Service_KMS.exe

Service_KMS

@ByELDI

The application Service_KMS.exe by @ByELDI has been detected as a potentially unwanted program by 2 anti-malware scanners. It runs as a separate Windows service (in the context of its own process) named “Service KMSELDI”. This file is typically installed with the program KMSpico. While running, it connects to the Internet address 2a.6a.acb8.ip4.static.sl-reverse.com on port 13. The file is signed, but the signature chains to the publisher's own “@ByELDI Certificate Authority” rather than to a public certificate authority.
Publisher:
@ByELDI (signed and verified)

Product:
Service_KMS

Version:
12.1.0.0

MD5:
c471c170bfb078deb5cf7c270d47b529

SHA-1:
17565fdf920ab1f99b05f4b0f7fa2af1684f51c9

SHA-256:
d9d5e88266eededf97b4210ec3af89fb93ea358476f40edbc068d2121e036438

Scanner detections:
2 / 68

Status:
Potentially unwanted

Analysis date:
4/23/2024 4:54:04 PM UTC

Scan engine: ESET NOD32
Detection: MSIL/HackTool.IdleKMS (variant)
Engine version: 8.9397

Scan engine: Reason Heuristics
Detection: PUP.ByELDI.Meta
Engine version: 15.4.25.2

File size:
1 MB (1,069,248 bytes)

Product version:
12.1.0.0

Original file name:
Service_KMS.exe

File type:
Executable application (Win32 EXE)

Language:
Language Neutral

Common path:
C:\Program Files\kmspico\service_kms.exe

Digital Signature
Signed by:
@ByELDI

Authority:
@ByELDI Certificate Authority

Valid from:
2/3/2014 6:17:06 PM

Valid to:
2/3/2044 6:17:06 PM

Subject:
CN=@ByELDI

Issuer:
CN=@ByELDI Certificate Authority

Serial number:
DC0E43711C7C40D18044372CAF69F6A1

File PE Metadata
Compilation timestamp:
2/6/2014 8:12:21 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

.NET CLR dependent:
Yes

CTPH (ssdeep):
12288:+D/somT1omoVSlifJahl7dnXNHXTrw90HSPxH9+YR3t31NBKSyfUPKTP:+DYToYl8Ul7dndjr282R3vNwHTP

Entry address:
0x101A5E

Entry point:
FF, 25, 00, 20, 40, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00...

Entropy:
6.0152

Code size:
1023 KB (1,047,552 bytes)

Service
Display name:
Service KMSELDI

Type:
Win32OwnProcess


The file Service_KMS.exe has been discovered within the following program: KMSpico.

About 8% of users remove it

The executing file has been seen to make the following network communications in live environments. All of them are outbound TCP connections to port 13 (the daytime time-service port), mostly to public NIST time servers.

TCP: Connects to time-c.nist.gov (129.6.15.30:13)
TCP: Connects to time-d.nist.gov (129.6.15.27:13)
TCP: Connects to 207_223_123_18.colo.teklinks.net (207.223.123.18:13)
TCP: Connects to nist1-lnk.binary.net (216.229.0.179:13)
TCP: Connects to nist.netservicesgroup.com (64.113.32.5:13)
TCP: Connects to 2a.6a.acb8.ip4.static.sl-reverse.com (184.172.106.42:13)
TCP: Connects to utcnist2.colorado.edu (128.138.141.172:13)
TCP: Connects to unallocated.barefruit.co.uk (92.242.140.20:13)
TCP: Connects to time-a.nist.gov (129.6.15.28:13)
TCP: Connects to nist-time-server.eoni.com (216.228.192.69:13)
TCP: Connects to nisttime.edzone.net (198.111.152.100:13)
TCP: Connects to india.colorado.edu (128.138.140.44:13)
TCP: Connects to host-24-56-178-140.beyondbb.com (24.56.178.140:13)
