analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

KMSPico 10.2.1.zip

Full analysis: https://app.any.run/tasks/951aec84-837a-47cb-99dd-afa3d61312f7
Verdict: Malicious activity
Analysis date: January 17, 2019, 14:46:05
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
installcapital
adware
prepscram
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

C030AB3934B0B93FA0F727AD8C93165D

SHA1:

521C762FCB4150D768CF07BDDC4717A1EB304933

SHA256:

E2D08D5F7AA3FD1FD6CED12E2636B095C79866386AC31109C6405951F987070A

SSDEEP:

98304:tXQUxzCWEKhMVIqItyU/ciah5Q27zEfv0qtvNcJN1u7:tQWEKvztyU/8k7fvL/Qk7

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • KMSPico 10.2.1.exe (PID: 2192)
      • Registry_Activation_1593077924.exe (PID: 3604)
      • KMSPico 10.2.1.exe (PID: 2536)
      • KMSPicoActivator.exe (PID: 1012)
      • Registry_Activation_1593077924.exe (PID: 3288)
    • Loads dropped or rewritten executable

      • KMSPico 10.2.1.exe (PID: 2536)
    • Loads the Task Scheduler COM API

      • schtasks.exe (PID: 2832)
    • Uses Task Scheduler to run other applications

      • cmd.exe (PID: 2228)
    • PREPSCRAM was detected

      • KMSPicoActivator.exe (PID: 1012)
  • SUSPICIOUS

    • Reads Windows owner or organization settings

      • KMSPico 10.2.1.exe (PID: 2536)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3016)
      • KMSPico 10.2.1.exe (PID: 2536)
    • Starts CMD.EXE for commands execution

      • KMSPico 10.2.1.exe (PID: 2536)
    • Reads the Windows organization settings

      • KMSPico 10.2.1.exe (PID: 2536)
    • Creates files in the program directory

      • KMSPico 10.2.1.exe (PID: 2536)
    • Reads CPU info

      • Registry_Activation_1593077924.exe (PID: 3604)
    • Reads Environment values

      • Registry_Activation_1593077924.exe (PID: 3604)
    • Reads internet explorer settings

      • Registry_Activation_1593077924.exe (PID: 3604)
    • Reads the machine GUID from the registry

      • Registry_Activation_1593077924.exe (PID: 3604)
    • Application launched itself

      • Registry_Activation_1593077924.exe (PID: 3604)
    • Reads Windows Product ID

      • Registry_Activation_1593077924.exe (PID: 3604)
  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipFileName: GNU LICENSE.pdf
ZipUncompressedSize: 370751
ZipCompressedSize: 359796
ZipCRC: 0x395eca2e
ZipModifyDate: 2018:03:15 18:28:19
ZipCompression: Deflated
ZipBitFlag: 0x0001
ZipRequiredVersion: 20
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
41
Monitored processes
8
Malicious processes
4
Suspicious processes
1

Behavior graph

Click at the process to see the details
drop and start drop and start start winrar.exe kmspico 10.2.1.exe no specs kmspico 10.2.1.exe cmd.exe no specs schtasks.exe no specs #PREPSCRAM kmspicoactivator.exe registry_activation_1593077924.exe no specs registry_activation_1593077924.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3016"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\KMSPico 10.2.1.zip"C:\Program Files\WinRAR\WinRAR.exe
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.60.0
2192"C:\Users\admin\AppData\Local\Temp\Rar$EXb3016.40467\KMSPico 10.2.1.exe" C:\Users\admin\AppData\Local\Temp\Rar$EXb3016.40467\KMSPico 10.2.1.exeWinRAR.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540
2536"C:\Users\admin\AppData\Local\Temp\Rar$EXb3016.40467\KMSPico 10.2.1.exe" C:\Users\admin\AppData\Local\Temp\Rar$EXb3016.40467\KMSPico 10.2.1.exe
WinRAR.exe
User:
admin
Integrity Level:
HIGH
2228cmd /c ""C:\Program Files\KMSPico 10.2.1 Final\KMSPICO_SETUP.BAT""C:\Windows\system32\cmd.exeKMSPico 10.2.1.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2832schtasks /create /tn "SVC Update" /tr "C:\Windows\explorer.exe ""http://lktoday.ru""" /sc DAILYC:\Windows\system32\schtasks.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Manages scheduled tasks
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
1012"KMSPicoActivator.exe"C:\Program Files\KMSPico 10.2.1 Final\KMSPicoActivator.exe
cmd.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
3604"Registry_Activation_1593077924.exe"C:\Program Files\KMSPico 10.2.1 Final\Registry_Activation_1593077924.execmd.exe
User:
admin
Company:
Integrity Level:
HIGH
Description:
Lelebata Setup
Version:
2.3.1.4
3288"C:\Program Files\KMSPico 10.2.1 Final\Registry_Activation_1593077924.exe" /_ShowProgress /PrTxt:TG9hZGluZy4uLg== /mnlC:\Program Files\KMSPico 10.2.1 Final\Registry_Activation_1593077924.exeRegistry_Activation_1593077924.exe
User:
admin
Company:
Integrity Level:
HIGH
Description:
Lelebata Setup
Exit code:
259
Version:
2.3.1.4
Total events
722
Read events
680
Write events
0
Delete events
0

Modification events

No data
Executable files
6
Suspicious files
5
Text files
70
Unknown types
1

Dropped files

PID
Process
Filename
Type
3604Registry_Activation_1593077924.exeC:\Users\admin\AppData\Local\Temp\00250309.log
MD5:
SHA256:
2536KMSPico 10.2.1.exeC:\Users\admin\AppData\Local\Temp\genteeDE\setup_temp.geabs
MD5:2215E338401449838D618C001AC495FC
SHA256:7A977C8A920A6CD4AACF7EB6B85EA9812361942330D26D9C6497A850F35F9AEC
2536KMSPico 10.2.1.exeC:\Program Files\KMSPico 10.2.1 Final\KMSPICO_SETUP.BATtext
MD5:D60C8BD33E6CC5CB0E21326DB688D00C
SHA256:45084BE22C07EA6E8F309EBCAC99581BA3E7FEAAF36AC26959FC1405D9F4D4A9
3016WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXb3016.40467\GNU LICENSE.pdfpdf
MD5:00D4F618C0DE7B14A46DCB44CB51C6FA
SHA256:D77838D8A443FD896BBA46B615DD954220F5AEAC5EB4EAC21B19EA42138C87BB
2536KMSPico 10.2.1.exeC:\Program Files\KMSPico 10.2.1 Final\activation.exeexecutable
MD5:F63B568CD350D2845CA187C17801944A
SHA256:74E61E9954896AB9EEF69A9560D8A42670377AE4990163106109759161317E12
2536KMSPico 10.2.1.exeC:\Program Files\KMSPico 10.2.1 Final\Registry_Activation_1593077924.exeexecutable
MD5:89BA7CD67B24E069800F07523AF73510
SHA256:0907412C7D0F9C9F28B031B8963BD89648701E10FCBBBC57701C1967C8B8A40A
2536KMSPico 10.2.1.exeC:\Program Files\KMSPico 10.2.1 Final\KMSPicoActivator.exeexecutable
MD5:CF8BCFB831E0544BA343EDDFD5E20B77
SHA256:B83F5AFECA49CE41F24282DF09DD2B2EB311D2B4474EB6C6FFE8C3DF9B0CC01F
3016WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXb3016.40467\KMSPico 10.2.1.exeexecutable
MD5:79AB3CE97177023917A54B80CE4A0FA5
SHA256:D7DE94BBC77967BE9053C9481884A0A7450DF974A6A89E69726DF0A1E31FD911
3604Registry_Activation_1593077924.exeC:\Users\admin\AppData\Local\Temp\inH242560941608\form.bmp.Maskbinary
MD5:D2FC989F9C2043CD32332EC0FAD69C70
SHA256:27DD029405CBFB0C3BF8BAC517BE5DB9AA83E981B1DC2BD5C5D6C549FA514101
3604Registry_Activation_1593077924.exeC:\Users\admin\AppData\Local\Temp\inH242560941608\css\_variables.scsstext
MD5:07922410C30F0117CBC3C140F14AEA88
SHA256:AF1999B49C03F5DCBB19466466FAC2D8172C684C0FF18931B85A8D0A06332C73
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
1
DNS requests
19
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1012
KMSPicoActivator.exe
GET
200
52.222.146.177:80
http://all.fingersleep.bid/offer.php?affId=1462&trackingId=356255617&instId=803&ho_trackingid=HO356255617&cc=LK&sb=x86&wv=7sp1&db=InternetExplorer&uac=1&cid=5d979308c3b6ea5ad7e984e628c8cac1&v=3&net=4.6.01055&ie=8%2e0%2e7601%2e17514&res=1280x720&osd=469&kid=hqmrb21aga33h9lsvhd
US
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1012
KMSPicoActivator.exe
52.222.146.177:80
all.fingersleep.bid
Amazon.com, Inc.
US
suspicious

DNS requests

Domain
IP
Reputation
all.fingersleep.bid
  • 52.222.146.177
  • 52.222.146.52
  • 52.222.146.134
  • 52.222.146.65
whitelisted
ww2.kalutobb-saca.com
malicious
app.kalutobb-saca.com
malicious

Threats

PID
Process
Class
Message
1012
KMSPicoActivator.exe
A Network Trojan was detected
ET MALWARE PPI User-Agent (InstallCapital)
1012
KMSPicoActivator.exe
Misc activity
ADWARE [PTsecurity] SoftwareBundler:Win32/Prepscram
No debug info