Analysis Report KMS-R@1n.exe

Overview

General Information

Joe Sandbox Version:28.0.0 Lapis Lazuli
Analysis ID:218150
Start date:26.03.2020
Start time:09:57:22
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 1m 44s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:KMS-R@1n.exe
Cookbook file name:default.jbs
Analysis system description:Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed:3
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis stop reason:Timeout
Detection:MAL
Classification:mal48.winEXE@2/0@0/0
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 100% (good quality ratio 53.8%)
  • Quality average: 38.2%
  • Quality standard deviation: 39.6%
HCA Information:Failed
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .exe
  • Stop behavior analysis, all processes terminated
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe

Detection

Strategy:Threshold
Score:48
Range:0 - 100
Whitelisted:false
Detection:malicious

Confidence

Strategy:Threshold
Score:5
Range:0 - 5
Further Analysis Required?:false


Classification Spiderchart

Analysis Advice

Initial sample is implementing a service and should be registered / started as service
Sample is a service DLL but no service has been registered



Mitre Att&ck Matrix

Initial Access: Valid Accounts; Replication Through Removable Media
Execution: Service Execution 2; Service Execution
Persistence: Modify Existing Service 1; New Service 3
Privilege Escalation: Process Injection 1; New Service 3
Defense Evasion: Process Injection 1; Binary Padding
Credential Access: Credential Dumping; Network Sniffing
Discovery: Security Software Discovery 11; System Information Discovery 1
Lateral Movement: Application Deployment Software; Remote Services
Collection: Data from Local System; Data from Removable Media
Exfiltration: Data Encrypted 11; Exfiltration Over Other Network Medium
Command and Control: Standard Cryptographic Protocol 2; Commonly Used Port 1
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization
Impact: Data Encrypted for Impact 1; Device Lockout

Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: KMS-R@1n.exe | Virustotal: Detection: 50%
Source: KMS-R@1n.exe | Metadefender: Detection: 37%
Source: KMS-R@1n.exe | ReversingLabs: Detection: 54%

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\Desktop\KMS-R@1n.exe | Code function: 0_2_00007FF6CF941C58 memcpy,CryptAcquireContextW,CryptImportKey,CryptCreateHash,CryptSetHashParam,CryptHashData,CryptGetHashParam,CryptDestroyKey,CryptDestroyHash,CryptReleaseContext,0_2_00007FF6CF941C58
Source: C:\Users\user\Desktop\KMS-R@1n.exe | Code function: 0_2_00007FF6CF941DD0 CryptAcquireContextW,CryptGenRandom,CryptReleaseContext,0_2_00007FF6CF941DD0
Source: C:\Users\user\Desktop\KMS-R@1n.exe | Code function: 0_2_00007FF6CF9414A4 CryptAcquireContextW,CryptImportKey,CryptDecrypt,CryptDestroyKey,CryptReleaseContext,0_2_00007FF6CF9414A4
Source: C:\Users\user\Desktop\KMS-R@1n.exe | Code function: 0_2_00007FF6CF9413AC CryptAcquireContextW,CryptImportKey,CryptSetKeyParam,CryptEncrypt,CryptDestroyKey,CryptReleaseContext,0_2_00007FF6CF9413AC
Source: C:\Users\user\Desktop\KMS-R@1n.exe | Code function: 0_2_00007FF6CF941B08 CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,0_2_00007FF6CF941B08

Spam, unwanted Advertisements and Ransom Demands:

Contains functionality to import cryptographic keys (often used in ransomware)
Source: C:\Users\user\Desktop\KMS-R@1n.exe | Code function: 0_2_00007FF6CF941C58 memcpy,CryptAcquireContextW,CryptImportKey,CryptCreateHash,CryptSetHashParam,CryptHashData,CryptGetHashParam,CryptDestroyKey,CryptDestroyHash,CryptReleaseContext,0_2_00007FF6CF941C58
Source: C:\Users\user\Desktop\KMS-R@1n.exe | Code function: 0_2_00007FF6CF9414A4 CryptAcquireContextW,CryptImportKey,CryptDecrypt,CryptDestroyKey,CryptReleaseContext,0_2_00007FF6CF9414A4
Source: C:\Users\user\Desktop\KMS-R@1n.exe | Code function: 0_2_00007FF6CF9413AC CryptAcquireContextW,CryptImportKey,CryptSetKeyParam,CryptEncrypt,CryptDestroyKey,CryptReleaseContext,0_2_00007FF6CF9413AC

System Summary:

Detected potential crypto function
Source: C:\Users\user\Desktop\KMS-R@1n.exe | Code function: 0_2_00007FF6CF9416A0 0_2_00007FF6CF9416A0
Classification label
Source: classification engine | Classification label: mal48.winEXE@2/0@0/0
Contains functionality to modify services (start/stop/modify)
Source: C:\Users\user\Desktop\KMS-R@1n.exe | Code function: 0_2_00007FF6CF9430E4 EntryPoint,StartServiceCtrlDispatcherW,GetLastError,ExitProcess,ExitProcess,0_2_00007FF6CF9430E4
Contains functionality to register a service control handler (likely the sample is a service DLL)
Source: C:\Users\user\Desktop\KMS-R@1n.exe | Code function: 0_2_00007FF6CF9430E4 EntryPoint,StartServiceCtrlDispatcherW,GetLastError,ExitProcess,ExitProcess,0_2_00007FF6CF9430E4
Creates mutexes
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3740:120:WilError_01
PE file has an executable .text section and no other executable section
Source: KMS-R@1n.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Reads software policies
Source: C:\Users\user\Desktop\KMS-R@1n.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Sample is known by Antivirus
Source: KMS-R@1n.exe | Virustotal: Detection: 50%
Source: KMS-R@1n.exe | Metadefender: Detection: 37%
Source: KMS-R@1n.exe | ReversingLabs: Detection: 54%
Spawns processes
Source: unknown | Process created: C:\Users\user\Desktop\KMS-R@1n.exe 'C:\Users\user\Desktop\KMS-R@1n.exe'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
PE file has a high image base, often used for DLLs
Source: KMS-R@1n.exe | Static PE information: Image base 0x140000000 > 0x60000000
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: KMS-R@1n.exe | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA

Boot Survival:

Contains functionality to start windows services
Source: C:\Users\user\Desktop\KMS-R@1n.exe | Code function: 0_2_00007FF6CF9430E4 EntryPoint,StartServiceCtrlDispatcherW,GetLastError,ExitProcess,ExitProcess,0_2_00007FF6CF9430E4

Malware Analysis System Evasion:

Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\KMS-R@1n.exe | API coverage: 3.5 %
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
Source: KMS-R@1n.exe, 00000000.00000002.743455757.00007FF6CF944000.00000002.00020000.sdmp | Binary or memory string: Windows Vista EnterpriseWindows Vista Enterprise NWindows Vista BusinessWindows Vista Business NWindows 7 EnterpriseWindows 7 Enterprise EWindows 7 Enterprise NWindows 7 ProfessionalWindows 7 Professional EWindows 7 Professional NWindows 7 Embedded StandardWindows 7 Thin PCWindows Embedded POSReady 7Windows 8 EnterpriseWindows 8 Enterprise NWindows 8 ProWindows 8 Pro NWindows 8 Pro with MediaCenterWindows 8 CoreWindows 8 Core NWindows 8 Core Country SpecificWindows 8 Core Single LanguageWindows 8 Core ARMWindows 8.1 EnterpriseWindows 8.1 Enterprise NWindows 8.1 ProfessionalWindows 8.1 Professional NWindows Embedded Industry 8.1Windows Embedded IndustryE 8.1Windows Embedded IndustryA 8.1Windows 8.1 Pro with MediaCenterWindows 8.1 CoreWindows 8.1 Core NWindows 8.1 Core Country SpecificWindows 8.1 Core Single LanguageWindows 8.1 Core ARMWindows Web Server 2008Windows HPC Server 2008Windows Server 2008 EnterpriseWindows Server 2008 Enterprise without Hyper-VWindows Server 2008 StandardWindows Server 2008 Standard without Hyper-VWindows Server 2008 DatacenterWindows Server 2008 Datacenter without Hyper-VWindows Server 2008 for Itanium-Based SystemsWindows Web Server 2008 R2Windows HPC Server 2008 R2Windows MultiPoint Server 2011Windows Server 2008 R2 EnterpriseWindows Server 2008 R2 StandardWindows Server 2008 R2 DatacenterWindows Server 2008 R2 for Itanium-Based SystemsWindows Server 2012 DatacenterWindows Server 2012 StandardWindows MultiPoint Server 2012 PremiumWindows MultiPoint Server 2012 StandardWindows Server Essentials 2012Windows Server 2012 R2 DatacenterWindows Server 2012 R2 StandardWindows Storage Server 2012 R2Windows Server Essentials 2012 R2Office Professional Plus 2010Office Standard 2010Office Small Business Basics 2010Project Professional 2010Project Standard 2010Visio Premium 2010Visio Professional 2010Visio Standard 2010Access 2010Excel 2010SharePoint Workspace 2010InfoPath 2010OneNote 2010Outlook 2010PowerPoint 2010Publisher 2010Word 2010Office 2013 Professional PlusOffice 2013 StandardProject 2013 ProfessionalProject 2013 StandardVisio 2013 ProfessionalVisio 2013 StandardAccess 2013Excel 2013InfoPath 2013Lync 2013OneNote 2013Outlook 2013PowerPoint 2013Publisher 2013Word 2013WindowsOffice2010Office2013Unknown ProductError: %s failed with code %u (0x%08x)
Source: KMS-R@1n.exe | Binary or memory string: fzfpfdfZfLfBf8fWindows Vista EnterpriseWindows Vista Enterprise NWindows Vista BusinessWindows Vista Business NWindows 7 EnterpriseWindows 7 Enterprise EWindows 7 Enterprise NWindows 7 ProfessionalWindows 7 Professional EWindows 7 Professional NWindows 7 Embedded StandardWindows 7 Thin PCWindows Embedded POSReady 7Windows 8 EnterpriseWindows 8 Enterprise NWindows 8 ProWindows 8 Pro NWindows 8 Pro with MediaCenterWindows 8 CoreWindows 8 Core NWindows 8 Core Country SpecificWindows 8 Core Single LanguageWindows 8 Core ARMWindows 8.1 EnterpriseWindows 8.1 Enterprise NWindows 8.1 ProfessionalWindows 8.1 Professional NWindows Embedded Industry 8.1Windows Embedded IndustryE 8.1Windows Embedded IndustryA 8.1Windows 8.1 Pro with MediaCenterWindows 8.1 CoreWindows 8.1 Core NWindows 8.1 Core Country SpecificWindows 8.1 Core Single LanguageWindows 8.1 Core ARMWindows Web Server 2008Windows HPC Server 2008Windows Server 2008 EnterpriseWindows Server 2008 Enterprise without Hyper-VWindows Server 2008 StandardWindows Server 2008 Standard without Hyper-VWindows Server 2008 DatacenterWindows Server 2008 Datacenter without Hyper-VWindows Server 2008 for Itanium-Based SystemsWindows Web Server 2008 R2Windows HPC Server 2008 R2Windows MultiPoint Server 2011Windows Server 2008 R2 EnterpriseWindows Server 2008 R2 StandardWindows Server 2008 R2 DatacenterWindows Server 2008 R2 for Itanium-Based SystemsWindows Server 2012 DatacenterWindows Server 2012 StandardWindows MultiPoint Server 2012 PremiumWindows MultiPoint Server 2012 StandardWindows Server Essentials 2012Windows Server 2012 R2 DatacenterWindows Server 2012 R2 StandardWindows Storage Server 2012 R2Windows Server Essentials 2012 R2Office Professional Plus 2010Office Standard 2010Office Small Business Basics 2010Project Professional 2010Project Standard 2010Visio Premium 2010Visio Professional 2010Visio Standard 2010Access 2010Excel 2010SharePoint Workspace 2010InfoPath 2010OneNote 2010Outlook 2010PowerPoint 2010Publisher 2010Word 2010Office 2013 Professional PlusOffice 2013 StandardProject 2013 ProfessionalProject 2013 StandardVisio 2013 ProfessionalVisio 2013 StandardAccess 2013Excel 2013InfoPath 2013Lync 2013OneNote 2013Outlook 2013PowerPoint 2013Publisher 2013Word 2013WindowsOffice2010Office2013Unknown ProductError: %s failed with code %u (0x%08x)
Program exit points
Source: C:\Users\user\Desktop\KMS-R@1n.exe | API call chain: ExitProcess graph end node graph_0-509

Anti Debugging:

Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\KMS-R@1n.exe | Code function: 0_2_00007FF6CF941364 GetProcessHeap,HeapAlloc,0_2_00007FF6CF941364

Remote Access Functionality:

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\Desktop\KMS-R@1n.exe | Code function: 0_2_00007FF6CF9424E4 RpcMgmtStopServerListening,0_2_00007FF6CF9424E4
Source: C:\Users\user\Desktop\KMS-R@1n.exe | Code function: 0_2_00007FF6CF9426A0 RpcServerListen,memset,wcslen,0_2_00007FF6CF9426A0
Source: C:\Users\user\Desktop\KMS-R@1n.exe | Code function: 0_2_00007FF6CF942F7C SetServiceStatus,RpcMgmtStopServerListening,0_2_00007FF6CF942F7C

Malware Configuration

No configs have been found

Behavior Graph

Behavior Graph ID: 218150
Sample: KMS-R@1n.exe
Startdate: 26/03/2020
Architecture: WINDOWS
Score: 48
Signatures: Multi AV Scanner detection for submitted file
Processes: KMS-R@1n.exe (started) -> conhost.exe (started)

Simulations

Behavior and APIs

No simulations

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
KMS-R@1n.exe | 51% | Virustotal |
KMS-R@1n.exe | 38% | Metadefender |
KMS-R@1n.exe | 55% | ReversingLabs | Win64.Hacktool.Hackkms

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Sigma Overview

No Sigma rule has matched

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Startup

  • System is w10x64
  • KMS-R@1n.exe (PID: 552 cmdline: 'C:\Users\user\Desktop\KMS-R@1n.exe' MD5: 0F9FD9565E6EB157FA9BE11ED9C1DC9F)
    • conhost.exe (PID: 3740 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Created / dropped Files

No created / dropped files found

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

Static File Info

General

File type:PE32+ executable (console) x86-64, for MS Windows
Entropy (8bit):5.5315566951223865
TrID:
  • Win64 Executable Console (202006/5) 92.65%
  • Win64 Executable (generic) (12005/4) 5.51%
  • Generic Win/DOS Executable (2004/3) 0.92%
  • DOS Executable Generic (2002/1) 0.92%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:KMS-R@1n.exe
File size:26112
MD5:0f9fd9565e6eb157fa9be11ed9c1dc9f
SHA1:ffd767312eb98685aec289b97e3768559767ee86
SHA256:7565255f0a28d065f8f30f876e7df3e46ef2e6fedf420eca7d454cf49887b2de
SHA512:d76b375a790271a8d88004e02b827f98afc2cbaaa76d20dc7e3aa9ce7dc1582f125e120950fe84722fc113fc6835cd850cdc513be2d3c488e9f357f14f90835c
SSDEEP:384:MZZVSihTYrDKG0y76D6quhUZaRJUMO0qhrLpEvttZODKkbS6:gS2TYrDKG0y+Ssa0Mbl2DKkbN
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......u.1.1._E1._E1._E1.^E.._E8..E:._E...E4._E<..E0._E1..E0._E...E0._ERich1._E........................PE..d...4..S.........."......".

File Icon

Icon Hash:00828e8e8686b000

Static PE Info

General

Entrypoint:0x1400030e4
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x140000000
Subsystem:windows cui
Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Time Stamp:0x53C4DC34 [Tue Jul 15 07:45:56 2014 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:5
OS Version Minor:2
File Version Major:5
File Version Minor:2
Subsystem Version Major:5
Subsystem Version Minor:2
Import Hash:37f9979aa11c72f8eff85b3b9423a1af

Entrypoint Preview

Instruction
dec esp
mov ebx, esp
dec eax
sub esp, 48h
dec ecx
and dword ptr [ebx-18h], 00000000h
dec ecx
and dword ptr [ebx-10h], 00000000h
dec eax
lea eax, dword ptr [000010A4h]
dec ecx
mov dword ptr [ebx-28h], eax
dec eax
lea eax, dword ptr [FFFFFF81h]
dec ecx
lea ecx, dword ptr [ebx-28h]
dec ecx
mov dword ptr [ebx-20h], eax
call dword ptr [00000F1Bh]
test eax, eax
jne 00007FA54CF524F1h
call dword ptr [00000FA1h]
mov ecx, eax
call dword ptr [00000FA9h]
int3
xor ecx, ecx
call dword ptr [00000FA0h]
int3
int3
jmp dword ptr [00001050h]
jmp dword ptr [0000103Ah]
jmp dword ptr [00000FF4h]

Rich Headers

Programming Language:
  • [RES] VS2013 build 21005
  • [LNK] VS2013 UPD2 build 30501
  • [IMP] VS2008 SP1 build 30729

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x6434 | 0x64 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x9000 | 0x478 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x8000 | 0x1ec | .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xa000 | 0xf0 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x4000 | 0x1a0 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x2144 | 0x2200 | False | 0.608226102941 | data | 6.16110736871 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata | 0x4000 | 0x29c6 | 0x2a00 | False | 0.359840029762 | data | 4.37873508028 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x7000 | 0xb1c | 0xc00 | False | 0.619466145833 | data | 5.71199189577 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.pdata | 0x8000 | 0x1ec | 0x200 | False | 0.58984375 | data | 3.92434970743 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x9000 | 0x478 | 0x600 | False | 0.346354166667 | data | 4.36401962919 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xa000 | 0xf0 | 0x200 | False | 0.408203125 | data | 3.2377745709 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name | RVA | Size | Type | Language | Country
RT_MESSAGETABLE | 0x90a0 | 0xa0 | data | English | United States
RT_MANIFEST | 0x9140 | 0x333 | XML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators | English | United States

Imports

DLL | Import
msvcrt.dll | _errno, wcstoul, _time64, _localtime64, wcslen, _wcsicmp, memcpy, _vsnwprintf, memset, memcmp
KERNEL32.dll | CloseHandle, GetLastError, WaitForSingleObject, ExitProcess, HeapAlloc, GetSystemDefaultLCID, FormatMessageW, GetProcessHeap, HeapFree, CreateThread
ADVAPI32.dll | CryptReleaseContext, RegisterServiceCtrlHandlerW, RegOpenKeyExW, SetServiceStatus, DeregisterEventSource, RegQueryValueExW, StartServiceCtrlDispatcherW, RegisterEventSourceW, CryptHashData, RegCloseKey, CryptDestroyHash, CryptDecrypt, CryptDestroyKey, CryptCreateHash, CryptEncrypt, CryptImportKey, CryptGenRandom, CryptSetKeyParam, CryptAcquireContextW, CryptGetHashParam, CryptSetHashParam, ReportEventW
RPCRT4.dll | RpcServerRegisterIfEx, RpcServerListen, RpcMgmtStopServerListening, RpcServerUnregisterIf, RpcServerUseProtseqEpW, NdrServerCall2

Possible Origin

Language of compilation system | Country where language is spoken
English | United States

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

Memory Usage

Behavior

System Behavior

General

Start time:09:58:19
Start date:26/03/2020
Path:C:\Users\user\Desktop\KMS-R@1n.exe
Wow64 process (32bit):false
Commandline:'C:\Users\user\Desktop\KMS-R@1n.exe'
Imagebase:0x7ff6cf940000
File size:26112 bytes
MD5 hash:0F9FD9565E6EB157FA9BE11ED9C1DC9F
Has administrator privileges:false
Programmed in:C, C++ or other language
Reputation:low

General

Start time:09:58:19
Start date:26/03/2020
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7c77e0000
File size:625664 bytes
MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
Has administrator privileges:false
Programmed in:C, C++ or other language
Reputation:high

Disassembly

Code Analysis

    Execution Graph

    Execution Coverage:0.7%
    Dynamic/Decrypted Code Coverage:0%
    Signature Coverage:38%
    Total number of Nodes:171
    Total number of Limit Nodes:1

    Graph


    Callgraph
