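Technical Information
The entries below are behavioural indicators recorded for the sample: registry values for two services (KMSEmulator, WinDivert1.1), a firewall change, file paths, window searches and launched command lines. The sub-headings that separated these groups are not preserved here; the file paths repeat in several runs, presumably one per kind of file operation, and which run is which cannot be told from this listing. For triage, the changes that can outlast the run are the auto-start KMSEmulator service, the inbound allow rule for TCP 1688, the persistent route to 100.100.0.10, and the wzteam.cer certificate added to the local machine ROOT and TRUSTEDPUBLISHER stores. The listing also shows delete commands for the service, the rule and the route, and their order is not preserved, so confirm the actual state on the host.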
- [<HKLM>\System\CurrentControlSet\Services\KMSEmulator] 'Start' = '00000002'
- [<HKLM>\System\CurrentControlSet\Services\KMSEmulator] 'ImagePath' = 'temp.exe'
- [<HKLM>\SYSTEM\CurrentControlSet\services\KMSEmulator] 'ImagePath' = '"%PROGRAMDATA%\KMSAuto\bin\KMSSS.exe" -Port 1688 -PWin RandomKMSPID -PO14 RandomKMSPID -PO15 RandomKMSPID -PO16 RandomKMSPI...
- [<HKLM>\System\CurrentControlSet\Services\WinDivert1.1] 'ImagePath' = '%PROGRAMDATA%\KMSAuto\bin\driver\x64WDV\WinDivert.sys'
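- '<SYSTEM32>\netsh.exe' Advfirewall Firewall add rule name="0pen Port KMS" dir=in action=allow protocol=TCP localport=1688 (the rule name as recorded starts with the digit 0, not the letter O, so match it exactly when searching firewall rules)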
- '%WINDIR%\syswow64\taskkill.exe' /t /f /IM FakeClient.exe
- %WINDIR%\kms\boottask.cmd
- %PROGRAMDATA%\kmsauto\kmsauto net.exe
- %PROGRAMDATA%\kmsauto\bin\driver\x64wdv\windivert.sys
- %PROGRAMDATA%\kmsauto\bin\driver\x64wdv\windivert.dll
- %PROGRAMDATA%\kmsauto\bin\driver\x64wdv\wdfcoinstaller01009.dll
- %PROGRAMDATA%\kmsauto\bin\driver\x64wdv\fakeclient.exe
- %PROGRAMDATA%\kmsauto\bin\driver\x64tap2\tapoas.sys
- %PROGRAMDATA%\kmsauto\bin\driver\x64tap2\devcon.exe
- %PROGRAMDATA%\kmsauto\bin\driver\x64tap1\tap0901.sys
- %PROGRAMDATA%\kmsauto\bin\driver\x64tap1\devcon.exe
- %PROGRAMDATA%\kmsauto\bin\driver\x64wdv\windivert.inf
- %PROGRAMDATA%\kmsauto\bin\driver\x64tap2\tapoas.inf
- %PROGRAMDATA%\kmsauto\bin\driver\x64tap2\tapoas.cat
- %PROGRAMDATA%\kmsauto\bin\driver\x64tap1\tap0901.cat
- %PROGRAMDATA%\kmsauto\bin\driver\x64tap1\oemvista.inf
- %PROGRAMDATA%\kmsauto\bin\driver\oas_sert.cer
- %PROGRAMDATA%\kmsauto\bin_x64.dat
- %PROGRAMDATA%\kmsauto\bin\tunmirror2.exe
- %PROGRAMDATA%\kmsauto\bin\kmsss.exe
- %PROGRAMDATA%\kmsauto\bin\tunmirror.exe
- %PROGRAMDATA%\kmsauto\bin\aesdecoder.exe
- %PROGRAMDATA%\kmsauto\bin\tunmirror2.exe.aes
- %PROGRAMDATA%\kmsauto\bin\kmsss.exe.aes
- %PROGRAMDATA%\kmsauto\bin.dat
- %PROGRAMDATA%\kmsauto\wzt\certmgr.exe
- %PROGRAMDATA%\kmsauto\wzt\wzteam.cer
- %PROGRAMDATA%\kmsauto\wzt.dat
- %WINDIR%\kms\test.test
- %LOCALAPPDATA%\msfree inc\kmsauto.ini
- %WINDIR%\kms\kmsauto net.exe
- %PROGRAMDATA%\kmsauto\bin\kmsss.log
- %WINDIR%\temp\udddf70.tmp
- %WINDIR%\kms\test.test
- %PROGRAMDATA%\kmsauto\bin\driver\x64wdv\windivert.dll
- %PROGRAMDATA%\kmsauto\bin\driver\x64wdv\wdfcoinstaller01009.dll
- %PROGRAMDATA%\kmsauto\bin\driver\x64wdv\fakeclient.exe
- %PROGRAMDATA%\kmsauto\bin\driver\x64wdv\windivert.inf
- %PROGRAMDATA%\kmsauto\bin\kmsss.log
- %PROGRAMDATA%\kmsauto\bin\kmsss.exe
- %PROGRAMDATA%\kmsauto\bin\driver\x64tap2\tapoas.sys
- %PROGRAMDATA%\kmsauto\bin\driver\x64tap2\tapoas.inf
- %PROGRAMDATA%\kmsauto\bin\driver\x64tap2\tapoas.cat
- %PROGRAMDATA%\kmsauto\bin\driver\x64tap2\devcon.exe
- %PROGRAMDATA%\kmsauto\bin\driver\x64tap1\tap0901.sys
- %PROGRAMDATA%\kmsauto\bin\driver\x64tap1\tap0901.cat
- %PROGRAMDATA%\kmsauto\bin\driver\x64tap1\oemvista.inf
- %PROGRAMDATA%\kmsauto\bin\driver\x64tap1\devcon.exe
- %PROGRAMDATA%\kmsauto\bin\driver\oas_sert.cer
- %PROGRAMDATA%\kmsauto\bin_x64.dat
- %PROGRAMDATA%\kmsauto\bin\aesdecoder.exe
- %PROGRAMDATA%\kmsauto\bin\tunmirror2.exe.aes
- %PROGRAMDATA%\kmsauto\bin\kmsss.exe.aes
- %PROGRAMDATA%\kmsauto\bin.dat
- %PROGRAMDATA%\kmsauto\wzt\wzteam.cer
- %PROGRAMDATA%\kmsauto\wzt\certmgr.exe
- %PROGRAMDATA%\kmsauto\wzt.dat
- %PROGRAMDATA%\kmsauto\bin\driver\x64wdv\windivert.sys
- %WINDIR%\temp\udddf70.tmp
- %PROGRAMDATA%\kmsauto\wzt.dat
- %PROGRAMDATA%\kmsauto\bin\driver\x64wdv\wdfcoinstaller01009.dll
- %PROGRAMDATA%\kmsauto\bin\driver\x64wdv\fakeclient.exe
- %PROGRAMDATA%\kmsauto\bin\driver\x64wdv\windivert.inf
- %PROGRAMDATA%\kmsauto\bin\kmsss.log
- %PROGRAMDATA%\kmsauto\bin\driver\x64tap2\tapoas.sys
- %PROGRAMDATA%\kmsauto\bin\driver\x64tap2\devcon.exe
- %PROGRAMDATA%\kmsauto\bin\driver\x64tap1\tap0901.sys
- %PROGRAMDATA%\kmsauto\bin\driver\x64tap1\devcon.exe
- %PROGRAMDATA%\kmsauto\bin\driver\x64tap2\tapoas.inf
- %PROGRAMDATA%\kmsauto\bin\driver\x64tap2\tapoas.cat
- %PROGRAMDATA%\kmsauto\bin\driver\x64tap1\tap0901.cat
- %PROGRAMDATA%\kmsauto\bin\driver\x64tap1\oemvista.inf
- %PROGRAMDATA%\kmsauto\bin\driver\oas_sert.cer
- %PROGRAMDATA%\kmsauto\bin_x64.dat
- %PROGRAMDATA%\kmsauto\bin\kmsss.exe
- %PROGRAMDATA%\kmsauto\bin\aesdecoder.exe
- %PROGRAMDATA%\kmsauto\bin\tunmirror2.exe.aes
- %PROGRAMDATA%\kmsauto\bin\kmsss.exe.aes
- %PROGRAMDATA%\kmsauto\bin.dat
- %PROGRAMDATA%\kmsauto\wzt\certmgr.exe
- %PROGRAMDATA%\kmsauto\wzt\wzteam.cer
- %PROGRAMDATA%\kmsauto\bin\driver\x64wdv\windivert.dll
- %PROGRAMDATA%\kmsauto\bin\driver\x64wdv\windivert.sys
- ClassName: 'EDIT' WindowName: ''
- ClassName: '' WindowName: ''
- '%WINDIR%\kms\kmsauto net.exe' /win=act
- '%PROGRAMDATA%\kmsauto\bin\aesdecoder.exe'
- '%PROGRAMDATA%\kmsauto\bin\kmsss.exe' -Port 1688 -PWin RandomKMSPID -PO14 RandomKMSPID -PO15 RandomKMSPID -PO16 RandomKMSPID -AI 43200 -RI 43200 -Log -IP
- '%PROGRAMDATA%\kmsauto\wzt.dat' -y -pkmsauto
- '%PROGRAMDATA%\kmsauto\bin.dat' -y -pkmsauto
- '%PROGRAMDATA%\kmsauto\wzt\certmgr.exe' -add wzteam.cer -n wzteam -s -r localMachine ROOT
- '%PROGRAMDATA%\kmsauto\bin_x64.dat' -y -pkmsauto
- '%PROGRAMDATA%\kmsauto\wzt\certmgr.exe' -add wzteam.cer -n wzteam -s -r localMachine TRUSTEDPUBLISHER
- '<SYSTEM32>\cmd.exe' /D /c del /F /Q "bin_x64.dat"' (with hidden window)
- '<SYSTEM32>\cmd.exe' /D /c FakeClient.exe 100.100.0.10' (with hidden window)
- '<SYSTEM32>\cmd.exe' /D /c route -p add 100.100.0.10 0.0.0.0 IF 1' (with hidden window)
- '<SYSTEM32>\cmd.exe' /D /c reg.exe DELETE HKLM\SYSTEM\CurrentControlSet\Services\KMSEmulator /f' (with hidden window)
- '<SYSTEM32>\reg.exe' delete "HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663" /f' (with hidden window)
- '<SYSTEM32>\reg.exe' delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55C92734-D682-4D71-983E-D6EC3F16059F" /f' (with hidden window)
- '<SYSTEM32>\reg.exe' delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\59A52881-A989-479D-AF46-F275C6370663" /f' (with hidden window)
- '<SYSTEM32>\reg.exe' delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0FF1CE15-A989-479D-AF46-F275C6370663" /f' (with hidden window)
- '<SYSTEM32>\reg.exe' delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\0FF1CE15-A989-479D-AF46-F275C6370663" /f' (with hidden window)
- '<SYSTEM32>\netsh.exe' Advfirewall Firewall add rule name="0pen Port KMS" dir=in action=allow protocol=TCP localport=1688' (with hidden window)
- '<SYSTEM32>\netsh.exe' Advfirewall Firewall delete rule name="0pen Port KMS" protocol=TCP' (with hidden window)
- '<SYSTEM32>\reg.exe' delete "HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f" /f' (with hidden window)
- '<SYSTEM32>\cmd.exe' /D /c for /f "tokens=5 delims=, " %i in ('netstat -ano ^| find ":1688 "') do taskkill /pid %i /f' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c md "%LOCALAPPDATA%\MSfree Inc"' (with hidden window)
- '<SYSTEM32>\cmd.exe' /D /c WMIC Path Win32_NetworkAdapter WHERE ServiceName="tap0901" get Manufacturer >"%TEMP%\KMSSettmp159.tmp' (with hidden window)
- '<SYSTEM32>\cmd.exe' /D /c del /F /Q "wzt.dat"' (with hidden window)
- '<SYSTEM32>\cmd.exe' /D /c bin_x64.dat -y -pkmsauto' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c echo test>>"%WINDIR%\kms\test.test"' (with hidden window)
- '<SYSTEM32>\cmd.exe' /D /c del /F /Q "AESDecoder.exe"' (with hidden window)
- '<SYSTEM32>\cmd.exe' /D /c md "%PROGRAMDATA%\KMSAuto"' (with hidden window)
- '<SYSTEM32>\cmd.exe' /D /c wzt.dat -y -pkmsauto' (with hidden window)
- '<SYSTEM32>\cmd.exe' /D /c del /F /Q "test.test"' (with hidden window)
- '<SYSTEM32>\cmd.exe' /D /c certmgr.exe -add wzteam.cer -n wzteam -s -r localMachine ROOT' (with hidden window)
- '<SYSTEM32>\cmd.exe' /D /c certmgr.exe -add wzteam.cer -n wzteam -s -r localMachine TRUSTEDPUBLISHER' (with hidden window)
- '<SYSTEM32>\cmd.exe' /D /c bin.dat -y -pkmsauto' (with hidden window)
- '<SYSTEM32>\cmd.exe' /D /c del /F /Q "bin.dat"' (with hidden window)
- '<SYSTEM32>\cmd.exe' /D /c AESDecoder.exe' (with hidden window)
- '<SYSTEM32>\cmd.exe' /D /c route delete 100.100.0.10 0.0.0.0' (with hidden window)
- '<SYSTEM32>\cmd.exe' /D /c WMIC Path Win32_NetworkAdapter WHERE ServiceName="tapoas" get Manufacturer >"%TEMP%\KMSSettmp159.tmp' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c ""%WINDIR%\kms\boottask.cmd" "
- '<SYSTEM32>\reg.exe' delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0FF1CE15-A989-479D-AF46-F275C6370663" /f
- '<SYSTEM32>\reg.exe' delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\59A52881-A989-479D-AF46-F275C6370663" /f
- '<SYSTEM32>\reg.exe' delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\0FF1CE15-A989-479D-AF46-F275C6370663" /f
- '<SYSTEM32>\reg.exe' delete "HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f" /f
- '<SYSTEM32>\reg.exe' delete "HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663" /f
- '%WINDIR%\syswow64\sc.exe' stop KMSEmulator
- '%WINDIR%\syswow64\sc.exe' delete KMSEmulator
- '<SYSTEM32>\cmd.exe' /D /c reg.exe DELETE HKLM\SYSTEM\CurrentControlSet\Services\KMSEmulator /f
- '<SYSTEM32>\reg.exe' DELETE HKLM\SYSTEM\CurrentControlSet\Services\KMSEmulator /f
- '<SYSTEM32>\cmd.exe' /c rd "%PROGRAMDATA%\KMSAuto" /S /Q
- '<SYSTEM32>\cmd.exe' /D /c route -p add 100.100.0.10 0.0.0.0 IF 1
- '<SYSTEM32>\route.exe' -p add 100.100.0.10 0.0.0.0 IF 1
- '<SYSTEM32>\cmd.exe' /D /c FakeClient.exe 100.100.0.10
- '<SYSTEM32>\cmd.exe' /D /c route delete 100.100.0.10 0.0.0.0
- '<SYSTEM32>\route.exe' delete 100.100.0.10 0.0.0.0
- '%WINDIR%\syswow64\cmd.exe' /c taskkill /t /f /IM FakeClient.exe
- '%WINDIR%\syswow64\sc.exe' stop WinDivert1.1
- '%WINDIR%\syswow64\sc.exe' delete WinDivert1.1
- '<SYSTEM32>\cmd.exe' /D /c WMIC Path Win32_NetworkAdapter WHERE ServiceName="tap0901" get Manufacturer >"%TEMP%\KMSSettmp159.tmp
- '<SYSTEM32>\reg.exe' delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55C92734-D682-4D71-983E-D6EC3F16059F" /f
- '<SYSTEM32>\wbem\wmic.exe' Path Win32_NetworkAdapter WHERE ServiceName="tap0901" get Manufacturer
- '%WINDIR%\syswow64\sc.exe' start KMSEmulator
- '<SYSTEM32>\netsh.exe' Advfirewall Firewall delete rule name="0pen Port KMS" protocol=TCP
- '%WINDIR%\syswow64\cmd.exe' /c md "%LOCALAPPDATA%\MSfree Inc"
- '<SYSTEM32>\cmd.exe' /c echo test>>"%WINDIR%\kms\test.test"
- '<SYSTEM32>\cmd.exe' /D /c del /F /Q "test.test"
- '<SYSTEM32>\cmd.exe' /D /c md "%PROGRAMDATA%\KMSAuto"
- '<SYSTEM32>\cmd.exe' /D /c wzt.dat -y -pkmsauto
- '<SYSTEM32>\cmd.exe' /D /c del /F /Q "wzt.dat"
- '<SYSTEM32>\cmd.exe' /D /c certmgr.exe -add wzteam.cer -n wzteam -s -r localMachine ROOT
- '<SYSTEM32>\cmd.exe' /D /c certmgr.exe -add wzteam.cer -n wzteam -s -r localMachine TRUSTEDPUBLISHER
- '<SYSTEM32>\cmd.exe' /c rd "%PROGRAMDATA%\KMSAuto\wzt" /S /Q
- '<SYSTEM32>\cmd.exe' /D /c bin.dat -y -pkmsauto
- '<SYSTEM32>\cmd.exe' /D /c del /F /Q "bin.dat"
- '<SYSTEM32>\cmd.exe' /D /c AESDecoder.exe
- '<SYSTEM32>\cmd.exe' /D /c del /F /Q "AESDecoder.exe"
- '<SYSTEM32>\cmd.exe' /D /c bin_x64.dat -y -pkmsauto
- '<SYSTEM32>\cmd.exe' /D /c del /F /Q "bin_x64.dat"
- '<SYSTEM32>\cmd.exe' /D /c for /f "tokens=5 delims=, " %i in ('netstat -ano ^| find ":1688 "') do taskkill /pid %i /f
- '<SYSTEM32>\cmd.exe' /c netstat -ano | find ":1688 "
- '<SYSTEM32>\netstat.exe' -ano
- '<SYSTEM32>\find.exe' ":1688 "
- '%WINDIR%\syswow64\sc.exe' create KMSEmulator binpath= temp.exe type= own start= auto
- '<SYSTEM32>\cmd.exe' /D /c WMIC Path Win32_NetworkAdapter WHERE ServiceName="tapoas" get Manufacturer >"%TEMP%\KMSSettmp159.tmp