Malware Analysis Report

2024-09-22 16:44

Sample ID 240206-fp9atagah4
Target КМSрiсо.exe
SHA256 838e46c53ecc12301e73abfe5d5aa2785ee2f9090a1106cedd75acc0a57dd32d
Tags
babadeda cryptbot crypter discovery evasion loader persistence spyware stealer themida trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Threat Level: Known bad

The file КМSрiсо.exe was found to be: Known bad.

Malicious Activity Summary

CryptBot

Babadeda Crypter

Babadeda

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Sets file execution options in registry

Creates new service(s)

Drops startup file

Loads dropped DLL

Executes dropped EXE

Themida packer

UPX packed file

Checks BIOS information in registry

Reads user/profile data of web browsers

Checks installed software on the system

Accesses cryptocurrency files/wallets, possible credential harvesting

Enumerates connected drives

Checks whether UAC is enabled

Drops file in System32 directory

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

Launches sc.exe

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: AddClipboardFormatListener

Suspicious use of WriteProcessMemory

Modifies Internet Explorer Phishing Filter

Checks processor information in registry

Suspicious use of FindShellTrayWindow

Creates scheduled task(s)

Uses Task Scheduler COM API

Modifies Control Panel

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-02-06 05:04

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-06 05:04

Reported

2024-02-06 05:06

Platform

win11-20231215-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\КМSрiсо.exe"

Signatures

Babadeda

loader crypter babadeda

Babadeda Crypter

Description Indicator Process Target
N/A N/A N/A N/A

CryptBot

spyware stealer cryptbot

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Program Files (x86)\folder1\Setup1.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe N/A

Creates new service(s)

persistence

Sets file execution options in registry

persistence
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe C:\Program Files\KMSpico\AutoPico.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe C:\Program Files\KMSpico\KMSELDI.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe\Debugger = "C:\\Windows\\SECOH-QAD.exe" C:\Program Files\KMSpico\KMSELDI.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe C:\Program Files\KMSpico\KMSELDI.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe C:\Program Files\KMSpico\AutoPico.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe\Debugger = "C:\\Windows\\SECOH-QAD.exe" C:\Program Files\KMSpico\AutoPico.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Program Files (x86)\folder1\Setup1.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Program Files (x86)\folder1\Setup1.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IntelRapid.lnk C:\Program Files (x86)\folder1\Setup1.exe N/A

Reads user/profile data of web browsers

spyware stealer

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\folder1\Setup1.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\B: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\U: C:\Program Files (x86)\folder1\Setup.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\V: C:\Program Files (x86)\folder1\Setup.exe N/A
File opened (read-only) \??\X: C:\Program Files (x86)\folder1\Setup.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\J: C:\Program Files (x86)\folder1\Setup.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\H: C:\Program Files (x86)\folder1\Setup.exe N/A
File opened (read-only) \??\L: C:\Program Files (x86)\folder1\Setup.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Program Files (x86)\folder1\Setup.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\A: C:\Program Files (x86)\folder1\Setup.exe N/A
File opened (read-only) \??\Q: C:\Program Files (x86)\folder1\Setup.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\G: C:\Program Files (x86)\folder1\Setup.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\I: C:\Program Files (x86)\folder1\Setup.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Program Files (x86)\folder1\Setup.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\M: C:\Program Files (x86)\folder1\Setup.exe N/A
File opened (read-only) \??\S: C:\Program Files (x86)\folder1\Setup.exe N/A
File opened (read-only) \??\Y: C:\Program Files (x86)\folder1\Setup.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\B: C:\Program Files (x86)\folder1\Setup.exe N/A
File opened (read-only) \??\T: C:\Program Files (x86)\folder1\Setup.exe N/A
File opened (read-only) \??\E: C:\Program Files (x86)\folder1\Setup.exe N/A
File opened (read-only) \??\O: C:\Program Files (x86)\folder1\Setup.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\K: C:\Program Files (x86)\folder1\Setup.exe N/A
File opened (read-only) \??\R: C:\Program Files (x86)\folder1\Setup.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\Vestris.ResourceLib.dll C:\Users\Admin\AppData\Local\Temp\is-5LI1F.tmp\KMSpico.tmp N/A
File created C:\Windows\system32\is-67F08.tmp C:\Users\Admin\AppData\Local\Temp\is-5LI1F.tmp\KMSpico.tmp N/A
File created C:\Windows\system32\is-3UULK.tmp C:\Users\Admin\AppData\Local\Temp\is-5LI1F.tmp\KMSpico.tmp N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\folder1\Setup1.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\KMSpico\cert\kmscert2013\Standard\is-AEP6U.tmp C:\Users\Admin\AppData\Local\Temp\is-5LI1F.tmp\KMSpico.tmp N/A
File created C:\Program Files\KMSpico\cert\kmscertW8\CoreN\is-9BOPT.tmp C:\Users\Admin\AppData\Local\Temp\is-5LI1F.tmp\KMSpico.tmp N/A
File created C:\Program Files\KMSpico\cert\kmscert2013\ProPlus\is-EBHCR.tmp C:\Users\Admin\AppData\Local\Temp\is-5LI1F.tmp\KMSpico.tmp N/A
File created C:\Program Files\KMSpico\cert\kmscert2013\ProPlus\is-J4P84.tmp C:\Users\Admin\AppData\Local\Temp\is-5LI1F.tmp\KMSpico.tmp N/A
File created C:\Program Files\KMSpico\cert\kmscertW10\EnterpriseS\is-FOOVI.tmp C:\Users\Admin\AppData\Local\Temp\is-5LI1F.tmp\KMSpico.tmp N/A
File created C:\Program Files\KMSpico\cert\kmscertW6\BusinessN\is-4PM48.tmp C:\Users\Admin\AppData\Local\Temp\is-5LI1F.tmp\KMSpico.tmp N/A
File created C:\Program Files\KMSpico\cert\kmscert2010\ProjectStd\is-7VSGI.tmp C:\Users\Admin\AppData\Local\Temp\is-5LI1F.tmp\KMSpico.tmp N/A
File created C:\Program Files\KMSpico\cert\kmscert2010\Visio\is-IP3UG.tmp C:\Users\Admin\AppData\Local\Temp\is-5LI1F.tmp\KMSpico.tmp N/A
File created C:\Program Files\KMSpico\cert\kmscert2010\Visio\is-MN635.tmp C:\Users\Admin\AppData\Local\Temp\is-5LI1F.tmp\KMSpico.tmp N/A
File created C:\Program Files\KMSpico\cert\kmscert2013\VisioPro\is-EI0H2.tmp C:\Users\Admin\AppData\Local\Temp\is-5LI1F.tmp\KMSpico.tmp N/A
File created C:\Program Files\KMSpico\cert\kmscert2013\VisioPro\is-4C6RI.tmp C:\Users\Admin\AppData\Local\Temp\is-5LI1F.tmp\KMSpico.tmp N/A
File created C:\Program Files\KMSpico\cert\kmscert2010\SmallBusBasics\is-CCAPU.tmp C:\Users\Admin\AppData\Local\Temp\is-5LI1F.tmp\KMSpico.tmp N/A
File created C:\Program Files\KMSpico\cert\kmscert2010\Standard\is-FAMT3.tmp C:\Users\Admin\AppData\Local\Temp\is-5LI1F.tmp\KMSpico.tmp N/A
File created C:\Program Files\KMSpico\cert\kmscert2013\Lync\is-K4CNV.tmp C:\Users\Admin\AppData\Local\Temp\is-5LI1F.tmp\KMSpico.tmp N/A
File created C:\Program Files\KMSpico\cert\kmscert2016\SkypeforBusiness\is-FVPU9.tmp C:\Users\Admin\AppData\Local\Temp\is-5LI1F.tmp\KMSpico.tmp N/A
File created C:\Program Files\KMSpico\cert\kmscertW8\Professional\is-B0DJI.tmp C:\Users\Admin\AppData\Local\Temp\is-5LI1F.tmp\KMSpico.tmp N/A
File created C:\Program Files\KMSpico\cert\kmscert2010\ProjectStd\is-QSGUK.tmp C:\Users\Admin\AppData\Local\Temp\is-5LI1F.tmp\KMSpico.tmp N/A
File created C:\Program Files\KMSpico\cert\kmscert2010\Excel\is-L19LF.tmp C:\Users\Admin\AppData\Local\Temp\is-5LI1F.tmp\KMSpico.tmp N/A
File created C:\Program Files\KMSpico\cert\kmscert2010\PowerPoint\is-TGET4.tmp C:\Users\Admin\AppData\Local\Temp\is-5LI1F.tmp\KMSpico.tmp N/A
File created C:\Program Files\KMSpico\cert\kmscert2010\Visio\is-5H8C8.tmp C:\Users\Admin\AppData\Local\Temp\is-5LI1F.tmp\KMSpico.tmp N/A
File created C:\Program Files\KMSpico\cert\kmscert2010\Publisher\is-0SJDN.tmp C:\Users\Admin\AppData\Local\Temp\is-5LI1F.tmp\KMSpico.tmp N/A
File created C:\Program Files\KMSpico\sounds\is-3QMMC.tmp C:\Users\Admin\AppData\Local\Temp\is-5LI1F.tmp\KMSpico.tmp N/A
File created C:\Program Files\KMSpico\cert\kmscert2010\InfoPath\is-CH83K.tmp C:\Users\Admin\AppData\Local\Temp\is-5LI1F.tmp\KMSpico.tmp N/A
File created C:\Program Files\KMSpico\cert\kmscert2010\Visio\is-D8I4J.tmp C:\Users\Admin\AppData\Local\Temp\is-5LI1F.tmp\KMSpico.tmp N/A
File created C:\Program Files\KMSpico\cert\kmscert2010\Publisher\is-AJE57.tmp C:\Users\Admin\AppData\Local\Temp\is-5LI1F.tmp\KMSpico.tmp N/A
File created C:\Program Files\KMSpico\cert\kmscert2010\Visio\is-L9IRO.tmp C:\Users\Admin\AppData\Local\Temp\is-5LI1F.tmp\KMSpico.tmp N/A
File created C:\Program Files\KMSpico\cert\kmscert2016\VisioPro\is-0HN1M.tmp C:\Users\Admin\AppData\Local\Temp\is-5LI1F.tmp\KMSpico.tmp N/A
File created C:\Program Files\KMSpico\cert\kmscertW6\Enterprise\is-947UR.tmp C:\Users\Admin\AppData\Local\Temp\is-5LI1F.tmp\KMSpico.tmp N/A
File created C:\Program Files\KMSpico\cert\kmscertW8\ProfessionalWMC\is-5THBP.tmp C:\Users\Admin\AppData\Local\Temp\is-5LI1F.tmp\KMSpico.tmp N/A
File created C:\Program Files\KMSpico\cert\kmscert2010\Excel\is-NHCP9.tmp C:\Users\Admin\AppData\Local\Temp\is-5LI1F.tmp\KMSpico.tmp N/A
File created C:\Program Files\KMSpico\cert\kmscert2010\ProjectStd\is-VG7P0.tmp C:\Users\Admin\AppData\Local\Temp\is-5LI1F.tmp\KMSpico.tmp N/A
File created C:\Program Files\KMSpico\cert\kmscert2010\ProPlus\is-S6GIE.tmp C:\Users\Admin\AppData\Local\Temp\is-5LI1F.tmp\KMSpico.tmp N/A
File created C:\Program Files\KMSpico\cert\kmscertW6\BusinessN\is-N4ADE.tmp C:\Users\Admin\AppData\Local\Temp\is-5LI1F.tmp\KMSpico.tmp N/A
File opened for modification C:\Program Files\KMSpico\Vestris.ResourceLib.dll C:\Users\Admin\AppData\Local\Temp\is-5LI1F.tmp\KMSpico.tmp N/A
File created C:\Program Files\KMSpico\cert\kmscert2010\ProjectPro\is-8P0UE.tmp C:\Users\Admin\AppData\Local\Temp\is-5LI1F.tmp\KMSpico.tmp N/A
File created C:\Program Files\KMSpico\cert\kmscert2013\ProjectPro\is-KP055.tmp C:\Users\Admin\AppData\Local\Temp\is-5LI1F.tmp\KMSpico.tmp N/A
File created C:\Program Files\KMSpico\cert\kmscert2010\SmallBusBasics\is-RDK98.tmp C:\Users\Admin\AppData\Local\Temp\is-5LI1F.tmp\KMSpico.tmp N/A
File created C:\Program Files\KMSpico\cert\kmscertW10\Core\is-R1I40.tmp C:\Users\Admin\AppData\Local\Temp\is-5LI1F.tmp\KMSpico.tmp N/A
File created C:\Program Files\KMSpico\cert\kmscert2010\Groove\is-53U3K.tmp C:\Users\Admin\AppData\Local\Temp\is-5LI1F.tmp\KMSpico.tmp N/A
File created C:\Program Files\KMSpico\cert\kmscert2013\Access\is-E7PDC.tmp C:\Users\Admin\AppData\Local\Temp\is-5LI1F.tmp\KMSpico.tmp N/A
File created C:\Program Files\KMSpico\cert\kmscert2013\Word\is-0EHKB.tmp C:\Users\Admin\AppData\Local\Temp\is-5LI1F.tmp\KMSpico.tmp N/A
File created C:\Program Files\KMSpico\cert\kmscert2016\Excel\is-2PAU7.tmp C:\Users\Admin\AppData\Local\Temp\is-5LI1F.tmp\KMSpico.tmp N/A
File created C:\Program Files (x86)\folder1\Setup1.exe C:\Users\Admin\AppData\Local\Temp\КМSрiсо.exe N/A
File created C:\Program Files\KMSpico\cert\kmscert2010\Word\is-E6IQV.tmp C:\Users\Admin\AppData\Local\Temp\is-5LI1F.tmp\KMSpico.tmp N/A
File created C:\Program Files\KMSpico\cert\kmscert2016\PowerPoint\is-OTSFA.tmp C:\Users\Admin\AppData\Local\Temp\is-5LI1F.tmp\KMSpico.tmp N/A
File created C:\Program Files\KMSpico\cert\kmscert2016\VisioStd\is-15Q2S.tmp C:\Users\Admin\AppData\Local\Temp\is-5LI1F.tmp\KMSpico.tmp N/A
File created C:\Program Files\KMSpico\cert\kmscertW10\Education\is-5F2AB.tmp C:\Users\Admin\AppData\Local\Temp\is-5LI1F.tmp\KMSpico.tmp N/A
File created C:\Program Files\KMSpico\sounds\is-1F956.tmp C:\Users\Admin\AppData\Local\Temp\is-5LI1F.tmp\KMSpico.tmp N/A
File created C:\Program Files\KMSpico\cert\kmscert2010\Excel\is-EHC3T.tmp C:\Users\Admin\AppData\Local\Temp\is-5LI1F.tmp\KMSpico.tmp N/A
File created C:\Program Files\KMSpico\cert\kmscertW6\Business\is-BHB04.tmp C:\Users\Admin\AppData\Local\Temp\is-5LI1F.tmp\KMSpico.tmp N/A
File created C:\Program Files\KMSpico\cert\kmscertW7\Embedded\is-EOEQO.tmp C:\Users\Admin\AppData\Local\Temp\is-5LI1F.tmp\KMSpico.tmp N/A
File created C:\Program Files\KMSpico\scripts\is-TQ6PG.tmp C:\Users\Admin\AppData\Local\Temp\is-5LI1F.tmp\KMSpico.tmp N/A
File created C:\Program Files\KMSpico\cert\kmscertW8\EnterpriseN\is-P1DI5.tmp C:\Users\Admin\AppData\Local\Temp\is-5LI1F.tmp\KMSpico.tmp N/A
File created C:\Program Files\KMSpico\driver\is-MKGCA.tmp C:\Users\Admin\AppData\Local\Temp\is-5LI1F.tmp\KMSpico.tmp N/A
File created C:\Program Files\KMSpico\cert\kmscert2010\OneNote\is-KPQRP.tmp C:\Users\Admin\AppData\Local\Temp\is-5LI1F.tmp\KMSpico.tmp N/A
File created C:\Program Files\KMSpico\cert\kmscert2010\Standard\is-DS32B.tmp C:\Users\Admin\AppData\Local\Temp\is-5LI1F.tmp\KMSpico.tmp N/A
File created C:\Program Files\KMSpico\cert\kmscertW6\Business\is-F5K42.tmp C:\Users\Admin\AppData\Local\Temp\is-5LI1F.tmp\KMSpico.tmp N/A
File created C:\Program Files\KMSpico\cert\kmscert2010\SmallBusBasics\is-V0A6A.tmp C:\Users\Admin\AppData\Local\Temp\is-5LI1F.tmp\KMSpico.tmp N/A
File created C:\Program Files\KMSpico\cert\kmscert2010\Word\is-5F7LI.tmp C:\Users\Admin\AppData\Local\Temp\is-5LI1F.tmp\KMSpico.tmp N/A
File created C:\Program Files\KMSpico\cert\kmscert2013\ProjectStd\is-6BARE.tmp C:\Users\Admin\AppData\Local\Temp\is-5LI1F.tmp\KMSpico.tmp N/A
File created C:\Program Files\KMSpico\cert\kmscert2016\Publisher\is-O9562.tmp C:\Users\Admin\AppData\Local\Temp\is-5LI1F.tmp\KMSpico.tmp N/A
File created C:\Program Files\KMSpico\cert\kmscert2013\Excel\is-A0RUI.tmp C:\Users\Admin\AppData\Local\Temp\is-5LI1F.tmp\KMSpico.tmp N/A
File created C:\Program Files\KMSpico\logs\is-OD2C7.tmp C:\Users\Admin\AppData\Local\Temp\is-5LI1F.tmp\KMSpico.tmp N/A
File created C:\Program Files\KMSpico\cert\kmscert2010\Access\is-OS2EB.tmp C:\Users\Admin\AppData\Local\Temp\is-5LI1F.tmp\KMSpico.tmp N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Installer\MSI435D.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI438D.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{8DF27864-44E9-4A93-928A-75C0E8302965} C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI4622.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SystemTemp\~DFD7E4729159D715CB.TMP C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\e5842c1.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SECOH-QAD.dll C:\Program Files\KMSpico\KMSELDI.exe N/A
File created C:\Windows\SystemTemp\~DFD31ACC7F2D7C175E.TMP C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI439E.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI43CF.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SystemTemp\~DF12D40F3456A94AD3.TMP C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e5842c1.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI43BF.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SystemTemp\~DF4D95D7C71EF119F1.TMP C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SECOH-QAD.exe C:\Program Files\KMSpico\KMSELDI.exe N/A
File opened for modification C:\Windows\Installer\MSI43AE.tmp C:\Windows\system32\msiexec.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Roaming\Marc Gravell\ProtoFsg Tuner\xltoolkit.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Roaming\Marc Gravell\ProtoFsg Tuner\xltoolkit.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1155165157-2721788668-771323609-1000\Control Panel\Desktop\PaintDesktopVersion = "0" C:\Program Files\KMSpico\KMSELDI.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1155165157-2721788668-771323609-1000\Control Panel\Desktop\PaintDesktopVersion = "0" C:\Program Files\KMSpico\AutoPico.exe N/A

Modifies Internet Explorer Phishing Filter

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter C:\Users\Admin\AppData\Local\Temp\is-5LI1F.tmp\KMSpico.tmp N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\EnabledV9 = "0" C:\Users\Admin\AppData\Local\Temp\is-5LI1F.tmp\KMSpico.tmp N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Program Files (x86)\folder1\Setup.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Program Files (x86)\folder1\Setup.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Program Files (x86)\folder1\Setup.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Program Files (x86)\folder1\Setup.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Program Files (x86)\folder1\Setup.exe N/A
Token: SeTcbPrivilege N/A C:\Program Files (x86)\folder1\Setup.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files (x86)\folder1\Setup.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Program Files (x86)\folder1\Setup.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Program Files (x86)\folder1\Setup.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Program Files (x86)\folder1\Setup.exe N/A
Token: SeSystemtimePrivilege N/A C:\Program Files (x86)\folder1\Setup.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Program Files (x86)\folder1\Setup.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Program Files (x86)\folder1\Setup.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files (x86)\folder1\Setup.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Program Files (x86)\folder1\Setup.exe N/A
Token: SeBackupPrivilege N/A C:\Program Files (x86)\folder1\Setup.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files (x86)\folder1\Setup.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files (x86)\folder1\Setup.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\folder1\Setup.exe N/A
Token: SeAuditPrivilege N/A C:\Program Files (x86)\folder1\Setup.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Program Files (x86)\folder1\Setup.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Program Files (x86)\folder1\Setup.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Program Files (x86)\folder1\Setup.exe N/A
Token: SeUndockPrivilege N/A C:\Program Files (x86)\folder1\Setup.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Program Files (x86)\folder1\Setup.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Program Files (x86)\folder1\Setup.exe N/A
Token: SeManageVolumePrivilege N/A C:\Program Files (x86)\folder1\Setup.exe N/A
Token: SeImpersonatePrivilege N/A C:\Program Files (x86)\folder1\Setup.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Program Files (x86)\folder1\Setup.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Program Files (x86)\folder1\Setup.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Program Files (x86)\folder1\Setup.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Program Files (x86)\folder1\Setup.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Program Files (x86)\folder1\Setup.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Program Files (x86)\folder1\Setup.exe N/A
Token: SeTcbPrivilege N/A C:\Program Files (x86)\folder1\Setup.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files (x86)\folder1\Setup.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Program Files (x86)\folder1\Setup.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Program Files (x86)\folder1\Setup.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Program Files (x86)\folder1\Setup.exe N/A
Token: SeSystemtimePrivilege N/A C:\Program Files (x86)\folder1\Setup.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Program Files (x86)\folder1\Setup.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Program Files (x86)\folder1\Setup.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files (x86)\folder1\Setup.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Program Files (x86)\folder1\Setup.exe N/A
Token: SeBackupPrivilege N/A C:\Program Files (x86)\folder1\Setup.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files (x86)\folder1\Setup.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files (x86)\folder1\Setup.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\folder1\Setup.exe N/A
Token: SeAuditPrivilege N/A C:\Program Files (x86)\folder1\Setup.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Program Files (x86)\folder1\Setup.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Program Files (x86)\folder1\Setup.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Program Files (x86)\folder1\Setup.exe N/A
Token: SeUndockPrivilege N/A C:\Program Files (x86)\folder1\Setup.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Program Files (x86)\folder1\Setup.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Program Files (x86)\folder1\Setup.exe N/A
Token: SeManageVolumePrivilege N/A C:\Program Files (x86)\folder1\Setup.exe N/A
Token: SeImpersonatePrivilege N/A C:\Program Files (x86)\folder1\Setup.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Program Files (x86)\folder1\Setup.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Program Files (x86)\folder1\Setup.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Program Files (x86)\folder1\Setup.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Program Files (x86)\folder1\Setup.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Program Files (x86)\folder1\Setup.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Program Files (x86)\folder1\Setup.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-5LI1F.tmp\KMSpico.tmp N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 540 wrote to memory of 3216 N/A C:\Users\Admin\AppData\Local\Temp\КМSрiсо.exe C:\Program Files (x86)\folder1\Setup.exe
PID 540 wrote to memory of 3216 N/A C:\Users\Admin\AppData\Local\Temp\КМSрiсо.exe C:\Program Files (x86)\folder1\Setup.exe
PID 540 wrote to memory of 3216 N/A C:\Users\Admin\AppData\Local\Temp\КМSрiсо.exe C:\Program Files (x86)\folder1\Setup.exe
PID 540 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\КМSрiсо.exe C:\Program Files (x86)\folder1\KMSpico.exe
PID 540 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\КМSрiсо.exe C:\Program Files (x86)\folder1\KMSpico.exe
PID 540 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\КМSрiсо.exe C:\Program Files (x86)\folder1\KMSpico.exe
PID 540 wrote to memory of 3880 N/A C:\Users\Admin\AppData\Local\Temp\КМSрiсо.exe C:\Program Files (x86)\folder1\Setup1.exe
PID 540 wrote to memory of 3880 N/A C:\Users\Admin\AppData\Local\Temp\КМSрiсо.exe C:\Program Files (x86)\folder1\Setup1.exe
PID 1660 wrote to memory of 1392 N/A C:\Program Files (x86)\folder1\KMSpico.exe C:\Users\Admin\AppData\Local\Temp\is-5LI1F.tmp\KMSpico.tmp
PID 1660 wrote to memory of 1392 N/A C:\Program Files (x86)\folder1\KMSpico.exe C:\Users\Admin\AppData\Local\Temp\is-5LI1F.tmp\KMSpico.tmp
PID 1660 wrote to memory of 1392 N/A C:\Program Files (x86)\folder1\KMSpico.exe C:\Users\Admin\AppData\Local\Temp\is-5LI1F.tmp\KMSpico.tmp
PID 3880 wrote to memory of 4608 N/A C:\Program Files (x86)\folder1\Setup1.exe C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe
PID 3880 wrote to memory of 4608 N/A C:\Program Files (x86)\folder1\Setup1.exe C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe
PID 2384 wrote to memory of 5112 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2384 wrote to memory of 5112 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2384 wrote to memory of 5112 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 3216 wrote to memory of 1008 N/A C:\Program Files (x86)\folder1\Setup.exe C:\Windows\SysWOW64\msiexec.exe
PID 3216 wrote to memory of 1008 N/A C:\Program Files (x86)\folder1\Setup.exe C:\Windows\SysWOW64\msiexec.exe
PID 3216 wrote to memory of 1008 N/A C:\Program Files (x86)\folder1\Setup.exe C:\Windows\SysWOW64\msiexec.exe
PID 2384 wrote to memory of 4816 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2384 wrote to memory of 4816 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2384 wrote to memory of 4816 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2384 wrote to memory of 3428 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Roaming\Marc Gravell\ProtoFsg Tuner\xltoolkit.exe
PID 2384 wrote to memory of 3428 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Roaming\Marc Gravell\ProtoFsg Tuner\xltoolkit.exe
PID 2384 wrote to memory of 3428 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Roaming\Marc Gravell\ProtoFsg Tuner\xltoolkit.exe
PID 1392 wrote to memory of 792 N/A C:\Users\Admin\AppData\Local\Temp\is-5LI1F.tmp\KMSpico.tmp C:\Windows\system32\cmd.exe
PID 1392 wrote to memory of 792 N/A C:\Users\Admin\AppData\Local\Temp\is-5LI1F.tmp\KMSpico.tmp C:\Windows\system32\cmd.exe
PID 1392 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\is-5LI1F.tmp\KMSpico.tmp C:\Windows\system32\cmd.exe
PID 1392 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\is-5LI1F.tmp\KMSpico.tmp C:\Windows\system32\cmd.exe
PID 1392 wrote to memory of 4624 N/A C:\Users\Admin\AppData\Local\Temp\is-5LI1F.tmp\KMSpico.tmp C:\Program Files\KMSpico\UninsHs.exe
PID 1392 wrote to memory of 4624 N/A C:\Users\Admin\AppData\Local\Temp\is-5LI1F.tmp\KMSpico.tmp C:\Program Files\KMSpico\UninsHs.exe
PID 1392 wrote to memory of 4624 N/A C:\Users\Admin\AppData\Local\Temp\is-5LI1F.tmp\KMSpico.tmp C:\Program Files\KMSpico\UninsHs.exe
PID 1392 wrote to memory of 5012 N/A C:\Users\Admin\AppData\Local\Temp\is-5LI1F.tmp\KMSpico.tmp C:\Program Files\KMSpico\KMSELDI.exe
PID 1392 wrote to memory of 5012 N/A C:\Users\Admin\AppData\Local\Temp\is-5LI1F.tmp\KMSpico.tmp C:\Program Files\KMSpico\KMSELDI.exe
PID 792 wrote to memory of 2772 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 792 wrote to memory of 2772 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 2824 wrote to memory of 3616 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2824 wrote to memory of 3616 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2272 wrote to memory of 2044 N/A C:\Windows\SECOH-QAD.exe C:\Windows\system32\SppExtComObj.exe
PID 2272 wrote to memory of 2044 N/A C:\Windows\SECOH-QAD.exe C:\Windows\system32\SppExtComObj.exe
PID 2272 wrote to memory of 2044 N/A C:\Windows\SECOH-QAD.exe C:\Windows\system32\SppExtComObj.exe
PID 2044 wrote to memory of 5000 N/A C:\Windows\system32\SppExtComObj.exe C:\Windows\System32\SLUI.exe
PID 2044 wrote to memory of 5000 N/A C:\Windows\system32\SppExtComObj.exe C:\Windows\System32\SLUI.exe
PID 1392 wrote to memory of 760 N/A C:\Users\Admin\AppData\Local\Temp\is-5LI1F.tmp\KMSpico.tmp C:\Program Files\KMSpico\AutoPico.exe
PID 1392 wrote to memory of 760 N/A C:\Users\Admin\AppData\Local\Temp\is-5LI1F.tmp\KMSpico.tmp C:\Program Files\KMSpico\AutoPico.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\КМSрiсо.exe

"C:\Users\Admin\AppData\Local\Temp\КМSрiсо.exe"

C:\Program Files (x86)\folder1\Setup.exe

"C:\Program Files (x86)\folder1\Setup.exe"

C:\Program Files (x86)\folder1\KMSpico.exe

"C:\Program Files (x86)\folder1\KMSpico.exe"

C:\Users\Admin\AppData\Local\Temp\is-5LI1F.tmp\KMSpico.tmp

"C:\Users\Admin\AppData\Local\Temp\is-5LI1F.tmp\KMSpico.tmp" /SL5="$50234,2952592,69120,C:\Program Files (x86)\folder1\KMSpico.exe"

C:\Program Files (x86)\folder1\Setup1.exe

"C:\Program Files (x86)\folder1\Setup1.exe"

C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe

"C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe"

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 6716137F37C45D67735C70D57CFB0FD6 C

C:\Windows\SysWOW64\msiexec.exe

"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Marc Gravell\ProtoFsg Tuner 34.0.0.1\install\8302965\adv1.msi" AI_SETUPEXEPATH="C:\Program Files (x86)\folder1\Setup.exe" SETUPEXEDIR="C:\Program Files (x86)\folder1\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1706955260 " AI_EUIMSI=""

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 8892E79C8B078A1B1E64D1E72DE736E4

C:\Users\Admin\AppData\Roaming\Marc Gravell\ProtoFsg Tuner\xltoolkit.exe

"C:\Users\Admin\AppData\Roaming\Marc Gravell\ProtoFsg Tuner\xltoolkit.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /C ""C:\Program Files\KMSpico\scripts\Install_Service.cmd""

C:\Program Files\KMSpico\UninsHs.exe

"C:\Program Files\KMSpico\UninsHs.exe" /r0=KMSpico,default,C:\Program Files (x86)\folder1\KMSpico.exe

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /C ""C:\Program Files\KMSpico\scripts\Install_Task.cmd""

C:\Program Files\KMSpico\KMSELDI.exe

"C:\Program Files\KMSpico\KMSELDI.exe" /silent /backup

C:\Windows\system32\sc.exe

sc create "Service KMSELDI" binPath= "C:\Program Files\KMSpico\Service_KMS.exe" type= own error= normal start= auto DisplayName= "Service KMSELDI"

C:\Windows\system32\schtasks.exe

SCHTASKS /Create /TN "AutoPico Daily Restart" /TR "'C:\Program Files\KMSpico\AutoPico.exe' /silent" /SC DAILY /ST 23:59:59 /RU "NT AUTHORITY\SYSTEM" /RL Highest /F

C:\Windows\SECOH-QAD.exe

C:\Windows\SECOH-QAD.exe C:\Windows\system32\SppExtComObj.exe -Embedding

C:\Windows\system32\SppExtComObj.exe

C:\Windows\system32\SppExtComObj.exe -Embedding

C:\Windows\System32\SLUI.exe

"C:\Windows\System32\SLUI.exe" RuleId=eeba1977-569e-4571-b639-7623d8bfecc0;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2de67392-b7a7-462a-b1ca-108dd189f588;NotificationInterval=1440;Trigger=TimerEvent

C:\Program Files\KMSpico\AutoPico.exe

"C:\Program Files\KMSpico\AutoPico.exe" /silent

Network

Country  Destination         Domain                           Proto
US       8.8.8.8:53          194.178.17.96.in-addr.arpa       udp
N/A      127.0.0.1:1688                                       tcp
GB       184.28.176.89:443                                    tcp
DE       51.116.246.104:443  browser.pipe.aria.microsoft.com  tcp
GB       92.123.128.161:443  r.bing.com                       tcp
GB       92.123.128.161:443  r.bing.com                       tcp
GB       92.123.128.161:443  r.bing.com                       tcp
GB       92.123.128.161:443  r.bing.com                       tcp
GB       92.123.128.161:443  r.bing.com                       tcp
GB       92.123.128.161:443  r.bing.com                       tcp
US       8.8.8.8:53          161.128.123.92.in-addr.arpa      udp

Files

C:\Program Files (x86)\folder1\Setup.exe

MD5 e641ae01784f18a19b646cd10464c17b
SHA1 a7c81c3eaf838463c5eedac166140310e8098de4
SHA256 d9d7bd87155d65b20ab0603d5dc022ffb64e82295d1cbc6bb5385182bd5bf530
SHA512 a585b0783d196959436f9da7f529f81abf232eee715ad373c23e15f5369d0042287767552fc19eeee82556c8a95f0b1fe3238ad0251da114a6e84435a2f35d09

C:\Program Files (x86)\folder1\Setup.exe

MD5 3316414b199356c83e7d5c002edf9b96
SHA1 36039426dc2ed64393dfd8dff799d19a05ac0fb7
SHA256 421120d69ddc1a60c936411ca95b9d6729a69ebc6139bf8cee25d151d311d0be
SHA512 163adffa05ef7460a484cea2e7f0d01c0847bee6e500d837769dd4f85cb9465f9d9fa517eccd9a79f46c7d7974b4e560dea22fd22bdea183d57407db2f5a297c

C:\Program Files (x86)\folder1\Setup.exe

MD5 0e567d24763edd5a1a59ec053c1477fd
SHA1 e76775c37eedb4258c749810d589d1e7c771ccb7
SHA256 7de6dc4a54812f56030b7c34a5879db48e67abbfc4e75a223716673bb4e40a6d
SHA512 c5125aa098178c67b0a5685248d55b982768d445a347591abbf983557130ca85f5eaf4879e68ac0a992b8b53a243d6c764a6abf609f937cef446151e69dec970

C:\Program Files (x86)\folder1\KMSpico.exe

MD5 16357aeedd5a98a97b006ff2b88d7597
SHA1 b1df2fb3a20dd20614bc6643d426839c0f9359fe
SHA256 ea842459ebe10ac1e099f3c6da1cf59ad5a1b4b041ffd6dffc6ab8f1426b1fb1
SHA512 baa4a6f21fc9c4897d91e872138779eb3e6d5e27f92778be4ab146c2cbe52cab034e8bd901ba23e9d55a2b3fb85dcd0f3f94fb915913d2d141004c740dec58e4

C:\Program Files (x86)\folder1\KMSpico.exe

MD5 0a7675b54d33c0e165966e31b892a162
SHA1 86d642019a1e6ec44d4d78e5094e549ec8144a1e
SHA256 a4a897342a44607fe72f39273f3a41b940efd81962993ad3f97629be2728250e
SHA512 f7b7f4142d63d4f3eb82c3abcd21780d06433f010eed30a97cc06a47d5844f06b7cdde09ec28c0728483e89494d33a2ba91652b3a5fea4af83256cee39e03b35

memory/1660-30-0x0000000000400000-0x0000000000417000-memory.dmp

C:\Program Files (x86)\folder1\Setup1.exe

MD5 627bd29f527c6c740e095b30e7d4273a
SHA1 4114532bcf0cb5d4bdd11873a9d8920b5d331ab5
SHA256 ef15666065bfa40c1cb6fec17cd65974aae4f70a0aef5dbe17f2910b613d3b9b
SHA512 56aba0a7e3161481481954f2929382e23156adcee0d3059cf19fc34f42226419d43468b23f32e5e10c7967bb43037910f7df97dc431d064386db6c6f02303f7c

C:\Program Files (x86)\folder1\Setup1.exe

MD5 1052257cf0fcc489e3fde015fa0d2698
SHA1 e2439a42e14f582d649534ed7a64b1332db1e872
SHA256 f2eb18549dd189d543949058bf676e4eae67fd89d7d3620f3e4850965fbbba81
SHA512 61c09f13f124e2ab7b674997b9ce77ad6ff886e23f8cb4b3461c7c63bdca77c57fb3af787e9a7564bbdb1ff55688161f7c76c3765366d1d4a657cf23296a3c39

memory/3880-38-0x00007FF7549B0000-0x00007FF75526D000-memory.dmp

memory/3880-50-0x00007FFB14040000-0x00007FFB14249000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-5LI1F.tmp\KMSpico.tmp

MD5 9ac08a71483454cda4399c9e966a2b82
SHA1 4d8cc2586bce5855e1beffd152da6147f7c35871
SHA256 de4a8014ca456659b533d354317428ed931e918ce286c1f51184c60c50f8284d
SHA512 9e38a6c1910e13517a197b8a9311105c580e87fb75d5eb9b7d4196c7438f78cf6413affab73e92240ebcba2920b1780cc639b5cefdea735f319e07f5adec3eae

memory/1392-55-0x00000000021C0000-0x00000000021C1000-memory.dmp

memory/3880-51-0x00007FF7549B0000-0x00007FF75526D000-memory.dmp

C:\Users\Admin\AppData\Roaming\Marc Gravell\ProtoFsg Tuner 34.0.0.1\install\decoder.dll

MD5 831e0b597db11a6eb6f3f797105f7be8
SHA1 d89154670218f9fba4515b0c1c634ae0900ca6d4
SHA256 e3404d4af16702a67dcaa4da4c5a8776ef350343b179ae6e7f2d347e7e1d1fb7
SHA512 e5e71a62c937e7d1c2cf7698bc80fa42732ddd82735ba0ccaee28aee7a7ea7b2132650dfd2c483eb6fb93f447b59643e1a3d6d077a50f0cd42b6f3fc78c1ad8f

C:\Users\Admin\AppData\Roaming\Marc Gravell\ProtoFsg Tuner 34.0.0.1\install\8302965\adv1.msi

MD5 7f22059a0b801c830666b5fab17649f3
SHA1 e0a1a7af1cb336b08143a90a56387897ff66a5ea
SHA256 c261656d4f2c0a19f59a415e6e7342fe108ff198a46fffef81d1eebd6e8289de
SHA512 005c76de78bc9b74e5f37780c56bc959626bdfbc29e1e2b53a145851894ad7c895a12e422d1caf43fef4e72906969ad3af3136ac213f83cd05acc2797b154e88

C:\Users\Admin\AppData\Roaming\Marc Gravell\ProtoFsg Tuner 34.0.0.1\install\decoder.dll

MD5 fc3c50cc89bd796b94cb4102fed6e7b0
SHA1 629ae6d87ba397042a5b72be11b01c6053213a7e
SHA256 7620dc258aed12b902d3ac7f080f542512e598a9024afd59ca51f12f9ac1b5ac
SHA512 3f02bfbe53687ce8185392e297afdc787715491e966bc3034540455ee96b9855c25c16b112be457fd94c81bd54a3aa8a40682eb148496b9ec8bc7dd1e514f3ef

C:\Users\Admin\AppData\Roaming\Marc Gravell\ProtoFsg Tuner 34.0.0.1\install\decoder.dll

MD5 e33057f00406e0d7cf583b9f4f631435
SHA1 1951068f863ca2807a52afebbd04aa7471894790
SHA256 691c3f1db20bc62c74347132a5186def8087ddc4170e5db8ceb7068f4d277157
SHA512 cdae1af6528068455d897218253881c0b02a0f5ae387c5d9be43339ce98ae1716f7a1b89ac401d026c28c92b5d8b78a87d5db544d391399cf43f5b9af82983d9

C:\Users\Admin\AppData\Local\Temp\is-5LI1F.tmp\KMSpico.tmp

MD5 32dcc6be60faea3f319e5057f733e093
SHA1 28b9f13561d3f76edb6d512157c169f69f983eda
SHA256 b7f2b0463eeaa9bec2aad12e6780251ebfbdf8d5cd8beb1c51e5cb469f53d9a0
SHA512 6159ed2b83c031609bc9bb3b0a24769bff9e8500c8475b65a338fb77df3de65df1660cd605c26a2fdfb859743d929602e96d5ed24c86b3755b52dd515edad2cf

memory/3880-37-0x00007FF7549B0000-0x00007FF75526D000-memory.dmp

memory/3880-66-0x00007FF7549B0000-0x00007FF75526D000-memory.dmp

C:\Program Files (x86)\folder1\KMSpico.exe

MD5 7409c2ebb693c4927cafc7cd1bcda70b
SHA1 cb7b763f5019771a9b38ed4f27e45cc3424cf175
SHA256 250a0efca346f2d76a309c7655a712746e279c114b2063778386ba07d98a1b58
SHA512 2594d3e11a49015d174f484c2af50eaa848f80ffcc96789ed3013d3a2ad3769c61962691a7f1b7d75c8b6ba0a25331cb38ececa11fedf590400864a2f185247d

memory/3880-67-0x00007FF7549B0000-0x00007FF75526D000-memory.dmp

C:\Program Files (x86)\folder1\Setup1.exe

MD5 7c10102b695b525a58e37002c311b7a0
SHA1 040bd2fbfcfb86bbb29ed477a1acd4886cc98626
SHA256 3d0e4c294a094b35a2c57fd391229bf762ca80c74f583adc4d5f180a23df28f7
SHA512 a8467156e316d689cd395e0a0a7c7f33b424f830d2584754e90dd1092b8e26dc5c50797477c77b1fb48927c303965e930961cb123ce907946b99e6d3847fae7d

C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe

MD5 6de235b21db1c4a76c237d4d48855916
SHA1 8bd01e617a5166ac4252f1e6c6a2306e733d8bd4
SHA256 16b3acd7746af93bca47d3f55435071ab84688708e71bfffb126569aef30c1bf
SHA512 569e728adf78699b3c1ffe44974bf56a43f8266bcdecea137ac3415d454e48094f0222fc12ce3ab043cfaf500c77de7574f4c5a5986dafb04133b0609bf9c2e6

memory/4608-76-0x00007FF664660000-0x00007FF664F1D000-memory.dmp

C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe

MD5 24cf6f96cf797ff5782f516e15dd7743
SHA1 3ca8255806a124ddb474889e7ec61f6633d664df
SHA256 3668755e74cb2d8775b44de0c48dad6931d084af5e514542ea38b909dd4a40dc
SHA512 e7f2ca33700f91081a725b532a925a37658f40fcdabb5be1de8e597e4f06fbb4d6e9539e4f94830e60633389e9da6ef68deb4c3aa3c99490c490898efcb14ef6

memory/4608-78-0x00007FF664660000-0x00007FF664F1D000-memory.dmp

memory/3880-77-0x00007FFB14040000-0x00007FFB14249000-memory.dmp

memory/4608-81-0x00007FFB14040000-0x00007FFB14249000-memory.dmp

memory/4608-82-0x00007FF664660000-0x00007FF664F1D000-memory.dmp

memory/3880-75-0x00007FF7549B0000-0x00007FF75526D000-memory.dmp

memory/4608-83-0x00007FF664660000-0x00007FF664F1D000-memory.dmp

memory/4608-84-0x00007FF664660000-0x00007FF664F1D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\MSI419A.tmp

MD5 2a39e09f0ff3815ca5107ec622921531
SHA1 c0cacf5fb1cb107e11c2143bc0dc9b1d70c8500c
SHA256 688c60740c019b41ba38f575d232ad6264073ef97aebb80590491b47e0a80137
SHA512 499c4f97e455c78a985c2451a503bbf289fa5355f88dbac8a75776e9f29b697396c4b50069523f44ed718a947cccfbd460c1696dac0df1b65dda25e8cf2f0c52

C:\Users\Admin\AppData\Roaming\Marc Gravell\ProtoFsg Tuner 34.0.0.1\install\8302965\adv1.msi

MD5 5130100301617cae84f569cee2ff36ac
SHA1 c73c7f58ed866c434ce79b671a9f1a4bf0207ec0
SHA256 7617d0d8a268eeb8211388d8a9b2388215fd4870d7e72d6ecf210305b0046392
SHA512 7f815ecc3be27dfe2167590f48629fe3207f798bde3648f98ab5eb274a140c47416062850e04acde9e37c36f93f642ef4098e1541304f92d117e5b961b4ecd2d

C:\Users\Admin\AppData\Local\Temp\MSI419A.tmp

MD5 7f5a537f1cd54caed71a10df573b8bf4
SHA1 0b438359d32e25f734e2e1ff248b1cb13d2f5d0b
SHA256 a5bd2bad1913a1a965bc862158a542893bd1d45de4956d42885bdb6e6f1a0c04
SHA512 f8f2ddfbabe1809e94347c7b218ae2feda5d948cb996d5348a6fe44a3be32e00a7ade61ad88df7e68c787e5d97a582201f26d6501c8a8d2e95972feb8806dcee

C:\Users\Admin\AppData\Local\Temp\MSI415A.tmp

MD5 99c098c952eafea38e9b0546d962bb2b
SHA1 608188b7f0ebac1e2f3e413d49a5147258f462e4
SHA256 91d96292c35c2f55c660f33f7097ba2f6e8b862ea23967fbb07bf757f43815a1
SHA512 38fd790067b6cdf26af07254d345a4c37783ebf1ad22858ddc54cba2a00cfedec20dbbfa3b0cf9622c613d6bbbebf7eae85a73830651ef4eab14f76b0d5439d7

C:\Users\Admin\AppData\Local\Temp\MSI415A.tmp

MD5 85e4dc0b70fe5da406ff62d9a22a078b
SHA1 73ae55389ff5ecf93645012d22223d9d0fc3ced2
SHA256 877fedbb9e1ed4b21c299b047e6c968b12b6acc12a6b243b8bb24d55c664e1ce
SHA512 71a6eda0cc5dcd6b70fd63be705743083c3208f46fc88ce0e14751e8993aae4e2a5268cadf1e63fdc0805f9931a9703405c47ec9cc8ecd5e21c5b807be72edab

C:\Windows\Installer\MSI435D.tmp

MD5 ef3f21e41739170bb0016858d2708cbb
SHA1 d4882e261fd599e71dc5559104b3164648865f51
SHA256 779e14f0ae1dc64269054f9019da2ac495c45ae0136dfbb69fdc51caa434ee1f
SHA512 d41e80fd7363cf0cb4e96cdb52a346327eb7e9e5836c891dc928867e86fb67518f0c06a00456e389b4fa4b02a45feeb68ad91221a0efe610cf06a6ad3dfaca2b

C:\Windows\Installer\MSI435D.tmp

MD5 1ac4e4cf299d4203f068f92eff782bdb
SHA1 faf6b994f4412716e1965200b09f7858796d9c16
SHA256 bfb3265e89dade4b0533bec4141c99813217f27e8bffdfb04eb0cc03306163df
SHA512 489eb75ec80acd21bfcd7cd5a7b60ea91d77324b3ef964e2b97acd5bd471a611fdd4a9834008af3c56b1273bbd994b127d3bd67222ed011f787e30f1f45e9fd0

C:\Windows\Installer\MSI43AE.tmp

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Windows\Installer\MSI439E.tmp

MD5 640a4c1c8514b335aea8124f15f060ab
SHA1 e59fcf5fbc02c79038c29bc2476c444732ce66bd
SHA256 2ff56e27170fa3941914de2bf5505962a39f351622bf7d67c0ad71a6b8d4f434
SHA512 fc2eb5d00350dfc91ef336e55a7c9fa2707e98e3a49cfc36e7b1c5060d21323085a5bd283cf187a6fca9e37602882e9a32337f1e530463fd30f65300612bd5b1

C:\Users\Admin\AppData\Roaming\Marc Gravell\ProtoFsg Tuner 34.0.0.1\install\decoder.dll

MD5 080ad76c166cee110c6dcc4436761844
SHA1 5388cd78960f0535ada36d8bef1c9a02571b31a9
SHA256 e3ded27f0d31e221b874472f09da834c5c70c13336f14c20ade670d6210c24dc
SHA512 22b01651997a8f9562f6978e0065ed5139e4f957c58feef1721d62d5bd6da195a6030b66fa54865bbfe7d1a4e370e0df93a906932ef6db2d8667ef94e7880054

C:\Windows\Installer\MSI43CF.tmp

MD5 841db2de248cdd997cb0a87d6cf777e5
SHA1 403723954b4e7b6dd446c1861836cb96c123315c
SHA256 04b597ea719a2b2110ee4912dba8bb78d402e336bd55281193157ea4c07aef85
SHA512 a15264a44c492f6ba51ac26012bea412326869e37ca4f1481fd7cd37fa59e51060416a93db121fedea6a2497ed03c082504405b6e5eab6bdf4dc5a80defef34b

C:\Windows\Installer\MSI43CF.tmp

MD5 3b2a7e8f82b40b987c2cbcd0d86f78a1
SHA1 5914c6f85e3c4a562e2a7440476ffe152c64ba1c
SHA256 e22e85e96f845763a778ebb283454334b5fe2b67b8489c7ce4f0779a442511c6
SHA512 20bf093037b558676406b2f5898106513340f4583ec6fbde5fd8c44de222e8bac4110de4baaa7de4fee31825f1f1e9667cf83460ac0d685662ddb9d93954e0fe

C:\Windows\Installer\MSI43BF.tmp

MD5 39643846955f0df77cf8664b86adfd92
SHA1 9ad7ef8a457c1a13638385613206b8fb83d32305
SHA256 9aa2310198a389c27a0e2ee80b139aee121e8be19f3f0de8be1ca2f149af249f
SHA512 e8c67b5eac7effa5dd0d84c932713cfeeee372b999295d07730e5686eefa4a89b99af786f14be3362d824965b71fca5938bbab5c7e3589eeb86093db71505731

C:\Windows\Installer\MSI43BF.tmp

MD5 599f3de76a863b803451d28d6c7750b5
SHA1 698fa59bf15c5bf3b12ea77ef7e3710f2678c6e6
SHA256 b63683a0f7ac4e9d05f64af95a9fafa70df8d4fbda98c0a9ec392fd195042462
SHA512 eff7cf8db6b45f5858d0f2a71f0ee5e107644116fe3e85f3f38b4fa7d923ca406811540873c1920f0b2c2f6a53b7b96f7b7657cb679a2f0725735b094a18bd63

C:\Windows\Installer\MSI43AE.tmp

MD5 dc1f98019e6337a7041d73fdd12eea76
SHA1 e5a54d0275c51a84fc43203f7904d816fe39e922
SHA256 c6b48fb3790fdc6d90adec97564487b2a906c39dbfaa152a3dbe58a7f9624361
SHA512 fa768fc3d3043f061e2efdd658c97ceb8a55661e3c9c54621de071c0d1ab55f76e3c04ce6e31dcc8fa7d44bafb922345348dc5b008b12042319cfc90d3db40a4

C:\Windows\Installer\MSI439E.tmp

MD5 92712d94018946f715fb4fb2ad21e101
SHA1 00b39f8d7c02d14dd42c1e327e66876cc34d28ae
SHA256 b60ea402c06c70707887e9fc3529229b12103b61bce26f257806b6c00a97d6f8
SHA512 42e7fd30c96213d873a534e3d45fcd77809092e1516709d2bc914c31e538ad074c45bca750658eb63fbd3ce3323b874388fa2aaf3be19438d0b8314865d3f47e

C:\Windows\Installer\MSI438D.tmp

MD5 073c802abe5396d195431dae32b567cc
SHA1 efc67a21482cf548463a235f69cf7e54d62a318e
SHA256 668d3ec065a6e0d9e825e54b973972b991aedd99090edddbec41b81994af8ca7
SHA512 b42557f9cb5431555264f7dd2091c6609e9815f0df5800f3d022f469d7323265997d3bb5a9c3eeb0eed7a994ab6dd5490e7f60722a51a4d3b4f1739142237f0a

C:\Windows\Installer\MSI438D.tmp

MD5 0ca009ed76a59054613ccbaf34a38d3a
SHA1 d34bcee59521385f8c242a472e6f92e4840c7898
SHA256 967a88247f65b9e17134767948d5134e327cde586b326c469691fa3f8f8e6728
SHA512 3f914b8c98cea82df5fbeee655f5a9e1166695f61dcc1b6f5e5459b8d88726fded127fd87f61503a0b096e5e83a04ad6742b689544b791f639627d4abda29ede

C:\Windows\Installer\MSI438D.tmp

MD5 18ba61dce779f0026125265ef75eea53
SHA1 cbc713440aba79a97ec506b63aea3003967e7e02
SHA256 9cb1333c93689acc87feb89295abf73cc183c1e7f0567a524965697cb38c2f0b
SHA512 58afdbb8408b712154015928671e371326f1f878419c73a4305f154f13aaae53f9a18b21e130160eb05c4aeb224eb62605e091d85639a569aa451c1709e31e22

C:\Users\Admin\AppData\Roaming\Marc Gravell\ProtoFsg Tuner 34.0.0.1\install\8302965\librsvg-2-1.dll

MD5 916844d9ea74a09437e21a8a72afce94
SHA1 7cbba090510ddbb0224e2ff4a8a5c2782602320f
SHA256 bd87e1f41f4184470ed52fb547cbdd8194602347e37b5e8cd1f2598c86716759
SHA512 ae22c0eceb2a316988d6271b2c7e82ec5186358f2ecc20a55237a2bfd61df8e2301824d1f4d11e9c82edf1df4d0ccf64db774f40bf705cfeea8f52741d555783

C:\Users\Admin\AppData\Roaming\Marc Gravell\ProtoFsg Tuner 34.0.0.1\install\8302965\System.Linq.dll

MD5 6d6917bae13e128f00d95da1fd3f191e
SHA1 4c5ae1e9e7e4c8147f913c350a9b4561ca3f1851
SHA256 dc9ea055006a22a2faaa81b37d48a8ab1c98127b158181fd894388bd6c2049f4
SHA512 eabf0f2fdf1f29f425f04198c920451bb686a900931b9dfe418b62252c7d025936784fa0251fc7fb25809e4933c8e1f872b8290870c8afa2b24177750a24e105

C:\Users\Admin\AppData\Roaming\Marc Gravell\ProtoFsg Tuner 34.0.0.1\install\8302965\System.IO.UnmanagedMemoryStream.dll

MD5 64abb65b37b941b10b119ef32531b50a
SHA1 9cf171c463f11575fe0a7a507101da6177cd10fc
SHA256 a0c98af8925ac0ab86c1f768f9ccac1cbcf19027b23814f64860d3f28b686fb7
SHA512 a5708fec9d02449409a931b8fd998fc27f6c7ea2a0f32a7a73707550ec298cdbf5ab9ee13388c5a01f6f3ff9e99fddfe8cf563c6f8e55f1ceb55139c1178efeb

C:\Users\Admin\AppData\Roaming\Marc Gravell\ProtoFsg Tuner 34.0.0.1\install\8302965\System.IO.Pipes.dll

MD5 004cc9cbffb46f50c1f037002c3655ce
SHA1 86947f12790e70bafd4c3f72cad8e386a6015d04
SHA256 0f387e9591a5613ef02da3c6d32abce4f9c3e1e577a3ffd0cef85c345a3fa1df
SHA512 69d1545c912d82d6ec1eb928e16e0c1d45c9a04e980adfa77f7a764a7f5b642c91b9e74ffa3e5a33343453bcaedf0aca31258f78495cc3c10e771ae1e917e7ac

C:\Users\Admin\AppData\Roaming\Marc Gravell\ProtoFsg Tuner 34.0.0.1\install\8302965\System.IO.MemoryMappedFiles.dll

MD5 a58039e022feca900e6db589672c7ad8
SHA1 804333e184d8c7f306bedd5a86e9134461c0226a
SHA256 841403493c0b651bb2d78d0befe912d438ee60e406806cad21b9a30f227323b4
SHA512 1c4cecaf1579f0a67ba18d0b7ad50edd2afdf16c98770e801affaca358a977bd2108327723d4173d95b5c86fe8bd6cf0bb6aa2dce69c84ee5c83049ec07ad88b

C:\Users\Admin\AppData\Roaming\Marc Gravell\ProtoFsg Tuner 34.0.0.1\install\8302965\System.IO.IsolatedStorage.dll

MD5 f37c2957428bade9781b58f1fc32b576
SHA1 94ad0c9e7b3fc0b3c56ac7574f429a43e6db67fe
SHA256 b7bdb4930cfd82361b2f59c164aac4687798c72e3d0e0c73d21ca7516f19adc0
SHA512 301494cd941a5e4aef6ad7d6f02edb13d183625d18f240a37bb9b7971d166ba4c8c38da11c05a9d9080defa0ab1a7057dda47e98eeebafda01035339e380624b

C:\Users\Admin\AppData\Roaming\Marc Gravell\ProtoFsg Tuner 34.0.0.1\install\8302965\System.IO.FileSystem.Watcher.dll

MD5 6ac5596f4aeb88842716640ae1047045
SHA1 fbf23bf89732b8b32cbc123830f20b2c2147ea60
SHA256 f875e323e57d704f1b17c84c7bc50f0d1ffcb0bed08c5f6af74a60fccc04c3bb
SHA512 ecb1f8d458e3f6b14d9086772f2f0ed33bf00f7f9b778f6896eaa45e38bbef493184f2296ab14588f3eacd698a5a96fb8adee6fb944a1553d50713bf5227ffce

C:\Users\Admin\AppData\Roaming\Marc Gravell\ProtoFsg Tuner 34.0.0.1\install\8302965\System.IO.FileSystem.Primitives.dll

MD5 f764b511af044c89927070d413f54197
SHA1 fe6726705fb76bb64c11c787599cb044799a3f6c
SHA256 00762994e600cd4db1ef21c7161d808ddc409cadeca547ef49553f3a4d920ed8
SHA512 08dbc68b3ed5b519828537fe1c97158eff6754dcb219001c65c1ae344b2d8bbd6e3ac19c2d34977a23f36da3a67df8f9e94b10780cbfb826bd4e448960d765bf

C:\Users\Admin\AppData\Roaming\Marc Gravell\ProtoFsg Tuner 34.0.0.1\install\8302965\System.IO.FileSystem.DriveInfo.dll

MD5 ab0b6870db47e35d54bd1809b4c60466
SHA1 09beb5e11a689205694dc3ee3bdf6a66b6eebfb0
SHA256 f09acd2d42983a7683e34c772e73c02f542450b681852836f2472d6977b764e7
SHA512 ed24b929666268e6a959bc2331e46cbaadc7a9b38e3da10078ae5d8ffff77a9d8d1757a0bad1fbc699156bc4471948f008b624c2a6c4eb35b58fe4758eb4199b

C:\Users\Admin\AppData\Roaming\Marc Gravell\ProtoFsg Tuner 34.0.0.1\install\8302965\System.IO.FileSystem.dll

MD5 5e1824522e05f3612bd8c4f599763a86
SHA1 3372d225504cf30df6d3fd0e9b70f07ba34a8166
SHA256 ebfaa7aac28863225ca4e55305c2627239841d7e0070fa4567e1aea6eca6fdcf
SHA512 10234a737a12f25ba52b64a78cb9fb457fe10f83707a0fdc85b0ce357c6ec3846774cdf7476f427828476d12639382d2f20e5e69f863b6d5a98461ffae91e239

C:\Users\Admin\AppData\Roaming\Marc Gravell\ProtoFsg Tuner 34.0.0.1\install\8302965\System.IO.dll

MD5 18a32afb2c4d9638bb0bddc1dee60788
SHA1 1e76b32a88cb2fb7bd0caf962636058426dd6230
SHA256 f534d81c3f035c5b91c303096c4dc5b4d46f6d75ad5568eaee92cc9dc6aa75f3
SHA512 48121a28644b8d46b2ffa129dbc3061712eb6377c6b1d76df577fb9929cd1c48bb0deecb5bab1f43293918f3b7f453b880b4fcefc15019b4dd290ae36cb71c88

C:\Users\Admin\AppData\Roaming\Marc Gravell\ProtoFsg Tuner 34.0.0.1\install\8302965\System.IO.Compression.ZipFile.dll

MD5 c4c4e310f604a98404f756bbd2d1fa6d
SHA1 2991e215a479ea048cb53f328b740db610547b75
SHA256 1209835143aa950e64cb9d28c565fae7f7df5278c013af621f4e689527279bfc
SHA512 f498f05bb85381cf9f91cc0a60eaab8a4798772ce18cf8c53329061fa461582a970b37d3578a800c80d8c87d8954d976213ee587894de51ac1ebd79422ab0f1b

C:\Users\Admin\AppData\Roaming\Marc Gravell\ProtoFsg Tuner 34.0.0.1\install\8302965\System.Globalization.dll

MD5 a25d659fff26c73b2f34ba6b92c84551
SHA1 69e6bf884f40d6d78e3c4f5f1d0103a666931619
SHA256 f4e9f919b625dcc6e2a5d0c76308543c71b7c3a6314a138058e7fa9f3426b3ea
SHA512 7f5632cf8aaa380e1f7c76b54c1efb5cac0412647a0f2e1986af07ed9dcf89b8c4563178ce79e54ef283e487706f61c156bffdd5a4b42317b39d74a92e236bb4

C:\Users\Admin\AppData\Roaming\Marc Gravell\ProtoFsg Tuner 34.0.0.1\install\8302965\System.Drawing.Primitives.dll

MD5 61b6fc62c4003ce711377a97cede84f5
SHA1 3b8f870b0da16bd6bdc6104aa44d036b24b61ac0
SHA256 2ff0d64f6d9bb38e15208c4d632c767a669a68e6b41adb0f27d99528b801ee3b
SHA512 611707f5d54dfffcbe5cb58204c925cab6ba488ffbd82a5c5efae9d1cfd10cd32205e5d05ead2cf7f8a3f5b392ca7538060a87695be40535d6657542b2043ab0

C:\Users\Admin\AppData\Roaming\Marc Gravell\ProtoFsg Tuner 34.0.0.1\install\8302965\System.Diagnostics.Tracing.dll

MD5 e338e2a9e8e3325d696dd18f46a6d82b
SHA1 eb907bd53f78b91e5fcf27fd76050bd682d80e0c
SHA256 5052b3701850537611da44858a0a8feb4b4cc936cd5bbb95b64cea4a987e5860
SHA512 ed015b37851138a2e503bce8671ac81d158948cfc3e8cde9ab751c8264cfb1da56b1f02fd281921b3b0e1c1f42b7b5cf97360c7ee263555e21fc51ea0162c4f2

C:\Users\Admin\AppData\Roaming\Marc Gravell\ProtoFsg Tuner 34.0.0.1\install\8302965\System.Diagnostics.Tools.dll

MD5 bd36e482e5cfde3c791e62143dc5deb1
SHA1 32fb1bd024be0b7a2af182739fd384bd74610844
SHA256 d9562ec4dc0430ff3ab66a5d0238b72402ebdb17ceb31eebdb1daf91768c7d4d
SHA512 6e128b3bf3850c1972fd8fc8cee4d82ecb7dc98fe7c5a8b887523011dc270dccbb99a0d5496954c7a156ae3c92ff3435d30c0a87768e2dbcbbf8672b9e68cfce

C:\Users\Admin\AppData\Roaming\Marc Gravell\ProtoFsg Tuner 34.0.0.1\install\8302965\System.Diagnostics.TextWriterTraceListener.dll

MD5 2967113593429927e7938d95b5d3471c
SHA1 34a84e6878172df939f9748279490e1eb4533926
SHA256 d8631076802f2e9b690998c65d8e7f0bede7a772b3c04e7cba5f3391c395a9e1
SHA512 502295d8eec6acd1c7e7f4f6759bbbfbb452b7581b9e10cabf0b9735737e0baa61bba0e32bb4688f0ba43fef445e5728c7001a9a364118c13eac3d3332f13e3c

C:\Users\Admin\AppData\Roaming\Marc Gravell\ProtoFsg Tuner 34.0.0.1\install\8302965\System.Diagnostics.FileVersionInfo.dll

MD5 54ba6e35897cd238118b745c84d579e6
SHA1 07a9a5f273a65796ae77416a0d35905e949e3257
SHA256 a354569ac90b53002c7e447d72795013eb20c391d01b73197688057d07bcaa42
SHA512 2f2fb02c76bc1af89a6d97b8c0b9c2a6b176f912d2d76e3acfb5d5cf4741e58f6dd1335bdaf626c7bc92c256eb353d534f718b59e4e52bded9907e604115a5f4

C:\Users\Admin\AppData\Roaming\Marc Gravell\ProtoFsg Tuner 34.0.0.1\install\8302965\System.Diagnostics.Debug.dll

MD5 cf668ba196134d611d7b4fac0b571e8d
SHA1 2a960aef8bc74c7893dd225398298ce8b912ab10
SHA256 2769f8bb522846338bbe9aafb10381f64fcbdfbc6929a848463b8b9857f1d4fd
SHA512 302ca14e3c1985f34656c48dc175951d27dac6696724f9db33c0097314aba677f244421677ca1a5949a7d7a11077a0f564142d1136998127c216616f42abed5f

C:\Users\Admin\AppData\Roaming\Marc Gravell\ProtoFsg Tuner 34.0.0.1\install\8302965\System.Data.Common.dll

MD5 9b92dc2f6bb4bf2a39e6a3b6629a8693
SHA1 f7025db90e16c70577cfdd13c9a67ba264e1719d
SHA256 77cfeb9fe837a16baa5a1e845ce0df2f79efd964f448e51ef48df058aa05d39b
SHA512 539d30afb968d1fccd1da01dec6c14fcd12d23015d0ab35b45462b93275fe8dfd322814416a14501288098f751380bd2137245107fb2e1b8edc4a24ef29f99d0

C:\Users\Admin\AppData\Roaming\Marc Gravell\ProtoFsg Tuner 34.0.0.1\install\8302965\System.Console.dll

MD5 564d1a61bae30f01c20a5808e8f7a82f
SHA1 e6039eb23d3a10ff31e40851ef0dd594c5689712
SHA256 1ca9706a4593bcc3b232efb14d2497812ab1797bf112b16665c6674c42fdc061
SHA512 c546a8d4dc852d133baf576e81bfca16763ca0e94c964d657cedbbf3153c64fdbea79329fd2a9d7ff04a0f28720a61e6d0255f8db91ed91dca2f56aaec5b5f4c

C:\Users\Admin\AppData\Roaming\Marc Gravell\ProtoFsg Tuner 34.0.0.1\install\8302965\System.ComponentModel.dll

MD5 4f167e1cf791cefa55fde1949dde7d2f
SHA1 08badaf0444ca34230d82af4590f44c7ade78533
SHA256 df1a7bc429159db17be8c79a2dc56c0fa54c6a7e5174d5082f7ece9b67a4f982
SHA512 d804f60f3d2b5891eaa38ff683194924a705aba371c872e8bfef2325c90b7bf910851cbe89cdfd0a66cb1bf801bc25c92830b37947a7e60df8fe6bdcb53de15c

C:\Users\Admin\AppData\Roaming\Marc Gravell\ProtoFsg Tuner 34.0.0.1\install\8302965\System.Collections.Specialized.dll

MD5 f72152d834fbbb9c0d70a2822e0b68cf
SHA1 49eca7ac3d34ce69a1d48c0be56cdd13995adbb3
SHA256 ce3dd8b3cb2bfbbe5cdd1a339e593ad604f6bb6eb4f981555a3f53257609c8e5
SHA512 3b8018450aa7676a35fdc8bea1997d67e45e945522bd7ac963ef0ccf574aa6df67dbd85c8773d704b0daab05b20f6d79c2ce2a42f10610f73a303246d44078bf

C:\Users\Admin\AppData\Roaming\Marc Gravell\ProtoFsg Tuner 34.0.0.1\install\8302965\System.Collections.NonGeneric.dll

MD5 a3fdfde8c2f6259a3da55919679dda3d
SHA1 a36bc9fd0fd5319a36c523ae0c565e6670e6a403
SHA256 0f63c8b909689effec4c17122ff4336a14cc9c296be28d6172a11c5d8bdd2ffe
SHA512 4a917ec7f626d85cd24ed5518f29bf8acc546d34b8f86a2cd00634b54ccb5c9bc7725707ffb42c08d3ff008abfa5ffef07df3263c13c0796ed7e8f98c6200832

C:\Users\Admin\AppData\Roaming\Marc Gravell\ProtoFsg Tuner 34.0.0.1\install\8302965\System.Collections.dll

MD5 4a264d07346dc69303bbe6e26e049883
SHA1 e093758cec19749f1d92b280b42aee86d4224fdc
SHA256 e256940626e265de760586937ce5ed2a45d9b91c96e1fa768f719682505db5c2
SHA512 d6cf4024cee7679b73f1b9aef749728a3c0851934016ab391315c955689dfa3595a8f6e2a9580244ace991895b4e255a65977490264258bb9f3c98f9370b33c5

C:\Users\Admin\AppData\Roaming\Marc Gravell\ProtoFsg Tuner 34.0.0.1\install\8302965\System.Collections.Concurrent.dll

MD5 939cb89fbb0da435b9528d9edb3feab0
SHA1 3825f2b13d43f34330bc278aeeefbbbfd95239cc
SHA256 9c887cfd9e21e9ee31ab8232248059b677f9a3086b033d38fbad053b4f20bc25
SHA512 4159cf39f29198942245e3a16a67e8b3fe54e871af407291204b5f5df2a76c2829680ba0d5bea261e31335bab2b6b8afa5a895bf635e515c94059a122dd36a1d

C:\Users\Admin\AppData\Roaming\Marc Gravell\ProtoFsg Tuner 34.0.0.1\install\8302965\System.AppContext.dll

MD5 82e7fd917dfd1bda64ab990606d90bdd
SHA1 ab92034645c77737b6ef482e18296e896bea3751
SHA256 f0857a7c3737b0e80d9b4a9a986acb69b0d18d1fe0adc3b1e05d81f02ceb103b
SHA512 81ab0c3a10d64cdb0bb03ff65a10c3333d5ee91f21404acec41eb638a9eae77d38f00f18758d4cf8480910905d677349c71e762bb44a1ff4068084d5205c6f51

C:\Users\Admin\AppData\Roaming\Marc Gravell\ProtoFsg Tuner 34.0.0.1\install\8302965\netstandard.dll

MD5 3501cf072f2a0aa167efb5e2370efc1e
SHA1 1de11fb25075e81250c4c47ad80265cc98c44c3e
SHA256 dad6aa523b80f2bbfb2b3838ade29ce6f4a7a634f66df50484f05a63905df60d
SHA512 66f5a62a3c8cfcd1b55f65b48134cd1ea7766c165722b303b73a50609ce8546d678acac292c999d5932112ec195a890ebb3645f5e44bb2c2ed951fa09b6cf53c

C:\Users\Admin\AppData\Roaming\Marc Gravell\ProtoFsg Tuner 34.0.0.1\install\8302965\Microsoft.Win32.Primitives.dll

MD5 5b2b93ee8801c83b4e652c7fbabf8c83
SHA1 89a8df867ccdf916881234db9de45ed4c57e5b0b
SHA256 7a1462297eb910a44c35062e021723b5553346407dc52cf013e78c8be032331a
SHA512 1d3f06f8bd04e6b85748e09bdd1e5bc6ee14f4bfdc9cf426fa76d3a268fa537557d7ad4fede1ca2e263a2462272bdb294c9d907e6f7579c60cbaaf1db41a41e9

C:\Users\Admin\AppData\Roaming\Marc Gravell\ProtoFsg Tuner 34.0.0.1\install\8302965\Warden.dll

MD5 59391cfbee2a880611a8a77582f2824c
SHA1 41f8bc228a5988668ec8556cff1e9cfb107ecb98
SHA256 24f05a73da2e34c4ad3c67779cae8214c9f0e3e19a217f6a917e8d42abc42669
SHA512 a145c844186db28194417094e191e0f1cd225067ffb44dca32ef46bf70ef72145bd0132e6cf7f5d20c49e2ed94c8058c7ca4a6744cabf866ee5b97f2e568a4ab

C:\Users\Admin\AppData\Roaming\Marc Gravell\ProtoFsg Tuner 34.0.0.1\install\8302965\ZetaLongPaths.dll

MD5 09374c4581177a8c866b866f108c8958
SHA1 05f861bd4d4c038e8181e83a46e6e93bc04ca5df
SHA256 8af34db2c25f4387b878b2311ef60e74c4f83774c779689393199ecdb039baa2
SHA512 2099c97a43c59592c3af3ccd45551a883ca9654fbb1a1b98e4241693b60ef982f688a55488f394476cedcacb850a18361002179d383ea3a93bb98b31a5c0371b

C:\Users\Admin\AppData\Roaming\Marc Gravell\ProtoFsg Tuner 34.0.0.1\install\8302965\WindowsInput.pdb

MD5 50e869af7b21aecb7598627f9d90e3ff
SHA1 e1b081b0619d8a63070d2d0e78c0ce760c919e6e
SHA256 ab913e1b256c09628963e9bc1c20c8c20ef29b408289a4b2655293f3fd4e7127
SHA512 72ba511de08f0aa7abd3962d4e047adbe137d7048a251490b88a9ba97a6b96227b3f74a444a6c636331dadc5b32ccbf59d93b087045fdddcf80170fa52a0d7c1

C:\Users\Admin\AppData\Roaming\Marc Gravell\ProtoFsg Tuner 34.0.0.1\install\8302965\gdf

C:\Users\Admin\AppData\Roaming\Marc Gravell\ProtoFsg Tuner 34.0.0.1\install\8302965\xltoolkit.exe

C:\Config.Msi\e5842c4.rbs

C:\Users\Admin\AppData\Local\Temp\iUDYSEeoeok\_Files\_Information.txt

C:\Users\Admin\AppData\Local\Temp\iUDYSEeoeok\_Files\_Screen_Desktop.jpeg

C:\Windows\System32\Vestris.ResourceLib.dll

C:\Program Files\KMSpico\UninsHs.exe

C:\Program Files\KMSpico\KMSELDI.exe

C:\Program Files\KMSpico\logs\KMSELDI.log

C:\Program Files\KMSpico\AutoPico.exe

C:\Program Files\KMSpico\logs\AutoPico.log

C:\Users\Admin\AppData\Local\Temp\iUDYSEeoeok\MbvScMvxNntPSG.zip
