Concrete signature match: HackTool (a tool used to exploit vulnerabilities), 32-bit Windows platform, family AutoKMS
HackTool:Win32/AutoKMS!pz is a concrete detection of an unauthorized Key Management Service (KMS) activator. It illegally activates Microsoft Windows and Office products by modifying system licensing components, potentially installing drivers, and setting up a local KMS server, thereby compromising system integrity and security.
Relevant strings associated with this threat:
- oem-drv86.pdb (PEHSTR_EXT)
- SystemRoot\system32\DRIVERS\oem-drv86.sys (PEHSTR_EXT)
- http://forum.ru-board.com (PEHSTR_EXT)
- https://money.yandex.ru (PEHSTR_EXT)
- kms789.com (PEHSTR_EXT)
- kms.03k.org (PEHSTR_EXT)
- kms.digiboy.ir (PEHSTR_EXT)
- taskkill /t /f /IM KMS8Load.exe >nul 2>&1 (PEHSTR_EXT)
- SppExtComObjHook.dll (PEHSTR_EXT)
- %05u-%05u-%03u-%06u-03-%u-%04u.0000-%03d%04d (PEHSTR_EXT)
- verify /v /ph /sha1 648384a4dee53d4c1c87e10d67cc99307ccc9c98 (PEHSTR_EXT)
- /delete /TN KMSTools / (PEHSTR_EXT)
- Program Files\Windows Defender\MsMpEng.exe (PEHSTR_EXT)
- \KMS Server.pdb (PEHSTR_EXT)
- (KMS V5) sent. (PEHSTR_EXT)
- ()$^.*+?[]|\-{},:=! (PEHSTR_EXT)
- 55041-00168-305-246209-03-1033-7600.0000-0522010 (PEHSTR_EXT)
- RpcServerUseProtseqEp failed with code %i. (PEHSTR_EXT)
- RpcServerRegisterIfEx failed with code %i. (PEHSTR_EXT)
- RpcServerListen failed with code %i. (PEHSTR_EXT)
- SppExtComObjPatcher-kms\Debug\x64\KMS.pdb (PEHSTR_EXT)
- Setup=KMSpico-setup.exe (PEHSTR_EXT)
- Setup=kmsh.exe (PEHSTR_EXT)
- Setup=dllservsys.exe (PEHSTR_EXT)
- Setup=kmsb.exe (PEHSTR_EXT)
- Setup=kmspicoh.exe (PEHSTR_EXT)
- Setup=kmsdlli.exe (PEHSTR_EXT)
- Setup=kmspicov.exe (PEHSTR_EXT)
- FullCrack.vn_KMSpico_10. (PEHSTR_EXT)
- _setup.rar (PEHSTR_EXT)
- Password : fullcrack.vn (PEHSTR_EXT)
- \KMSpico-setup.exe (PEHSTR_EXT)
- \kmsdll.exe (PEHSTR_EXT)
- !185.125.230.210/KMSpico-setup.exe (PEHSTR)
- Setup=KMSpico-setup.exe (PEHSTR)
- Visual Studio\SppExtComObjHook\SppExtComObjHook\bin\x64\Release\SppExtComObjHook.pdb (PEHSTR_EXT)
- Office 2010 Toolkit.pdb (PEHSTR)
- $\TunMirror\obj\Release\TunMirror.pdb (PEHSTR)
- KMSELDI.pdb (PEHSTR_EXT)
- !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT)
- rundll32 (PEHSTR_EXT)
- !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRemoteFileCopy.B!pli (PEHSTR_EXT)
- !#HSTR:ExecutionGuardrails (PEHSTR_EXT)
- !#HSTR:StringCodeForFileDeletion.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.M!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForNetshHelperDLL.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRemoteServices.A!pli (PEHSTR_EXT)

Associated hash: 951cf36358700207066a5b20601cc5e13c7072fffb400aa34593a56a296ae4a6

Remediation: Isolate the affected system and perform a full scan with an updated antivirus/anti-malware solution to remove all detected components. Afterward, ensure Microsoft Windows and Office are legitimately activated using valid product keys or licenses, and review the system for other potentially unwanted programs (PUPs).