6ee7f3ecd5111cd5306792fd3141515d

Summary

Architecture IMAGE_FILE_MACHINE_I386
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date 2015-Aug-10 07:45:14
Comments
CompanyName MSFree Inc.
FileDescription KMSAuto Net
FileVersion 1.3.8
InternalName KMSAuto Net.exe
LegalCopyright
LegalTrademarks
OriginalFilename KMSAuto Net.exe
ProductName KMSAuto Net
ProductVersion 1.3.8
Assembly Version 1.3.8.0

Plugin Output

Info Matching compiler(s):
  • Microsoft Visual C++ 6.0 - 8.0
  • Microsoft Visual C# v7.0 / Basic .NET
  • Microsoft Visual C++ 8.0
  • MASM/TASM - sig2(h)
  • Microsoft Visual C++
  • Microsoft Visual C++ v6.0
  • .NET executable -> Microsoft
Suspicious strings found in the binary may indicate undesirable behavior:
Contains references to system / monitoring tools:
  • control.exe
  • sc.exe
Contains references to internet browsers:
  • iexplore.exe
Contains references to security software:
  • sfc.exe
May have dropper capabilities:
  • %TEMP%
  • CurrentControlSet\Services
  • CurrentControlSet\services
  • CurrentVersion\Run
Accesses the WMI:
  • root\cimv2
Miscellaneous malware strings:
  • Virus
  • cmd.exe
  • exploit
  • virus
Info Cryptographic algorithms detected in the binary:
  • Uses constants related to CRC32
  • Uses constants related to MD5
  • Uses constants related to SHA1
  • Uses constants related to SHA256
  • Uses constants related to AES
Info The PE is digitally signed.
Signer: Ratiborus MSFree Inc.
Issuer: Ratiborus MSFree Inc.
Malicious VirusTotal score: 39/66 (Scanned on 2018-03-11 13:59:37)
Bkav: W32.HfsAdware.6B84
MicroWorld-eScan: Application.Hacktool.KMSAuto.B
CAT-QuickHeal: HackTool.AutoKMS.FC.3225
McAfee: Generic HTool.h
Cylance: Unsafe
K7GW: Unwanted-Program ( 004fa0b21 )
K7AntiVirus: Unwanted-Program ( 004fa0b21 )
Invincea: heuristic
Cyren: W32/Trojan.TLVG-1451
Symantec: Trojan.Gen
ESET-NOD32: a variant of MSIL/HackKMS.I potentially unsafe
TrendMicro-HouseCall: CRCK_KMS
ClamAV: Win.Tool.Kmsauto-2
Kaspersky: not-a-virus:RiskTool.Win32.HackKMS.i
BitDefender: Application.Hacktool.KMSAuto.B
Ad-Aware: Application.Hacktool.KMSAuto.B
Sophos: KMS Activator (PUA)
Comodo: ApplicUnsaf.Win32.HackTool.AutoKMS
F-Secure: Application.Hacktool.KMSAuto
VIPRE: Trojan.Win32.Generic!BT
TrendMicro: CRCK_KMS
McAfee-GW-Edition: Generic HTool.h
Emsisoft: Application.HackTool (A)
SentinelOne: static engine - malicious
Jiangmin: HackTool.KMSAuto.n
Webroot: W32.Hacktool.Kms
Antiy-AVL: RiskWare[RiskTool]/MSIL.HackKMS
Microsoft: HackTool:Win32/AutoKMS
Endgame: malicious (high confidence)
Arcabit: Application.Hacktool.KMSAuto.B
ZoneAlarm: not-a-virus:HEUR:RiskTool.MSIL.HackKMS.gen
GData: Application.Hacktool.KMSAuto.B
AhnLab-V3: HackTool/Win32.KMSAuto.R209007
AVware: Trojan.Win32.Generic!BT
MAX: malware (ai score=98)
Yandex: Riskware.HackTool!7QxPaUSMW1c
Ikarus: PUA.HackTool.Kmsauto
Fortinet: Riskware/KMSAuto
Cybereason: malicious.cd5111

Hashes

MD5 6ee7f3ecd5111cd5306792fd3141515d
SHA1 45c92d0e691175a39a8c61228f526f80a7ca94fc
SHA256 69a8ae6352cffd366409df8e566e84315b4bffcf5865a4b8079c446123ba1d26
SHA3 f7daf52e41b6e9710fb47b62aed6a4b9321190d9453e38db069ae9ee70db0655
SSDeep 196608:0eywBGqyw1lT3ywuywQyw1ywlywaywTyw9lywfywEyw1ywHywwywmIBywyywsywv:IwBGnw1l+wjwNw4wIw3w2w9IwqwJw4w4
Imports Hash f34d5f2d4577ed6d9ceec516c1f5a744

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0x80

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_I386
NumberofSections 3
TimeDateStamp 2015-Aug-10 07:45:14
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xe0
Characteristics IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Image Optional Header

Magic PE32
LinkerVersion 80.0
SizeOfCode 0x69a600
SizeOfInitializedData 0xc000
SizeOfUninitializedData 0
AddressOfEntryPoint 0x69c4c2 (Section: .text)
BaseOfCode 0x2000
BaseOfData 0x69e000
ImageBase 0x400000
SectionAlignment 0x2000
FileAlignment 0x200
OperatingSystemVersion 4.0
ImageVersion 0.0
SubsystemVersion 6.0
Win32VersionValue 0
SizeOfImage 0x6ac000
SizeOfHeaders 0x200
Checksum 0x6ab464
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
DllCharacteristics IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
SizeofStackReserve 0x100000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

.text

MD5 d96d3c1f27fdf8ed4ffc84bae8d08d53
SHA1 3d7a7de44f333b36e3bce4e739689b8420051814
SHA256 8c9240655a8aa6055e190444b341dc9a109990b79c03ff4b6fea8c364cc984d9
SHA3 1aacec7f262f177a7d1b732409f75aa95c4bbe892cf6896fb6137ac20e3da906
VirtualSize 0x69a4c8
VirtualAddress 0x2000
SizeOfRawData 0x69a600
PointerToRawData 0x200
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Entropy 7.09188

.rsrc

MD5 9fd389f93f01f78c83da3fd6f38a2dce
SHA1 8db451b07e1a3334e0f5a60e8ad5495a0cc5bdc5
SHA256 79789549d8e4a7ce5b7fe5db094fe8c76555ebbf624f2a2b28666bed5a4cd486
SHA3 c1a0e83a13ffc5746b10ee9df97b03d7636062b790bfdde1eead3aae86e3cfc7
VirtualSize 0xbc3c
VirtualAddress 0x69e000
SizeOfRawData 0xbe00
PointerToRawData 0x69a800
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 4.62475

.reloc

MD5 cc481ba5a719ca3f1636116bf8fb9c81
SHA1 66967131b7e5b1b1fb7b7c5d6b7dd832e32f115e
SHA256 34aed731e9b854cb2c383fe43d56844ae095204ca31d2d84161a13bb3a119aca
SHA3 ba13c61028fa6e22a502bea26e60b2cb6585108e95ac7edf485afffbbfdc4c52
VirtualSize 0xc
VirtualAddress 0x6aa000
SizeOfRawData 0x200
PointerToRawData 0x6a6600
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Entropy 0.10191

Imports

mscoree.dll _CorExeMain

Delayed Imports

Resources

1

Type RT_ICON
Language UNKNOWN
Codepage UNKNOWN
Size 0xea8
Entropy 4.77266
MD5 b91dfb58d28a620ce5903736baafed0d
SHA1 399ea2003cb06393d4d8552d4d3ed308e0da2e28
SHA256 a5b578dd05dd966b8154c45589d9f4c4997c388f89cd1615f0507594f9671b8f
SHA3 7fed1c5dd199c70ca0b71b046586d2cdf7bcb99bd3857bbcd27c4e8c9c840850

2

Type RT_ICON
Language UNKNOWN
Codepage UNKNOWN
Size 0x8a8
Entropy 5.29604
MD5 eeedec0e99eddbf26b17e36eea0b76ac
SHA1 25826ac568237b22e43f8ceb021f333514be19d5
SHA256 2902fad50697e55603cdf43006ecb62a518dcb01872ba79d11ea1719c04868ff
SHA3 1e89769cf0d8c6b8c764398cb337548a76a2e480f3d4b1a5a64709cbd3897cb0

3

Type RT_ICON
Language UNKNOWN
Codepage UNKNOWN
Size 0x6c8
Entropy 4.35071
MD5 7abe8c176dbe2ae2ad5f9b41b39da62d
SHA1 fdacd53099ada70fcf91988cef9e29e4b490ca81
SHA256 cc3506eadd7e416b621899c23c435280f2869dc45a66b99b95ac0d92df654261
SHA3 8973629c34e7994c1715c0e4e6e7342536a69aaf19d6c74c79c4f02c18ac8793

4

Type RT_ICON
Language UNKNOWN
Codepage UNKNOWN
Size 0x568
Entropy 3.03007
MD5 02a09b53b53c0e3b0f82977eb58ab5b9
SHA1 712bf54be3ee3c2daabe4ad730c08dd76e73a55d
SHA256 8d20d73af732650caa2467f207905a0f30af8270243306f84afba87102301462
SHA3 91ff711da174d3241956c660f0b1d2a83aa93c1cdefe97e20329a0154550b704

5

Type RT_ICON
Language UNKNOWN
Codepage UNKNOWN
Size 0x4228
Entropy 3.79019
MD5 79f34f59a1682db69ce1a1b9014771dc
SHA1 adbb3afafeaffdf99402d9ad49ed0cbdeef13c46
SHA256 737f61d83e94b9f96fa7d8a2e341e0120eee33b4aa0ddb24e61fca4d8ed60090
SHA3 cf988dafa88590a72a399d36a992ef6ce4eb1cb0a60f20a514f932e8b996d56b

6

Type RT_ICON
Language UNKNOWN
Codepage UNKNOWN
Size 0x25a8
Entropy 4.1678
MD5 24a1e7e7c6e045aefe1a55e777d0818a
SHA1 d3c6c274f87d67ab2ebcafc22c80d8b5c6bf30ab
SHA256 2371b811ce9e67be6371eb03cc6693973e6ba95483c177406be4165aa6a7fe5c
SHA3 35125a048c6e79ada89541cf9f61291ba3314d7c15f1568e5745f7898b318f38

7

Type RT_ICON
Language UNKNOWN
Codepage UNKNOWN
Size 0x10a8
Entropy 4.32586
MD5 f1e11368814679b45bf408938a83d89c
SHA1 4ff9edddd0b7255764a20c559615107207bd4388
SHA256 d98b9f4207a4ed1122444a0f4d6ff15da9b99d65621491c6780b93bcddd0bbd1
SHA3 490d78ee23e9a95d6f75e32e068be5bc173b4fc129955fc86c1609dd5994ffef

8

Type RT_ICON
Language UNKNOWN
Codepage UNKNOWN
Size 0x988
Entropy 4.672
MD5 95476d8cba2b0fc425a45b23f962492e
SHA1 79786f5ca7ecac9fc5a4be0f4e65310c4f349cd6
SHA256 5d3d4d5c58ccd81cee4b20fbaf65a19ba7abaa340c3239e51c47fcf1be349d54
SHA3 febda5cda78a77dfdfa9330c51b2a7dede08da63e206333a2c5d9394b21b4ea3

9

Type RT_ICON
Language UNKNOWN
Codepage UNKNOWN
Size 0x468
Entropy 5.05539
MD5 de7d3bc3dcac36f1b115df41c3667658
SHA1 6b8192c80e09243cb2085806d23d6dd6d1908317
SHA256 72781296cf166c7ee02dd8af1e646ba2f931e3cc3c225c35808d0046ab42b352
SHA3 b63d6d13b784fb841d5172a76a22351520a165223504026c31b9c7361d507dc6

32512

Type RT_GROUP_ICON
Language UNKNOWN
Codepage UNKNOWN
Size 0x84
Entropy 2.96193
Detected Filetype Icon file
MD5 f2ead720e26aea3a53ab0840ceb93532
SHA1 877ecc189bf14a4099f528ad5db16aa69d16c9b2
SHA256 acf711e5149fd94f1e8f573fde716526e9fae613de09caecc0bd36d3f6379b8e
SHA3 a3c5178771e88a259ae443b2b977cf83e670e3a7267bb221b602332c72c8856a

1 (#2)

Type RT_VERSION
Language UNKNOWN
Codepage UNKNOWN
Size 0x318
Entropy 3.33987
MD5 b4c42fcd12e51a66c3268fa3a58ec6d3
SHA1 5d9f9c23dc09ca5fcd8a6b039d3995e903a5de42
SHA256 08ae4ea3d6f64489cf5ffb0d4acef64bef53f3795147f3e2996cd9f58477d5db
SHA3 81c8f542a4a3443ba7e87df42b4446df5f5d158d4409caacaea8b95853b7879e

1 (#3)

Type RT_MANIFEST
Language UNKNOWN
Codepage UNKNOWN
Size 0xc01
Entropy 5.41186
MD5 1013eb8986f4bbfe28bfdb90218006b8
SHA1 f7955422f894fbf63a42520b8b4518a4b60c6eed
SHA256 2595c62ac46f1922d13e744516f6f1f0a46fa116cff91c3167e36d92090f81a7
SHA3 550db5923578bb1060b4c2ac75b6a54586ccc6fc318da67fe94d0d735248a1a5

Version Info

Signature 0xfeef04bd
StructVersion 0x10000
FileVersion 1.3.8.0
ProductVersion 1.3.8.0
FileFlags (EMPTY)
FileOs VOS_DOS_WINDOWS32
VOS_NT_WINDOWS32
VOS__WINDOWS32
FileType VFT_APP
Language UNKNOWN
Comments
CompanyName MSFree Inc.
FileDescription KMSAuto Net
FileVersion (#2) 1.3.8
InternalName KMSAuto Net.exe
LegalCopyright
LegalTrademarks
OriginalFilename KMSAuto Net.exe
ProductName KMSAuto Net
ProductVersion (#2) 1.3.8
Assembly Version 1.3.8.0
Resource LangID UNKNOWN

TLS Callbacks

Load Configuration

RICH Header

Errors