| 文件名 | KMSTools.exe |
| 文件类型 |
PE32 executable (GUI) Intel 80386, for MS Windows
|
| 扫描器版本 | 1.0.147.174 |
| 数据库版本 | 2023-11-20 14:02:37 UTC |
恶意软件家族: KMS
| 哈希类型 | 值 | 操作 |
|---|---|---|
| MD5 |
9828f7b373e722da225b8455542b41e8
|
|
| SHA1 |
e3512b651c51e187a452a74e3e51651f24d6fdc1
|
|
| SHA256 |
b0e5352b737bf904cb50a9e8aaacd88b30b7e35ba344e31dc9298de20146ed9b
|
|
| SHA512 |
578ce01609993e402c93bfc03ff554724173b7f08cddd0b8996519d2b2cd3b0acd43bbd2ccdb95440c6e62fc95076d642b216acf0f6299bc0f32bbee8c665f7b
|
|
| ImpHash |
dbab39f0229f5161855ba872bf93162d
|
| 图标 |
哈希: 94411a7ac6c8b4bf932b5dac2210f721
模糊: 73da8a07a83dd014e1f1a85021f0cd92 dHash: b848c8f8b8d87426 |
| 映像基址 | 0x00400000 |
| 入口点 | 0x00401000 |
| 编译时间 | 2018-09-01 04:24:04 |
| 校验和 | 0x01f7d52c (实际: 0x01f7d52c) |
| 操作系统版本 | 4.0 |
| PEiD 签名 |
PE32 executable (GUI) Intel 80386, for MS Windows
|
| 数字签名 | Chain verification from CN=WZTeam (serial:-34590325592400973612903392563650996340, sha1:87b3a6c360b37d6db7f970dd1dc0009fbbd13ba0) failed: The X.509 certificate provided is self-signed - "Common Name: WZTeam" |
| 导入 | 22 库 |
| 导出 | 0 函数 |
| 资源 | 9 资源 |
| 节 | 5 节 |
| WZTeam | () |
| UTN-USERFirst-Object | COMODO CA Limited (GB) |
| CompanyName | Ratiborus |
| ProductName | KMS Tools Portable x86 |
| LegalCopyright | Ratiborus |
| Translation | 0x0000 0x04b0 |
| 名称 | 虚拟地址 | 虚拟大小 | 原始大小 | 熵 | 特征 | MD5 |
|---|---|---|---|---|---|---|
.code |
0x00001000 |
79,696 bytes | 79,872 bytes | 5.87 (正常) |
IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ
|
5D44321E7BD969DC4ACF8E588FA725A8 |
.text |
0x00015000 |
467,249 bytes | 467,456 bytes | 6.61 (压缩) |
IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ
|
71650CECA4011CC3AB51C27FA204BF52 |
.rdata |
0x00088000 |
105,188 bytes | 105,472 bytes | 5.74 (正常) |
IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ
|
35D3F1FEFF30240709F6D9A3CE354D8C |
.data |
0x000a2000 |
32,221,152 bytes | 32,214,528 bytes | 7.98 (打包/加密) |
IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE
|
0F8EDFC9EFE1774CBF52E4281E10330C |
.rsrc |
0x01f5d000 |
107,368 bytes | 107,520 bytes | 7.72 (打包/加密) |
IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ
|
5B4CDA1E1040417C4775900CF4C39A9C |
2 检测到高熵(≥7.5)的节 - 可能存在打包/加密
1 检测到较高熵(≥6.5)的节 - 可能存在压缩
| 资源类型 | 数量 | 总大小 | 百分比 |
|---|---|---|---|
| RT_ICON | 6 | 105,502 字节 | |
| RT_GROUP_ICON | 1 | 90 字节 | |
| RT_VERSION | 1 | 408 字节 | |
| RT_MANIFEST | 1 | 814 字节 |
| 主题 |
WZTeam |
| 颁发者 | WZTeam |
| 序列号 | -155843482902537470358085606074993314206 |
| 主题 |
COMODO SHA-1 Time Stamping Signer COMODO CA Limited GB |
| 颁发者 | UTN-USERFirst-Object |
| 序列号 | 117007971038687812527568897756771083 |
Chain verification from CN=WZTeam (serial:-34590325592400973612903392563650996340, sha1:87b3a6c360b37d6db7f970dd1dc0009fbbd13ba0) failed: The X.509 certificate provided is self-signed - "Common Name: WZTeam"
建议: 验证文件来源并确保它来自可信的发布者.
按照以下步骤完全从系统中移除威胁
