File detection rating:
No risk found
File name: KMSPico 10.2.2.exe
Basic information
File name: KMSPico 10.2.2.exe
MD5: 03f5cf06f3b64005061ffff8fffcd3b8
File type: EXE
Upload time: 2017-05-30 14:46:09
Vendor: N/A
Version: N/A
Packer/compiler info: COMPILER:Microsoft Visual C++ 6.0 [Overlay]
Key behaviors
Behavior: Queries hardware properties to detect a virtual machine
Details:
Detects VMware: calls the WMI interface to obtain hardware information
Behavior: Reads TickCount value
Details:
TickCount = 5435328, SleepMilliseconds = 500.
TickCount = 5435343, SleepMilliseconds = 500.
TickCount = 5437831, SleepMilliseconds = 50.
TickCount = 5437846, SleepMilliseconds = 50.
TickCount = 5437878, SleepMilliseconds = 50.
TickCount = 5437893, SleepMilliseconds = 50.
TickCount = 5437909, SleepMilliseconds = 50.
TickCount = 5437925, SleepMilliseconds = 50.
TickCount = 5437940, SleepMilliseconds = 50.
TickCount = 5437956, SleepMilliseconds = 50.
TickCount = 5437971, SleepMilliseconds = 50.
TickCount = 5440940, SleepMilliseconds = 50.
TickCount = 5440956, SleepMilliseconds = 50.
TickCount = 5441471, SleepMilliseconds = 50.
TickCount = 5502468, SleepMilliseconds = 60000.
Process behaviors
Behavior: Creates process with hidden window
Details:
ImagePath = , CmdLine = net.exe session
Behavior: Creates process
Details:
[0x00000470]ImagePath = C:\WINDOWS\system32\net.exe, CmdLine = net.exe session
[0x000005c0]ImagePath = C:\WINDOWS\system32\net1.exe, CmdLine = net1 session
[0x0000082c]ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = cmd /c ""C:\Program Files\KMSPico\jaykms.bat""
Behavior: Creates local thread
Details:
TargetProcess: %temp%\****.exe, InheritedFromPID = 1944, ProcessID = 1180, ThreadID = 564, StartAddress = 00EF0000, Parameter = 00000000
TargetProcess: KMSPico10.2.1__11516_il2 .exe, InheritedFromPID = 2092, ProcessID = 2112, ThreadID = 2260, StartAddress = 77E56C7D, Parameter = 002A87B8
TargetProcess: KMSPico10.2.1__11516_il2 .exe, InheritedFromPID = 2092, ProcessID = 2112, ThreadID = 2264, StartAddress = 769AE43B, Parameter = 002AB0D0
TargetProcess: KMSPico10.2.1__11516_il2 .exe, InheritedFromPID = 2092, ProcessID = 2112, ThreadID = 2268, StartAddress = 77E56C7D, Parameter = 002AB878
Behavior: Creates process from newly written file
Details:
[0x00000840]ImagePath = C:\Program Files\KMSPico\KMSPico10.2.1__11516_il2 .exe, CmdLine = "KMSPico10.2.1__11516_il2 .exe"
Behavior: Enumerates processes
Details:
N/A
File behaviors
Behavior: Creates file
Details:
C:\Documents and Settings\Administrator\Local Settings\Temp\genteert.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\gentee14.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\gentee14\guig.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\gentee14\setup_temp.gea
C:\Documents and Settings\Administrator\Local Settings\Temp\gentee14\3default - 1.bmp
C:\Documents and Settings\Administrator\Local Settings\Temp\~DFB861.tmp
C:\Program Files\KMSPico\jaykms.bat
C:\Program Files\KMSPico\KMSPico10.2.1__11516_il2 .exe
C:\Program Files\KMSPico\best erning installers\1\Registrypatch.exe
C:\Program Files\KMSPico\best erning installers\2\Registrypatch.exe
C:\Program Files\KMSPico\Registrypatch.exe
C:\Program Files\KMSPico\best erning installers\1\KMSpico_patch.exe
C:\Program Files\KMSPico\best erning installers\2\KMSpico_patch.exe
C:\Program Files\KMSPico\KMSpico_patch.exe
C:\Program Files\KMSPico\395c48ebd078c81a6235f7da464d45bd.exe
Behavior: Creates executable file
Details:
C:\Documents and Settings\Administrator\Local Settings\Temp\genteert.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\gentee14\guig.dll
C:\Program Files\KMSPico\KMSPico10.2.1__11516_il2 .exe
C:\Program Files\KMSPico\best erning installers\1\Registrypatch.exe
C:\Program Files\KMSPico\best erning installers\2\Registrypatch.exe
C:\Program Files\KMSPico\Registrypatch.exe
C:\Program Files\KMSPico\best erning installers\1\KMSpico_patch.exe
C:\Program Files\KMSPico\best erning installers\2\KMSpico_patch.exe
C:\Program Files\KMSPico\KMSpico_patch.exe
C:\Program Files\KMSPico\395c48ebd078c81a6235f7da464d45bd.exe
Behavior: Searches for files
Details:
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\gentee14\*.*
FileName = C:\Documents and Settings
FileName = C:\Documents and Settings\Administrator
FileName = C:\Documents and Settings\Administrator\Application Data
FileName = C:\Documents and Settings\Administrator\SendTo
FileName = C:\Documents and Settings\All Users
FileName = C:\Documents and Settings\All Users\Application Data
FileName = C:\Documents and Settings\Administrator\桌面
FileName = C:\Documents and Settings\All Users\桌面
FileName = C:\Program Files
FileName = C:\Program Files\Common Files
FileName = C:\Documents and Settings\Administrator\「开始」菜单
FileName = C:\Documents and Settings\Administrator\「开始」菜单\程序
FileName = C:\Documents and Settings\All Users\「开始」菜单
FileName = C:\Documents and Settings\All Users\「开始」菜单\程序
Behavior: Deletes file
Details:
C:\Documents and Settings\Administrator\Local Settings\Temp\gentee14\3default - 1.bmp
C:\Documents and Settings\Administrator\Local Settings\Temp\gentee14\guig.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\gentee14\setup_temp.gea
C:\Documents and Settings\Administrator\Local Settings\Temp\gentee14.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\~DFB861.tmp
Behavior: Modifies BAT script file
Details:
C:\Program Files\KMSPico\jaykms.bat ---> Offset = 0
Behavior: Modifies file contents
Details:
C:\Documents and Settings\Administrator\Local Settings\Temp\genteert.dll ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\gentee14\guig.dll ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\gentee14\setup_temp.gea ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\gentee14\3default - 1.bmp ---> Offset = 0
C:\Program Files\KMSPico\KMSPico10.2.1__11516_il2 .exe ---> Offset = 0
C:\Program Files\KMSPico\best erning installers\1\Registrypatch.exe ---> Offset = 0
C:\Program Files\KMSPico\best erning installers\2\Registrypatch.exe ---> Offset = 0
C:\Program Files\KMSPico\Registrypatch.exe ---> Offset = 0
C:\Program Files\KMSPico\best erning installers\1\KMSpico_patch.exe ---> Offset = 0
C:\Program Files\KMSPico\best erning installers\2\KMSpico_patch.exe ---> Offset = 0
C:\Program Files\KMSPico\KMSpico_patch.exe ---> Offset = 0
C:\Program Files\KMSPico\395c48ebd078c81a6235f7da464d45bd.exe ---> Offset = 0
Registry behaviors
Behavior: Deletes registry key
Details:
\REGISTRY\MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting\DW\
Behavior: Deletes registry value
Details:
\REGISTRY\MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting\DW\DWFileTreeRoot
Other behaviors
Behavior: Creates mutex
Details:
ci4870375
CTF.LBES.MutexDefaultS-*
CTF.Compart.MutexDefaultS-*
CTF.Asm.MutexDefaultS-*
CTF.Layouts.MutexDefaultS-*
CTF.TMD.MutexDefaultS-*
CTF.TimListCache.FMPDefaultS-*MUTEX.DefaultS-*
MSCTF.Shared.MUTEX.ELH
MSCTF.Shared.MUTEX.ABD
Global\AmInst__Runing_1
Behavior: Creates event object
Details:
EventName = Global\userenv: User Profile setup event
EventName = MSCTF.SendReceive.Event.ABD.IC
EventName = MSCTF.SendReceiveConection.Event.ABD.IC
Behavior: Finds specified window
Details:
NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]
NtUserFindWindowEx: [Class,Window] = [CicLoaderWndClass,]
Behavior: Opens event
Details:
HookSwitchHookEnabledEvent
\SECURITY\LSA_AUTHENTICATION_INITIALIZED
_fCanRegisterWithShellService
CTF.ThreadMIConnectionEvent.000007B4.00000000.00000053
CTF.ThreadMarshalInterfaceEvent.000007B4.00000000.00000053
MSCTF.SendReceiveConection.Event.ELH.IC
MSCTF.SendReceive.Event.ELH.IC
MSFT.VSA.COM.DISABLE.2112
MSFT.VSA.IEC.STATUS.6c736db0
Behavior: Adjusts process token privileges
Details:
SE_LOAD_DRIVER_PRIVILEGE
SE_DEBUG_PRIVILEGE
Behavior: Window information
Details:
Pid = 1180, Hwnd=0x2102bc, Text = CreateInstall Free , ClassName = Static.
Pid = 1180, Hwnd=0x16032e, Text = &Next >, ClassName = Button.
Pid = 1180, Hwnd=0x100320, Text = &Cancel, ClassName = Button.
Pid = 1180, Hwnd=0xf034a, Text = To stop or pause the installation process, click Cancel., ClassName = Static.
Pid = 1180, Hwnd=0x603c6, Text = Directory:, ClassName = Static.
Pid = 1180, Hwnd=0xc038a, Text = File:, ClassName = Static.
Pid = 1180, Hwnd=0x15030c, Text = C:\Program Files\KMSPico, ClassName = Static.
Pid = 1180, Hwnd=0x403ca, Text = 395c48ebd078c81a6235f7da464d45bd.exe, ClassName = Static.
Pid = 1180, Hwnd=0x1f0324, Text = Installing KMSPico, ClassName = #32770.
Pid = 1180, Hwnd=0x1f02fe, Text = 是(&Y), ClassName = Button.
Pid = 1180, Hwnd=0xa03ac, Text = 否(&N), ClassName = Button.
Pid = 1180, Hwnd=0x170340, Text = Are you sure you want to abort the installation?, ClassName = Static.
Pid = 1180, Hwnd=0x603b2, Text = Installing KMSPico, ClassName = #32770.
Behavior: Executable signature information
Details:
C:\Documents and Settings\Administrator\Local Settings\Temp\genteert.dll (signature verification: failed)
C:\Documents and Settings\Administrator\Local Settings\Temp\gentee14\guig.dll (signature verification: failed)
C:\Program Files\KMSPico\KMSPico10.2.1__11516_il2 .exe (signature verification: failed)
C:\Program Files\KMSPico\best erning installers\1\Registrypatch.exe (signature verification: failed)
C:\Program Files\KMSPico\best erning installers\2\Registrypatch.exe (signature verification: failed)
C:\Program Files\KMSPico\Registrypatch.exe (signature verification: failed)
C:\Program Files\KMSPico\best erning installers\1\KMSpico_patch.exe (signature verification: failed)
C:\Program Files\KMSPico\best erning installers\2\KMSpico_patch.exe (signature verification: failed)
C:\Program Files\KMSPico\KMSpico_patch.exe (signature verification: failed)
C:\Program Files\KMSPico\395c48ebd078c81a6235f7da464d45bd.exe (signature verification: failed)
Behavior: Calls Sleep function
Details:
[1]: MilliSeconds = 50.
[2]: MilliSeconds = 500.
[3]: MilliSeconds = 50.
[1]: MilliSeconds = 60000.
[2]: MilliSeconds = 60000.
[3]: MilliSeconds = 60000.
[4]: MilliSeconds = 60000.
[5]: MilliSeconds = 60000.
[6]: MilliSeconds = 60000.
Behavior: Hides specified window
Details:
[Window,Class] = [&Next >,Button]
Behavior: Executable file MD5
Details:
Behavior: Opens mutex
Details:
ShimCacheMutex
Behavior: Loads newly dropped file
Details:
Image: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\genteert.dll.
Image: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\gentee14\guig.dll.
Process tree
****.exe (PID: 0x0000049c)
    net.exe session (PID: 0x00000470)
        net1.exe net1 session (PID: 0x000005c0)
    cmd.exe (PID: 0x0000082c)
        kmspico10.2.1__11516_il2 .exe (PID: 0x00000840)