マイライブラリ
マイライブラリ

+ マイライブラリに追加

電話

お問い合わせ履歴

電話(英語)

+7 (495) 789-45-86

Profile

Trojan.DownLoader25.57120

Added to the Dr.Web virus database: 2017-11-20

Virus description added:

Technical Information

Malicious functions:
To bypass firewall, removes or modifies the following registry keys:
  • [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '%TEMP%\RarSFX0\KMSELDI.exe' = '%TEMP%\RarSFX0\KMSELDI.exe:*:Enabled:KM...
Creates and executes the following:
  • '%TEMP%\RarSFX0\KMSELDI.exe'
Modifies file system:
Creates the following files:
  • %TEMP%\RarSFX0\cert\kmscert2016\VisioStd\VisioStdVL_KMS_Client-ppd.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2016\VisioStd\VisioStdVL_KMS_Client-ul-oob.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2016\VisioStd\VisioStdVL_KMS_Client-ul.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2016\VisioPro\VisioProVL_KMS_Client-ppd.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2016\VisioPro\VisioProVL_KMS_Client-ul-oob.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2016\VisioPro\VisioProVL_KMS_Client-ul.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscertW10\Core\Core-Volume-GVLK-1-ul-oob-rtm.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscertW10\Core\Core-Volume-GVLK-1-ul-rtm.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscertW10\Education\Education-Volume-GVLK-1-ul-oob-rtm.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2016\Word\WordVL_KMS_Client-ppd.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2016\Word\WordVL_KMS_Client-ul-oob.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2016\Word\WordVL_KMS_Client-ul.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2016\Publisher\PublisherVL_KMS_Client-ppd.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2016\Publisher\PublisherVL_KMS_Client-ul-oob.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2016\Publisher\PublisherVL_KMS_Client-ul.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2016\ProPlus\ProPlusVL_KMS_Client-ppd.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2016\ProPlus\ProPlusVL_KMS_Client-ul-oob.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2016\ProPlus\ProPlusVL_KMS_Client-ul.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2016\Standard\StandardVL_KMS_Client-ppd.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2016\Standard\StandardVL_KMS_Client-ul-oob.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2016\Standard\StandardVL_KMS_Client-ul.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2016\SkypeforBusiness\SkypeforBusinessVL_KMS_Client-ppd.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2016\SkypeforBusiness\SkypeforBusinessVL_KMS_Client-ul-oob.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2016\SkypeforBusiness\SkypeforBusinessVL_KMS_Client-ul.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscertW6\Business\Security-Licensing-SLC-Component-SKU-Business-VL-BYPASS-ul.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscertW6\Business\Security-Licensing-SLC-Component-SKU-Business-VL-KMS-pl.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscertW6\Business\Security-Licensing-SLC-Component-SKU-Business-VL-KMS-ul-oob.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscertW6\Business\Security-Licensing-SLC-Component-SKU-Business-VL-BYPASS-RAC-private.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscertW6\Business\Security-Licensing-SLC-Component-SKU-Business-VL-BYPASS-RAC-public.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscertW6\Business\Security-Licensing-SLC-Component-SKU-Business-VL-BYPASS-ul-oob.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscertW6\Business\Security-Licensing-SLC-Component-SKU-Business-VL-KMS1-ul-phn.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscertW6\BusinessN\Security-Licensing-SLC-Component-SKU-BusinessN-ul-oob.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscertW6\BusinessN\Security-Licensing-SLC-Component-SKU-BusinessN-ul-phn.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscertW6\Business\Security-Licensing-SLC-Component-SKU-Business-VL-KMS-ul-phn.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscertW6\Business\Security-Licensing-SLC-Component-SKU-Business-VL-KMS1-pl.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscertW6\Business\Security-Licensing-SLC-Component-SKU-Business-VL-KMS1-ul-oob.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscertW10\EnterpriseS\EnterpriseS-Volume-GVLK-1-ul-oob-rtm.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscertW10\EnterpriseS\EnterpriseS-Volume-GVLK-1-ul-rtm.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscertW10\EnterpriseS\EnterpriseS-Volume-GVLK-2-ul-oob.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscertW10\Education\Education-Volume-GVLK-1-ul-rtm.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscertW10\Enterprise\Enterprise-Volume-GVLK-1-ul-oob-rtm.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscertW10\Enterprise\Enterprise-Volume-GVLK-1-ul-rtm.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscertW10\Professional\Professional-Volume-GVLK-1-ul-rtm.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscertW6\Business\Security-Licensing-SLC-Component-SKU-Business-ul-oob.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscertW6\Business\Security-Licensing-SLC-Component-SKU-Business-ul-phn.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscertW10\EnterpriseS\EnterpriseS-Volume-GVLK-2-ul.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscertW10\pkeyconfig.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscertW10\Professional\Professional-Volume-GVLK-1-ul-oob-rtm.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2013\Word\LicenseSetData._D9F5B1C6_5386_495A_88F9_9AD6B41AC9B3.PL.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2013\Word\LicenseSetData._D9F5B1C6_5386_495A_88F9_9AD6B41AC9B3.PPDLIC.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2016\Access\AccessVL_KMS_Client-ppd.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2013\VisioStd\LicenseSetData._AC4EFAF0_F81F_4F61_BDF7_EA32B02AB117.PL.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2013\VisioStd\LicenseSetData._AC4EFAF0_F81F_4F61_BDF7_EA32B02AB117.PPDLIC.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2013\Word\LicenseSetData._D9F5B1C6_5386_495A_88F9_9AD6B41AC9B3.OOB.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2016\client-issuance-root-bridge-test.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2016\client-issuance-root.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2016\client-issuance-stil.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2016\Access\AccessVL_KMS_Client-ul-oob.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2016\Access\AccessVL_KMS_Client-ul.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2016\client-issuance-bridge-office.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2013\Publisher\LicenseSetData._00C79FF1_6850_443D_BF61_71CDE0DE305F.PPDLIC.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2013\Standard\LicenseSetData._B13AFB38_CD79_4AE5_9F7F_EED058D750CA.OOB.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2013\Standard\LicenseSetData._B13AFB38_CD79_4AE5_9F7F_EED058D750CA.PL.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2013\ProPlus\proplus.reg
  • %TEMP%\RarSFX0\cert\kmscert2013\Publisher\LicenseSetData._00C79FF1_6850_443D_BF61_71CDE0DE305F.OOB.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2013\Publisher\LicenseSetData._00C79FF1_6850_443D_BF61_71CDE0DE305F.PL.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2013\VisioPro\LicenseSetData._E13AC10E_75D0_4AFF_A0CD_764982CF541C.PPDLIC.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2013\VisioPro\visio.reg
  • %TEMP%\RarSFX0\cert\kmscert2013\VisioStd\LicenseSetData._AC4EFAF0_F81F_4F61_BDF7_EA32B02AB117.OOB.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2013\Standard\LicenseSetData._B13AFB38_CD79_4AE5_9F7F_EED058D750CA.PPDLIC.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2013\VisioPro\LicenseSetData._E13AC10E_75D0_4AFF_A0CD_764982CF541C.OOB.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2013\VisioPro\LicenseSetData._E13AC10E_75D0_4AFF_A0CD_764982CF541C.PL.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2016\PowerPoint\PowerPointVL_KMS_Client-ppd.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2016\PowerPoint\PowerPointVL_KMS_Client-ul-oob.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2016\PowerPoint\PowerPointVL_KMS_Client-ul.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2016\Outlook\OutlookVL_KMS_Client-ul-oob.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2016\Outlook\OutlookVL_KMS_Client-ul.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2016\pkeyconfig-office.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2016\ProjectStd\ProjectStdVL_KMS_Client-ppd.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2016\ProjectStd\ProjectStdVL_KMS_Client-ul-oob.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2016\ProjectStd\ProjectStdVL_KMS_Client-ul.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2016\ProjectPro\ProjectProVL_KMS_Client-ppd.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2016\ProjectPro\ProjectProVL_KMS_Client-ul-oob.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2016\ProjectPro\ProjectProVL_KMS_Client-ul.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2016\Excel\ExcelVL_KMS_Client-ul-oob.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2016\Excel\ExcelVL_KMS_Client-ul.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2016\Mondo\MondoVL_KMS_Client-ppd.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2016\client-issuance-ul-oob.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2016\client-issuance-ul.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2016\Excel\ExcelVL_KMS_Client-ppd.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2016\OneNote\OneNoteVL_KMS_Client-ul-oob.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2016\OneNote\OneNoteVL_KMS_Client-ul.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2016\Outlook\OutlookVL_KMS_Client-ppd.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2016\Mondo\MondoVL_KMS_Client-ul-oob.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2016\Mondo\MondoVL_KMS_Client-ul.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2016\OneNote\OneNoteVL_KMS_Client-ppd.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscertW81\Enterprise\Enterprise-Volume-GVLK-1-ul-rtm.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscertW81\pkeyconfig.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscertW81\Professional\Professional-Volume-GVLK-1-ul-oob-rtm.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscertW81\EmbeddedIndustry\EmbeddedIndustry-Volume-GVLK-1-ul-oob-rtm.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscertW81\EmbeddedIndustry\EmbeddedIndustry-Volume-GVLK-1-ul-rtm.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscertW81\Enterprise\Enterprise-Volume-GVLK-1-ul-oob-rtm.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscertW81\ServerDatacenter\ServerDatacenter-Volume-GVLK-1-ul-oob-rtm.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscertW81\ServerDatacenter\ServerDatacenter-Volume-GVLK-1-ul-rtm.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscertW81\ServerStandard\ServerStandard-Volume-GVLK-1-ul-oob-rtm.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscertW81\Professional\Professional-Volume-GVLK-1-ul-rtm.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscertW81\ProfessionalWMC\ProfessionalWMC-Volume-GVLK-1-ul-oob-rtm.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscertW81\ProfessionalWMC\ProfessionalWMC-Volume-GVLK-1-ul-rtm.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscertW8\Professional\Professional-Volume-GVLK-1-ul-rtm.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscertW8\ProfessionalN\ProfessionalN-Volume-GVLK-1-ul-oob-rtm.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscertW8\ProfessionalN\ProfessionalN-Volume-GVLK-1-ul-rtm.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscertW8\EnterpriseN\EnterpriseN-Volume-GVLK-1-ul-rtm.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscertW8\pkeyconfig.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscertW8\Professional\Professional-Volume-GVLK-1-ul-oob-rtm.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscertW81\Core\Core-Volume-GVLK-1-ul-rtm.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscertW81\CoreConnectedSingleLanguage\CoreConnectedSingleLanguage-Volume-GVLK-1-ul-oob-rtm.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscertW81\CoreConnectedSingleLanguage\CoreConnectedSingleLanguage-Volume-GVLK-1-ul-rtm.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscertW8\ProfessionalWMC\ProfessionalWMC-Volume-GVLK-1-ul-oob-rtm.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscertW8\ProfessionalWMC\ProfessionalWMC-Volume-GVLK-1-ul-rtm.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscertW81\Core\Core-Volume-GVLK-1-ul-oob-rtm.xrm-ms
  • %TEMP%\RarSFX0\scripts\EnableSmartScreen.cmd
  • %TEMP%\RarSFX0\scripts\EnableSmartScreen.reg
  • %TEMP%\RarSFX0\scripts\Install_Service.cmd
  • %TEMP%\RarSFX0\scripts\AddExceptionsWD.reg
  • %TEMP%\RarSFX0\scripts\AddExceptions_Defender.cmd
  • %TEMP%\RarSFX0\scripts\DisableSmartScreen.reg
  • %TEMP%\RarSFX0\scripts\Restore_Watermark.cmd
  • %TEMP%\RarSFX0\scripts\Silent.cmd
  • %TEMP%\RarSFX0\scripts\UnInstall_Service.cmd
  • %TEMP%\RarSFX0\scripts\Install_Task.cmd
  • %TEMP%\RarSFX0\scripts\Log.cmd
  • %TEMP%\RarSFX0\scripts\RemoveExceptionsWD.reg
  • %TEMP%\RarSFX0\driver\OpenVPN.cer
  • %TEMP%\RarSFX0\driver\tap-windows-9.21.0.exe
  • %TEMP%\RarSFX0\driver\UnInstallDriver.cmd
  • %TEMP%\RarSFX0\cert\kmscertW81\ServerStandard\ServerStandard-Volume-GVLK-1-ul-rtm.xrm-ms
  • %TEMP%\RarSFX0\driver\Cert.cmd
  • %TEMP%\RarSFX0\driver\certELDI.pfx
  • %TEMP%\RarSFX0\icons\Warning.png
  • %TEMP%\RarSFX0\logs\AutoPico.log
  • %TEMP%\RarSFX0\logs\KMSELDI.log
  • %TEMP%\RarSFX0\icons\Error.png
  • %TEMP%\RarSFX0\icons\Information.png
  • %TEMP%\RarSFX0\icons\Question.png
  • %TEMP%\RarSFX0\cert\kmscertW6\Enterprise\Security-Licensing-SLC-Component-SKU-Enterprise-VL-BYPASS-ul.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscertW6\Enterprise\Security-Licensing-SLC-Component-SKU-Enterprise-VL-KMS-pl.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscertW6\Enterprise\Security-Licensing-SLC-Component-SKU-Enterprise-VL-KMS-ul-oob.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscertW6\Enterprise\Security-Licensing-SLC-Component-SKU-Enterprise-VL-BYPASS-RAC-private.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscertW6\Enterprise\Security-Licensing-SLC-Component-SKU-Enterprise-VL-BYPASS-RAC-public.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscertW6\Enterprise\Security-Licensing-SLC-Component-SKU-Enterprise-VL-BYPASS-ul-oob.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscertW6\Enterprise\Security-Licensing-SLC-Component-SKU-Enterprise-VL-KMS1-ul-phn.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscertW6\pkeyconfig.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscertW7\Embedded\pkeyconfig-embedded.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscertW6\Enterprise\Security-Licensing-SLC-Component-SKU-Enterprise-VL-KMS-ul-phn.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscertW6\Enterprise\Security-Licensing-SLC-Component-SKU-Enterprise-VL-KMS1-pl.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscertW6\Enterprise\Security-Licensing-SLC-Component-SKU-Enterprise-VL-KMS1-ul-oob.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscertW6\BusinessN\Security-Licensing-SLC-Component-SKU-BusinessN-VL-BYPASS-ul.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscertW6\BusinessN\Security-Licensing-SLC-Component-SKU-BusinessN-VL-KMS-pl.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscertW6\BusinessN\Security-Licensing-SLC-Component-SKU-BusinessN-VL-KMS-ul-oob.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscertW6\BusinessN\Security-Licensing-SLC-Component-SKU-BusinessN-VL-BYPASS-RAC-private.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscertW6\BusinessN\Security-Licensing-SLC-Component-SKU-BusinessN-VL-BYPASS-RAC-public.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscertW6\BusinessN\Security-Licensing-SLC-Component-SKU-BusinessN-VL-BYPASS-ul-oob.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscertW6\BusinessN\Security-Licensing-SLC-Component-SKU-BusinessN-VL-KMS1-ul-phn.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscertW6\Enterprise\Security-Licensing-SLC-Component-SKU-Enterprise-ul-oob.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscertW6\Enterprise\Security-Licensing-SLC-Component-SKU-Enterprise-ul-phn.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscertW6\BusinessN\Security-Licensing-SLC-Component-SKU-BusinessN-VL-KMS-ul-phn.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscertW6\BusinessN\Security-Licensing-SLC-Component-SKU-BusinessN-VL-KMS1-pl.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscertW6\BusinessN\Security-Licensing-SLC-Component-SKU-BusinessN-VL-KMS1-ul-oob.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscertW8\Core\Core-Volume-GVLK-1-ul-oob-rtm.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscertW8\Core\Core-Volume-GVLK-1-ul-rtm.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscertW8\CoreN\CoreN-Volume-GVLK-1-ul-oob-rtm.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscertW7\Professional\Security-SPP-Component-SKU-Professional-VLKMS1-pl.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscertW7\Professional\Security-SPP-Component-SKU-Professional-VLKMS1-ul-oob.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscertW7\Professional\Security-SPP-Component-SKU-Professional-VLKMS1-ul-phn.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscertW8\Enterprise\Enterprise-Volume-GVLK-1-ul-oob-rtm.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscertW8\Enterprise\Enterprise-Volume-GVLK-1-ul-rtm.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscertW8\EnterpriseN\EnterpriseN-Volume-GVLK-1-ul-oob-rtm.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscertW8\CoreN\CoreN-Volume-GVLK-1-ul-rtm.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscertW8\CoreSingleLanguage\CoreSingleLanguage-Volume-GVLK-1-ul-oob-rtm.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscertW8\CoreSingleLanguage\CoreSingleLanguage-Volume-GVLK-1-ul-rtm.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscertW7\Embedded\Security-SPP-Component-SKU-Embedded-VLBA-ul-oob.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscertW7\Embedded\Security-SPP-Component-SKU-Embedded-VLBA-ul.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscertW7\Professional\pkeyconfig.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscertW7\Embedded\Security-SPP-Component-SKU-Embedded-pl.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscertW7\Embedded\Security-SPP-Component-SKU-Embedded-ul-oob.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscertW7\Embedded\Security-SPP-Component-SKU-Embedded-ul-phn.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscertW7\Professional\Security-SPP-Component-SKU-Professional-VL-BYPASS-RAC-public.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscertW7\Professional\Security-SPP-Component-SKU-Professional-VL-BYPASS-ul-oob.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscertW7\Professional\Security-SPP-Component-SKU-Professional-VL-BYPASS-ul.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscertW7\Professional\Security-SPP-Component-SKU-Professional-ul-oob.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscertW7\Professional\Security-SPP-Component-SKU-Professional-ul-phn.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscertW7\Professional\Security-SPP-Component-SKU-Professional-VL-BYPASS-RAC-private.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2010\OneNote\OneNote_KMS_Client.RAC_Priv.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2010\OneNote\OneNote_KMS_Client.RAC_Pub.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2010\Outlook\OutlookVLReg32.reg
  • %TEMP%\RarSFX0\cert\kmscert2010\OneNote\OneNote_KMS_Client.OOB.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2010\OneNote\OneNote_KMS_Client.PL.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2010\OneNote\OneNote_KMS_Client.PPDLIC.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2010\Outlook\Outlook_KMS_Client.PL.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2010\Outlook\Outlook_KMS_Client.PPDLIC.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2010\Outlook\Outlook_KMS_Client.RAC_Priv.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2010\Outlook\OutlookVLReg64.reg
  • %TEMP%\RarSFX0\cert\kmscert2010\Outlook\OutlookVLRegWOW.reg
  • %TEMP%\RarSFX0\cert\kmscert2010\Outlook\Outlook_KMS_Client.OOB.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2010\InfoPath\InfoPathVLRegWOW.reg
  • %TEMP%\RarSFX0\cert\kmscert2010\InfoPath\InfoPath_KMS_Client.OOB.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2010\InfoPath\InfoPath_KMS_Client.PL.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2010\Groove\Groove_KMS_Client.RAC_Pub.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2010\InfoPath\InfoPathVLReg32.reg
  • %TEMP%\RarSFX0\cert\kmscert2010\InfoPath\InfoPathVLReg64.reg
  • %TEMP%\RarSFX0\cert\kmscert2010\OneNote\OneNoteVLReg32.reg
  • %TEMP%\RarSFX0\cert\kmscert2010\OneNote\OneNoteVLReg64.reg
  • %TEMP%\RarSFX0\cert\kmscert2010\OneNote\OneNoteVLRegWOW.reg
  • %TEMP%\RarSFX0\cert\kmscert2010\InfoPath\InfoPath_KMS_Client.PPDLIC.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2010\InfoPath\InfoPath_KMS_Client.RAC_Priv.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2010\InfoPath\InfoPath_KMS_Client.RAC_Pub.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2010\ProjectPro\ProjectPro_KMS_Client.RAC_Priv.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2010\ProjectPro\ProjectPro_KMS_Client.RAC_Pub.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2010\ProjectStd\ProjectStdVLReg32.reg
  • %TEMP%\RarSFX0\cert\kmscert2010\ProjectPro\ProjectPro_KMS_Client.OOB.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2010\ProjectPro\ProjectPro_KMS_Client.PL.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2010\ProjectPro\ProjectPro_KMS_Client.PPDLIC.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2010\ProjectStd\ProjectStd_KMS_Client.PL.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2010\ProjectStd\ProjectStd_KMS_Client.PPDLIC.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2010\ProjectStd\ProjectStd_KMS_Client.RAC_Priv.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2010\ProjectStd\ProjectStdVLReg64.reg
  • %TEMP%\RarSFX0\cert\kmscert2010\ProjectStd\ProjectStdVLRegWOW.reg
  • %TEMP%\RarSFX0\cert\kmscert2010\ProjectStd\ProjectStd_KMS_Client.OOB.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2010\PowerPoint\PowerPointVLRegWOW.reg
  • %TEMP%\RarSFX0\cert\kmscert2010\PowerPoint\PowerPoint_KMS_Client.OOB.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2010\PowerPoint\PowerPoint_KMS_Client.PL.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2010\Outlook\Outlook_KMS_Client.RAC_Pub.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2010\PowerPoint\PowerPointVLReg32.reg
  • %TEMP%\RarSFX0\cert\kmscert2010\PowerPoint\PowerPointVLReg64.reg
  • %TEMP%\RarSFX0\cert\kmscert2010\ProjectPro\ProjectProVLReg32.reg
  • %TEMP%\RarSFX0\cert\kmscert2010\ProjectPro\ProjectProVLReg64.reg
  • %TEMP%\RarSFX0\cert\kmscert2010\ProjectPro\ProjectProVLRegWOW.reg
  • %TEMP%\RarSFX0\cert\kmscert2010\PowerPoint\PowerPoint_KMS_Client.PPDLIC.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2010\PowerPoint\PowerPoint_KMS_Client.RAC_Priv.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2010\PowerPoint\PowerPoint_KMS_Client.RAC_Pub.xrm-ms
  • %TEMP%\RarSFX0\TokensBackup\Windows\pkeyconfig.xrm-ms
  • %TEMP%\RarSFX0\TokensBackup\Windows\tokens.dat
  • %TEMP%\RarSFX0\AutoPico.exe
  • %TEMP%\RarSFX0\TokensBackup\Keys.txt
  • %TEMP%\RarSFX0\TokensBackup\Windows\cache\cache.dat
  • %TEMP%\RarSFX0\TokensBackup\Windows\data.dat
  • %TEMP%\RarSFX0\unins000.dat
  • %TEMP%\RarSFX0\unins000.exe
  • %TEMP%\RarSFX0\UninsHs.exe
  • %TEMP%\RarSFX0\DevComponents.DotNetBar2.dll
  • %TEMP%\RarSFX0\KMSELDI.exe
  • %TEMP%\RarSFX0\Service_KMS.exe
  • %TEMP%\RarSFX0\sounds\diagnostic.mp3
  • %TEMP%\RarSFX0\sounds\enterauthorizationcode.mp3
  • %TEMP%\RarSFX0\sounds\incomingtransmission.mp3
  • %TEMP%\RarSFX0\sounds\affirmative.mp3
  • %TEMP%\RarSFX0\sounds\begin.mp3
  • %TEMP%\RarSFX0\sounds\complete.mp3
  • %TEMP%\RarSFX0\sounds\transfer.mp3
  • %TEMP%\RarSFX0\sounds\verified.mp3
  • %TEMP%\RarSFX0\sounds\warning.mp3
  • %TEMP%\RarSFX0\sounds\inputfailed.mp3
  • %TEMP%\RarSFX0\sounds\inputok.mp3
  • %TEMP%\RarSFX0\sounds\processing.mp3
  • %TEMP%\RarSFX0\cert\kmscert2010\Excel\Excel_KMS_Client.RAC_Priv.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2010\Excel\Excel_KMS_Client.RAC_Pub.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2010\Groove\GrooveVLReg32.reg
  • %TEMP%\RarSFX0\cert\kmscert2010\Excel\Excel_KMS_Client.OOB.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2010\Excel\Excel_KMS_Client.PL.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2010\Excel\Excel_KMS_Client.PPDLIC.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2010\Groove\Groove_KMS_Client.PL.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2010\Groove\Groove_KMS_Client.PPDLIC.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2010\Groove\Groove_KMS_Client.RAC_Priv.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2010\Groove\GrooveVLReg64.reg
  • %TEMP%\RarSFX0\cert\kmscert2010\Groove\GrooveVLRegWOW.reg
  • %TEMP%\RarSFX0\cert\kmscert2010\Groove\Groove_KMS_Client.OOB.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2010\Access\AccessVLRegWOW.reg
  • %TEMP%\RarSFX0\cert\kmscert2010\Access\Access_KMS_Client.OOB.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2010\Access\Access_KMS_Client.PL.xrm-ms
  • %TEMP%\RarSFX0\Vestris.ResourceLib.dll
  • %TEMP%\RarSFX0\cert\kmscert2010\Access\AccessVLReg32.reg
  • %TEMP%\RarSFX0\cert\kmscert2010\Access\AccessVLReg64.reg
  • %TEMP%\RarSFX0\cert\kmscert2010\Excel\ExcelVLReg32.reg
  • %TEMP%\RarSFX0\cert\kmscert2010\Excel\ExcelVLReg64.reg
  • %TEMP%\RarSFX0\cert\kmscert2010\Excel\ExcelVLRegWOW.reg
  • %TEMP%\RarSFX0\cert\kmscert2010\Access\Access_KMS_Client.PPDLIC.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2010\Access\Access_KMS_Client.RAC_Priv.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2010\Access\Access_KMS_Client.RAC_Pub.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2013\Excel\LicenseSetData._F7461D52_7C2B_43B2_8744_EA958E0BD09A.PL.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2013\Excel\LicenseSetData._F7461D52_7C2B_43B2_8744_EA958E0BD09A.PPDLIC.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2013\InfoPath\LicenseSetData._A30B8040_D68A_423F_B0B5_9CE292EA5A8F.OOB.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2013\Access\AccessVL_KMS_Client_PL.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2013\Access\AccessVL_KMS_Client_PPDLIC.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2013\Excel\LicenseSetData._F7461D52_7C2B_43B2_8744_EA958E0BD09A.OOB.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2013\Licenses.sl.ISSUANCE.CLIENT_ROOT.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2013\Licenses.sl.ISSUANCE.CLIENT_ROOT_BRIDGE_TEST.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2013\Licenses.sl.ISSUANCE.CLIENT_STIL.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2013\InfoPath\LicenseSetData._A30B8040_D68A_423F_B0B5_9CE292EA5A8F.PL.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2013\InfoPath\LicenseSetData._A30B8040_D68A_423F_B0B5_9CE292EA5A8F.PPDLIC.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2013\Licenses.sl.ISSUANCE.CLIENT_BRIDGE_OFFICE.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2010\Word\WordVLReg32.reg
  • %TEMP%\RarSFX0\cert\kmscert2010\Word\WordVLReg64.reg
  • %TEMP%\RarSFX0\cert\kmscert2010\Word\WordVLRegWOW.reg
  • %TEMP%\RarSFX0\cert\kmscert2010\Visio\VisioVLReg32.reg
  • %TEMP%\RarSFX0\cert\kmscert2010\Visio\VisioVLReg64.reg
  • %TEMP%\RarSFX0\cert\kmscert2010\Visio\VisioVLRegWOW.reg
  • %TEMP%\RarSFX0\cert\kmscert2010\Word\Word_KMS_Client.RAC_Priv.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2010\Word\Word_KMS_Client.RAC_Pub.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2013\Access\AccessVL_KMS_Client_OOB.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2010\Word\Word_KMS_Client.OOB.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2010\Word\Word_KMS_Client.PL.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2010\Word\Word_KMS_Client.PPDLIC.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2013\ProjectPro\LicenseSetData._4A5D124A_E620_44BA_B6FF_658961B33B9A.OOB.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2013\ProjectPro\LicenseSetData._4A5D124A_E620_44BA_B6FF_658961B33B9A.PL.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2013\ProjectPro\LicenseSetData._4A5D124A_E620_44BA_B6FF_658961B33B9A.PPDLIC.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2013\PowerPoint\LicenseSetData._8C762649_97D1_4953_AD27_B7E2C25B972E.OOB.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2013\PowerPoint\LicenseSetData._8C762649_97D1_4953_AD27_B7E2C25B972E.PL.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2013\PowerPoint\LicenseSetData._8C762649_97D1_4953_AD27_B7E2C25B972E.PPDLIC.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2013\ProPlus\LicenseSetData._B322DA9C_A2E2_4058_9E4E_F59A6970BD69.OOB.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2013\ProPlus\LicenseSetData._B322DA9C_A2E2_4058_9E4E_F59A6970BD69.PL.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2013\ProPlus\LicenseSetData._B322DA9C_A2E2_4058_9E4E_F59A6970BD69.PPDLIC.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2013\ProjectStd\LicenseSetData._427A28D1_D17C_4ABF_B717_32C780BA6F07.OOB.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2013\ProjectStd\LicenseSetData._427A28D1_D17C_4ABF_B717_32C780BA6F07.PL.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2013\ProjectStd\LicenseSetData._427A28D1_D17C_4ABF_B717_32C780BA6F07.PPDLIC.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2013\Lync\LicenseSetData._1B9F11E3_C85C_4E1B_BB29_879AD2C909E3.PL.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2013\Lync\LicenseSetData._1B9F11E3_C85C_4E1B_BB29_879AD2C909E3.PPDLIC.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2013\OneNote\LicenseSetData._EFE1F3E6_AEA2_4144_A208_32AA872B6545.OOB.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2013\Licenses.sl.ISSUANCE.CLIENT_UL.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2013\Licenses.sl.ISSUANCE.CLIENT_UL_OOB.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2013\Lync\LicenseSetData._1B9F11E3_C85C_4E1B_BB29_879AD2C909E3.OOB.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2013\Outlook\LicenseSetData._771C3AFA_50C5_443F_B151_FF2546D863A0.PL.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2013\Outlook\LicenseSetData._771C3AFA_50C5_443F_B151_FF2546D863A0.PPDLIC.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2013\pkeyconfig-office.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2013\OneNote\LicenseSetData._EFE1F3E6_AEA2_4144_A208_32AA872B6545.PL.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2013\OneNote\LicenseSetData._EFE1F3E6_AEA2_4144_A208_32AA872B6545.PPDLIC.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2013\Outlook\LicenseSetData._771C3AFA_50C5_443F_B151_FF2546D863A0.OOB.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2010\Publisher\Publisher_KMS_Client.RAC_Priv.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2010\Publisher\Publisher_KMS_Client.RAC_Pub.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2010\SmallBusBasics\SmallBusBasicsVLReg32.reg
  • %TEMP%\RarSFX0\cert\kmscert2010\Publisher\Publisher_KMS_Client.OOB.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2010\Publisher\Publisher_KMS_Client.PL.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2010\Publisher\Publisher_KMS_Client.PPDLIC.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2010\SmallBusBasics\SmallBusBasics_KMS_Client.PL.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2010\SmallBusBasics\SmallBusBasics_KMS_Client.PPDLIC.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2010\SmallBusBasics\SmallBusBasics_KMS_Client.RAC_Priv.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2010\SmallBusBasics\SmallBusBasicsVLReg64.reg
  • %TEMP%\RarSFX0\cert\kmscert2010\SmallBusBasics\SmallBusBasicsVLRegWOW.reg
  • %TEMP%\RarSFX0\cert\kmscert2010\SmallBusBasics\SmallBusBasics_KMS_Client.OOB.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2010\ProPlus\ProPlusVLRegWOW.reg
  • %TEMP%\RarSFX0\cert\kmscert2010\ProPlus\ProPlus_KMS_Client.OOB.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2010\ProPlus\ProPlus_KMS_Client.PL.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2010\ProjectStd\ProjectStd_KMS_Client.RAC_Pub.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2010\ProPlus\ProPlusVLReg32.reg
  • %TEMP%\RarSFX0\cert\kmscert2010\ProPlus\ProPlusVLReg64.reg
  • %TEMP%\RarSFX0\cert\kmscert2010\Publisher\PublisherVLReg32.reg
  • %TEMP%\RarSFX0\cert\kmscert2010\Publisher\PublisherVLReg64.reg
  • %TEMP%\RarSFX0\cert\kmscert2010\Publisher\PublisherVLRegWOW.reg
  • %TEMP%\RarSFX0\cert\kmscert2010\ProPlus\ProPlus_KMS_Client.PPDLIC.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2010\ProPlus\ProPlus_KMS_Client.RAC_Priv.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2010\ProPlus\ProPlus_KMS_Client.RAC_Pub.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2010\Visio\VisioPro_KMS_Client.PL.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2010\Visio\VisioPro_KMS_Client.PPDLIC.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2010\Visio\VisioPro_KMS_Client.RAC_Priv.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2010\Visio\VisioPrem_KMS_Client.RAC_Priv.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2010\Visio\VisioPrem_KMS_Client.RAC_Pub.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2010\Visio\VisioPro_KMS_Client.OOB.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2010\Visio\VisioStd_KMS_Client.PPDLIC.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2010\Visio\VisioStd_KMS_Client.RAC_Priv.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2010\Visio\VisioStd_KMS_Client.RAC_Pub.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2010\Visio\VisioPro_KMS_Client.RAC_Pub.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2010\Visio\VisioStd_KMS_Client.OOB.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2010\Visio\VisioStd_KMS_Client.PL.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2010\Standard\StandardVLRegWOW.reg
  • %TEMP%\RarSFX0\cert\kmscert2010\Standard\Standard_KMS_Client.OOB.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2010\Standard\Standard_KMS_Client.PL.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2010\SmallBusBasics\SmallBusBasics_KMS_Client.RAC_Pub.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2010\Standard\StandardVLReg32.reg
  • %TEMP%\RarSFX0\cert\kmscert2010\Standard\StandardVLReg64.reg
  • %TEMP%\RarSFX0\cert\kmscert2010\Visio\VisioPrem_KMS_Client.OOB.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2010\Visio\VisioPrem_KMS_Client.PL.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2010\Visio\VisioPrem_KMS_Client.PPDLIC.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2010\Standard\Standard_KMS_Client.PPDLIC.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2010\Standard\Standard_KMS_Client.RAC_Priv.xrm-ms
  • %TEMP%\RarSFX0\cert\kmscert2010\Standard\Standard_KMS_Client.RAC_Pub.xrm-ms
Sets the 'hidden' attribute to the following files:
  • %TEMP%\RarSFX0\TokensBackup\Windows\data.dat
Deletes the following files:
  • %TEMP%\RarSFX0\logs\KMSELDI.log
Substitutes the following files:
  • %TEMP%\RarSFX0\logs\KMSELDI.log
Network activity:
Connects to:
  • '2.###l.ntp.org':123
UDP:
  • DNS ASK 2.###l.ntp.org
Miscellaneous:
Searches for the following windows:
  • ClassName: 'EDIT' WindowName: ''

Curing recommendations

  1. If the operating system (OS) can be loaded (either normally or in safe mode), download Dr.Web Security Space and run a full scan of your computer and removable media you use. More about Dr.Web Security Space.
  2. If you cannot boot the OS, change the BIOS settings to boot your system from a CD or USB drive. Download the image of the emergency system repair disk Dr.Web® LiveDisk , mount it on a USB drive or burn it to a CD/DVD. After booting up with this media, run a full scan and cure all the detected threats.
Download Dr.Web

Download by serial number

Use Dr.Web Anti-virus for macOS to run a full scan of your Mac.

After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.

Download Dr.Web

Download by serial number

  1. If the mobile device is operating normally, download and install Dr.Web for Android. Run a full system scan and follow recommendations to neutralize the detected threats.
  2. If the mobile device has been locked by Android.Locker ransomware (the message on the screen tells you that you have broken some law or demands a set ransom amount; or you will see some other announcement that prevents you from using the handheld normally), do the following:
    • Load your smartphone or tablet in the safe mode (depending on the operating system version and specifications of the particular mobile device involved, this procedure can be performed in various ways; seek clarification from the user guide that was shipped with the device, or contact its manufacturer);
    • Once you have activated safe mode, install the Dr.Web for Android onto the infected handheld and run a full scan of the system; follow the steps recommended for neutralizing the threats that have been detected;
    • Switch off your device and turn it on as normal.

Find out more about Dr.Web for Android