Spyware: Beware of the KMSPico activator tool, which is used to make Windows appear legitimate

The famous KMSPico activator tool has been classified as a malicious binary: the tool contacts 8 domains and 14 hosts while activating the Windows environment in which it is being run.


The hosts and IPs that are contacted are shown below:

cdn2.downloadcrest.com      United States
installer.ppdownload.com    United States
static.revenyou.com         United States
srv.dmdataserver.com        United States
stats.g.doubleclick.net     United States
www.keenondownload.com      United States
i1088.photobucket.com       United States
cdn1.downloadcrest.com      United States

KMSPico mainly communicates via ports 80 and 443.

Once we take a look at the POST traffic that is generated, we can see that information is being sent to keenondownload.com, including the MAC address of the device and some type of username.

POST /index.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; Trident/7.0; .NET4.0E; .NET4.0C; .NET CLR 3.5.30729; .NET CLR 2.0.50727; .NET CLR 3.0.30729)
Host: www.keenondownload.com
Content-Length: 554
Connection: Keep-Alive
Cache-Control: no-cache

Body: Net1.1=&Net2=3.5.30729.4926SP1&Net4=4.5.51641&OSversion=NT6.3SP0&Slv=&Sysid=55BE2B545C3C71DACD1ECD50DFED0C73&Sysid1=D82EEA89B81AB3DAB442A4B1607BD260&X64=N&admin=Y&browser=FirefoxURL&cavp=%22Windows+Defender%22%3B&chver=&cmdl=KMSPico10.0.9__8173_il94690.exe&dprod=A21CC102FC6D2E696FC836585B7A35&dprod4=77B342BD3BBE5C1FF30221EF5C6FD7&exe=KMSPico10.0.9__8173_il94690&ffver=
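As an added example (not part of the original post or of any sandbox report), the following Python checks a captured HTTP request against the host list above and, for a form-encoded POST, pulls out the fields that identify the machine and the binary; the choice of fields to flag is an assumption, and the sample request is the capture shown above reassembled with CRLF line endings.

```python
from urllib.parse import parse_qs

# Hosts contacted by KMSPico, as listed in the post above.
KMSPICO_HOSTS = {
    "cdn2.downloadcrest.com", "installer.ppdownload.com", "static.revenyou.com",
    "srv.dmdataserver.com", "stats.g.doubleclick.net", "www.keenondownload.com",
    "i1088.photobucket.com", "cdn1.downloadcrest.com",
}
# Form fields from the captured body that identify the machine, the binary or
# the user (field names are from the capture; this selection is an assumption).
IDENTIFYING_FIELDS = ("Sysid", "Sysid1", "cmdl", "exe", "dprod", "dprod4", "admin")

# The POST from the post above, reassembled with CRLF line endings; headers are
# trimmed to the ones the check uses and the body is the truncated fragment shown.
SAMPLE_REQUEST = (
    "POST /index.php HTTP/1.1\r\n"
    "Host: www.keenondownload.com\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 554\r\n"
    "\r\n"
    "Net1.1=&Net2=3.5.30729.4926SP1&Net4=4.5.51641&OSversion=NT6.3SP0&Slv="
    "&Sysid=55BE2B545C3C71DACD1ECD50DFED0C73&Sysid1=D82EEA89B81AB3DAB442A4B1607BD260"
    "&X64=N&admin=Y&browser=FirefoxURL&cavp=%22Windows+Defender%22%3B&chver="
    "&cmdl=KMSPico10.0.9__8173_il94690.exe&dprod=A21CC102FC6D2E696FC836585B7A35"
    "&dprod4=77B342BD3BBE5C1FF30221EF5C6FD7&exe=KMSPico10.0.9__8173_il94690&ffver="
)

def parse_http_request(raw):
    """Split a raw HTTP/1.x request into (request line, lower-cased headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body

def inspect_request(raw):
    """Return a finding for a request to a known KMSPico host, else None."""
    request_line, headers, body = parse_http_request(raw)
    host = headers.get("host", "").lower()
    if host not in KMSPICO_HOSTS:
        return None
    finding = {"host": host, "request": request_line, "fields": {}}
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        form = parse_qs(body, keep_blank_values=True)  # decodes %xx and '+'
        finding["fields"] = {n: form[n][0] for n in IDENTIFYING_FIELDS if n in form}
    return finding
```

Run over proxy or IDS captures, a hit on `host` alone is enough to alert; the extracted `Sysid` values and `cmdl` file name tell you which machine and which copy of the binary produced the traffic.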

You can read the full report on the KMSPico application here.