{"report_id":"af55d19f-725d-4d62-a24b-48488a02c8f4","version":6,"status":"done","tags":[],"date":"2025-02-01T18:22:46Z","url":{"schema":"http","addr":"github.com/kkkgo/KMS_VL_ALL/archive/refs/heads/master.zip","fqdn":"github.com","domain":"github.com","tld":"com"},"ip":{"addr":"140.82.121.3","port":0,"asn":36459,"as":"GITHUB","country":"Germany","country_code":"DE"},"final":{"url":{"schema":"about","addr":"about:privatebrowsing","fqdn":"","domain":"","tld":""},"title":"about:privatebrowsing"},"submit":{"url":{"schema":"","addr":"","fqdn":"","domain":"","tld":""},"ip":{"addr":"","port":0,"asn":0,"as":"","country":"","country_code":""},"tags":null,"meta":null},"settings":{"access":"public","device_type":"","expires_at":"2027-04-12T18:22:46Z","useragent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0","referer":"","cookies":null,"exit_node":"z0yflva4pidy47h"},"stats":{"alert_count":{"ids":0,"urlquery":0,"analyzer":0}},"detection":{"ids":null,"analyzer":null,"urlquery":null},"summary":[{"fqdn":"github.com","ip":{"addr":"140.82.121.4","port":443,"asn":36459,"as":"GITHUB","country":"Germany","country_code":"DE"},"domain_registered":"2007-10-09","domain_rank":1423,"first_seen":"2016-07-13T12:28:22Z","last_seen":"2025-01-29T02:22:02.813442Z","alert_count":0,"request_count":1,"received_data":3904,"sent_data":523,"comment":"","tags":null,"fingerprints":null},{"fqdn":"codeload.github.com","ip":{"addr":"140.82.121.10","port":443,"asn":36459,"as":"GITHUB","country":"Germany","country_code":"DE"},"domain_registered":"2007-10-09","domain_rank":62359,"first_seen":"2013-04-18T11:49:11Z","last_seen":"2025-01-29T06:54:31.293585Z","alert_count":2,"request_count":1,"received_data":180517,"sent_data":526,"comment":"","tags":null,"fingerprints":null}],"files":[{"md5":"8a848b909d3c248599a1c7ff87e218f9","sha1":"25ab3cfee6ede8b191773e23c50b63098eedd0ac","sha256":"b6c178c80442479e58c38e3d987efe6bfd2be5b3c8c05aa3c3e91106a57f6066","sha512":"4c49494851a72c7ec460e8c30241295778c50c544de5d22f70c89b5db176ea311532bf127bc3e424e5b107b72de52c67b8938ddbfae84f9877442130dacecfba","magic":"Zip archive data, at least v1.0 to extract, compression method=store","size":179845,"url":{"schema":"https","addr":"codeload.github.com/kkkgo/KMS_VL_ALL/zip/refs/heads/master","fqdn":"codeload.github.com","domain":"github.com","tld":"com"},"ip":{"addr":"140.82.121.10","port":443,"asn":36459,"as":"GITHUB","country":"Germany","country_code":"DE"},"archive":[{"path":"KMS_VL_ALL-master/$OEM$/$$/Setup/Scripts/bin/A64.dll","filename":"A64.dll","modified":"2021-10-02T20:54:27-07:00","Modified":"","magic":"PE32+ executable (DLL) (native) Aarch64, for MS Windows, 4 sections","size":20480,"md5":"698d2d01011110b0ba4aab62f92b9909","sha1":"1139ae6243934ca621e6d4ed2e2f34cc130ef88a","sha256":"3fb8dc2fa316ca1e7244eb34e95f591aa39a6e4b6eb0416692691aeb3d0c429b","sha512":"5f65842cb7522f22e63f2aa0612509299a28335230e24fcb1a145f47f4a9e03b40919780b81904fc1a4b4364f2d1284f5f765a6072a12e18e244c750b56db5da","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"virustotal","sensor_type":"file","title":"","description":"VirusTotal","scan_date":"2025-01-30","alert":"Scan result 12/70","trigger":"3fb8dc2fa316ca1e7244eb34e95f591aa39a6e4b6eb0416692691aeb3d0c429b","verdict":"malicious","severity":"","comment":"malicious - 12/70","link":"https://www.virustotal.com/gui/file/3fb8dc2fa316ca1e7244eb34e95f591aa39a6e4b6eb0416692691aeb3d0c429b","meta":null}]}},{"path":"KMS_VL_ALL-master/$OEM$/$$/Setup/Scripts/bin/SvcTrigger.xml","filename":"SvcTrigger.xml","modified":"2021-10-02T20:54:27-07:00","Modified":"","magic":"XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators","size":4258,"md5":"ade0007995da8218a924eae18dd5ffa4","sha1":"de4480d869df4e45e666e3ba74c87786d2ba01e9","sha256":"6c4c7816d99652a6248e8877ac24d341b3d87bb1e7a6be159eacbb6b6bc61352","sha512":"25576dd5103c8f677452ede6bbd1ded407f290741f0e30294ddfbe54d43be98a7f9601a3d722a997041980da083d7de7da9b2e9525d920cc207143bd60ffee95","alerts":{"urlquery":null,"analyzer":null}},{"path":"KMS_VL_ALL-master/$OEM$/$$/Setup/Scripts/bin/cleanosppx64.exe","filename":"cleanosppx64.exe","modified":"2021-10-02T20:54:27-07:00","Modified":"","magic":"PE32+ executable (console) x86-64, for MS Windows, 5 sections","size":19968,"md5":"162ab955cb2f002a73c1530aa796477f","sha1":"d30a0e4e5911d3ca705617d17225372731c770e2","sha256":"5ce462e5f34065fc878362ba58617fab28c22d631b9d836dddcf43fb1ad4de6e","sha512":"e0288dcf78092449d9cbaef4488041131925387c1aedc9e9512da0f66efe2fb68350ca3937f6715834e62e7c931c5dad0fc8bc3c6c0c3daedeff356d6feaac2e","alerts":{"urlquery":null,"analyzer":null}},{"path":"KMS_VL_ALL-master/$OEM$/$$/Setup/Scripts/bin/cleanosppx86.exe","filename":"cleanosppx86.exe","modified":"2021-10-02T20:54:27-07:00","Modified":"","magic":"PE32 executable (console) Intel 80386, for MS Windows, 3 sections","size":17408,"md5":"5fd363d52d04ac200cd24f3bcc903200","sha1":"39ed8659e7ca16aaccb86def94ce6cec4c847dd6","sha256":"3fdefe2ad092a9a7fe0edf0ac4dc2de7e5b9ce6a0804f6511c06564194966cf9","sha512":"f8ea73b0cb0a90fac6032a54028c60119022173334e68db3fbd63fe173032dd3fc3b438678064edb8c63d4eceaa72990ce039819df3d547d7d7627ad2eee36b3","alerts":{"urlquery":null,"analyzer":null}},{"path":"KMS_VL_ALL-master/$OEM$/$$/Setup/Scripts/bin/x64.dll","filename":"x64.dll","modified":"2021-10-02T20:54:27-07:00","Modified":"","magic":"PE32+ executable (DLL) (native) x86-64, for MS Windows, 4 sections","size":19968,"md5":"2914300a6e0cdf7ed242505958ac0bb5","sha1":"684103f5c312ae956e66a02b965d9aad59710745","sha256":"29ae6f149e581f8dbdc01eed2d5d20b82b597c4b4c7e102cab6d012b168df4d8","sha512":"6fa6b773275e61596f1d4885fa3089ff24a2f72166dc0a2c40667f0bd03de26b032f2a39aa05e74077ada96bbb6b0785424bfe387b995c147fd74860a11948c9","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"virustotal","sensor_type":"file","title":"","description":"VirusTotal","scan_date":"2025-01-30","alert":"Scan result 38/72","trigger":"29ae6f149e581f8dbdc01eed2d5d20b82b597c4b4c7e102cab6d012b168df4d8","verdict":"malicious","severity":"","comment":"malicious - 38/72","link":"https://www.virustotal.com/gui/file/29ae6f149e581f8dbdc01eed2d5d20b82b597c4b4c7e102cab6d012b168df4d8","meta":null}]}},{"path":"KMS_VL_ALL-master/$OEM$/$$/Setup/Scripts/bin/x86.dll","filename":"x86.dll","modified":"2021-10-02T20:54:27-07:00","Modified":"","magic":"PE32 executable (DLL) (native) Intel 80386, for MS Windows, 4 sections","size":15872,"md5":"2a2bbc30d8e715c3c29e728989498469","sha1":"da8f931c7f3bc6643e20063e075cd8fa044b53ae","sha256":"81f8fc4aef686dbc4e2b1f6b08fbac33bf877610c268564e9ecfbae1425d5e5c","sha512":"3ac38dc0c5425bdb4b8017052da8b76a6279074cd42dd01cb634b6de3b323795f2a96e2fd443ee858247b86cacf12a8ed95f39b65bab605a7a2d8784287a357f","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"virustotal","sensor_type":"file","title":"","description":"VirusTotal","scan_date":"2025-01-27","alert":"Scan result 31/72","trigger":"81f8fc4aef686dbc4e2b1f6b08fbac33bf877610c268564e9ecfbae1425d5e5c","verdict":"malicious","severity":"","comment":"malicious - 31/72","link":"https://www.virustotal.com/gui/file/81f8fc4aef686dbc4e2b1f6b08fbac33bf877610c268564e9ecfbae1425d5e5c","meta":null}]}},{"path":"KMS_VL_ALL-master/$OEM$/$$/Setup/Scripts/setupcomplete.cmd","filename":"setupcomplete.cmd","modified":"2021-10-02T20:54:27-07:00","Modified":"","magic":"ASCII text","size":96875,"md5":"65bc53900c0b960220a5af59b3ab9eb6","sha1":"b280f1a9018d9694f1cbc4c6e5c374ef29579132","sha256":"3b5a7c0317ea3b79988a6a554574da43f6ffe0cca6bc9da16140cdd6f8a6c296","sha512":"f042469b2551809d2fbdb2d325948f9d8d69ccacbda8750d4b3e1589587be75d0d24827a7af2a449222f40e46664b57993e8efc23b535ce2996ea30b0e635e71","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"YARAhub by abuse.ch","scan_date":"2025-02-01","alert":"Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen","trigger":"KMS_VL_ALL-master/$OEM$/$$/Setup/Scripts/setupcomplete.cmd","verdict":"malware","severity":"medium","comment":"","link":"https://yaraify.abuse.ch/yarahub/","meta":{"author":"iam-py-test","date":"2022-11-19","description":"Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen","false_positives":"Files modifying Defender for legitimate purposes, files containing registry keys related to Defender (i.e. diagnostic tools)","rule":"Disable_Defender","yarahub_author_twitter":"@iam_py_test","yarahub_license":"CC0 1.0","yarahub_reference_md5":"799a7f1507e5e7328081a038987e9a6f","yarahub_rule_matching_tlp":"TLP:WHITE","yarahub_rule_sharing_tlp":"TLP:WHITE","yarahub_uuid":"1fcd3702-cf5b-47b4-919d-6372c5412151"}}]}},{"path":"KMS_VL_ALL-master/Activate.cmd","filename":"Activate.cmd","modified":"2021-10-02T20:54:27-07:00","Modified":"","magic":"ASCII text","size":114762,"md5":"27dbbeda34fa7260a3dc9f6fd1398fdd","sha1":"5a7ad865b94d9d98099316fa2f78a1636e8cd8d4","sha256":"79731e75607973ed0cf7fb89174785691711dcb8032527b3cc70c72d3a61118d","sha512":"b56d8a1ee30b0893d4789f8dcd631b965cf2f22539fb00fe9da1c294b009d80823379cb648f5b9f4820e477bcf2592b41b7f7055db0cd055e3dc465a35962d5d","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"YARAhub by abuse.ch","scan_date":"2025-02-01","alert":"Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen","trigger":"KMS_VL_ALL-master/Activate.cmd","verdict":"malware","severity":"medium","comment":"","link":"https://yaraify.abuse.ch/yarahub/","meta":{"author":"iam-py-test","date":"2022-11-19","description":"Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen","false_positives":"Files modifying Defender for legitimate purposes, files containing registry keys related to Defender (i.e. diagnostic tools)","rule":"Disable_Defender","yarahub_author_twitter":"@iam_py_test","yarahub_license":"CC0 1.0","yarahub_reference_md5":"799a7f1507e5e7328081a038987e9a6f","yarahub_rule_matching_tlp":"TLP:WHITE","yarahub_rule_sharing_tlp":"TLP:WHITE","yarahub_uuid":"1fcd3702-cf5b-47b4-919d-6372c5412151"}}]}},{"path":"KMS_VL_ALL-master/AutoRenewal-Setup.cmd","filename":"AutoRenewal-Setup.cmd","modified":"2021-10-02T20:54:27-07:00","Modified":"","magic":"ASCII text","size":17851,"md5":"b9590b32f11fa467938518bad08b66f0","sha1":"6a3c0317ea5507277e9d647356f035d666bece37","sha256":"4b7e16ba61987144e3d7b70d26a0d11a8238182b57ef894b57da974a2e8f3b32","sha512":"1f844c68c629366a1846354ace946f980822d603fc95ca99842d9c15991fd0e6d7462f1c42bc0383fdd5e01e13096c4540c379e9c2179ddaf4ada26fe699a063","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"YARAhub by abuse.ch","scan_date":"2025-02-01","alert":"Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen","trigger":"KMS_VL_ALL-master/AutoRenewal-Setup.cmd","verdict":"malware","severity":"medium","comment":"","link":"https://yaraify.abuse.ch/yarahub/","meta":{"author":"iam-py-test","date":"2022-11-19","description":"Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen","false_positives":"Files modifying Defender for legitimate purposes, files containing registry keys related to Defender (i.e. diagnostic tools)","rule":"Disable_Defender","yarahub_author_twitter":"@iam_py_test","yarahub_license":"CC0 1.0","yarahub_reference_md5":"799a7f1507e5e7328081a038987e9a6f","yarahub_rule_matching_tlp":"TLP:WHITE","yarahub_rule_sharing_tlp":"TLP:WHITE","yarahub_uuid":"1fcd3702-cf5b-47b4-919d-6372c5412151"}}]}},{"path":"KMS_VL_ALL-master/Check-Activation-Status-vbs.cmd","filename":"Check-Activation-Status-vbs.cmd","modified":"2021-10-02T20:54:27-07:00","Modified":"","magic":"ASCII text","size":6838,"md5":"48af8f351df5b7a7a341a4c1e0f0270a","sha1":"818b60cdcf7e7fc4cd81d2ada834fcbec5991347","sha256":"88615b73386261e04f17a565d0a90755e01cb5102aea5da82990d3cf67874066","sha512":"a32614c57049e976799f00604e827434d8953286992ea82160e272614c6e7f7d50b751bdf5f2b75d4bf8d1a76633def08870abf5030875e47c78064d1802eb2b","alerts":{"urlquery":null,"analyzer":null}},{"path":"KMS_VL_ALL-master/Check-Activation-Status-wmic.cmd","filename":"Check-Activation-Status-wmic.cmd","modified":"2021-10-02T20:54:27-07:00","Modified":"","magic":"ASCII text, with very long lines (361)","size":16088,"md5":"d2e352bab312e0adf78b32678ba5d3d0","sha1":"cd056bc78a776cc28f20f6e10cded7b6b2acda28","sha256":"4b0a0ff29ad5b30d8a74e8ebb84e0f47670dd33a3d50d5dcd7cf08fe5d47a227","sha512":"962e2483d2de54d55cbf8aa191f36d7aa522d641f49ab8dd9b7f16dbca355b31ffe781e0bc1a58d4557299a07b597ce88d013a5fa3fbbbc665d37e6973c5d894","alerts":{"urlquery":null,"analyzer":null}},{"path":"KMS_VL_ALL-master/README.md","filename":"README.md","modified":"2021-10-02T20:54:27-07:00","Modified":"","magic":"Unicode text, UTF-8 text","size":5783,"md5":"b62afe023b7da83362b66405b866a937","sha1":"8b496b32f1c27e14a8af14233c9809661624e711","sha256":"917e6a2620ed22c3b79b2c818e3270efddd3735bf511bab3e1c0eaf857bc5546","sha512":"35baa970b6d75f03fbb8822b5161cdbd850ef02b4e68c51d899b3369246151f304bc79047550d6f249772c31139978675227aaed7535db83a997cb6eb6237036","alerts":{"urlquery":null,"analyzer":null}},{"path":"KMS_VL_ALL-master/ReadMe.html","filename":"ReadMe.html","modified":"2021-10-02T20:54:27-07:00","Modified":"","magic":"HTML document, Unicode text, UTF-8 (with BOM) text, with very long lines (596)","size":38635,"md5":"56b89b9bdca3b00ffc5886477ce6f0dc","sha1":"35fef6c8d72e679bb375a4b03fd8ee256047c598","sha256":"a512e9a009bdfc5ac2904549504a329b8399ccd6b99d04aa26cab1a86268feaa","sha512":"116e9f73fa62d01c859fb4791c469023231404de61987d098539d470b11469dd3344e1d8add34b009c915a9b4af714316c1c7a8a60f597f192663180da5e0365","alerts":{"urlquery":null,"analyzer":null}},{"path":"KMS_VL_ALL-master/bin/A64.dll","filename":"A64.dll","modified":"2021-10-02T20:54:27-07:00","Modified":"","magic":"PE32+ executable (DLL) (native) Aarch64, for MS Windows, 4 sections","size":20480,"md5":"698d2d01011110b0ba4aab62f92b9909","sha1":"1139ae6243934ca621e6d4ed2e2f34cc130ef88a","sha256":"3fb8dc2fa316ca1e7244eb34e95f591aa39a6e4b6eb0416692691aeb3d0c429b","sha512":"5f65842cb7522f22e63f2aa0612509299a28335230e24fcb1a145f47f4a9e03b40919780b81904fc1a4b4364f2d1284f5f765a6072a12e18e244c750b56db5da","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"virustotal","sensor_type":"file","title":"","description":"VirusTotal","scan_date":"2025-01-30","alert":"Scan result 12/70","trigger":"3fb8dc2fa316ca1e7244eb34e95f591aa39a6e4b6eb0416692691aeb3d0c429b","verdict":"malicious","severity":"","comment":"malicious - 12/70","link":"https://www.virustotal.com/gui/file/3fb8dc2fa316ca1e7244eb34e95f591aa39a6e4b6eb0416692691aeb3d0c429b","meta":null}]}},{"path":"KMS_VL_ALL-master/bin/SvcTrigger.xml","filename":"SvcTrigger.xml","modified":"2021-10-02T20:54:27-07:00","Modified":"","magic":"XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators","size":4258,"md5":"ade0007995da8218a924eae18dd5ffa4","sha1":"de4480d869df4e45e666e3ba74c87786d2ba01e9","sha256":"6c4c7816d99652a6248e8877ac24d341b3d87bb1e7a6be159eacbb6b6bc61352","sha512":"25576dd5103c8f677452ede6bbd1ded407f290741f0e30294ddfbe54d43be98a7f9601a3d722a997041980da083d7de7da9b2e9525d920cc207143bd60ffee95","alerts":{"urlquery":null,"analyzer":null}},{"path":"KMS_VL_ALL-master/bin/cleanosppx64.exe","filename":"cleanosppx64.exe","modified":"2021-10-02T20:54:27-07:00","Modified":"","magic":"PE32+ executable (console) x86-64, for MS Windows, 5 sections","size":19968,"md5":"162ab955cb2f002a73c1530aa796477f","sha1":"d30a0e4e5911d3ca705617d17225372731c770e2","sha256":"5ce462e5f34065fc878362ba58617fab28c22d631b9d836dddcf43fb1ad4de6e","sha512":"e0288dcf78092449d9cbaef4488041131925387c1aedc9e9512da0f66efe2fb68350ca3937f6715834e62e7c931c5dad0fc8bc3c6c0c3daedeff356d6feaac2e","alerts":{"urlquery":null,"analyzer":null}},{"path":"KMS_VL_ALL-master/bin/cleanosppx86.exe","filename":"cleanosppx86.exe","modified":"2021-10-02T20:54:27-07:00","Modified":"","magic":"PE32 executable (console) Intel 80386, for MS Windows, 3 sections","size":17408,"md5":"5fd363d52d04ac200cd24f3bcc903200","sha1":"39ed8659e7ca16aaccb86def94ce6cec4c847dd6","sha256":"3fdefe2ad092a9a7fe0edf0ac4dc2de7e5b9ce6a0804f6511c06564194966cf9","sha512":"f8ea73b0cb0a90fac6032a54028c60119022173334e68db3fbd63fe173032dd3fc3b438678064edb8c63d4eceaa72990ce039819df3d547d7d7627ad2eee36b3","alerts":{"urlquery":null,"analyzer":null}},{"path":"KMS_VL_ALL-master/bin/x64.dll","filename":"x64.dll","modified":"2021-10-02T20:54:27-07:00","Modified":"","magic":"PE32+ executable (DLL) (native) x86-64, for MS Windows, 4 sections","size":19968,"md5":"2914300a6e0cdf7ed242505958ac0bb5","sha1":"684103f5c312ae956e66a02b965d9aad59710745","sha256":"29ae6f149e581f8dbdc01eed2d5d20b82b597c4b4c7e102cab6d012b168df4d8","sha512":"6fa6b773275e61596f1d4885fa3089ff24a2f72166dc0a2c40667f0bd03de26b032f2a39aa05e74077ada96bbb6b0785424bfe387b995c147fd74860a11948c9","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"virustotal","sensor_type":"file","title":"","description":"VirusTotal","scan_date":"2025-01-30","alert":"Scan result 38/72","trigger":"29ae6f149e581f8dbdc01eed2d5d20b82b597c4b4c7e102cab6d012b168df4d8","verdict":"malicious","severity":"","comment":"malicious - 38/72","link":"https://www.virustotal.com/gui/file/29ae6f149e581f8dbdc01eed2d5d20b82b597c4b4c7e102cab6d012b168df4d8","meta":null}]}},{"path":"KMS_VL_ALL-master/bin/x86.dll","filename":"x86.dll","modified":"2021-10-02T20:54:27-07:00","Modified":"","magic":"PE32 executable (DLL) (native) Intel 80386, for MS Windows, 4 sections","size":15872,"md5":"2a2bbc30d8e715c3c29e728989498469","sha1":"da8f931c7f3bc6643e20063e075cd8fa044b53ae","sha256":"81f8fc4aef686dbc4e2b1f6b08fbac33bf877610c268564e9ecfbae1425d5e5c","sha512":"3ac38dc0c5425bdb4b8017052da8b76a6279074cd42dd01cb634b6de3b323795f2a96e2fd443ee858247b86cacf12a8ed95f39b65bab605a7a2d8784287a357f","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"virustotal","sensor_type":"file","title":"","description":"VirusTotal","scan_date":"2025-01-27","alert":"Scan result 31/72","trigger":"81f8fc4aef686dbc4e2b1f6b08fbac33bf877610c268564e9ecfbae1425d5e5c","verdict":"malicious","severity":"","comment":"malicious - 31/72","link":"https://www.virustotal.com/gui/file/81f8fc4aef686dbc4e2b1f6b08fbac33bf877610c268564e9ecfbae1425d5e5c","meta":null}]}}],"alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"YARAhub by abuse.ch","scan_date":"2025-02-01","alert":"Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen","trigger":"KMS_VL_ALL-master/$OEM$/$$/Setup/Scripts/setupcomplete.cmd","verdict":"malware","severity":"medium","comment":"","link":"https://yaraify.abuse.ch/yarahub/","meta":{"author":"iam-py-test","date":"2022-11-19","description":"Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen","false_positives":"Files modifying Defender for legitimate purposes, files containing registry keys related to Defender (i.e. diagnostic tools)","rule":"Disable_Defender","yarahub_author_twitter":"@iam_py_test","yarahub_license":"CC0 1.0","yarahub_reference_md5":"799a7f1507e5e7328081a038987e9a6f","yarahub_rule_matching_tlp":"TLP:WHITE","yarahub_rule_sharing_tlp":"TLP:WHITE","yarahub_uuid":"1fcd3702-cf5b-47b4-919d-6372c5412151"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"YARAhub by abuse.ch","scan_date":"2025-02-01","alert":"Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen","trigger":"KMS_VL_ALL-master/Activate.cmd","verdict":"malware","severity":"medium","comment":"","link":"https://yaraify.abuse.ch/yarahub/","meta":{"author":"iam-py-test","date":"2022-11-19","description":"Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen","false_positives":"Files modifying Defender for legitimate purposes, files containing registry keys related to Defender (i.e. diagnostic tools)","rule":"Disable_Defender","yarahub_author_twitter":"@iam_py_test","yarahub_license":"CC0 1.0","yarahub_reference_md5":"799a7f1507e5e7328081a038987e9a6f","yarahub_rule_matching_tlp":"TLP:WHITE","yarahub_rule_sharing_tlp":"TLP:WHITE","yarahub_uuid":"1fcd3702-cf5b-47b4-919d-6372c5412151"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"YARAhub by abuse.ch","scan_date":"2025-02-01","alert":"Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen","trigger":"KMS_VL_ALL-master/AutoRenewal-Setup.cmd","verdict":"malware","severity":"medium","comment":"","link":"https://yaraify.abuse.ch/yarahub/","meta":{"author":"iam-py-test","date":"2022-11-19","description":"Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen","false_positives":"Files modifying Defender for legitimate purposes, files containing registry keys related to Defender (i.e. diagnostic tools)","rule":"Disable_Defender","yarahub_author_twitter":"@iam_py_test","yarahub_license":"CC0 1.0","yarahub_reference_md5":"799a7f1507e5e7328081a038987e9a6f","yarahub_rule_matching_tlp":"TLP:WHITE","yarahub_rule_sharing_tlp":"TLP:WHITE","yarahub_uuid":"1fcd3702-cf5b-47b4-919d-6372c5412151"}},{"sensor_name":"virustotal","sensor_type":"file","title":"","description":"VirusTotal","scan_date":"2025-01-06","alert":"Scan result 38/68","trigger":"b6c178c80442479e58c38e3d987efe6bfd2be5b3c8c05aa3c3e91106a57f6066","verdict":"malicious","severity":"","comment":"malicious - 38/68","link":"https://www.virustotal.com/gui/file/b6c178c80442479e58c38e3d987efe6bfd2be5b3c8c05aa3c3e91106a57f6066","meta":null},{"sensor_name":"clamav","sensor_type":"antivirus","title":"","description":"ClamAV","scan_date":"2025-02-01","alert":"Win.Trojan.Generic-10036804-0","trigger":"b6c178c80442479e58c38e3d987efe6bfd2be5b3c8c05aa3c3e91106a57f6066","verdict":"malicious","severity":"medium","comment":"","link":"https://www.clamav.net/","meta":null}]}}],"artifacts":{"windows_shortcuts":null,"files":[{"md5":"8a848b909d3c248599a1c7ff87e218f9","sha1":"25ab3cfee6ede8b191773e23c50b63098eedd0ac","sha256":"b6c178c80442479e58c38e3d987efe6bfd2be5b3c8c05aa3c3e91106a57f6066","sha512":"4c49494851a72c7ec460e8c30241295778c50c544de5d22f70c89b5db176ea311532bf127bc3e424e5b107b72de52c67b8938ddbfae84f9877442130dacecfba","magic":"Zip archive data, at least v1.0 to extract, compression method=store","size":179845,"url":{"schema":"https","addr":"codeload.github.com/kkkgo/KMS_VL_ALL/zip/refs/heads/master","fqdn":"codeload.github.com","domain":"github.com","tld":"com"},"ip":{"addr":"140.82.121.10","port":443,"asn":36459,"as":"GITHUB","country":"Germany","country_code":"DE"},"archive":[{"path":"KMS_VL_ALL-master/$OEM$/$$/Setup/Scripts/bin/A64.dll","filename":"A64.dll","modified":"2021-10-02T20:54:27-07:00","Modified":"","magic":"PE32+ executable (DLL) (native) Aarch64, for MS Windows, 4 sections","size":20480,"md5":"698d2d01011110b0ba4aab62f92b9909","sha1":"1139ae6243934ca621e6d4ed2e2f34cc130ef88a","sha256":"3fb8dc2fa316ca1e7244eb34e95f591aa39a6e4b6eb0416692691aeb3d0c429b","sha512":"5f65842cb7522f22e63f2aa0612509299a28335230e24fcb1a145f47f4a9e03b40919780b81904fc1a4b4364f2d1284f5f765a6072a12e18e244c750b56db5da","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"virustotal","sensor_type":"file","title":"","description":"VirusTotal","scan_date":"2025-01-30","alert":"Scan result 12/70","trigger":"3fb8dc2fa316ca1e7244eb34e95f591aa39a6e4b6eb0416692691aeb3d0c429b","verdict":"malicious","severity":"","comment":"malicious - 12/70","link":"https://www.virustotal.com/gui/file/3fb8dc2fa316ca1e7244eb34e95f591aa39a6e4b6eb0416692691aeb3d0c429b","meta":null}]}},{"path":"KMS_VL_ALL-master/$OEM$/$$/Setup/Scripts/bin/SvcTrigger.xml","filename":"SvcTrigger.xml","modified":"2021-10-02T20:54:27-07:00","Modified":"","magic":"XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators","size":4258,"md5":"ade0007995da8218a924eae18dd5ffa4","sha1":"de4480d869df4e45e666e3ba74c87786d2ba01e9","sha256":"6c4c7816d99652a6248e8877ac24d341b3d87bb1e7a6be159eacbb6b6bc61352","sha512":"25576dd5103c8f677452ede6bbd1ded407f290741f0e30294ddfbe54d43be98a7f9601a3d722a997041980da083d7de7da9b2e9525d920cc207143bd60ffee95","alerts":{"urlquery":null,"analyzer":null}},{"path":"KMS_VL_ALL-master/$OEM$/$$/Setup/Scripts/bin/cleanosppx64.exe","filename":"cleanosppx64.exe","modified":"2021-10-02T20:54:27-07:00","Modified":"","magic":"PE32+ executable (console) x86-64, for MS Windows, 5 sections","size":19968,"md5":"162ab955cb2f002a73c1530aa796477f","sha1":"d30a0e4e5911d3ca705617d17225372731c770e2","sha256":"5ce462e5f34065fc878362ba58617fab28c22d631b9d836dddcf43fb1ad4de6e","sha512":"e0288dcf78092449d9cbaef4488041131925387c1aedc9e9512da0f66efe2fb68350ca3937f6715834e62e7c931c5dad0fc8bc3c6c0c3daedeff356d6feaac2e","alerts":{"urlquery":null,"analyzer":null}},{"path":"KMS_VL_ALL-master/$OEM$/$$/Setup/Scripts/bin/cleanosppx86.exe","filename":"cleanosppx86.exe","modified":"2021-10-02T20:54:27-07:00","Modified":"","magic":"PE32 executable (console) Intel 80386, for MS Windows, 3 sections","size":17408,"md5":"5fd363d52d04ac200cd24f3bcc903200","sha1":"39ed8659e7ca16aaccb86def94ce6cec4c847dd6","sha256":"3fdefe2ad092a9a7fe0edf0ac4dc2de7e5b9ce6a0804f6511c06564194966cf9","sha512":"f8ea73b0cb0a90fac6032a54028c60119022173334e68db3fbd63fe173032dd3fc3b438678064edb8c63d4eceaa72990ce039819df3d547d7d7627ad2eee36b3","alerts":{"urlquery":null,"analyzer":null}},{"path":"KMS_VL_ALL-master/$OEM$/$$/Setup/Scripts/bin/x64.dll","filename":"x64.dll","modified":"2021-10-02T20:54:27-07:00","Modified":"","magic":"PE32+ executable (DLL) (native) x86-64, for MS Windows, 4 sections","size":19968,"md5":"2914300a6e0cdf7ed242505958ac0bb5","sha1":"684103f5c312ae956e66a02b965d9aad59710745","sha256":"29ae6f149e581f8dbdc01eed2d5d20b82b597c4b4c7e102cab6d012b168df4d8","sha512":"6fa6b773275e61596f1d4885fa3089ff24a2f72166dc0a2c40667f0bd03de26b032f2a39aa05e74077ada96bbb6b0785424bfe387b995c147fd74860a11948c9","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"virustotal","sensor_type":"file","title":"","description":"VirusTotal","scan_date":"2025-01-30","alert":"Scan result 38/72","trigger":"29ae6f149e581f8dbdc01eed2d5d20b82b597c4b4c7e102cab6d012b168df4d8","verdict":"malicious","severity":"","comment":"malicious - 38/72","link":"https://www.virustotal.com/gui/file/29ae6f149e581f8dbdc01eed2d5d20b82b597c4b4c7e102cab6d012b168df4d8","meta":null}]}},{"path":"KMS_VL_ALL-master/$OEM$/$$/Setup/Scripts/bin/x86.dll","filename":"x86.dll","modified":"2021-10-02T20:54:27-07:00","Modified":"","magic":"PE32 executable (DLL) (native) Intel 80386, for MS Windows, 4 sections","size":15872,"md5":"2a2bbc30d8e715c3c29e728989498469","sha1":"da8f931c7f3bc6643e20063e075cd8fa044b53ae","sha256":"81f8fc4aef686dbc4e2b1f6b08fbac33bf877610c268564e9ecfbae1425d5e5c","sha512":"3ac38dc0c5425bdb4b8017052da8b76a6279074cd42dd01cb634b6de3b323795f2a96e2fd443ee858247b86cacf12a8ed95f39b65bab605a7a2d8784287a357f","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"virustotal","sensor_type":"file","title":"","description":"VirusTotal","scan_date":"2025-01-27","alert":"Scan result 31/72","trigger":"81f8fc4aef686dbc4e2b1f6b08fbac33bf877610c268564e9ecfbae1425d5e5c","verdict":"malicious","severity":"","comment":"malicious - 31/72","link":"https://www.virustotal.com/gui/file/81f8fc4aef686dbc4e2b1f6b08fbac33bf877610c268564e9ecfbae1425d5e5c","meta":null}]}},{"path":"KMS_VL_ALL-master/$OEM$/$$/Setup/Scripts/setupcomplete.cmd","filename":"setupcomplete.cmd","modified":"2021-10-02T20:54:27-07:00","Modified":"","magic":"ASCII text","size":96875,"md5":"65bc53900c0b960220a5af59b3ab9eb6","sha1":"b280f1a9018d9694f1cbc4c6e5c374ef29579132","sha256":"3b5a7c0317ea3b79988a6a554574da43f6ffe0cca6bc9da16140cdd6f8a6c296","sha512":"f042469b2551809d2fbdb2d325948f9d8d69ccacbda8750d4b3e1589587be75d0d24827a7af2a449222f40e46664b57993e8efc23b535ce2996ea30b0e635e71","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"YARAhub by abuse.ch","scan_date":"2025-02-01","alert":"Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen","trigger":"KMS_VL_ALL-master/$OEM$/$$/Setup/Scripts/setupcomplete.cmd","verdict":"malware","severity":"medium","comment":"","link":"https://yaraify.abuse.ch/yarahub/","meta":{"author":"iam-py-test","date":"2022-11-19","description":"Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen","false_positives":"Files modifying Defender for legitimate purposes, files containing registry keys related to Defender (i.e. diagnostic tools)","rule":"Disable_Defender","yarahub_author_twitter":"@iam_py_test","yarahub_license":"CC0 1.0","yarahub_reference_md5":"799a7f1507e5e7328081a038987e9a6f","yarahub_rule_matching_tlp":"TLP:WHITE","yarahub_rule_sharing_tlp":"TLP:WHITE","yarahub_uuid":"1fcd3702-cf5b-47b4-919d-6372c5412151"}}]}},{"path":"KMS_VL_ALL-master/Activate.cmd","filename":"Activate.cmd","modified":"2021-10-02T20:54:27-07:00","Modified":"","magic":"ASCII text","size":114762,"md5":"27dbbeda34fa7260a3dc9f6fd1398fdd","sha1":"5a7ad865b94d9d98099316fa2f78a1636e8cd8d4","sha256":"79731e75607973ed0cf7fb89174785691711dcb8032527b3cc70c72d3a61118d","sha512":"b56d8a1ee30b0893d4789f8dcd631b965cf2f22539fb00fe9da1c294b009d80823379cb648f5b9f4820e477bcf2592b41b7f7055db0cd055e3dc465a35962d5d","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"YARAhub by abuse.ch","scan_date":"2025-02-01","alert":"Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen","trigger":"KMS_VL_ALL-master/Activate.cmd","verdict":"malware","severity":"medium","comment":"","link":"https://yaraify.abuse.ch/yarahub/","meta":{"author":"iam-py-test","date":"2022-11-19","description":"Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen","false_positives":"Files modifying Defender for legitimate purposes, files containing registry keys related to Defender (i.e. diagnostic tools)","rule":"Disable_Defender","yarahub_author_twitter":"@iam_py_test","yarahub_license":"CC0 1.0","yarahub_reference_md5":"799a7f1507e5e7328081a038987e9a6f","yarahub_rule_matching_tlp":"TLP:WHITE","yarahub_rule_sharing_tlp":"TLP:WHITE","yarahub_uuid":"1fcd3702-cf5b-47b4-919d-6372c5412151"}}]}},{"path":"KMS_VL_ALL-master/AutoRenewal-Setup.cmd","filename":"AutoRenewal-Setup.cmd","modified":"2021-10-02T20:54:27-07:00","Modified":"","magic":"ASCII text","size":17851,"md5":"b9590b32f11fa467938518bad08b66f0","sha1":"6a3c0317ea5507277e9d647356f035d666bece37","sha256":"4b7e16ba61987144e3d7b70d26a0d11a8238182b57ef894b57da974a2e8f3b32","sha512":"1f844c68c629366a1846354ace946f980822d603fc95ca99842d9c15991fd0e6d7462f1c42bc0383fdd5e01e13096c4540c379e9c2179ddaf4ada26fe699a063","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"YARAhub by abuse.ch","scan_date":"2025-02-01","alert":"Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen","trigger":"KMS_VL_ALL-master/AutoRenewal-Setup.cmd","verdict":"malware","severity":"medium","comment":"","link":"https://yaraify.abuse.ch/yarahub/","meta":{"author":"iam-py-test","date":"2022-11-19","description":"Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen","false_positives":"Files modifying Defender for legitimate purposes, files containing registry keys related to Defender (i.e. diagnostic tools)","rule":"Disable_Defender","yarahub_author_twitter":"@iam_py_test","yarahub_license":"CC0 1.0","yarahub_reference_md5":"799a7f1507e5e7328081a038987e9a6f","yarahub_rule_matching_tlp":"TLP:WHITE","yarahub_rule_sharing_tlp":"TLP:WHITE","yarahub_uuid":"1fcd3702-cf5b-47b4-919d-6372c5412151"}}]}},{"path":"KMS_VL_ALL-master/Check-Activation-Status-vbs.cmd","filename":"Check-Activation-Status-vbs.cmd","modified":"2021-10-02T20:54:27-07:00","Modified":"","magic":"ASCII text","size":6838,"md5":"48af8f351df5b7a7a341a4c1e0f0270a","sha1":"818b60cdcf7e7fc4cd81d2ada834fcbec5991347","sha256":"88615b73386261e04f17a565d0a90755e01cb5102aea5da82990d3cf67874066","sha512":"a32614c57049e976799f00604e827434d8953286992ea82160e272614c6e7f7d50b751bdf5f2b75d4bf8d1a76633def08870abf5030875e47c78064d1802eb2b","alerts":{"urlquery":null,"analyzer":null}},{"path":"KMS_VL_ALL-master/Check-Activation-Status-wmic.cmd","filename":"Check-Activation-Status-wmic.cmd","modified":"2021-10-02T20:54:27-07:00","Modified":"","magic":"ASCII text, with very long lines (361)","size":16088,"md5":"d2e352bab312e0adf78b32678ba5d3d0","sha1":"cd056bc78a776cc28f20f6e10cded7b6b2acda28","sha256":"4b0a0ff29ad5b30d8a74e8ebb84e0f47670dd33a3d50d5dcd7cf08fe5d47a227","sha512":"962e2483d2de54d55cbf8aa191f36d7aa522d641f49ab8dd9b7f16dbca355b31ffe781e0bc1a58d4557299a07b597ce88d013a5fa3fbbbc665d37e6973c5d894","alerts":{"urlquery":null,"analyzer":null}},{"path":"KMS_VL_ALL-master/README.md","filename":"README.md","modified":"2021-10-02T20:54:27-07:00","Modified":"","magic":"Unicode text, UTF-8 text","size":5783,"md5":"b62afe023b7da83362b66405b866a937","sha1":"8b496b32f1c27e14a8af14233c9809661624e711","sha256":"917e6a2620ed22c3b79b2c818e3270efddd3735bf511bab3e1c0eaf857bc5546","sha512":"35baa970b6d75f03fbb8822b5161cdbd850ef02b4e68c51d899b3369246151f304bc79047550d6f249772c31139978675227aaed7535db83a997cb6eb6237036","alerts":{"urlquery":null,"analyzer":null}},{"path":"KMS_VL_ALL-master/ReadMe.html","filename":"ReadMe.html","modified":"2021-10-02T20:54:27-07:00","Modified":"","magic":"HTML document, Unicode text, UTF-8 (with BOM) text, with very long lines (596)","size":38635,"md5":"56b89b9bdca3b00ffc5886477ce6f0dc","sha1":"35fef6c8d72e679bb375a4b03fd8ee256047c598","sha256":"a512e9a009bdfc5ac2904549504a329b8399ccd6b99d04aa26cab1a86268feaa","sha512":"116e9f73fa62d01c859fb4791c469023231404de61987d098539d470b11469dd3344e1d8add34b009c915a9b4af714316c1c7a8a60f597f192663180da5e0365","alerts":{"urlquery":null,"analyzer":null}},{"path":"KMS_VL_ALL-master/bin/A64.dll","filename":"A64.dll","modified":"2021-10-02T20:54:27-07:00","Modified":"","magic":"PE32+ executable (DLL) (native) Aarch64, for MS Windows, 4 sections","size":20480,"md5":"698d2d01011110b0ba4aab62f92b9909","sha1":"1139ae6243934ca621e6d4ed2e2f34cc130ef88a","sha256":"3fb8dc2fa316ca1e7244eb34e95f591aa39a6e4b6eb0416692691aeb3d0c429b","sha512":"5f65842cb7522f22e63f2aa0612509299a28335230e24fcb1a145f47f4a9e03b40919780b81904fc1a4b4364f2d1284f5f765a6072a12e18e244c750b56db5da","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"virustotal","sensor_type":"file","title":"","description":"VirusTotal","scan_date":"2025-01-30","alert":"Scan result 12/70","trigger":"3fb8dc2fa316ca1e7244eb34e95f591aa39a6e4b6eb0416692691aeb3d0c429b","verdict":"malicious","severity":"","comment":"malicious - 12/70","link":"https://www.virustotal.com/gui/file/3fb8dc2fa316ca1e7244eb34e95f591aa39a6e4b6eb0416692691aeb3d0c429b","meta":null}]}},{"path":"KMS_VL_ALL-master/bin/SvcTrigger.xml","filename":"SvcTrigger.xml","modified":"2021-10-02T20:54:27-07:00","Modified":"","magic":"XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators","size":4258,"md5":"ade0007995da8218a924eae18dd5ffa4","sha1":"de4480d869df4e45e666e3ba74c87786d2ba01e9","sha256":"6c4c7816d99652a6248e8877ac24d341b3d87bb1e7a6be159eacbb6b6bc61352","sha512":"25576dd5103c8f677452ede6bbd1ded407f290741f0e30294ddfbe54d43be98a7f9601a3d722a997041980da083d7de7da9b2e9525d920cc207143bd60ffee95","alerts":{"urlquery":null,"analyzer":null}},{"path":"KMS_VL_ALL-master/bin/cleanosppx64.exe","filename":"cleanosppx64.exe","modified":"2021-10-02T20:54:27-07:00","Modified":"","magic":"PE32+ executable (console) x86-64, for MS Windows, 5 sections","size":19968,"md5":"162ab955cb2f002a73c1530aa796477f","sha1":"d30a0e4e5911d3ca705617d17225372731c770e2","sha256":"5ce462e5f34065fc878362ba58617fab28c22d631b9d836dddcf43fb1ad4de6e","sha512":"e0288dcf78092449d9cbaef4488041131925387c1aedc9e9512da0f66efe2fb68350ca3937f6715834e62e7c931c5dad0fc8bc3c6c0c3daedeff356d6feaac2e","alerts":{"urlquery":null,"analyzer":null}},{"path":"KMS_VL_ALL-master/bin/cleanosppx86.exe","filename":"cleanosppx86.exe","modified":"2021-10-02T20:54:27-07:00","Modified":"","magic":"PE32 executable (console) Intel 80386, for MS Windows, 3 sections","size":17408,"md5":"5fd363d52d04ac200cd24f3bcc903200","sha1":"39ed8659e7ca16aaccb86def94ce6cec4c847dd6","sha256":"3fdefe2ad092a9a7fe0edf0ac4dc2de7e5b9ce6a0804f6511c06564194966cf9","sha512":"f8ea73b0cb0a90fac6032a54028c60119022173334e68db3fbd63fe173032dd3fc3b438678064edb8c63d4eceaa72990ce039819df3d547d7d7627ad2eee36b3","alerts":{"urlquery":null,"analyzer":null}},{"path":"KMS_VL_ALL-master/bin/x64.dll","filename":"x64.dll","modified":"2021-10-02T20:54:27-07:00","Modified":"","magic":"PE32+ executable (DLL) (native) x86-64, for MS Windows, 4 sections","size":19968,"md5":"2914300a6e0cdf7ed242505958ac0bb5","sha1":"684103f5c312ae956e66a02b965d9aad59710745","sha256":"29ae6f149e581f8dbdc01eed2d5d20b82b597c4b4c7e102cab6d012b168df4d8","sha512":"6fa6b773275e61596f1d4885fa3089ff24a2f72166dc0a2c40667f0bd03de26b032f2a39aa05e74077ada96bbb6b0785424bfe387b995c147fd74860a11948c9","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"virustotal","sensor_type":"file","title":"","description":"VirusTotal","scan_date":"2025-01-30","alert":"Scan result 38/72","trigger":"29ae6f149e581f8dbdc01eed2d5d20b82b597c4b4c7e102cab6d012b168df4d8","verdict":"malicious","severity":"","comment":"malicious - 38/72","link":"https://www.virustotal.com/gui/file/29ae6f149e581f8dbdc01eed2d5d20b82b597c4b4c7e102cab6d012b168df4d8","meta":null}]}},{"path":"KMS_VL_ALL-master/bin/x86.dll","filename":"x86.dll","modified":"2021-10-02T20:54:27-07:00","Modified":"","magic":"PE32 executable (DLL) (native) Intel 80386, for MS Windows, 4 sections","size":15872,"md5":"2a2bbc30d8e715c3c29e728989498469","sha1":"da8f931c7f3bc6643e20063e075cd8fa044b53ae","sha256":"81f8fc4aef686dbc4e2b1f6b08fbac33bf877610c268564e9ecfbae1425d5e5c","sha512":"3ac38dc0c5425bdb4b8017052da8b76a6279074cd42dd01cb634b6de3b323795f2a96e2fd443ee858247b86cacf12a8ed95f39b65bab605a7a2d8784287a357f","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"virustotal","sensor_type":"file","title":"","description":"VirusTotal","scan_date":"2025-01-27","alert":"Scan result 31/72","trigger":"81f8fc4aef686dbc4e2b1f6b08fbac33bf877610c268564e9ecfbae1425d5e5c","verdict":"malicious","severity":"","comment":"malicious - 31/72","link":"https://www.virustotal.com/gui/file/81f8fc4aef686dbc4e2b1f6b08fbac33bf877610c268564e9ecfbae1425d5e5c","meta":null}]}}],"alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"YARAhub by abuse.ch","scan_date":"2025-02-01","alert":"Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen","trigger":"KMS_VL_ALL-master/$OEM$/$$/Setup/Scripts/setupcomplete.cmd","verdict":"malware","severity":"medium","comment":"","link":"https://yaraify.abuse.ch/yarahub/","meta":{"author":"iam-py-test","date":"2022-11-19","description":"Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen","false_positives":"Files modifying Defender for legitimate purposes, files containing registry keys related to Defender (i.e. diagnostic tools)","rule":"Disable_Defender","yarahub_author_twitter":"@iam_py_test","yarahub_license":"CC0 1.0","yarahub_reference_md5":"799a7f1507e5e7328081a038987e9a6f","yarahub_rule_matching_tlp":"TLP:WHITE","yarahub_rule_sharing_tlp":"TLP:WHITE","yarahub_uuid":"1fcd3702-cf5b-47b4-919d-6372c5412151"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"YARAhub by abuse.ch","scan_date":"2025-02-01","alert":"Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen","trigger":"KMS_VL_ALL-master/Activate.cmd","verdict":"malware","severity":"medium","comment":"","link":"https://yaraify.abuse.ch/yarahub/","meta":{"author":"iam-py-test","date":"2022-11-19","description":"Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen","false_positives":"Files modifying Defender for legitimate purposes, files containing registry keys related to Defender (i.e. diagnostic tools)","rule":"Disable_Defender","yarahub_author_twitter":"@iam_py_test","yarahub_license":"CC0 1.0","yarahub_reference_md5":"799a7f1507e5e7328081a038987e9a6f","yarahub_rule_matching_tlp":"TLP:WHITE","yarahub_rule_sharing_tlp":"TLP:WHITE","yarahub_uuid":"1fcd3702-cf5b-47b4-919d-6372c5412151"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"YARAhub by abuse.ch","scan_date":"2025-02-01","alert":"Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen","trigger":"KMS_VL_ALL-master/AutoRenewal-Setup.cmd","verdict":"malware","severity":"medium","comment":"","link":"https://yaraify.abuse.ch/yarahub/","meta":{"author":"iam-py-test","date":"2022-11-19","description":"Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen","false_positives":"Files modifying Defender for legitimate purposes, files containing registry keys related to Defender (i.e. diagnostic tools)","rule":"Disable_Defender","yarahub_author_twitter":"@iam_py_test","yarahub_license":"CC0 1.0","yarahub_reference_md5":"799a7f1507e5e7328081a038987e9a6f","yarahub_rule_matching_tlp":"TLP:WHITE","yarahub_rule_sharing_tlp":"TLP:WHITE","yarahub_uuid":"1fcd3702-cf5b-47b4-919d-6372c5412151"}},{"sensor_name":"virustotal","sensor_type":"file","title":"","description":"VirusTotal","scan_date":"2025-01-06","alert":"Scan result 38/68","trigger":"b6c178c80442479e58c38e3d987efe6bfd2be5b3c8c05aa3c3e91106a57f6066","verdict":"malicious","severity":"","comment":"malicious - 38/68","link":"https://www.virustotal.com/gui/file/b6c178c80442479e58c38e3d987efe6bfd2be5b3c8c05aa3c3e91106a57f6066","meta":null},{"sensor_name":"clamav","sensor_type":"antivirus","title":"","description":"ClamAV","scan_date":"2025-02-01","alert":"Win.Trojan.Generic-10036804-0","trigger":"b6c178c80442479e58c38e3d987efe6bfd2be5b3c8c05aa3c3e91106a57f6066","verdict":"malicious","severity":"medium","comment":"","link":"https://www.clamav.net/","meta":null}]}}],"telegram":null,"pdfs":null,"clipboard":null},"sensors":{"ids":[{"sensor_name":"suricata","description":"Suricata /w Emerging Threats Pro","alerts":null}],"analyzer":[{"sensor_name":"infosec_yara","type":"yara","description":"Public InfoSec YARA rules","link":"","alerts":null},{"sensor_name":"openphish","type":"url","description":"OpenPhish","link":"","alerts":null},{"sensor_name":"phishtank","type":"url","description":"PhishTank","link":"","alerts":null},{"sensor_name":"quad9","type":"domain","description":"Quad9 DNS","link":"","alerts":null},{"sensor_name":"threatfox","type":"url","description":"ThreatFox","link":"","alerts":null}],"urlquery":null},"javascript":{"script":null,"eval":null,"write":null,"console":null},"http":[{"url":{"schema":"https","addr":"github.com/kkkgo/KMS_VL_ALL/archive/refs/heads/master.zip","fqdn":"github.com","domain":"github.com","tld":"com"},"ip":{"addr":"140.82.121.4","port":443,"asn":36459,"as":"GITHUB","country":"Germany","country_code":"DE"},"is_navigation_request":true,"resource_type":"document","requested_by":"","date":"2025-02-01T18:22:16.505Z","timestamp":1738434136505,"http_version":"HTTP/2","security_state":"secure","security_info":{"cipher_suite":"TLS_AES_128_GCM_SHA256","key_group_name":"x25519","signature_name":"ECDSA-P256-SHA256","protocol":"TLSv1.3","cert":{"subject":{"commonName":"github.com","organization":""},"issuer":{"commonName":"Sectigo ECC Domain Validation Secure Server CA","organization":"Sectigo Limited"},"validity":{"start":"Thu, 07 Mar 2024 00:00:00 GMT","end":"Fri, 07 Mar 2025 23:59:59 GMT"},"fingerprint":{"sha1":"E7:03:5B:CC:1C:18:77:1F:79:2F:90:86:6B:6C:1D:F8:DF:AA:BD:C0","sha256":"FD:6E:9B:0E:F3:98:BC:D9:04:C3:B2:EC:16:7A:7B:0F:DA:72:01:C9:03:C5:3A:6A:6A:E5:D0:41:43:63:EF:65"}}},"request":{"raw":"GET /kkkgo/KMS_VL_ALL/archive/refs/heads/master.zip HTTP/1.1\r\nHost: github.com\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate, br\r\nDNT: 1\r\nUpgrade-Insecure-Requests: 1\r\nConnection: keep-alive\r\nSec-Fetch-Dest: document\r\nSec-Fetch-Mode: navigate\r\nSec-Fetch-Site: cross-site\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n","headers":null,"cookies":null,"method":"GET"},"response":{"raw":"HTTP/2 302 Found\r\nserver: GitHub.com\r\ndate: Sat, 01 Feb 2025 18:22:16 GMT\r\ncontent-type: text/html; charset=utf-8\r\nvary: X-PJAX, X-PJAX-Container, Turbo-Visit, Turbo-Frame, Accept-Encoding, Accept, X-Requested-With\r\nlocation: https://codeload.github.com/kkkgo/KMS_VL_ALL/zip/refs/heads/master\r\ncache-control: max-age=0, private\r\nstrict-transport-security: max-age=31536000; includeSubdomains; preload\r\nx-frame-options: deny\r\nx-content-type-options: nosniff\r\nx-xss-protection: 0\r\nreferrer-policy: no-referrer-when-downgrade\r\ncontent-security-policy: default-src 'none'; base-uri 'self'; child-src github.com/assets-cdn/worker/ github.com/webpack/ github.com/assets/ gist.github.com/assets-cdn/worker/; connect-src 'self' uploads.github.com www.githubstatus.com collector.github.com raw.githubusercontent.com api.github.com github-cloud.s3.amazonaws.com github-production-repository-file-5c1aeb.s3.amazonaws.com github-production-upload-manifest-file-7fdce7.s3.amazonaws.com github-production-user-asset-6210df.s3.amazonaws.com *.rel.tunnels.api.visualstudio.com wss://*.rel.tunnels.api.visualstudio.com objects-origin.githubusercontent.com copilot-proxy.githubusercontent.com proxy.individual.githubcopilot.com proxy.business.githubcopilot.com proxy.enterprise.githubcopilot.com *.actions.githubusercontent.com wss://*.actions.githubusercontent.com productionresultssa0.blob.core.windows.net/ productionresultssa1.blob.core.windows.net/ productionresultssa2.blob.core.windows.net/ productionresultssa3.blob.core.windows.net/ productionresultssa4.blob.core.windows.net/ productionresultssa5.blob.core.windows.net/ productionresultssa6.blob.core.windows.net/ productionresultssa7.blob.core.windows.net/ productionresultssa8.blob.core.windows.net/ productionresultssa9.blob.core.windows.net/ productionresultssa10.blob.core.windows.net/ productionresultssa11.blob.core.windows.net/ productionresultssa12.blob.core.windows.net/ productionresultssa13.blob.core.windows.net/ productionresultssa14.blob.core.windows.net/ productionresultssa15.blob.core.windows.net/ productionresultssa16.blob.core.windows.net/ productionresultssa17.blob.core.windows.net/ productionresultssa18.blob.core.windows.net/ productionresultssa19.blob.core.windows.net/ github-production-repository-image-32fea6.s3.amazonaws.com github-production-release-asset-2e65be.s3.amazonaws.com insights.github.com wss://alive.github.com api.githubcopilot.com api.individual.githubcopilot.com api.business.githubcopilot.com api.enterprise.githubcopilot.com; font-src github.githubassets.com; form-action 'self' github.com gist.github.com copilot-workspace.githubnext.com objects-origin.githubusercontent.com; frame-ancestors 'none'; frame-src viewscreen.githubusercontent.com notebooks.githubusercontent.com; img-src 'self' data: blob: github.githubassets.com media.githubusercontent.com camo.githubusercontent.com identicons.github.com avatars.githubusercontent.com private-avatars.githubusercontent.com github-cloud.s3.amazonaws.com objects.githubusercontent.com secured-user-images.githubusercontent.com/ user-images.githubusercontent.com/ private-user-images.githubusercontent.com opengraph.githubassets.com github-production-user-asset-6210df.s3.amazonaws.com customer-stories-feed.github.com spotlights-feed.github.com objects-origin.githubusercontent.com *.githubusercontent.com; manifest-src 'self'; media-src github.com user-images.githubusercontent.com/ secured-user-images.githubusercontent.com/ private-user-images.githubusercontent.com github-production-user-asset-6210df.s3.amazonaws.com gist.github.com; script-src github.githubassets.com; style-src 'unsafe-inline' github.githubassets.com; upgrade-insecure-requests; worker-src github.com/assets-cdn/worker/ github.com/webpack/ github.com/assets/ gist.github.com/assets-cdn/worker/\r\ncontent-length: 0\r\nx-github-request-id: 77BB:384F1:55F78DD:5967F24:679E6658\r\nX-Firefox-Spdy: h2\r\n","headers":null,"cookies":null,"status_code":"302","status_text":"Found","fingerprints":null,"data":{"size":0,"size_decoded":0,"mime_type":"application/zip","magic":"","md5":"d41d8cd98f00b204e9800998ecf8427e","sha1":"da39a3ee5e6b4b0d3255bfef95601890afd80709","sha256":"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855","sha512":"cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e","ssdeep":"","tlshash":"","first_seen":"0001-01-01T00:00:00Z","last_seen":"2026-05-15T15:20:42.416165Z","times_seen":15223586,"resource_available":true,"data":null}},"time_used":325,"timings":{"blocked":89,"dns":1,"connect":20,"send":0,"wait":144,"receive":1,"ssl":67},"alerts":{"ids":null,"analyzer":null,"urlquery":null}},{"url":{"schema":"https","addr":"codeload.github.com/kkkgo/KMS_VL_ALL/zip/refs/heads/master","fqdn":"codeload.github.com","domain":"github.com","tld":"com"},"ip":{"addr":"140.82.121.10","port":443,"asn":36459,"as":"GITHUB","country":"Germany","country_code":"DE"},"is_navigation_request":true,"resource_type":"document","requested_by":"","date":"2025-02-01T18:22:16.766Z","timestamp":1738434136766,"http_version":"HTTP/2","security_state":"secure","security_info":{"cipher_suite":"TLS_AES_128_GCM_SHA256","key_group_name":"x25519","signature_name":"ECDSA-P256-SHA256","protocol":"TLSv1.3","cert":{"subject":{"commonName":"*.github.com","organization":""},"issuer":{"commonName":"Sectigo ECC Domain Validation Secure Server CA","organization":"Sectigo Limited"},"validity":{"start":"Thu, 07 Mar 2024 00:00:00 GMT","end":"Fri, 07 Mar 2025 23:59:59 GMT"},"fingerprint":{"sha1":"0D:F6:EC:50:FA:ED:AE:6E:13:AF:82:94:52:F7:11:1B:0A:CF:7C:20","sha256":"4D:47:6A:EF:60:3F:1C:32:FB:EF:92:CE:03:B6:EE:F3:33:CF:72:F9:BD:B0:A2:96:0C:FC:CC:02:23:33:5D:9E"}}},"request":{"raw":"GET /kkkgo/KMS_VL_ALL/zip/refs/heads/master HTTP/1.1\r\nHost: codeload.github.com\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate, br\r\nDNT: 1\r\nConnection: keep-alive\r\nUpgrade-Insecure-Requests: 1\r\nSec-Fetch-Dest: document\r\nSec-Fetch-Mode: navigate\r\nSec-Fetch-Site: cross-site\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n\r\n","headers":null,"cookies":null,"method":"GET"},"response":{"raw":"HTTP/2 200 OK\r\naccess-control-allow-origin: https://render.githubusercontent.com\r\ncontent-disposition: attachment; filename=KMS_VL_ALL-master.zip\r\ncontent-security-policy: default-src 'none'; style-src 'unsafe-inline'; sandbox\r\ncontent-type: application/zip\r\ncross-origin-resource-policy: cross-origin\r\netag: W/\"8a264fe52eb1ebcb0515079b6e0dabc9e24561effce0dd1ae4085a0c7751fe94\"\r\nstrict-transport-security: max-age=31536000\r\nvary: Authorization,Accept-Encoding,Origin\r\nx-content-type-options: nosniff\r\nx-frame-options: deny\r\nx-xss-protection: 1; mode=block\r\ndate: Sat, 01 Feb 2025 18:22:16 GMT\r\nx-github-request-id: 4A7A:87AD1:1D22DE:266E20:679E6658\r\nX-Firefox-Spdy: h2\r\n\r\n","headers":null,"cookies":null,"status_code":"200","status_text":"OK","fingerprints":null,"data":{"size":179845,"size_decoded":179845,"mime_type":"application/zip","magic":"Zip archive data, at least v1.0 to extract, compression method=store","md5":"8a848b909d3c248599a1c7ff87e218f9","sha1":"25ab3cfee6ede8b191773e23c50b63098eedd0ac","sha256":"b6c178c80442479e58c38e3d987efe6bfd2be5b3c8c05aa3c3e91106a57f6066","sha512":"4c49494851a72c7ec460e8c30241295778c50c544de5d22f70c89b5db176ea311532bf127bc3e424e5b107b72de52c67b8938ddbfae84f9877442130dacecfba","ssdeep":"3072:HkdEXEAMRzZkXRfAhEPdjCS+ZazdvNPqsayDDLvkS7QEAMMz6kXRfS:HgJA7BiwdjFPda2fvRzAzB6","tlshash":"8a04126dcd0344b9fd1db7bf44631c8fde6b70710ae8a006bad223f5294ba9602705ac","first_seen":"2023-04-06T16:32:35Z","last_seen":"2025-03-02T12:21:50.297159Z","times_seen":119,"resource_available":false,"data":null}},"time_used":347,"timings":{"blocked":111,"dns":4,"connect":23,"send":0,"wait":122,"receive":0,"ssl":83},"alerts":{"ids":null,"analyzer":[{"sensor_name":"virustotal","sensor_type":"file","title":"","description":"VirusTotal","scan_date":"2025-01-06","alert":"Scan result 38/68","trigger":"b6c178c80442479e58c38e3d987efe6bfd2be5b3c8c05aa3c3e91106a57f6066","verdict":"malicious","severity":"","comment":"malicious - 38/68","link":"https://www.virustotal.com/gui/file/b6c178c80442479e58c38e3d987efe6bfd2be5b3c8c05aa3c3e91106a57f6066","meta":null},{"sensor_name":"clamav","sensor_type":"antivirus","title":"","description":"ClamAV","scan_date":"2025-02-01","alert":"Win.Trojan.Generic-10036804-0","trigger":"b6c178c80442479e58c38e3d987efe6bfd2be5b3c8c05aa3c3e91106a57f6066","verdict":"malicious","severity":"medium","comment":"","link":"https://www.clamav.net/","meta":null}],"urlquery":null}}]}