AutoKMS.exe
AutoKMS
Warning 190 antivirus scanners has detected malware in various versions of AutoKMS.exe.
Overview
autokms.exe has 13 known versions, the most recent one is 2.5.0.0. During installation, a run registry key for all users is added that will cause the program to run each time any user logs on to Windows. In order execute the program with adminsitrator rights and prevent a UAC prompt, the program will add a job to the Windows Task Scheduler that will automtaiclaly start it when a user logs on. The average file size is about 1.82 MB. This is a .NET Common Language Runtime (CLR) assembly.
 Details
|
| File name: | autokms.exe |
| Product name: | AutoKMS |
| Typical file path: | C:\windows\autokms\autokms.exe |
Behaviors
(Note, the behaviors below are for all versions of autokms.exe, select a unique version for details.)
Scheduled tasks
- The job 'AutoKMSCustom' runs daily in the path '\AutoKMSCustom'
- The task 'AutoKMSDaily' runs daily in the path '\AutoKMSDaily'
- The job 'AutoKMS' runs daily in the path '\AutoKMS'
- Entry path '\AutoKMSDaily'
- Entry path '\AutoKMS'
- Entry path 'C:\WINDOWS\Tasks\AutoKMS.job'
Scheduled tasks startups
Set to load on user login (bypasses Windows UAC if enabled)
- Login entry path '\AutoKMS'
Startup files (all users) run
Runs under the registry key 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
- 'AutoKMS' → C:\WINDOWS\AutoKMS.exe
Malware detections
Based on 40+ industry antivirus scanners, 190 of them detected the following malware.
| Antivirus engine | Engine version | Detection | File version |
| Agnitum |
5.5.1.3 |
Trojan.Meredrop!Fzg3EZJAohU |
2.1.3.0 |
| Agnitum |
5.5.1.3 |
Trojan.Meredrop!FRcm9CKzHag |
2.1.5.0 |
| Agnitum |
5.5.1.3 |
Trojan.DR.Agent!vUMtdLQQGW8 |
2.2.2.0 |
| Agnitum |
5.5.1.3 |
Trojan.Gendal!1f/JuUgpm9g |
2.1.6.0 |
| Agnitum |
5.5.1.3 |
Trojan.Meredrop!pMjFc1ZBsZw |
2.0.0.0 |
| Agnitum |
5.5.1.3 |
Trojan.DR.Agent!LrNEZV2Q4uQ |
2.2.0.0 |
| Agnitum |
5.5.1.3 |
Trojan.Meredrop!b2VmcmZh45I |
2.0.0.0 |
| AhnLab V3 Internet Security |
2013.04.04.04 |
Trojan/Win32.Gen |
2.1.5.0 |
| AhnLab V3 Internet Security |
2013.07.10 |
Trojan/Win32.Gen |
2.2.0.0 |
| AhnLab V3 Internet Security |
2013.07.05 |
Win-AppCare/Hacktool.647168.B |
2.0.0.0 |
| Avira AntiVir |
7.11.70.32 |
TR/Meredrop.A.10879 |
2.1.5.0 |
| Avira AntiVir |
7.11.72.208 |
TR/Dropper.Gen |
2.2.2.0 |
| Avira AntiVir |
7.11.73.120 |
TR/Meredrop.A.8924 |
2.0.0.0 |
| Avira AntiVir |
7.11.89.160 |
TR/Dropper.Gen |
2.2.0.0 |
| Avira AntiVir |
7.11.88.224 |
SPR/Tool.Keygen.BI.38 |
2.0.0.0 |
| Antiy Labs AVL |
2.0.3.7 |
Trojan/win32.agent.gen |
2.1.3.0 |
| Antiy Labs AVL |
2.0.3.7 |
Trojan/Win32.Pakes.gen |
2.2.2.0 |
| avast! |
6.0.1289.0 |
Win32:PUP-gen [PUP] |
2.1.3.0 |
| avast! |
6.0.1289.0 |
Win32:PUP-gen [PUP] |
2.2.2.0 |
| avast! |
6.0.1289.0 |
Win32:PUP-gen [PUP] |
2.0.0.0 |
| avast! |
8.0.1489.320 |
Win32:PUP-gen [PUP] |
2.2.0.0 |
| avast! |
8.0.1489.320 |
Win32:PUP-gen [PUP] |
2.0.0.0 |
| AVG |
2014.0.3629 |
Generic22.GWB |
2.1.3.0 |
| AVG |
2014.0.3629 |
Generic23.BLCV |
2.1.5.0 |
| AVG |
2014.0.3629 |
HackTool.TEO |
2.2.2.0 |
| AVG |
2014.0.3629 |
Generic23.CYP |
2.1.6.0 |
| AVG |
2014.0.3629 |
Generic19.AVDB |
2.0.0.0 |
| AVG |
2014.0.3629 |
Dropper.Generic4.NFC |
2.2.0.0 |
| AVG |
2014.0.3629 |
Generic20.AIOK |
2.0.0.0 |
| Baidu Antivirus |
3.5.1.41473 |
Malware.Win32.Activator.42 |
2.4.3.0 |
| BitDefender |
7.2 |
Trojan.Generic.5963867 |
2.1.3.0 |
| BitDefender |
7.2 |
Application.Keygen.BY |
2.0.0.0 |
| BitDefender |
7.2 |
Trojan.Generic.6325903 |
2.2.0.0 |
| Bkav Security |
1.3.0.4246 |
W32.RadusateW.Trojan |
2.4.3.0 |
| CAT Quick Heal |
4.13.12.00 |
Trojan.Meredrop |
2.1.5.0 |
| CAT Quick Heal |
7.13.12.00 |
Trojan.Meredrop |
2.2.0.0 |
| Commtouch |
5.4.1.7 |
W32/Trojan.HIML-8905 |
2.1.3.0 |
| Commtouch |
5.4.1.7 |
W32/Trojan.PUGW-4060 |
2.1.5.0 |
| Commtouch |
5.4.1.7 |
W32/Trojan.IOLG-8678 |
2.2.2.0 |
| Commtouch |
5.4.1.7 |
W32/Trojan.XSZZ-7616 |
2.1.6.0 |
| Commtouch |
5.4.1.7 |
W32/Risk.IALF-3386 |
2.0.0.0 |
| Commtouch |
5.4.1.7 |
W32/Trojan.WNVD-6506 |
2.2.0.0 |
| Commtouch |
5.4.1.7 |
W32/Risk.SRKH-7905 |
2.0.0.0 |
| Commtouch |
5.4.1.7 |
W32/Trojan.IRFE-3779 |
2.4.3.0 |
| Comodo Internet Security |
15736 |
UnclassifiedMalware |
2.1.3.0 |
| Comodo Internet Security |
15806 |
UnclassifiedMalware |
2.1.5.0 |
| Comodo Internet Security |
15943 |
UnclassifiedMalware |
2.2.2.0 |
| Comodo Internet Security |
15875 |
UnclassifiedMalware |
2.1.6.0 |
| Comodo Internet Security |
15977 |
UnclassifiedMalware |
2.0.0.0 |
| Comodo Internet Security |
16572 |
UnclassifiedMalware |
2.2.0.0 |
| Comodo Internet Security |
16548 |
UnclassifiedMalware |
2.0.0.0 |
| Comodo Internet Security |
17056 |
UnclassifiedMalware |
2.4.3.0 |
| Dr.Web |
8.13.7.11 |
Trojan.Inject1.6910 |
2.2.0.0 |
| Dr.Web |
8.13.10.6 |
Trojan.MulDrop4.36254 |
2.4.3.0 |
| Dr.Web |
8.13.11.25 |
Trojan.MulDrop4.57531 |
2.4.7.0 |
| Emsisoft Anti-Malware |
3.0.0.575 |
Trojan.Generic.5963867 (B) |
2.1.3.0 |
| Emsisoft Anti-Malware |
3.0.0.575 |
Application.Keygen.BY (B) |
2.0.0.0 |
| Emsisoft Anti-Malware |
3.0.0.583 |
Trojan.Generic.6325903 (B) |
2.2.0.0 |
| eSafe |
7.0.17.0 |
Win32.SPRTool.Keygen |
2.1.3.0 |
| eSafe |
7.0.17.0 |
Win32.Trojan |
2.1.5.0 |
| eSafe |
7.0.17.0 |
Win32.TRDropper |
2.2.2.0 |
| eSafe |
7.0.17.0 |
Win32.Trojan |
2.1.6.0 |
| eSafe |
7.0.17.0 |
Win32.TRDropper |
2.2.0.0 |
| eSafe |
7.0.17.0 |
Win32.Trojan |
2.0.0.0 |
| ESET NOD32 |
7.8172 |
a variant of Win32/HackKMS.B |
2.1.3.0 |
| ESET NOD32 |
7.8193 |
a variant of Win32/HackKMS.B |
2.1.5.0 |
| ESET NOD32 |
7.8231 |
a variant of Win32/HackKMS.B |
2.2.2.0 |
| ESET NOD32 |
7.8211 |
a variant of Win32/HackKMS.B |
2.1.6.0 |
| ESET NOD32 |
7.8243 |
Win32/HackKMS.A |
2.0.0.0 |
| ESET NOD32 |
7.8547 |
a variant of Win32/HackKMS.B |
2.2.0.0 |
| ESET NOD32 |
7.8529 |
a variant of Win32/HackKMS.B |
2.0.0.0 |
| Fortinet |
5.0.43.0 |
W32/SPNR.1CJI11!tr |
2.1.3.0 |
| Fortinet |
5.0.43.0 |
W32/Malware_fam.NB |
2.1.5.0 |
| Fortinet |
5.0.43.0 |
W32/CrackOffice.0A24!tr |
2.2.2.0 |
| Fortinet |
5.0.43.0 |
W32/Dx.UQG!tr |
2.0.0.0 |
| Fortinet |
5.1.146.0 |
W32/Dropper.DGT!tr |
2.0.0.0 |
| Fortinet |
5.1.147.0 |
W32/Generic!tr |
2.4.3.0 |
| F-Prot |
v6.4.7.1.166 |
W32/MalwareF.OISJ |
2.0.0.0 |
| F-Prot |
v6.4.7.1.166 |
W32/MalwareF.TCON |
2.0.0.0 |
| F-Secure |
11.0.19020.35 |
Trojan.Generic.5963867 |
2.1.3.0 |
| F-Secure |
11.0.19020.35 |
Application.Keygen.BY |
2.0.0.0 |
| F-Secure |
11.0.19100.45 |
Trojan.Generic.6325903 |
2.2.0.0 |
| G Data |
13.4.22 |
Trojan.Generic.5963867 |
2.1.3.0 |
| G Data |
13.4.22 |
Application.Keygen.BY |
2.0.0.0 |
| G Data |
13.7.22 |
Trojan.Generic.6325903 |
2.2.0.0 |
| Ikarus |
T3.1.4.0.0 |
not-a-virus.Actiavtion.KMS |
2.1.3.0 |
| Ikarus |
T3.1.4.0.0 |
possible-Threat.Tool.Keygen |
2.1.5.0 |
| Ikarus |
T3.1.4.0.0 |
not-a-virus:Activator.MSOffice |
2.2.2.0 |
| Ikarus |
T3.1.4.0.0 |
not-a-virus.Keygen.KMS |
2.1.6.0 |
| Ikarus |
T3.1.4.0.0 |
possible-Threat.Patch.KMS |
2.0.0.0 |
| Ikarus |
T3.1.4.3.0 |
possible-Threat.Tool.Keygen |
2.2.0.0 |
| Ikarus |
T3.1.4.3.0 |
possible-Threat.ActivationTool.KMS |
2.0.0.0 |
| K7 AntiVirus |
9.164.8447 |
Riskware |
2.1.3.0 |
| K7 AntiVirus |
9.164.8499 |
Riskware |
2.1.6.0 |
| K7 AntiVirus |
9.164.8548 |
Riskware |
2.0.0.0 |
| K7 AntiVirus |
9.170.8983 |
Riskware |
2.2.0.0 |
| K7 AntiVirus |
9.170.8961 |
Riskware |
2.0.0.0 |
| K7 AntiVirus |
9.173.9789 |
Trojan |
2.4.3.0 |
| K7GW |
12.7.0.8 |
Riskware |
2.0.0.0 |
| K7GW |
12.7.0.12 |
Riskware |
2.2.0.0 |
| K7GW |
12.7.0.14 |
Trojan |
2.4.3.0 |
| Kaspersky |
9.0.0.837 |
UDS:DangerousObject.Multi.Generic |
2.4.3.0 |
| Kingsoft |
2013.4.9.267 |
Win32.Troj.Generic.a.(kcloud) |
2.0.0.0 |
| Malwarebytes |
1.70.0.9 |
Trojan.AutoKMS |
2.2.2.0 |
| Malwarebytes |
1.70.0.9 |
Trojan.Agent.H |
2.1.6.0 |
| Malwarebytes |
1.75.0.1 |
Riskware.Keygen |
2.0.0.0 |
| Malwarebytes |
1.75.0.1 |
Riskware.Keygen |
2.0.0.0 |
| McAfee |
5.400.1158 |
Generic Dropper!1f3 |
2.1.3.0 |
| McAfee |
5.400.1158 |
Generic Dropper!dvv |
2.1.5.0 |
| McAfee |
5.400.1158 |
Generic KeyGen |
2.2.2.0 |
| McAfee |
5.400.1158 |
Generic PUP.z!gp |
2.1.6.0 |
| McAfee |
5.400.1158 |
Generic.dx!uqg |
2.0.0.0 |
| McAfee |
5.400.1158 |
Artemis!49BB8D0B9E07 |
2.2.0.0 |
| McAfee |
5.400.1158 |
Crack-Generic |
2.0.0.0 |
| McAfee |
5.600.1067 |
Artemis!D4F602B1F775 |
2.4.3.0 |
| McAfee Gateway Anti-Malware |
v2012.1-dat |
Generic Dropper!1f3 |
2.1.3.0 |
| McAfee Gateway Anti-Malware |
v2012.1-dat |
Generic Dropper!dvv |
2.1.5.0 |
| McAfee Gateway Anti-Malware |
v2012.1-dat |
Generic KeyGen |
2.2.2.0 |
| McAfee Gateway Anti-Malware |
v2012.1-dat |
Generic PUP.z!gp |
2.1.6.0 |
| McAfee Gateway Anti-Malware |
v2012.1-dat |
Generic.dx!uqg |
2.0.0.0 |
| McAfee Gateway Anti-Malware |
v2013-dat |
Artemis!49BB8D0B9E07 |
2.2.0.0 |
| McAfee Gateway Anti-Malware |
v2013-dat |
Crack-Generic |
2.0.0.0 |
| McAfee Gateway Anti-Malware |
v2013-dat |
Artemis!D4F602B1F775 |
2.4.3.0 |
| Microsoft Security Essentials |
1.9302.0 |
HackTool:Win32/Keygen |
2.1.3.0 |
| Microsoft Security Essentials |
1.9302.0 |
HackTool:Win32/Keygen |
2.1.5.0 |
| Microsoft Security Essentials |
1.9302.0 |
HackTool:Win32/Keygen |
2.1.6.0 |
| Microsoft Security Essentials |
1.9402.0 |
HackTool:Win32/Keygen |
2.0.0.0 |
| Microsoft Security Essentials |
1.9607.0 |
HackTool:Win32/Keygen |
2.2.0.0 |
| Microsoft Security Essentials |
1.9607.0 |
HackTool:Win32/Keygen |
2.0.0.0 |
| eScan by MicroWorld |
12.0.250.0 |
Trojan.Generic.5963867 |
2.1.3.0 |
| eScan by MicroWorld |
12.0.250.0 |
Application.Keygen.BY |
2.0.0.0 |
| NANO AntiVirus |
0.24.0.52049 |
Trojan.Win32.Meredrop.zevmu |
2.0.0.0 |
| NANO AntiVirus |
0.24.0.53443 |
Trojan.Win32.MLW.dzbvf |
2.2.0.0 |
| Norman |
7.00.22 |
Suspicious_Gen2.MKFVJ |
2.1.3.0 |
| Norman |
7.00.22 |
Suspicious_Gen2.NPCVJ |
2.1.5.0 |
| Norman |
7.00.22 |
Suspicious_Gen2.PQUNW |
2.2.2.0 |
| Norman |
7.00.22 |
Suspicious_Gen2.NOZBW |
2.1.6.0 |
| Norman |
7.00.22 |
Suspicious_Gen2.ENOUR |
2.0.0.0 |
| Norman |
7.01.04 |
Suspicious_Gen2.PSYEM |
2.2.0.0 |
| Norman |
7.01.04 |
Suspicious_Gen2.FMSYS |
2.0.0.0 |
| Norman |
7.02.06 |
Suspicious_Gen5.SENU |
2.4.3.0 |
| nProtect |
2013-03-28.01 |
Trojan.Generic.5963867 |
2.1.3.0 |
| Panda Antivirus |
10.0.3.5 |
Generic Malware |
2.1.3.0 |
| Panda Antivirus |
10.0.3.5 |
Generic Trojan |
2.0.0.0 |
| Panda Antivirus |
10.0.3.5 |
Generic Trojan |
2.2.0.0 |
| Panda Antivirus |
10.0.3.5 |
Generic Trojan |
2.0.0.0 |
| Panda Antivirus |
10.0.3.5 |
Trj/OCJ.D |
2.4.3.0 |
| PC Tools |
9.0.0.2 |
Trojan.Gen |
2.1.5.0 |
| PC Tools |
9.0.0.2 |
Trojan.Gen |
2.0.0.0 |
| PC Tools |
9.0.0.2 |
Trojan.Gen |
2.2.0.0 |
| PC Tools |
9.0.0.2 |
Trojan.Gen |
2.0.0.0 |
| Rising Antivirus |
24.57.00.04 |
Trojan.Win32.Generic.12A30279 |
2.1.6.0 |
| Rising Antivirus |
24.70.00.04 |
Trojan.Win32.Generic.129A33EC |
2.2.0.0 |
| Rising Antivirus |
24.81.06.04 |
Trojan.Win32.Generic.1462B887 |
2.4.3.0 |
| Sophos |
4.87.0 |
Mal/Meredrop-B |
2.1.3.0 |
| Sophos |
4.87.0 |
Mal/Meredrop-B |
2.1.5.0 |
| Sophos |
4.87.0 |
Troj/AutoKMS-A |
2.2.2.0 |
| Sophos |
4.88.0 |
Mal/Keygen-N |
2.0.0.0 |
| Sophos |
4.90.0 |
Generic PUA CO |
2.2.0.0 |
| Sophos |
4.90.0 |
Troj/Keygen-EI |
2.0.0.0 |
| Sophos |
4.93.0 |
Troj/AutoKMS-A |
2.4.3.0 |
| Symantec |
20121.3.0.76 |
WS.Reputation.1 |
2.1.3.0 |
| Symantec |
20121.3.0.76 |
Trojan.Gen |
2.1.5.0 |
| Symantec |
20121.3.0.76 |
Trojan.Gen |
2.0.0.0 |
| Symantec |
20131.1.0.101 |
Trojan.Gen |
2.2.0.0 |
| Symantec |
20131.1.0.101 |
Trojan.Gen.2 |
2.0.0.0 |
| Trend Micro |
9.740.0.1012 |
TROJ_SPNR.1CJI11 |
2.1.3.0 |
| Trend Micro |
9.740.0.1012 |
TROJ_SPNR.0BGS11 |
2.1.5.0 |
| Trend Micro |
9.740.0.1012 |
HKTL_HACKMS |
2.2.2.0 |
| Trend Micro |
9.740.0.1012 |
TROJ_SPNR.0BJS11 |
2.1.6.0 |
| Trend Micro |
9.740.0.1012 |
CRCK_KEYGEN |
2.0.0.0 |
| Trend Micro |
9.740.0.1012 |
CRCK_ACTIVATE |
2.2.0.0 |
| Trend Micro |
9.740.0.1012 |
TROJ_SPNR.04CI11 |
2.0.0.0 |
| Trend Micro |
9.740.0.1012 |
TROJ_SPNR.1CD213 |
2.4.3.0 |
| Trend Micro HouseCall |
9.700.0.1001 |
TROJ_SPNR.1CJI11 |
2.1.3.0 |
| Trend Micro HouseCall |
9.700.0.1001 |
TROJ_SPNR.0BGS11 |
2.1.5.0 |
| Trend Micro HouseCall |
9.700.0.1001 |
HKTL_HACKMS |
2.2.2.0 |
| Trend Micro HouseCall |
9.700.0.1001 |
TROJ_SPNR.0BJS11 |
2.1.6.0 |
| Trend Micro HouseCall |
9.700.0.1001 |
CRCK_KEYGEN |
2.0.0.0 |
| Trend Micro HouseCall |
9.700.0.1001 |
CRCK_ACTIVATE |
2.2.0.0 |
| Trend Micro HouseCall |
9.700.0.1001 |
TROJ_SPNR.04CI11 |
2.0.0.0 |
| Trend Micro HouseCall |
9.700.0.1001 |
TROJ_SPNR.1CD213 |
2.4.3.0 |
| VIPRE Antivirus |
16356 |
Trojan.Win32.Generic!BT |
2.1.3.0 |
| VIPRE Antivirus |
16550 |
Trojan.Win32.Generic!BT |
2.1.5.0 |
| VIPRE Antivirus |
16902 |
Trojan.Win32.Generic!BT |
2.2.2.0 |
| VIPRE Antivirus |
16716 |
Trojan.Win32.Generic!BT |
2.1.6.0 |
| VIPRE Antivirus |
16986 |
Trojan.Win32.Generic!BT |
2.0.0.0 |
| VIPRE Antivirus |
19442 |
Trojan.Win32.Meredrop |
2.2.0.0 |
| VIPRE Antivirus |
19310 |
Trojan.Win32.Generic!BT |
2.0.0.0 |
| VIPRE Antivirus |
22110 |
Trojan.Win32.Generic!BT |
2.4.3.0 |
All file variations of autokms.exe
Distribution by Windows OS
| OS version | distribution |
| Windows 7 Ultimate |
32.91% |
|
| Windows 7 Home Premium |
16.46% |
|
| Windows 8 |
7.59% |
|
| Windows 7 Professional |
7.59% |
|
| Windows 8 Pro |
7.59% |
|
| Windows 8.1 |
5.06% |
|
| Windows 8.1 Pro with Media Center |
3.80% |
|
| Windows 8.1 Single Language |
2.53% |
|
| Windows 8 Enterprise N |
2.53% |
|
| Microsoft Windows XP |
2.53% |
|
| Windows 7 Enterprise |
2.53% |
|
| Windows 7 Starter |
2.53% |
|
| Windows 8 Enterprise |
2.53% |
|
| Windows 8.1 Pro |
1.27% |
|
| Windows 8.1 Pro Preview with Media Center |
1.27% |
|
| Windows 7 Home Basic |
1.27% |
|
Distribution by country
United States installs about 11.39% of AutoKMS.
Distribution by PC manufacturer
| PC Manufacturer | distribution |
| Lenovo |
33.71% |
|
| ASUS |
15.73% |
|
| Toshiba |
13.48% |
|
| Acer |
8.99% |
|
| Hewlett-Packard |
7.87% |
|
| Intel |
4.49% |
|
| Dell |
4.49% |
|
| GIGABYTE |
4.49% |
|
| American Megatrends |
3.37% |
|
| Samsung |
3.37% |
|
