Tool.KMS.35

Technical Information

To ensure autorun and distribution

Modifies the following registry keys

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.Exe] 'Debugger' = 'rundll32.exe SECOPatcher.dll,PatcherMain'

Malicious functions

Executes the following

'<SYSTEM32>\taskkill.exe' /t /f /IM SppExtComObj.Exe
'<SYSTEM32>\netsh.exe' Advfirewall Firewall add rule name=0pen_Port_KMS dir=in action=allow protocol=TCP localport=1688
'<SYSTEM32>\taskkill.exe' /t /f /IM KMSSS.exe

Modifies file system

Creates the following files

%WINDIR%\aact_tools\aact.exe
%APPDATA%\microsoft\windows\start menu\programs\kms-activator.lnk
%WINDIR%\aact_tools\aact_files\secopatcher.dll
%WINDIR%\aact_tools\aact_files\kmsss.exe

Sets the 'hidden' attribute to the following files

%WINDIR%\aact_tools\aact_files\kmsss.exe

Network activity

Connects to

'12#.0.0.2':1688

Miscellaneous

Searches for the following windows

ClassName: 'EDIT' WindowName: ''
ClassName: '' WindowName: ''

Creates and executes the following

'%WINDIR%\aact_tools\aact.exe' /ofs=act /taskofs
'%WINDIR%\aact_tools\aact_files\kmsss.exe' -Port 1688 -PWin RandomKMSPID -PO14 RandomKMSPID -PO15 RandomKMSPID -PO16 RandomKMSPID

Executes the following

'<SYSTEM32>\cmd.exe' /c REG QUERY HKLM\Software\Microsoft\Office /s /v Path /reg:64
'<SYSTEM32>\cmd.exe' /c WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="%WINDIR%\AAct_Tools\AAct.exe"
'<SYSTEM32>\reg.exe' QUERY HKLM\Software\Microsoft\Office /s /v Path /reg:64
'<SYSTEM32>\wbem\wmic.exe' /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="%WINDIR%\AAct_Tools\AAct.exe"
'<SYSTEM32>\cmd.exe' /c REG QUERY HKLM\Software\WOW6432Node\Microsoft\Office /s /v Path
'<SYSTEM32>\reg.exe' QUERY HKLM\Software\WOW6432Node\Microsoft\Office /s /v Path
'<SYSTEM32>\cmd.exe' /c WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="%WINDIR%\AAct_Tools\AAct_files"
'<SYSTEM32>\wbem\wmic.exe' /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="%WINDIR%\AAct_Tools\AAct_files"
'<SYSTEM32>\cmd.exe' /c WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="<SYSTEM32>\SppExtComObjPatcher.exe"
'<SYSTEM32>\wbem\wmic.exe' /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="<SYSTEM32>\SppExtComObjPatcher.exe"
'<SYSTEM32>\cmd.exe' /c WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="<SYSTEM32>\SppExtComObjHook.dll"
'<SYSTEM32>\cmd.exe' /c taskkill.exe /t /f /IM SppExtComObj.Exe
'<SYSTEM32>\wbem\wmic.exe' /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="<SYSTEM32>\SppExtComObjHook.dll"
'<SYSTEM32>\cmd.exe' /c WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="%WINDIR%\AAct_Tools\AAct_files\KMSSS.exe"
'<SYSTEM32>\wbem\wmic.exe' /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="%WINDIR%\AAct_Tools\AAct_files\KMSSS.exe"
'<SYSTEM32>\cmd.exe' /c reg.exe delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.Exe" /f /v "Debugger"
'<SYSTEM32>\reg.exe' delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.Exe" /f /v "Debugger"
'<SYSTEM32>\cmd.exe' /c reg.exe delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.Exe" /f
'<SYSTEM32>\reg.exe' delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.Exe" /f
'<SYSTEM32>\cmd.exe' /c Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP
'<SYSTEM32>\netsh.exe' Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP
'<SYSTEM32>\cmd.exe' /c icacls "<SYSTEM32>\SECOPatcher.dll" /reset
'<SYSTEM32>\icacls.exe' "<SYSTEM32>\SECOPatcher.dll" /reset
'<SYSTEM32>\cmd.exe' /c mklink "<SYSTEM32>\SECOPatcher.dll" "%WINDIR%\AAct_Tools\AAct_files\SECOPatcher.dll"
'<SYSTEM32>\cmd.exe' /c icacls "<SYSTEM32>\SECOPatcher.dll" /findsid *S-1-5-32-545
'<SYSTEM32>\icacls.exe' "<SYSTEM32>\SECOPatcher.dll" /findsid *S-1-5-32-545
'<SYSTEM32>\cmd.exe' /c reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.Exe" /f /v "Debugger" /t REG_SZ /d "rundll32.exe SECOPatcher.dll,PatcherMain"
'<SYSTEM32>\reg.exe' add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.Exe" /f /v "Debugger" /t REG_SZ /d "rundll32.exe SECOPatcher.dll,PatcherMain"
'<SYSTEM32>\cmd.exe' /c Netsh.exe Advfirewall Firewall add rule name=0pen_Port_KMS dir=in action=allow protocol=TCP localport=1688
'<SYSTEM32>\cmd.exe' /c taskkill.exe /t /f /IM KMSSS.exe
'<SYSTEM32>\cmd.exe' /c ipconfig.exe /flushdns
'<SYSTEM32>\ipconfig.exe' /flushdns
'<SYSTEM32>\reg.exe' DELETE "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663" /f /reg:64
'<SYSTEM32>\cmd.exe' /c cscript.exe "%ProgramFiles(x86)%\Microsoft Office\Office16\ospp.vbs" //NoLogo /remhst
'<SYSTEM32>\cscript.exe' "%ProgramFiles(x86)%\Microsoft Office\Office16\ospp.vbs" //NoLogo /remhst
'<SYSTEM32>\cmd.exe' /c cscript.exe "%ProgramFiles(x86)%\Microsoft Office\Office16\ospp.vbs" //NoLogo /sethst:10.#.0.20
'<SYSTEM32>\cscript.exe' "%ProgramFiles(x86)%\Microsoft Office\Office16\ospp.vbs" //NoLogo /sethst:10.#.0.20
'<SYSTEM32>\cmd.exe' /c cscript.exe "%ProgramFiles(x86)%\Microsoft Office\Office16\ospp.vbs" //NoLogo /setprt:1688
'<SYSTEM32>\cscript.exe' "%ProgramFiles(x86)%\Microsoft Office\Office16\ospp.vbs" //NoLogo /setprt:1688
'<SYSTEM32>\cmd.exe' /c cscript.exe "%ProgramFiles(x86)%\Microsoft Office\Office16\ospp.vbs" //NoLogo /act
'<SYSTEM32>\cscript.exe' "%ProgramFiles(x86)%\Microsoft Office\Office16\ospp.vbs" //NoLogo /act
'<SYSTEM32>\cmd.exe' /c REG QUERY HKLM\Software\Microsoft\Office /s /v Path /reg:64' (with hidden window)
'<SYSTEM32>\cmd.exe' /c WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="%WINDIR%\AAct_Tools\AAct.exe"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c REG QUERY HKLM\Software\WOW6432Node\Microsoft\Office /s /v Path' (with hidden window)
'<SYSTEM32>\cmd.exe' /c WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="%WINDIR%\AAct_Tools\AAct_files"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="<SYSTEM32>\SppExtComObjPatcher.exe"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="<SYSTEM32>\SppExtComObjHook.dll"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c taskkill.exe /t /f /IM SppExtComObj.Exe' (with hidden window)
'<SYSTEM32>\cmd.exe' /c WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="%WINDIR%\AAct_Tools\AAct_files\KMSSS.exe"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c reg.exe delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.Exe" /f /v "Debugger"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c reg.exe delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.Exe" /f' (with hidden window)
'<SYSTEM32>\cmd.exe' /c Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP' (with hidden window)
'<SYSTEM32>\cmd.exe' /c icacls "<SYSTEM32>\SECOPatcher.dll" /reset' (with hidden window)
'<SYSTEM32>\cmd.exe' /c mklink "<SYSTEM32>\SECOPatcher.dll" "%WINDIR%\AAct_Tools\AAct_files\SECOPatcher.dll"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c icacls "<SYSTEM32>\SECOPatcher.dll" /findsid *S-1-5-32-545' (with hidden window)
'<SYSTEM32>\cmd.exe' /c reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.Exe" /f /v "Debugger" /t REG_SZ /d "rundll32.exe SECOPatcher.dll,PatcherMain"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c Netsh.exe Advfirewall Firewall add rule name=0pen_Port_KMS dir=in action=allow protocol=TCP localport=1688' (with hidden window)
'%WINDIR%\aact_tools\aact_files\kmsss.exe' -Port 1688 -PWin RandomKMSPID -PO14 RandomKMSPID -PO15 RandomKMSPID -PO16 RandomKMSPID' (with hidden window)
'<SYSTEM32>\cmd.exe' /c taskkill.exe /t /f /IM KMSSS.exe' (with hidden window)
'<SYSTEM32>\cmd.exe' /c ipconfig.exe /flushdns' (with hidden window)
'<SYSTEM32>\reg.exe' DELETE "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663" /f /reg:64' (with hidden window)
'<SYSTEM32>\cmd.exe' /c cscript.exe "%ProgramFiles(x86)%\Microsoft Office\Office16\ospp.vbs" //NoLogo /remhst' (with hidden window)
'<SYSTEM32>\cmd.exe' /c cscript.exe "%ProgramFiles(x86)%\Microsoft Office\Office16\ospp.vbs" //NoLogo /sethst:10.#.0.20' (with hidden window)
'<SYSTEM32>\cmd.exe' /c cscript.exe "%ProgramFiles(x86)%\Microsoft Office\Office16\ospp.vbs" //NoLogo /setprt:1688' (with hidden window)
'<SYSTEM32>\cmd.exe' /c cscript.exe "%ProgramFiles(x86)%\Microsoft Office\Office16\ospp.vbs" //NoLogo /act' (with hidden window)

Tecnologie

Termini

Formazione ed informazione

Falsi miti

Technical Information

Curing recommendations

Free trial