Thread starter: w153140

[Suspicious file] Can someone check whether this tool has a problem?

milben
Posted on 2017-5-26 12:33:59
KIS

not-a-virus:HEUR:AdWare.NSIS.Generic
我爱舒肤佳
Posted on 2017-5-26 12:55:34

A direct scan finds nothing, but while it is running there is an exe process with suspicious behavior. It has already been forwarded to the PC Manager (管家) team for review.
zst470396853
Posted on 2017-5-26 14:57:28
This post was last edited by zst470396853 on 2017-6-4 20:31

As shown in the screenshot.

songwanyu
Posted on 2017-5-26 18:02:14
Rising Security Cloud Terminal
[mw_shl_code=css,true]D:\病毒测试\KMSPICO 10.2.2.EXE        Malware.9478A493898596F2        文件监控        木马        删除成功
D:\病毒测试\KMSPICO 10.2.2.EXE.CRDOWNLOAD        Dropper.Kaymundler!8.2CFB        文件监控        木马        删除成功
[/mw_shl_code]
真小读者
Posted on 2017-5-26 19:39:09
Blocked by ESET Parental Control.
钓喵的鱼
Posted on 2017-5-30 14:48:20
File detection rating:
No risk found
File name: KMSPico 10.2.2.exe

Basic information
File name:
KMSPico 10.2.2.exe
MD5: 03f5cf06f3b64005061ffff8fffcd3b8
File type: EXE
Upload time: 2017-05-30 14:46:09
Publisher: N/A
Version: N/A
Packer or compiler info: COMPILER:Microsoft Visual C++ 6.0 [Overlay]
Key behaviors
Behavior: Reads hardware attributes to detect a virtual machine
Details:
VMware detection: calls the WMI interface to obtain hardware information
Behavior: Reads the TickCount value
Details:
TickCount = 5435328, SleepMilliseconds = 500.
TickCount = 5435343, SleepMilliseconds = 500.
TickCount = 5437831, SleepMilliseconds = 50.
TickCount = 5437846, SleepMilliseconds = 50.
TickCount = 5437878, SleepMilliseconds = 50.
TickCount = 5437893, SleepMilliseconds = 50.
TickCount = 5437909, SleepMilliseconds = 50.
TickCount = 5437925, SleepMilliseconds = 50.
TickCount = 5437940, SleepMilliseconds = 50.
TickCount = 5437956, SleepMilliseconds = 50.
TickCount = 5437971, SleepMilliseconds = 50.
TickCount = 5440940, SleepMilliseconds = 50.
TickCount = 5440956, SleepMilliseconds = 50.
TickCount = 5441471, SleepMilliseconds = 50.
TickCount = 5502468, SleepMilliseconds = 60000.
Process behavior
Behavior: Creates a process with a hidden window
Details:
ImagePath = , CmdLine = net.exe session
Behavior: Creates a process
Details:
[0x00000470]ImagePath = C:\WINDOWS\system32\net.exe, CmdLine = net.exe session
[0x000005c0]ImagePath = C:\WINDOWS\system32\net1.exe, CmdLine = net1 session
[0x0000082c]ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = cmd /c ""C:\Program Files\KMSPico\jaykms.bat""
Behavior: Creates a local thread
Details:
TargetProcess: %temp%\****.exe, InheritedFromPID = 1944, ProcessID = 1180, ThreadID = 564, StartAddress = 00EF0000, Parameter = 00000000
TargetProcess: KMSPico10.2.1__11516_il2 .exe, InheritedFromPID = 2092, ProcessID = 2112, ThreadID = 2260, StartAddress = 77E56C7D, Parameter = 002A87B8
TargetProcess: KMSPico10.2.1__11516_il2 .exe, InheritedFromPID = 2092, ProcessID = 2112, ThreadID = 2264, StartAddress = 769AE43B, Parameter = 002AB0D0
TargetProcess: KMSPico10.2.1__11516_il2 .exe, InheritedFromPID = 2092, ProcessID = 2112, ThreadID = 2268, StartAddress = 77E56C7D, Parameter = 002AB878
Behavior: Runs a newly created file as a process
Details:
[0x00000840]ImagePath = C:\Program Files\KMSPico\KMSPico10.2.1__11516_il2 .exe, CmdLine = "KMSPico10.2.1__11516_il2 .exe"
Behavior: Enumerates processes
Details:
N/A
File behavior
Behavior: Creates files
Details:
C:\Documents and Settings\Administrator\Local Settings\Temp\genteert.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\gentee14.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\gentee14\guig.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\gentee14\setup_temp.gea
C:\Documents and Settings\Administrator\Local Settings\Temp\gentee14\3default - 1.bmp
C:\Documents and Settings\Administrator\Local Settings\Temp\~DFB861.tmp
C:\Program Files\KMSPico\jaykms.bat
C:\Program Files\KMSPico\KMSPico10.2.1__11516_il2 .exe
C:\Program Files\KMSPico\best erning installers\1\Registrypatch.exe
C:\Program Files\KMSPico\best erning installers\2\Registrypatch.exe
C:\Program Files\KMSPico\Registrypatch.exe
C:\Program Files\KMSPico\best erning installers\1\KMSpico_patch.exe
C:\Program Files\KMSPico\best erning installers\2\KMSpico_patch.exe
C:\Program Files\KMSPico\KMSpico_patch.exe
C:\Program Files\KMSPico\395c48ebd078c81a6235f7da464d45bd.exe
Behavior: Creates executable files
Details:
C:\Documents and Settings\Administrator\Local Settings\Temp\genteert.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\gentee14\guig.dll
C:\Program Files\KMSPico\KMSPico10.2.1__11516_il2 .exe
C:\Program Files\KMSPico\best erning installers\1\Registrypatch.exe
C:\Program Files\KMSPico\best erning installers\2\Registrypatch.exe
C:\Program Files\KMSPico\Registrypatch.exe
C:\Program Files\KMSPico\best erning installers\1\KMSpico_patch.exe
C:\Program Files\KMSPico\best erning installers\2\KMSpico_patch.exe
C:\Program Files\KMSPico\KMSpico_patch.exe
C:\Program Files\KMSPico\395c48ebd078c81a6235f7da464d45bd.exe
Behavior: Searches for files
Details:
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\gentee14\*.*
FileName = C:\Documents and Settings
FileName = C:\Documents and Settings\Administrator
FileName = C:\Documents and Settings\Administrator\Application Data
FileName = C:\Documents and Settings\Administrator\SendTo
FileName = C:\Documents and Settings\All Users
FileName = C:\Documents and Settings\All Users\Application Data
FileName = C:\Documents and Settings\Administrator\桌面
FileName = C:\Documents and Settings\All Users\桌面
FileName = C:\Program Files
FileName = C:\Program Files\Common Files
FileName = C:\Documents and Settings\Administrator\「开始」菜单
FileName = C:\Documents and Settings\Administrator\「开始」菜单\程序
FileName = C:\Documents and Settings\All Users\「开始」菜单
FileName = C:\Documents and Settings\All Users\「开始」菜单\程序
Behavior: Deletes files
Details:
C:\Documents and Settings\Administrator\Local Settings\Temp\gentee14\3default - 1.bmp
C:\Documents and Settings\Administrator\Local Settings\Temp\gentee14\guig.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\gentee14\setup_temp.gea
C:\Documents and Settings\Administrator\Local Settings\Temp\gentee14.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\~DFB861.tmp
Behavior: Modifies a BAT script file
Details:
C:\Program Files\KMSPico\jaykms.bat ---> Offset = 0
Behavior: Modifies file contents
Details:
C:\Documents and Settings\Administrator\Local Settings\Temp\genteert.dll ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\gentee14\guig.dll ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\gentee14\setup_temp.gea ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\gentee14\3default - 1.bmp ---> Offset = 0
C:\Program Files\KMSPico\KMSPico10.2.1__11516_il2 .exe ---> Offset = 0
C:\Program Files\KMSPico\best erning installers\1\Registrypatch.exe ---> Offset = 0
C:\Program Files\KMSPico\best erning installers\2\Registrypatch.exe ---> Offset = 0
C:\Program Files\KMSPico\Registrypatch.exe ---> Offset = 0
C:\Program Files\KMSPico\best erning installers\1\KMSpico_patch.exe ---> Offset = 0
C:\Program Files\KMSPico\best erning installers\2\KMSpico_patch.exe ---> Offset = 0
C:\Program Files\KMSPico\KMSpico_patch.exe ---> Offset = 0
C:\Program Files\KMSPico\395c48ebd078c81a6235f7da464d45bd.exe ---> Offset = 0
Registry behavior
Behavior: Deletes a registry key
Details:
\REGISTRY\MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting\DW\
Behavior: Deletes a registry value
Details:
\REGISTRY\MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting\DW\DWFileTreeRoot
Other behavior
Behavior: Creates mutexes
Details:
ci4870375
CTF.LBES.MutexDefaultS-*
CTF.Compart.MutexDefaultS-*
CTF.Asm.MutexDefaultS-*
CTF.Layouts.MutexDefaultS-*
CTF.TMD.MutexDefaultS-*
CTF.TimListCache.FMPDefaultS-*MUTEX.DefaultS-*
MSCTF.Shared.MUTEX.ELH
MSCTF.Shared.MUTEX.ABD
Global\AmInst__Runing_1
Behavior: Reads hardware attributes to detect a virtual machine
Details:
VMware detection: calls the WMI interface to obtain hardware information
Behavior: Creates event objects
Details:
EventName = Global\userenv: User Profile setup event
EventName = MSCTF.SendReceive.Event.ABD.IC
EventName = MSCTF.SendReceiveConection.Event.ABD.IC
Behavior: Searches for a specific window
Details:
NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]
NtUserFindWindowEx: [Class,Window] = [CicLoaderWndClass,]
Behavior: Opens events
Details:
HookSwitchHookEnabledEvent
\SECURITY\LSA_AUTHENTICATION_INITIALIZED
_fCanRegisterWithShellService
CTF.ThreadMIConnectionEvent.000007B4.00000000.00000053
CTF.ThreadMarshalInterfaceEvent.000007B4.00000000.00000053
MSCTF.SendReceiveConection.Event.ELH.IC
MSCTF.SendReceive.Event.ELH.IC
MSFT.VSA.COM.DISABLE.2112
MSFT.VSA.IEC.STATUS.6c736db0
Behavior: Reads the TickCount value
Details:
TickCount = 5435328, SleepMilliseconds = 500.
TickCount = 5435343, SleepMilliseconds = 500.
TickCount = 5437831, SleepMilliseconds = 50.
TickCount = 5437846, SleepMilliseconds = 50.
TickCount = 5437878, SleepMilliseconds = 50.
TickCount = 5437893, SleepMilliseconds = 50.
TickCount = 5437909, SleepMilliseconds = 50.
TickCount = 5437925, SleepMilliseconds = 50.
TickCount = 5437940, SleepMilliseconds = 50.
TickCount = 5437956, SleepMilliseconds = 50.
TickCount = 5437971, SleepMilliseconds = 50.
TickCount = 5440940, SleepMilliseconds = 50.
TickCount = 5440956, SleepMilliseconds = 50.
TickCount = 5441471, SleepMilliseconds = 50.
TickCount = 5502468, SleepMilliseconds = 60000.
Behavior: Adjusts process token privileges
Details:
SE_LOAD_DRIVER_PRIVILEGE
SE_DEBUG_PRIVILEGE
Behavior: Window information
Details:
Pid = 1180, Hwnd=0x2102bc, Text = CreateInstall Free , ClassName = Static.
Pid = 1180, Hwnd=0x16032e, Text = &Next >, ClassName = Button.
Pid = 1180, Hwnd=0x100320, Text = &Cancel, ClassName = Button.
Pid = 1180, Hwnd=0xf034a, Text = To stop or pause the installation process, click Cancel., ClassName = Static.
Pid = 1180, Hwnd=0x603c6, Text = Directory:, ClassName = Static.
Pid = 1180, Hwnd=0xc038a, Text = File:, ClassName = Static.
Pid = 1180, Hwnd=0x15030c, Text = C:\Program Files\KMSPico, ClassName = Static.
Pid = 1180, Hwnd=0x403ca, Text = 395c48ebd078c81a6235f7da464d45bd.exe, ClassName = Static.
Pid = 1180, Hwnd=0x1f0324, Text = Installing KMSPico, ClassName = #32770.
Pid = 1180, Hwnd=0x1f02fe, Text = 是(&Y), ClassName = Button.
Pid = 1180, Hwnd=0xa03ac, Text = 否(&N), ClassName = Button.
Pid = 1180, Hwnd=0x170340, Text = Are you sure you want to abort the installation?, ClassName = Static.
Pid = 1180, Hwnd=0x603b2, Text = Installing KMSPico, ClassName = #32770.
Behavior: Executable file signature information
Details:
C:\Documents and Settings\Administrator\Local Settings\Temp\genteert.dll (signature verification: failed)
C:\Documents and Settings\Administrator\Local Settings\Temp\gentee14\guig.dll (signature verification: failed)
C:\Program Files\KMSPico\KMSPico10.2.1__11516_il2 .exe (signature verification: failed)
C:\Program Files\KMSPico\best erning installers\1\Registrypatch.exe (signature verification: failed)
C:\Program Files\KMSPico\best erning installers\2\Registrypatch.exe (signature verification: failed)
C:\Program Files\KMSPico\Registrypatch.exe (signature verification: failed)
C:\Program Files\KMSPico\best erning installers\1\KMSpico_patch.exe (signature verification: failed)
C:\Program Files\KMSPico\best erning installers\2\KMSpico_patch.exe (signature verification: failed)
C:\Program Files\KMSPico\KMSpico_patch.exe (signature verification: failed)
C:\Program Files\KMSPico\395c48ebd078c81a6235f7da464d45bd.exe (signature verification: failed)
Behavior: Calls the Sleep function
Details:
[1]: MilliSeconds = 50.
[2]: MilliSeconds = 500.
[3]: MilliSeconds = 50.
[1]: MilliSeconds = 60000.
[2]: MilliSeconds = 60000.
[3]: MilliSeconds = 60000.
[4]: MilliSeconds = 60000.
[5]: MilliSeconds = 60000.
[6]: MilliSeconds = 60000.
Behavior: Hides a specific window
Details:
[Window,Class] = [&Next >,Button]
Behavior: Executable file MD5
Details:
C:\Documents and Settings\Administrator\Local Settings\Temp\genteert.dll ---> 6ce814fd1ad7ae07a9e462c26b3a0f69
C:\Documents and Settings\Administrator\Local Settings\Temp\gentee14\guig.dll ---> ddd4a31094764a9deb6a82c8658fd9c5
C:\Program Files\KMSPico\KMSPico10.2.1__11516_il2 .exe ---> 2c5f983f442232f70a5e6b9e080ff565
C:\Program Files\KMSPico\best erning installers\1\Registrypatch.exe ---> 432d486da3fd0a1f39d364092b965e53
C:\Program Files\KMSPico\best erning installers\2\Registrypatch.exe ---> 432d486da3fd0a1f39d364092b965e53
C:\Program Files\KMSPico\Registrypatch.exe ---> 200022f979e5d7de2b0cdc9f9daf5bbc
C:\Program Files\KMSPico\best erning installers\1\KMSpico_patch.exe ---> d74eab398c8ea249e73f27e5e39528f3
C:\Program Files\KMSPico\best erning installers\2\KMSpico_patch.exe ---> 0ab6f0dd86ff7140fb2552a08a1dde3d
C:\Program Files\KMSPico\KMSpico_patch.exe ---> 32ae169b2e944b0bac8c3f8691be5600
C:\Program Files\KMSPico\395c48ebd078c81a6235f7da464d45bd.exe ---> 395c48ebd078c81a6235f7da464d45bd
Behavior: Opens a mutex
Details:
ShimCacheMutex
Behavior: Loads newly dropped files
Details:
Image: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\genteert.dll.
Image: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\gentee14\guig.dll.
Process tree
cmd.exe (PID: 0x0000082c)
kmspico10.2.1__11516_il2 .exe (PID: 0x00000840)
****.exe (PID: 0x0000049c)
net.exe session (PID: 0x00000470)
net1.exe net1 session (PID: 0x000005c0)
cmd.exe (PID: 0x0000082c)
kmspico10.2.1__11516_il2 .exe (PID: 0x00000840)
cz88
Posted on 2017-6-4 12:52:57
\KMSPico 10.2.2.exe;not-a-virus:HEUR:AdWare.NSIS.Generic;广告软件;06/04/2017 12:52:18
Copyright © KaFan  KaFan.cn All Rights Reserved.