Analysis Overview
SHA256
838e46c53ecc12301e73abfe5d5aa2785ee2f9090a1106cedd75acc0a57dd32d
Threat Level: Known bad
The file КМSрiсо.exe was found to be: Known bad.
Malicious Activity Summary
CryptBot
Babadeda Crypter
Babadeda
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Sets file execution options in registry
Creates new service(s)
Drops startup file
Loads dropped DLL
Executes dropped EXE
Themida packer
UPX packed file
Checks BIOS information in registry
Reads user/profile data of web browsers
Checks installed software on the system
Accesses cryptocurrency files/wallets, possible credential harvesting
Enumerates connected drives
Checks whether UAC is enabled
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Drops file in Windows directory
Launches sc.exe
Drops file in Program Files directory
Enumerates physical storage devices
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: AddClipboardFormatListener
Suspicious use of WriteProcessMemory
Modifies Internet Explorer Phishing Filter
Checks processor information in registry
Suspicious use of FindShellTrayWindow
Creates scheduled task(s)
Uses Task Scheduler COM API
Modifies Control Panel
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-02-06 05:04
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-06 05:04
Reported
2024-02-06 05:06
Platform
win11-20231215-en
Max time kernel
148s
Max time network
150s
Command Line
Signatures
Babadeda
Babadeda Crypter
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
CryptBot
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Program Files (x86)\folder1\Setup1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe | N/A |
Creates new service(s)
Sets file execution options in registry
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe | C:\Program Files\KMSpico\AutoPico.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe | C:\Program Files\KMSpico\KMSELDI.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe\Debugger = "C:\\Windows\\SECOH-QAD.exe" | C:\Program Files\KMSpico\KMSELDI.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe | C:\Program Files\KMSpico\KMSELDI.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe | C:\Program Files\KMSpico\AutoPico.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe\Debugger = "C:\\Windows\\SECOH-QAD.exe" | C:\Program Files\KMSpico\AutoPico.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Program Files (x86)\folder1\Setup1.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Program Files (x86)\folder1\Setup1.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IntelRapid.lnk | C:\Program Files (x86)\folder1\Setup1.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\folder1\Setup.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\folder1\KMSpico.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\folder1\Setup1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-5LI1F.tmp\KMSpico.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Marc Gravell\ProtoFsg Tuner\xltoolkit.exe | N/A |
| N/A | N/A | C:\Program Files\KMSpico\UninsHs.exe | N/A |
| N/A | N/A | C:\Program Files\KMSpico\KMSELDI.exe | N/A |
| N/A | N/A | C:\Windows\SECOH-QAD.exe | N/A |
| N/A | N/A | C:\Program Files\KMSpico\AutoPico.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\folder1\Setup.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Marc Gravell\ProtoFsg Tuner\xltoolkit.exe | N/A |
| N/A | N/A | C:\Windows\system32\SppExtComObj.exe | N/A |
Reads user/profile data of web browsers
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files (x86)\folder1\Setup1.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\B: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Program Files (x86)\folder1\Setup.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Program Files (x86)\folder1\Setup.exe | N/A |
| File opened (read-only) | \??\X: | C:\Program Files (x86)\folder1\Setup.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Program Files (x86)\folder1\Setup.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Program Files (x86)\folder1\Setup.exe | N/A |
| File opened (read-only) | \??\L: | C:\Program Files (x86)\folder1\Setup.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Program Files (x86)\folder1\Setup.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Program Files (x86)\folder1\Setup.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Program Files (x86)\folder1\Setup.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Program Files (x86)\folder1\Setup.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Program Files (x86)\folder1\Setup.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Program Files (x86)\folder1\Setup.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Program Files (x86)\folder1\Setup.exe | N/A |
| File opened (read-only) | \??\S: | C:\Program Files (x86)\folder1\Setup.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Program Files (x86)\folder1\Setup.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Program Files (x86)\folder1\Setup.exe | N/A |
| File opened (read-only) | \??\T: | C:\Program Files (x86)\folder1\Setup.exe | N/A |
| File opened (read-only) | \??\E: | C:\Program Files (x86)\folder1\Setup.exe | N/A |
| File opened (read-only) | \??\O: | C:\Program Files (x86)\folder1\Setup.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Program Files (x86)\folder1\Setup.exe | N/A |
| File opened (read-only) | \??\R: | C:\Program Files (x86)\folder1\Setup.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system32\Vestris.ResourceLib.dll | C:\Users\Admin\AppData\Local\Temp\is-5LI1F.tmp\KMSpico.tmp | N/A |
| File created | C:\Windows\system32\is-67F08.tmp | C:\Users\Admin\AppData\Local\Temp\is-5LI1F.tmp\KMSpico.tmp | N/A |
| File created | C:\Windows\system32\is-3UULK.tmp | C:\Users\Admin\AppData\Local\Temp\is-5LI1F.tmp\KMSpico.tmp | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\folder1\Setup1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\KMSpico\cert\kmscert2013\Standard\is-AEP6U.tmp | C:\Users\Admin\AppData\Local\Temp\is-5LI1F.tmp\KMSpico.tmp | N/A |
| File created | C:\Program Files\KMSpico\cert\kmscertW8\CoreN\is-9BOPT.tmp | C:\Users\Admin\AppData\Local\Temp\is-5LI1F.tmp\KMSpico.tmp | N/A |
| File created | C:\Program Files\KMSpico\cert\kmscert2013\ProPlus\is-EBHCR.tmp | C:\Users\Admin\AppData\Local\Temp\is-5LI1F.tmp\KMSpico.tmp | N/A |
| File created | C:\Program Files\KMSpico\cert\kmscert2013\ProPlus\is-J4P84.tmp | C:\Users\Admin\AppData\Local\Temp\is-5LI1F.tmp\KMSpico.tmp | N/A |
| File created | C:\Program Files\KMSpico\cert\kmscertW10\EnterpriseS\is-FOOVI.tmp | C:\Users\Admin\AppData\Local\Temp\is-5LI1F.tmp\KMSpico.tmp | N/A |
| File created | C:\Program Files\KMSpico\cert\kmscertW6\BusinessN\is-4PM48.tmp | C:\Users\Admin\AppData\Local\Temp\is-5LI1F.tmp\KMSpico.tmp | N/A |
| File created | C:\Program Files\KMSpico\cert\kmscert2010\ProjectStd\is-7VSGI.tmp | C:\Users\Admin\AppData\Local\Temp\is-5LI1F.tmp\KMSpico.tmp | N/A |
| File created | C:\Program Files\KMSpico\cert\kmscert2010\Visio\is-IP3UG.tmp | C:\Users\Admin\AppData\Local\Temp\is-5LI1F.tmp\KMSpico.tmp | N/A |
| File created | C:\Program Files\KMSpico\cert\kmscert2010\Visio\is-MN635.tmp | C:\Users\Admin\AppData\Local\Temp\is-5LI1F.tmp\KMSpico.tmp | N/A |
| File created | C:\Program Files\KMSpico\cert\kmscert2013\VisioPro\is-EI0H2.tmp | C:\Users\Admin\AppData\Local\Temp\is-5LI1F.tmp\KMSpico.tmp | N/A |
| File created | C:\Program Files\KMSpico\cert\kmscert2013\VisioPro\is-4C6RI.tmp | C:\Users\Admin\AppData\Local\Temp\is-5LI1F.tmp\KMSpico.tmp | N/A |
| File created | C:\Program Files\KMSpico\cert\kmscert2010\SmallBusBasics\is-CCAPU.tmp | C:\Users\Admin\AppData\Local\Temp\is-5LI1F.tmp\KMSpico.tmp | N/A |
| File created | C:\Program Files\KMSpico\cert\kmscert2010\Standard\is-FAMT3.tmp | C:\Users\Admin\AppData\Local\Temp\is-5LI1F.tmp\KMSpico.tmp | N/A |
| File created | C:\Program Files\KMSpico\cert\kmscert2013\Lync\is-K4CNV.tmp | C:\Users\Admin\AppData\Local\Temp\is-5LI1F.tmp\KMSpico.tmp | N/A |
| File created | C:\Program Files\KMSpico\cert\kmscert2016\SkypeforBusiness\is-FVPU9.tmp | C:\Users\Admin\AppData\Local\Temp\is-5LI1F.tmp\KMSpico.tmp | N/A |
| File created | C:\Program Files\KMSpico\cert\kmscertW8\Professional\is-B0DJI.tmp | C:\Users\Admin\AppData\Local\Temp\is-5LI1F.tmp\KMSpico.tmp | N/A |
| File created | C:\Program Files\KMSpico\cert\kmscert2010\ProjectStd\is-QSGUK.tmp | C:\Users\Admin\AppData\Local\Temp\is-5LI1F.tmp\KMSpico.tmp | N/A |
| File created | C:\Program Files\KMSpico\cert\kmscert2010\Excel\is-L19LF.tmp | C:\Users\Admin\AppData\Local\Temp\is-5LI1F.tmp\KMSpico.tmp | N/A |
| File created | C:\Program Files\KMSpico\cert\kmscert2010\PowerPoint\is-TGET4.tmp | C:\Users\Admin\AppData\Local\Temp\is-5LI1F.tmp\KMSpico.tmp | N/A |
| File created | C:\Program Files\KMSpico\cert\kmscert2010\Visio\is-5H8C8.tmp | C:\Users\Admin\AppData\Local\Temp\is-5LI1F.tmp\KMSpico.tmp | N/A |
| File created | C:\Program Files\KMSpico\cert\kmscert2010\Publisher\is-0SJDN.tmp | C:\Users\Admin\AppData\Local\Temp\is-5LI1F.tmp\KMSpico.tmp | N/A |
| File created | C:\Program Files\KMSpico\sounds\is-3QMMC.tmp | C:\Users\Admin\AppData\Local\Temp\is-5LI1F.tmp\KMSpico.tmp | N/A |
| File created | C:\Program Files\KMSpico\cert\kmscert2010\InfoPath\is-CH83K.tmp | C:\Users\Admin\AppData\Local\Temp\is-5LI1F.tmp\KMSpico.tmp | N/A |
| File created | C:\Program Files\KMSpico\cert\kmscert2010\Visio\is-D8I4J.tmp | C:\Users\Admin\AppData\Local\Temp\is-5LI1F.tmp\KMSpico.tmp | N/A |
| File created | C:\Program Files\KMSpico\cert\kmscert2010\Publisher\is-AJE57.tmp | C:\Users\Admin\AppData\Local\Temp\is-5LI1F.tmp\KMSpico.tmp | N/A |
| File created | C:\Program Files\KMSpico\cert\kmscert2010\Visio\is-L9IRO.tmp | C:\Users\Admin\AppData\Local\Temp\is-5LI1F.tmp\KMSpico.tmp | N/A |
| File created | C:\Program Files\KMSpico\cert\kmscert2016\VisioPro\is-0HN1M.tmp | C:\Users\Admin\AppData\Local\Temp\is-5LI1F.tmp\KMSpico.tmp | N/A |
| File created | C:\Program Files\KMSpico\cert\kmscertW6\Enterprise\is-947UR.tmp | C:\Users\Admin\AppData\Local\Temp\is-5LI1F.tmp\KMSpico.tmp | N/A |
| File created | C:\Program Files\KMSpico\cert\kmscertW8\ProfessionalWMC\is-5THBP.tmp | C:\Users\Admin\AppData\Local\Temp\is-5LI1F.tmp\KMSpico.tmp | N/A |
| File created | C:\Program Files\KMSpico\cert\kmscert2010\Excel\is-NHCP9.tmp | C:\Users\Admin\AppData\Local\Temp\is-5LI1F.tmp\KMSpico.tmp | N/A |
| File created | C:\Program Files\KMSpico\cert\kmscert2010\ProjectStd\is-VG7P0.tmp | C:\Users\Admin\AppData\Local\Temp\is-5LI1F.tmp\KMSpico.tmp | N/A |
| File created | C:\Program Files\KMSpico\cert\kmscert2010\ProPlus\is-S6GIE.tmp | C:\Users\Admin\AppData\Local\Temp\is-5LI1F.tmp\KMSpico.tmp | N/A |
| File created | C:\Program Files\KMSpico\cert\kmscertW6\BusinessN\is-N4ADE.tmp | C:\Users\Admin\AppData\Local\Temp\is-5LI1F.tmp\KMSpico.tmp | N/A |
| File opened for modification | C:\Program Files\KMSpico\Vestris.ResourceLib.dll | C:\Users\Admin\AppData\Local\Temp\is-5LI1F.tmp\KMSpico.tmp | N/A |
| File created | C:\Program Files\KMSpico\cert\kmscert2010\ProjectPro\is-8P0UE.tmp | C:\Users\Admin\AppData\Local\Temp\is-5LI1F.tmp\KMSpico.tmp | N/A |
| File created | C:\Program Files\KMSpico\cert\kmscert2013\ProjectPro\is-KP055.tmp | C:\Users\Admin\AppData\Local\Temp\is-5LI1F.tmp\KMSpico.tmp | N/A |
| File created | C:\Program Files\KMSpico\cert\kmscert2010\SmallBusBasics\is-RDK98.tmp | C:\Users\Admin\AppData\Local\Temp\is-5LI1F.tmp\KMSpico.tmp | N/A |
| File created | C:\Program Files\KMSpico\cert\kmscertW10\Core\is-R1I40.tmp | C:\Users\Admin\AppData\Local\Temp\is-5LI1F.tmp\KMSpico.tmp | N/A |
| File created | C:\Program Files\KMSpico\cert\kmscert2010\Groove\is-53U3K.tmp | C:\Users\Admin\AppData\Local\Temp\is-5LI1F.tmp\KMSpico.tmp | N/A |
| File created | C:\Program Files\KMSpico\cert\kmscert2013\Access\is-E7PDC.tmp | C:\Users\Admin\AppData\Local\Temp\is-5LI1F.tmp\KMSpico.tmp | N/A |
| File created | C:\Program Files\KMSpico\cert\kmscert2013\Word\is-0EHKB.tmp | C:\Users\Admin\AppData\Local\Temp\is-5LI1F.tmp\KMSpico.tmp | N/A |
| File created | C:\Program Files\KMSpico\cert\kmscert2016\Excel\is-2PAU7.tmp | C:\Users\Admin\AppData\Local\Temp\is-5LI1F.tmp\KMSpico.tmp | N/A |
| File created | C:\Program Files (x86)\folder1\Setup1.exe | C:\Users\Admin\AppData\Local\Temp\КМSрiсо.exe | N/A |
| File created | C:\Program Files\KMSpico\cert\kmscert2010\Word\is-E6IQV.tmp | C:\Users\Admin\AppData\Local\Temp\is-5LI1F.tmp\KMSpico.tmp | N/A |
| File created | C:\Program Files\KMSpico\cert\kmscert2016\PowerPoint\is-OTSFA.tmp | C:\Users\Admin\AppData\Local\Temp\is-5LI1F.tmp\KMSpico.tmp | N/A |
| File created | C:\Program Files\KMSpico\cert\kmscert2016\VisioStd\is-15Q2S.tmp | C:\Users\Admin\AppData\Local\Temp\is-5LI1F.tmp\KMSpico.tmp | N/A |
| File created | C:\Program Files\KMSpico\cert\kmscertW10\Education\is-5F2AB.tmp | C:\Users\Admin\AppData\Local\Temp\is-5LI1F.tmp\KMSpico.tmp | N/A |
| File created | C:\Program Files\KMSpico\sounds\is-1F956.tmp | C:\Users\Admin\AppData\Local\Temp\is-5LI1F.tmp\KMSpico.tmp | N/A |
| File created | C:\Program Files\KMSpico\cert\kmscert2010\Excel\is-EHC3T.tmp | C:\Users\Admin\AppData\Local\Temp\is-5LI1F.tmp\KMSpico.tmp | N/A |
| File created | C:\Program Files\KMSpico\cert\kmscertW6\Business\is-BHB04.tmp | C:\Users\Admin\AppData\Local\Temp\is-5LI1F.tmp\KMSpico.tmp | N/A |
| File created | C:\Program Files\KMSpico\cert\kmscertW7\Embedded\is-EOEQO.tmp | C:\Users\Admin\AppData\Local\Temp\is-5LI1F.tmp\KMSpico.tmp | N/A |
| File created | C:\Program Files\KMSpico\scripts\is-TQ6PG.tmp | C:\Users\Admin\AppData\Local\Temp\is-5LI1F.tmp\KMSpico.tmp | N/A |
| File created | C:\Program Files\KMSpico\cert\kmscertW8\EnterpriseN\is-P1DI5.tmp | C:\Users\Admin\AppData\Local\Temp\is-5LI1F.tmp\KMSpico.tmp | N/A |
| File created | C:\Program Files\KMSpico\driver\is-MKGCA.tmp | C:\Users\Admin\AppData\Local\Temp\is-5LI1F.tmp\KMSpico.tmp | N/A |
| File created | C:\Program Files\KMSpico\cert\kmscert2010\OneNote\is-KPQRP.tmp | C:\Users\Admin\AppData\Local\Temp\is-5LI1F.tmp\KMSpico.tmp | N/A |
| File created | C:\Program Files\KMSpico\cert\kmscert2010\Standard\is-DS32B.tmp | C:\Users\Admin\AppData\Local\Temp\is-5LI1F.tmp\KMSpico.tmp | N/A |
| File created | C:\Program Files\KMSpico\cert\kmscertW6\Business\is-F5K42.tmp | C:\Users\Admin\AppData\Local\Temp\is-5LI1F.tmp\KMSpico.tmp | N/A |
| File created | C:\Program Files\KMSpico\cert\kmscert2010\SmallBusBasics\is-V0A6A.tmp | C:\Users\Admin\AppData\Local\Temp\is-5LI1F.tmp\KMSpico.tmp | N/A |
| File created | C:\Program Files\KMSpico\cert\kmscert2010\Word\is-5F7LI.tmp | C:\Users\Admin\AppData\Local\Temp\is-5LI1F.tmp\KMSpico.tmp | N/A |
| File created | C:\Program Files\KMSpico\cert\kmscert2013\ProjectStd\is-6BARE.tmp | C:\Users\Admin\AppData\Local\Temp\is-5LI1F.tmp\KMSpico.tmp | N/A |
| File created | C:\Program Files\KMSpico\cert\kmscert2016\Publisher\is-O9562.tmp | C:\Users\Admin\AppData\Local\Temp\is-5LI1F.tmp\KMSpico.tmp | N/A |
| File created | C:\Program Files\KMSpico\cert\kmscert2013\Excel\is-A0RUI.tmp | C:\Users\Admin\AppData\Local\Temp\is-5LI1F.tmp\KMSpico.tmp | N/A |
| File created | C:\Program Files\KMSpico\logs\is-OD2C7.tmp | C:\Users\Admin\AppData\Local\Temp\is-5LI1F.tmp\KMSpico.tmp | N/A |
| File created | C:\Program Files\KMSpico\cert\kmscert2010\Access\is-OS2EB.tmp | C:\Users\Admin\AppData\Local\Temp\is-5LI1F.tmp\KMSpico.tmp | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Installer\MSI435D.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI438D.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\ | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\inprogressinstallinfo.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\SourceHash{8DF27864-44E9-4A93-928A-75C0E8302965} | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI4622.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\SystemTemp\~DFD7E4729159D715CB.TMP | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\e5842c1.msi | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\SECOH-QAD.dll | C:\Program Files\KMSpico\KMSELDI.exe | N/A |
| File created | C:\Windows\SystemTemp\~DFD31ACC7F2D7C175E.TMP | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI439E.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI43CF.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\SystemTemp\~DF12D40F3456A94AD3.TMP | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\e5842c1.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI43BF.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\SystemTemp\~DF4D95D7C71EF119F1.TMP | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\SECOH-QAD.exe | C:\Program Files\KMSpico\KMSELDI.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI43AE.tmp | C:\Windows\system32\msiexec.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Roaming\Marc Gravell\ProtoFsg Tuner\xltoolkit.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Roaming\Marc Gravell\ProtoFsg Tuner\xltoolkit.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Modifies Control Panel
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1155165157-2721788668-771323609-1000\Control Panel\Desktop\PaintDesktopVersion = "0" | C:\Program Files\KMSpico\KMSELDI.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1155165157-2721788668-771323609-1000\Control Panel\Desktop\PaintDesktopVersion = "0" | C:\Program Files\KMSpico\AutoPico.exe | N/A |
Modifies Internet Explorer Phishing Filter
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter | C:\Users\Admin\AppData\Local\Temp\is-5LI1F.tmp\KMSpico.tmp | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\EnabledV9 = "0" | C:\Users\Admin\AppData\Local\Temp\is-5LI1F.tmp\KMSpico.tmp | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-5LI1F.tmp\KMSpico.tmp | N/A |
| N/A | N/A | C:\Windows\SECOH-QAD.exe | N/A |
| N/A | N/A | C:\Program Files\KMSpico\KMSELDI.exe | N/A |
| N/A | N/A | C:\Program Files\KMSpico\AutoPico.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-5LI1F.tmp\KMSpico.tmp | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\КМSрiсо.exe
"C:\Users\Admin\AppData\Local\Temp\КМSрiсо.exe"
C:\Program Files (x86)\folder1\Setup.exe
"C:\Program Files (x86)\folder1\Setup.exe"
C:\Program Files (x86)\folder1\KMSpico.exe
"C:\Program Files (x86)\folder1\KMSpico.exe"
C:\Users\Admin\AppData\Local\Temp\is-5LI1F.tmp\KMSpico.tmp
"C:\Users\Admin\AppData\Local\Temp\is-5LI1F.tmp\KMSpico.tmp" /SL5="$50234,2952592,69120,C:\Program Files (x86)\folder1\KMSpico.exe"
C:\Program Files (x86)\folder1\Setup1.exe
"C:\Program Files (x86)\folder1\Setup1.exe"
C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe
"C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe"
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 6716137F37C45D67735C70D57CFB0FD6 C
C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Marc Gravell\ProtoFsg Tuner 34.0.0.1\install\8302965\adv1.msi" AI_SETUPEXEPATH="C:\Program Files (x86)\folder1\Setup.exe" SETUPEXEDIR="C:\Program Files (x86)\folder1\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1706955260 " AI_EUIMSI=""
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 8892E79C8B078A1B1E64D1E72DE736E4
C:\Users\Admin\AppData\Roaming\Marc Gravell\ProtoFsg Tuner\xltoolkit.exe
"C:\Users\Admin\AppData\Roaming\Marc Gravell\ProtoFsg Tuner\xltoolkit.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""C:\Program Files\KMSpico\scripts\Install_Service.cmd""
C:\Program Files\KMSpico\UninsHs.exe
"C:\Program Files\KMSpico\UninsHs.exe" /r0=KMSpico,default,C:\Program Files (x86)\folder1\KMSpico.exe
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""C:\Program Files\KMSpico\scripts\Install_Task.cmd""
C:\Program Files\KMSpico\KMSELDI.exe
"C:\Program Files\KMSpico\KMSELDI.exe" /silent /backup
C:\Windows\system32\sc.exe
sc create "Service KMSELDI" binPath= "C:\Program Files\KMSpico\Service_KMS.exe" type= own error= normal start= auto DisplayName= "Service KMSELDI"
C:\Windows\system32\schtasks.exe
SCHTASKS /Create /TN "AutoPico Daily Restart" /TR "'C:\Program Files\KMSpico\AutoPico.exe' /silent" /SC DAILY /ST 23:59:59 /RU "NT AUTHORITY\SYSTEM" /RL Highest /F
C:\Windows\SECOH-QAD.exe
C:\Windows\SECOH-QAD.exe C:\Windows\system32\SppExtComObj.exe -Embedding
C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
C:\Windows\System32\SLUI.exe
"C:\Windows\System32\SLUI.exe" RuleId=eeba1977-569e-4571-b639-7623d8bfecc0;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2de67392-b7a7-462a-b1ca-108dd189f588;NotificationInterval=1440;Trigger=TimerEvent
C:\Program Files\KMSpico\AutoPico.exe
"C:\Program Files\KMSpico\AutoPico.exe" /silent
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| N/A | 127.0.0.1:1688 | N/A | tcp |
| GB | 184.28.176.89:443 | N/A | tcp |
| DE | 51.116.246.104:443 | browser.pipe.aria.microsoft.com | tcp |
| GB | 92.123.128.161:443 | r.bing.com | tcp |
| US | 8.8.8.8:53 | 161.128.123.92.in-addr.arpa | udp |
Files
| MD5 | 831e0b597db11a6eb6f3f797105f7be8 |
| SHA1 | d89154670218f9fba4515b0c1c634ae0900ca6d4 |
| SHA256 | e3404d4af16702a67dcaa4da4c5a8776ef350343b179ae6e7f2d347e7e1d1fb7 |
| SHA512 | e5e71a62c937e7d1c2cf7698bc80fa42732ddd82735ba0ccaee28aee7a7ea7b2132650dfd2c483eb6fb93f447b59643e1a3d6d077a50f0cd42b6f3fc78c1ad8f |
C:\Users\Admin\AppData\Roaming\Marc Gravell\ProtoFsg Tuner 34.0.0.1\install\8302965\adv1.msi
| MD5 | 7f22059a0b801c830666b5fab17649f3 |
| SHA1 | e0a1a7af1cb336b08143a90a56387897ff66a5ea |
| SHA256 | c261656d4f2c0a19f59a415e6e7342fe108ff198a46fffef81d1eebd6e8289de |
| SHA512 | 005c76de78bc9b74e5f37780c56bc959626bdfbc29e1e2b53a145851894ad7c895a12e422d1caf43fef4e72906969ad3af3136ac213f83cd05acc2797b154e88 |
C:\Users\Admin\AppData\Roaming\Marc Gravell\ProtoFsg Tuner 34.0.0.1\install\decoder.dll
| MD5 | fc3c50cc89bd796b94cb4102fed6e7b0 |
| SHA1 | 629ae6d87ba397042a5b72be11b01c6053213a7e |
| SHA256 | 7620dc258aed12b902d3ac7f080f542512e598a9024afd59ca51f12f9ac1b5ac |
| SHA512 | 3f02bfbe53687ce8185392e297afdc787715491e966bc3034540455ee96b9855c25c16b112be457fd94c81bd54a3aa8a40682eb148496b9ec8bc7dd1e514f3ef |
C:\Users\Admin\AppData\Roaming\Marc Gravell\ProtoFsg Tuner 34.0.0.1\install\decoder.dll
| MD5 | e33057f00406e0d7cf583b9f4f631435 |
| SHA1 | 1951068f863ca2807a52afebbd04aa7471894790 |
| SHA256 | 691c3f1db20bc62c74347132a5186def8087ddc4170e5db8ceb7068f4d277157 |
| SHA512 | cdae1af6528068455d897218253881c0b02a0f5ae387c5d9be43339ce98ae1716f7a1b89ac401d026c28c92b5d8b78a87d5db544d391399cf43f5b9af82983d9 |
C:\Users\Admin\AppData\Local\Temp\is-5LI1F.tmp\KMSpico.tmp
| MD5 | 32dcc6be60faea3f319e5057f733e093 |
| SHA1 | 28b9f13561d3f76edb6d512157c169f69f983eda |
| SHA256 | b7f2b0463eeaa9bec2aad12e6780251ebfbdf8d5cd8beb1c51e5cb469f53d9a0 |
| SHA512 | 6159ed2b83c031609bc9bb3b0a24769bff9e8500c8475b65a338fb77df3de65df1660cd605c26a2fdfb859743d929602e96d5ed24c86b3755b52dd515edad2cf |
memory/3880-37-0x00007FF7549B0000-0x00007FF75526D000-memory.dmp
memory/3880-66-0x00007FF7549B0000-0x00007FF75526D000-memory.dmp
C:\Program Files (x86)\folder1\KMSpico.exe
| MD5 | 7409c2ebb693c4927cafc7cd1bcda70b |
| SHA1 | cb7b763f5019771a9b38ed4f27e45cc3424cf175 |
| SHA256 | 250a0efca346f2d76a309c7655a712746e279c114b2063778386ba07d98a1b58 |
| SHA512 | 2594d3e11a49015d174f484c2af50eaa848f80ffcc96789ed3013d3a2ad3769c61962691a7f1b7d75c8b6ba0a25331cb38ececa11fedf590400864a2f185247d |
memory/3880-67-0x00007FF7549B0000-0x00007FF75526D000-memory.dmp
C:\Program Files (x86)\folder1\Setup1.exe
| MD5 | 7c10102b695b525a58e37002c311b7a0 |
| SHA1 | 040bd2fbfcfb86bbb29ed477a1acd4886cc98626 |
| SHA256 | 3d0e4c294a094b35a2c57fd391229bf762ca80c74f583adc4d5f180a23df28f7 |
| SHA512 | a8467156e316d689cd395e0a0a7c7f33b424f830d2584754e90dd1092b8e26dc5c50797477c77b1fb48927c303965e930961cb123ce907946b99e6d3847fae7d |
C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe
| MD5 | 6de235b21db1c4a76c237d4d48855916 |
| SHA1 | 8bd01e617a5166ac4252f1e6c6a2306e733d8bd4 |
| SHA256 | 16b3acd7746af93bca47d3f55435071ab84688708e71bfffb126569aef30c1bf |
| SHA512 | 569e728adf78699b3c1ffe44974bf56a43f8266bcdecea137ac3415d454e48094f0222fc12ce3ab043cfaf500c77de7574f4c5a5986dafb04133b0609bf9c2e6 |
memory/4608-76-0x00007FF664660000-0x00007FF664F1D000-memory.dmp
C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe
| MD5 | 24cf6f96cf797ff5782f516e15dd7743 |
| SHA1 | 3ca8255806a124ddb474889e7ec61f6633d664df |
| SHA256 | 3668755e74cb2d8775b44de0c48dad6931d084af5e514542ea38b909dd4a40dc |
| SHA512 | e7f2ca33700f91081a725b532a925a37658f40fcdabb5be1de8e597e4f06fbb4d6e9539e4f94830e60633389e9da6ef68deb4c3aa3c99490c490898efcb14ef6 |
memory/4608-78-0x00007FF664660000-0x00007FF664F1D000-memory.dmp
memory/3880-77-0x00007FFB14040000-0x00007FFB14249000-memory.dmp
memory/4608-81-0x00007FFB14040000-0x00007FFB14249000-memory.dmp
memory/4608-82-0x00007FF664660000-0x00007FF664F1D000-memory.dmp
memory/3880-75-0x00007FF7549B0000-0x00007FF75526D000-memory.dmp
memory/4608-83-0x00007FF664660000-0x00007FF664F1D000-memory.dmp
memory/4608-84-0x00007FF664660000-0x00007FF664F1D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\MSI419A.tmp
| MD5 | 2a39e09f0ff3815ca5107ec622921531 |
| SHA1 | c0cacf5fb1cb107e11c2143bc0dc9b1d70c8500c |
| SHA256 | 688c60740c019b41ba38f575d232ad6264073ef97aebb80590491b47e0a80137 |
| SHA512 | 499c4f97e455c78a985c2451a503bbf289fa5355f88dbac8a75776e9f29b697396c4b50069523f44ed718a947cccfbd460c1696dac0df1b65dda25e8cf2f0c52 |
C:\Users\Admin\AppData\Roaming\Marc Gravell\ProtoFsg Tuner 34.0.0.1\install\8302965\adv1.msi
| MD5 | 5130100301617cae84f569cee2ff36ac |
| SHA1 | c73c7f58ed866c434ce79b671a9f1a4bf0207ec0 |
| SHA256 | 7617d0d8a268eeb8211388d8a9b2388215fd4870d7e72d6ecf210305b0046392 |
| SHA512 | 7f815ecc3be27dfe2167590f48629fe3207f798bde3648f98ab5eb274a140c47416062850e04acde9e37c36f93f642ef4098e1541304f92d117e5b961b4ecd2d |
C:\Users\Admin\AppData\Local\Temp\MSI419A.tmp
| MD5 | 7f5a537f1cd54caed71a10df573b8bf4 |
| SHA1 | 0b438359d32e25f734e2e1ff248b1cb13d2f5d0b |
| SHA256 | a5bd2bad1913a1a965bc862158a542893bd1d45de4956d42885bdb6e6f1a0c04 |
| SHA512 | f8f2ddfbabe1809e94347c7b218ae2feda5d948cb996d5348a6fe44a3be32e00a7ade61ad88df7e68c787e5d97a582201f26d6501c8a8d2e95972feb8806dcee |
C:\Users\Admin\AppData\Local\Temp\MSI415A.tmp
| MD5 | 99c098c952eafea38e9b0546d962bb2b |
| SHA1 | 608188b7f0ebac1e2f3e413d49a5147258f462e4 |
| SHA256 | 91d96292c35c2f55c660f33f7097ba2f6e8b862ea23967fbb07bf757f43815a1 |
| SHA512 | 38fd790067b6cdf26af07254d345a4c37783ebf1ad22858ddc54cba2a00cfedec20dbbfa3b0cf9622c613d6bbbebf7eae85a73830651ef4eab14f76b0d5439d7 |
C:\Users\Admin\AppData\Local\Temp\MSI415A.tmp
| MD5 | 85e4dc0b70fe5da406ff62d9a22a078b |
| SHA1 | 73ae55389ff5ecf93645012d22223d9d0fc3ced2 |
| SHA256 | 877fedbb9e1ed4b21c299b047e6c968b12b6acc12a6b243b8bb24d55c664e1ce |
| SHA512 | 71a6eda0cc5dcd6b70fd63be705743083c3208f46fc88ce0e14751e8993aae4e2a5268cadf1e63fdc0805f9931a9703405c47ec9cc8ecd5e21c5b807be72edab |
C:\Windows\Installer\MSI435D.tmp
| MD5 | ef3f21e41739170bb0016858d2708cbb |
| SHA1 | d4882e261fd599e71dc5559104b3164648865f51 |
| SHA256 | 779e14f0ae1dc64269054f9019da2ac495c45ae0136dfbb69fdc51caa434ee1f |
| SHA512 | d41e80fd7363cf0cb4e96cdb52a346327eb7e9e5836c891dc928867e86fb67518f0c06a00456e389b4fa4b02a45feeb68ad91221a0efe610cf06a6ad3dfaca2b |
C:\Windows\Installer\MSI435D.tmp
| MD5 | 1ac4e4cf299d4203f068f92eff782bdb |
| SHA1 | faf6b994f4412716e1965200b09f7858796d9c16 |
| SHA256 | bfb3265e89dade4b0533bec4141c99813217f27e8bffdfb04eb0cc03306163df |
| SHA512 | 489eb75ec80acd21bfcd7cd5a7b60ea91d77324b3ef964e2b97acd5bd471a611fdd4a9834008af3c56b1273bbd994b127d3bd67222ed011f787e30f1f45e9fd0 |
C:\Windows\Installer\MSI43AE.tmp
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Windows\Installer\MSI439E.tmp
| MD5 | 640a4c1c8514b335aea8124f15f060ab |
| SHA1 | e59fcf5fbc02c79038c29bc2476c444732ce66bd |
| SHA256 | 2ff56e27170fa3941914de2bf5505962a39f351622bf7d67c0ad71a6b8d4f434 |
| SHA512 | fc2eb5d00350dfc91ef336e55a7c9fa2707e98e3a49cfc36e7b1c5060d21323085a5bd283cf187a6fca9e37602882e9a32337f1e530463fd30f65300612bd5b1 |
C:\Users\Admin\AppData\Roaming\Marc Gravell\ProtoFsg Tuner 34.0.0.1\install\decoder.dll
| MD5 | 080ad76c166cee110c6dcc4436761844 |
| SHA1 | 5388cd78960f0535ada36d8bef1c9a02571b31a9 |
| SHA256 | e3ded27f0d31e221b874472f09da834c5c70c13336f14c20ade670d6210c24dc |
| SHA512 | 22b01651997a8f9562f6978e0065ed5139e4f957c58feef1721d62d5bd6da195a6030b66fa54865bbfe7d1a4e370e0df93a906932ef6db2d8667ef94e7880054 |
C:\Windows\Installer\MSI43CF.tmp
| MD5 | 841db2de248cdd997cb0a87d6cf777e5 |
| SHA1 | 403723954b4e7b6dd446c1861836cb96c123315c |
| SHA256 | 04b597ea719a2b2110ee4912dba8bb78d402e336bd55281193157ea4c07aef85 |
| SHA512 | a15264a44c492f6ba51ac26012bea412326869e37ca4f1481fd7cd37fa59e51060416a93db121fedea6a2497ed03c082504405b6e5eab6bdf4dc5a80defef34b |
C:\Windows\Installer\MSI43CF.tmp
| MD5 | 3b2a7e8f82b40b987c2cbcd0d86f78a1 |
| SHA1 | 5914c6f85e3c4a562e2a7440476ffe152c64ba1c |
| SHA256 | e22e85e96f845763a778ebb283454334b5fe2b67b8489c7ce4f0779a442511c6 |
| SHA512 | 20bf093037b558676406b2f5898106513340f4583ec6fbde5fd8c44de222e8bac4110de4baaa7de4fee31825f1f1e9667cf83460ac0d685662ddb9d93954e0fe |
C:\Windows\Installer\MSI43BF.tmp
| MD5 | 39643846955f0df77cf8664b86adfd92 |
| SHA1 | 9ad7ef8a457c1a13638385613206b8fb83d32305 |
| SHA256 | 9aa2310198a389c27a0e2ee80b139aee121e8be19f3f0de8be1ca2f149af249f |
| SHA512 | e8c67b5eac7effa5dd0d84c932713cfeeee372b999295d07730e5686eefa4a89b99af786f14be3362d824965b71fca5938bbab5c7e3589eeb86093db71505731 |
C:\Windows\Installer\MSI43BF.tmp
| MD5 | 599f3de76a863b803451d28d6c7750b5 |
| SHA1 | 698fa59bf15c5bf3b12ea77ef7e3710f2678c6e6 |
| SHA256 | b63683a0f7ac4e9d05f64af95a9fafa70df8d4fbda98c0a9ec392fd195042462 |
| SHA512 | eff7cf8db6b45f5858d0f2a71f0ee5e107644116fe3e85f3f38b4fa7d923ca406811540873c1920f0b2c2f6a53b7b96f7b7657cb679a2f0725735b094a18bd63 |
C:\Windows\Installer\MSI43AE.tmp
| MD5 | dc1f98019e6337a7041d73fdd12eea76 |
| SHA1 | e5a54d0275c51a84fc43203f7904d816fe39e922 |
| SHA256 | c6b48fb3790fdc6d90adec97564487b2a906c39dbfaa152a3dbe58a7f9624361 |
| SHA512 | fa768fc3d3043f061e2efdd658c97ceb8a55661e3c9c54621de071c0d1ab55f76e3c04ce6e31dcc8fa7d44bafb922345348dc5b008b12042319cfc90d3db40a4 |
C:\Windows\Installer\MSI439E.tmp
| MD5 | 92712d94018946f715fb4fb2ad21e101 |
| SHA1 | 00b39f8d7c02d14dd42c1e327e66876cc34d28ae |
| SHA256 | b60ea402c06c70707887e9fc3529229b12103b61bce26f257806b6c00a97d6f8 |
| SHA512 | 42e7fd30c96213d873a534e3d45fcd77809092e1516709d2bc914c31e538ad074c45bca750658eb63fbd3ce3323b874388fa2aaf3be19438d0b8314865d3f47e |
C:\Windows\Installer\MSI438D.tmp
| MD5 | 073c802abe5396d195431dae32b567cc |
| SHA1 | efc67a21482cf548463a235f69cf7e54d62a318e |
| SHA256 | 668d3ec065a6e0d9e825e54b973972b991aedd99090edddbec41b81994af8ca7 |
| SHA512 | b42557f9cb5431555264f7dd2091c6609e9815f0df5800f3d022f469d7323265997d3bb5a9c3eeb0eed7a994ab6dd5490e7f60722a51a4d3b4f1739142237f0a |
C:\Windows\Installer\MSI438D.tmp
| MD5 | 0ca009ed76a59054613ccbaf34a38d3a |
| SHA1 | d34bcee59521385f8c242a472e6f92e4840c7898 |
| SHA256 | 967a88247f65b9e17134767948d5134e327cde586b326c469691fa3f8f8e6728 |
| SHA512 | 3f914b8c98cea82df5fbeee655f5a9e1166695f61dcc1b6f5e5459b8d88726fded127fd87f61503a0b096e5e83a04ad6742b689544b791f639627d4abda29ede |
C:\Windows\Installer\MSI438D.tmp
| MD5 | 18ba61dce779f0026125265ef75eea53 |
| SHA1 | cbc713440aba79a97ec506b63aea3003967e7e02 |
| SHA256 | 9cb1333c93689acc87feb89295abf73cc183c1e7f0567a524965697cb38c2f0b |
| SHA512 | 58afdbb8408b712154015928671e371326f1f878419c73a4305f154f13aaae53f9a18b21e130160eb05c4aeb224eb62605e091d85639a569aa451c1709e31e22 |
C:\Users\Admin\AppData\Roaming\Marc Gravell\ProtoFsg Tuner 34.0.0.1\install\8302965\librsvg-2-1.dll
| MD5 | 916844d9ea74a09437e21a8a72afce94 |
| SHA1 | 7cbba090510ddbb0224e2ff4a8a5c2782602320f |
| SHA256 | bd87e1f41f4184470ed52fb547cbdd8194602347e37b5e8cd1f2598c86716759 |
| SHA512 | ae22c0eceb2a316988d6271b2c7e82ec5186358f2ecc20a55237a2bfd61df8e2301824d1f4d11e9c82edf1df4d0ccf64db774f40bf705cfeea8f52741d555783 |
C:\Users\Admin\AppData\Roaming\Marc Gravell\ProtoFsg Tuner 34.0.0.1\install\8302965\System.Linq.dll
| MD5 | 6d6917bae13e128f00d95da1fd3f191e |
| SHA1 | 4c5ae1e9e7e4c8147f913c350a9b4561ca3f1851 |
| SHA256 | dc9ea055006a22a2faaa81b37d48a8ab1c98127b158181fd894388bd6c2049f4 |
| SHA512 | eabf0f2fdf1f29f425f04198c920451bb686a900931b9dfe418b62252c7d025936784fa0251fc7fb25809e4933c8e1f872b8290870c8afa2b24177750a24e105 |
C:\Users\Admin\AppData\Roaming\Marc Gravell\ProtoFsg Tuner 34.0.0.1\install\8302965\System.IO.UnmanagedMemoryStream.dll
| MD5 | 64abb65b37b941b10b119ef32531b50a |
| SHA1 | 9cf171c463f11575fe0a7a507101da6177cd10fc |
| SHA256 | a0c98af8925ac0ab86c1f768f9ccac1cbcf19027b23814f64860d3f28b686fb7 |
| SHA512 | a5708fec9d02449409a931b8fd998fc27f6c7ea2a0f32a7a73707550ec298cdbf5ab9ee13388c5a01f6f3ff9e99fddfe8cf563c6f8e55f1ceb55139c1178efeb |
C:\Users\Admin\AppData\Roaming\Marc Gravell\ProtoFsg Tuner 34.0.0.1\install\8302965\System.IO.Pipes.dll
| MD5 | 004cc9cbffb46f50c1f037002c3655ce |
| SHA1 | 86947f12790e70bafd4c3f72cad8e386a6015d04 |
| SHA256 | 0f387e9591a5613ef02da3c6d32abce4f9c3e1e577a3ffd0cef85c345a3fa1df |
| SHA512 | 69d1545c912d82d6ec1eb928e16e0c1d45c9a04e980adfa77f7a764a7f5b642c91b9e74ffa3e5a33343453bcaedf0aca31258f78495cc3c10e771ae1e917e7ac |
C:\Users\Admin\AppData\Roaming\Marc Gravell\ProtoFsg Tuner 34.0.0.1\install\8302965\System.IO.MemoryMappedFiles.dll
| MD5 | a58039e022feca900e6db589672c7ad8 |
| SHA1 | 804333e184d8c7f306bedd5a86e9134461c0226a |
| SHA256 | 841403493c0b651bb2d78d0befe912d438ee60e406806cad21b9a30f227323b4 |
| SHA512 | 1c4cecaf1579f0a67ba18d0b7ad50edd2afdf16c98770e801affaca358a977bd2108327723d4173d95b5c86fe8bd6cf0bb6aa2dce69c84ee5c83049ec07ad88b |
C:\Users\Admin\AppData\Roaming\Marc Gravell\ProtoFsg Tuner 34.0.0.1\install\8302965\System.IO.IsolatedStorage.dll
| MD5 | f37c2957428bade9781b58f1fc32b576 |
| SHA1 | 94ad0c9e7b3fc0b3c56ac7574f429a43e6db67fe |
| SHA256 | b7bdb4930cfd82361b2f59c164aac4687798c72e3d0e0c73d21ca7516f19adc0 |
| SHA512 | 301494cd941a5e4aef6ad7d6f02edb13d183625d18f240a37bb9b7971d166ba4c8c38da11c05a9d9080defa0ab1a7057dda47e98eeebafda01035339e380624b |
C:\Users\Admin\AppData\Roaming\Marc Gravell\ProtoFsg Tuner 34.0.0.1\install\8302965\System.IO.FileSystem.Watcher.dll
| MD5 | 6ac5596f4aeb88842716640ae1047045 |
| SHA1 | fbf23bf89732b8b32cbc123830f20b2c2147ea60 |
| SHA256 | f875e323e57d704f1b17c84c7bc50f0d1ffcb0bed08c5f6af74a60fccc04c3bb |
| SHA512 | ecb1f8d458e3f6b14d9086772f2f0ed33bf00f7f9b778f6896eaa45e38bbef493184f2296ab14588f3eacd698a5a96fb8adee6fb944a1553d50713bf5227ffce |
C:\Users\Admin\AppData\Roaming\Marc Gravell\ProtoFsg Tuner 34.0.0.1\install\8302965\System.IO.FileSystem.Primitives.dll
| MD5 | f764b511af044c89927070d413f54197 |
| SHA1 | fe6726705fb76bb64c11c787599cb044799a3f6c |
| SHA256 | 00762994e600cd4db1ef21c7161d808ddc409cadeca547ef49553f3a4d920ed8 |
| SHA512 | 08dbc68b3ed5b519828537fe1c97158eff6754dcb219001c65c1ae344b2d8bbd6e3ac19c2d34977a23f36da3a67df8f9e94b10780cbfb826bd4e448960d765bf |
C:\Users\Admin\AppData\Roaming\Marc Gravell\ProtoFsg Tuner 34.0.0.1\install\8302965\System.IO.FileSystem.DriveInfo.dll
| MD5 | ab0b6870db47e35d54bd1809b4c60466 |
| SHA1 | 09beb5e11a689205694dc3ee3bdf6a66b6eebfb0 |
| SHA256 | f09acd2d42983a7683e34c772e73c02f542450b681852836f2472d6977b764e7 |
| SHA512 | ed24b929666268e6a959bc2331e46cbaadc7a9b38e3da10078ae5d8ffff77a9d8d1757a0bad1fbc699156bc4471948f008b624c2a6c4eb35b58fe4758eb4199b |
C:\Users\Admin\AppData\Roaming\Marc Gravell\ProtoFsg Tuner 34.0.0.1\install\8302965\System.IO.FileSystem.dll
| MD5 | 5e1824522e05f3612bd8c4f599763a86 |
| SHA1 | 3372d225504cf30df6d3fd0e9b70f07ba34a8166 |
| SHA256 | ebfaa7aac28863225ca4e55305c2627239841d7e0070fa4567e1aea6eca6fdcf |
| SHA512 | 10234a737a12f25ba52b64a78cb9fb457fe10f83707a0fdc85b0ce357c6ec3846774cdf7476f427828476d12639382d2f20e5e69f863b6d5a98461ffae91e239 |
C:\Users\Admin\AppData\Roaming\Marc Gravell\ProtoFsg Tuner 34.0.0.1\install\8302965\System.IO.dll
| MD5 | 18a32afb2c4d9638bb0bddc1dee60788 |
| SHA1 | 1e76b32a88cb2fb7bd0caf962636058426dd6230 |
| SHA256 | f534d81c3f035c5b91c303096c4dc5b4d46f6d75ad5568eaee92cc9dc6aa75f3 |
| SHA512 | 48121a28644b8d46b2ffa129dbc3061712eb6377c6b1d76df577fb9929cd1c48bb0deecb5bab1f43293918f3b7f453b880b4fcefc15019b4dd290ae36cb71c88 |
C:\Users\Admin\AppData\Roaming\Marc Gravell\ProtoFsg Tuner 34.0.0.1\install\8302965\System.IO.Compression.ZipFile.dll
| MD5 | c4c4e310f604a98404f756bbd2d1fa6d |
| SHA1 | 2991e215a479ea048cb53f328b740db610547b75 |
| SHA256 | 1209835143aa950e64cb9d28c565fae7f7df5278c013af621f4e689527279bfc |
| SHA512 | f498f05bb85381cf9f91cc0a60eaab8a4798772ce18cf8c53329061fa461582a970b37d3578a800c80d8c87d8954d976213ee587894de51ac1ebd79422ab0f1b |
C:\Users\Admin\AppData\Roaming\Marc Gravell\ProtoFsg Tuner 34.0.0.1\install\8302965\System.Globalization.dll
| MD5 | a25d659fff26c73b2f34ba6b92c84551 |
| SHA1 | 69e6bf884f40d6d78e3c4f5f1d0103a666931619 |
| SHA256 | f4e9f919b625dcc6e2a5d0c76308543c71b7c3a6314a138058e7fa9f3426b3ea |
| SHA512 | 7f5632cf8aaa380e1f7c76b54c1efb5cac0412647a0f2e1986af07ed9dcf89b8c4563178ce79e54ef283e487706f61c156bffdd5a4b42317b39d74a92e236bb4 |
C:\Users\Admin\AppData\Roaming\Marc Gravell\ProtoFsg Tuner 34.0.0.1\install\8302965\System.Drawing.Primitives.dll
| MD5 | 61b6fc62c4003ce711377a97cede84f5 |
| SHA1 | 3b8f870b0da16bd6bdc6104aa44d036b24b61ac0 |
| SHA256 | 2ff0d64f6d9bb38e15208c4d632c767a669a68e6b41adb0f27d99528b801ee3b |
| SHA512 | 611707f5d54dfffcbe5cb58204c925cab6ba488ffbd82a5c5efae9d1cfd10cd32205e5d05ead2cf7f8a3f5b392ca7538060a87695be40535d6657542b2043ab0 |
C:\Users\Admin\AppData\Roaming\Marc Gravell\ProtoFsg Tuner 34.0.0.1\install\8302965\System.Diagnostics.Tracing.dll
| MD5 | e338e2a9e8e3325d696dd18f46a6d82b |
| SHA1 | eb907bd53f78b91e5fcf27fd76050bd682d80e0c |
| SHA256 | 5052b3701850537611da44858a0a8feb4b4cc936cd5bbb95b64cea4a987e5860 |
| SHA512 | ed015b37851138a2e503bce8671ac81d158948cfc3e8cde9ab751c8264cfb1da56b1f02fd281921b3b0e1c1f42b7b5cf97360c7ee263555e21fc51ea0162c4f2 |
C:\Users\Admin\AppData\Roaming\Marc Gravell\ProtoFsg Tuner 34.0.0.1\install\8302965\System.Diagnostics.Tools.dll
| MD5 | bd36e482e5cfde3c791e62143dc5deb1 |
| SHA1 | 32fb1bd024be0b7a2af182739fd384bd74610844 |
| SHA256 | d9562ec4dc0430ff3ab66a5d0238b72402ebdb17ceb31eebdb1daf91768c7d4d |
| SHA512 | 6e128b3bf3850c1972fd8fc8cee4d82ecb7dc98fe7c5a8b887523011dc270dccbb99a0d5496954c7a156ae3c92ff3435d30c0a87768e2dbcbbf8672b9e68cfce |
C:\Users\Admin\AppData\Roaming\Marc Gravell\ProtoFsg Tuner 34.0.0.1\install\8302965\System.Diagnostics.TextWriterTraceListener.dll
| MD5 | 2967113593429927e7938d95b5d3471c |
| SHA1 | 34a84e6878172df939f9748279490e1eb4533926 |
| SHA256 | d8631076802f2e9b690998c65d8e7f0bede7a772b3c04e7cba5f3391c395a9e1 |
| SHA512 | 502295d8eec6acd1c7e7f4f6759bbbfbb452b7581b9e10cabf0b9735737e0baa61bba0e32bb4688f0ba43fef445e5728c7001a9a364118c13eac3d3332f13e3c |
C:\Users\Admin\AppData\Roaming\Marc Gravell\ProtoFsg Tuner 34.0.0.1\install\8302965\System.Diagnostics.FileVersionInfo.dll
| MD5 | 54ba6e35897cd238118b745c84d579e6 |
| SHA1 | 07a9a5f273a65796ae77416a0d35905e949e3257 |
| SHA256 | a354569ac90b53002c7e447d72795013eb20c391d01b73197688057d07bcaa42 |
| SHA512 | 2f2fb02c76bc1af89a6d97b8c0b9c2a6b176f912d2d76e3acfb5d5cf4741e58f6dd1335bdaf626c7bc92c256eb353d534f718b59e4e52bded9907e604115a5f4 |
C:\Users\Admin\AppData\Roaming\Marc Gravell\ProtoFsg Tuner 34.0.0.1\install\8302965\System.Diagnostics.Debug.dll
| MD5 | cf668ba196134d611d7b4fac0b571e8d |
| SHA1 | 2a960aef8bc74c7893dd225398298ce8b912ab10 |
| SHA256 | 2769f8bb522846338bbe9aafb10381f64fcbdfbc6929a848463b8b9857f1d4fd |
| SHA512 | 302ca14e3c1985f34656c48dc175951d27dac6696724f9db33c0097314aba677f244421677ca1a5949a7d7a11077a0f564142d1136998127c216616f42abed5f |
C:\Users\Admin\AppData\Roaming\Marc Gravell\ProtoFsg Tuner 34.0.0.1\install\8302965\System.Data.Common.dll
| MD5 | 9b92dc2f6bb4bf2a39e6a3b6629a8693 |
| SHA1 | f7025db90e16c70577cfdd13c9a67ba264e1719d |
| SHA256 | 77cfeb9fe837a16baa5a1e845ce0df2f79efd964f448e51ef48df058aa05d39b |
| SHA512 | 539d30afb968d1fccd1da01dec6c14fcd12d23015d0ab35b45462b93275fe8dfd322814416a14501288098f751380bd2137245107fb2e1b8edc4a24ef29f99d0 |
C:\Users\Admin\AppData\Roaming\Marc Gravell\ProtoFsg Tuner 34.0.0.1\install\8302965\System.Console.dll
| MD5 | 564d1a61bae30f01c20a5808e8f7a82f |
| SHA1 | e6039eb23d3a10ff31e40851ef0dd594c5689712 |
| SHA256 | 1ca9706a4593bcc3b232efb14d2497812ab1797bf112b16665c6674c42fdc061 |
| SHA512 | c546a8d4dc852d133baf576e81bfca16763ca0e94c964d657cedbbf3153c64fdbea79329fd2a9d7ff04a0f28720a61e6d0255f8db91ed91dca2f56aaec5b5f4c |
C:\Users\Admin\AppData\Roaming\Marc Gravell\ProtoFsg Tuner 34.0.0.1\install\8302965\System.ComponentModel.dll
| MD5 | 4f167e1cf791cefa55fde1949dde7d2f |
| SHA1 | 08badaf0444ca34230d82af4590f44c7ade78533 |
| SHA256 | df1a7bc429159db17be8c79a2dc56c0fa54c6a7e5174d5082f7ece9b67a4f982 |
| SHA512 | d804f60f3d2b5891eaa38ff683194924a705aba371c872e8bfef2325c90b7bf910851cbe89cdfd0a66cb1bf801bc25c92830b37947a7e60df8fe6bdcb53de15c |
C:\Users\Admin\AppData\Roaming\Marc Gravell\ProtoFsg Tuner 34.0.0.1\install\8302965\System.Collections.Specialized.dll
| MD5 | f72152d834fbbb9c0d70a2822e0b68cf |
| SHA1 | 49eca7ac3d34ce69a1d48c0be56cdd13995adbb3 |
| SHA256 | ce3dd8b3cb2bfbbe5cdd1a339e593ad604f6bb6eb4f981555a3f53257609c8e5 |
| SHA512 | 3b8018450aa7676a35fdc8bea1997d67e45e945522bd7ac963ef0ccf574aa6df67dbd85c8773d704b0daab05b20f6d79c2ce2a42f10610f73a303246d44078bf |
C:\Users\Admin\AppData\Roaming\Marc Gravell\ProtoFsg Tuner 34.0.0.1\install\8302965\System.Collections.NonGeneric.dll
| MD5 | a3fdfde8c2f6259a3da55919679dda3d |
| SHA1 | a36bc9fd0fd5319a36c523ae0c565e6670e6a403 |
| SHA256 | 0f63c8b909689effec4c17122ff4336a14cc9c296be28d6172a11c5d8bdd2ffe |
| SHA512 | 4a917ec7f626d85cd24ed5518f29bf8acc546d34b8f86a2cd00634b54ccb5c9bc7725707ffb42c08d3ff008abfa5ffef07df3263c13c0796ed7e8f98c6200832 |
C:\Users\Admin\AppData\Roaming\Marc Gravell\ProtoFsg Tuner 34.0.0.1\install\8302965\System.Collections.dll
| MD5 | 4a264d07346dc69303bbe6e26e049883 |
| SHA1 | e093758cec19749f1d92b280b42aee86d4224fdc |
| SHA256 | e256940626e265de760586937ce5ed2a45d9b91c96e1fa768f719682505db5c2 |
| SHA512 | d6cf4024cee7679b73f1b9aef749728a3c0851934016ab391315c955689dfa3595a8f6e2a9580244ace991895b4e255a65977490264258bb9f3c98f9370b33c5 |
C:\Users\Admin\AppData\Roaming\Marc Gravell\ProtoFsg Tuner 34.0.0.1\install\8302965\System.Collections.Concurrent.dll
| MD5 | 939cb89fbb0da435b9528d9edb3feab0 |
| SHA1 | 3825f2b13d43f34330bc278aeeefbbbfd95239cc |
| SHA256 | 9c887cfd9e21e9ee31ab8232248059b677f9a3086b033d38fbad053b4f20bc25 |
| SHA512 | 4159cf39f29198942245e3a16a67e8b3fe54e871af407291204b5f5df2a76c2829680ba0d5bea261e31335bab2b6b8afa5a895bf635e515c94059a122dd36a1d |
C:\Users\Admin\AppData\Roaming\Marc Gravell\ProtoFsg Tuner 34.0.0.1\install\8302965\System.AppContext.dll
| MD5 | 82e7fd917dfd1bda64ab990606d90bdd |
| SHA1 | ab92034645c77737b6ef482e18296e896bea3751 |
| SHA256 | f0857a7c3737b0e80d9b4a9a986acb69b0d18d1fe0adc3b1e05d81f02ceb103b |
| SHA512 | 81ab0c3a10d64cdb0bb03ff65a10c3333d5ee91f21404acec41eb638a9eae77d38f00f18758d4cf8480910905d677349c71e762bb44a1ff4068084d5205c6f51 |
C:\Users\Admin\AppData\Roaming\Marc Gravell\ProtoFsg Tuner 34.0.0.1\install\8302965\netstandard.dll
| MD5 | 3501cf072f2a0aa167efb5e2370efc1e |
| SHA1 | 1de11fb25075e81250c4c47ad80265cc98c44c3e |
| SHA256 | dad6aa523b80f2bbfb2b3838ade29ce6f4a7a634f66df50484f05a63905df60d |
| SHA512 | 66f5a62a3c8cfcd1b55f65b48134cd1ea7766c165722b303b73a50609ce8546d678acac292c999d5932112ec195a890ebb3645f5e44bb2c2ed951fa09b6cf53c |
C:\Users\Admin\AppData\Roaming\Marc Gravell\ProtoFsg Tuner 34.0.0.1\install\8302965\Microsoft.Win32.Primitives.dll
| MD5 | 5b2b93ee8801c83b4e652c7fbabf8c83 |
| SHA1 | 89a8df867ccdf916881234db9de45ed4c57e5b0b |
| SHA256 | 7a1462297eb910a44c35062e021723b5553346407dc52cf013e78c8be032331a |
| SHA512 | 1d3f06f8bd04e6b85748e09bdd1e5bc6ee14f4bfdc9cf426fa76d3a268fa537557d7ad4fede1ca2e263a2462272bdb294c9d907e6f7579c60cbaaf1db41a41e9 |
C:\Users\Admin\AppData\Roaming\Marc Gravell\ProtoFsg Tuner 34.0.0.1\install\8302965\Warden.dll
| MD5 | 59391cfbee2a880611a8a77582f2824c |
| SHA1 | 41f8bc228a5988668ec8556cff1e9cfb107ecb98 |
| SHA256 | 24f05a73da2e34c4ad3c67779cae8214c9f0e3e19a217f6a917e8d42abc42669 |
| SHA512 | a145c844186db28194417094e191e0f1cd225067ffb44dca32ef46bf70ef72145bd0132e6cf7f5d20c49e2ed94c8058c7ca4a6744cabf866ee5b97f2e568a4ab |
C:\Users\Admin\AppData\Roaming\Marc Gravell\ProtoFsg Tuner 34.0.0.1\install\8302965\ZetaLongPaths.dll
| MD5 | 09374c4581177a8c866b866f108c8958 |
| SHA1 | 05f861bd4d4c038e8181e83a46e6e93bc04ca5df |
| SHA256 | 8af34db2c25f4387b878b2311ef60e74c4f83774c779689393199ecdb039baa2 |
| SHA512 | 2099c97a43c59592c3af3ccd45551a883ca9654fbb1a1b98e4241693b60ef982f688a55488f394476cedcacb850a18361002179d383ea3a93bb98b31a5c0371b |
C:\Users\Admin\AppData\Roaming\Marc Gravell\ProtoFsg Tuner 34.0.0.1\install\8302965\WindowsInput.pdb
| MD5 | 50e869af7b21aecb7598627f9d90e3ff |
| SHA1 | e1b081b0619d8a63070d2d0e78c0ce760c919e6e |
| SHA256 | ab913e1b256c09628963e9bc1c20c8c20ef29b408289a4b2655293f3fd4e7127 |
| SHA512 | 72ba511de08f0aa7abd3962d4e047adbe137d7048a251490b88a9ba97a6b96227b3f74a444a6c636331dadc5b32ccbf59d93b087045fdddcf80170fa52a0d7c1 |
C:\Users\Admin\AppData\Roaming\Marc Gravell\ProtoFsg Tuner 34.0.0.1\install\8302965\gdf
| MD5 | 2d09b43d2b4401708083af5fe82bf9bd |
| SHA1 | 5d9e71e2d01edc61ba4b5450fb748fd3bfa7a248 |
| SHA256 | 5ac4a8225dcd3a56a10a19a90e79d8548fc59fd7f9528a9410ea8e1ec5faf3ba |
| SHA512 | 0e9b28033494c5801cdb3586dcef0eb46963df62e255bf1c7fba8ea328a60764cadaad24acd5105293d297f9f8e75b5b7a6e7e97149e3691d59e44e2f6bde1ab |
C:\Users\Admin\AppData\Roaming\Marc Gravell\ProtoFsg Tuner 34.0.0.1\install\8302965\xltoolkit.exe
| MD5 | b53e54b5f8db8155d5e7b07bdc4ebb9f |
| SHA1 | 906d1736bc7814dcec4cce7f532739fb6eca3e4e |
| SHA256 | 15027ae694989a0c7dee5ffea6ebd6d8928215d9ff2b696f8ac237aef17ab0ae |
| SHA512 | 6a07ae21b891159455643b6ed213309bf6e587f85bb1b7426b666dc417d1ae83292c3c99efc3a15cff42eb4a0c9a60ec16dc1ac117dc140eac78184b73472b84 |
C:\Config.Msi\e5842c4.rbs
| MD5 | 8e244134c30556f327a1ffab24f7865c |
| SHA1 | 814d03dcaf65654a614933dce1fe1185b99a649c |
| SHA256 | 7778da1e4a01a87916c126aa70c4ad6e0b48979a1f0fa1d80de69d98ca8cf797 |
| SHA512 | f74181072359fec48143f11500479516a7b042325c08b6c29d9ba59f1509f3149911a94c76dc121353684029324b22b5131584ac7d7f0147e400618715850ee5 |
memory/3428-491-0x0000000000180000-0x00000000006A8000-memory.dmp
memory/1660-494-0x0000000000400000-0x0000000000417000-memory.dmp
memory/4608-496-0x00007FF664660000-0x00007FF664F1D000-memory.dmp
memory/1392-495-0x0000000000400000-0x00000000004C0000-memory.dmp
memory/1392-497-0x00000000021C0000-0x00000000021C1000-memory.dmp
memory/1392-499-0x0000000000400000-0x00000000004C0000-memory.dmp
memory/4608-501-0x00007FFB14040000-0x00007FFB14249000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\iUDYSEeoeok\_Files\_Information.txt
| MD5 | bb88cc1d6543c105cfa5b95d8cd70f2d |
| SHA1 | 8f9e14cb77f221eb536a8b7c68484714503a2853 |
| SHA256 | 25ab1b7bf18458029a5b84f36f72381874fd83204f3e29c4951efd0fc8cb2b7e |
| SHA512 | 20cb0ed833f3855e3ebb645f72cea55cacc7fe2621bcb09c4ffe7085ed87306daa27433126c3857bb37608618d64b84a8623ea755d2a0d950b2f6434d2d48700 |
C:\Users\Admin\AppData\Local\Temp\iUDYSEeoeok\_Files\_Screen_Desktop.jpeg
| MD5 | e701d10c8192d0b5b70bca7e4d0dbcb9 |
| SHA1 | e715786010c69a032108942a9540a6dd0732abe9 |
| SHA256 | c9e949bea70a98af380c654ffabca9612c77604b86d4577325d13f453ecc4cdb |
| SHA512 | 834ffc80025e3b3d799001c577a6915773d4a00b4a949bca44fb96075308ffa07d6bc2a9a2a0f097857158fee047304d869aab8549beb03e909ec37d456a197d |
C:\Users\Admin\AppData\Local\Temp\iUDYSEeoeok\_Files\_Information.txt
| MD5 | a44795d7575921fe85f488d4a68da556 |
| SHA1 | 79852fd0d4256a8a202e8304aa707241764e39e8 |
| SHA256 | 1ada63fa7ae81ffefb752acb5d4f1555369d83516e2e281d9e4e9aca13bc7d7e |
| SHA512 | 3ef8e182e197811f78ec4b16097e61bd94e822395b9c6bb3dec1caa085b8ddfe92c13abf673285765e9360a96c444a28abe412532248ac18e27452f3fb54de94 |
C:\Windows\System32\Vestris.ResourceLib.dll
| MD5 | 3d733144477cadcf77009ef614413630 |
| SHA1 | 0a530a2524084f1d2a85b419f033e1892174ab31 |
| SHA256 | 392d73617fd0a55218261572ece2f50301e0cfa29b5ed24c3f692130aa406af3 |
| SHA512 | be6b524d67d69385a02874a2d96d4270335846bece7b528308e136428fd67af66a4216d90da4f288aeefd00a0ba5d5f3b5493824fcb352b919ab25e7ef50b81c |
memory/1392-1166-0x0000000000400000-0x00000000004C0000-memory.dmp
C:\Program Files\KMSpico\UninsHs.exe
| MD5 | 245824502aefe21b01e42f61955aa7f4 |
| SHA1 | a58682a8aae6302f1c934709c5aa1f6c86b2be99 |
| SHA256 | 0a265b4bb8acceafaffb001632fa7e4c3f8ac39a71eda37f253e15bc1b8db90d |
| SHA512 | 204b39e31f22ba99cf09c5c8458fc94ea21b47aacc4abd305f71ba20a35d36bfc0ff53b95180542911c9c6f259db897dee76090d953f7ee18a8079caefda7981 |
C:\Program Files\KMSpico\KMSELDI.exe
| MD5 | f0280de3880ef581bf14f9cc72ec1c16 |
| SHA1 | 43d348e164c35f9e02370f6f66186fbfb15ae2a3 |
| SHA256 | 50ebfa1dd5b147e40244607d5d5be25709edf2cc66247a78beb920c77ac514cc |
| SHA512 | ac31a972e9e93e6671f44d403139b0db89d950097c848fbaf6b9965b722215f74e9ed9bb9e083d31328101e6fcfe7f960a08b3bea0813900f11d5c1bb40539a6 |
memory/4624-1391-0x0000000000400000-0x0000000000417000-memory.dmp
memory/5012-1393-0x0000000000010000-0x00000000000FA000-memory.dmp
memory/5012-1394-0x00007FFAF2D50000-0x00007FFAF3812000-memory.dmp
memory/5012-1395-0x000000001AF10000-0x000000001AF20000-memory.dmp
memory/5012-1396-0x000000001B620000-0x000000001BB60000-memory.dmp
memory/5012-1400-0x000000001AF10000-0x000000001AF20000-memory.dmp
memory/5012-1442-0x000000001AF10000-0x000000001AF20000-memory.dmp
memory/5012-1443-0x000000001AF10000-0x000000001AF20000-memory.dmp
memory/5012-1437-0x000000001AF10000-0x000000001AF20000-memory.dmp
C:\Program Files\KMSpico\logs\KMSELDI.log
| MD5 | ae7043251df77c6802c7a16a10c154ed |
| SHA1 | b847bed94758ede8f069d5d2f0311d5b56fab09b |
| SHA256 | d72eae06bdff19c74ef33d27cf5898493646463af50ddc4b94a7a21644f3d389 |
| SHA512 | e2f580b700901e8236cdc76b718dfb86ae6efa0f3583f5f6b0040ccfa8f705384f2818c64401bc41e8bdfbbb1e3596e0db2277bf7b4134b351344ebffcbac0f5 |
C:\Program Files\KMSpico\logs\KMSELDI.log
| MD5 | 82632bdabc39196d50e0049ce50f8430 |
| SHA1 | d44c492527a7694be09f360945989bfe62493978 |
| SHA256 | 6c49af1310953751ea161849643831a901329559e80ee69c40ad5b4f565599d5 |
| SHA512 | cf53bed7054258311e616cb8c4a094fde80b8bb7d93ab0137d147062ec7ec550e168eb50b8e3ea7029d961d6056eec023aef78af2a77a45206c229be2a970ce6 |
memory/1392-1628-0x0000000000400000-0x00000000004C0000-memory.dmp
memory/5012-1687-0x000000001E030000-0x000000001E130000-memory.dmp
memory/5012-1718-0x00007FFAF2D50000-0x00007FFAF3812000-memory.dmp
C:\Program Files\KMSpico\AutoPico.exe
| MD5 | cfe1c391464c446099a5eb33276f6d57 |
| SHA1 | 9999bfcded2c953e025eabaa66b4971dab122c24 |
| SHA256 | 4a714d98ce40f5f3577c306a66cb4a6b1ff3fd01047c7f4581f8558f0bcdf5fa |
| SHA512 | 4119a1722202bbc33339747ea02fd35b327890d55bb472cd1e2146ca446d8ba6fddb1e8cf8bbfaeb08aec8ed2a9d5c0fa71b73510d409ffacd3908fa72bb53b4 |
memory/760-1720-0x0000000000480000-0x000000000053A000-memory.dmp
memory/760-1721-0x00007FFAF2D50000-0x00007FFAF3812000-memory.dmp
memory/760-1724-0x0000000002570000-0x0000000002580000-memory.dmp
C:\Program Files\KMSpico\logs\AutoPico.log
| MD5 | 573360d585f3aa92f8a170566fba61f0 |
| SHA1 | 38a7299101071bac0c862e1f9f328dd494499839 |
| SHA256 | 50637ff9d71a08192a89f3a044daff1f199015d1d7910efd2dcb67158991f63d |
| SHA512 | 06df47fec225f5082c9d177dfba9c7a06108bc02876725c8bb7112fe518dec5cb1ef24fce03432767f4662df6414ea7a55d3cd252b3aebcfbb47c0b3d2e69078 |
C:\Users\Admin\AppData\Local\Temp\iUDYSEeoeok\MbvScMvxNntPSG.zip
| MD5 | 6e8fe57c992e8168f979c16116afdb73 |
| SHA1 | a7fc3dbd3ec868981f7611e507d71a183e5eb557 |
| SHA256 | 6555882bd93cd0f83087b134b1e55ec4c1e762d32df1e70ba73aa848f8902a56 |
| SHA512 | 81fbbda0510c11e75418ee1226d1a59916d2174c6863904f7ae2c0076a963c9ea63c97916e2033bfddd7e964dde8a63ce5e6cf0b944b49ecfd3dd0169bcbad09 |
memory/1392-1955-0x0000000000400000-0x00000000004C0000-memory.dmp
memory/760-2013-0x00007FFAF2D50000-0x00007FFAF3812000-memory.dmp
memory/1392-2017-0x0000000000400000-0x00000000004C0000-memory.dmp
memory/1660-2018-0x0000000000400000-0x0000000000417000-memory.dmp