| Field | Value |
|---|---|
| File name | KMSPico 10.2.1.zip |
| Full analysis | https://app.any.run/tasks/951aec84-837a-47cb-99dd-afa3d61312f7 |
| Verdict | Malicious activity |
| Analysis date | January 17, 2019, 14:46:05 |
| OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags | |
| Indicators | |
| MIME | application/zip |
| File info | Zip archive data, at least v2.0 to extract |
| MD5 | C030AB3934B0B93FA0F727AD8C93165D |
| SHA1 | 521C762FCB4150D768CF07BDDC4717A1EB304933 |
| SHA256 | E2D08D5F7AA3FD1FD6CED12E2636B095C79866386AC31109C6405951F987070A |
| SSDEEP | 98304:tXQUxzCWEKhMVIqItyU/ciah5Q27zEfv0qtvNcJN1u7:tQWEKvztyU/8k7fvL/Qk7 |

| Field | Value |
|---|---|
| .zip | ZIP compressed archive (100) |
| ZipFileName | GNU LICENSE.pdf |
| ZipUncompressedSize | 370751 |
| ZipCompressedSize | 359796 |
| ZipCRC | 0x395eca2e |
| ZipModifyDate | 2018:03:15 18:28:19 |
| ZipCompression | Deflated |
| ZipBitFlag | 0x0001 |
| ZipRequiredVersion | 20 |
| PID | CMD | Path | Indicators | Parent process | Details |
|---|---|---|---|---|---|
| 3016 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\KMSPico 10.2.1.zip" | C:\Program Files\WinRAR\WinRAR.exe | | explorer.exe | User: admin; Company: Alexander Roshal; Integrity Level: MEDIUM; Description: WinRAR archiver; Version: 5.60.0 |
| 2192 | "C:\Users\admin\AppData\Local\Temp\Rar$EXb3016.40467\KMSPico 10.2.1.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXb3016.40467\KMSPico 10.2.1.exe | — | WinRAR.exe | User: admin; Integrity Level: MEDIUM; Exit code: 3221226540 |
| 2536 | "C:\Users\admin\AppData\Local\Temp\Rar$EXb3016.40467\KMSPico 10.2.1.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXb3016.40467\KMSPico 10.2.1.exe | | WinRAR.exe | User: admin; Integrity Level: HIGH |
| 2228 | cmd /c ""C:\Program Files\KMSPico 10.2.1 Final\KMSPICO_SETUP.BAT"" | C:\Windows\system32\cmd.exe | — | KMSPico 10.2.1.exe | User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: Windows Command Processor; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
| 2832 | schtasks /create /tn "SVC Update" /tr "C:\Windows\explorer.exe ""http://lktoday.ru""" /sc DAILY | C:\Windows\system32\schtasks.exe | — | cmd.exe | User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: Manages scheduled tasks; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
| 1012 | "KMSPicoActivator.exe" | C:\Program Files\KMSPico 10.2.1 Final\KMSPicoActivator.exe | | cmd.exe | User: admin; Integrity Level: HIGH; Exit code: 0 |
| 3604 | "Registry_Activation_1593077924.exe" | C:\Program Files\KMSPico 10.2.1 Final\Registry_Activation_1593077924.exe | — | cmd.exe | User: admin; Company: —; Integrity Level: HIGH; Description: Lelebata Setup; Version: 2.3.1.4 |
| 3288 | "C:\Program Files\KMSPico 10.2.1 Final\Registry_Activation_1593077924.exe" /_ShowProgress /PrTxt:TG9hZGluZy4uLg== /mnl | C:\Program Files\KMSPico 10.2.1 Final\Registry_Activation_1593077924.exe | — | Registry_Activation_1593077924.exe | User: admin; Company: —; Integrity Level: HIGH; Description: Lelebata Setup; Exit code: 259; Version: 2.3.1.4 |
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 3604 | Registry_Activation_1593077924.exe | C:\Users\admin\AppData\Local\Temp\00250309.log | — | — | — |
| 2536 | KMSPico 10.2.1.exe | C:\Users\admin\AppData\Local\Temp\genteeDE\setup_temp.gea | bs | 2215E338401449838D618C001AC495FC | 7A977C8A920A6CD4AACF7EB6B85EA9812361942330D26D9C6497A850F35F9AEC |
| 2536 | KMSPico 10.2.1.exe | C:\Program Files\KMSPico 10.2.1 Final\KMSPICO_SETUP.BAT | text | D60C8BD33E6CC5CB0E21326DB688D00C | 45084BE22C07EA6E8F309EBCAC99581BA3E7FEAAF36AC26959FC1405D9F4D4A9 |
| 3016 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXb3016.40467\GNU LICENSE.pdf | | 00D4F618C0DE7B14A46DCB44CB51C6FA | D77838D8A443FD896BBA46B615DD954220F5AEAC5EB4EAC21B19EA42138C87BB |
| 2536 | KMSPico 10.2.1.exe | C:\Program Files\KMSPico 10.2.1 Final\activation.exe | executable | F63B568CD350D2845CA187C17801944A | 74E61E9954896AB9EEF69A9560D8A42670377AE4990163106109759161317E12 |
| 2536 | KMSPico 10.2.1.exe | C:\Program Files\KMSPico 10.2.1 Final\Registry_Activation_1593077924.exe | executable | 89BA7CD67B24E069800F07523AF73510 | 0907412C7D0F9C9F28B031B8963BD89648701E10FCBBBC57701C1967C8B8A40A |
| 2536 | KMSPico 10.2.1.exe | C:\Program Files\KMSPico 10.2.1 Final\KMSPicoActivator.exe | executable | CF8BCFB831E0544BA343EDDFD5E20B77 | B83F5AFECA49CE41F24282DF09DD2B2EB311D2B4474EB6C6FFE8C3DF9B0CC01F |
| 3016 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXb3016.40467\KMSPico 10.2.1.exe | executable | 79AB3CE97177023917A54B80CE4A0FA5 | D7DE94BBC77967BE9053C9481884A0A7450DF974A6A89E69726DF0A1E31FD911 |
| 3604 | Registry_Activation_1593077924.exe | C:\Users\admin\AppData\Local\Temp\inH242560941608\form.bmp.Mask | binary | D2FC989F9C2043CD32332EC0FAD69C70 | 27DD029405CBFB0C3BF8BAC517BE5DB9AA83E981B1DC2BD5C5D6C549FA514101 |
| 3604 | Registry_Activation_1593077924.exe | C:\Users\admin\AppData\Local\Temp\inH242560941608\css\_variables.scss | text | 07922410C30F0117CBC3C140F14AEA88 | AF1999B49C03F5DCBB19466466FAC2D8172C684C0FF18931B85A8D0A06332C73 |
| PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
| 1012 | KMSPicoActivator.exe | GET | 200 | 52.222.146.177:80 | http://all.fingersleep.bid/offer.php?affId=1462&trackingId=356255617&instId=803&ho_trackingid=HO356255617&cc=LK&sb=x86&wv=7sp1&db=InternetExplorer&uac=1&cid=5d979308c3b6ea5ad7e984e628c8cac1&v=3&net=4.6.01055&ie=8%2e0%2e7601%2e17514&res=1280x720&osd=469&kid=hqmrb21aga33h9lsvhd | US | — | — | whitelisted |

| PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
| 1012 | KMSPicoActivator.exe | 52.222.146.177:80 | all.fingersleep.bid | Amazon.com, Inc. | US | suspicious |

| Domain | IP | Reputation |
|---|---|---|
| all.fingersleep.bid | | whitelisted |
| ww2.kalutobb-saca.com | | malicious |
| app.kalutobb-saca.com | | malicious |
| PID | Process | Class | Message |
|---|---|---|---|
| 1012 | KMSPicoActivator.exe | A Network Trojan was detected | ET MALWARE PPI User-Agent (InstallCapital) |
| 1012 | KMSPicoActivator.exe | Misc activity | ADWARE [PTsecurity] SoftwareBundler:Win32/Prepscram |