Concrete signature match: Hack Tool - Tool used to exploit vulnerabilities for 32-bit Windows platform, family AutoKMS
HackTool:Win32/AutoKMS!MTB is a concrete detection of an unauthorized activation tool for Microsoft products (Windows and Office). It works by emulating a Key Management Service (KMS) host on the local machine and by modifying protected system components: the strings below show a kernel driver being dropped (oem-drv86.sys), the Software Protection Platform (SPP) being hooked through a substitute COM DLL (SppExtComObjHook.dll), scheduled tasks and helper processes being managed, and third-party KMS hostnames being contacted. Whatever the user's intent, a tool that loads its own driver and patches SPP can leave the system unstable, and the cracked installers it ships in are frequently bundled with additional malware or backdoors, so a hit on this signature should be treated as a compromise indicator rather than as a licensing issue alone.
Relevant strings associated with this threat (the family covers several activator builds, so the list spans multiple tools' PDB paths, self-extracting installer manifests, KMS host names and generic RPC server error strings):
- oem-drv86.pdb (PEHSTR_EXT)
- SystemRoot\system32\DRIVERS\oem-drv86.sys (PEHSTR_EXT)
- http://forum.ru-board.com (PEHSTR_EXT)
- https://money.yandex.ru (PEHSTR_EXT)
- kms789.com (PEHSTR_EXT)
- kms.03k.org (PEHSTR_EXT)
- kms.digiboy.ir (PEHSTR_EXT)
- taskkill /t /f /IM KMS8Load.exe >nul 2>&1 (PEHSTR_EXT)
- SppExtComObjHook.dll (PEHSTR_EXT)
- %05u-%05u-%03u-%06u-03-%u-%04u.0000-%03d%04d (PEHSTR_EXT)
- verify /v /ph /sha1 648384a4dee53d4c1c87e10d67cc99307ccc9c98 (PEHSTR_EXT)
- /delete /TN KMSTools / (PEHSTR_EXT)
- Program Files\Windows Defender\MsMpEng.exe (PEHSTR_EXT)
- \KMS Server.pdb (PEHSTR_EXT)
- (KMS V5) sent. (PEHSTR_EXT)
- ()$^.*+?[]|\-{},:=! (PEHSTR_EXT)
- 55041-00168-305-246209-03-1033-7600.0000-0522010 (PEHSTR_EXT)
- RpcServerUseProtseqEp failed with code %i. (PEHSTR_EXT)
- RpcServerRegisterIfEx failed with code %i. (PEHSTR_EXT)
- RpcServerListen failed with code %i. (PEHSTR_EXT)
- SppExtComObjPatcher-kms\Debug\x64\KMS.pdb (PEHSTR_EXT)
- Setup=KMSpico-setup.exe (PEHSTR_EXT)
- Setup=kmsh.exe (PEHSTR_EXT)
- Setup=dllservsys.exe (PEHSTR_EXT)
- Setup=kmsb.exe (PEHSTR_EXT)
- Setup=kmspicoh.exe (PEHSTR_EXT)
- Setup=kmsdlli.exe (PEHSTR_EXT)
- Setup=kmspicov.exe (PEHSTR_EXT)
- FullCrack.vn_KMSpico_10. (PEHSTR_EXT)
- _setup.rar (PEHSTR_EXT)
- Password : fullcrack.vn (PEHSTR_EXT)
- \KMSpico-setup.exe (PEHSTR_EXT)
- \kmsdll.exe (PEHSTR_EXT)
- !185.125.230.210/KMSpico-setup.exe (PEHSTR)
- Setup=KMSpico-setup.exe (PEHSTR)
- Visual Studio\SppExtComObjHook\SppExtComObjHook\bin\x64\Release\SppExtComObjHook.pdb (PEHSTR_EXT)
- Office 2010 Toolkit.pdb (PEHSTR)
- $\TunMirror\obj\Release\TunMirror.pdb (PEHSTR)
- KMSELDI.pdb (PEHSTR_EXT)
- a.E+M (NID)
- WnBv\I0 (SNID)
- h[OS}aPG.' (SNID)
- WY:.Z (SNID)
- \vuT* (SNID)
- e.}w[Lo} (SNID)
- v]|/# (SNID)
- JSu* (SNID)
- O=T.8 (SNID)
- ioX\cZ (SNID)
- |>?/k (SNID)
- +/g{N (SNID)
- D\@04 (SNID)
- T/Z^{ (SNID)
- [L*h. (SNID)
- K`o1. (SNID)
- Wj/:. (SNID)
- i;ul}.0) (SNID)
- !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT)
- rundll32 (PEHSTR_EXT)
- !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRemoteFileCopy.B!pli (PEHSTR_EXT)
- !#HSTR:ExecutionGuardrails (PEHSTR_EXT)
- !#HSTR:StringCodeForFileDeletion.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.M!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForNetshHelperDLL.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRemoteServices.A!pli (PEHSTR_EXT)

Associated SHA-256: 0f20b9f81a006b42fc0342e41bd990311ca2089c99a9e19722c830fe1e202eb0

Immediately allow Windows Defender to quarantine and remove the detected threat. Then run a full system scan with up-to-date antivirus signatures to find any other malicious software bundled with the activator, and check that the driver, the SPP hook DLL and the scheduled task named in the strings above are gone. Ensure all operating systems and applications are legally licensed and activated so that unauthorized activation tools, which inherently pose a security risk, are not needed.
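The following scanner is an added example, not Microsoft's PEHSTR engine or any code from the AutoKMS tools: it turns a subset of the strings above into a weighted multi-string check over a raw file image so that the listing can be used for hunting on a file share or in a sandbox. The weights and the threshold are assumptions chosen for illustration; the point they encode is that the driver name, the SPP hook DLL and the KMS host names are strong on their own, while the RpcServer* error strings also appear in any legitimate RPC server (including a genuine KMS host) and should not fire by themselves. Both sample buffers are constructed, not real binaries.

```python
"""Weighted multi-string scanner built from the AutoKMS indicator list (added example)."""
from dataclasses import dataclass, field

# (needle, weight). Needles are taken from the signature listing above; the
# weights are assumptions for this example, not Defender's internal values.
INDICATORS = [
    (b"oem-drv86.sys", 4),
    (b"SppExtComObjHook.dll", 4),
    (b"KMSELDI.pdb", 4),
    (b"kms789.com", 3),
    (b"kms.03k.org", 3),
    (b"kms.digiboy.ir", 3),
    (b"/delete /TN KMSTools", 3),
    (b"taskkill /t /f /IM KMS8Load.exe", 3),
    (b"Setup=KMSpico-setup.exe", 3),
    (b"(KMS V5) sent.", 2),
    # Generic RPC error strings: any RPC server carries these, so low weight.
    (b"RpcServerUseProtseqEp failed with code %i.", 1),
    (b"RpcServerRegisterIfEx failed with code %i.", 1),
    (b"RpcServerListen failed with code %i.", 1),
]
THRESHOLD = 4  # assumption: one strong artifact, or several weak ones together


@dataclass
class ScanResult:
    score: int = 0
    hits: list = field(default_factory=list)  # (needle, encoding) pairs


def _encodings(needle: bytes):
    # Windows binaries store strings as ANSI or UTF-16LE; check both forms.
    wide = needle.decode("ascii").encode("utf-16le")
    return (("ascii", needle), ("utf-16le", wide))


def scan(data: bytes) -> ScanResult:
    """Score a file image; each indicator counts at most once."""
    result = ScanResult()
    for needle, weight in INDICATORS:
        for encoding, pattern in _encodings(needle):
            if pattern in data:
                result.score += weight
                result.hits.append((needle.decode("ascii"), encoding))
                break
    return result


def is_match(data: bytes) -> bool:
    return scan(data).score >= THRESHOLD


def scan_file(path: str) -> ScanResult:
    with open(path, "rb") as fh:
        return scan(fh.read())


# Constructed samples (not real files): a fake activator image that stores one
# indicator as a wide string, and a fake benign RPC service that shares only
# the generic error strings.
SAMPLE_ACTIVATOR = (
    b"MZ\x90\x00" + b"\x00" * 64
    + b"SystemRoot\\system32\\DRIVERS\\oem-drv86.sys\x00"
    + "kms.digiboy.ir".encode("utf-16le") + b"\x00\x00"
    + b"RpcServerListen failed with code %i.\x00"
)
SAMPLE_BENIGN_RPC = (
    b"MZ\x90\x00" + b"\x00" * 64
    + b"RpcServerUseProtseqEp failed with code %i.\x00"
    + b"RpcServerRegisterIfEx failed with code %i.\x00"
    + b"RpcServerListen failed with code %i.\x00"
)

if __name__ == "__main__":
    for name, blob in (("activator", SAMPLE_ACTIVATOR), ("benign rpc", SAMPLE_BENIGN_RPC)):
        r = scan(blob)
        print(f"{name}: score={r.score} match={r.score >= THRESHOLD} hits={r.hits}")
```

On the constructed activator image the scanner scores 8 (driver name, wide-string KMS host, one RPC string) and matches; the benign RPC image scores 3 from the three error strings alone and stays below the threshold. When hunting for real, keep the PDB-path and installer-manifest strings in the list as well, and expect the SNID fragments above to be unusable as plain substrings, since they are opaque byte patterns from the engine's own matcher rather than printable strings.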