The well-known KMSPico activator tool has been classified as a malicious binary: while activating the Windows environment it is run in, the tool contacts 8 domains and 14 hosts.
The hosts and IPs it connects to are listed below:
KMSPico communicates mainly over ports 80 and 443.
Looking at the POST traffic that is generated, we can see that information is being sent to keenondownload.com, including the MAC address of the device and some type of username.
POST /index.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; Trident/7.0; .NET4.0E; .NET4.0C; .NET CLR 3.5.30729; .NET CLR 2.0.50727; .NET CLR 3.0.30729)
Host: www.keenondownload.com
Content-Length: 554
Connection: Keep-Alive
Cache-Control: no-cache

Body: Net1.1=&Net2=3.5.30729.4926SP1&Net4=4.5.51641&OSversion=NT6.3SP0&Slv=&Sysid=55BE2B545C3C71DACD1ECD50DFED0C73&Sysid1=D82EEA89B81AB3DAB442A4B1607BD260&X64=N&admin=Y&browser=FirefoxURL&cavp=%22Windows+Defender%22%3B&chver=&cmdl=KMSPico10.0.9__8173_il94690.exe&dprod=A21CC102FC6D2E696FC836585B7A35&dprod4=77B342BD3BBE5C1FF30221EF5C6FD7&exe=KMSPico10.0.9__8173_il94690&ffver=184.108.40.20642&lang_DfltUser=0409&mac=MEEwMDI3MjlDQjdEMDAwMAA%3D&machg=ZGIwMmNiMmEtYjkzYS00YjA3LWE5OWEtZTBlZmMxM2RiYjY4AA%3D%3D&name=YjlhUjVDenZ6awA%3D&netfs=-1&ts=1438624280&ver=220.127.116.11
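A small decoder for the beacon body shown above, added here as an example (it is not code from the original post or from KMSPico): it URL-decodes the form fields, base64-decodes the mac, machg and name values, which the capture shows as NUL-terminated strings, and flags requests that match this capture's shape. The body string is copied from the capture above; the host/path matcher is an assumption about what a detection rule would key on.

```python
import base64
from urllib.parse import parse_qs

# Copy of the POST body from the capture on this page (URL-encoded form data).
KMSPICO_POST_BODY = (
    "Net1.1=&Net2=3.5.30729.4926SP1&Net4=4.5.51641&OSversion=NT6.3SP0&Slv=&"
    "Sysid=55BE2B545C3C71DACD1ECD50DFED0C73&Sysid1=D82EEA89B81AB3DAB442A4B1607BD260&"
    "X64=N&admin=Y&browser=FirefoxURL&cavp=%22Windows+Defender%22%3B&chver=&"
    "cmdl=KMSPico10.0.9__8173_il94690.exe&dprod=A21CC102FC6D2E696FC836585B7A35&"
    "dprod4=77B342BD3BBE5C1FF30221EF5C6FD7&exe=KMSPico10.0.9__8173_il94690&"
    "ffver=184.108.40.20642&lang_DfltUser=0409&mac=MEEwMDI3MjlDQjdEMDAwMAA%3D&"
    "machg=ZGIwMmNiMmEtYjkzYS00YjA3LWE5OWEtZTBlZmMxM2RiYjY4AA%3D%3D&"
    "name=YjlhUjVDenZ6awA%3D&netfs=-1&ts=1438624280&ver=220.127.116.11"
)

# Fields the beacon base64-encodes; each decodes to a NUL-terminated ASCII string.
B64_FIELDS = ("mac", "machg", "name")
# Host-identifying / security-posture fields sent in clear text.
CLEAR_FIELDS = ("Sysid", "Sysid1", "OSversion", "admin", "cavp", "exe", "ts")


def decode_beacon(body: str) -> dict:
    """Return the host-fingerprint fields of a KMSPico telemetry POST body, decoded."""
    params = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    out = {}
    for key in B64_FIELDS:
        if key in params:
            raw = base64.b64decode(params[key])
            out[key] = raw.rstrip(b"\x00").decode("ascii", "replace")
    for key in CLEAR_FIELDS:
        if key in params:
            out[key] = params[key]
    # The page describes 'mac' as the MAC address; format its first 12 hex digits
    # as one (assumption: the remaining digits are padding).
    if len(out.get("mac", "")) >= 12:
        out["mac_formatted"] = ":".join(out["mac"][i:i + 2] for i in range(0, 12, 2))
    return out


def is_kmspico_beacon(host: str, path: str, body: str) -> bool:
    """Detection rule (assumed shape): POST /index.php to keenondownload.com
    carrying the base64 'mac'/'machg' fields and the 'exe' name."""
    params = parse_qs(body, keep_blank_values=True)
    return (host.endswith("keenondownload.com") and path == "/index.php"
            and all(k in params for k in ("mac", "machg", "exe")))
```

Feeding the captured body through decode_beacon yields the machine GUID and the user-name-like value in clear, which is what a proxy log or IDS rule should be keyed on rather than the raw base64.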
You can read the full report on the KMSPico application here.