| Field | Value |
|---|---|
| File name: | KMSPico.rar |
| Full analysis: | https://app.any.run/tasks/c2e0ba19-77bb-47e0-91a0-ffefb250c6d2 |
| Verdict: | Malicious activity |
| Analysis date: | May 17, 2024, 00:57:55 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators: | |
| MIME: | application/x-rar |
| File info: | RAR archive data, v5 |
| MD5: | EC2BECCE2C50A36C062656E218777FA1 |
| SHA1: | C9C1810A021377F67EA5CC5DE71EDA90685FE649 |
| SHA256: | 2FF0B5ECCFC8F9242C5763B9C1C05ABD89C768E61EAB0766E7617D2E4F73942D |
| SSDEEP: | 98304:Q/iTXMcSVhDA8QR+JFrOwTvsgQOAh8BPDNoocsZJ0kelRbKKXOWaMZQiAUSOW26c:x+gHvX8MjQmb0+xlht |
| Extension | Detected type |
|---|---|
| .rar | RAR compressed archive (v5.0) (61.5) |
| .rar | RAR compressed archive (gen) (38.4) |
| PID | CMD | Path | Indicators | Parent process | Details |
|---|---|---|---|---|---|
| 304 | "C:\Users\admin\Desktop\KMSPico\AutoPico.exe" | C:\Users\admin\Desktop\KMSPico\AutoPico.exe | | explorer.exe | User: admin; Company: @ByELDI; Integrity Level: HIGH; Description: AutoPico; Exit code: 0; Version: 16.1.0.0 |
| 820 | "C:\Users\admin\Desktop\KMSPico\activate.exe" | C:\Users\admin\Desktop\KMSPico\activate.exe | | explorer.exe | User: admin; Integrity Level: MEDIUM |
| 1296 | "C:\Users\admin\Desktop\KMSPico\AutoPico.exe" | C:\Users\admin\Desktop\KMSPico\AutoPico.exe | — | explorer.exe | User: admin; Company: @ByELDI; Integrity Level: MEDIUM; Description: AutoPico; Exit code: 3221226540; Version: 16.1.0.0 |
| 1596 | expand.exe "C:\Users\admin\AppData\Roaming\ServiceData\c2Gt4H.tmp" -F:* "C:\Users\admin\AppData\Roaming\ServiceData" | C:\Windows\System32\expand.exe | | cmd.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: LZ Expansion Utility; Exit code: 0; Version: 6.1.7601.24535 (win7sp1_ldr_escrow.191105-1059) |
| 1644 | "C:\Users\admin\Desktop\KMSPico\AutoPico.exe" | C:\Users\admin\Desktop\KMSPico\AutoPico.exe | | explorer.exe | User: admin; Company: @ByELDI; Integrity Level: HIGH; Description: AutoPico; Exit code: 0; Version: 16.1.0.0 |
| 1940 | schtasks /create /tn \Service\Data /tr """"C:\Users\admin\AppData\Roaming\ServiceData\Davonevur.exe""" """C:\Users\admin\AppData\Roaming\ServiceData\Davonevur.jpg"""" /st 00:01 /du 9800:59 /sc once /ri 1 /f | C:\Windows\System32\schtasks.exe | — | cmd.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Manages scheduled tasks; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
| 2040 | "C:\Users\admin\Desktop\KMSPico\AutoPico.exe" | C:\Users\admin\Desktop\KMSPico\AutoPico.exe | — | explorer.exe | User: admin; Company: @ByELDI; Integrity Level: MEDIUM; Description: AutoPico; Exit code: 3221226540; Version: 16.1.0.0 |
| 2344 | "C:\Windows\system32\cmd.exe" /c schtasks /create /tn \Service\Data /tr """"C:\Users\admin\AppData\Roaming\ServiceData\Davonevur.exe""" """C:\Users\admin\AppData\Roaming\ServiceData\Davonevur.jpg"""" /st 00:01 /du 9800:59 /sc once /ri 1 /f | C:\Windows\System32\cmd.exe | — | activate.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
| 2368 | "C:\Windows\system32\cmd.exe" /c expand.exe "C:\Users\admin\AppData\Roaming\ServiceData\c2Gt4H.tmp" -F:* "C:\Users\admin\AppData\Roaming\ServiceData" | C:\Windows\System32\cmd.exe | — | activate.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
| 2484 | "C:\Program Files\Windows Media Player\wmpnscfg.exe" | C:\Program Files\Windows Media Player\wmpnscfg.exe | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Media Player Network Sharing Service Configuration Application; Exit code: 0; Version: 12.0.7600.16385 (win7_rtm.090713-1255) |
| PID | Process | Key | Name | Operation | Value |
|---|---|---|---|---|---|
| 3968 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | ShellExtBMP | write | |
| 3968 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | ShellExtIcon | write | |
| 3968 | WinRAR.exe | HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E | LanguageList | write | en-US |
| 3968 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\Interface | ShowPassword | write | 0 |
| 3968 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | 3 | write | C:\Users\admin\Desktop\phacker.zip |
| 3968 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | 2 | write | C:\Users\admin\Desktop\Win7-KB3191566-x86.zip |
| 3968 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | 1 | write | C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip |
| 3968 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | 0 | write | C:\Users\admin\AppData\Local\Temp\KMSPico.rar |
| 3968 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | name | write | 120 |
| 3968 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | size | write | 80 |
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 3968 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb3968.31065\KMSPico\activate.exe | — | — | — |
| 3968 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb3968.31065\KMSPico\cert\kmscert2010\Access\Access_KMS_Client.PPDLIC.xrm-ms | xml | B9B7F8BBE224421D24F0883A5149B9DC | 55CE78CAA24FBC6ECE43F336D73372AD47BB6C1748D7B72513BEB77CB355E8F5 |
| 3968 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb3968.31065\KMSPico\cert\kmscert2010\Access\AccessVLReg32.reg | text | 19506B075C7448CE328682DA3D1A57B0 | 0BB62DF2FDAB1A42A2303729400C343D70090C1F18123357456922C7544131B8 |
| 3968 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb3968.31065\KMSPico\cert\kmscert2010\Access\AccessVLReg64.reg | text | 3C688EC4EDC18A1FFA7EA020556504DB | EE5C8D9592F48DEED26590C06756CC7EABF96ED0BEA56B8DD87EC6C80871B9B9 |
| 3968 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb3968.31065\KMSPico\cert\kmscert2010\Access\AccessVLRegWOW.reg | text | 50122EA723FFE7367AD811FC333594C2 | 18B8099777C8956C4299DA79A44BF9CB3ADDE96B652A0C6D063BF6C9A925B0B8 |
| 3968 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb3968.31065\KMSPico\cert\kmscert2010\Access\Access_KMS_Client.OOB.xrm-ms | xml | 3958FF865F2BFBE00BB97D50E250B241 | A0213A19815ECB6BE15D08ABFA18FD23BB203937C4700637ABB29B5F5F3DB27F |
| 3968 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb3968.31065\KMSPico\cert\kmscert2010\Excel\ExcelVLReg32.reg | text | 28BD0428CA20C5E612D7EC795BBB9EA9 | 3D1A428865F4F4FB5AFDB7CD69F0619C9A5F466EBA160F63DB8ED376C721563C |
| 3968 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb3968.31065\KMSPico\cert\kmscert2010\Excel\ExcelVLRegWOW.reg | text | D176B75D51FD47CD9C933F84FF55907A | 03CAF6C2A36E70C0DFBF53BCCD1956D2823965FC01DF4629308887DD1F0F8AFB |
| 3968 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb3968.31065\KMSPico\cert\kmscert2010\Excel\Excel_KMS_Client.PL.xrm-ms | xml | 172B4FDA35D922C837A254AC561DE21E | 39825A0E6C6EBDFEB7F6F038568DB4516AB17DC4FF1C4A56AA28FE9A2859D270 |
| 3968 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb3968.31065\KMSPico\cert\kmscert2010\Access\Access_KMS_Client.RAC_Priv.xrm-ms | xml | A279AB8F8C617DF9C5411FDC199E7676 | 9084E7F35F7220EC760719B29721A267943178972578E739BDAC2D6475A573E3 |
| PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
| 820 | activate.exe | POST | 200 | 51.250.99.148:80 | http://qmseven7ht.top/upload.php | unknown | — | — | unknown |
| 820 | activate.exe | POST | 200 | 51.250.99.148:80 | http://qmseven7ht.top/upload.php | unknown | — | — | unknown |
| 820 | activate.exe | POST | 200 | 51.250.99.148:80 | http://qmseven7ht.top/upload.php | unknown | — | — | unknown |
| PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
| 4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
| — | — | 224.0.0.252:5355 | — | — | — | unknown |
| 4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
| 1088 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
| 304 | AutoPico.exe | 207.89.102.10:123 | 2.pool.ntp.org | — | — | unknown |
| 1644 | AutoPico.exe | 207.89.102.10:123 | 2.pool.ntp.org | — | — | unknown |
| 820 | activate.exe | 51.250.99.148:80 | qmseven7ht.top | Yandex.Cloud LLC | RU | unknown |
| 3596 | AutoPico.exe | 161.97.164.152:123 | 3.pool.ntp.org | — | — | unknown |
| Domain | IP | Reputation |
|---|---|---|
| 2.pool.ntp.org | — | whitelisted |
| qmseven7ht.top | — | unknown |
| 3.pool.ntp.org | — | whitelisted |
| PID | Process | Class | Message |
|---|---|---|---|
| — | — | Potentially Bad Traffic | ET DNS Query to a *.top domain - Likely Hostile |
| — | — | Potentially Bad Traffic | ET INFO HTTP Request to a *.top domain |