TeamOS Activator v4.exe
This report is generated from a file or URL submitted to this webservice on April 4th 2018 02:25:33 (UTC)
Guest System: Windows 7 64 bit, Professional, 6.1 (build 7601), Service Pack 1
Report generated by Falcon Sandbox v8.00 © Hybrid Analysis
Incident Response
Risk Assessment
- Persistence
  - Spawns a lot of processes
  - Writes data to a remote process
- Fingerprint
  - Reads the active computer name
  - Reads the cryptographic machine GUID
- Evasive
  - Tries to sleep for a long time (more than two minutes)
- Spreading
  - Opens the MountPointManager (often used to detect additional infection locations)
- Network Behavior
  - Contacts 1 host.
Indicators
Not all malicious and suspicious indicators are displayed.
Malicious Indicators (7)

External Systems

Sample was identified as malicious by a trusted Antivirus engine
- details: No specific details available
- source: External System
- relevance: 5/10

Sample was identified as malicious by at least one Antivirus engine
- details: 3/64 Antivirus vendors marked sample as malicious (4% detection rate)
- source: External System
- relevance: 8/10
General

The analysis extracted a file that was identified as malicious
- details:
  - 43/76 Antivirus vendors marked dropped file "KMSAuto.exe" as malicious (classified as "Trojan.Generic" with 56% detection rate)
  - 44/78 Antivirus vendors marked dropped file "KMSpico_setup.exe" as malicious (classified as "Application.Hacktool.KMSAuto" with 56% detection rate)
  - 50/77 Antivirus vendors marked dropped file "Re-LoaderByR@1n.exe" as malicious (classified as "Application.Hacktool" with 64% detection rate)
  - 7/75 Antivirus vendors marked dropped file "KMSAuto x64.exe" as malicious (classified as "AutoKMS" with 9% detection rate)
  - 44/75 Antivirus vendors marked dropped file "Re-LoaderByRa1n.exe" as malicious (classified as "Trojan.Keylogger" with 58% detection rate)
  - 5/69 Antivirus vendors marked dropped file "SetupComplete.cmd" as malicious (classified as "BAT_AUTOKMS.A" with 7% detection rate)
  - 44/75 Antivirus vendors marked dropped file "Activator.exe" as malicious (classified as "Trojan.Generic" with 58% detection rate)
- source: Binary File
- relevance: 10/10

The analysis spawned a process that was identified as malicious
- details:
  - 44/75 Antivirus vendors marked spawned process "Re-LoaderByRa1n.exe" (PID: 2548) as malicious (classified as "Trojan.Keylogger" with 58% detection rate)
  - 50/77 Antivirus vendors marked spawned process "Re-LoaderByR@1n.exe" (PID: 3988) as malicious (classified as "Application.Hacktool" with 64% detection rate)
  - 44/75 Antivirus vendors marked spawned process "Re-LoaderByRa1n.exe" (PID: 3828) as malicious (classified as "Trojan.Keylogger" with 58% detection rate)
  - 50/77 Antivirus vendors marked spawned process "Re-LoaderByR@1n.exe" (PID: 3096) as malicious (classified as "Application.Hacktool" with 64% detection rate)
  - 44/75 Antivirus vendors marked spawned process "Re-LoaderByRa1n.exe" (PID: 3736) as malicious (classified as "Trojan.Keylogger" with 58% detection rate)
  - 50/77 Antivirus vendors marked spawned process "Re-LoaderByR@1n.exe" (PID: 656) as malicious (classified as "Application.Hacktool" with 64% detection rate)
  - 44/75 Antivirus vendors marked spawned process "Re-LoaderByRa1n.exe" (PID: 2292) as malicious (classified as "Trojan.Keylogger" with 58% detection rate)
  - 50/77 Antivirus vendors marked spawned process "Re-LoaderByR@1n.exe" (PID: 4716) as malicious (classified as "Application.Hacktool" with 64% detection rate)
  - 44/75 Antivirus vendors marked spawned process "Re-LoaderByRa1n.exe" (PID: 1756) as malicious (classified as "Trojan.Keylogger" with 58% detection rate)
  - 50/77 Antivirus vendors marked spawned process "Re-LoaderByR@1n.exe" (PID: 4772) as malicious (classified as "Application.Hacktool" with 64% detection rate)
  - 44/75 Antivirus vendors marked spawned process "Re-LoaderByRa1n.exe" (PID: 5012) as malicious (classified as "Trojan.Keylogger" with 58% detection rate)
  - 50/77 Antivirus vendors marked spawned process "Re-LoaderByR@1n.exe" (PID: 2924) as malicious (classified as "Application.Hacktool" with 64% detection rate)
- source: Monitored Target
- relevance: 10/10
Installation/Persistence

Writes data to a remote process
- details:
  - "<Input Sample>" wrote 1500 bytes to a remote process "%TEMP%\ir_ext_temp_0\autorun.exe" (Handle: 284)
  - "<Input Sample>" wrote 4 bytes to a remote process "%TEMP%\ir_ext_temp_0\autorun.exe" (Handle: 284)
  - "<Input Sample>" wrote 8 bytes to a remote process "%TEMP%\ir_ext_temp_0\autorun.exe" (Handle: 284)
  - "<Input Sample>" wrote 32 bytes to a remote process "%TEMP%\ir_ext_temp_0\autorun.exe" (Handle: 284)
  - "<Input Sample>" wrote 52 bytes to a remote process "%TEMP%\ir_ext_temp_0\autorun.exe" (Handle: 284)
- source: API Call
- relevance: 6/10
Unusual Characteristics

Contains native function calls
- details:
  - NtdllDefWindowProc_A@NTDLL.DLL from TeamOS Activator v4.exe (PID: 4612)
  - NtdllDefWindowProc_A@NTDLL.DLL from TeamOS Activator v4.exe (PID: 4612)
- source: Hybrid Analysis Technology
- relevance: 5/10

Spawns a lot of processes
- details:
  - Spawned process "<Input Sample>"
  - Spawned process "autorun.exe" with commandline ""Activator" "v4.exe" "SFXSOURCE:C:\TeamOS Activator v4.exe""
  - Spawned process "Re-LoaderByRa1n.exe"
  - Spawned process "Re-LoaderByR@1n.exe"
  - Spawned process "Re-LoaderByRa1n.exe"
  - Spawned process "Re-LoaderByR@1n.exe"
  - Spawned process "Re-LoaderByRa1n.exe"
  - Spawned process "Re-LoaderByR@1n.exe"
  - Spawned process "Re-LoaderByRa1n.exe"
  - Spawned process "Re-LoaderByR@1n.exe"
  - Spawned process "Re-LoaderByRa1n.exe"
  - Spawned process "Re-LoaderByR@1n.exe"
  - Spawned process "Re-LoaderByRa1n.exe"
  - Spawned process "Re-LoaderByR@1n.exe"
- source: Monitored Target
- relevance: 8/10
Suspicious Indicators (27)

Anti-Detection/Stealthiness

Queries kernel debugger information
- details:
  - "Re-LoaderByRa1n.exe" at 00018031-00002548-00000033-67759026
  - "Re-LoaderByR@1n.exe" at 00018168-00003988-00000033-67761209
  - "Re-LoaderByRa1n.exe" at 00020263-00003828-00000033-74882078
  - "Re-LoaderByR@1n.exe" at 00020516-00003096-00000033-75784941
  - "Re-LoaderByRa1n.exe" at 00022827-00003736-00000033-84528020
  - "Re-LoaderByR@1n.exe" at 00023086-00000656-00000033-85461588
  - "Re-LoaderByRa1n.exe" at 00025416-00002292-00000033-94211152
  - "Re-LoaderByR@1n.exe" at 00025677-00004716-00000033-95159416
  - "Re-LoaderByRa1n.exe" at 00027763-00001756-00000033-103062597
  - "Re-LoaderByR@1n.exe" at 00028019-00004772-00000033-104045550
  - "Re-LoaderByRa1n.exe" at 00030329-00005012-00000033-112762898
- source: API Call
- relevance: 6/10
Anti-Reverse Engineering

Creates guarded memory regions (anti-debugging trick to avoid memory dumping)
- details:
  - "Re-LoaderByRa1n.exe" is allocating memory with PAGE_GUARD access rights
  - "Re-LoaderByR@1n.exe" is allocating memory with PAGE_GUARD access rights
- source: API Call
- relevance: 10/10

PE file has unusual entropy sections
- details: sections .code, .text, .rdata, .data and UPX1 with unusual entropies 7.96657101633, 7.99842825211, 7.96308968927, 7.99954393785 and 7.99985876092 (listed in the same order)
- source: Static Parser
- relevance: 10/10

PE file is packed with UPX
- details:
  - "KMSAuto x64.exe" has a section named "UPX0"
  - "KMSAuto x64.exe" has a section named "UPX1"
- source: Static Parser
- relevance: 10/10
Cryptographic Related

Found a cryptographic related string
- details: "DES" (Indicator: "des"; File: "lua5.1.dll.1719414117")
- source: File/Memory
- relevance: 10/10
Environment Awareness

Possibly tries to implement anti-virtualization techniques
- details:
  - "Exemple d'utilisation / Logo 2: / Logo Re-Loader.exe = "VMWare" (est contraint d'installer le logo VMWare)" (Indicator: "vmware")
  - "Example use / Logo 2: Activator.exe / Logo = "VMWare" (is forced to install the VMWare logo)" (Indicator: "vmware")
- source: File/Memory
- relevance: 4/10

Reads the cryptographic machine GUID
- details:
  - "Re-LoaderByRa1n.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
  - "Re-LoaderByR@1n.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
- source: Registry Access
- relevance: 10/10
General

Contains ability to find and load resources of a specific module
- details:
  - FindResourceA@KERNEL32.DLL from TeamOS Activator v4.exe (PID: 4612)
  - FindResourceA@KERNEL32.DLL from TeamOS Activator v4.exe (PID: 4612)
  - LockResource@KERNEL32.DLL from TeamOS Activator v4.exe (PID: 4612)
  - FindResourceA@KERNEL32.DLL from TeamOS Activator v4.exe (PID: 4612)
  - FindResourceA@KERNEL32.DLL from TeamOS Activator v4.exe (PID: 4612)
  - FindResourceA@KERNEL32.DLL from TeamOS Activator v4.exe (PID: 4612)
  - FreeResource@KERNEL32.DLL from TeamOS Activator v4.exe (PID: 4612)
  - LockResource@KERNEL32.DLL from TeamOS Activator v4.exe (PID: 4612)
- source: Hybrid Analysis Technology
- relevance: 1/10

Reads configuration files
- details:
  - "autorun.exe" read file "C:\Users\desktop.ini"
  - "autorun.exe" read file "%PUBLIC%\desktop.ini"
  - "autorun.exe" read file "%PUBLIC%\Desktop\desktop.ini"
- source: API Call
- relevance: 4/10
Installation/Persistence

Drops executable files
- details:
  - "autorun.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
  - "KMSAuto.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
  - "KMSpico_setup.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
  - "lua5.1.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
  - "Re-LoaderByR@1n.exe" has type "MS-DOS executable MZ for MS-DOS"
  - "KMSAuto x64.exe" has type "PE32+ executable (GUI) x86-64 for MS Windows"
  - "Re-LoaderByRa1n.exe" has type "MS-DOS executable MZ for MS-DOS"
  - "lua51.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
  - "Activator.exe" has type "PE32 executable (GUI) Intel 80386 Mono/.Net assembly for MS Windows"
- source: Binary File
- relevance: 10/10
Network Related

Found potential IP address in binary/memory
- details:
  - Heuristic match: "IS 4.0.24.0"
  - "1.0.2.8"
  - "127.0.0.%WINDIR%\ Office"
  - Heuristic match: ", , 127.0.0.2:,"
  - Heuristic match: "; www.defense.gov = 184.25.56.139, www.whitehouse.gov = 184.27.36.110, www.kremlin.ru = 95.173.136.72 ;)"
- source: File/Memory
- relevance: 3/10
Unusual Characteristics

CRC value set in PE header does not match actual value
- details:
  - "lua5.1.dll" claimed CRC 342940 while the actual is CRC 1806306
  - "KMSAuto x64.exe" claimed CRC 1767068 while the actual is CRC 1610530
  - "lua51.dll" claimed CRC 50122 while the actual is CRC 2312491
- source: Static Parser
- relevance: 10/10

Entrypoint in PE header is within an uncommon section
- details:
  - "KMSAuto.exe" has an entrypoint in section ".msfree"
  - "KMSAuto x64.exe" has an entrypoint in section "UPX1"
- source: Static Parser
- relevance: 10/10

Imports suspicious APIs
- details: RegOpenKeyExW, GetProcAddress, GetModuleHandleA, LoadLibraryA, URLDownloadToFileW, WSAStartup, GetFileAttributesA, WriteFile, IsDebuggerPresent, GetModuleFileNameA, UnhandledExceptionFilter, TerminateProcess, GetTickCount, GetStartupInfoA, DeleteFileA, CreateFileA, GetCommandLineA, GetModuleHandleW, CreateProcessA, Sleep, VirtualAlloc, IcmpSendEcho, VirtualProtect, InternetOpenW, bind
- source: Static Parser
- relevance: 1/10

Installs hooks/patches the running process
- details:
  - "Re-LoaderByRa1n.exe" wrote bytes "654c8b1c25c8140000" to virtual address "0xED2A25DB" (part of module "CLR.DLL")
  - "Re-LoaderByRa1n.exe" wrote bytes "850d31316c090000" to virtual address "0xED9B69B8" (part of module "CLR.DLL")
  - "Re-LoaderByRa1n.exe" wrote bytes "654c8b1c25c8140000" to virtual address "0xED2A296C" (part of module "CLR.DLL")
  - "Re-LoaderByRa1n.exe" wrote bytes "65488b0425c8140000" to virtual address "0xED2A2B00" (part of module "CLR.DLL")
  - "Re-LoaderByRa1n.exe" wrote bytes "65488b0425c8140000" to virtual address "0xED2A2B20" (part of module "CLR.DLL")
  - "Re-LoaderByRa1n.exe" wrote bytes "65488b0425d0140000" to virtual address "0xED2A2BEB" (part of module "CLR.DLL")
  - "Re-LoaderByRa1n.exe" wrote bytes "654c8b1c25c8140000" to virtual address "0xED2A26DD" (part of module "CLR.DLL")
  - "Re-LoaderByRa1n.exe" wrote bytes "654c8b1c25c8140000" to virtual address "0xED2A2560" (part of module "CLR.DLL")
  - "Re-LoaderByRa1n.exe" wrote bytes "654c8b1c25c8140000" to virtual address "0xED2A286A" (part of module "CLR.DLL")
  - "Re-LoaderByRa1n.exe" wrote bytes "654c8b1c25c8140000" to virtual address "0xED2A2523" (part of module "CLR.DLL")
  - "Re-LoaderByRa1n.exe" wrote bytes "65488b0425d0140000" to virtual address "0xED2A2B7B" (part of module "CLR.DLL")
  - "Re-LoaderByRa1n.exe" wrote bytes "65488b0425c8140000" to virtual address "0xED2A2AE3" (part of module "CLR.DLL")
  - "Re-LoaderByRa1n.exe" wrote bytes "65488b0425d0140000" to virtual address "0xED2A2BBB" (part of module "CLR.DLL")
  - "Re-LoaderByRa1n.exe" wrote bytes "654c8b1c25c8140000" to virtual address "0xED2A2693" (part of module "CLR.DLL")
  - "Re-LoaderByRa1n.exe" wrote bytes "65488b0425d0140000" to virtual address "0xED2A2C2B" (part of module "CLR.DLL")
  - "Re-LoaderByRa1n.exe" wrote bytes "654c8b1c25c8140000" to virtual address "0xED2A263E" (part of module "CLR.DLL")
  - "Re-LoaderByR@1n.exe" wrote bytes "654c8b1c25c8140000" to virtual address "0xED2A25DB" (part of module "CLR.DLL")
  - "Re-LoaderByR@1n.exe" wrote bytes "654c8b1c25c8140000" to virtual address "0xED2A296C" (part of module "CLR.DLL")
  - "Re-LoaderByR@1n.exe" wrote bytes "4b1a3f31b61f0000" to virtual address "0xED9B69B8" (part of module "CLR.DLL")
  - "Re-LoaderByR@1n.exe" wrote bytes "65488b0425c8140000" to virtual address "0xED2A2B00" (part of module "CLR.DLL")
- source: Hook Detection
- relevance: 10/10

Reads information about supported languages
- details:
  - "<Input Sample>" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
  - "autorun.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
  - "Re-LoaderByRa1n.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
  - "Re-LoaderByR@1n.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
- source: Registry Access
- relevance: 3/10

Hiding 11 Suspicious Indicators
Informative (26)

Anti-Reverse Engineering

Contains ability to register a top-level exception handler (often used as anti-debugging trick)
- details:
  - SetUnhandledExceptionFilter@KERNEL32.DLL from TeamOS Activator v4.exe (PID: 4612)
  - SetUnhandledExceptionFilter@KERNEL32.DLL from TeamOS Activator v4.exe (PID: 4612)
  - SetUnhandledExceptionFilter@KERNEL32.DLL from TeamOS Activator v4.exe (PID: 4612)
  - SetUnhandledExceptionFilter@KERNEL32.dll
- source: Hybrid Analysis Technology
- relevance: 1/10

Found strings in conjunction with a procedure lookup that resolve to a known API export symbol
- details:
  - Found reference to API NotifyWinEvent@USER32.DLL from TeamOS Activator v4.exe (PID: 4612)
  - Found reference to API FindActCtxSectionStringA@KERNEL32.DLL from TeamOS Activator v4.exe (PID: 4612)
  - Found reference to API IsProcessorFeaturePresent@KERNEL32.DLL from TeamOS Activator v4.exe (PID: 4612)
  - Found reference to API HeapQueryInformation@KERNEL32.DLL from TeamOS Activator v4.exe (PID: 4612)
- source: Hybrid Analysis Technology
- relevance: 10/10

PE file contains zero-size sections
- details:
  - Raw size of ".adata" is zero
  - Raw size of "UPX0" is zero
- source: Static Parser
- relevance: 10/10
Environment Awareness

Contains ability to query machine time
- details:
  - GetSystemTimeAsFileTime@KERNEL32.DLL from TeamOS Activator v4.exe (PID: 4612)
  - GetSystemTimeAsFileTime@KERNEL32.DLL from TeamOS Activator v4.exe (PID: 4612)
  - GetSystemTimeAsFileTime@KERNEL32.dll
  - GetSystemTimeAsFileTime@KERNEL32.dll
  - GetSystemTimeAsFileTime@KERNEL32.dll
- source: Hybrid Analysis Technology
- relevance: 1/10

Contains ability to query the machine timezone
- details:
  - GetTimeZoneInformation@KERNEL32.DLL from TeamOS Activator v4.exe (PID: 4612)
  - GetTimeZoneInformation@KERNEL32.dll
- source: Hybrid Analysis Technology
- relevance: 1/10

Contains ability to query the machine version
- details: GetVersionExA@KERNEL32.DLL from TeamOS Activator v4.exe (PID: 4612)
- source: Hybrid Analysis Technology
- relevance: 1/10

Contains ability to query the system locale
- details:
  - GetUserDefaultLCID@KERNEL32.dll
  - EnumSystemLocalesA@KERNEL32.dll
  - EnumSystemLocalesA@KERNEL32.dll
- source: Hybrid Analysis Technology
- relevance: 1/10

Contains ability to query volume size
- details: GetDiskFreeSpaceA@KERNEL32.DLL from TeamOS Activator v4.exe (PID: 4612)
- source: Hybrid Analysis Technology
- relevance: 3/10

Makes a code branch decision directly after an API that is environment aware
- details: Found API call GetVersionExA@KERNEL32.DLL (Target: "TeamOS Activator v4.exe"; Stream UID: "00014598-00004612-52466-914-0041EC2A") which is directly followed by "cmp dword ptr [ebp-00000088h], 02h" and "xor ecx, ebp", from TeamOS Activator v4.exe (PID: 4612). Related instructions (offset and instruction):
  - +35 call 00429510h
  - +40 add esp, 0Ch
  - +43 lea eax, dword ptr [ebp-00000098h]
  - +49 push eax
  - +50 mov dword ptr [ebp-00000098h], 00000094h
  - +60 call dword ptr [004411ACh] ;GetVersionExA
  - +66 mov ecx, dword ptr [ebp-04h]
  - +69 xor eax, eax
  - +71 cmp dword ptr [ebp-00000088h], 02h
  - +78 sete al
  - +81 xor ecx, ebp
- source: Hybrid Analysis Technology
- relevance: 10/10

Possibly tries to detect the presence of a debugger
- details: GetProcessHeap@KERNEL32.DLL from TeamOS Activator v4.exe (PID: 4612)
- source: Hybrid Analysis Technology
- relevance: 1/10

Queries volume information
- details:
  - "Re-LoaderByRa1n.exe" queries volume information of "%TEMP%\ir_ext_temp_0\AutoPlay\Docs\Re-LoaderByRa1n\Re-LoaderByRa1n.exe" at 00018031-00002548-00000046-67353838
  - "Re-LoaderByR@1n.exe" queries volume information of "C:\Users\%USERNAME%\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Docs\Re-Loader 2.2 Final\Re-LoaderByR@1n.exe" at 00018168-00003988-00000046-67349104
  - "Re-LoaderByRa1n.exe" queries volume information of "C:\Users\%USERNAME%\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Docs\Re-LoaderByRa1n\Re-LoaderByRa1n.exe" at 00020263-00003828-00000046-74532051
  - "Re-LoaderByR@1n.exe" queries volume information of "C:\Users\%USERNAME%\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Docs\Re-Loader 2.2 Final\Re-LoaderByR@1n.exe" at 00020516-00003096-00000046-75619692
  - "Re-LoaderByRa1n.exe" queries volume information of "C:\Users\%USERNAME%\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Docs\Re-LoaderByRa1n\Re-LoaderByRa1n.exe" at 00022827-00003736-00000046-84175159
  - "Re-LoaderByR@1n.exe" queries volume information of "C:\Users\%USERNAME%\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Docs\Re-Loader 2.2 Final\Re-LoaderByR@1n.exe" at 00023086-00000656-00000046-85297706
  - "Re-LoaderByRa1n.exe" queries volume information of "C:\Users\%USERNAME%\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Docs\Re-LoaderByRa1n\Re-LoaderByRa1n.exe" at 00025416-00002292-00000046-93872529
  - "Re-LoaderByR@1n.exe" queries volume information of "C:\Users\%USERNAME%\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Docs\Re-Loader 2.2 Final\Re-LoaderByR@1n.exe" at 00025677-00004716-00000046-94992782
  - "Re-LoaderByRa1n.exe" queries volume information of "C:\Users\%USERNAME%\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Docs\Re-LoaderByRa1n\Re-LoaderByRa1n.exe" at 00027763-00001756-00000046-102735077
  - "Re-LoaderByR@1n.exe" queries volume information of "C:\Users\%USERNAME%\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Docs\Re-Loader 2.2 Final\Re-LoaderByR@1n.exe" at 00028019-00004772-00000046-103852081
  - "Re-LoaderByRa1n.exe" queries volume information of "C:\Users\%USERNAME%\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Docs\Re-LoaderByRa1n\Re-LoaderByRa1n.exe" at 00030329-00005012-00000046-112424915
- source: API Call
- relevance: 2/10
General

Contacts server
- details: "2.21.242.227:80"
- source: Network Traffic
- relevance: 1/10

Contains PDB pathways
- details: "%USERPROFILE%\Documents\Visual Studio 2015\Projects\R@1n10RC8GUI\R@1n\bin\Debug\CryptoObfuscator_Output\Activator.pdb"
- source: File/Memory
- relevance: 1/10

Creates a writable file in a temporary directory
- details:
  - "<Input Sample>" created file "%TEMP%\ir_ext_temp_0\AutoPlay\Audio\Click1.ogg"
  - "<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Audio\High1.ogg"
  - "<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\autorun.cdd"
  - "<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Docs\KMSAuto_Lite_Portable_v1.3.5.2\KMSAuto x64.exe"
  - "<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Docs\KMSAuto_Lite_Portable_v1.3.5.2\KMSAuto.exe"
  - "<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Docs\KMSAuto_Lite_Portable_v1.3.5.2\KMSAutoLite.ini"
  - "<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Docs\KMSAuto_Lite_Portable_v1.3.5.2\readme_bg.txt"
  - "<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Docs\KMSAuto_Lite_Portable_v1.3.5.2\readme_cn.txt"
  - "<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Docs\KMSAuto_Lite_Portable_v1.3.5.2\readme_en.txt"
  - "<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Docs\KMSAuto_Lite_Portable_v1.3.5.2\readme_ru.txt"
- source: API Call
- relevance: 1/10

Creates mutants
- details:
  - "\Sessions\1\BaseNamedObjects\Local\ZonesCacheCounterMutex"
  - "\Sessions\1\BaseNamedObjects\Local\ZonesLockedCacheCounterMutex"
  - "DirectSound Administrator shared thread array (lock)"
  - "Local\DirectSound DllMain mutex (0x00000E6C)"
  - "\Sessions\1\BaseNamedObjects\Local\DirectSound DllMain mutex (0x00000E6C)"
  - "\Sessions\1\BaseNamedObjects\DirectSound Administrator shared thread array (lock)"
- source: Created Mutant
- relevance: 3/10

Drops files marked as clean
- details:
  - Antivirus vendors marked dropped file "lua5.1.dll" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
  - Antivirus vendors marked dropped file "SetupComplete.cmd" as clean (type is "DOS batch file ASCII text with CRLF line terminators")
  - Antivirus vendors marked dropped file "lua51.dll" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
- source: Binary File
- relevance: 10/10

Loads the .NET runtime environment
- details:
  - "Re-LoaderByRa1n.exe" loaded module "%WINDIR%\assembly\NativeImages_v4.0.30319_64\mscorlib\5d0c037297cc1a64b52ce43b45c2ac2e\mscorlib.ni.dll" at EBD00000
  - "Re-LoaderByR@1n.exe" loaded module "%WINDIR%\assembly\NativeImages_v4.0.30319_64\mscorlib\5d0c037297cc1a64b52ce43b45c2ac2e\mscorlib.ni.dll" at EBD00000
  - "Re-LoaderByRa1n.exe" loaded module "%WINDIR%\assembly\NativeImages_v4.0.30319_64\mscorlib\5d0c037297cc1a64b52ce43b45c2ac2e\mscorlib.ni.dll" at EC6F0000
- source: Loaded Module

Process launched with changed environment
- details:
  - Process "Re-LoaderByRa1n.exe" was launched with new environment variables: "LUA_PATH="!\AutoPlay\Scripts\?;!\AutoPlay\Scripts\?.lua;.\?.lua;!\lua\?.lua;!\lua\?\init.lua;!\?.lua;!\?\init.lua\AutoPlay\Scripts\?.lua;;!\?.lua;!\?;?;?.lua;", __COMPAT_LAYER="ElevateCreateProcess", LUA_CPATH="!\AutoPlay\Scripts\?;!\AutoPlay\Scripts\?.dll;.\?.dll;.\?51.dll;!\?.dll;!\?51.dll;!\clibs\?.dll;!\clibs\?51.dll;!\loadall.dll;!\clibs\loadall.dll\AutoPlay\Scripts\?.dll;;!\?.dll;!\?;""
  - Process "Re-LoaderByRa1n.exe" was launched with modified environment variables: "Path"
- source: Monitored Target
- relevance: 10/10

Spawns new processes
- details:
  - Spawned process "autorun.exe" with commandline ""Activator" "v4.exe" "SFXSOURCE:C:\TeamOS Activator v4.exe""
  - Spawned process "Re-LoaderByRa1n.exe"
  - Spawned process "Re-LoaderByR@1n.exe"
  - Spawned process "Re-LoaderByRa1n.exe"
  - Spawned process "Re-LoaderByR@1n.exe"
  - Spawned process "Re-LoaderByRa1n.exe"
  - Spawned process "Re-LoaderByR@1n.exe"
  - Spawned process "Re-LoaderByRa1n.exe"
  - Spawned process "Re-LoaderByR@1n.exe"
  - Spawned process "Re-LoaderByRa1n.exe"
  - Spawned process "Re-LoaderByR@1n.exe"
  - Spawned process "Re-LoaderByRa1n.exe"
  - Spawned process "Re-LoaderByR@1n.exe"
- source: Monitored Target
- relevance: 3/10
Installation/Persistence

Connects to LPC ports
- details:
  - "Re-LoaderByRa1n.exe" connecting to "\ThemeApiPort"
  - "Re-LoaderByR@1n.exe" connecting to "\ThemeApiPort"
- source: API Call
- relevance: 1/10

Dropped files
- details:
  - "autorun.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
  - "KMSAuto.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
  - "KMSpico_setup.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
  - "lua5.1.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
  - "Re-LoaderByR@1n.exe" has type "MS-DOS executable MZ for MS-DOS"
  - "KMSAuto x64.exe" has type "PE32+ executable (GUI) x86-64 for MS Windows"
  - "Re-LoaderByRa1n.exe" has type "MS-DOS executable MZ for MS-DOS"
  - "SetupComplete.cmd" has type "DOS batch file ASCII text with CRLF line terminators"
  - "lua51.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
  - "Activator.exe" has type "PE32 executable (GUI) Intel 80386 Mono/.Net assembly for MS Windows"
  - "readme_bg.txt" has type "Non-ISO extended-ASCII text with CRLF line terminators"
  - "readme_cn.txt" has type "UTF-8 Unicode (with BOM) text with CRLF line terminators"
  - "background.psd" has type "Adobe Photoshop Image 396 x 400 RGB 3x 8-bit channels"
  - "KMSAutoLite.ini" has type "UTF-8 Unicode (with BOM) text with CRLF line terminators"
  - "Click1.ogg" has type "Ogg data Vorbis audio mono 44100 Hz ~128000 bps created by: Xiphophorus libVorbis I (1.0 RC2)"
  - "Ico.ico" has type "MS Windows icon resource - 9 icons 256-colors"
  - "Readme.txt" has type "ASCII text with CRLF line terminators"
  - "Lisezmoi.txt" has type "ISO-8859 text with CRLF line terminators"
- source: Binary File
- relevance: 3/10

Touches files in the Windows directory
- details:
  - "<Input Sample>" touched file "C:\Windows\Globalization\Sorting\SortDefault.nls"
  - "<Input Sample>" touched file "C:\Windows\SysWOW64\en-US\msctf.dll.mui"
  - "<Input Sample>" touched file "C:\Windows\Fonts\StaticCache.dat"
  - "<Input Sample>" touched file "C:\Windows\SysWOW64\tzres.dll"
  - "<Input Sample>" touched file "C:\Windows\AppPatch\sysmain.sdb"
  - "autorun.exe" touched file "C:\Windows\AppPatch\sysmain.sdb"
  - "autorun.exe" touched file "C:\Windows\AppPatch\AcLayers.dll"
  - "autorun.exe" touched file "C:\Windows\SysWOW64\tzres.dll"
  - "autorun.exe" touched file "C:\Windows\Globalization\Sorting\SortDefault.nls"
  - "autorun.exe" touched file "C:\Windows\SysWOW64\d3d9.dll"
  - "autorun.exe" touched file "C:\Windows\SysWOW64\en-US\dsound.dll.mui"
  - "autorun.exe" touched file "C:\Windows\Fonts\StaticCache.dat"
  - "autorun.exe" touched file "C:\Windows\SysWOW64\en-US\user32.dll.mui"
  - "autorun.exe" touched file "C:\Windows\SysWOW64\en-US\msctf.dll.mui"
  - "autorun.exe" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches"
  - "autorun.exe" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Caches\cversions.1.db"
- source: API Call
- relevance: 7/10
Network Related

Found potential URL in binary/memory
- details:
  - Heuristic match: "-O\S.vE"
  - Heuristic match: "`^=d<K.jE"
  - Heuristic match: "Aii[8W9.CD"
  - Heuristic match: "m5JgFH.ke"
  - Heuristic match: "?1gl?..vn"
  - Heuristic match: "U5\5CB.LB"
  - Pattern match: "www.indigorose.com"
  - Pattern match: "www.teamos-hkrg.com"
  - Pattern match: "http://genuine.microsoft.com/reporting/XmlEvent.ashx?v=3"
  - Pattern match: "http://www.indigorose.com"
  - Heuristic match: "Lua - The Programming LanguageArgument %d must be of type %s.EC"
  - Heuristic match: "Black\ContextTabGreenClient.bmpContextTabYellowClient = Office2007Black\ContextTabYellowClient.bmpContextTabPurpleClient = Office2007Black\ContextTabPurpleClient.bmpContextTabRedClient = Office2007Black\ContextTabRedClient.bmpContextTabPurpleHeader"
  - Heuristic match: ".teamos-hkrg.com"
  - Heuristic match: ">7.Jp"
  - Heuristic match: "Activator.My"
  - Pattern match: "http://schemas.microsoft.com/SMI/2005/WindowsSettings"
  - Pattern match: "http://www.microsoft.com/it-it/download/details.aspx?id=17718"
  - Pattern match: "http://www.microsoft.com/genuine/validate/"
  - Pattern match: "https://technet.microsoft.com/it-it/library/jj612867.aspx"
  - Pattern match: "https://technet.microsoft.com/it-it/library/dn385360.aspx"
  - Pattern match: "http://forums.mydigitallife.info/"
  - Pattern match: "www.lua.org"
  - Pattern match: "http://www.w3.org/2001/XMLSchema-instance"
  - Pattern match: "www.defense.gov"
  - Heuristic match: "Item0 = kms.03k.org"
  - Heuristic match: "Item1 = kms.digiboy.ir"
  - Heuristic match: "Item2 = hq1.chinancce.com"
  - Heuristic match: "Item3 = xykz.f3322.org"
  - Heuristic match: "Item4 = kms.lotro.cc"
  - Heuristic match: "Item5 = kms789.com"
  - Heuristic match: "Item6 = kms-win.msdn123.com"
  - Pattern match: "http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdline"
  - Pattern match: "http://schemas.microsoft.com/SMI/2005/Windo"
- source: File/Memory
- relevance: 10/10
Spyware/Information Retrieval

Found a reference to a known community page
- details:
  - "- Sur Twitter: @Ra1nReLoader" (Indicator: "twitter")
  - "- I'm back on Twitter with the account @Ra1nReLoader This is my original account! other accounts are fake! be careful!" (Indicator: "twitter")
  - "* Updated Twitter account, you can find me with @Ra1nReLoader, OTHER ACCOUNTS ARE FAKE." (Indicator: "twitter")
  - "Merci aux membres sur Twitter: RainReLoader" (Indicator: "twitter")
  - "- Sur Twitter: RainReLoader" (Indicator: "twitter")
  - "- on Twitter: @Ra1nReLoader" (Indicator: "twitter")
  - "Thanks to members on Twitter:RainReLoader" (Indicator: "twitter")
  - "- On Twitter: RainReLoader" (Indicator: "twitter")
- source: File/Memory
- relevance: 7/10
System Security

Opens the Kernel Security Device Driver (KsecDD) of Windows
- details:
  - "<Input Sample>" opened "\Device\KsecDD"
  - "autorun.exe" opened "\Device\KsecDD"
  - "Re-LoaderByRa1n.exe" opened "\Device\KsecDD"
  - "Re-LoaderByR@1n.exe" opened "\Device\KsecDD"
- source: API Call
- relevance: 10/10
Unusual Characteristics
-
Matched Compiler/Packer signature
- details
-
"KMSAuto.exe" was detected as "ASPack v2.1"
"lua5.1.dll" was detected as "Visual C++ 2005 DLL -> Microsoft"
"Re-LoaderByR@1n.exe" was detected as "Microsoft visual C# v7.0 / Basic .NET"
"Re-LoaderByRa1n.exe" was detected as "Microsoft visual C# v7.0 / Basic .NET"
"lua51.dll" was detected as "Microsoft visual C++ vx.x DLL"
- source
- Static Parser
- relevance
- 10/10
File Details
TeamOS Activator v4.exe
- Filename
- TeamOS Activator v4.exe
- Size
- 30MiB (31724021 bytes)
- Type
- peexe executable
- Description
- PE32 executable (GUI) Intel 80386, for MS Windows
- Architecture
- WINDOWS
- SHA256
- 5b78b1d8c2a43abc74488d56bc4a9efc4f678ac2b3f77eb0de9ee3aa9663b5cc
- MD5
- 5603824dcbf4578d8ed42e400c4389a6
- SHA1
- 0c4add8e9a0fa0b2130079a3b417f027cb1d7911
Classification (TrID)
- 56.1% (.EXE) Win64 Executable (generic)
- 26.6% (.SCR) Windows screen saver
- 9.1% (.EXE) Win32 Executable (generic)
- 4.0% (.EXE) Generic Win/DOS Executable
- 4.0% (.EXE) DOS Executable Generic
Screenshots
Hybrid Analysis
Analysed 14 processes in total (System Resource Monitor).
-
TeamOS Activator v4.exe
(PID: 4612)
3/64
-
autorun.exe
"Activator" "v4.exe" "SFXSOURCE:C:\TeamOS Activator v4.exe"
(PID: 3692)
- Re-LoaderByRa1n.exe (PID: 2548) 44/75
- Re-LoaderByR@1n.exe (PID: 3988) 50/77
- Re-LoaderByRa1n.exe (PID: 3828) 44/75
- Re-LoaderByR@1n.exe (PID: 3096) 50/77
- Re-LoaderByRa1n.exe (PID: 3736) 44/75
- Re-LoaderByR@1n.exe (PID: 656) 50/77
- Re-LoaderByRa1n.exe (PID: 2292) 44/75
- Re-LoaderByR@1n.exe (PID: 4716) 50/77
- Re-LoaderByRa1n.exe (PID: 1756) 44/75
- Re-LoaderByR@1n.exe (PID: 4772) 50/77
- Re-LoaderByRa1n.exe (PID: 5012) 44/75
- Re-LoaderByR@1n.exe (PID: 2924) 50/77
Network Analysis
DNS Requests
No relevant DNS requests were made.
Contacted Hosts
IP Address | Port/Protocol | Associated Process | Details |
---|---|---|---|
2.21.242.227 | 80 TCP | - | European Union |
Contacted Countries
HTTP Traffic
No relevant HTTP requests were made.
Extracted Strings
Extracted Files
Displaying 24 extracted file(s). The remaining 6 file(s) are available in the full version and XML/JSON reports.
-
Malicious 7
-
-
KMSAuto x64.exe
- Size
- 1.6MiB (1711976 bytes)
- Type
- peexe 64bits executable
- Description
- PE32+ executable (GUI) x86-64, for MS Windows
- AV Scan Result
- Labeled as "AutoKMS" (7/75)
- Runtime Process
- TeamOS Activator v4.exe (PID: 4612)
- MD5
- cd0029d89904f05c92942b1628b62351
- SHA1
- 13d028e47d712d51b6300c60fe7eb20609ae9518
- SHA256
- 586ab928bafab3552f93cde81219a2c474ddded15057c6a0aff3ae5ea193c78e
-
KMSAuto.exe
- Size
- 1.7MiB (1774936 bytes)
- Type
- peexe executable
- Description
- PE32 executable (GUI) Intel 80386, for MS Windows
- AV Scan Result
- Labeled as "Trojan.Generic" (43/76)
- Runtime Process
- TeamOS Activator v4.exe (PID: 4612)
- MD5
- dcdaad3cdd381dd218c2b9aab76d1e9a
- SHA1
- c848630807c7e81ed40329d776e58d4c48fb13a6
- SHA256
- 37a515c77dfdc4df3b05ff78a40449eac6dea2c6599dcddc9681b92a123e9216
-
KMSpico_setup.exe
- Size
- 3.1MiB (3229424 bytes)
- Type
- peexe executable
- Description
- PE32 executable (GUI) Intel 80386, for MS Windows
- AV Scan Result
- Labeled as "Application.Hacktool.KMSAuto" (44/78)
- Runtime Process
- TeamOS Activator v4.exe (PID: 4612)
- MD5
- a02164371a50c5ff9fa2870ef6e8cfa3
- SHA1
- 060614723f8375ecaad8b249ff07e3be082d7f25
- SHA256
- 64c731adbe1b96cb5765203b1e215093dcf268d020b299445884a4ae62ed2d3a
-
Activator.exe
- Size
- 3.1MiB (3279872 bytes)
- Type
- peexe assembly executable
- Description
- PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
- AV Scan Result
- Labeled as "Trojan.Generic" (44/75)
- Runtime Process
- TeamOS Activator v4.exe (PID: 4612)
- MD5
- cd1f98bf03eae5c3a86bbac863ac50f3
- SHA1
- ee7f39871486b04eb119c3290ec34dcf05eded39
- SHA256
- de49d6e07c706ba0be11d1c1d17db2a274142a03b8ae4b50663912f880249324
-
Re-LoaderByR@1n.exe
- Size
- 1.5MiB (1581275 bytes)
- Type
- neexe executable
- Description
- MS-DOS executable, MZ for MS-DOS
- AV Scan Result
- Labeled as "Application.Hacktool" (50/77)
- Runtime Process
- Re-LoaderByR@1n.exe (PID: 4772)
- MD5
- 3c8289913e7994117532856caee1c06c
- SHA1
- ba021aae374a4ba0c635138b921a1381b58819fa
- SHA256
- 391c989d2103dd488d9d4c2c8e1776bc6264f613656bb5bebcd7722db22160e7
-
Re-LoaderByRa1n.exe
- Size
- 2.2MiB (2292572 bytes)
- Type
- neexe executable
- Description
- MS-DOS executable, MZ for MS-DOS
- AV Scan Result
- Labeled as "Trojan.Keylogger" (44/75)
- Runtime Process
- Re-LoaderByRa1n.exe (PID: 3828)
- MD5
- f7b368a33ea9ca184679e132806b414f
- SHA1
- 08d3f435b52559cb0e0d10c862e1f1e13e92936d
- SHA256
- a18db5954dfb60064ea28f49810fe20b40cdf81b484b05b0db167c33ad134fed
-
SetupComplete.cmd
- Size
- 331B (331 bytes)
- Type
- text
- Description
- DOS batch file, ASCII text, with CRLF line terminators
- AV Scan Result
- Labeled as "BAT_AUTOKMS.A" (5/69)
- Runtime Process
- TeamOS Activator v4.exe (PID: 4612)
- MD5
- 21a93c0f93ee99f60adf82478fc19c65
- SHA1
- 1c7771aa4e2873ec92db5b78af1cc5c3f544c3cc
- SHA256
- 353413c1c76ef3fb63ee05414474a1b90537b34e0d1584bd79d159a0b0602aea
-
-
Clean 2
-
-
lua5.1.dll
- Size
- 327KiB (334864 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result
- 0/75
- Runtime Process
- autorun.exe (PID: 3692)
- MD5
- 1492452bc19b1cba1ee6516e5318eedc
- SHA1
- cd324ee6b883c16f43d44e94328203ed64f4c656
- SHA256
- 0bab23ffeea212139a28d176950d2ba1703103f48d5dbd68b1f4f61372104f15
-
lua51.dll
- Size
- 22KiB (22544 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result
- 0/65
- Runtime Process
- TeamOS Activator v4.exe (PID: 4612)
- MD5
- e1ec4dffc4d737e6e87d797a96692b24
- SHA1
- 256cfe42f6374ecbc7e8cad3b421bef5a6a98e06
- SHA256
- 4c06c1fe4d85f014b03bca843137d387510bedd52e3ec755edee878e0fabcee9
-
-
Informative Selection 1
-
-
Ico.ico
- Size
- 162KiB (165508 bytes)
- Type
- unknown
- Description
- MS Windows icon resource - 9 icons, 256-colors
- Runtime Process
- autorun.exe (PID: 3692)
- MD5
- b948fa100ecc0e7351c2726526292c05
- SHA1
- 2f97f14073b0fe3e291e52a9b7fbbd0654b5cbbb
- SHA256
- 3677c748f671f8e9601b0ee113d68b42b00d6b4474acd20f49084e280f513e01
-
-
Informative 14
-
-
Click1.ogg
- Size
- 3.8KiB (3872 bytes)
- Type
- data
- Description
- Ogg data, Vorbis audio, mono, 44100 Hz, ~128000 bps, created by: Xiphophorus libVorbis I (1.0 RC2)
- Runtime Process
- TeamOS Activator v4.exe (PID: 4612)
- MD5
- 93270c4fa492e4e4edee872a2b961dde
- SHA1
- 7b3c079d55d00aa5390662f0a2059e60546ed003
- SHA256
- 25d49cbbd65d48ad462455f1143f73ee997df8f747e7d2213daab18e321c028b
-
High1.ogg
- Size
- 3.7KiB (3833 bytes)
- Runtime Process
- TeamOS Activator v4.exe (PID: 4612)
- MD5
- fc2a595f574b1ead82a6dcf06492c985
- SHA1
- 400626784368fb9825a954ab8e14238054a277d1
- SHA256
- ee9a4903a8df90eff4c5b65a8073e564a3581cf73772a72eb82396e69932e769
-
KMSAutoLite.ini
- Size
- 2.2KiB (2288 bytes)
- Type
- text
- Description
- UTF-8 Unicode (with BOM) text, with CRLF line terminators
- Runtime Process
- TeamOS Activator v4.exe (PID: 4612)
- MD5
- e7f351db1fb3583c07f09b38c17a30f6
- SHA1
- 7f154ca6d089314d1dc3115c35fb688493edaee8
- SHA256
- fca24227a11b38951dda4b7d6226d8d82ac7996239a873fc213dd9d836794afd
-
readme_bg.txt
- Size
- 6.7KiB (6898 bytes)
- Type
- text
- Description
- Non-ISO extended-ASCII text, with CRLF line terminators
- Runtime Process
- TeamOS Activator v4.exe (PID: 4612)
- MD5
- 275f4d605ed2cc590b7d4d61d9c8bcdf
- SHA1
- 1acf6ae89aaa6f89deea6ef97ecef004e3d82066
- SHA256
- bf6b27dc18b9ab2cf68e3f53d66353d6cfa5c63dcb0b3ca241ba1bb64300aed7
-
readme_cn.txt
- Size
- 6.4KiB (6542 bytes)
- Type
- text
- Description
- UTF-8 Unicode (with BOM) text, with CRLF line terminators
- Runtime Process
- TeamOS Activator v4.exe (PID: 4612)
- MD5
- 45c3c938716d75ccd74a8cd0c3cb5430
- SHA1
- 100f550b7cd955ce52bc6f029a49df6aebc519e3
- SHA256
- 3603a5b4fe7c97ffda5c02ed4510fc22c97bb6508f4085df2b92ffcc2437341b
-
readme_en.txt
- Size
- 6.5KiB (6688 bytes)
- Runtime Process
- TeamOS Activator v4.exe (PID: 4612)
- MD5
- 869a24d97919fbde88e415267402e37e
- SHA1
- 6c6e273e2ee41cf65324d3e15e4a10a94da987e5
- SHA256
- 1295c56117a2e647bc9708df13389b09a834dc2401834bdf6d2533e310cb2707
-
readme_ru.txt
- Size
- 6.7KiB (6831 bytes)
- Runtime Process
- TeamOS Activator v4.exe (PID: 4612)
- MD5
- 93f97de9ae986006bfd836358d788b52
- SHA1
- 7b47e989baab53c1d30f919ce2d68f3c6bf4d76f
- SHA256
- 4e5ef4b8da773d17617a1726ac07803f4b6a7380e51dbc1c772f56e213875227
-
ReadMe KMSpico Install.txt
- Size
- 6.4KiB (6586 bytes)
- Runtime Process
- TeamOS Activator v4.exe (PID: 4612)
- MD5
- 3fe84899f0087b615a294698f240d21c
- SHA1
- 5561b385205a3f04d2f5d20b4a737eac5f23d2af
- SHA256
- f0cbcd2a45918b77477aae9b2d0755fd772d2d0e5c693ad64da76ce58b521782
-
Leggimi.txt
- Size
- 17KiB (17405 bytes)
- Runtime Process
- TeamOS Activator v4.exe (PID: 4612)
- MD5
- 968ab5ef1e55246e50d9d060d893bad3
- SHA1
- 55309dbe508516494cbac8bab79c9c0721ffcee0
- SHA256
- 9d947aff3d01229667b3546b956209fc5bb132f867adf965f7aeb25443bf10c0
-
Lisezmoi.txt
- Size
- 17KiB (17530 bytes)
- Type
- text
- Description
- ISO-8859 text, with CRLF line terminators
- Runtime Process
- TeamOS Activator v4.exe (PID: 4612)
- MD5
- a4b317eba76432a9fb4c9c5e6c72e886
- SHA1
- d4d8c32bb5c54d75812730fcb692cd1d7662e169
- SHA256
- 3d982528e2c03d1756290f5ecc6cab6a16bbff97e521dc805ff0f479f74a1336
-
Readme.txt
- Size
- 16KiB (16515 bytes)
- Runtime Process
- TeamOS Activator v4.exe (PID: 4612)
- MD5
- dd69f3367ae33ac5cb885b1947eae258
- SHA1
- 3c92d591081cb4db35c6cf13bc543fd227f76d62
- SHA256
- dadc97d1088e9cc5abc68571075dcd97e63dcac20432c12523ec2dabd8d9168c
-
background.jpg
- Size
- 84KiB (85510 bytes)
- Runtime Process
- autorun.exe (PID: 3692)
- MD5
- 98360d181d632bfb8c2787f14a383d87
- SHA1
- 9024805391478e801034b0cf231d200396b1d205
- SHA256
- 92363b2c76df4447f28e56e37bfcaef22196a6caab2f5aa18bf02452db171465
-
background.psd
- Size
- 210KiB (215134 bytes)
- Type
- unknown
- Description
- Adobe Photoshop Image, 396 x 400, RGB, 3x 8-bit channels
- Runtime Process
- TeamOS Activator v4.exe (PID: 4612)
- MD5
- d6130decf3084ed624fc2e36794cb1b6
- SHA1
- 46fed277f07295c0f527af625148d2b4c2252c24
- SHA256
- 3c7f8e7833c9aa7f73dddb802287bae099cb5ac23890ef1b1866f4fa070df854
-
autorun.exe
- Size
- 4.9MiB (5177344 bytes)
- Type
- peexe executable
- Description
- PE32 executable (GUI) Intel 80386, for MS Windows
- Runtime Process
- autorun.exe (PID: 3692)
- MD5
- 0a89beef9a34eca640e0e2feeb1191cb
- SHA1
- 0dfe26e70430fc41c4a4e2c889bc911d9cb3e8a2
- SHA256
- e6cb6aac6284f0ae34ba5100d73c2f0ae2e6100b9d2599836bc468b1375b161a
-
Notifications
-
Runtime
- Added comment to Virus Total report
- Extracted file "autorun.exe" was unknown to VirusTotal, submitted file for scanning (Permalink: "https://www.virustotal.com/file/e6cb6aac6284f0ae34ba5100d73c2f0ae2e6100b9d2599836bc468b1375b161a/analysis/1522802254/")
- No static analysis parsing on sample was performed
- Not all IP/URL string resources were checked online
- Not all sources for indicator ID "api-1" are available in the report
- Not all sources for indicator ID "api-4" are available in the report
- Not all sources for indicator ID "api-55" are available in the report
- Not all sources for indicator ID "binary-0" are available in the report
- Not all sources for indicator ID "hooks-8" are available in the report
- Not all sources for indicator ID "mutant-0" are available in the report
- Not all sources for indicator ID "registry-1" are available in the report
- Not all sources for indicator ID "registry-25" are available in the report
- Not all sources for indicator ID "static-6" are available in the report
- Not all sources for indicator ID "string-64" are available in the report
- Not all strings are visible in the report, because the maximum number of strings was reached (5000)
- Some low-level data is hidden, as this is only a slim report