Service_KMS.exe

Service_KMS

The executable Service_KMS.exe has been detected as malware by 13 anti-virus scanners. It runs as a separate Windows service, within the context of its own process, named “Service KMSELDI”. This file is typically installed with the program KMSpico. While running, it connects to the Internet address time-d.nist.gov on port 13.
Product:
Service_KMS

Version:
10.2.1.0

MD5:
feee59526b59849231a744fc9c5f0945

SHA-1:
0b875e3a101d2b73bfaaddd9cc37c51386775d51

SHA-256:
a82b91b05e3316cf1db14e1ec53290e81a3342835872bde1c148fe9a6c46093a

Scanner detections:
13 / 68

Status:
Malware

Analysis date:
5/12/2025 10:30:10 AM UTC

Scan engine
Detection
Engine version

AVG
Dropper.Msil
2014.0.3628

Baidu Antivirus
Trojan.Win32.Generic
4.0.3.131121

Bkav FE
W32.Cloda10.Trojan
1.3.0.4613

ESET NOD32
MSIL/HackTool.IdleKMS.B potentially unsafe application
6.3.12010.0

IKARUS anti.virus
Win32.SuspectCrc
t3scan.2.2.29

McAfee
RDN/Generic Dropper!sd
5600.7266

Microsoft Security Essentials
HackTool:Win32/AutoKMS
1.237.1116.0

Norman
Agent.AOQWC
11.20131121

Panda Antivirus
Suspicious file
13.11.21.02

Reason Heuristics
Unnamed.Threat.18
14.3.1.1

Sophos
Generic PUA AL
4.96

Trend Micro House Call
TROJ_GEN.R0CBB01KS13
7.2.325

VIPRE Antivirus
Trojan.Win32.Generic
24418

File size:
670.5 KB (686,592 bytes)

Product version:
10.2.1.0

Original file name:
Service_KMS.exe

File type:
Executable application (Win32 EXE)

Common path:
C:\Program Files\kmspico\service_kms.exe

File PE Metadata
Compilation timestamp:
11/13/2013 4:08:05 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

.NET CLR dependent:
Yes

CTPH (ssdeep):
12288:NomT1omoVSlEE3dNHXTrw90HSPxHp7yV8pDNDriX99nCdC0ix:3ToYlEE37jr283uPiX95

Entry address:
0xA544E

Entry point:
FF, 25, 00, 20, 40, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00...

Developed / compiled with:
Microsoft Visual C# / Basic .NET

Code size:
653.5 KB (669,184 bytes)

Service
Display name:
Service KMSELDI

Type:
Win32OwnProcess


The file Service_KMS.exe has been discovered within the following program.

About 8% of users remove it

The executing file has been seen to make the following network communications in live environments.

