MD5 Hash: 07605abeb10fc533881c91f19decf69a
SHA256 Hash: cf7ea402d800e3fc6a0cda2136afd044aa2f8a97182b7e527d3e1970303c0067
File size: 1923584 bytes (1879 KB.)
Last analysis: 18 Feb, 2018 00:16:40

Analysis MD5: 07605abeb10fc533881c91f19decf69a

Analysis of the file classifies it as a class E- (Malicious). The file is malicious, do not use it. The trust index of this analysis is 100 % (certain).



AutoKMS.exe is part of the Trojanstartpage.DAW malware. This file is a security risk for your system and the system of others.

Filename: AutoKMS.exe (Trojanstartpage.DAW)
Threat analysis: Malicious
Analysis trust:
Recent activity:
First seen: 05 Jun, 2016
Last seen: 19 Jun, 2016
Last analysis: 18 Feb, 2018
Possible infection: Trojan:Bat/Startpage.JR

AutoKMS.exe Trojanstartpage.DAW

Application: Trojanstartpage.DAW
Developer: CODYQX4
File version:
File size: 1923584 bytes (1879 KB.)
Recent activity:
Historic activity:
CRC32 hash: 285574559
MD5 hash: 07605abeb10fc533881c91f19decf69a
SHA1 hash: 13ee8c9fce6f74512dcd188cca0655c5ede37612
SHA256 hash: cf7ea402d800e3fc6a0cda2136afd044aa2f8a97182b7e527d3e1970303c0067

Signature verification


This file has no digital signature. The publisher of this file could not be verified.

Publisher n/a
Product AutoKMS
Description AutoKMS
Signingdate 0000-00-00 00:00:00
Publisher warning

The publishers name has been found in other malware.


File entropy

File entropy match: Random data

The file contains random data or highly encrypted data. This might have been done to avoid detection.

| 0 b.1923584 b. |
Plain Data Text Code Compressed Encrypted Random

File signature

Microsoft Visual C# / Basic.NET / MS Visual Basic 2005

C# is a multi-paradigm programming language encompassing strong typing, imperative, declarative, functional, procedural, generic, object-oriented (class-based), and component-oriented programming disciplines. It was developed by Microsoft within its .NET initiative.

File header First 32 bytes of this file

4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00

The determination of a file type is done with a signature or magic-numbers. Files are identified using by comparing the first set of bytes in the file header. Using this method type of files are recognised no matter the extension used. This information is useful to for example recognise executable files cloaked as images or movies.


Malicious code scan

Malicious code found

Agics makes een analysis of the source code of the file. We look for comparisons with known malicious source code. This is a good way to detect new malicious files which are in fact variations of existing, and known malicious files.

Scan results:

100 %

Fuzzy hash a.k.a. Context Triggered Piecewise Hashing


Context Triggered Piecewise Hashing, also called Fuzzy Hashing, can match inputs that have homologies. Such inputs have sequences of identical bytes in the same order, although bytes in between these sequences may be different in both content and length. Comparing a fuzzyhash is a good way to detect morphing malware. Malware which include random code in every copy to change its properties. Agics uses ssdeep to make create a fuzzyhash.

SSDEEP: 49152:osgtI O8Rb37gDq6cXJaGJ2xv0IZy64hWpu:HgtI tRb7gO/Ra

No match found


Online virus scanners

Detection ration:

60 %

Not available on is a repository of malware samples to provide security researchers, incident responders, forensic analysts, and the morbidly curious access to samples of live malicious code. Presence of the sample on this site indicates that the file is (Once considered) being malicious.

National Software Reference Library

Not on the nsrl list

The NSRL contains a collection of digital signatures of known, traceable software applications. There are application hash values in the hash set which may be considered malicious, i.e. steganography tools and hacking scripts.



Sandbox behaviour analysis:

The file is executed in a safe environment to track its behaviour. The behaviour analysis can help with detecting new malware which is not recognized by virusscanners yet. However it has a high chance on a false-positive, especially with installers, uninstallers and virusscanners.

Network activity

Possible dangerous internet traffic

Dropped files

File name md5


Import hashing

Imphash 9895210c4401e36bdb164398c62d3587

Fingerprinting files can be done in various way. One way is to make a hash of the PE Imports. PE Imports are relative unique and this is a great way to find new variants of existing malware. The chance of false-positives is relative high. The resulting hash is often called an imphash.

0% Match0% Match

Statistic analysis

Statistic analysis of the file

Similar to other files with the same name
No certificate
Other files with the same name do not have a certificate as well
This is not a common file
Normal code

Neural network analysis

Analysis: Malicious

A neural network is a type of artificial intelligence. It recognized patterns nog clear for a human viewer. Our neural network is surprisingly accurate in recognizing dangerous files. The value below is the predicted chance the file is malicious.

90%90 %


User feedback

Read feedback on this file from other users. Help other users by providing feedback yourself.

You can earn reputation points !

You are currently not logged in. Login, or Create an account

Feedback users:

There has been no user feedback provided yet.
You are not logged in. Only registered users can provide feedback. Login and help other users.

Login Create an account