Concrete signature match: Hack Tool - Tool used to exploit vulnerabilities for 32-bit Windows platform, family AutoKMS
This is a HackTool:Win32/AutoKMS variant designed to illegally activate Microsoft Windows and Office products by emulating a Key Management Service (KMS). It typically modifies core system activation components, potentially installs drivers, and creates scheduled tasks to maintain unauthorized activation.
Relevant strings associated with this threat:
- oem-drv86.pdb (PEHSTR_EXT)
- SystemRoot\system32\DRIVERS\oem-drv86.sys (PEHSTR_EXT)
- http://forum.ru-board.com (PEHSTR_EXT)
- https://money.yandex.ru (PEHSTR_EXT)
- kms789.com (PEHSTR_EXT)
- kms.03k.org (PEHSTR_EXT)
- kms.digiboy.ir (PEHSTR_EXT)
- taskkill /t /f /IM KMS8Load.exe >nul 2>&1 (PEHSTR_EXT)
- SppExtComObjHook.dll (PEHSTR_EXT)
- %05u-%05u-%03u-%06u-03-%u-%04u.0000-%03d%04d (PEHSTR_EXT)
- verify /v /ph /sha1 648384a4dee53d4c1c87e10d67cc99307ccc9c98 (PEHSTR_EXT)
- /delete /TN KMSTools / (PEHSTR_EXT)
- Program Files\Windows Defender\MsMpEng.exe (PEHSTR_EXT)
- \KMS Server.pdb (PEHSTR_EXT)
- (KMS V5) sent. (PEHSTR_EXT)
- ()$^.*+?[]|\-{},:=! (PEHSTR_EXT)
- 55041-00168-305-246209-03-1033-7600.0000-0522010 (PEHSTR_EXT)
- RpcServerUseProtseqEp failed with code %i. (PEHSTR_EXT)
- RpcServerRegisterIfEx failed with code %i. (PEHSTR_EXT)
- RpcServerListen failed with code %i. (PEHSTR_EXT)
- SppExtComObjPatcher-kms\Debug\x64\KMS.pdb (PEHSTR_EXT)
- Setup=KMSpico-setup.exe (PEHSTR_EXT)
- Setup=kmsh.exe (PEHSTR_EXT)
- Setup=dllservsys.exe (PEHSTR_EXT)
- Setup=kmsb.exe (PEHSTR_EXT)
- Setup=kmspicoh.exe (PEHSTR_EXT)
- Setup=kmsdlli.exe (PEHSTR_EXT)
- Setup=kmspicov.exe (PEHSTR_EXT)
- FullCrack.vn_KMSpico_10. (PEHSTR_EXT)
- _setup.rar (PEHSTR_EXT)
- Password : fullcrack.vn (PEHSTR_EXT)
- \KMSpico-setup.exe (PEHSTR_EXT)
- \kmsdll.exe (PEHSTR_EXT)
- !185.125.230.210/KMSpico-setup.exe (PEHSTR)
- Setup=KMSpico-setup.exe (PEHSTR)
- Visual Studio\SppExtComObjHook\SppExtComObjHook\bin\x64\Release\SppExtComObjHook.pdb (PEHSTR_EXT)
- Office 2010 Toolkit.pdb (PEHSTR)
- $\TunMirror\obj\Release\TunMirror.pdb (PEHSTR)
- KMSELDI.pdb (PEHSTR_EXT)
- a.E+M (NID)
- WnBv\I0 (SNID)
- h[OS}aPG.' (SNID)
- WY:.Z (SNID)
- \vuT* (SNID)
- e.}w[Lo} (SNID)
- v]|/# (SNID)
- JSu* (SNID)
- O=T.8 (SNID)
- ioX\cZ (SNID)
- |>?/k (SNID)
- +/g{N (SNID)
- D\@04 (SNID)
- T/Z^{ (SNID)
- [L*h. (SNID)
- K`o1. (SNID)
- Wj/:. (SNID)
- i;ul}.0) (SNID)
- !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT)
- rundll32 (PEHSTR_EXT)
- !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRemoteFileCopy.B!pli (PEHSTR_EXT)
- !#HSTR:ExecutionGuardrails (PEHSTR_EXT)
- !#HSTR:StringCodeForFileDeletion.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.M!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForNetshHelperDLL.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRemoteServices.A!pli (PEHSTR_EXT)

Hash: b6992a4eaac69e053158e017749233db2f13f73542343916365d95adb22e1343

Recommended remediation: Allow Windows Defender to remove or quarantine the detected files. Perform a full system scan to ensure all components of the hack tool are removed, and re-activate Windows and Office using legitimate product keys.