luminosity | e0c720e092c6c0265f3e2a37f0636a26a7fdefc6a49069c659dbe3c5e35aefd6

Analysis

max time kernel
150s
max time network
146s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
26-02-2023 06:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

KMSpico_11_final_setup.exe
Size

6.6MB
MD5

78d2d7076e5c3f18ef75e4e570b1e0fe
SHA1

8e15869622584d541465f37a87030f171960b7f1
SHA256

e0c720e092c6c0265f3e2a37f0636a26a7fdefc6a49069c659dbe3c5e35aefd6
SHA512

75e4ddadc01ad2d8ed66d76e7f9899f79f1605e82ebbd60d76e15dfd8f76502f1ca0213ae36fbe3d2d6d4268ebb9621dc88d9f247b69078fdf8ad6e4e4f10997
SSDEEP

196608:A4/yHz6/hnjvDc9L+4NKg0KWT/f+89ve:TaT6pnTSLZLrWT/2uG

Score

10^/10

luminosity discovery evasion persistence rat upx

Malware Config

Signatures

Luminosity 5 IoCs

Luminosity is a RAT family that was on sale, while claiming to be a system administration utility.

rat luminosity

description	ioc	pid	Process
		1336	schtasks.exe
		1684	schtasks.exe
		764	schtasks.exe
File opened for modification	C:\Windows\SysWOW64\GDIPFONTCACHEV1.DAT		KMSpico_11_final_setup.exe
		880	schtasks.exe

Creates new service(s) 1 TTPs
persistence

New Service
T1050
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Executes dropped EXE 10 IoCs

pid	Process
1868	a5a8c2dc-878f-4b7b-b58c-0dc250e9930c.exe
1308	KMSpico_setup.exe
1676	KMSpico_setup.tmp
1172	KMSpico_setup.exe
996	KMSpico_setup.tmp
1496	_setup.tmp
576	a5a8c2dc-878f-4b7b-b58c-0dc250e9930c.exe
552	UninsHs.exe
1668	KMSELDI.exe
2864	AutoPico.exe

Loads dropped DLL 20 IoCs

pid	Process
1992	KMSpico_11_final_setup.exe
1992	KMSpico_11_final_setup.exe
1308	KMSpico_setup.exe
1676	KMSpico_setup.tmp
1676	KMSpico_setup.tmp
1172	KMSpico_setup.exe
2016	_setup.exe
1496	_setup.tmp
1496	_setup.tmp
1992	KMSpico_11_final_setup.exe
1992	KMSpico_11_final_setup.exe
1496	_setup.tmp
1496	_setup.tmp
1496	_setup.tmp
1496	_setup.tmp
552	UninsHs.exe
552	UninsHs.exe
552	UninsHs.exe
1496	_setup.tmp
1496	_setup.tmp

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0006000000018b16-975.dat	upx
behavioral1/files/0x0006000000018b16-981.dat	upx
behavioral1/files/0x0006000000018b16-980.dat	upx
behavioral1/files/0x0006000000018b16-983.dat	upx
behavioral1/files/0x0006000000018b16-986.dat	upx
behavioral1/files/0x0006000000018b16-989.dat	upx
behavioral1/files/0x0006000000018b16-988.dat	upx
behavioral1/files/0x0006000000018b16-987.dat	upx
behavioral1/memory/552-990-0x0000000000400000-0x0000000000417000-memory.dmp	upx
behavioral1/memory/1496-1156-0x0000000008AB0000-0x0000000008AB8000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	REG.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\svchost = "cmd /c \"start \"svchost\" \"C:\\Program Files (x86)\\Windows\\svchost.exe\""	REG.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	KMSpico_11_final_setup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	KMSpico_11_final_setup.exe

Checks system information in the registry 2 TTPs 1 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	KMSpico_setup.tmp

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\system32\is-BO8BA.tmp	_setup.tmp
File created	C:\Windows\system32\is-31R0F.tmp	_setup.tmp
File opened for modification	C:\Windows\system32\Vestris.ResourceLib.dll	_setup.tmp
File created	C:\Windows\system32\is-PNSVN.tmp	_setup.tmp

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1992 set thread context of 912	1992	KMSpico_11_final_setup.exe	29
PID 1992 set thread context of 1596	1992	KMSpico_11_final_setup.exe	59

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\KMSpico\driver\is-FTK6E.tmp	_setup.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2010\ProjectPro\is-V031P.tmp	_setup.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2010\ProjectStd\is-F4FFU.tmp	_setup.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2010\Word\is-8OPQN.tmp	_setup.tmp
File created	C:\Program Files\KMSpico\cert\kmscertW6\Business\is-39505.tmp	_setup.tmp
File created	C:\Program Files\KMSpico\cert\kmscertW6\BusinessN\is-M0JI3.tmp	_setup.tmp
File created	C:\Program Files\KMSpico\cert\kmscertW6\Enterprise\is-N630O.tmp	_setup.tmp
File created	C:\Program Files\KMSpico\cert\kmscertW8\Enterprise\is-6KA4V.tmp	_setup.tmp
File created	C:\Program Files\KMSpico\sounds\is-DJIJ0.tmp	_setup.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2010\Excel\is-HNP45.tmp	_setup.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2010\ProjectStd\is-MM46M.tmp	_setup.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2013\InfoPath\is-N443G.tmp	_setup.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2013\ProPlus\is-O262A.tmp	_setup.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2016\VisioStd\is-4FQRT.tmp	_setup.tmp
File created	C:\Program Files\KMSpico\cert\kmscertW10\Professional\is-92R0L.tmp	_setup.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2010\Excel\is-BD3GI.tmp	_setup.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2010\ProjectPro\is-BV4P5.tmp	_setup.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2013\Standard\is-0CH9O.tmp	_setup.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2016\OneNote\is-9IS8N.tmp	_setup.tmp
File created	C:\Program Files\KMSpico\cert\kmscertW10\Core\is-JL5FJ.tmp	_setup.tmp
File created	C:\Program Files\KMSpico\sounds\is-IAG08.tmp	_setup.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2013\ProjectPro\is-43L9N.tmp	_setup.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2016\Standard\is-OD93C.tmp	_setup.tmp
File created	C:\Program Files\KMSpico\driver\is-L77K6.tmp	_setup.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2010\OneNote\is-V89IC.tmp	_setup.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2013\Access\is-GPJ3H.tmp	_setup.tmp
File created	C:\Program Files\KMSpico\cert\kmscertW6\Business\is-VV3T8.tmp	_setup.tmp
File created	C:\Program Files\KMSpico\cert\kmscertW7\Embedded\is-T2RH2.tmp	_setup.tmp
File created	C:\Program Files\KMSpico\cert\kmscertW81\ProfessionalWMC\is-F6RDV.tmp	_setup.tmp
File created	C:\Program Files\KMSpico\sounds\is-D50S8.tmp	_setup.tmp
File created	C:\Program Files\KMSpico\DM.bin	KMSELDI.exe
File created	C:\Program Files\KMSpico\is-IS1IG.tmp	_setup.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2010\Publisher\is-LQ5E6.tmp	_setup.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2013\Access\is-N12RP.tmp	_setup.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2010\ProPlus\is-H5VN0.tmp	_setup.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2013\Access\is-17BDS.tmp	_setup.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2013\Word\is-VBOGS.tmp	_setup.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2016\Excel\is-H4MDR.tmp	_setup.tmp
File created	C:\Program Files\KMSpico\cert\kmscertW7\Professional\is-H219N.tmp	_setup.tmp
File opened for modification	C:\Program Files\KMSpico\Service_KMS.exe	_setup.tmp
File created	C:\Program Files\KMSpico\is-3558O.tmp	_setup.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2010\Visio\is-HNT59.tmp	_setup.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2013\Standard\is-EGP2O.tmp	_setup.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2016\SkypeforBusiness\is-S8BF9.tmp	_setup.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2016\Word\is-IVKJL.tmp	_setup.tmp
File created	C:\Program Files\KMSpico\sounds\is-H45L2.tmp	_setup.tmp
File created	C:\Program Files\KMSpico\is-HC2JV.tmp	_setup.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2010\Access\is-PMQQ1.tmp	_setup.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2010\ProjectStd\is-0MCDA.tmp	_setup.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2010\Publisher\is-B1JF6.tmp	_setup.tmp
File created	C:\Program Files\KMSpico\cert\kmscertW6\Enterprise\is-N28NV.tmp	_setup.tmp
File created	C:\Program Files\KMSpico\cert\kmscertW8\CoreN\is-8PRJ5.tmp	_setup.tmp
File created	C:\Program Files\KMSpico\scripts\is-1CB6C.tmp	_setup.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2010\Access\is-4K5ES.tmp	_setup.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2010\Visio\is-T79PI.tmp	_setup.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2010\Visio\is-C2VML.tmp	_setup.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2013\Excel\is-ILJLH.tmp	_setup.tmp
File created	C:\Program Files\KMSpico\cert\kmscertW7\Professional\is-BOPCJ.tmp	_setup.tmp
File created	C:\Program Files\KMSpico\cert\kmscertW81\EmbeddedIndustry\is-09T7B.tmp	_setup.tmp
File created	C:\Program Files\KMSpico\cert\kmscertW81\ServerStandard\is-E0A8M.tmp	_setup.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2010\Groove\is-Q6HS9.tmp	_setup.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2010\PowerPoint\is-GPS90.tmp	_setup.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2010\SmallBusBasics\is-CMCLQ.tmp	_setup.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2013\ProPlus\is-MEK77.tmp	_setup.tmp

Launches sc.exe 7 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
328	sc.exe
1940	sc.exe
948	sc.exe
1240	sc.exe
784	sc.exe
764	sc.exe
1240	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
764	schtasks.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
1708	taskkill.exe

Modifies Control Panel 2 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Control Panel\Desktop\PaintDesktopVersion = "0"	KMSELDI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Control Panel\Desktop\PaintDesktopVersion = "0"	AutoPico.exe

Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter	_setup.tmp
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\EnabledV9 = "0"	_setup.tmp

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
1868	a5a8c2dc-878f-4b7b-b58c-0dc250e9930c.exe
912	KMSpico_11_final_setup.exe
576	a5a8c2dc-878f-4b7b-b58c-0dc250e9930c.exe
1496	_setup.tmp
1496	_setup.tmp
912	KMSpico_11_final_setup.exe
912	KMSpico_11_final_setup.exe
912	KMSpico_11_final_setup.exe
912	KMSpico_11_final_setup.exe
912	KMSpico_11_final_setup.exe
912	KMSpico_11_final_setup.exe
912	KMSpico_11_final_setup.exe
1496	_setup.tmp
912	KMSpico_11_final_setup.exe
912	KMSpico_11_final_setup.exe
912	KMSpico_11_final_setup.exe
912	KMSpico_11_final_setup.exe
912	KMSpico_11_final_setup.exe
912	KMSpico_11_final_setup.exe
1172	KMSpico_setup.exe
912	KMSpico_11_final_setup.exe
912	KMSpico_11_final_setup.exe
912	KMSpico_11_final_setup.exe
912	KMSpico_11_final_setup.exe
912	KMSpico_11_final_setup.exe
912	KMSpico_11_final_setup.exe
912	KMSpico_11_final_setup.exe
912	KMSpico_11_final_setup.exe
912	KMSpico_11_final_setup.exe
912	KMSpico_11_final_setup.exe
912	KMSpico_11_final_setup.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
1992	KMSpico_11_final_setup.exe
1992	KMSpico_11_final_setup.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	1992	KMSpico_11_final_setup.exe
Token: SeDebugPrivilege	1868	a5a8c2dc-878f-4b7b-b58c-0dc250e9930c.exe
Token: SeDebugPrivilege	1708	taskkill.exe
Token: SeDebugPrivilege	912	KMSpico_11_final_setup.exe
Token: SeDebugPrivilege	576	a5a8c2dc-878f-4b7b-b58c-0dc250e9930c.exe
Token: SeSystemtimePrivilege	1668	KMSELDI.exe
Token: SeSystemtimePrivilege	2864	AutoPico.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1496	_setup.tmp

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
912	KMSpico_11_final_setup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1992 wrote to memory of 912	1992	KMSpico_11_final_setup.exe	29
PID 1992 wrote to memory of 912	1992	KMSpico_11_final_setup.exe	29
PID 1992 wrote to memory of 912	1992	KMSpico_11_final_setup.exe	29
PID 1992 wrote to memory of 912	1992	KMSpico_11_final_setup.exe	29
PID 1992 wrote to memory of 912	1992	KMSpico_11_final_setup.exe	29
PID 1992 wrote to memory of 912	1992	KMSpico_11_final_setup.exe	29
PID 1992 wrote to memory of 912	1992	KMSpico_11_final_setup.exe	29
PID 1992 wrote to memory of 912	1992	KMSpico_11_final_setup.exe	29
PID 1992 wrote to memory of 1868	1992	KMSpico_11_final_setup.exe	30
PID 1992 wrote to memory of 1868	1992	KMSpico_11_final_setup.exe	30
PID 1992 wrote to memory of 1868	1992	KMSpico_11_final_setup.exe	30
PID 1992 wrote to memory of 1868	1992	KMSpico_11_final_setup.exe	30
PID 1868 wrote to memory of 1744	1868	a5a8c2dc-878f-4b7b-b58c-0dc250e9930c.exe	32
PID 1868 wrote to memory of 1744	1868	a5a8c2dc-878f-4b7b-b58c-0dc250e9930c.exe	32
PID 1868 wrote to memory of 1744	1868	a5a8c2dc-878f-4b7b-b58c-0dc250e9930c.exe	32
PID 1744 wrote to memory of 1308	1744	WScript.exe	33
PID 1744 wrote to memory of 1308	1744	WScript.exe	33
PID 1744 wrote to memory of 1308	1744	WScript.exe	33
PID 1744 wrote to memory of 1308	1744	WScript.exe	33
PID 1744 wrote to memory of 1308	1744	WScript.exe	33
PID 1744 wrote to memory of 1308	1744	WScript.exe	33
PID 1744 wrote to memory of 1308	1744	WScript.exe	33
PID 1308 wrote to memory of 1676	1308	KMSpico_setup.exe	34
PID 1308 wrote to memory of 1676	1308	KMSpico_setup.exe	34
PID 1308 wrote to memory of 1676	1308	KMSpico_setup.exe	34
PID 1308 wrote to memory of 1676	1308	KMSpico_setup.exe	34
PID 1308 wrote to memory of 1676	1308	KMSpico_setup.exe	34
PID 1308 wrote to memory of 1676	1308	KMSpico_setup.exe	34
PID 1308 wrote to memory of 1676	1308	KMSpico_setup.exe	34
PID 1676 wrote to memory of 1172	1676	KMSpico_setup.tmp	35
PID 1676 wrote to memory of 1172	1676	KMSpico_setup.tmp	35
PID 1676 wrote to memory of 1172	1676	KMSpico_setup.tmp	35
PID 1676 wrote to memory of 1172	1676	KMSpico_setup.tmp	35
PID 1676 wrote to memory of 1172	1676	KMSpico_setup.tmp	35
PID 1676 wrote to memory of 1172	1676	KMSpico_setup.tmp	35
PID 1676 wrote to memory of 1172	1676	KMSpico_setup.tmp	35
PID 1172 wrote to memory of 996	1172	KMSpico_setup.exe	36
PID 1172 wrote to memory of 996	1172	KMSpico_setup.exe	36
PID 1172 wrote to memory of 996	1172	KMSpico_setup.exe	36
PID 1172 wrote to memory of 996	1172	KMSpico_setup.exe	36
PID 1172 wrote to memory of 996	1172	KMSpico_setup.exe	36
PID 1172 wrote to memory of 996	1172	KMSpico_setup.exe	36
PID 1172 wrote to memory of 996	1172	KMSpico_setup.exe	36
PID 2016 wrote to memory of 1496	2016	_setup.exe	58
PID 2016 wrote to memory of 1496	2016	_setup.exe	58
PID 2016 wrote to memory of 1496	2016	_setup.exe	58
PID 2016 wrote to memory of 1496	2016	_setup.exe	58
PID 2016 wrote to memory of 1496	2016	_setup.exe	58
PID 2016 wrote to memory of 1496	2016	_setup.exe	58
PID 2016 wrote to memory of 1496	2016	_setup.exe	58
PID 1992 wrote to memory of 1596	1992	KMSpico_11_final_setup.exe	59
PID 1992 wrote to memory of 1596	1992	KMSpico_11_final_setup.exe	59
PID 1992 wrote to memory of 1596	1992	KMSpico_11_final_setup.exe	59
PID 1992 wrote to memory of 1596	1992	KMSpico_11_final_setup.exe	59
PID 1992 wrote to memory of 1596	1992	KMSpico_11_final_setup.exe	59
PID 1992 wrote to memory of 1596	1992	KMSpico_11_final_setup.exe	59
PID 1992 wrote to memory of 1596	1992	KMSpico_11_final_setup.exe	59
PID 1992 wrote to memory of 1596	1992	KMSpico_11_final_setup.exe	59
PID 912 wrote to memory of 1684	912	KMSpico_11_final_setup.exe	63
PID 912 wrote to memory of 1684	912	KMSpico_11_final_setup.exe	63
PID 912 wrote to memory of 1684	912	KMSpico_11_final_setup.exe	63
PID 912 wrote to memory of 1684	912	KMSpico_11_final_setup.exe	63
PID 1992 wrote to memory of 576	1992	KMSpico_11_final_setup.exe	60
PID 1992 wrote to memory of 576	1992	KMSpico_11_final_setup.exe	60

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\KMSpico_11_final_setup.exe
"C:\Users\Admin\AppData\Local\Temp\KMSpico_11_final_setup.exe"
1⤵
- Luminosity
- Loads dropped DLL
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1992
- C:\Users\Admin\AppData\Local\Temp\KMSpico_11_final_setup.exe
  "C:\Users\Admin\AppData\Local\Temp\KMSpico_11_final_setup.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:912
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn "svchost" /tr "'C:\Program Files (x86)\Windows\svchost.exe' /startup" /sc MINUTE /f /rl highest
    3⤵
    - Luminosity
    PID:1684
- - C:\Windows\SysWOW64\REG.exe
    REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "svchost" /d "cmd /c """start """svchost""" """C:\Program Files (x86)\Windows\svchost.exe"""" /f /reg:64
    3⤵
    - Adds Run key to start application
    PID:2548
- C:\Users\Admin\AppData\Local\Temp\a5a8c2dc-878f-4b7b-b58c-0dc250e9930c.exe
  "C:\Users\Admin\AppData\Local\Temp\a5a8c2dc-878f-4b7b-b58c-0dc250e9930c.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1868
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5e57de42-5fb2-46fd-a0ff-879f70c92e61\125665993.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1744
  - - C:\Users\Admin\AppData\Local\Temp\5e57de42-5fb2-46fd-a0ff-879f70c92e61\KMSpico_setup.exe
      "C:\Users\Admin\AppData\Local\Temp\5e57de42-5fb2-46fd-a0ff-879f70c92e61\KMSpico_setup.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1308
    - - C:\Users\Admin\AppData\Local\Temp\is-J08O7.tmp\KMSpico_setup.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-J08O7.tmp\KMSpico_setup.tmp" /SL5="$201D6,3598500,122880,C:\Users\Admin\AppData\Local\Temp\5e57de42-5fb2-46fd-a0ff-879f70c92e61\KMSpico_setup.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1676
      - C:\Users\Admin\AppData\Local\Temp\5e57de42-5fb2-46fd-a0ff-879f70c92e61\KMSpico_setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5e57de42-5fb2-46fd-a0ff-879f70c92e61\KMSpico_setup.exe" /VERYSILENT
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1172
        
        C:\Users\Admin\AppData\Local\Temp\is-QN7AF.tmp\KMSpico_setup.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-QN7AF.tmp\KMSpico_setup.tmp" /SL5="$301D6,3598500,122880,C:\Users\Admin\AppData\Local\Temp\5e57de42-5fb2-46fd-a0ff-879f70c92e61\KMSpico_setup.exe" /VERYSILENT
        7⤵
        Executes dropped EXE
        Checks system information in the registry
        
        PID:996
        
        C:\Windows\SysWOW64\taskkill.exe
        
        "taskkill.exe" /f /im "ISUSPM.exe"
        8⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1708
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks.exe" /delete /tn * /f
        8⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\sc.exe
        
        "sc.exe" delete isupdate.exe
        8⤵
        Launches sc.exe
        
        PID:784
        
        C:\Windows\SysWOW64\sc.exe
        
        "sc.exe" delete ISUSPM.exe
        8⤵
        Launches sc.exe
        
        PID:764
        
        C:\Windows\SysWOW64\sc.exe
        
        "sc.exe" delete msiupd.exe
        8⤵
        Launches sc.exe
        
        PID:1240
        
        C:\Windows\SysWOW64\sc.exe
        
        "sc.exe" delete router.exe
        8⤵
        Launches sc.exe
        
        PID:328
        
        C:\Windows\SysWOW64\sc.exe
        
        "sc.exe" delete Updater.exe
        8⤵
        Launches sc.exe
        
        PID:1940
        
        C:\Windows\SysWOW64\sc.exe
        
        "sc.exe" delete updatesvc.exe
        8⤵
        Launches sc.exe
        
        PID:948
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks.exe" /Create /F /SC ONLOGON /RL HIGHEST /TN "InstallShield® Update Service Scheduler" /TR "'C:\Program Files (x86)\Common Files\InstallShield\Update\ISUSPM.exe'"
        8⤵
        Luminosity
        
        PID:880
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks.exe" /Create /F /SC WEEKLY /D WED,SUN /ST 12:00 /RL HIGHEST /TN "Optimize Thumbnail Cache Files" /TR "wscript.exe //nologo //E:jscript //B C:\ProgramData\InstallShield\Update\isuspm.ini"
        8⤵
        Luminosity
        
        PID:1336
        
        C:\Users\Admin\AppData\Local\Temp\is-LQ0PE.tmp\_setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-LQ0PE.tmp\_setup.exe"
        8⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2016
        
        C:\Users\Admin\AppData\Local\Temp\is-LUJPS.tmp\_setup.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-LUJPS.tmp\_setup.tmp" /SL5="$B01FE,2952592,69120,C:\Users\Admin\AppData\Local\Temp\is-LQ0PE.tmp\_setup.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Drops file in Program Files directory
        Modifies Internet Explorer Phishing Filter
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        
        PID:1496
        
        C:\Program Files\KMSpico\UninsHs.exe
        
        "C:\Program Files\KMSpico\UninsHs.exe" /r0=KMSpico,default,C:\Users\Admin\AppData\Local\Temp\is-LQ0PE.tmp\_setup.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:552
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /C ""C:\Program Files\KMSpico\scripts\Install_Task.cmd""
        10⤵
        
        PID:108
        
        C:\Windows\system32\schtasks.exe
        
        SCHTASKS /Create /TN "AutoPico Daily Restart" /TR "'C:\Program Files\KMSpico\AutoPico.exe' /silent" /SC DAILY /ST 23:59:59 /RU "NT AUTHORITY\SYSTEM" /RL Highest /F
        11⤵
        Luminosity
        Creates scheduled task(s)
        
        PID:764
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /C ""C:\Program Files\KMSpico\scripts\Install_Service.cmd""
        10⤵
        
        PID:768
        
        C:\Windows\system32\sc.exe
        
        sc create "Service KMSELDI" binPath= "C:\Program Files\KMSpico\Service_KMS.exe" type= own error= normal start= auto DisplayName= "Service KMSELDI"
        11⤵
        Launches sc.exe
        
        PID:1240
        
        C:\Program Files\KMSpico\KMSELDI.exe
        
        "C:\Program Files\KMSpico\KMSELDI.exe" /silent /backup
        10⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Modifies Control Panel
        Suspicious use of AdjustPrivilegeToken
        
        PID:1668
        
        C:\Program Files\KMSpico\AutoPico.exe
        
        "C:\Program Files\KMSpico\AutoPico.exe" /silent
        10⤵
        Executes dropped EXE
        Modifies Control Panel
        Suspicious use of AdjustPrivilegeToken
        
        PID:2864
- C:\Users\Admin\AppData\Local\Temp\KMSpico_11_final_setup.exe
  "C:\Users\Admin\AppData\Local\Temp\KMSpico_11_final_setup.exe"
  2⤵
  PID:1596
- C:\Users\Admin\AppData\Local\Temp\a5a8c2dc-878f-4b7b-b58c-0dc250e9930c.exe
  "C:\Users\Admin\AppData\Local\Temp\a5a8c2dc-878f-4b7b-b58c-0dc250e9930c.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:576

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

New Service

T1050

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

New Service

T1050

Scheduled Task

T1053

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows\svchost.exe

Filesize
6.6MB

MD5
78d2d7076e5c3f18ef75e4e570b1e0fe

SHA1
8e15869622584d541465f37a87030f171960b7f1

SHA256
e0c720e092c6c0265f3e2a37f0636a26a7fdefc6a49069c659dbe3c5e35aefd6

SHA512
75e4ddadc01ad2d8ed66d76e7f9899f79f1605e82ebbd60d76e15dfd8f76502f1ca0213ae36fbe3d2d6d4268ebb9621dc88d9f247b69078fdf8ad6e4e4f10997

Download Submit
C:\Program Files\KMSpico\AutoPico.exe

Filesize
728KB

MD5
cfe1c391464c446099a5eb33276f6d57

SHA1
9999bfcded2c953e025eabaa66b4971dab122c24

SHA256
4a714d98ce40f5f3577c306a66cb4a6b1ff3fd01047c7f4581f8558f0bcdf5fa

SHA512
4119a1722202bbc33339747ea02fd35b327890d55bb472cd1e2146ca446d8ba6fddb1e8cf8bbfaeb08aec8ed2a9d5c0fa71b73510d409ffacd3908fa72bb53b4

Download Submit
C:\Program Files\KMSpico\AutoPico.exe

Filesize
728KB

MD5
cfe1c391464c446099a5eb33276f6d57

SHA1
9999bfcded2c953e025eabaa66b4971dab122c24

SHA256
4a714d98ce40f5f3577c306a66cb4a6b1ff3fd01047c7f4581f8558f0bcdf5fa

SHA512
4119a1722202bbc33339747ea02fd35b327890d55bb472cd1e2146ca446d8ba6fddb1e8cf8bbfaeb08aec8ed2a9d5c0fa71b73510d409ffacd3908fa72bb53b4

Download Submit
C:\Program Files\KMSpico\AutoPico.exe

Filesize
728KB

MD5
cfe1c391464c446099a5eb33276f6d57

SHA1
9999bfcded2c953e025eabaa66b4971dab122c24

SHA256
4a714d98ce40f5f3577c306a66cb4a6b1ff3fd01047c7f4581f8558f0bcdf5fa

SHA512
4119a1722202bbc33339747ea02fd35b327890d55bb472cd1e2146ca446d8ba6fddb1e8cf8bbfaeb08aec8ed2a9d5c0fa71b73510d409ffacd3908fa72bb53b4

Download Submit
C:\Program Files\KMSpico\DevComponents.DotNetBar2.dll

Filesize
5.2MB

MD5
1397b23f30681f97049df61f94f54d05

SHA1
5cb1ce6966e3d6d8b8c398cbd537c814312f194d

SHA256
fa76151a783250014ac8fa55d4c833100a623fcad1d6e2ddadcde259f5709609

SHA512
7d001b5942dad8ce1a83831b5a87f2fa6a1571bc133ce3c1ebe9988a43a7fcefc5cdb7870a6e692ef89fb815cfcff0e9c4b41f24ba0716c6808f190ea3c53535

Download Submit
C:\Program Files\KMSpico\KMSELDI.exe

Filesize
921KB

MD5
f0280de3880ef581bf14f9cc72ec1c16

SHA1
43d348e164c35f9e02370f6f66186fbfb15ae2a3

SHA256
50ebfa1dd5b147e40244607d5d5be25709edf2cc66247a78beb920c77ac514cc

SHA512
ac31a972e9e93e6671f44d403139b0db89d950097c848fbaf6b9965b722215f74e9ed9bb9e083d31328101e6fcfe7f960a08b3bea0813900f11d5c1bb40539a6

Download Submit
C:\Program Files\KMSpico\KMSELDI.exe

Filesize
921KB

MD5
f0280de3880ef581bf14f9cc72ec1c16

SHA1
43d348e164c35f9e02370f6f66186fbfb15ae2a3

SHA256
50ebfa1dd5b147e40244607d5d5be25709edf2cc66247a78beb920c77ac514cc

SHA512
ac31a972e9e93e6671f44d403139b0db89d950097c848fbaf6b9965b722215f74e9ed9bb9e083d31328101e6fcfe7f960a08b3bea0813900f11d5c1bb40539a6

Download Submit
C:\Program Files\KMSpico\KMSELDI.exe

Filesize
921KB

MD5
f0280de3880ef581bf14f9cc72ec1c16

SHA1
43d348e164c35f9e02370f6f66186fbfb15ae2a3

SHA256
50ebfa1dd5b147e40244607d5d5be25709edf2cc66247a78beb920c77ac514cc

SHA512
ac31a972e9e93e6671f44d403139b0db89d950097c848fbaf6b9965b722215f74e9ed9bb9e083d31328101e6fcfe7f960a08b3bea0813900f11d5c1bb40539a6

Download Submit
C:\Program Files\KMSpico\UninsHs.exe

Filesize
29KB

MD5
245824502aefe21b01e42f61955aa7f4

SHA1
a58682a8aae6302f1c934709c5aa1f6c86b2be99

SHA256
0a265b4bb8acceafaffb001632fa7e4c3f8ac39a71eda37f253e15bc1b8db90d

SHA512
204b39e31f22ba99cf09c5c8458fc94ea21b47aacc4abd305f71ba20a35d36bfc0ff53b95180542911c9c6f259db897dee76090d953f7ee18a8079caefda7981

Download Submit
C:\Program Files\KMSpico\UninsHs.exe

Filesize
29KB

MD5
245824502aefe21b01e42f61955aa7f4

SHA1
a58682a8aae6302f1c934709c5aa1f6c86b2be99

SHA256
0a265b4bb8acceafaffb001632fa7e4c3f8ac39a71eda37f253e15bc1b8db90d

SHA512
204b39e31f22ba99cf09c5c8458fc94ea21b47aacc4abd305f71ba20a35d36bfc0ff53b95180542911c9c6f259db897dee76090d953f7ee18a8079caefda7981

Download Submit
C:\Program Files\KMSpico\UninsHs.exe

Filesize
29KB

MD5
245824502aefe21b01e42f61955aa7f4

SHA1
a58682a8aae6302f1c934709c5aa1f6c86b2be99

SHA256
0a265b4bb8acceafaffb001632fa7e4c3f8ac39a71eda37f253e15bc1b8db90d

SHA512
204b39e31f22ba99cf09c5c8458fc94ea21b47aacc4abd305f71ba20a35d36bfc0ff53b95180542911c9c6f259db897dee76090d953f7ee18a8079caefda7981

Download Submit
C:\Program Files\KMSpico\logs\AutoPico.log

Filesize
3B

MD5
ecaa88f7fa0bf610a5a26cf545dcd3aa

SHA1
57218c316b6921e2cd61027a2387edc31a2d9471

SHA256
f1945cd6c19e56b3c1c78943ef5ec18116907a4ca1efc40a57d48ab1db7adfc5

SHA512
37c783b80b1d458b89e712c2dfe2777050eff0aefc9f6d8beedee77807d9aeb2e27d14815cf4f0229b1d36c186bb5f2b5ef55e632b108cc41e9fb964c39b42a5

Download Submit
C:\Program Files\KMSpico\logs\KMSELDI.log

Filesize
3KB

MD5
2b54a25b7992c319e14e5e603a534a73

SHA1
7718ddc91ec656a2591ae672eb2f422f6dd15c25

SHA256
272504e92e4bd580202bf0cc21a9ac52619096bf20e836f5be0a71ed43439d4d

SHA512
a9abe417a36dff01e71793a3cadb62b9d617e6a2e14566dc15c0a9f5548030717ab0260460f5ef46cc541c9d2e4ab2a5ff9e7aec51231a10d395c0006b360480

Download Submit
C:\Program Files\KMSpico\logs\KMSELDI.log

Filesize
4KB

MD5
596e0d98ea816e8c1ebc4178c57d4587

SHA1
7904c7b7dbd75af4632f692be8958509e382c662

SHA256
a1e4a37d05e7e21b60deeb3406a725c93badd501194007f37c924ed305949bd6

SHA512
84e7c596ba994d06d512b0eb7e508bc91d6a6b4faa24e6477f7945d970a648a16a3e3e8524b9e50675add9d4e1a40c364ca0ae3ae0ba2f5887e9ed0e45ae8b62

Download Submit
C:\Program Files\KMSpico\scripts\Install_Service.cmd

Filesize
213B

MD5
9107cd31951f2cf90e0892740b9087c9

SHA1
efac5c2e59ddef2f0a7782ad1dea8f6b25a07395

SHA256
11578521b14c17fbbb070c13887161586d57196f4d408c41a0f02ed07ee32f2c

SHA512
f6b66dcbbb8aa55793b63f20fc3718038d7c35f94570cf487b6e8393f67be6bd004dd64f3b8fc8345b7e02e2e8ec2d48ceed2494d9f1282ca020dbbaa621f457

Download Submit
C:\Program Files\KMSpico\scripts\Install_Task.cmd

Filesize
220B

MD5
ade709ca6a00370a4a6fea2425f948c1

SHA1
5919c95ef78bd4ab200f8071b98970ff9541a24a

SHA256
5b067073b968361fe489017d173040655f21890605d39cdb012a030dd75b52a8

SHA512
860f9f12bc4995fae7c74481c2b24a346e763e32a782b3826c0f0772ad90be48377faefd883c9a28b221f8476fd203782932fee859b079fb7d4b1b152cce7b53

Download Submit
C:\Users\Admin\AppData\Local\Temp\5e57de42-5fb2-46fd-a0ff-879f70c92e61\125665993.vbs

Filesize
511B

MD5
b78d84d98549910a6b639196988d73d9

SHA1
43c620c32b923e54e7b27a700836939e952fe226

SHA256
10b2e6313460af7d99911e21de85096d553bb80c23a89491031fe03867737314

SHA512
a5256f57e7f81736c212e35f77d56fd5f7c31b16591ba7e237a7c4291435bdbe7e20bc02afbf3526c92e36d7f522c0078cefdb3e4c30ad210a1a52603d333ddd

Download Submit
C:\Users\Admin\AppData\Local\Temp\5e57de42-5fb2-46fd-a0ff-879f70c92e61\125665993.vbs

Filesize
511B

MD5
b78d84d98549910a6b639196988d73d9

SHA1
43c620c32b923e54e7b27a700836939e952fe226

SHA256
10b2e6313460af7d99911e21de85096d553bb80c23a89491031fe03867737314

SHA512
a5256f57e7f81736c212e35f77d56fd5f7c31b16591ba7e237a7c4291435bdbe7e20bc02afbf3526c92e36d7f522c0078cefdb3e4c30ad210a1a52603d333ddd

Download Submit
C:\Users\Admin\AppData\Local\Temp\5e57de42-5fb2-46fd-a0ff-879f70c92e61\KMSpico_setup.exe

Filesize
3.7MB

MD5
f2d3ac0f919ceaef19dc3ae5f96cc038

SHA1
0189ef96d041bd8e3cb940c4329c05907fd5c0e3

SHA256
2fd8eed51595006b591eeade829e304c4db4c11c60aa733a7000629c4b92d34c

SHA512
78d5be1f2df96b30154406ec7f11a8031f7bad400050344c73ef8f98dd5c8c467ad8e7bd6370c0315ad0f43969c409c6c991d26071b08dd04b631f99a49b8c63

Download Submit
C:\Users\Admin\AppData\Local\Temp\5e57de42-5fb2-46fd-a0ff-879f70c92e61\KMSpico_setup.exe

Filesize
3.7MB

MD5
f2d3ac0f919ceaef19dc3ae5f96cc038

SHA1
0189ef96d041bd8e3cb940c4329c05907fd5c0e3

SHA256
2fd8eed51595006b591eeade829e304c4db4c11c60aa733a7000629c4b92d34c

SHA512
78d5be1f2df96b30154406ec7f11a8031f7bad400050344c73ef8f98dd5c8c467ad8e7bd6370c0315ad0f43969c409c6c991d26071b08dd04b631f99a49b8c63

Download Submit
C:\Users\Admin\AppData\Local\Temp\5e57de42-5fb2-46fd-a0ff-879f70c92e61\KMSpico_setup.exe

Filesize
3.7MB

MD5
f2d3ac0f919ceaef19dc3ae5f96cc038

SHA1
0189ef96d041bd8e3cb940c4329c05907fd5c0e3

SHA256
2fd8eed51595006b591eeade829e304c4db4c11c60aa733a7000629c4b92d34c

SHA512
78d5be1f2df96b30154406ec7f11a8031f7bad400050344c73ef8f98dd5c8c467ad8e7bd6370c0315ad0f43969c409c6c991d26071b08dd04b631f99a49b8c63

Download Submit
C:\Users\Admin\AppData\Local\Temp\5e57de42-5fb2-46fd-a0ff-879f70c92e61\KMSpico_setup.exe

Filesize
3.7MB

MD5
f2d3ac0f919ceaef19dc3ae5f96cc038

SHA1
0189ef96d041bd8e3cb940c4329c05907fd5c0e3

SHA256
2fd8eed51595006b591eeade829e304c4db4c11c60aa733a7000629c4b92d34c

SHA512
78d5be1f2df96b30154406ec7f11a8031f7bad400050344c73ef8f98dd5c8c467ad8e7bd6370c0315ad0f43969c409c6c991d26071b08dd04b631f99a49b8c63

Download Submit
C:\Users\Admin\AppData\Local\Temp\a5a8c2dc-878f-4b7b-b58c-0dc250e9930c.exe

Filesize
4.1MB

MD5
be894480a8ecc85ac82d4e9075481333

SHA1
a3c8c8be6dcb906f63db1573eb034952e75570f5

SHA256
cb5e2b75694b32b8c160e2a6f97905c6049defcab124937698f092b7fc4c82a1

SHA512
c4751e28189bd17f294ba804fbe9eb7181c64fc09ed3eb91d9d267a6dab589929322e650de31d473a6a1003a223abb123dd87642bd291959affc757aaa0e1f3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\a5a8c2dc-878f-4b7b-b58c-0dc250e9930c.exe

Filesize
4.1MB

MD5
be894480a8ecc85ac82d4e9075481333

SHA1
a3c8c8be6dcb906f63db1573eb034952e75570f5

SHA256
cb5e2b75694b32b8c160e2a6f97905c6049defcab124937698f092b7fc4c82a1

SHA512
c4751e28189bd17f294ba804fbe9eb7181c64fc09ed3eb91d9d267a6dab589929322e650de31d473a6a1003a223abb123dd87642bd291959affc757aaa0e1f3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\a5a8c2dc-878f-4b7b-b58c-0dc250e9930c.exe

Filesize
4.1MB

MD5
be894480a8ecc85ac82d4e9075481333

SHA1
a3c8c8be6dcb906f63db1573eb034952e75570f5

SHA256
cb5e2b75694b32b8c160e2a6f97905c6049defcab124937698f092b7fc4c82a1

SHA512
c4751e28189bd17f294ba804fbe9eb7181c64fc09ed3eb91d9d267a6dab589929322e650de31d473a6a1003a223abb123dd87642bd291959affc757aaa0e1f3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\a5a8c2dc-878f-4b7b-b58c-0dc250e9930c.exe

Filesize
4.1MB

MD5
be894480a8ecc85ac82d4e9075481333

SHA1
a3c8c8be6dcb906f63db1573eb034952e75570f5

SHA256
cb5e2b75694b32b8c160e2a6f97905c6049defcab124937698f092b7fc4c82a1

SHA512
c4751e28189bd17f294ba804fbe9eb7181c64fc09ed3eb91d9d267a6dab589929322e650de31d473a6a1003a223abb123dd87642bd291959affc757aaa0e1f3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\a5a8c2dc-878f-4b7b-b58c-0dc250e9930c.exe

Filesize
4.1MB

MD5
be894480a8ecc85ac82d4e9075481333

SHA1
a3c8c8be6dcb906f63db1573eb034952e75570f5

SHA256
cb5e2b75694b32b8c160e2a6f97905c6049defcab124937698f092b7fc4c82a1

SHA512
c4751e28189bd17f294ba804fbe9eb7181c64fc09ed3eb91d9d267a6dab589929322e650de31d473a6a1003a223abb123dd87642bd291959affc757aaa0e1f3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-J08O7.tmp\KMSpico_setup.tmp

Filesize
767KB

MD5
fb33895f8356d68212e76eb4e0654322

SHA1
cd2531ed83c3c879df1de7c10916f3aa0770a199

SHA256
a2b3b9ef41be708ab10402be3efcabe02af9554fba930abbb02d63c1ff2b62ab

SHA512
38f0216a867067b7ef5fbbc8766f47e22fb348afa20d209c2901937fb3381e121f6779c0825ab150ff3053b55fc4db2479d3b1cd41649e51fcff1691a821210c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-LUJPS.tmp\_setup.tmp

Filesize
703KB

MD5
1778c1f66ff205875a6435a33229ab3c

SHA1
5b6189159b16c6f85feed66834af3e06c0277a19

SHA256
95c06acac4fe4598840e5556f9613d43aa1039c52dac64536f59e45a70f79da6

SHA512
8844de1296ce707e3c5c71823f5118f8f2e50287ace3a2ee1ec0b69df0ec48ebcf5b755db669d2cd869d345fb06a9c07b36e98eda8c32a9b26b8fe22bdc105a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-LUJPS.tmp\_setup.tmp

Filesize
703KB

MD5
1778c1f66ff205875a6435a33229ab3c

SHA1
5b6189159b16c6f85feed66834af3e06c0277a19

SHA256
95c06acac4fe4598840e5556f9613d43aa1039c52dac64536f59e45a70f79da6

SHA512
8844de1296ce707e3c5c71823f5118f8f2e50287ace3a2ee1ec0b69df0ec48ebcf5b755db669d2cd869d345fb06a9c07b36e98eda8c32a9b26b8fe22bdc105a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-QN7AF.tmp\KMSpico_setup.tmp

Filesize
767KB

MD5
fb33895f8356d68212e76eb4e0654322

SHA1
cd2531ed83c3c879df1de7c10916f3aa0770a199

SHA256
a2b3b9ef41be708ab10402be3efcabe02af9554fba930abbb02d63c1ff2b62ab

SHA512
38f0216a867067b7ef5fbbc8766f47e22fb348afa20d209c2901937fb3381e121f6779c0825ab150ff3053b55fc4db2479d3b1cd41649e51fcff1691a821210c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-QN7AF.tmp\KMSpico_setup.tmp

Filesize
767KB

MD5
fb33895f8356d68212e76eb4e0654322

SHA1
cd2531ed83c3c879df1de7c10916f3aa0770a199

SHA256
a2b3b9ef41be708ab10402be3efcabe02af9554fba930abbb02d63c1ff2b62ab

SHA512
38f0216a867067b7ef5fbbc8766f47e22fb348afa20d209c2901937fb3381e121f6779c0825ab150ff3053b55fc4db2479d3b1cd41649e51fcff1691a821210c

Download Submit
C:\Windows\System32\Vestris.ResourceLib.dll

Filesize
88KB

MD5
3d733144477cadcf77009ef614413630

SHA1
0a530a2524084f1d2a85b419f033e1892174ab31

SHA256
392d73617fd0a55218261572ece2f50301e0cfa29b5ed24c3f692130aa406af3

SHA512
be6b524d67d69385a02874a2d96d4270335846bece7b528308e136428fd67af66a4216d90da4f288aeefd00a0ba5d5f3b5493824fcb352b919ab25e7ef50b81c

Download Submit
\Program Files\KMSpico\AutoPico.exe

Filesize
728KB

MD5
cfe1c391464c446099a5eb33276f6d57

SHA1
9999bfcded2c953e025eabaa66b4971dab122c24

SHA256
4a714d98ce40f5f3577c306a66cb4a6b1ff3fd01047c7f4581f8558f0bcdf5fa

SHA512
4119a1722202bbc33339747ea02fd35b327890d55bb472cd1e2146ca446d8ba6fddb1e8cf8bbfaeb08aec8ed2a9d5c0fa71b73510d409ffacd3908fa72bb53b4

Download Submit
\Program Files\KMSpico\AutoPico.exe

Filesize
728KB

MD5
cfe1c391464c446099a5eb33276f6d57

SHA1
9999bfcded2c953e025eabaa66b4971dab122c24

SHA256
4a714d98ce40f5f3577c306a66cb4a6b1ff3fd01047c7f4581f8558f0bcdf5fa

SHA512
4119a1722202bbc33339747ea02fd35b327890d55bb472cd1e2146ca446d8ba6fddb1e8cf8bbfaeb08aec8ed2a9d5c0fa71b73510d409ffacd3908fa72bb53b4

Download Submit
\Program Files\KMSpico\KMSELDI.exe

Filesize
921KB

MD5
f0280de3880ef581bf14f9cc72ec1c16

SHA1
43d348e164c35f9e02370f6f66186fbfb15ae2a3

SHA256
50ebfa1dd5b147e40244607d5d5be25709edf2cc66247a78beb920c77ac514cc

SHA512
ac31a972e9e93e6671f44d403139b0db89d950097c848fbaf6b9965b722215f74e9ed9bb9e083d31328101e6fcfe7f960a08b3bea0813900f11d5c1bb40539a6

Download Submit
\Program Files\KMSpico\KMSELDI.exe

Filesize
921KB

MD5
f0280de3880ef581bf14f9cc72ec1c16

SHA1
43d348e164c35f9e02370f6f66186fbfb15ae2a3

SHA256
50ebfa1dd5b147e40244607d5d5be25709edf2cc66247a78beb920c77ac514cc

SHA512
ac31a972e9e93e6671f44d403139b0db89d950097c848fbaf6b9965b722215f74e9ed9bb9e083d31328101e6fcfe7f960a08b3bea0813900f11d5c1bb40539a6

Download Submit
\Program Files\KMSpico\UninsHs.exe

Filesize
29KB

MD5
245824502aefe21b01e42f61955aa7f4

SHA1
a58682a8aae6302f1c934709c5aa1f6c86b2be99

SHA256
0a265b4bb8acceafaffb001632fa7e4c3f8ac39a71eda37f253e15bc1b8db90d

SHA512
204b39e31f22ba99cf09c5c8458fc94ea21b47aacc4abd305f71ba20a35d36bfc0ff53b95180542911c9c6f259db897dee76090d953f7ee18a8079caefda7981

Download Submit
\Program Files\KMSpico\UninsHs.exe

Filesize
29KB

MD5
245824502aefe21b01e42f61955aa7f4

SHA1
a58682a8aae6302f1c934709c5aa1f6c86b2be99

SHA256
0a265b4bb8acceafaffb001632fa7e4c3f8ac39a71eda37f253e15bc1b8db90d

SHA512
204b39e31f22ba99cf09c5c8458fc94ea21b47aacc4abd305f71ba20a35d36bfc0ff53b95180542911c9c6f259db897dee76090d953f7ee18a8079caefda7981

Download Submit
\Program Files\KMSpico\UninsHs.exe

Filesize
29KB

MD5
245824502aefe21b01e42f61955aa7f4

SHA1
a58682a8aae6302f1c934709c5aa1f6c86b2be99

SHA256
0a265b4bb8acceafaffb001632fa7e4c3f8ac39a71eda37f253e15bc1b8db90d

SHA512
204b39e31f22ba99cf09c5c8458fc94ea21b47aacc4abd305f71ba20a35d36bfc0ff53b95180542911c9c6f259db897dee76090d953f7ee18a8079caefda7981

Download Submit
\Program Files\KMSpico\UninsHs.exe

Filesize
29KB

MD5
245824502aefe21b01e42f61955aa7f4

SHA1
a58682a8aae6302f1c934709c5aa1f6c86b2be99

SHA256
0a265b4bb8acceafaffb001632fa7e4c3f8ac39a71eda37f253e15bc1b8db90d

SHA512
204b39e31f22ba99cf09c5c8458fc94ea21b47aacc4abd305f71ba20a35d36bfc0ff53b95180542911c9c6f259db897dee76090d953f7ee18a8079caefda7981

Download Submit
\Program Files\KMSpico\UninsHs.exe

Filesize
29KB

MD5
245824502aefe21b01e42f61955aa7f4

SHA1
a58682a8aae6302f1c934709c5aa1f6c86b2be99

SHA256
0a265b4bb8acceafaffb001632fa7e4c3f8ac39a71eda37f253e15bc1b8db90d

SHA512
204b39e31f22ba99cf09c5c8458fc94ea21b47aacc4abd305f71ba20a35d36bfc0ff53b95180542911c9c6f259db897dee76090d953f7ee18a8079caefda7981

Download Submit
\Users\Admin\AppData\Local\Temp\5e57de42-5fb2-46fd-a0ff-879f70c92e61\KMSpico_setup.exe

Filesize
3.7MB

MD5
f2d3ac0f919ceaef19dc3ae5f96cc038

SHA1
0189ef96d041bd8e3cb940c4329c05907fd5c0e3

SHA256
2fd8eed51595006b591eeade829e304c4db4c11c60aa733a7000629c4b92d34c

SHA512
78d5be1f2df96b30154406ec7f11a8031f7bad400050344c73ef8f98dd5c8c467ad8e7bd6370c0315ad0f43969c409c6c991d26071b08dd04b631f99a49b8c63

Download Submit
\Users\Admin\AppData\Local\Temp\a5a8c2dc-878f-4b7b-b58c-0dc250e9930c.exe

Filesize
4.1MB

MD5
be894480a8ecc85ac82d4e9075481333

SHA1
a3c8c8be6dcb906f63db1573eb034952e75570f5

SHA256
cb5e2b75694b32b8c160e2a6f97905c6049defcab124937698f092b7fc4c82a1

SHA512
c4751e28189bd17f294ba804fbe9eb7181c64fc09ed3eb91d9d267a6dab589929322e650de31d473a6a1003a223abb123dd87642bd291959affc757aaa0e1f3e

Download Submit
\Users\Admin\AppData\Local\Temp\a5a8c2dc-878f-4b7b-b58c-0dc250e9930c.exe

Filesize
4.1MB

MD5
be894480a8ecc85ac82d4e9075481333

SHA1
a3c8c8be6dcb906f63db1573eb034952e75570f5

SHA256
cb5e2b75694b32b8c160e2a6f97905c6049defcab124937698f092b7fc4c82a1

SHA512
c4751e28189bd17f294ba804fbe9eb7181c64fc09ed3eb91d9d267a6dab589929322e650de31d473a6a1003a223abb123dd87642bd291959affc757aaa0e1f3e

Download Submit
\Users\Admin\AppData\Local\Temp\a5a8c2dc-878f-4b7b-b58c-0dc250e9930c.exe

Filesize
4.1MB

MD5
be894480a8ecc85ac82d4e9075481333

SHA1
a3c8c8be6dcb906f63db1573eb034952e75570f5

SHA256
cb5e2b75694b32b8c160e2a6f97905c6049defcab124937698f092b7fc4c82a1

SHA512
c4751e28189bd17f294ba804fbe9eb7181c64fc09ed3eb91d9d267a6dab589929322e650de31d473a6a1003a223abb123dd87642bd291959affc757aaa0e1f3e

Download Submit
\Users\Admin\AppData\Local\Temp\a5a8c2dc-878f-4b7b-b58c-0dc250e9930c.exe

Filesize
4.1MB

MD5
be894480a8ecc85ac82d4e9075481333

SHA1
a3c8c8be6dcb906f63db1573eb034952e75570f5

SHA256
cb5e2b75694b32b8c160e2a6f97905c6049defcab124937698f092b7fc4c82a1

SHA512
c4751e28189bd17f294ba804fbe9eb7181c64fc09ed3eb91d9d267a6dab589929322e650de31d473a6a1003a223abb123dd87642bd291959affc757aaa0e1f3e

Download Submit
\Users\Admin\AppData\Local\Temp\is-J08O7.tmp\KMSpico_setup.tmp

Filesize
767KB

MD5
fb33895f8356d68212e76eb4e0654322

SHA1
cd2531ed83c3c879df1de7c10916f3aa0770a199

SHA256
a2b3b9ef41be708ab10402be3efcabe02af9554fba930abbb02d63c1ff2b62ab

SHA512
38f0216a867067b7ef5fbbc8766f47e22fb348afa20d209c2901937fb3381e121f6779c0825ab150ff3053b55fc4db2479d3b1cd41649e51fcff1691a821210c

Download Submit
\Users\Admin\AppData\Local\Temp\is-LUJPS.tmp\_setup.tmp

Filesize
703KB

MD5
1778c1f66ff205875a6435a33229ab3c

SHA1
5b6189159b16c6f85feed66834af3e06c0277a19

SHA256
95c06acac4fe4598840e5556f9613d43aa1039c52dac64536f59e45a70f79da6

SHA512
8844de1296ce707e3c5c71823f5118f8f2e50287ace3a2ee1ec0b69df0ec48ebcf5b755db669d2cd869d345fb06a9c07b36e98eda8c32a9b26b8fe22bdc105a0

Download Submit
\Users\Admin\AppData\Local\Temp\is-MD1H5.tmp\idp.dll

Filesize
216KB

MD5
8f995688085bced38ba7795f60a5e1d3

SHA1
5b1ad67a149c05c50d6e388527af5c8a0af4343a

SHA256
203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006

SHA512
043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35

Download Submit
\Users\Admin\AppData\Local\Temp\is-QN7AF.tmp\KMSpico_setup.tmp

Filesize
767KB

MD5
fb33895f8356d68212e76eb4e0654322

SHA1
cd2531ed83c3c879df1de7c10916f3aa0770a199

SHA256
a2b3b9ef41be708ab10402be3efcabe02af9554fba930abbb02d63c1ff2b62ab

SHA512
38f0216a867067b7ef5fbbc8766f47e22fb348afa20d209c2901937fb3381e121f6779c0825ab150ff3053b55fc4db2479d3b1cd41649e51fcff1691a821210c

Download Submit
\Users\Admin\AppData\Local\Temp\is-VA8C8.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-VA8C8.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
memory/552-990-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/576-163-0x00000000010F0000-0x0000000001174000-memory.dmp

Filesize
528KB

Download
memory/912-58-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/912-214-0x0000000000BE0000-0x0000000000C20000-memory.dmp

Filesize
256KB

Download
memory/912-73-0x0000000000BE0000-0x0000000000C20000-memory.dmp

Filesize
256KB

Download
memory/912-63-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/912-60-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/996-138-0x0000000000400000-0x00000000004CE000-memory.dmp

Filesize
824KB

Download
memory/996-141-0x0000000002AD0000-0x0000000002C2C000-memory.dmp

Filesize
1.4MB

Download
memory/1172-111-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1172-181-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1172-1305-0x0000000002100000-0x0000000002180000-memory.dmp

Filesize
512KB

Download
memory/1172-1364-0x0000000002100000-0x0000000002180000-memory.dmp

Filesize
512KB

Download
memory/1308-115-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1308-94-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1496-1042-0x0000000003210000-0x0000000003227000-memory.dmp

Filesize
92KB

Download
memory/1496-978-0x0000000008AB0000-0x0000000008AB8000-memory.dmp

Filesize
32KB

Download
memory/1496-1263-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/1496-1227-0x000000001B270000-0x000000001B2F0000-memory.dmp

Filesize
512KB

Download
memory/1496-532-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/1496-1045-0x0000000003210000-0x0000000003227000-memory.dmp

Filesize
92KB

Download
memory/1496-1225-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/1496-137-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1496-1166-0x0000000003210000-0x0000000003227000-memory.dmp

Filesize
92KB

Download
memory/1496-1156-0x0000000008AB0000-0x0000000008AB8000-memory.dmp

Filesize
32KB

Download
memory/1496-996-0x0000000003210000-0x0000000003227000-memory.dmp

Filesize
92KB

Download
memory/1496-1086-0x0000000003210000-0x0000000003227000-memory.dmp

Filesize
92KB

Download
memory/1496-1085-0x0000000003230000-0x0000000003231000-memory.dmp

Filesize
4KB

Download
memory/1496-1043-0x0000000003210000-0x0000000003227000-memory.dmp

Filesize
92KB

Download
memory/1496-1084-0x0000000003230000-0x0000000003231000-memory.dmp

Filesize
4KB

Download
memory/1496-1083-0x0000000003210000-0x0000000003227000-memory.dmp

Filesize
92KB

Download
memory/1496-1033-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/1496-1041-0x0000000003210000-0x0000000003227000-memory.dmp

Filesize
92KB

Download
memory/1596-161-0x0000000000D60000-0x0000000000DA0000-memory.dmp

Filesize
256KB

Download
memory/1668-1000-0x000000001B270000-0x000000001B2F0000-memory.dmp

Filesize
512KB

Download
memory/1668-1171-0x000000001B270000-0x000000001B2F0000-memory.dmp

Filesize
512KB

Download
memory/1668-1177-0x000000001B270000-0x000000001B2F0000-memory.dmp

Filesize
512KB

Download
memory/1668-1030-0x000000001B270000-0x000000001B2F0000-memory.dmp

Filesize
512KB

Download
memory/1668-1029-0x000000001B270000-0x000000001B2F0000-memory.dmp

Filesize
512KB

Download
memory/1668-998-0x000000001B4A0000-0x000000001B9E0000-memory.dmp

Filesize
5.2MB

Download
memory/1668-1176-0x000000001B270000-0x000000001B2F0000-memory.dmp

Filesize
512KB

Download
memory/1668-1093-0x000000001B270000-0x000000001B2F0000-memory.dmp

Filesize
512KB

Download
memory/1668-1094-0x000000001B270000-0x000000001B2F0000-memory.dmp

Filesize
512KB

Download
memory/1668-1095-0x000000001B270000-0x000000001B2F0000-memory.dmp

Filesize
512KB

Download
memory/1668-1096-0x000000001B270000-0x000000001B2F0000-memory.dmp

Filesize
512KB

Download
memory/1668-1167-0x000000001B270000-0x000000001B2F0000-memory.dmp

Filesize
512KB

Download
memory/1668-995-0x0000000000140000-0x000000000022A000-memory.dmp

Filesize
936KB

Download
memory/1676-107-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1676-112-0x0000000000400000-0x00000000004CE000-memory.dmp

Filesize
824KB

Download
memory/1868-75-0x0000000000370000-0x00000000003F4000-memory.dmp

Filesize
528KB

Download
memory/1868-77-0x000000001AE30000-0x000000001AEA4000-memory.dmp

Filesize
464KB

Download
memory/1868-91-0x0000000002010000-0x0000000002090000-memory.dmp

Filesize
512KB

Download
memory/1992-160-0x0000000008180000-0x0000000008183000-memory.dmp

Filesize
12KB

Download
memory/1992-54-0x0000000000920000-0x0000000000960000-memory.dmp

Filesize
256KB

Download
memory/1992-121-0x0000000000920000-0x0000000000960000-memory.dmp

Filesize
256KB

Download
memory/1992-72-0x0000000004F10000-0x0000000004F13000-memory.dmp

Filesize
12KB

Download
memory/1992-136-0x0000000000920000-0x0000000000960000-memory.dmp

Filesize
256KB

Download
memory/1992-589-0x0000000004F10000-0x0000000004F13000-memory.dmp

Filesize
12KB

Download
memory/1992-57-0x0000000004F10000-0x0000000004F13000-memory.dmp

Filesize
12KB

Download
memory/1992-55-0x0000000000920000-0x0000000000960000-memory.dmp

Filesize
256KB

Download
memory/2016-123-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2016-523-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2016-1264-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2864-1223-0x0000000000AF0000-0x0000000000BAA000-memory.dmp

Filesize
744KB

Download
memory/2864-1226-0x0000000002100000-0x0000000002180000-memory.dmp

Filesize
512KB

Download