Microsoft security software detects and removes this threat.

This tool can be used to activate a pirated version of Microsoft Windows and Microsoft Office.

We recommend you don't run this hacktool as it can be associated with malware or unwanted software. In the past, we have seen malware on many PCs where hacktools are detected. You can read more in Volume 13 of the Security Intelligence Report.

What to do now

Use the following free Microsoft software to detect and remove this threat:

You should also run a full scan. A full scan might find other, hidden malware.

Get more help

You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.

If you’re using Windows XP, see our Windows XP end of support page.

Threat behavior

This hacktool can be used to activate a pirated version of Microsoft Windows (Windows Vista, Windows 7, Windows 8 and Windows 8.1) and Microsoft Office (Office 2003, Office 2007, Office 2010 and Office 2013).

It is installed as a Key Management Service (KMS) in %SystemDrive% and a front end GUI usually uses this service to automatically activate Windows and Office. An example of the GUI can be seen below.

Analysis by Zhitao Zhou


Alerts from your security software may be the only symptom.


Alert level: Medium
First detected by definition: 1.175.768.0
Latest detected by definition: 1.179.2201.0 and higher
First detected on: May 29, 2014
This entry was first published on: Jun 16, 2014
This entry was updated on: Aug 22, 2014

This threat is also detected as:
No known aliases