618badee832b95f88e92847239eb20ea83ed83cd976e08bceb4e26b6732be4d3f64cfe2671e26111744aff571a870f75482ecf516917a002126195d5d140b2104ceec4ac1043a6a59e0ad595629a0dcf8882c5320ce42b9f45e60d9f289cb1b92a5a57ad370faf1d7fdbbd9f	MEGAsync.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = 04000000010000001000000091de0625abdafd32170cbb25172a84670300000001000000140000002796bae63f1801e277261ba0d77770028f20eee41d000000010000001000000099949d2179811f6b30a8c99c4f6b4226140000000100000014000000d2c4b0d291d44c1171b361cb3da1fedda86ad4e3620000000100000020000000c3846bf24b9e93ca64274c0ec67c1ecc5e024ffcacd2d74019350e81fe546ae409000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005200000047006f00200044006100640064007900200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000005d82adb90d5dd3c7e3524f56f787ec537261877620000000010000000404000030820400308202e8a003020102020100300d06092a864886f70d01010505003063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137303632305a170d3334303632393137303632305a3063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100de9dd7ea571849a15bebd75f4886eabeddffe4ef671cf46568b35771a05e77bbed9b49e970803d561863086fdaf2ccd03f7f0254225410d8b281d4c0753d4b7fc777c33e78ab1a03b5206b2f6a2bb1c5887ec4bb1eb0c1d845276faa3758f78726d7d82df6a917b71f72364ea6173f659892db2a6e5da2fe88e00bde7fe58d15e1ebcb3ad5e212a2132dd88eaf5f123da0080508b65ca565380445991ea3606074c541a572621b62c51f6f5f1a42be025165a8ae23186afc7803a94d7f80c3faab5afca140a4ca1916feb2c8ef5e730dee77bd9af67998bcb10767a2150ddda058c6447b0a3e62285fba41075358cf117e3874c5f8ffb569908f8474ea971baf020103a381c03081bd301d0603551d0e04160414d2c4b0d291d44c1171b361cb3da1fedda86ad4e330818d0603551d230481853081828014d2c4b0d291d44c1171b361cb3da1fedda86ad4e3a167a4653063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100324bf3b2ca3e91fc12c6a1078c8e77a03306145c901e18f708a63d0a19f98780116e69e4961730ff3491637238eecc1c01a31d9428a431f67ac454d7f6e5315803a2ccce62db944573b5bf45c924b5d58202ad2379698db8b64dcecf4cca3323e81c88aa9d8b416e16c920e5899ecd3bda70f77e992620145425ab6e7385e69b219d0a6c820ea8f8c20cfa101e6c96ef870dc40f618badee832b95f88e92847239eb20ea83ed83cd976e08bceb4e26b6732be4d3f64cfe2671e26111744aff571a870f75482ecf516917a002126195d5d140b2104ceec4ac1043a6a59e0ad595629a0dcf8882c5320ce42b9f45e60d9f289cb1b92a5a57ad370faf1d7fdbbd9f	MEGAsync.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = 19000000010000001000000063664b080559a094d10f0a3c5f4f62900f00000001000000140000005d82adb90d5dd3c7e3524f56f787ec53726187760b000000010000005200000047006f00200044006100640064007900200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b06010505070301620000000100000020000000c3846bf24b9e93ca64274c0ec67c1ecc5e024ffcacd2d74019350e81fe546ae4140000000100000014000000d2c4b0d291d44c1171b361cb3da1fedda86ad4e31d000000010000001000000099949d2179811f6b30a8c99c4f6b42260300000001000000140000002796bae63f1801e277261ba0d77770028f20eee404000000010000001000000091de0625abdafd32170cbb25172a846720000000010000000404000030820400308202e8a003020102020100300d06092a864886f70d01010505003063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137303632305a170d3334303632393137303632305a3063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100de9dd7ea571849a15bebd75f4886eabeddffe4ef671cf46568b35771a05e77bbed9b49e970803d561863086fdaf2ccd03f7f0254225410d8b281d4c0753d4b7fc777c33e78ab1a03b5206b2f6a2bb1c5887ec4bb1eb0c1d845276faa3758f78726d7d82df6a917b71f72364ea6173f659892db2a6e5da2fe88e00bde7fe58d15e1ebcb3ad5e212a2132dd88eaf5f123da0080508b65ca565380445991ea3606074c541a572621b62c51f6f5f1a42be025165a8ae23186afc7803a94d7f80c3faab5afca140a4ca1916feb2c8ef5e730dee77bd9af67998bcb10767a2150ddda058c6447b0a3e62285fba41075358cf117e3874c5f8ffb569908f8474ea971baf020103a381c03081bd301d0603551d0e04160414d2c4b0d291d44c1171b361cb3da1fedda86ad4e330818d0603551d230481853081828014d2c4b0d291d44c1171b361cb3da1fedda86ad4e3a167a4653063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100324bf3b2ca3e91fc12c6a1078c8e77a03306145c901e18f708a63d0a19f98780116e69e4961730ff3491637238eecc1c01a31d9428a431f67ac454d7f6e5315803a2ccce62db944573b5bf45c924b5d58202ad2379698db8b64dcecf4cca3323e81c88aa9d8b416e16c920e5899ecd3bda70f77e992620145425ab6e7385e69b219d0a6c820ea8f8c20cfa101e6c96ef870dc40f618badee832b95f88e92847239eb20ea83ed83cd976e08bceb4e26b6732be4d3f64cfe2671e26111744aff571a870f75482ecf516917a002126195d5d140b2104ceec4ac1043a6a59e0ad595629a0dcf8882c5320ce42b9f45e60d9f289cb1b92a5a57ad370faf1d7fdbbd9f	MEGAsync.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = 5c00000001000000040000000008000004000000010000001000000091de0625abdafd32170cbb25172a84670300000001000000140000002796bae63f1801e277261ba0d77770028f20eee41d000000010000001000000099949d2179811f6b30a8c99c4f6b4226140000000100000014000000d2c4b0d291d44c1171b361cb3da1fedda86ad4e3620000000100000020000000c3846bf24b9e93ca64274c0ec67c1ecc5e024ffcacd2d74019350e81fe546ae409000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005200000047006f00200044006100640064007900200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000005d82adb90d5dd3c7e3524f56f787ec537261877619000000010000001000000063664b080559a094d10f0a3c5f4f629020000000010000000404000030820400308202e8a003020102020100300d06092a864886f70d01010505003063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137303632305a170d3334303632393137303632305a3063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100de9dd7ea571849a15bebd75f4886eabeddffe4ef671cf46568b35771a05e77bbed9b49e970803d561863086fdaf2ccd03f7f0254225410d8b281d4c0753d4b7fc777c33e78ab1a03b5206b2f6a2bb1c5887ec4bb1eb0c1d845276faa3758f78726d7d82df6a917b71f72364ea6173f659892db2a6e5da2fe88e00bde7fe58d15e1ebcb3ad5e212a2132dd88eaf5f123da0080508b65ca565380445991ea3606074c541a572621b62c51f6f5f1a42be025165a8ae23186afc7803a94d7f80c3faab5afca140a4ca1916feb2c8ef5e730dee77bd9af67998bcb10767a2150ddda058c6447b0a3e62285fba41075358cf117e3874c5f8ffb569908f8474ea971baf020103a381c03081bd301d0603551d0e04160414d2c4b0d291d44c1171b361cb3da1fedda86ad4e330818d0603551d230481853081828014d2c4b0d291d44c1171b361cb3da1fedda86ad4e3a167a4653063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100324bf3b2ca3e91fc12c6a1078c8e77a03306145c901e18f708a63d0a19f98780116e69e4961730ff3491637238eecc1c01a31d9428a431f67ac454d7f6e5315803a2ccce62db944573b5bf45c924b5d58202ad2379698db8b64dcecf4cca3323e81c88aa9d8b416e16c920e5899ecd3bda70f77e992620145425ab6e7385e69b219d0a6c820ea8f8c20cfa101e6c96ef870dc40f618badee832b95f88e92847239eb20ea83ed83cd976e08bceb4e26b6732be4d3f64cfe2671e26111744aff571a870f75482ecf516917a002126195d5d140b2104ceec4ac1043a6a59e0ad595629a0dcf8882c5320ce42b9f45e60d9f289cb1b92a5a57ad370faf1d7fdbbd9f	MEGAsync.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

KMSpico.tmpSECOH-QAD.exeKMSELDI.exeAutoPico.exeMEGAsync.exeKMSELDI.exe

pid	process
1848	KMSpico.tmp
1848	KMSpico.tmp
4120	SECOH-QAD.exe
4120	SECOH-QAD.exe
4120	SECOH-QAD.exe
4120	SECOH-QAD.exe
4120	SECOH-QAD.exe
4120	SECOH-QAD.exe
376	KMSELDI.exe
5048	AutoPico.exe
1512	MEGAsync.exe
1512	MEGAsync.exe
4952	KMSELDI.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

KMSELDI.exe

pid process

4952 KMSELDI.exe

pid	process
4952	KMSELDI.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

KMSELDI.exeAutoPico.exeAUDIODG.EXEKMSELDI.exe

description	pid	process
Token: SeDebugPrivilege	376	KMSELDI.exe
Token: SeSystemtimePrivilege	5048	AutoPico.exe
Token: SeDebugPrivilege	5048	AutoPico.exe
Token: 33	2252	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2252	AUDIODG.EXE
Token: SeDebugPrivilege	4952	KMSELDI.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

KMSpico.tmp

pid process

1848 KMSpico.tmp

Suspicious use of WriteProcessMemory 47 IoCs

Processes:

KMSpico.exeKMSpico.exeKMSpico.tmpcmd.execmd.exeSECOH-QAD.exeSppExtComObj.exeMEGAsync.exe

description	pid	process	target process
PID 4844 wrote to memory of 3744	4844	KMSpico.exe	WScript.exe
PID 4844 wrote to memory of 3744	4844	KMSpico.exe	WScript.exe
PID 4844 wrote to memory of 3744	4844	KMSpico.exe	WScript.exe
PID 4844 wrote to memory of 1852	4844	KMSpico.exe	KMSpico.exe
PID 4844 wrote to memory of 1852	4844	KMSpico.exe	KMSpico.exe
PID 4844 wrote to memory of 1852	4844	KMSpico.exe	KMSpico.exe
PID 1852 wrote to memory of 1848	1852	KMSpico.exe	KMSpico.tmp
PID 1852 wrote to memory of 1848	1852	KMSpico.exe	KMSpico.tmp
PID 1852 wrote to memory of 1848	1852	KMSpico.exe	KMSpico.tmp
PID 1848 wrote to memory of 3928	1848	KMSpico.tmp	cmd.exe
PID 1848 wrote to memory of 3928	1848	KMSpico.tmp	cmd.exe
PID 1848 wrote to memory of 4600	1848	KMSpico.tmp	cmd.exe
PID 1848 wrote to memory of 4600	1848	KMSpico.tmp	cmd.exe
PID 1848 wrote to memory of 1420	1848	KMSpico.tmp	UninsHs.exe
PID 1848 wrote to memory of 1420	1848	KMSpico.tmp	UninsHs.exe
PID 1848 wrote to memory of 1420	1848	KMSpico.tmp	UninsHs.exe
PID 1848 wrote to memory of 376	1848	KMSpico.tmp	KMSELDI.exe
PID 1848 wrote to memory of 376	1848	KMSpico.tmp	KMSELDI.exe
PID 3928 wrote to memory of 4760	3928	cmd.exe	sc.exe
PID 3928 wrote to memory of 4760	3928	cmd.exe	sc.exe
PID 4600 wrote to memory of 2800	4600	cmd.exe	schtasks.exe
PID 4600 wrote to memory of 2800	4600	cmd.exe	schtasks.exe
PID 4120 wrote to memory of 4948	4120	SECOH-QAD.exe	SppExtComObj.exe
PID 4120 wrote to memory of 4948	4120	SECOH-QAD.exe	SppExtComObj.exe
PID 4120 wrote to memory of 4948	4120	SECOH-QAD.exe	SppExtComObj.exe
PID 4948 wrote to memory of 1992	4948	SppExtComObj.exe	SLUI.exe
PID 4948 wrote to memory of 1992	4948	SppExtComObj.exe	SLUI.exe
PID 1848 wrote to memory of 5048	1848	KMSpico.tmp	AutoPico.exe
PID 1848 wrote to memory of 5048	1848	KMSpico.tmp	AutoPico.exe
PID 4948 wrote to memory of 4652	4948	SppExtComObj.exe	SLUI.exe
PID 4948 wrote to memory of 4652	4948	SppExtComObj.exe	SLUI.exe
PID 4844 wrote to memory of 4964	4844	KMSpico.exe	MEGAsync.exe
PID 4844 wrote to memory of 4964	4844	KMSpico.exe	MEGAsync.exe
PID 4844 wrote to memory of 4964	4844	KMSpico.exe	MEGAsync.exe
PID 4964 wrote to memory of 1512	4964	MEGAsync.exe	MEGAsync.exe
PID 4964 wrote to memory of 1512	4964	MEGAsync.exe	MEGAsync.exe
PID 4964 wrote to memory of 1512	4964	MEGAsync.exe	MEGAsync.exe
PID 4964 wrote to memory of 1512	4964	MEGAsync.exe	MEGAsync.exe
PID 4964 wrote to memory of 1512	4964	MEGAsync.exe	MEGAsync.exe
PID 4964 wrote to memory of 1512	4964	MEGAsync.exe	MEGAsync.exe
PID 4964 wrote to memory of 1512	4964	MEGAsync.exe	MEGAsync.exe
PID 4964 wrote to memory of 1512	4964	MEGAsync.exe	MEGAsync.exe
PID 4964 wrote to memory of 1512	4964	MEGAsync.exe	MEGAsync.exe
PID 4948 wrote to memory of 4308	4948	SppExtComObj.exe	SLUI.exe
PID 4948 wrote to memory of 4308	4948	SppExtComObj.exe	SLUI.exe
PID 4948 wrote to memory of 1532	4948	SppExtComObj.exe	SLUI.exe
PID 4948 wrote to memory of 1532	4948	SppExtComObj.exe	SLUI.exe

C:\Users\Admin\AppData\Local\Temp\KMSpico.exe
"C:\Users\Admin\AppData\Local\Temp\KMSpico.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4844

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\kmspico\script.vbs"
2⤵
- Blocklisted process makes network request
PID:3744

C:\Users\Admin\AppData\Roaming\kmspico\KMSpico.exe
"C:\Users\Admin\AppData\Roaming\kmspico\KMSpico.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1852

C:\Users\Admin\AppData\Local\Temp\is-BE601.tmp\KMSpico.tmp
"C:\Users\Admin\AppData\Local\Temp\is-BE601.tmp\KMSpico.tmp" /SL5="$C0066,2952592,69120,C:\Users\Admin\AppData\Roaming\kmspico\KMSpico.exe"
3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies Internet Explorer Phishing Filter
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1848

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""C:\Program Files\KMSpico\scripts\Install_Service.cmd""
4⤵
- Suspicious use of WriteProcessMemory
PID:3928

C:\Windows\system32\sc.exe
sc create "Service KMSELDI" binPath= "C:\Program Files\KMSpico\Service_KMS.exe" type= own error= normal start= auto DisplayName= "Service KMSELDI"
5⤵
- Launches sc.exe
PID:4760

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""C:\Program Files\KMSpico\scripts\Install_Task.cmd""
4⤵
- Suspicious use of WriteProcessMemory
PID:4600

C:\Windows\system32\schtasks.exe
SCHTASKS /Create /TN "AutoPico Daily Restart" /TR "'C:\Program Files\KMSpico\AutoPico.exe' /silent" /SC DAILY /ST 23:59:59 /RU "NT AUTHORITY\SYSTEM" /RL Highest /F
5⤵
- Creates scheduled task(s)
PID:2800

C:\Program Files\KMSpico\UninsHs.exe
"C:\Program Files\KMSpico\UninsHs.exe" /r0=KMSpico,default,C:\Users\Admin\AppData\Roaming\kmspico\KMSpico.exe
4⤵
- Executes dropped EXE
PID:1420

C:\Program Files\KMSpico\KMSELDI.exe
"C:\Program Files\KMSpico\KMSELDI.exe" /silent /backup
4⤵
- Sets file execution options in registry
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:376

C:\Program Files\KMSpico\AutoPico.exe
"C:\Program Files\KMSpico\AutoPico.exe" /silent
4⤵
- Sets file execution options in registry
- Executes dropped EXE
- Modifies Control Panel
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5048

C:\Users\Admin\AppData\Roaming\kmspico\MEGAsync.exe
"C:\Users\Admin\AppData\Roaming\kmspico\MEGAsync.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4964

C:\Users\Admin\AppData\Roaming\kmspico\MEGAsync.exe
"C:\Users\Admin\AppData\Roaming\kmspico\MEGAsync.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
PID:1512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1512 -s 2292
4⤵
- Program crash
PID:4304

C:\Windows\SECOH-QAD.exe
C:\Windows\SECOH-QAD.exe C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4120

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
2⤵
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:4948

C:\Windows\System32\SLUI.exe
"C:\Windows\System32\SLUI.exe" RuleId=eeba1977-569e-4571-b639-7623d8bfecc0;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2de67392-b7a7-462a-b1ca-108dd189f588;NotificationInterval=1440;Trigger=TimerEvent
3⤵
PID:1992

C:\Windows\System32\SLUI.exe
"C:\Windows\System32\SLUI.exe" RuleId=379cccfb-d4e0-48fe-b0f2-0136097be147;Action=CleanupState;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2de67392-b7a7-462a-b1ca-108dd189f588;Trigger=TimerEvent
3⤵
PID:4652

C:\Windows\System32\SLUI.exe
"C:\Windows\System32\SLUI.exe" RuleId=eeba1977-569e-4571-b639-7623d8bfecc0;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2de67392-b7a7-462a-b1ca-108dd189f588;NotificationInterval=1440;Trigger=TimerEvent
3⤵
PID:4308

C:\Windows\System32\SLUI.exe
"C:\Windows\System32\SLUI.exe" RuleId=379cccfb-d4e0-48fe-b0f2-0136097be147;Action=CleanupState;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2de67392-b7a7-462a-b1ca-108dd189f588;Trigger=TimerEvent
3⤵
PID:1532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1512 -ip 1512
1⤵
PID:1420

C:\Program Files\KMSpico\KMSELDI.exe
"C:\Program Files\KMSpico\KMSELDI.exe"
1⤵
- Sets file execution options in registry
- Executes dropped EXE
- Modifies Control Panel
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:4952

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4a0 0x4a4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2252

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

New Service

T1050

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

New Service

T1050

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\KMSpico\AutoPico.exe
Filesize
728KB

MD5
cfe1c391464c446099a5eb33276f6d57

SHA1
9999bfcded2c953e025eabaa66b4971dab122c24

SHA256
4a714d98ce40f5f3577c306a66cb4a6b1ff3fd01047c7f4581f8558f0bcdf5fa

SHA512
4119a1722202bbc33339747ea02fd35b327890d55bb472cd1e2146ca446d8ba6fddb1e8cf8bbfaeb08aec8ed2a9d5c0fa71b73510d409ffacd3908fa72bb53b4

Download Submit
C:\Program Files\KMSpico\AutoPico.exe
Filesize
728KB

MD5
cfe1c391464c446099a5eb33276f6d57

SHA1
9999bfcded2c953e025eabaa66b4971dab122c24

SHA256
4a714d98ce40f5f3577c306a66cb4a6b1ff3fd01047c7f4581f8558f0bcdf5fa

SHA512
4119a1722202bbc33339747ea02fd35b327890d55bb472cd1e2146ca446d8ba6fddb1e8cf8bbfaeb08aec8ed2a9d5c0fa71b73510d409ffacd3908fa72bb53b4

Download Submit
C:\Program Files\KMSpico\DevComponents.DotNetBar2.dll
Filesize
5.2MB

MD5
1397b23f30681f97049df61f94f54d05

SHA1
5cb1ce6966e3d6d8b8c398cbd537c814312f194d

SHA256
fa76151a783250014ac8fa55d4c833100a623fcad1d6e2ddadcde259f5709609

SHA512
7d001b5942dad8ce1a83831b5a87f2fa6a1571bc133ce3c1ebe9988a43a7fcefc5cdb7870a6e692ef89fb815cfcff0e9c4b41f24ba0716c6808f190ea3c53535

Download Submit
C:\Program Files\KMSpico\KMSELDI.exe
Filesize
921KB

MD5
f0280de3880ef581bf14f9cc72ec1c16

SHA1
43d348e164c35f9e02370f6f66186fbfb15ae2a3

SHA256
50ebfa1dd5b147e40244607d5d5be25709edf2cc66247a78beb920c77ac514cc

SHA512
ac31a972e9e93e6671f44d403139b0db89d950097c848fbaf6b9965b722215f74e9ed9bb9e083d31328101e6fcfe7f960a08b3bea0813900f11d5c1bb40539a6

Download Submit
C:\Program Files\KMSpico\KMSELDI.exe
Filesize
921KB

MD5
f0280de3880ef581bf14f9cc72ec1c16

SHA1
43d348e164c35f9e02370f6f66186fbfb15ae2a3

SHA256
50ebfa1dd5b147e40244607d5d5be25709edf2cc66247a78beb920c77ac514cc

SHA512
ac31a972e9e93e6671f44d403139b0db89d950097c848fbaf6b9965b722215f74e9ed9bb9e083d31328101e6fcfe7f960a08b3bea0813900f11d5c1bb40539a6

Download Submit
C:\Program Files\KMSpico\KMSELDI.exe
Filesize
921KB

MD5
f0280de3880ef581bf14f9cc72ec1c16

SHA1
43d348e164c35f9e02370f6f66186fbfb15ae2a3

SHA256
50ebfa1dd5b147e40244607d5d5be25709edf2cc66247a78beb920c77ac514cc

SHA512
ac31a972e9e93e6671f44d403139b0db89d950097c848fbaf6b9965b722215f74e9ed9bb9e083d31328101e6fcfe7f960a08b3bea0813900f11d5c1bb40539a6

Download Submit
C:\Program Files\KMSpico\UninsHs.exe
Filesize
29KB

MD5
245824502aefe21b01e42f61955aa7f4

SHA1
a58682a8aae6302f1c934709c5aa1f6c86b2be99

SHA256
0a265b4bb8acceafaffb001632fa7e4c3f8ac39a71eda37f253e15bc1b8db90d

SHA512
204b39e31f22ba99cf09c5c8458fc94ea21b47aacc4abd305f71ba20a35d36bfc0ff53b95180542911c9c6f259db897dee76090d953f7ee18a8079caefda7981

Download Submit
C:\Program Files\KMSpico\UninsHs.exe
Filesize
29KB

MD5
245824502aefe21b01e42f61955aa7f4

SHA1
a58682a8aae6302f1c934709c5aa1f6c86b2be99

SHA256
0a265b4bb8acceafaffb001632fa7e4c3f8ac39a71eda37f253e15bc1b8db90d

SHA512
204b39e31f22ba99cf09c5c8458fc94ea21b47aacc4abd305f71ba20a35d36bfc0ff53b95180542911c9c6f259db897dee76090d953f7ee18a8079caefda7981

Download Submit
C:\Program Files\KMSpico\cert\kmscert2016\ProPlus\ProPlusVL_KMS_Client-ppd.xrm-ms
Filesize
10KB

MD5
6ba22dbe6a7804b7d2e6f2a416d5235e

SHA1
5e5eb958d16a18f5be2437b8ee0397edcf3e850c

SHA256
7f13c766991b4f23618844f83cb659cf7b3d5321da8925a82ea5357d8f7364d7

SHA512
341fc408e00b97d81a1d0b1aa75520f238ed24f4a3b68006b7967c75ea80cb089b5722e081a3668a083dd7e016e4af94a004f39221eb9093d9bce174a1570904

Download Submit
C:\Program Files\KMSpico\cert\kmscert2016\ProPlus\ProPlusVL_KMS_Client-ul-oob.xrm-ms
Filesize
11KB

MD5
f24231ee95d34878b9e88d2647a61861

SHA1
3ce6bb335d12db05fa604fbd13cea6616ebdaadd

SHA256
37a1eeb50f69f20a4bf0bafb63b13308d51dbdc8f992832ffa64b87ffed84e2e

SHA512
e4ee5f4feaaa7a730be00754416f98fef52803d6343a642102d9c020ff8ea4452320c0d18b1e4872589e410b795c295b82d7f422f8892a06a1181c063fb3e1f0

Download Submit
C:\Program Files\KMSpico\cert\kmscert2016\ProPlus\ProPlusVL_KMS_Client-ul.xrm-ms
Filesize
9KB

MD5
a08a813759a501db6500133ededcd0fe

SHA1
399c186e5c00cba369aaeece635f9ad319f30b01

SHA256
3aecba9f064a51d12785341fec10f7ac57ec156019dd71711ca1a8e0d844470e

SHA512
8f96292c2bf483f55d08a55bc94eb2afa2fdbc2db60de68369becdb4eecd117dc4f4d86876b98d56ba4c1dcdc5ba4c9e99d24e8cd770d52b8bf1ffd77805d890

Download Submit
C:\Program Files\KMSpico\cert\kmscert2016\client-issuance-bridge-office.xrm-ms
Filesize
3KB

MD5
33c1695d278f5917f28067d27b4868ee

SHA1
55137aa9a24d6a622f05315dfbb65fb1a0c74e03

SHA256
65bccc008f5b44d2dbd880c0c33afcfff27c07dd24dc0cc7dda2b3bfa7e9ae74

SHA512
84389ef315ff2f9d86062470ea6033dcb409a3061b898ab677987aa881e2f6d4be1dacc4fad0c606dde6a301f04dfa2f1ff54af86e3a3767ab9bcf6ac368e2f2

Download Submit
C:\Program Files\KMSpico\cert\kmscert2016\client-issuance-root-bridge-test.xrm-ms
Filesize
3KB

MD5
c8a546ad00a2f81bd39f23ac1d70b24a

SHA1
cfbb628b1c014d0264536d908f6557dd6a01f4a9

SHA256
f050e6022511f0f16661f82809ba65ab8d912bd9971d3747f6b58f2042a4a921

SHA512
5b5cab22e808835a37fc1f1e17718baca95c03f1659022d51deca23685503cd4313fbf1363385e3f5c404c9958f6b6bd6b4b0efa7c1548113dd46f13f9ba33b0

Download Submit
C:\Program Files\KMSpico\cert\kmscert2016\client-issuance-root.xrm-ms
Filesize
3KB

MD5
aee8dc4536129edc9c1df17cb288e3e9

SHA1
13c872ac505add867c944da550e96bc69c8a4165

SHA256
6e058fd0c8a4c2aafac6502de3ea739340917c6e75e6ec26ee60298c01baa826

SHA512
a27811053173d30b56ce85837017305cc2d58a673498e4ef7e562e23147a22ed416e0e4dae9d062064bec77b3cf89e46302807cb2f0022189b88fcc8e31f0124

Download Submit
C:\Program Files\KMSpico\cert\kmscert2016\client-issuance-stil.xrm-ms
Filesize
3KB

MD5
072b400f6cbb1123397d1c452740da04

SHA1
5f5615f5840252f4998c1c07ea717dfd7da970cc

SHA256
afe8c45943567e747425f87e43f774c783c07392888078693188882bde1339e3

SHA512
e7b8481e37f5ecc775b1e0e946c22051ff7c2b320c7deecd2fe6ae33b69abb230782ca397e5d799d8863026eee62f331000f7bf5b6f4f5b6614195c78dd2142f

Download Submit
C:\Program Files\KMSpico\cert\kmscert2016\client-issuance-ul-oob.xrm-ms
Filesize
4KB

MD5
582e03b41356083d04ce6191f560092a

SHA1
607b41ac3d642b91655e0af54556f441682acacf

SHA256
d40dbfddc97849f246a397e59187a3f97f70fa1687d578b3dacb92044fd51bea

SHA512
c28f7d286369d8d4f9a9f79ed67912d2390030013ac4e3b549176cff8378ab0c34db37f2bf6712b5d9eb9b06cb7fe72203e85340889e38b85623e1dbb7d33887

Download Submit
C:\Program Files\KMSpico\cert\kmscert2016\client-issuance-ul.xrm-ms
Filesize
4KB

MD5
90642c5fd30ae5a2a34d4c217b4cab7f

SHA1
b89cf6d9033a7bb52b4eb9e98c97b8978d91af43

SHA256
08e15263cdd59b78c18c21777fd67579d14e65dfac15531312bed2c9c5497c0d

SHA512
8ceadd13adafe4a582d64481dd357c9906e5a082629e4ebf576a9cb84c30b8bc9bd17f28b186594aae164415e4c42ffe78dcf83048a1f8377b97a4c24fa422dd

Download Submit
C:\Program Files\KMSpico\cert\kmscert2016\pkeyconfig-office.xrm-ms
Filesize
576KB

MD5
6a46a4977e1b2780b9907de0530f5ee7

SHA1
22b19e90035112dd43d6c6dc100ebbbd2b57676c

SHA256
90ba4e3c11f7a8260ae8fb93a73ab5af5fcfbb45b9fb2b15800c38485d3384f4

SHA512
34a54f48dda9d1422c2949b4add88ec03f77f4f7c6b83386e395c1764cf9eedb5c75ed04119fbf6f53ee3670abefec60af1fbff49f54ba4854e4354f44ea1c6c

Download Submit
C:\Program Files\KMSpico\logs\AutoPico.log
Filesize
3B

MD5
ecaa88f7fa0bf610a5a26cf545dcd3aa

SHA1
57218c316b6921e2cd61027a2387edc31a2d9471

SHA256
f1945cd6c19e56b3c1c78943ef5ec18116907a4ca1efc40a57d48ab1db7adfc5

SHA512
37c783b80b1d458b89e712c2dfe2777050eff0aefc9f6d8beedee77807d9aeb2e27d14815cf4f0229b1d36c186bb5f2b5ef55e632b108cc41e9fb964c39b42a5

Download Submit
C:\Program Files\KMSpico\logs\KMSELDI.log
Filesize
17KB

MD5
62306c351542dbaca25a586a0c04521a

SHA1
4e4c64319faf0d4a5a295382fcc4f37c9cfe6601

SHA256
32cb303e178fb352b699be7b2d8a4a811cc8cc8d0cd7f9f71bf954665783f881

SHA512
956071713fd84de3ad2414624aafb1dde8af399444910daf63e805de2c9149b507703048e973badb90d39744ae0f88fb64108214a71adde6ad0b633e4210c157

Download Submit
C:\Program Files\KMSpico\scripts\Install_Service.cmd
Filesize
213B

MD5
9107cd31951f2cf90e0892740b9087c9

SHA1
efac5c2e59ddef2f0a7782ad1dea8f6b25a07395

SHA256
11578521b14c17fbbb070c13887161586d57196f4d408c41a0f02ed07ee32f2c

SHA512
f6b66dcbbb8aa55793b63f20fc3718038d7c35f94570cf487b6e8393f67be6bd004dd64f3b8fc8345b7e02e2e8ec2d48ceed2494d9f1282ca020dbbaa621f457

Download Submit
C:\Program Files\KMSpico\scripts\Install_Task.cmd
Filesize
220B

MD5
ade709ca6a00370a4a6fea2425f948c1

SHA1
5919c95ef78bd4ab200f8071b98970ff9541a24a

SHA256
5b067073b968361fe489017d173040655f21890605d39cdb012a030dd75b52a8

SHA512
860f9f12bc4995fae7c74481c2b24a346e763e32a782b3826c0f0772ad90be48377faefd883c9a28b221f8476fd203782932fee859b079fb7d4b1b152cce7b53

Download Submit
C:\Program Files\KMSpico\sounds\affirmative.mp3
Filesize
4KB

MD5
249dca86cbb375d84b52ed4eb5cefdc6

SHA1
244c2ce65343dcfa613c26c94fa8255c7e6789fe

SHA256
e7fc9406c360d22ed281fb415a2eec396b6a7d0c733c828b2a8c106a30753de5

SHA512
84cb0128518618b3142276e7f84f0fdf42b4e662699d822b96957f7ee31630d55eb432148c7f204bd3be46efedc2eea5ea703f3795ffd9edb7181a1e748fb947

Download Submit
C:\Program Files\KMSpico\sounds\begin.mp3
Filesize
9KB

MD5
f33f2a16a46920b5c8227ffd558060b2

SHA1
a8f7192d34d585a981b5a2ea92b04a21a17b67a8

SHA256
443d23bd2705246cd64ff39d61b999ab74be6d60db1703d6782bb0d36a20eef3

SHA512
9cf3f48adfae4c7ff8bf60f313939c956b331373bd262f5b4a25fbb04d79b86abc5d73204d5c21a8e6f8f3fd51e503016a1f930e1dc2ea6696c3c7e056af7361

Download Submit
C:\Program Files\KMSpico\sounds\complete.mp3
Filesize
5KB

MD5
0d0e8e30d6007cf99f3951424e1d88e6

SHA1
56a6a3a39a5c9210e97a27190464cd25014db68c

SHA256
4d73c58c680396759508b34b169d1fd9c6aa292141c7c58634842a92d68d3c7b

SHA512
8c2ad7488e52af3aabcbbfddefe0e82c594401e279b07f5f4096b695e6f365e932085a8b4b01c91b3e29cba0fa3b0f160537d4962daed70a74854b55e67f8541

Download Submit
C:\Program Files\KMSpico\sounds\diagnostic.mp3
Filesize
13KB

MD5
06c9a7d36b9b6390faa90ca9c0650bee

SHA1
a27a0fdc48c678a9bd34b379d4f4e2c0e9776a9c

SHA256
2445c403447490dd7227617f7e8017da429ad65985fe013c6662906af15da4b0

SHA512
00aec80c11219c86f52c1984f8f40f992e24b6aeda1a953b20891ecd8976cdd767aa78c066924ee5c732e10149449dadc4dc7425e5ba3be9c8ca0fc150498bc9

Download Submit
C:\Program Files\KMSpico\sounds\inputok.mp3
Filesize
2KB

MD5
28a23b81aefec1336a1046671dc5af30

SHA1
5c89b9b708d26cd44af9635fce8c0abd1fb71433

SHA256
0131a883e4b66e77becc17594a386bcd69e04f1e5185e4ae8a554fc3a39bb81a

SHA512
bc300f57b91a13ec31c9722c87004ea560fee7c6bedb12703281827163734819edaf3a22e322dd7f39c192ac0c319b34171a36dd9190985be33d106fa19a30bb

Download Submit
C:\Program Files\KMSpico\sounds\processing.mp3
Filesize
6KB

MD5
fa3dfa3bd735d73281f10a91d593d52a

SHA1
4e859fc874b61d09f0c63714385cb73843fb07e7

SHA256
9390c99249423929fb82c2aad89e19249e493e4845d0c8babc99e1b594643f34

SHA512
bb3908c9458e1494a83a33532e6e165a05acacfe44820cda5c82d70e3662e7b9571c7020d9720a694f8b91e41284779b5df09d300193a46e70656d449310aa4f

Download Submit
C:\ProgramData\mozglue.dll
Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\nss3.dll
Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\KMSELDI.exe.log
Filesize
2KB

MD5
e266f25216f4826820e8525161f370f6

SHA1
d66237df98d220919ec0c50b375f9820dda183e1

SHA256
6b4b34bb1d0be3455fc808e752bdf21f9a0496521fcb1c0838134fc7728bd86a

SHA512
26dabb589a8d6222529e41b2a357aad6f4d73e5b50b29cf34bf2baae52c10b4fd4256b31e417351d56d395794e54d3f48993c77f2609db4e75923cb118603da3

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-BE601.tmp\KMSpico.tmp
Filesize
703KB

MD5
1778c1f66ff205875a6435a33229ab3c

SHA1
5b6189159b16c6f85feed66834af3e06c0277a19

SHA256
95c06acac4fe4598840e5556f9613d43aa1039c52dac64536f59e45a70f79da6

SHA512
8844de1296ce707e3c5c71823f5118f8f2e50287ace3a2ee1ec0b69df0ec48ebcf5b755db669d2cd869d345fb06a9c07b36e98eda8c32a9b26b8fe22bdc105a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-BE601.tmp\KMSpico.tmp
Filesize
703KB

MD5
1778c1f66ff205875a6435a33229ab3c

SHA1
5b6189159b16c6f85feed66834af3e06c0277a19

SHA256
95c06acac4fe4598840e5556f9613d43aa1039c52dac64536f59e45a70f79da6

SHA512
8844de1296ce707e3c5c71823f5118f8f2e50287ace3a2ee1ec0b69df0ec48ebcf5b755db669d2cd869d345fb06a9c07b36e98eda8c32a9b26b8fe22bdc105a0

Download Submit
C:\Users\Admin\AppData\Roaming\kmspico\KMSpico.exe
Filesize
3.1MB

MD5
a02164371a50c5ff9fa2870ef6e8cfa3

SHA1
060614723f8375ecaad8b249ff07e3be082d7f25

SHA256
64c731adbe1b96cb5765203b1e215093dcf268d020b299445884a4ae62ed2d3a

SHA512
6c6903f3a3092fd3d63c373189f2c06e12de032ee4fd6b80a15f58eaeb2079f3ae8a8bcdac85a358b1f9070b192b1c8260f9aa127d009b5afce475f966e91326

Download Submit
C:\Users\Admin\AppData\Roaming\kmspico\KMSpico.exe
Filesize
3.1MB

MD5
a02164371a50c5ff9fa2870ef6e8cfa3

SHA1
060614723f8375ecaad8b249ff07e3be082d7f25

SHA256
64c731adbe1b96cb5765203b1e215093dcf268d020b299445884a4ae62ed2d3a

SHA512
6c6903f3a3092fd3d63c373189f2c06e12de032ee4fd6b80a15f58eaeb2079f3ae8a8bcdac85a358b1f9070b192b1c8260f9aa127d009b5afce475f966e91326

Download Submit
C:\Users\Admin\AppData\Roaming\kmspico\MEGAsync.exe
Filesize
437KB

MD5
4343f876095c2d22d822830ec9a0f82d

SHA1
28f641d256b0b08fb3c1f6ac0725df20071f81d8

SHA256
fc89b9e1eece162d0c71323c56458e653cc4b4af1a49a9e3f8e24a4efa8d099c

SHA512
b33d712ba04e2695416c85e5636991badd73ebdac6d45c94a6f91130b87755dbb81e29f72125ee066b3cbf7f42447aca007b1b25bf22b9f5b5dc06a270f281c7

Download Submit
C:\Users\Admin\AppData\Roaming\kmspico\MEGAsync.exe
Filesize
437KB

MD5
4343f876095c2d22d822830ec9a0f82d

SHA1
28f641d256b0b08fb3c1f6ac0725df20071f81d8

SHA256
fc89b9e1eece162d0c71323c56458e653cc4b4af1a49a9e3f8e24a4efa8d099c

SHA512
b33d712ba04e2695416c85e5636991badd73ebdac6d45c94a6f91130b87755dbb81e29f72125ee066b3cbf7f42447aca007b1b25bf22b9f5b5dc06a270f281c7

Download Submit
C:\Users\Admin\AppData\Roaming\kmspico\MEGAsync.exe
Filesize
437KB

MD5
4343f876095c2d22d822830ec9a0f82d

SHA1
28f641d256b0b08fb3c1f6ac0725df20071f81d8

SHA256
fc89b9e1eece162d0c71323c56458e653cc4b4af1a49a9e3f8e24a4efa8d099c

SHA512
b33d712ba04e2695416c85e5636991badd73ebdac6d45c94a6f91130b87755dbb81e29f72125ee066b3cbf7f42447aca007b1b25bf22b9f5b5dc06a270f281c7

Download Submit
C:\Users\Admin\AppData\Roaming\kmspico\script.vbs
Filesize
680B

MD5
eb4967a7a7f168ceecd72e2c6e04ea38

SHA1
485c7a3ef47d5c29c4508e332fb526561d7607a8

SHA256
846278491cc82d234e1145ffdea7584aeced3f5d604849d1b6f790dfbeda199f

SHA512
6a82951f214e1c999c6957da73ea5f1bd3b6e2cfd68cbc515e68b9c3729f4660e3674e298e04f845513731d4574fdba748775d4b69e52315d8d58b628505d937

Download Submit
C:\Windows\SECOH-QAD.dll
Filesize
3KB

MD5
6d7fdbf9ceac51a76750fd38cf801f30

SHA1
6ef8310627537b1d24409574bc3c398cd97c474c

SHA256
0398221231cff97e1fdc03d357ac4610afb8f3cdde4c90a9ec4d7823b405699e

SHA512
b48d7eb268f8b46ff6a4782070bf6f2109ccc43166b8c64beb73348533b98f69aab5630386f4b5966b6e706f906b599fec5ff885d3e4572ed24acb6c6691fec8

Download Submit
C:\Windows\SECOH-QAD.dll
Filesize
3KB

MD5
6d7fdbf9ceac51a76750fd38cf801f30

SHA1
6ef8310627537b1d24409574bc3c398cd97c474c

SHA256
0398221231cff97e1fdc03d357ac4610afb8f3cdde4c90a9ec4d7823b405699e

SHA512
b48d7eb268f8b46ff6a4782070bf6f2109ccc43166b8c64beb73348533b98f69aab5630386f4b5966b6e706f906b599fec5ff885d3e4572ed24acb6c6691fec8

Download Submit
C:\Windows\SECOH-QAD.exe
Filesize
4KB

MD5
38de5b216c33833af710e88f7f64fc98

SHA1
66c72019eafa41bbf3e708cc3824c7c4447bdab6

SHA256
9896a6fcb9bb5ac1ec5297b4a65be3f647589adf7c37b45f3f7466decd6a4a7f

SHA512
99b9a9d5970eb10a903bde703c638f7dc639eb4894dfd84d8d94ce1326087c09fa415ef5bc0db7fd0248827045de24b78a680f301a59395215e50051056d1490

Download Submit
C:\Windows\SECOH-QAD.exe
Filesize
4KB

MD5
38de5b216c33833af710e88f7f64fc98

SHA1
66c72019eafa41bbf3e708cc3824c7c4447bdab6

SHA256
9896a6fcb9bb5ac1ec5297b4a65be3f647589adf7c37b45f3f7466decd6a4a7f

SHA512
99b9a9d5970eb10a903bde703c638f7dc639eb4894dfd84d8d94ce1326087c09fa415ef5bc0db7fd0248827045de24b78a680f301a59395215e50051056d1490

Download Submit
memory/376-160-0x00007FF98F640000-0x00007FF990101000-memory.dmp

Filesize
10.8MB

Download
memory/376-154-0x0000000000090000-0x000000000017A000-memory.dmp

Filesize
936KB

Download
memory/376-173-0x00007FF98F640000-0x00007FF990101000-memory.dmp

Filesize
10.8MB

Download
memory/376-151-0x0000000000000000-mapping.dmp

Download
memory/376-174-0x000000001ACA9000-0x000000001ACAF000-memory.dmp

Filesize
24KB

Download
memory/376-181-0x00007FF98F640000-0x00007FF990101000-memory.dmp

Filesize
10.8MB

Download
memory/376-182-0x000000001ACA9000-0x000000001ACAF000-memory.dmp

Filesize
24KB

Download
memory/376-161-0x000000001B640000-0x000000001BB80000-memory.dmp

Filesize
5.2MB

Download
memory/376-162-0x000000001ACA9000-0x000000001ACAF000-memory.dmp

Filesize
24KB

Download
memory/1420-147-0x0000000000000000-mapping.dmp

Download
memory/1420-150-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1512-202-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1512-196-0x0000000000000000-mapping.dmp

Download
memory/1512-206-0x0000000050C20000-0x0000000050D13000-memory.dmp

Filesize
972KB

Download
memory/1512-204-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1512-226-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1512-200-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1512-197-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1532-227-0x0000000000000000-mapping.dmp

Download
memory/1848-141-0x0000000000000000-mapping.dmp

Download
memory/1852-136-0x0000000000000000-mapping.dmp

Download
memory/1852-144-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1852-191-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1852-139-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1992-180-0x0000000000000000-mapping.dmp

Download
memory/2800-158-0x0000000000000000-mapping.dmp

Download
memory/3744-134-0x0000000000000000-mapping.dmp

Download
memory/3928-145-0x0000000000000000-mapping.dmp

Download
memory/4308-205-0x0000000000000000-mapping.dmp

Download
memory/4600-146-0x0000000000000000-mapping.dmp

Download
memory/4652-189-0x0000000000000000-mapping.dmp

Download
memory/4760-157-0x0000000000000000-mapping.dmp

Download
memory/4844-132-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4844-203-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4844-133-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4948-179-0x0000000000000000-mapping.dmp

Download
memory/4952-241-0x000000001C989000-0x000000001C98F000-memory.dmp

Filesize
24KB

Download
memory/4952-244-0x00000000217B0000-0x00000000217C0000-memory.dmp

Filesize
64KB

Download
memory/4952-259-0x000000001C989000-0x000000001C98F000-memory.dmp

Filesize
24KB

Download
memory/4952-258-0x00007FF98E430000-0x00007FF98EEF1000-memory.dmp

Filesize
10.8MB

Download
memory/4952-233-0x00000000217B0000-0x00000000217C0000-memory.dmp

Filesize
64KB

Download
memory/4952-257-0x0000000020E30000-0x0000000020E40000-memory.dmp

Filesize
64KB

Download
memory/4952-256-0x0000000020E40000-0x0000000020E50000-memory.dmp

Filesize
64KB

Download
memory/4952-236-0x00000000217B0000-0x00000000217C0000-memory.dmp

Filesize
64KB

Download
memory/4952-237-0x0000000022710000-0x0000000022720000-memory.dmp

Filesize
64KB

Download
memory/4952-238-0x0000000021820000-0x0000000021830000-memory.dmp

Filesize
64KB

Download
memory/4952-239-0x0000000022710000-0x0000000022720000-memory.dmp

Filesize
64KB

Download
memory/4952-255-0x0000000020E30000-0x0000000020E40000-memory.dmp

Filesize
64KB

Download
memory/4952-254-0x00000000217B0000-0x00000000217C0000-memory.dmp

Filesize
64KB

Download
memory/4952-242-0x00000000217B0000-0x00000000217C0000-memory.dmp

Filesize
64KB

Download
memory/4952-243-0x00000000217B0000-0x00000000217C0000-memory.dmp

Filesize
64KB

Download
memory/4952-230-0x00007FF98E430000-0x00007FF98EEF1000-memory.dmp

Filesize
10.8MB

Download
memory/4952-245-0x00007FF98E430000-0x00007FF98EEF1000-memory.dmp

Filesize
10.8MB

Download
memory/4952-246-0x0000000022710000-0x0000000022720000-memory.dmp

Filesize
64KB

Download
memory/4952-247-0x0000000021820000-0x0000000021830000-memory.dmp

Filesize
64KB

Download
memory/4952-248-0x0000000022710000-0x0000000022720000-memory.dmp

Filesize
64KB

Download
memory/4952-249-0x000000001C989000-0x000000001C98F000-memory.dmp

Filesize
24KB

Download
memory/4952-250-0x00000000217B0000-0x00000000217C0000-memory.dmp

Filesize
64KB

Download
memory/4952-251-0x000000001C950000-0x000000001C960000-memory.dmp

Filesize
64KB

Download
memory/4964-195-0x00000000006C8000-0x00000000006FB000-memory.dmp

Filesize
204KB

Download
memory/4964-201-0x0000000002140000-0x000000000219E000-memory.dmp

Filesize
376KB

Download
memory/4964-199-0x00000000006C8000-0x00000000006FB000-memory.dmp

Filesize
204KB

Download
memory/4964-192-0x0000000000000000-mapping.dmp

Download
memory/5048-183-0x0000000000000000-mapping.dmp

Download
memory/5048-186-0x0000000000900000-0x00000000009BA000-memory.dmp

Filesize
744KB

Download
memory/5048-188-0x00007FF98F640000-0x00007FF990101000-memory.dmp

Filesize
10.8MB

Download
memory/5048-190-0x00007FF98F640000-0x00007FF990101000-memory.dmp

Filesize
10.8MB

Download