
Windows Analysis Report
AppKMSPico.exe

Overview

General Information

Sample name: AppKMSPico.exe
Analysis ID: 1632211
MD5: df66ba47474a9daadb671ac4fde9b2e8
SHA1: ca0ec093c0e0120a343de43394efc1d8eb5e9db4
SHA256: b537b24d31cd6cf9809827248309a7710461831149b695cacea56fa7f9b49d79
Tags: exe, user-aachum

Detection

RHADAMANTHYS
Score: 96
Range: 0 - 100
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected RHADAMANTHYS Stealer
C2 URLs / IPs found in malware configuration
Switches to a custom stack to bypass stack traces
AV process strings found (often used to terminate AV products)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
One or more processes crash
PE / OLE file has an invalid certificate
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic

Classification

  • System is w10x64
  • AppKMSPico.exe (PID: 5792 cmdline: "C:\Users\user\Desktop\AppKMSPico.exe" MD5: DF66BA47474A9DAADB671AC4FDE9B2E8)
    • AppKMSPico.tmp (PID: 2640 cmdline: "C:\Users\user\AppData\Local\Temp\is-AJJCK.tmp\AppKMSPico.tmp" /SL5="$20408,6747598,914432,C:\Users\user\Desktop\AppKMSPico.exe" MD5: 283BD14CA25CDAED1067039CFC9D7573)
      • AppKMSPico.exe (PID: 5440 cmdline: "C:\Users\user\Desktop\AppKMSPico.exe" /VERYSILENT MD5: DF66BA47474A9DAADB671AC4FDE9B2E8)
        • AppKMSPico.tmp (PID: 3680 cmdline: "C:\Users\user\AppData\Local\Temp\is-VV52U.tmp\AppKMSPico.tmp" /SL5="$2040C,6747598,914432,C:\Users\user\Desktop\AppKMSPico.exe" /VERYSILENT MD5: 283BD14CA25CDAED1067039CFC9D7573)
          • unins.exe (PID: 5268 cmdline: "C:\Users\user\AppData\Roaming\{81BC352B-FE8E-44D0-BAFD-61B652F68FCB}\unins.exe" MD5: 5B701F699CF2F2A358FB43EEED75A73F)
            • svchost.exe (PID: 7344 cmdline: "C:\Windows\System32\svchost.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
              • fontdrvhost.exe (PID: 7424 cmdline: "C:\Windows\System32\fontdrvhost.exe" MD5: BBCB897697B3442657C7D6E3EDDBD25F)
                • WerFault.exe (PID: 7500 cmdline: C:\Windows\system32\WerFault.exe -u -p 7424 -s 140 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
  • cleanup
Name: Rhadamanthys
Description: According to PCrisk, Rhadamanthys is a stealer-type malware, and as its name implies - it is designed to extract data from infected machines. At the time of writing, this malware is spread through malicious websites mirroring those of genuine software such as AnyDesk, Zoom, Notepad++, and others. Rhadamanthys is downloaded alongside the real program, thus diminishing immediate user suspicion. These sites were promoted through Google ads, which superseded the legitimate search results on the Google search engine.
Attribution: Sandworm
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.rhadamanthys
Malware configuration: {"C2 url": "https://89.163.155.192:9992/994a0435cf44e2/b9qevj4x.32o4f"}
Source | Rule | Description | Author
00000005.00000003.1352907117.00000000008A0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_RHADAMANTHYS | Yara detected RHADAMANTHYS Stealer | Joe Security
0000000D.00000003.1363440168.00000000037F0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_RHADAMANTHYS | Yara detected RHADAMANTHYS Stealer | Joe Security
00000005.00000003.1363664007.0000000002B30000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_RHADAMANTHYS | Yara detected RHADAMANTHYS Stealer | Joe Security
0000000D.00000003.1366435370.0000000005720000.00000004.00000001.00020000.00000000.sdmp | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
00000005.00000003.1358860719.0000000003470000.00000004.00000001.00020000.00000000.sdmp | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security

Source | Rule | Description | Author
13.3.svchost.exe.5720000.6.unpack | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
13.3.svchost.exe.5940000.7.raw.unpack | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
13.3.svchost.exe.5720000.6.raw.unpack | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
5.3.unins.exe.3690000.6.raw.unpack | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
5.3.unins.exe.3470000.5.raw.unpack | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\svchost.exe", CommandLine: "C:\Windows\System32\svchost.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\{81BC352B-FE8E-44D0-BAFD-61B652F68FCB}\unins.exe", ParentImage: C:\Users\user\AppData\Roaming\{81BC352B-FE8E-44D0-BAFD-61B652F68FCB}\unins.exe, ParentProcessId: 5268, ParentProcessName: unins.exe, ProcessCommandLine: "C:\Windows\System32\svchost.exe", ProcessId: 7344, ProcessName: svchost.exe
Source: Process started | Author: vburov | Data: Command: "C:\Windows\System32\svchost.exe", CommandLine: "C:\Windows\System32\svchost.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\{81BC352B-FE8E-44D0-BAFD-61B652F68FCB}\unins.exe", ParentImage: C:\Users\user\AppData\Roaming\{81BC352B-FE8E-44D0-BAFD-61B652F68FCB}\unins.exe, ParentProcessId: 5268, ParentProcessName: unins.exe, ProcessCommandLine: "C:\Windows\System32\svchost.exe", ProcessId: 7344, ProcessName: svchost.exe

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-07T21:08:43.705803+0100 | 2854802 | 1 | Domain Observed Used for C2 Detected | 89.163.155.192 | 9992 | 192.168.2.8 | 49691 | TCP

                      AV Detection

Source: 00000005.00000003.1368817646.00000000029E3000.00000004.00001000.00020000.00000000.sdmp | Malware Configuration Extractor: Rhadamanthys {"C2 url": "https://89.163.155.192:9992/994a0435cf44e2/b9qevj4x.32o4f"}
Source: C:\Users\user\AppData\Roaming\{81BC352B-FE8E-44D0-BAFD-61B652F68FCB}\is-OOPFH.tmp | ReversingLabs: Detection: 18%
Source: AppKMSPico.exe | Virustotal: Detection: 10%
Source: AppKMSPico.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: AppKMSPico.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: C:\A\1\23\s\obj\Release\MCppEE.pdb4 source: is-OE061.tmp.4.dr
Source: Binary string: C:\A\1\23\s\obj\Release\MCppEE.pdb source: is-OE061.tmp.4.dr
Source: Binary string: wkernel32.pdb source: unins.exe, 00000005.00000003.1357861759.0000000003470000.00000004.00000001.00020000.00000000.sdmp, unins.exe, 00000005.00000003.1358388128.00000000035A1000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1365756920.0000000005840000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1365563418.0000000005720000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: D:\dbs\sh\ddvsm\0727_115535_0\cmd\q\out\binaries\amd64ret\bin\amd64\vstlbinf.pdb source: is-U3JMT.tmp.4.dr
Source: Binary string: wkernelbase.pdb source: unins.exe, 00000005.00000003.1358860719.0000000003470000.00000004.00000001.00020000.00000000.sdmp, unins.exe, 00000005.00000003.1360472910.0000000003690000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1366435370.0000000005720000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1366627359.0000000005940000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: ntdll.pdb source: unins.exe, 00000005.00000003.1354895491.0000000003660000.00000004.00000001.00020000.00000000.sdmp, unins.exe, 00000005.00000003.1353980881.0000000003470000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1364551615.0000000005910000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1364289294.0000000005720000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: r:\tinderbox\win-qt-5.15\out\qtbase\lib\Qt5PrintSupportVBox.pdb22 source: is-VBA1E.tmp.4.dr
Source: Binary string: r:\tinderbox\win-qt-5.15\out\qtbase\lib\Qt5PrintSupportVBox.pdb source: is-VBA1E.tmp.4.dr
Source: Binary string: wntdll.pdbUGP source: unins.exe, 00000005.00000003.1357062400.0000000003610000.00000004.00000001.00020000.00000000.sdmp, unins.exe, 00000005.00000003.1356155553.0000000003470000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1365082580.00000000058C0000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1364840158.0000000005720000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: ntdll.pdbUGP source: unins.exe, 00000005.00000003.1354895491.0000000003660000.00000004.00000001.00020000.00000000.sdmp, unins.exe, 00000005.00000003.1353980881.0000000003470000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1364551615.0000000005910000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1364289294.0000000005720000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: unins.exe, 00000005.00000003.1357062400.0000000003610000.00000004.00000001.00020000.00000000.sdmp, unins.exe, 00000005.00000003.1356155553.0000000003470000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1365082580.00000000058C0000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1364840158.0000000005720000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: D:\DynamicLinkMediaServer8\releases\2014.03\dynamiclinkmediaserver\Targets\Win\Release\64\AudioSupport.pdb source: is-SHJF7.tmp.4.dr
Source: Binary string: wkernel32.pdbUGP source: unins.exe, 00000005.00000003.1357861759.0000000003470000.00000004.00000001.00020000.00000000.sdmp, unins.exe, 00000005.00000003.1358388128.00000000035A1000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1365756920.0000000005840000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1365563418.0000000005720000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: wkernelbase.pdbUGP source: unins.exe, 00000005.00000003.1358860719.0000000003470000.00000004.00000001.00020000.00000000.sdmp, unins.exe, 00000005.00000003.1360472910.0000000003690000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1366435370.0000000005720000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1366627359.0000000005940000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: c:\zlib-dll\Release\isunzlib.pdb source: AppKMSPico.tmp, 00000002.00000003.1019495696.00000000023A3000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.4.dr, _isdecmp.dll.2.dr
Source: Binary string: D:\dbs\sh\ddvsm\0727_115535_0\cmd\q\out\binaries\amd64ret\bin\amd64\vstlbinf.pdb44 source: is-U3JMT.tmp.4.dr
Source: C:\Users\user\AppData\Roaming\{81BC352B-FE8E-44D0-BAFD-61B652F68FCB}\unins.exe | Code function: 5_3_029D9608 FindFirstFileExW, 5_3_029D9608
Source: C:\Windows\System32\fontdrvhost.exe | Code function: 4x nop then dec esp, 14_2_00000260DF210511

                      Networking

Source: Network traffic | Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 89.163.155.192:9992 -> 192.168.2.8:49691
Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 89.163.155.192 9992
Source: Malware configuration extractor | URLs: https://89.163.155.192:9992/994a0435cf44e2/b9qevj4x.32o4f
Source: global traffic | TCP traffic: 192.168.2.8:49691 -> 89.163.155.192:9992
Source: Joe Sandbox View | ASN Name: MYLOC-ASIPBackboneofmyLocmanagedITAGDE
Source: unknown | TCP traffic detected without corresponding DNS query: 89.163.155.192 (this entry is repeated 50 times in the report)
                      Source: is-VBA1E.tmp.4.drString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
                      Source: is-VBA1E.tmp.4.dr, is-ENC75.tmp.4.drString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
                      Source: is-VBA1E.tmp.4.drString found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
                      Source: is-ENC75.tmp.4.drString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
                      Source: is-VBA1E.tmp.4.dr, is-ENC75.tmp.4.drString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
                      Source: is-VBA1E.tmp.4.dr, is-ENC75.tmp.4.drString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
                      Source: AppKMSPico.tmp, 00000002.00000003.1019495696.00000000023A3000.00000004.00001000.00020000.00000000.sdmp, AppKMSPico.tmp, 00000004.00000003.1180152935.0000000002573000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.4.dr, _isdecmp.dll.2.drString found in binary or memory: http://crl.certum.pl/cscasha2.crl0q
                      Source: AppKMSPico.tmp, 00000002.00000003.1019495696.00000000023A3000.00000004.00001000.00020000.00000000.sdmp, AppKMSPico.tmp, 00000004.00000003.1180152935.0000000002573000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.4.dr, _isdecmp.dll.2.drString found in binary or memory: http://crl.certum.pl/ctnca.crl0k
                      Source: AppKMSPico.tmp, 00000004.00000002.1181865812.0000000000192000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
                      Source: AppKMSPico.tmp, 00000004.00000002.1181865812.0000000000192000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
                      Source: AppKMSPico.tmp, 00000004.00000002.1181865812.0000000000192000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: http://crl.sectigo.com/SectigoPublicTimeStampingCAR36.crl0z
                      Source: AppKMSPico.tmp, 00000004.00000002.1181865812.0000000000192000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: http://crl.sectigo.com/SectigoPublicTimeStampingRootR46.crl0
                      Source: AppKMSPico.tmp, 00000002.00000003.1019495696.00000000023A3000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.4.dr, _isdecmp.dll.2.drString found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
                      Source: is-SHJF7.tmp.4.drString found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
                      Source: is-VBA1E.tmp.4.dr, is-ENC75.tmp.4.drString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
                      Source: is-VBA1E.tmp.4.drString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
                      Source: is-ENC75.tmp.4.drString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
                      Source: is-VBA1E.tmp.4.dr, is-ENC75.tmp.4.drString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
                      Source: is-ENC75.tmp.4.drString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
                      Source: is-VBA1E.tmp.4.drString found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
                      Source: is-VBA1E.tmp.4.drString found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
                      Source: is-ENC75.tmp.4.drString found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
                      Source: is-VBA1E.tmp.4.drString found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
                      Source: AppKMSPico.tmp, 00000004.00000002.1181865812.0000000000192000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
                      Source: AppKMSPico.tmp, 00000004.00000002.1181865812.0000000000192000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
                      Source: AppKMSPico.tmp, 00000004.00000002.1181865812.0000000000192000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: http://crt.sectigo.com/SectigoPublicTimeStampingCAR36.crt0#
                      Source: AppKMSPico.tmp, 00000004.00000002.1181865812.0000000000192000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: http://crt.sectigo.com/SectigoPublicTimeStampingRootR46.p7c0#
                      Source: AppKMSPico.tmp, 00000002.00000003.1019495696.00000000023A3000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.4.dr, _isdecmp.dll.2.drString found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
                      Source: AppKMSPico.tmp, 00000002.00000003.1019495696.00000000023A3000.00000004.00001000.00020000.00000000.sdmp, AppKMSPico.tmp, 00000004.00000003.1180152935.0000000002573000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.4.dr, _isdecmp.dll.2.drString found in binary or memory: http://cscasha2.ocsp-certum.com04
                      Source: is-SHJF7.tmp.4.drString found in binary or memory: http://evcs-aia.ws.symantec.com/evcs.cer0
                      Source: is-SHJF7.tmp.4.drString found in binary or memory: http://evcs-crl.ws.symantec.com/evcs.crl0
                      Source: is-SHJF7.tmp.4.drString found in binary or memory: http://evcs-ocsp.ws.symantec.com04
                      Source: is-ENC75.tmp.4.drString found in binary or memory: http://ocsp.digicert.com0
                      Source: is-VBA1E.tmp.4.dr, is-ENC75.tmp.4.drString found in binary or memory: http://ocsp.digicert.com0A
                      Source: is-VBA1E.tmp.4.dr, is-ENC75.tmp.4.drString found in binary or memory: http://ocsp.digicert.com0C
                      Source: is-VBA1E.tmp.4.drString found in binary or memory: http://ocsp.digicert.com0N
                      Source: is-VBA1E.tmp.4.dr, is-ENC75.tmp.4.drString found in binary or memory: http://ocsp.digicert.com0X
                      Source: AppKMSPico.tmp, 00000002.00000003.1019495696.00000000023A3000.00000004.00001000.00020000.00000000.sdmp, AppKMSPico.tmp, 00000004.00000002.1181865812.0000000000192000.00000004.00000010.00020000.00000000.sdmp, _isdecmp.dll.4.dr, _isdecmp.dll.2.drString found in binary or memory: http://ocsp.sectigo.com0
                      Source: AppKMSPico.tmp, 00000004.00000002.1181865812.0000000000192000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: http://ocsp.sectigo.com0#
                      Source: is-SHJF7.tmp.4.drString found in binary or memory: http://ocsp.thawte.com0
                      Source: is-ENC75.tmp.4.drString found in binary or memory: http://purl.oclc.org/dsdl/schematron
                      Source: is-ENC75.tmp.4.drString found in binary or memory: http://purl.oclc.org/dsdl/schematronhttp://www.ascc.net/xml/schematronFailed
                      Source: is-ENC75.tmp.4.drString found in binary or memory: http://relaxng.org/ns/structure/1.0
                      Source: AppKMSPico.tmp, 00000002.00000003.1019495696.00000000023A3000.00000004.00001000.00020000.00000000.sdmp, AppKMSPico.tmp, 00000004.00000003.1180152935.0000000002573000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.4.dr, _isdecmp.dll.2.drString found in binary or memory: http://repository.certum.pl/cscasha2.cer0
                      Source: AppKMSPico.tmp, 00000002.00000003.1019495696.00000000023A3000.00000004.00001000.00020000.00000000.sdmp, AppKMSPico.tmp, 00000004.00000003.1180152935.0000000002573000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.4.dr, _isdecmp.dll.2.drString found in binary or memory: http://repository.certum.pl/ctnca.cer09
                      Source: AppKMSPico.tmp, 00000002.00000003.1019495696.00000000023A3000.00000004.00001000.00020000.00000000.sdmp, AppKMSPico.tmp, 00000004.00000003.1180152935.0000000002573000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.4.dr, _isdecmp.dll.2.drString found in binary or memory: http://subca.ocsp-certum.com01
                      Source: is-SHJF7.tmp.4.drString found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
                      Source: is-SHJF7.tmp.4.drString found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
                      Source: is-SHJF7.tmp.4.drString found in binary or memory: http://ts-ocsp.ws.symantec.com07
                      Source: is-ENC75.tmp.4.drString found in binary or memory: http://www.apple.com/
                      Source: is-ENC75.tmp.4.drString found in binary or memory: http://www.ascc.net/xml/schematron
                      Source: AppKMSPico.tmp, 00000002.00000003.1019495696.00000000023A3000.00000004.00001000.00020000.00000000.sdmp, AppKMSPico.tmp, 00000004.00000003.1180152935.0000000002573000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.4.dr, _isdecmp.dll.2.drString found in binary or memory: http://www.certum.pl/CPS0
                      Source: is-VBA1E.tmp.4.dr, is-ENC75.tmp.4.drString found in binary or memory: http://www.digicert.com/CPS0
                      Source: is-ENC75.tmp.4.drString found in binary or memory: http://www.oasis-open.org/committees/entity/release/1.0/catalog.dtd
                      Source: is-ENC75.tmp.4.drString found in binary or memory: http://www.oasis-open.org/committees/entity/release/1.0/catalog.dtd-//OASIS//DTD
                      Source: is-SHJF7.tmp.4.drString found in binary or memory: http://www.symauth.com/cps0(
                      Source: is-SHJF7.tmp.4.drString found in binary or memory: http://www.symauth.com/cps09
                      Source: is-SHJF7.tmp.4.drString found in binary or memory: http://www.symauth.com/rpa04
Source: svchost.exe, 0000000D.00000002.1424555120.000000000350C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.1424299686.0000000002F7C000.00000004.00000010.00020000.00000000.sdmp, fontdrvhost.exe, fontdrvhost.exe, 0000000E.00000002.1821550106.00000260DF210000.00000040.00000001.00020000.00000000.sdmp | String found in binary or memory: https://89.163.155.192:9992/994a0435cf44e2/b9qevj4x.32o4f
Source: svchost.exe, 0000000D.00000002.1424555120.000000000350C000.00000004.00000020.00020000.00000000.sdmp, fontdrvhost.exe, 0000000E.00000002.1821550106.00000260DF210000.00000040.00000001.00020000.00000000.sdmp | String found in binary or memory: https://89.163.155.192:9992/994a0435cf44e2/b9qevj4x.32o4fkernelbasentdllkernel32GetProcessMitigation
Source: svchost.exe, 0000000D.00000002.1424299686.0000000002F7C000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: https://89.163.155.192:9992/994a0435cf44e2/b9qevj4x.32o4fx
Source: svchost.exe, 0000000D.00000003.1387854849.00000000035A1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cloudflare-dns.com/dns-query
Source: svchost.exe, 0000000D.00000003.1387854849.00000000035A1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cloudflare-dns.com/dns-queryPOSTContent-TypeContent-LengthHostapplication/dns-message%dMachi
Source: is-93JOF.tmp.4.dr | String found in binary or memory: https://gnu.org/licenses/gpl.html
Source: is-93JOF.tmp.4.dr | String found in binary or memory: https://gnu.org/licenses/gpl.html1995-2022Ulrich
Source: AppKMSPico.tmp, 00000002.00000003.1019495696.00000000023A3000.00000004.00001000.00020000.00000000.sdmp, AppKMSPico.tmp, 00000004.00000003.1180152935.0000000002573000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.4.dr, _isdecmp.dll.2.dr | String found in binary or memory: https://jrsoftware.org/
Source: AppKMSPico.exe | String found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: AppKMSPico.tmp, 00000002.00000003.1019495696.00000000023A3000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.4.dr, _isdecmp.dll.2.dr | String found in binary or memory: https://jrsoftware.org0
Source: is-93JOF.tmp.4.dr | String found in binary or memory: https://savannah.gnu.org/projects/gettext
Source: is-93JOF.tmp.4.dr | String found in binary or memory: https://savannah.gnu.org/projects/gettexttoo
Source: AppKMSPico.tmp, 00000004.00000002.1181865812.0000000000192000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: https://sectigo.com/CPS0
Source: AppKMSPico.tmp, 00000002.00000003.1019495696.00000000023A3000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.4.dr, _isdecmp.dll.2.dr | String found in binary or memory: https://sectigo.com/CPS0D
Source: AppKMSPico.tmp, 00000002.00000003.1019495696.00000000023A3000.00000004.00001000.00020000.00000000.sdmp, AppKMSPico.tmp, 00000004.00000003.1180152935.0000000002573000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.4.dr, _isdecmp.dll.2.dr | String found in binary or memory: https://www.certum.pl/CPS0
Source: is-VBA1E.tmp.4.dr | String found in binary or memory: https://www.digicert.com/CPS0
Source: is-93JOF.tmp.4.dr | String found in binary or memory: https://www.gnu.org/licenses/
Source: AppKMSPico.exe, 00000000.00000003.996992162.000000007FB40000.00000004.00001000.00020000.00000000.sdmp, AppKMSPico.tmp, 00000002.00000000.998244942.0000000000401000.00000020.00000001.01000000.00000004.sdmp, unins.exe, 00000005.00000000.1177848939.0000000000401000.00000020.00000001.01000000.0000000E.sdmp | String found in binary or memory: https://www.innosetup.com/
Source: AppKMSPico.exe, 00000000.00000003.996992162.000000007FB40000.00000004.00001000.00020000.00000000.sdmp, AppKMSPico.tmp, 00000002.00000000.998244942.0000000000401000.00000020.00000001.01000000.00000004.sdmp, unins.exe, 00000005.00000000.1177848939.0000000000401000.00000020.00000001.01000000.0000000E.sdmp | String found in binary or memory: https://www.remobjects.com/ps
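Of the URL strings listed above, only one is a raw IP address on a non-standard port (89.163.155.192:9992, the Rhadamanthys C2 seen in the injected svchost.exe and fontdrvhost.exe memory), plus a DNS-over-HTTPS resolver in the same svchost.exe dump; the rest are Inno Setup, gettext and certificate-policy (CPS) references that any signed installer carries. The Python below is an added triage example, not part of the Joe Sandbox report: it pulls URLs out of memory strings, keys them by host and port so that copies with trailing bytes fused from adjacent memory collapse onto one endpoint, and ranks raw-IP non-standard-port endpoints and DoH resolvers above vendor and CPS URLs. The sample list is constructed from the strings above; the vendor allow-list, the verdict names and their ranking are this example's own choices.

```python
import ipaddress
import re
from collections import defaultdict
from typing import Tuple
from urllib.parse import urlsplit

# Constructed sample input: the URL-bearing strings the report lists for this
# sample, as `strings` would emit them from the dumps. Several carry bytes
# from adjacent memory fused onto their tail, so exact-match IOC lookups miss them.
SAMPLE_STRINGS = [
    "https://89.163.155.192:9992/994a0435cf44e2/b9qevj4x.32o4f",
    "https://89.163.155.192:9992/994a0435cf44e2/b9qevj4x.32o4fkernelbasentdllkernel32GetProcessMitigation",
    "https://89.163.155.192:9992/994a0435cf44e2/b9qevj4x.32o4fx",
    "https://cloudflare-dns.com/dns-query",
    "https://cloudflare-dns.com/dns-queryPOSTContent-TypeContent-LengthHostapplication/dns-message%dMachi",
    "https://gnu.org/licenses/gpl.html1995-2022Ulrich",
    "https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU",
    "https://jrsoftware.org0",
    "https://savannah.gnu.org/projects/gettexttoo",
    "https://sectigo.com/CPS0",
    "https://sectigo.com/CPS0D",
    "https://www.certum.pl/CPS0",
    "https://www.digicert.com/CPS0",
    "https://www.innosetup.com/",
    "https://www.remobjects.com/ps",
]

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
STANDARD_PORTS = {80, 443}
# Hosts an Inno Setup package and its bundled gettext files legitimately
# reference (this example's own allow-list, not taken from the report).
INSTALLER_HOSTS = {"jrsoftware.org", "innosetup.com", "remobjects.com",
                   "gnu.org", "savannah.gnu.org"}
# Higher rank wins when several strings map to the same host:port.
RANK = {"unknown": 0, "installer_vendor": 1, "cert_policy": 1,
        "ip_literal": 2, "doh_resolver": 3, "c2_candidate": 4}


def classify_url(url: str) -> Tuple[str, int, str]:
    """Return (host, port, verdict) for one URL string."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    try:
        port = parts.port
    except ValueError:          # non-numeric bytes fused onto the port
        port = None
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    path = parts.path
    try:
        ipaddress.ip_address(host)
        is_ip = True
    except ValueError:
        is_ip = False
    bare_host = host[4:] if host.startswith("www.") else host

    if is_ip and port not in STANDARD_PORTS:
        verdict = "c2_candidate"      # raw IP on a non-standard port
    elif is_ip:
        verdict = "ip_literal"
    elif host == "cloudflare-dns.com" or path.startswith("/dns-query"):
        verdict = "doh_resolver"      # DNS over HTTPS sidesteps DNS-log monitoring
    elif path.startswith("/CPS"):
        verdict = "cert_policy"       # CPS pointer from the Authenticode cert chain
    elif bare_host in INSTALLER_HOSTS:
        verdict = "installer_vendor"
    else:
        verdict = "unknown"           # includes hosts damaged by fused bytes
    return host, port, verdict


def triage(strings):
    """Group every URL by (host, port) and keep the strongest verdict plus the
    raw samples, so the pivot is the endpoint rather than the noisy full string."""
    endpoints = defaultdict(lambda: {"verdict": "unknown", "samples": []})
    for s in strings:
        for url in URL_RE.findall(s):
            host, port, verdict = classify_url(url)
            entry = endpoints[(host, port)]
            entry["samples"].append(url)
            if RANK[verdict] > RANK[entry["verdict"]]:
                entry["verdict"] = verdict
    return dict(endpoints)


def c2_candidates(strings):
    """host:port pairs worth blocking and hunting for, sorted."""
    return sorted(f"{h}:{p}" for (h, p), v in triage(strings).items()
                  if v["verdict"] == "c2_candidate")


if __name__ == "__main__":
    for (host, port), info in sorted(triage(SAMPLE_STRINGS).items()):
        print(f"{info['verdict']:17} {host}:{port}  ({len(info['samples'])} strings)")
```

Pivoting on host:port is what makes the three damaged copies of the C2 string count as one endpoint with three sightings; a host whose own name was damaged (jrsoftware.org0) still lands in "unknown" and needs a human look, which is the honest outcome for fused strings.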
Source: unins.exe, 00000005.00000003.1358860719.0000000003470000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: DirectInput8Create (memstr_3c56c778-8)
Source: unins.exe, 00000005.00000003.1358860719.0000000003470000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: GetRawInputData (memstr_b6918819-a)
Source: Yara match | File source: 13.3.svchost.exe.5720000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.3.svchost.exe.5940000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.3.svchost.exe.5720000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.3.unins.exe.3690000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.3.unins.exe.3470000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.3.svchost.exe.5720000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.3.svchost.exe.5720000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000D.00000003.1366435370.0000000005720000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.1358860719.0000000003470000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.1360472910.0000000003690000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000003.1366627359.0000000005940000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: unins.exe PID: 5268, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: svchost.exe PID: 7344, type: MEMORYSTR
Source: C:\Users\user\AppData\Roaming\{81BC352B-FE8E-44D0-BAFD-61B652F68FCB}\unins.exe | Code function: 5_3_00C7219A NtProtectVirtualMemory
Source: C:\Users\user\AppData\Roaming\{81BC352B-FE8E-44D0-BAFD-61B652F68FCB}\unins.exe | Code function: 5_3_00C7215C NtFreeVirtualMemory
Source: C:\Users\user\AppData\Roaming\{81BC352B-FE8E-44D0-BAFD-61B652F68FCB}\unins.exe | Code function: 5_3_00C72109 NtAllocateVirtualMemory
Source: C:\Users\user\AppData\Roaming\{81BC352B-FE8E-44D0-BAFD-61B652F68FCB}\unins.exe | Code function: 5_2_008D19C5 free,NtClose,free
Source: C:\Users\user\AppData\Roaming\{81BC352B-FE8E-44D0-BAFD-61B652F68FCB}\unins.exe | Code function: 5_2_008D0CD8 NtAllocateVirtualMemory,NtFreeVirtualMemory
Source: C:\Users\user\AppData\Roaming\{81BC352B-FE8E-44D0-BAFD-61B652F68FCB}\unins.exe | Code function: 5_2_008D10E8 NtTerminateThread,NtClose
Source: C:\Users\user\AppData\Roaming\{81BC352B-FE8E-44D0-BAFD-61B652F68FCB}\unins.exe | Code function: 5_2_008D11E5 CreateThread,malloc,NtClose,free
Source: C:\Users\user\AppData\Roaming\{81BC352B-FE8E-44D0-BAFD-61B652F68FCB}\unins.exe | Code function: 5_2_008D066E NtProtectVirtualMemory
Source: C:\Users\user\AppData\Roaming\{81BC352B-FE8E-44D0-BAFD-61B652F68FCB}\unins.exe | Code function: 5_2_008D0B72 NtGetContextThread,NtSetContextThread,NtResumeThread
Source: C:\Users\user\AppData\Roaming\{81BC352B-FE8E-44D0-BAFD-61B652F68FCB}\unins.exe | Code function: 5_2_008D1084 NtClose
Source: C:\Users\user\AppData\Roaming\{81BC352B-FE8E-44D0-BAFD-61B652F68FCB}\unins.exe | Code function: 5_2_008D114C NtClose
Source: C:\Windows\System32\fontdrvhost.exe | Code function: 14_2_00000260DF2115C0 NtAcceptConnectPort
Source: C:\Windows\System32\fontdrvhost.exe | Code function: 14_2_00000260DF210AC8 NtAcceptConnectPort,NtAcceptConnectPort
Source: C:\Windows\System32\fontdrvhost.exe | Code function: 14_2_00000260DF211AA4 NtAcceptConnectPort,NtAcceptConnectPort
Source: C:\Windows\System32\fontdrvhost.exe | Code function: 14_2_00000260DF211CF4 NtAcceptConnectPort,CloseHandle
Source: C:\Users\user\AppData\Roaming\{81BC352B-FE8E-44D0-BAFD-61B652F68FCB}\unins.exe | Code function: 5_3_00C706FF
Source: C:\Users\user\AppData\Roaming\{81BC352B-FE8E-44D0-BAFD-61B652F68FCB}\unins.exe | Code function: 5_3_00C70000
Source: C:\Users\user\AppData\Roaming\{81BC352B-FE8E-44D0-BAFD-61B652F68FCB}\unins.exe | Code function: 5_3_029D264D
Source: C:\Users\user\AppData\Roaming\{81BC352B-FE8E-44D0-BAFD-61B652F68FCB}\unins.exe | Code function: 5_3_029CC3DC
Source: C:\Users\user\AppData\Roaming\{81BC352B-FE8E-44D0-BAFD-61B652F68FCB}\unins.exe | Code function: 5_3_029CC09A
Source: C:\Users\user\AppData\Roaming\{81BC352B-FE8E-44D0-BAFD-61B652F68FCB}\unins.exe | Code function: 5_3_029DCC25
Source: C:\Users\user\AppData\Roaming\{81BC352B-FE8E-44D0-BAFD-61B652F68FCB}\unins.exe | Code function: 5_3_029CF13B
Source: C:\Users\user\AppData\Roaming\{81BC352B-FE8E-44D0-BAFD-61B652F68FCB}\unins.exe | Code function: 5_3_029D1170
Source: C:\Windows\System32\fontdrvhost.exe | Code function: 14_2_00000260DF210C70
Source: C:\Users\user\AppData\Roaming\{81BC352B-FE8E-44D0-BAFD-61B652F68FCB}\unins.exe | Code function: String function: 029C7FB0 appears 38 times
Source: C:\Windows\System32\fontdrvhost.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7424 -s 140
Source: AppKMSPico.exe | Static PE information: invalid certificate
Source: AppKMSPico.tmp.0.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: AppKMSPico.tmp.3.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: is-RTVTR.tmp.4.dr | Static PE information: Number of sections : 11 > 10
Source: AppKMSPico.exe, 00000000.00000003.996992162.000000007FE2C000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFileName FolderWasher.exe vs AppKMSPico.exe
Source: AppKMSPico.exe, 00000000.00000000.996038997.00000000004D2000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFileName FolderWasher.exe vs AppKMSPico.exe
Source: AppKMSPico.exe, 00000000.00000003.1023198092.000000000220B000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFileName FolderWasher.exe vs AppKMSPico.exe
Source: AppKMSPico.exe, 00000000.00000003.1023198092.00000000022C8000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilename kernel32j% vs AppKMSPico.exe
Source: AppKMSPico.exe, 00000003.00000003.1185092554.0000000002288000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilename kernel32j% vs AppKMSPico.exe
Source: AppKMSPico.exe, 00000003.00000003.1185092554.00000000021CB000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFileName FolderWasher.exe vs AppKMSPico.exe
Source: AppKMSPico.exe | Binary or memory string: OriginalFileName FolderWasher.exe vs AppKMSPico.exe
Source: AppKMSPico.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: classification engine | Classification label: mal96.troj.evad.winEXE@14/62@0/1
Source: C:\Users\user\AppData\Roaming\{81BC352B-FE8E-44D0-BAFD-61B652F68FCB}\unins.exe | Code function: 5_3_00C70E0F CreateToolhelp32Snapshot,Thread32First,Wow64SuspendThread,CloseHandle,CloseHandle
Source: C:\Users\user\AppData\Local\Temp\is-AJJCK.tmp\AppKMSPico.tmp | File created: C:\Users\user\AppData\Local\Programs
Source: C:\Windows\System32\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7424
Source: C:\Windows\SysWOW64\svchost.exe | Mutant created: \Sessions\1\BaseNamedObjects\MSCTF.Asm.{00000009-b5f6d05-8444-11dd7e-c8cedb5060cc}
Source: C:\Users\user\Desktop\AppKMSPico.exe | File created: C:\Users\user\AppData\Local\Temp\is-AJJCK.tmp
Source: C:\Users\user\Desktop\AppKMSPico.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\AppKMSPico.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-AJJCK.tmp\AppKMSPico.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-AJJCK.tmp\AppKMSPico.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\AppKMSPico.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\AppKMSPico.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-VV52U.tmp\AppKMSPico.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-VV52U.tmp\AppKMSPico.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\svchost.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\SysWOW64\svchost.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\is-AJJCK.tmp\AppKMSPico.tmp | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\AppKMSPico.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Local\Temp\is-AJJCK.tmp\AppKMSPico.tmp | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
Source: AppKMSPico.exe | Virustotal: Detection: 10%
Source: AppKMSPico.exe | String found in binary or memory: /LOADINF="filename"
Source: C:\Users\user\Desktop\AppKMSPico.exe | File read: C:\Users\user\Desktop\AppKMSPico.exe
Source: unknown | Process created: C:\Users\user\Desktop\AppKMSPico.exe "C:\Users\user\Desktop\AppKMSPico.exe"
Source: C:\Users\user\Desktop\AppKMSPico.exe | Process created: C:\Users\user\AppData\Local\Temp\is-AJJCK.tmp\AppKMSPico.tmp "C:\Users\user\AppData\Local\Temp\is-AJJCK.tmp\AppKMSPico.tmp" /SL5="$20408,6747598,914432,C:\Users\user\Desktop\AppKMSPico.exe"
Source: C:\Users\user\AppData\Local\Temp\is-AJJCK.tmp\AppKMSPico.tmp | Process created: C:\Users\user\Desktop\AppKMSPico.exe "C:\Users\user\Desktop\AppKMSPico.exe" /VERYSILENT
Source: C:\Users\user\Desktop\AppKMSPico.exe | Process created: C:\Users\user\AppData\Local\Temp\is-VV52U.tmp\AppKMSPico.tmp "C:\Users\user\AppData\Local\Temp\is-VV52U.tmp\AppKMSPico.tmp" /SL5="$2040C,6747598,914432,C:\Users\user\Desktop\AppKMSPico.exe" /VERYSILENT
Source: C:\Users\user\AppData\Local\Temp\is-VV52U.tmp\AppKMSPico.tmp | Process created: C:\Users\user\AppData\Roaming\{81BC352B-FE8E-44D0-BAFD-61B652F68FCB}\unins.exe "C:\Users\user\AppData\Roaming\{81BC352B-FE8E-44D0-BAFD-61B652F68FCB}\unins.exe"
Source: C:\Users\user\AppData\Roaming\{81BC352B-FE8E-44D0-BAFD-61B652F68FCB}\unins.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Windows\System32\svchost.exe"
Source: C:\Windows\SysWOW64\svchost.exe | Process created: C:\Windows\System32\fontdrvhost.exe "C:\Windows\System32\fontdrvhost.exe"
Source: C:\Windows\System32\fontdrvhost.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7424 -s 140
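The process chain above ends with a 32-bit svchost.exe (the command line names System32, but WOW64 file-system redirection resolved it to SysWOW64 because the 32-bit unins.exe launched it), started from a GUID-named folder under %AppData% without any "-k" service group, which then starts fontdrvhost.exe, which crashes into WerFault.exe. The Python below is an added detection example, not code from the report or from Joe Sandbox: it replays a constructed list of process-creation events modelled on that chain (PIDs 5268, 7344 and 7424 are the ones the report names; every other PID and the two baseline services.exe/svchost.exe events are made up) and applies four parent-child rules. The expected-parent table (services.exe for svchost.exe; winlogon.exe or wininit.exe for fontdrvhost.exe) and the rule names are this example's assumptions.

```python
import ntpath
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """One process-creation event (Sysmon EID 1 / Security 4688 style)."""
    pid: int
    ppid: int
    image: str      # image path actually executed
    cmdline: str    # command line as recorded


# Constructed events modelled on the chain in the report. PIDs 5268, 7344 and
# 7424 appear in the report; every other PID and the first two events are made up.
EVENTS = [
    ProcEvent(900, 800, r"C:\Windows\System32\services.exe",
              r"C:\Windows\system32\services.exe"),
    ProcEvent(950, 900, r"C:\Windows\System32\svchost.exe",
              r"C:\Windows\System32\svchost.exe -k netsvcs -p"),
    ProcEvent(4100, 1000, r"C:\Users\user\Desktop\AppKMSPico.exe",
              r'"C:\Users\user\Desktop\AppKMSPico.exe"'),
    ProcEvent(4200, 4100, r"C:\Users\user\AppData\Local\Temp\is-AJJCK.tmp\AppKMSPico.tmp",
              r'"C:\Users\user\AppData\Local\Temp\is-AJJCK.tmp\AppKMSPico.tmp" /SL5="$20408,6747598,914432,C:\Users\user\Desktop\AppKMSPico.exe"'),
    ProcEvent(4300, 4200, r"C:\Users\user\Desktop\AppKMSPico.exe",
              r'"C:\Users\user\Desktop\AppKMSPico.exe" /VERYSILENT'),
    ProcEvent(4400, 4300, r"C:\Users\user\AppData\Local\Temp\is-VV52U.tmp\AppKMSPico.tmp",
              r'"C:\Users\user\AppData\Local\Temp\is-VV52U.tmp\AppKMSPico.tmp" /SL5="$2040C,6747598,914432,C:\Users\user\Desktop\AppKMSPico.exe" /VERYSILENT'),
    ProcEvent(5268, 4400, r"C:\Users\user\AppData\Roaming\{81BC352B-FE8E-44D0-BAFD-61B652F68FCB}\unins.exe",
              r'"C:\Users\user\AppData\Roaming\{81BC352B-FE8E-44D0-BAFD-61B652F68FCB}\unins.exe"'),
    ProcEvent(7344, 5268, r"C:\Windows\SysWOW64\svchost.exe",
              r'"C:\Windows\System32\svchost.exe"'),
    ProcEvent(7424, 7344, r"C:\Windows\System32\fontdrvhost.exe",
              r'"C:\Windows\System32\fontdrvhost.exe"'),
    ProcEvent(7500, 7424, r"C:\Windows\System32\WerFault.exe",
              r"C:\Windows\system32\WerFault.exe -u -p 7424 -s 140"),
]

# Parents these system processes are expected to have. Assumption of this
# example: services.exe starts every svchost.exe, and the user-mode font driver
# host is started by winlogon.exe (per session) or wininit.exe (session 0).
EXPECTED_PARENTS = {
    "svchost.exe": {"services.exe"},
    "fontdrvhost.exe": {"winlogon.exe", "wininit.exe"},
}


def _name(path):
    return ntpath.basename(path).lower()


def _under(path, prefix):
    return path.lower().startswith(prefix)


def ancestry(events, pid):
    """Image names from the given process up to the first parent we have no event for."""
    by_pid = {e.pid: e for e in events}
    names = []
    while pid in by_pid:
        names.append(_name(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return names


def evaluate(events):
    """Return {pid: set(rule_ids)} for every event that trips at least one rule."""
    by_pid = {e.pid: e for e in events}
    hits = defaultdict(set)
    for ev in events:
        name = _name(ev.image)
        parent = by_pid.get(ev.ppid)
        pname = _name(parent.image) if parent else None

        # Rule 1: a system process started by something other than its usual parent.
        if name in EXPECTED_PARENTS and pname not in EXPECTED_PARENTS[name]:
            hits[ev.pid].add("unexpected_parent")

        # Rule 2: a genuine service host always carries "-k <group>"; a bare
        # svchost.exe command line is a decoy host for injected code.
        if name == "svchost.exe" and "-k " not in ev.cmdline.lower():
            hits[ev.pid].add("svchost_no_k")

        # Rule 3: 32-bit svchost.exe. The command line named System32, but WOW64
        # redirection resolved it to SysWOW64 because the parent is a 32-bit process.
        if name == "svchost.exe" and _under(ev.image, "c:\\windows\\syswow64\\"):
            hits[ev.pid].add("svchost_wow64")

        # Rule 4: a binary from C:\Windows launched by a parent living in a user profile.
        if parent and _under(ev.image, "c:\\windows\\") and _under(parent.image, "c:\\users\\"):
            hits[ev.pid].add("system_binary_from_user_profile")
    return dict(hits)


if __name__ == "__main__":
    for pid, rules in sorted(evaluate(EVENTS).items()):
        print(pid, " <- ".join(ancestry(EVENTS, pid)), sorted(rules))
```

Rules 1 and 4 are the ones that survive attacker renaming of the dropper, because they key on the victim process and on where its parent lives rather than on the installer's name; the baseline services.exe/svchost.exe pair in the event list shows that a normal service host trips none of them.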
Source: C:\Users\user\Desktop\AppKMSPico.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\AppKMSPico.exe | Section loaded: netapi32.dll
Source: C:\Users\user\Desktop\AppKMSPico.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\AppKMSPico.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\AppKMSPico.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-AJJCK.tmp\AppKMSPico.tmp | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-AJJCK.tmp\AppKMSPico.tmp | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-AJJCK.tmp\AppKMSPico.tmp | Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-AJJCK.tmp\AppKMSPico.tmp | Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\is-AJJCK.tmp\AppKMSPico.tmp | Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\is-AJJCK.tmp\AppKMSPico.tmp | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-AJJCK.tmp\AppKMSPico.tmp | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-AJJCK.tmp\AppKMSPico.tmp | Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-AJJCK.tmp\AppKMSPico.tmp | Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\is-AJJCK.tmp\AppKMSPico.tmp | Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-AJJCK.tmp\AppKMSPico.tmp | Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-AJJCK.tmp\AppKMSPico.tmp | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-AJJCK.tmp\AppKMSPico.tmp | Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-AJJCK.tmp\AppKMSPico.tmp | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-AJJCK.tmp\AppKMSPico.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-AJJCK.tmp\AppKMSPico.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-AJJCK.tmp\AppKMSPico.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-AJJCK.tmp\AppKMSPico.tmp | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-AJJCK.tmp\AppKMSPico.tmp | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-AJJCK.tmp\AppKMSPico.tmp | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-AJJCK.tmp\AppKMSPico.tmp | Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-AJJCK.tmp\AppKMSPico.tmp | Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\is-AJJCK.tmp\AppKMSPico.tmp | Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-AJJCK.tmp\AppKMSPico.tmp | Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-AJJCK.tmp\AppKMSPico.tmp | Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\is-AJJCK.tmp\AppKMSPico.tmp | Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\is-AJJCK.tmp\AppKMSPico.tmp | Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\is-AJJCK.tmp\AppKMSPico.tmp | Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\is-AJJCK.tmp\AppKMSPico.tmp | Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\is-AJJCK.tmp\AppKMSPico.tmp | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\is-AJJCK.tmp\AppKMSPico.tmp | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\is-AJJCK.tmp\AppKMSPico.tmp | Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\is-AJJCK.tmp\AppKMSPico.tmp | Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\is-AJJCK.tmp\AppKMSPico.tmp | Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\is-AJJCK.tmp\AppKMSPico.tmp | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\is-AJJCK.tmp\AppKMSPico.tmp | Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\is-AJJCK.tmp\AppKMSPico.tmp | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\is-AJJCK.tmp\AppKMSPico.tmp | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\AppKMSPico.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\AppKMSPico.exe | Section loaded: netapi32.dll
Source: C:\Users\user\Desktop\AppKMSPico.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\AppKMSPico.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\AppKMSPico.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-VV52U.tmp\AppKMSPico.tmp | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-VV52U.tmp\AppKMSPico.tmp | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-VV52U.tmp\AppKMSPico.tmp | Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-VV52U.tmp\AppKMSPico.tmp | Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\is-VV52U.tmp\AppKMSPico.tmp | Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\is-VV52U.tmp\AppKMSPico.tmp | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-VV52U.tmp\AppKMSPico.tmp | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-VV52U.tmp\AppKMSPico.tmp | Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-VV52U.tmp\AppKMSPico.tmp | Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\is-VV52U.tmp\AppKMSPico.tmp | Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-VV52U.tmp\AppKMSPico.tmp | Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-VV52U.tmp\AppKMSPico.tmp | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-VV52U.tmp\AppKMSPico.tmp | Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-VV52U.tmp\AppKMSPico.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-VV52U.tmp\AppKMSPico.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-VV52U.tmp\AppKMSPico.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-VV52U.tmp\AppKMSPico.tmp | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-VV52U.tmp\AppKMSPico.tmp | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-VV52U.tmp\AppKMSPico.tmp | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-VV52U.tmp\AppKMSPico.tmp | Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-VV52U.tmp\AppKMSPico.tmp | Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\is-VV52U.tmp\AppKMSPico.tmp | Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-VV52U.tmp\AppKMSPico.tmp | Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-VV52U.tmp\AppKMSPico.tmp | Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\is-VV52U.tmp\AppKMSPico.tmp | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\is-VV52U.tmp\AppKMSPico.tmp | Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-VV52U.tmp\AppKMSPico.tmp | Section loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Temp\is-VV52U.tmp\AppKMSPico.tmp | Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\is-VV52U.tmp\AppKMSPico.tmp | Section loaded: explorerframe.dll
Source: C:\Users\user\AppData\Local\Temp\is-VV52U.tmp\AppKMSPico.tmp | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\{81BC352B-FE8E-44D0-BAFD-61B652F68FCB}\unins.exe | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Roaming\{81BC352B-FE8E-44D0-BAFD-61B652F68FCB}\unins.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\{81BC352B-FE8E-44D0-BAFD-61B652F68FCB}\unins.exe | Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Roaming\{81BC352B-FE8E-44D0-BAFD-61B652F68FCB}\unins.exe | Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\{81BC352B-FE8E-44D0-BAFD-61B652F68FCB}\unins.exe | Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\{81BC352B-FE8E-44D0-BAFD-61B652F68FCB}\unins.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: powrprof.dll
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: umpdc.dll
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\is-AJJCK.tmp\AppKMSPico.tmp | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Users\user\AppData\Local\Temp\is-AJJCK.tmp\AppKMSPico.tmp | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
Source: C:\Users\user\AppData\Local\Temp\is-VV52U.tmp\AppKMSPico.tmp | Window found: window name: TMainForm
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: AppKMSPico.exe | Static file information: File size 72932898 > 1048576
Source: AppKMSPico.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: C:\A\1\23\s\obj\Release\MCppEE.pdb4 | source: is-OE061.tmp.4.dr
Source: Binary string: C:\A\1\23\s\obj\Release\MCppEE.pdb | source: is-OE061.tmp.4.dr
Source: Binary string: wkernel32.pdb | source: unins.exe, 00000005.00000003.1357861759.0000000003470000.00000004.00000001.00020000.00000000.sdmp, unins.exe, 00000005.00000003.1358388128.00000000035A1000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1365756920.0000000005840000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1365563418.0000000005720000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: D:\dbs\sh\ddvsm\0727_115535_0\cmd\q\out\binaries\amd64ret\bin\amd64\vstlbinf.pdb | source: is-U3JMT.tmp.4.dr
Source: Binary string: wkernelbase.pdb | source: unins.exe, 00000005.00000003.1358860719.0000000003470000.00000004.00000001.00020000.00000000.sdmp, unins.exe, 00000005.00000003.1360472910.0000000003690000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1366435370.0000000005720000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1366627359.0000000005940000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: ntdll.pdb | source: unins.exe, 00000005.00000003.1354895491.0000000003660000.00000004.00000001.00020000.00000000.sdmp, unins.exe, 00000005.00000003.1353980881.0000000003470000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1364551615.0000000005910000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1364289294.0000000005720000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: r:\tinderbox\win-qt-5.15\out\qtbase\lib\Qt5PrintSupportVBox.pdb22 | source: is-VBA1E.tmp.4.dr
Source: Binary string: r:\tinderbox\win-qt-5.15\out\qtbase\lib\Qt5PrintSupportVBox.pdb | source: is-VBA1E.tmp.4.dr
Source: Binary string: wntdll.pdbUGP | source: unins.exe, 00000005.00000003.1357062400.0000000003610000.00000004.00000001.00020000.00000000.sdmp, unins.exe, 00000005.00000003.1356155553.0000000003470000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1365082580.00000000058C0000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1364840158.0000000005720000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: ntdll.pdbUGP | source: unins.exe, 00000005.00000003.1354895491.0000000003660000.00000004.00000001.00020000.00000000.sdmp, unins.exe, 00000005.00000003.1353980881.0000000003470000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1364551615.0000000005910000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1364289294.0000000005720000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb | source: unins.exe, 00000005.00000003.1357062400.0000000003610000.00000004.00000001.00020000.00000000.sdmp, unins.exe, 00000005.00000003.1356155553.0000000003470000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1365082580.00000000058C0000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1364840158.0000000005720000.00000004.00000001.00020000.00000000.sdmp
                      Source: Binary string: D:\DynamicLinkMediaServer8\releases\2014.03\dynamiclinkmediaserver\Targets\Win\Release\64\AudioSupport.pdb source: is-SHJF7.tmp.4.dr
                      Source: Binary string: wkernel32.pdbUGP source: unins.exe, 00000005.00000003.1357861759.0000000003470000.00000004.00000001.00020000.00000000.sdmp, unins.exe, 00000005.00000003.1358388128.00000000035A1000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1365756920.0000000005840000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1365563418.0000000005720000.00000004.00000001.00020000.00000000.sdmp
                      Source: Binary string: wkernelbase.pdbUGP source: unins.exe, 00000005.00000003.1358860719.0000000003470000.00000004.00000001.00020000.00000000.sdmp, unins.exe, 00000005.00000003.1360472910.0000000003690000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1366435370.0000000005720000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1366627359.0000000005940000.00000004.00000001.00020000.00000000.sdmp
                      Source: Binary string: c:\zlib-dll\Release\isunzlib.pdb source: AppKMSPico.tmp, 00000002.00000003.1019495696.00000000023A3000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.4.dr, _isdecmp.dll.2.dr
                      Source: Binary string: D:\dbs\sh\ddvsm\0727_115535_0\cmd\q\out\binaries\amd64ret\bin\amd64\vstlbinf.pdb44 source: is-U3JMT.tmp.4.dr
Source: is-BA1SK.tmp.4.dr; Static PE information: 0xA1535B33 [Fri Oct 8 07:50:11 2055 UTC]
Source: AppKMSPico.exe; Static PE information: section name: .didata
Source: AppKMSPico.tmp.0.dr; Static PE information: section name: .didata
Source: AppKMSPico.tmp.3.dr; Static PE information: section name: .didata
Source: is-RTVTR.tmp.4.dr; Static PE information: section name: .xdata
Source: is-EDSHH.tmp.4.dr; Static PE information: section name: text
Source: is-J20KS.tmp.4.dr; Static PE information: section name: .orpc
Source: is-LP7T4.tmp.4.dr; Static PE information: section name: .buildid
Source: is-LP7T4.tmp.4.dr; Static PE information: section name: .xdata
Source: is-1H2R8.tmp.4.dr; Static PE information: section name: .orpc
Source: is-1H2R8.tmp.4.dr; Static PE information: section name: _RDATA
Source: is-8TD00.tmp.4.dr; Static PE information: section name: .nep
Source: C:\Users\user\AppData\Roaming\{81BC352B-FE8E-44D0-BAFD-61B652F68FCB}\unins.exe; Code function: 5_3_02AF28EC push edi; ret 5_3_02AF28F8
Source: C:\Users\user\AppData\Roaming\{81BC352B-FE8E-44D0-BAFD-61B652F68FCB}\unins.exe; Code function: 5_3_02AF10F9 push FFFFFF82h; iretd 5_3_02AF10FB
Source: C:\Users\user\AppData\Roaming\{81BC352B-FE8E-44D0-BAFD-61B652F68FCB}\unins.exe; Code function: 5_3_02AF44F9 push edx; retf 5_3_02AF44FC
Source: C:\Users\user\AppData\Roaming\{81BC352B-FE8E-44D0-BAFD-61B652F68FCB}\unins.exe; Code function: 5_3_02AF2C39 push ecx; ret 5_3_02AF2C59
Source: C:\Users\user\AppData\Roaming\{81BC352B-FE8E-44D0-BAFD-61B652F68FCB}\unins.exe; Code function: 5_3_02AF525D push es; ret 5_3_02AF5264
Source: C:\Users\user\AppData\Roaming\{81BC352B-FE8E-44D0-BAFD-61B652F68FCB}\unins.exe; Code function: 5_3_02AF3F89 push edi; iretd 5_3_02AF3F96
Source: C:\Users\user\AppData\Roaming\{81BC352B-FE8E-44D0-BAFD-61B652F68FCB}\unins.exe; Code function: 5_3_02AF21DC push eax; ret 5_3_02AF21DD
Source: C:\Users\user\AppData\Roaming\{81BC352B-FE8E-44D0-BAFD-61B652F68FCB}\unins.exe; Code function: 5_3_02AF3FD4 push ss; retf 5_3_02AF3FF5
Source: C:\Users\user\AppData\Roaming\{81BC352B-FE8E-44D0-BAFD-61B652F68FCB}\unins.exe; Code function: 5_3_02AF0F6A push eax; ret 5_3_02AF0F75
Source: C:\Users\user\AppData\Roaming\{81BC352B-FE8E-44D0-BAFD-61B652F68FCB}\unins.exe; Code function: 5_3_02AF4D5E push esi; ret 5_3_02AF4D69
Source: C:\Users\user\AppData\Roaming\{81BC352B-FE8E-44D0-BAFD-61B652F68FCB}\unins.exe; Code function: 5_3_029E19B4 push ecx; ret 5_3_029E19C7
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 13_3_02FB52DD push es; ret 13_3_02FB52E4
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 13_3_02FB2CB9 push ecx; ret 13_3_02FB2CD9
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 13_3_02FB225C push eax; ret 13_3_02FB225D
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 13_3_02FB4054 push ss; retf 13_3_02FB4075
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 13_3_02FB4009 push edi; iretd 13_3_02FB4016
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 13_3_02FB0FEA push eax; ret 13_3_02FB0FF5
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 13_3_02FB4DDE push esi; ret 13_3_02FB4DE9
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 13_3_02FB1179 push FFFFFF82h; iretd 13_3_02FB117B
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 13_3_02FB4579 push edx; retf 13_3_02FB457C
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 13_3_02FB296C push edi; ret 13_3_02FB2978
Source: C:\Users\user\AppData\Local\Temp\is-VV52U.tmp\AppKMSPico.tmp; File created: C:\Users\user\AppData\Roaming\{81BC352B-FE8E-44D0-BAFD-61B652F68FCB}\Microsoft.TeamFoundation.Build.Activities.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-VV52U.tmp\AppKMSPico.tmp; File created: C:\Users\user\AppData\Local\Temp\is-6UFGR.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-VV52U.tmp\AppKMSPico.tmp; File created: C:\Users\user\AppData\Roaming\{81BC352B-FE8E-44D0-BAFD-61B652F68FCB}\DiagnosticsTap.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-VV52U.tmp\AppKMSPico.tmp; File created: C:\Users\user\AppData\Roaming\{81BC352B-FE8E-44D0-BAFD-61B652F68FCB}\msys-pcre2-8-0.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-AJJCK.tmp\AppKMSPico.tmp; File created: C:\Users\user\AppData\Local\Temp\is-35SEJ.tmp\_isetup\_iscrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-VV52U.tmp\AppKMSPico.tmp; File created: C:\Users\user\AppData\Roaming\{81BC352B-FE8E-44D0-BAFD-61B652F68FCB}\is-BH69G.tmp
Source: C:\Users\user\AppData\Local\Temp\is-VV52U.tmp\AppKMSPico.tmp; File created: C:\Users\user\AppData\Roaming\{81BC352B-FE8E-44D0-BAFD-61B652F68FCB}\bin\is-93JOF.tmp
Source: C:\Users\user\AppData\Local\Temp\is-VV52U.tmp\AppKMSPico.tmp; File created: C:\Users\user\AppData\Roaming\{81BC352B-FE8E-44D0-BAFD-61B652F68FCB}\Qt5PrintSupportVBox.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-VV52U.tmp\AppKMSPico.tmp; File created: C:\Users\user\AppData\Roaming\{81BC352B-FE8E-44D0-BAFD-61B652F68FCB}\is-JAKVM.tmp
Source: C:\Users\user\Desktop\AppKMSPico.exe; File created: C:\Users\user\AppData\Local\Temp\is-AJJCK.tmp\AppKMSPico.tmp
Source: C:\Users\user\AppData\Local\Temp\is-VV52U.tmp\AppKMSPico.tmp; File created: C:\Users\user\AppData\Roaming\{81BC352B-FE8E-44D0-BAFD-61B652F68FCB}\AudioSupport.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-VV52U.tmp\AppKMSPico.tmp; File created: C:\Users\user\AppData\Roaming\{81BC352B-FE8E-44D0-BAFD-61B652F68FCB}\VulcanMessage5.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-VV52U.tmp\AppKMSPico.tmp; File created: C:\Users\user\AppData\Roaming\{81BC352B-FE8E-44D0-BAFD-61B652F68FCB}\bin\is-LCE5V.tmp
Source: C:\Users\user\AppData\Local\Temp\is-VV52U.tmp\AppKMSPico.tmp; File created: C:\Users\user\AppData\Local\Temp\is-6UFGR.tmp\_isetup\_iscrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-VV52U.tmp\AppKMSPico.tmp; File created: C:\Users\user\AppData\Roaming\{81BC352B-FE8E-44D0-BAFD-61B652F68FCB}\is-3MR1I.tmp
Source: C:\Users\user\AppData\Local\Temp\is-VV52U.tmp\AppKMSPico.tmp; File created: C:\Users\user\AppData\Roaming\{81BC352B-FE8E-44D0-BAFD-61B652F68FCB}\Microsoft.VisualStudio.Language.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-VV52U.tmp\AppKMSPico.tmp; File created: C:\Users\user\AppData\Roaming\{81BC352B-FE8E-44D0-BAFD-61B652F68FCB}\is-8TD00.tmp
Source: C:\Users\user\AppData\Local\Temp\is-VV52U.tmp\AppKMSPico.tmp; File created: C:\Users\user\AppData\Local\Temp\is-6UFGR.tmp\_isetup\_isdecmp.dll
Source: C:\Users\user\Desktop\AppKMSPico.exe; File created: C:\Users\user\AppData\Local\Temp\is-VV52U.tmp\AppKMSPico.tmp
Source: C:\Users\user\AppData\Local\Temp\is-VV52U.tmp\AppKMSPico.tmp; File created: C:\Users\user\AppData\Roaming\{81BC352B-FE8E-44D0-BAFD-61B652F68FCB}\libpcre-1.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-VV52U.tmp\AppKMSPico.tmp; File created: C:\Users\user\AppData\Roaming\{81BC352B-FE8E-44D0-BAFD-61B652F68FCB}\is-OE061.tmp
Source: C:\Users\user\AppData\Local\Temp\is-AJJCK.tmp\AppKMSPico.tmp; File created: C:\Users\user\AppData\Local\Temp\is-35SEJ.tmp\_isetup\_isdecmp.dll
Source: C:\Users\user\AppData\Local\Temp\is-VV52U.tmp\AppKMSPico.tmp; File created: C:\Users\user\AppData\Roaming\{81BC352B-FE8E-44D0-BAFD-61B652F68FCB}\bin\connect.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-VV52U.tmp\AppKMSPico.tmp; File created: C:\Users\user\AppData\Roaming\{81BC352B-FE8E-44D0-BAFD-61B652F68FCB}\MCppEE.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-VV52U.tmp\AppKMSPico.tmp; File created: C:\Users\user\AppData\Roaming\{81BC352B-FE8E-44D0-BAFD-61B652F68FCB}\is-ENC75.tmp
Source: C:\Users\user\AppData\Local\Temp\is-VV52U.tmp\AppKMSPico.tmp; File created: C:\Users\user\AppData\Roaming\{81BC352B-FE8E-44D0-BAFD-61B652F68FCB}\bin\git-credential-helper-selector.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-VV52U.tmp\AppKMSPico.tmp; File created: C:\Users\user\AppData\Roaming\{81BC352B-FE8E-44D0-BAFD-61B652F68FCB}\vstlbinf.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-VV52U.tmp\AppKMSPico.tmp; File created: C:\Users\user\AppData\Roaming\{81BC352B-FE8E-44D0-BAFD-61B652F68FCB}\is-OOPFH.tmp
Source: C:\Users\user\AppData\Local\Temp\is-VV52U.tmp\AppKMSPico.tmp; File created: C:\Users\user\AppData\Roaming\{81BC352B-FE8E-44D0-BAFD-61B652F68FCB}\is-1H2R8.tmp
Source: C:\Users\user\AppData\Local\Temp\is-VV52U.tmp\AppKMSPico.tmp; File created: C:\Users\user\AppData\Roaming\{81BC352B-FE8E-44D0-BAFD-61B652F68FCB}\bin\kvno.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-VV52U.tmp\AppKMSPico.tmp; File created: C:\Users\user\AppData\Roaming\{81BC352B-FE8E-44D0-BAFD-61B652F68FCB}\NuGet.Commands.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-VV52U.tmp\AppKMSPico.tmp; File created: C:\Users\user\AppData\Roaming\{81BC352B-FE8E-44D0-BAFD-61B652F68FCB}\is-J20KS.tmp
Source: C:\Users\user\AppData\Local\Temp\is-VV52U.tmp\AppKMSPico.tmp; File created: C:\Users\user\AppData\Roaming\{81BC352B-FE8E-44D0-BAFD-61B652F68FCB}\is-59G3M.tmp
Source: C:\Users\user\AppData\Local\Temp\is-VV52U.tmp\AppKMSPico.tmp; File created: C:\Users\user\AppData\Roaming\{81BC352B-FE8E-44D0-BAFD-61B652F68FCB}\Microsoft.TeamFoundation.Controls.resources.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-VV52U.tmp\AppKMSPico.tmp; File created: C:\Users\user\AppData\Roaming\{81BC352B-FE8E-44D0-BAFD-61B652F68FCB}\is-LP7T4.tmp
Source: C:\Users\user\AppData\Local\Temp\is-VV52U.tmp\AppKMSPico.tmp; File created: C:\Users\user\AppData\Roaming\{81BC352B-FE8E-44D0-BAFD-61B652F68FCB}\jdwp.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-VV52U.tmp\AppKMSPico.tmp; File created: C:\Users\user\AppData\Roaming\{81BC352B-FE8E-44D0-BAFD-61B652F68FCB}\is-SHJF7.tmp
Source: C:\Users\user\AppData\Local\Temp\is-VV52U.tmp\AppKMSPico.tmp; File created: C:\Users\user\AppData\Roaming\{81BC352B-FE8E-44D0-BAFD-61B652F68FCB}\is-BA1SK.tmp
Source: C:\Users\user\AppData\Local\Temp\is-VV52U.tmp\AppKMSPico.tmp; File created: C:\Users\user\AppData\Roaming\{81BC352B-FE8E-44D0-BAFD-61B652F68FCB}\bin\is-E8MAN.tmp
Source: C:\Users\user\AppData\Local\Temp\is-VV52U.tmp\AppKMSPico.tmp; File created: C:\Users\user\AppData\Roaming\{81BC352B-FE8E-44D0-BAFD-61B652F68FCB}\msenv80p.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-VV52U.tmp\AppKMSPico.tmp; File created: C:\Users\user\AppData\Roaming\{81BC352B-FE8E-44D0-BAFD-61B652F68FCB}\is-LGD1B.tmp
Source: C:\Users\user\AppData\Local\Temp\is-VV52U.tmp\AppKMSPico.tmp; File created: C:\Users\user\AppData\Roaming\{81BC352B-FE8E-44D0-BAFD-61B652F68FCB}\bin\tclsh86.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-VV52U.tmp\AppKMSPico.tmp; File created: C:\Users\user\AppData\Roaming\{81BC352B-FE8E-44D0-BAFD-61B652F68FCB}\bin\ahost.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-VV52U.tmp\AppKMSPico.tmp; File created: C:\Users\user\AppData\Roaming\{81BC352B-FE8E-44D0-BAFD-61B652F68FCB}\is-EDSHH.tmp
Source: C:\Users\user\AppData\Local\Temp\is-VV52U.tmp\AppKMSPico.tmp; File created: C:\Users\user\AppData\Roaming\{81BC352B-FE8E-44D0-BAFD-61B652F68FCB}\bin\is-OVV89.tmp
Source: C:\Users\user\AppData\Local\Temp\is-VV52U.tmp\AppKMSPico.tmp; File created: C:\Users\user\AppData\Roaming\{81BC352B-FE8E-44D0-BAFD-61B652F68FCB}\is-U3JMT.tmp
Source: C:\Users\user\AppData\Local\Temp\is-VV52U.tmp\AppKMSPico.tmp; File created: C:\Users\user\AppData\Roaming\{81BC352B-FE8E-44D0-BAFD-61B652F68FCB}\mc_enc_aac.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-VV52U.tmp\AppKMSPico.tmp; File created: C:\Users\user\AppData\Roaming\{81BC352B-FE8E-44D0-BAFD-61B652F68FCB}\is-RTVTR.tmp
Source: C:\Users\user\AppData\Local\Temp\is-VV52U.tmp\AppKMSPico.tmp; File created: C:\Users\user\AppData\Roaming\{81BC352B-FE8E-44D0-BAFD-61B652F68FCB}\is-VBA1E.tmp
Source: C:\Users\user\AppData\Local\Temp\is-VV52U.tmp\AppKMSPico.tmp; File created: C:\Users\user\AppData\Roaming\{81BC352B-FE8E-44D0-BAFD-61B652F68FCB}\bin\is-4PI55.tmp
Source: C:\Users\user\AppData\Local\Temp\is-VV52U.tmp\AppKMSPico.tmp; File created: C:\Users\user\AppData\Roaming\{81BC352B-FE8E-44D0-BAFD-61B652F68FCB}\bin\is-1JENH.tmp
Source: C:\Users\user\AppData\Local\Temp\is-VV52U.tmp\AppKMSPico.tmp; File created: C:\Users\user\AppData\Roaming\{81BC352B-FE8E-44D0-BAFD-61B652F68FCB}\bin\gettext.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-VV52U.tmp\AppKMSPico.tmp; File created: C:\Users\user\AppData\Roaming\{81BC352B-FE8E-44D0-BAFD-61B652F68FCB}\unins.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-VV52U.tmp\AppKMSPico.tmp; File created: C:\Users\user\AppData\Roaming\{81BC352B-FE8E-44D0-BAFD-61B652F68FCB}\pixmesh.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-AJJCK.tmp\AppKMSPico.tmp; File created: C:\Users\user\AppData\Local\Temp\is-35SEJ.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-VV52U.tmp\AppKMSPico.tmp; File created: C:\Users\user\AppData\Roaming\{81BC352B-FE8E-44D0-BAFD-61B652F68FCB}\libxml2.dll (copy)
Source: C:\Users\user\Desktop\AppKMSPico.exe; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-AJJCK.tmp\AppKMSPico.tmp; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-AJJCK.tmp\AppKMSPico.tmp; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-AJJCK.tmp\AppKMSPico.tmp; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-AJJCK.tmp\AppKMSPico.tmp; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-AJJCK.tmp\AppKMSPico.tmp; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-AJJCK.tmp\AppKMSPico.tmp; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-AJJCK.tmp\AppKMSPico.tmp; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-AJJCK.tmp\AppKMSPico.tmp; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-AJJCK.tmp\AppKMSPico.tmp; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-AJJCK.tmp\AppKMSPico.tmp; Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\AppKMSPico.exe; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-VV52U.tmp\AppKMSPico.tmp; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-VV52U.tmp\AppKMSPico.tmp; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-VV52U.tmp\AppKMSPico.tmp; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-VV52U.tmp\AppKMSPico.tmp; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-VV52U.tmp\AppKMSPico.tmp; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-VV52U.tmp\AppKMSPico.tmp; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-VV52U.tmp\AppKMSPico.tmp; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-VV52U.tmp\AppKMSPico.tmp; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-VV52U.tmp\AppKMSPico.tmp; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-VV52U.tmp\AppKMSPico.tmp; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-VV52U.tmp\AppKMSPico.tmp; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-VV52U.tmp\AppKMSPico.tmp; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-VV52U.tmp\AppKMSPico.tmp; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\{81BC352B-FE8E-44D0-BAFD-61B652F68FCB}\unins.exe; Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\svchost.exe; Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\svchost.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\svchost.exe; Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\svchost.exe; Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe; Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe; Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe; Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe; Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe; Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe; Process information set: NOOPENFILEERRORBOX

                      Malware Analysis System Evasion

Source: C:\Users\user\AppData\Roaming\{81BC352B-FE8E-44D0-BAFD-61B652F68FCB}\unins.exe; API/Special instruction interceptor: Address: 7FF9B762D044
Source: C:\Windows\SysWOW64\svchost.exe; API/Special instruction interceptor: Address: 7FF9B762D044
Source: C:\Windows\SysWOW64\svchost.exe; API/Special instruction interceptor: Address: 59EB83A
Source: C:\Users\user\AppData\Local\Temp\is-VV52U.tmp\AppKMSPico.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{81BC352B-FE8E-44D0-BAFD-61B652F68FCB}\Microsoft.TeamFoundation.Build.Activities.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-VV52U.tmp\AppKMSPico.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-6UFGR.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-VV52U.tmp\AppKMSPico.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{81BC352B-FE8E-44D0-BAFD-61B652F68FCB}\msys-pcre2-8-0.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-VV52U.tmp\AppKMSPico.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{81BC352B-FE8E-44D0-BAFD-61B652F68FCB}\DiagnosticsTap.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-AJJCK.tmp\AppKMSPico.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-35SEJ.tmp\_isetup\_iscrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-VV52U.tmp\AppKMSPico.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{81BC352B-FE8E-44D0-BAFD-61B652F68FCB}\bin\is-93JOF.tmp
Source: C:\Users\user\AppData\Local\Temp\is-VV52U.tmp\AppKMSPico.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{81BC352B-FE8E-44D0-BAFD-61B652F68FCB}\is-BH69G.tmp
Source: C:\Users\user\AppData\Local\Temp\is-VV52U.tmp\AppKMSPico.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{81BC352B-FE8E-44D0-BAFD-61B652F68FCB}\Qt5PrintSupportVBox.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-VV52U.tmp\AppKMSPico.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{81BC352B-FE8E-44D0-BAFD-61B652F68FCB}\is-JAKVM.tmp
Source: C:\Users\user\AppData\Local\Temp\is-VV52U.tmp\AppKMSPico.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{81BC352B-FE8E-44D0-BAFD-61B652F68FCB}\AudioSupport.dll (copy)
                      Source: C:\Users\user\AppData\Local\Temp\is-VV52U.tmp\AppKMSPico.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\{81BC352B-FE8E-44D0-BAFD-61B652F68FCB}\VulcanMessage5.dll (copy)Jump to dropped file
                      Source: C:\Users\user\AppData\Local\Temp\is-VV52U.tmp\AppKMSPico.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\{81BC352B-FE8E-44D0-BAFD-61B652F68FCB}\bin\is-LCE5V.tmpJump to dropped file
                      Source: C:\Users\user\AppData\Local\Temp\is-VV52U.tmp\AppKMSPico.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-6UFGR.tmp\_isetup\_iscrypt.dllJump to dropped file
                      Source: C:\Users\user\AppData\Local\Temp\is-VV52U.tmp\AppKMSPico.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\{81BC352B-FE8E-44D0-BAFD-61B652F68FCB}\is-3MR1I.tmpJump to dropped file
                      Source: C:\Users\user\AppData\Local\Temp\is-VV52U.tmp\AppKMSPico.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\{81BC352B-FE8E-44D0-BAFD-61B652F68FCB}\Microsoft.VisualStudio.Language.dll (copy)Jump to dropped file
                      Source: C:\Users\user\AppData\Local\Temp\is-VV52U.tmp\AppKMSPico.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\{81BC352B-FE8E-44D0-BAFD-61B652F68FCB}\is-8TD00.tmpJump to dropped file
                      Source: C:\Users\user\AppData\Local\Temp\is-VV52U.tmp\AppKMSPico.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-6UFGR.tmp\_isetup\_isdecmp.dllJump to dropped file
                      Source: C:\Users\user\AppData\Local\Temp\is-VV52U.tmp\AppKMSPico.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\{81BC352B-FE8E-44D0-BAFD-61B652F68FCB}\libpcre-1.dll (copy)Jump to dropped file
                      Source: C:\Users\user\AppData\Local\Temp\is-VV52U.tmp\AppKMSPico.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\{81BC352B-FE8E-44D0-BAFD-61B652F68FCB}\is-OE061.tmpJump to dropped file
                      Source: C:\Users\user\AppData\Local\Temp\is-AJJCK.tmp\AppKMSPico.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-35SEJ.tmp\_isetup\_isdecmp.dllJump to dropped file
                      Source: C:\Users\user\AppData\Local\Temp\is-VV52U.tmp\AppKMSPico.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\{81BC352B-FE8E-44D0-BAFD-61B652F68FCB}\bin\connect.exe (copy)Jump to dropped file
                      Source: C:\Users\user\AppData\Local\Temp\is-VV52U.tmp\AppKMSPico.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\{81BC352B-FE8E-44D0-BAFD-61B652F68FCB}\MCppEE.dll (copy)Jump to dropped file
                      Source: C:\Users\user\AppData\Local\Temp\is-VV52U.tmp\AppKMSPico.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\{81BC352B-FE8E-44D0-BAFD-61B652F68FCB}\is-ENC75.tmpJump to dropped file
                      Source: C:\Users\user\AppData\Local\Temp\is-VV52U.tmp\AppKMSPico.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\{81BC352B-FE8E-44D0-BAFD-61B652F68FCB}\bin\git-credential-helper-selector.exe (copy)Jump to dropped file
                      Source: C:\Users\user\AppData\Local\Temp\is-VV52U.tmp\AppKMSPico.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\{81BC352B-FE8E-44D0-BAFD-61B652F68FCB}\vstlbinf.dll (copy)Jump to dropped file
                      Source: C:\Users\user\AppData\Local\Temp\is-VV52U.tmp\AppKMSPico.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\{81BC352B-FE8E-44D0-BAFD-61B652F68FCB}\bin\kvno.exe (copy)Jump to dropped file
                      Source: C:\Users\user\AppData\Local\Temp\is-VV52U.tmp\AppKMSPico.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\{81BC352B-FE8E-44D0-BAFD-61B652F68FCB}\is-1H2R8.tmpJump to dropped file
                      Source: C:\Users\user\AppData\Local\Temp\is-VV52U.tmp\AppKMSPico.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\{81BC352B-FE8E-44D0-BAFD-61B652F68FCB}\NuGet.Commands.dll (copy)Jump to dropped file
                      Source: C:\Users\user\AppData\Local\Temp\is-VV52U.tmp\AppKMSPico.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\{81BC352B-FE8E-44D0-BAFD-61B652F68FCB}\is-J20KS.tmpJump to dropped file
                      Source: C:\Users\user\AppData\Local\Temp\is-VV52U.tmp\AppKMSPico.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\{81BC352B-FE8E-44D0-BAFD-61B652F68FCB}\Microsoft.TeamFoundation.Controls.resources.dll (copy)Jump to dropped file
                      Source: C:\Users\user\AppData\Local\Temp\is-VV52U.tmp\AppKMSPico.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\{81BC352B-FE8E-44D0-BAFD-61B652F68FCB}\is-59G3M.tmpJump to dropped file
                      Source: C:\Users\user\AppData\Local\Temp\is-VV52U.tmp\AppKMSPico.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\{81BC352B-FE8E-44D0-BAFD-61B652F68FCB}\is-LP7T4.tmpJump to dropped file
                      Source: C:\Users\user\AppData\Local\Temp\is-VV52U.tmp\AppKMSPico.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\{81BC352B-FE8E-44D0-BAFD-61B652F68FCB}\jdwp.dll (copy)Jump to dropped file
                      Source: C:\Users\user\AppData\Local\Temp\is-VV52U.tmp\AppKMSPico.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\{81BC352B-FE8E-44D0-BAFD-61B652F68FCB}\is-SHJF7.tmpJump to dropped file
                      Source: C:\Users\user\AppData\Local\Temp\is-VV52U.tmp\AppKMSPico.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\{81BC352B-FE8E-44D0-BAFD-61B652F68FCB}\is-BA1SK.tmpJump to dropped file
                      Source: C:\Users\user\AppData\Local\Temp\is-VV52U.tmp\AppKMSPico.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\{81BC352B-FE8E-44D0-BAFD-61B652F68FCB}\bin\is-E8MAN.tmpJump to dropped file
                      Source: C:\Users\user\AppData\Local\Temp\is-VV52U.tmp\AppKMSPico.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\{81BC352B-FE8E-44D0-BAFD-61B652F68FCB}\msenv80p.dll (copy)Jump to dropped file
                      Source: C:\Users\user\AppData\Local\Temp\is-VV52U.tmp\AppKMSPico.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\{81BC352B-FE8E-44D0-BAFD-61B652F68FCB}\is-LGD1B.tmpJump to dropped file
                      Source: C:\Users\user\AppData\Local\Temp\is-VV52U.tmp\AppKMSPico.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\{81BC352B-FE8E-44D0-BAFD-61B652F68FCB}\bin\tclsh86.exe (copy)Jump to dropped file
                      Source: C:\Users\user\AppData\Local\Temp\is-VV52U.tmp\AppKMSPico.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\{81BC352B-FE8E-44D0-BAFD-61B652F68FCB}\bin\ahost.exe (copy)Jump to dropped file
                      Source: C:\Users\user\AppData\Local\Temp\is-VV52U.tmp\AppKMSPico.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\{81BC352B-FE8E-44D0-BAFD-61B652F68FCB}\is-EDSHH.tmpJump to dropped file
                      Source: C:\Users\user\AppData\Local\Temp\is-VV52U.tmp\AppKMSPico.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\{81BC352B-FE8E-44D0-BAFD-61B652F68FCB}\bin\is-OVV89.tmpJump to dropped file
                      Source: C:\Users\user\AppData\Local\Temp\is-VV52U.tmp\AppKMSPico.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\{81BC352B-FE8E-44D0-BAFD-61B652F68FCB}\is-U3JMT.tmpJump to dropped file
                      Source: C:\Users\user\AppData\Local\Temp\is-VV52U.tmp\AppKMSPico.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\{81BC352B-FE8E-44D0-BAFD-61B652F68FCB}\mc_enc_aac.dll (copy)Jump to dropped file
                      Source: C:\Users\user\AppData\Local\Temp\is-VV52U.tmp\AppKMSPico.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\{81BC352B-FE8E-44D0-BAFD-61B652F68FCB}\is-VBA1E.tmpJump to dropped file
                      Source: C:\Users\user\AppData\Local\Temp\is-VV52U.tmp\AppKMSPico.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\{81BC352B-FE8E-44D0-BAFD-61B652F68FCB}\is-RTVTR.tmpJump to dropped file
                      Source: C:\Users\user\AppData\Local\Temp\is-VV52U.tmp\AppKMSPico.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\{81BC352B-FE8E-44D0-BAFD-61B652F68FCB}\bin\is-4PI55.tmpJump to dropped file
                      Source: C:\Users\user\AppData\Local\Temp\is-VV52U.tmp\AppKMSPico.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\{81BC352B-FE8E-44D0-BAFD-61B652F68FCB}\bin\is-1JENH.tmpJump to dropped file
                      Source: C:\Users\user\AppData\Local\Temp\is-VV52U.tmp\AppKMSPico.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\{81BC352B-FE8E-44D0-BAFD-61B652F68FCB}\bin\gettext.exe (copy)Jump to dropped file
                      Source: C:\Users\user\AppData\Local\Temp\is-VV52U.tmp\AppKMSPico.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\{81BC352B-FE8E-44D0-BAFD-61B652F68FCB}\pixmesh.dll (copy)Jump to dropped file
                      Source: C:\Users\user\AppData\Local\Temp\is-AJJCK.tmp\AppKMSPico.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-35SEJ.tmp\_isetup\_setup64.tmpJump to dropped file
                      Source: C:\Users\user\AppData\Local\Temp\is-VV52U.tmp\AppKMSPico.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\{81BC352B-FE8E-44D0-BAFD-61B652F68FCB}\libxml2.dll (copy)Jump to dropped file
                      Source: C:\Windows\SysWOW64\svchost.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\SysWOW64\svchost.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\AppData\Roaming\{81BC352B-FE8E-44D0-BAFD-61B652F68FCB}\unins.exeCode function: 5_3_029D9608 FindFirstFileExW,5_3_029D9608
                      Source: AppKMSPico.tmp, 00000002.00000002.1022229886.000000000087D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}H
                      Source: svchost.exe, 0000000D.00000003.1366627359.0000000005940000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: DisableGuestVmNetworkConnectivity
                      Source: AppKMSPico.tmp, 00000002.00000002.1022229886.000000000087D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
                      Source: svchost.exe, 0000000D.00000002.1424447517.0000000003400000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                      Source: svchost.exe, 0000000D.00000002.1424470233.0000000003412000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWMSAFD RfComm [Bluetooth]en-USen-GBn
                      Source: svchost.exe, 0000000D.00000002.1424494472.0000000003424000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW(
                      Source: svchost.exe, 0000000D.00000003.1366627359.0000000005940000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: EnableGuestVmNetworkConnectivity
                      Source: C:\Users\user\AppData\Local\Temp\is-VV52U.tmp\AppKMSPico.tmpProcess information queried: ProcessInformationJump to behavior
                      Source: C:\Users\user\AppData\Roaming\{81BC352B-FE8E-44D0-BAFD-61B652F68FCB}\unins.exeProcess queried: DebugPortJump to behavior
                      Source: C:\Users\user\AppData\Roaming\{81BC352B-FE8E-44D0-BAFD-61B652F68FCB}\unins.exeCode function: 5_3_00C719D1 LdrInitializeThunk,5_3_00C719D1
                      Source: C:\Users\user\AppData\Roaming\{81BC352B-FE8E-44D0-BAFD-61B652F68FCB}\unins.exeCode function: 5_3_029D4B0C IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,5_3_029D4B0C
                      Source: C:\Users\user\AppData\Roaming\{81BC352B-FE8E-44D0-BAFD-61B652F68FCB}\unins.exeCode function: 5_3_02AF0277 mov eax, dword ptr fs:[00000030h]5_3_02AF0277
                      Source: C:\Users\user\AppData\Roaming\{81BC352B-FE8E-44D0-BAFD-61B652F68FCB}\unins.exeCode function: 5_3_00C706FF mov edx, dword ptr fs:[00000030h]5_3_00C706FF
                      Source: C:\Users\user\AppData\Roaming\{81BC352B-FE8E-44D0-BAFD-61B652F68FCB}\unins.exeCode function: 5_3_00C70CBF mov eax, dword ptr fs:[00000030h]5_3_00C70CBF
                      Source: C:\Users\user\AppData\Roaming\{81BC352B-FE8E-44D0-BAFD-61B652F68FCB}\unins.exeCode function: 5_3_00C71CFD mov eax, dword ptr fs:[00000030h]5_3_00C71CFD
                      Source: C:\Users\user\AppData\Roaming\{81BC352B-FE8E-44D0-BAFD-61B652F68FCB}\unins.exeCode function: 5_3_00C7106F mov eax, dword ptr fs:[00000030h]5_3_00C7106F
                      Source: C:\Users\user\AppData\Roaming\{81BC352B-FE8E-44D0-BAFD-61B652F68FCB}\unins.exeCode function: 5_3_00C7130F mov eax, dword ptr fs:[00000030h]5_3_00C7130F
                      Source: C:\Users\user\AppData\Roaming\{81BC352B-FE8E-44D0-BAFD-61B652F68FCB}\unins.exeCode function: 5_3_00C7130E mov eax, dword ptr fs:[00000030h]5_3_00C7130E
                      Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_3_02FB0283 mov eax, dword ptr fs:[00000030h]13_3_02FB0283
                      Source: C:\Users\user\AppData\Roaming\{81BC352B-FE8E-44D0-BAFD-61B652F68FCB}\unins.exeCode function: 5_3_029D4B0C IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,5_3_029D4B0C
                      Source: C:\Users\user\AppData\Roaming\{81BC352B-FE8E-44D0-BAFD-61B652F68FCB}\unins.exeCode function: 5_3_029C800F SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,5_3_029C800F
                      Source: C:\Users\user\AppData\Roaming\{81BC352B-FE8E-44D0-BAFD-61B652F68FCB}\unins.exeCode function: 5_3_029C7D4D IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,5_3_029C7D4D
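The "mov eax, dword ptr fs:[00000030h]" code functions listed above are the classic 32-bit read of the PEB pointer from the TEB (fs:[0x30]), which is how a sample reaches PEB.BeingDebugged without calling IsDebuggerPresent. The scanner below is an added example written for this page, not code from the Joe Sandbox report or from the sample: it locates that idiom in raw bytes by its encoding (fs prefix 0x64, then either MOV EAX,moffs32 (0xA1) or MOV r32,r/m32 (0x8B) with a disp32 ModRM, followed by 0x30) and reports which register receives the PEB. The byte buffer is constructed for the demonstration and is not memory from the sample.

```python
"""Locate x86 'mov <reg>, dword ptr fs:[0x30]' PEB reads in a byte blob.

Added example for this page; not part of the Joe Sandbox report or the
analysed sample. SAMPLE below is a constructed buffer, not sample memory.
"""
import re

# 32-bit register index encoded in the ModRM reg field (bits 5..3).
REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

# Two encodings of the idiom:
#   64 A1 30 00 00 00           mov eax, fs:[0x30]   (moffs32 form, eax only)
#   64 8B /r 30 00 00 00        mov r32, fs:[0x30]   (ModRM mod=00 rm=101 = disp32)
# The ModRM byte is therefore 0b00rrr101: 05,0D,15,1D,25,2D,35,3D.
PEB_READ = re.compile(
    rb"\x64(?:\x8b([\x05\x0d\x15\x1d\x25\x2d\x35\x3d])|(\xa1))\x30\x00\x00\x00"
)


def find_peb_reads(blob: bytes) -> list[tuple[int, str]]:
    """Return (offset, 'mov <reg>, dword ptr fs:[0x30]') for every match."""
    hits = []
    for m in PEB_READ.finditer(blob):
        if m.group(2):                      # 0xA1 form always targets eax
            reg = "eax"
        else:
            modrm = m.group(1)[0]
            reg = REGS[(modrm >> 3) & 7]
        hits.append((m.start(), f"mov {reg}, dword ptr fs:[0x30]"))
    return hits


def being_debugged_checks(blob: bytes) -> list[int]:
    """Offsets of PEB reads immediately followed by a read of PEB+2
    (BeingDebugged) in the common form 'movzx r32, byte ptr [reg+2]'
    (0F B6 /r with mod=01, disp8=02). esp as base needs a SIB byte and is
    skipped; other follow-up forms (mov al, [reg+2]) are not matched."""
    out = []
    for off, text in find_peb_reads(blob):
        reg = text.split()[1].rstrip(",")
        rm = REGS.index(reg)
        if rm == 4:
            continue
        end = blob.find(b"\x30\x00\x00\x00", off) + 4   # end of the disp32
        nxt = blob[end:end + 4]
        if (len(nxt) == 4 and nxt[0] == 0x0F and nxt[1] == 0xB6
                and (nxt[2] & 0xC7) == (0x40 | rm) and nxt[3] == 0x02):
            out.append(off)
    return out


# Constructed buffer: a prologue, a BeingDebugged check, then a PEB->Ldr walk.
SAMPLE = (
    b"\x55\x8b\xec"                    # push ebp; mov ebp, esp
    b"\x64\xa1\x30\x00\x00\x00"        # mov eax, fs:[0x30]            (offset 3)
    b"\x0f\xb6\x40\x02"                # movzx eax, byte ptr [eax+2]   (BeingDebugged)
    b"\x85\xc0\x75\x05"                # test eax, eax; jnz +5
    b"\x64\x8b\x15\x30\x00\x00\x00"    # mov edx, fs:[0x30]            (offset 17)
    b"\x8b\x42\x0c"                    # mov eax, [edx+0xc]            (PEB.Ldr)
    b"\xc3"                            # ret
)

if __name__ == "__main__":
    for off, text in find_peb_reads(SAMPLE):
        print(f"{off:#06x}  {text}")
    print("BeingDebugged checks at:", being_debugged_checks(SAMPLE))
```

This only matches the direct fs:[0x30] encodings; code that first loads the TEB via fs:[0x18] and then dereferences +0x30, or 64-bit gs:[0x60] reads, needs additional patterns, and a 6-byte sequence like 64 A1 30 00 00 00 can also occur by chance in data, so treat a hit as a triage lead rather than a verdict.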

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 89.163.155.192 9992
Source: C:\Users\user\AppData\Local\Temp\is-AJJCK.tmp\AppKMSPico.tmp | Process created: C:\Users\user\Desktop\AppKMSPico.exe "C:\Users\user\Desktop\AppKMSPico.exe" /VERYSILENT
Source: C:\Users\user\AppData\Roaming\{81BC352B-FE8E-44D0-BAFD-61B652F68FCB}\unins.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Windows\System32\svchost.exe"
Source: C:\Windows\SysWOW64\svchost.exe | Process created: C:\Windows\System32\fontdrvhost.exe "C:\Windows\System32\fontdrvhost.exe"
Source: C:\Users\user\AppData\Roaming\{81BC352B-FE8E-44D0-BAFD-61B652F68FCB}\unins.exe | Code function: 5_3_029C781B cpuid
Source: C:\Windows\SysWOW64\svchost.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\{81BC352B-FE8E-44D0-BAFD-61B652F68FCB}\unins.exe | Code function: 5_3_029C7C40 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter
Source: C:\Windows\SysWOW64\svchost.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: Amcache.hve.LOG1.17.dr | Binary or memory string: msmpeng.exe
Source: Amcache.hve.LOG1.17.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.LOG1.17.dr | Binary or memory string: MsMpEng.exe
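The process chain recorded above is the detectable part of this run: unins.exe in a GUID-named AppData\Roaming directory starts svchost.exe (image under SysWOW64 although the command line names System32, and with no -k service group), that svchost.exe starts fontdrvhost.exe, and the same svchost.exe connects to 89.163.155.192 on port 9992. The script below is an added example written for this page, not code from the Joe Sandbox report or from any EDR product. It turns those observations into checks over Sysmon-style process-creation and network events; the event records are constructed from the paths and addresses in the report (plus one benign services.exe-launched svchost as a control) and are not real telemetry. The expected-parent table and the common-port allow list are assumptions a deployment would tune.

```python
"""Flag the process-chain and C2 indicators from the report above.

Added example for this page; not part of the Joe Sandbox report. Events are
constructed from the report's paths and addresses, not real telemetry.
"""
from dataclasses import dataclass
import ntpath
import re

# Assumed baseline: which parent may legitimately start these system binaries.
EXPECTED_PARENT = {
    "svchost.exe": {"services.exe"},
    "fontdrvhost.exe": {"winlogon.exe", "wininit.exe"},
}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
COMMON_PORTS = {53, 80, 443, 8080, 8443}        # assumed allow list; tune per site
GUID_DIR = re.compile(r"\\appdata\\roaming\\\{[0-9a-f-]{36}\}\\", re.I)


@dataclass
class ProcEvent:
    pid: int
    image: str          # full path of the created process
    cmdline: str
    parent_image: str


@dataclass
class NetEvent:
    pid: int
    image: str
    dst_ip: str
    dst_port: int


def basename(path: str) -> str:
    return ntpath.basename(path).lower()


def cmdline_image(cmdline: str) -> str:
    """First token of the command line, with surrounding quotes removed."""
    s = cmdline.strip()
    if s.startswith('"'):
        return s[1:].split('"', 1)[0]
    return s.split(None, 1)[0]


def check_process(ev: ProcEvent) -> list[str]:
    findings = []
    name, parent = basename(ev.image), basename(ev.parent_image)
    expected = EXPECTED_PARENT.get(name)
    if expected and parent not in expected:
        findings.append(f"{name} spawned by {parent}, expected {'/'.join(sorted(expected))}")
    if name == "svchost.exe" and "-k" not in ev.cmdline.lower().split():
        findings.append("svchost.exe started without a -k service group")
    if GUID_DIR.search(ev.parent_image) and ev.image.lower().startswith(SYSTEM_DIRS):
        findings.append(f"system binary {name} launched from a GUID-named AppData directory")
    if cmdline_image(ev.cmdline).lower() != ev.image.lower():
        # A 32-bit parent naming System32 but running the SysWOW64 copy
        # is the WOW64 file-system redirection seen in the report.
        findings.append("image path differs from command-line path (WOW64 redirection)")
    return findings


def check_network(ev: NetEvent) -> list[str]:
    name = basename(ev.image)
    if name in EXPECTED_PARENT and ev.dst_port not in COMMON_PORTS:
        return [f"{name} connected to {ev.dst_ip}:{ev.dst_port} (non-standard port)"]
    return []


def triage(procs: list[ProcEvent], nets: list[NetEvent]) -> dict[int, list[str]]:
    """Map pid -> findings; pids with no findings are omitted."""
    out: dict[int, list[str]] = {}
    for p in procs:
        if f := check_process(p):
            out.setdefault(p.pid, []).extend(f)
    for n in nets:
        if f := check_network(n):
            out.setdefault(n.pid, []).extend(f)
    return out


GUID_PATH = r"C:\Users\user\AppData\Roaming\{81BC352B-FE8E-44D0-BAFD-61B652F68FCB}"
# Constructed events: pid 1 is a benign control, pids 2 and 3 mirror the report.
EVENTS = [
    ProcEvent(1, r"C:\Windows\System32\svchost.exe",
              r"C:\Windows\System32\svchost.exe -k netsvcs -p",
              r"C:\Windows\System32\services.exe"),
    ProcEvent(2, r"C:\Windows\SysWOW64\svchost.exe",
              r'"C:\Windows\System32\svchost.exe"', GUID_PATH + r"\unins.exe"),
    ProcEvent(3, r"C:\Windows\System32\fontdrvhost.exe",
              r'"C:\Windows\System32\fontdrvhost.exe"', r"C:\Windows\SysWOW64\svchost.exe"),
]
NET = [NetEvent(2, r"C:\Windows\SysWOW64\svchost.exe", "89.163.155.192", 9992)]

if __name__ == "__main__":
    for pid, findings in triage(EVENTS, NET).items():
        for line in findings:
            print(f"pid {pid}: {line}")
```

The parent-process and missing -k checks are the robust ones; the non-standard-port check is noisy on hosts where svchost.exe legitimately talks to update or telemetry services on odd ports, so keep it as a corroborating signal tied to the process findings rather than a stand-alone alert.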

Stealing of Sensitive Information

Source: Yara match | File source: 00000005.00000003.1352907117.00000000008A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000003.1363440168.00000000037F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.1363664007.0000000002B30000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.1424914250.0000000003800000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match | File source: 00000005.00000003.1352907117.00000000008A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000003.1363440168.00000000037F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.1363664007.0000000002B30000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.1424914250.0000000003800000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
MITRE ATT&CK Matrix

Techniques are listed per tactic column. A number in parentheses is the signature-count badge exactly as it appears in the report; techniques without a number are the matrix's unmatched placeholder entries.

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: Windows Management Instrumentation (11); Command and Scripting Interpreter (2); At; Cron; Launchd; Scheduled Task; Systemd Timers
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
Privilege Escalation: Process Injection (111); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
Defense Evasion: Masquerading (1); Virtualization/Sandbox Evasion (2); Process Injection (111); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (3); Timestomp (1); DLL Side-Loading (1)
Credential Access: Input Capture (21); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: System Time Discovery (1); Security Software Discovery (241); Virtualization/Sandbox Evasion (2); Process Discovery (2); System Owner/User Discovery (2); File and Directory Discovery (2); System Information Discovery (124)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: Input Capture (21); Archive Collected Data (1); Data from Network Shared Drive; Keylogging; GUI Input Capture; Web Portal Capture
Command and Control: Encrypted Channel (1); Non-Standard Port (1); Application Layer Protocol (1); Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Service Stop; Inhibit System Recovery
Behavior Graph (ID: 1632211, Sample: AppKMSPico.exe, Start date: 07/03/2025, Architecture: WINDOWS, Score: 96)

Top-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Multi AV Scanner detection for dropped file; 3 other signatures.

Process tree (indented under the parent; bracketed numbers are the graph's per-process counters as rendered; elided paths are as shown in the graph):

AppKMSPico.exe [2]
    dropped: C:\Users\user\AppData\...\AppKMSPico.tmp (PE32)
    AppKMSPico.tmp [3 15]
        dropped: C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+); C:\Users\user\AppData\Local\...\_isdecmp.dll (PE32); C:\Users\user\AppData\Local\...\_iscrypt.dll (PE32)
        AppKMSPico.exe [2]
            dropped: C:\Users\user\AppData\...\AppKMSPico.tmp (PE32)
            AppKMSPico.tmp [5 40]
                dropped: C:\Users\user\AppData\...\vstlbinf.dll (copy) (PE32+); C:\Users\user\AppData\...\unins.exe (copy) (PE32); C:\Users\user\AppData\...\pixmesh.dll (copy) (PE32+); 48 other files (11 malicious)
                unins.exe [1]
                    signature: Switches to a custom stack to bypass stack traces
                    svchost.exe
                        network: 89.163.155.192, 49691, 9992, MYLOC-ASIPBackboneofmyLocmanagedITAGDE, Germany
                        signatures: System process connects to network (likely due to code injection or exploit); Switches to a custom stack to bypass stack traces
                        fontdrvhost.exe
                            WerFault.exe [20 16]
