VirSCAN



File information
Safety rating: 73
Behavior list
Behavior analysis report: Threatbook file behavior analysis report
Basic Information
MD5: 2ac6e3a371d2f3fda5d54df70b928022
File type: EXE
Production company: HEU CNST
Version: 11.1.0.0---11.1.0.0
Shell or compiler information: COMPILER:Microsoft Visual Studio .NET 2005 -- 2008 -> Microsoft Corporation [Overlay] *
Subfile information (file name / MD5 / type):
KMSmini.7z / a1e25667cb4a4fab430b126c9430bb0f / 7z
HEU_KMS_Renewal.exe (dumpFile) / bd6b24734d0f426b5f4aa9d2a2ba323c / Autoit
HEU_KMS_TAP.exe (dumpFile) / e0ea83eb18e7120fefdbdd98b0033535 / Autoit
kms_x64.exe (dumpFile) / a0fc0b113b45708bb319199afd889f4b / Autoit
kms.exe (dumpFile) / 58eeec5e0b75161f93f28774d93072d4 / Autoit
Licenses.sl.PKEYCONFIG.SIGNED.xrm-ms (dumpFile) / 3dcff1dcdeb1b837ec8f13351c8a92ac / Unknown
SppExtComObj.Exe (dumpFile) / 31e3678cbf598e4596738f3504bf706b / EXE
SppExtComObj.Exe (dumpFile) / a1036bb2d54672afc4d6d166394a79dd / EXE
7Z.EXE / 2c3378903654f844d818fc2f0d619617 / EXE
Licenses.sl.PKEYCONFIG.SIGNED.xrm-ms (dumpFile) / 22bb6d79ac6f5a39f95252e934fd6af9 / Unknown
mdmlasno.PNF (dumpFile) / a185844c96bd50166fa4d2dfe40c2f4a / lzma
ICO_211.ico (dumpFile) / c6c1bffd7d5c3173449b8af7707dfd3b / Unknown
KMS-Client.exe (dumpFile) / 1185d4bebe0977e4df193951ec012b6a / EXE
ICO_221.ico (dumpFile) / 94306384efdadfdcea096a022738bf1e / Unknown
office.reg (dumpFile) / 3b1593e0c15703d7258562a8770fa09f / Unknown
office.reg (dumpFile) / 4b3d78a1f366b86178d4db3f2ebbcd4f / Unknown
office.reg (dumpFile) / c0675fe933ad3b8f42ac6c330b24b855 / Unknown
office.reg (dumpFile) / 7c103254b45c83d2e44d7c89259112f9 / Unknown
LicenseSetData._ED34DC89_1C27_4ECD_8B2F_63D0F4CEDC32.PHN.xrm-ms (dumpFile) / a962c4032214937b31186a142678cced / Unknown
Key behavior
Behavior description: Checks whether it is being debugged
Details: N/A
Behavior description: Sets special file attributes
Details: C:\Documents and Settings\Administrator\Local Settings\Temp\HEU_KMS_Mini_111\HEU_KMS_Service.exe
Process behavior
Behavior description: Creates a process with a hidden window
Details: ImagePath = , CmdLine = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7Z.EXE x C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\KMSmini.7z -y -oC:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\HEU_KMS_Mini_111\
Behavior description: Creates a process
Details: ImagePath = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\HEU_KMS_Mini_111\kms.exe, CmdLine = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\HEU_KMS_Mini_111\kms.exe
Behavior description: Creates a process from a newly created file
Details: ImagePath = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7Z.EXE, CmdLine = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7Z.EXE x C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\KMSmini.7z -y -oC:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\HEU_KMS_Mini_111\
File behavior
Behavior description: Creates files
Details: C:\Documents and Settings\Administrator\Local Settings\Temp\aut14.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\KMSmini.7z
C:\Documents and Settings\Administrator\Local Settings\Temp\aut15.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\7Z.EXE
C:\Documents and Settings\Administrator\Local Settings\Temp\aut16.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\HEU_KMS_Mini_111\HEU_KMS_Service.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\~DF9B37.tmp
Behavior description: Creates executable files
Details: C:\Documents and Settings\Administrator\Local Settings\Temp\7Z.EXE
C:\Documents and Settings\Administrator\Local Settings\Temp\HEU_KMS_Mini_111\HEU_KMS_Service.exe
Behavior description: Overwrites existing files
Details: C:\Documents and Settings\Administrator\Local Settings\Temp\aut14.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\aut15.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\aut16.tmp
Behavior description: Copies a file
Details: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\aut14.tmp ---> C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\KMSmini.7z
Behavior description: Sets special file attributes
Details: C:\Documents and Settings\Administrator\Local Settings\Temp\HEU_KMS_Mini_111\HEU_KMS_Service.exe
Behavior description: Deletes files
Details: C:\Documents and Settings\Administrator\Local Settings\Temp\aut14.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\aut15.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\aut16.tmp
Behavior description: Searches for files
Details: FileName = C:\Documents and Settings
FileName = C:\Documents and Settings\Administrator
FileName = C:\Documents and Settings\Administrator\Local Settings
FileName = C:\Documents and Settings\Administrator\Local Settings\Temp
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%
Behavior description: Modifies file contents
Details: C:\Documents and Settings\Administrator\Local Settings\Temp\aut14.tmp ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\aut14.tmp ---> Offset = 65536
C:\Documents and Settings\Administrator\Local Settings\Temp\aut14.tmp ---> Offset = 131072
C:\Documents and Settings\Administrator\Local Settings\Temp\aut14.tmp ---> Offset = 196608
C:\Documents and Settings\Administrator\Local Settings\Temp\aut14.tmp ---> Offset = 262144
C:\Documents and Settings\Administrator\Local Settings\Temp\KMSmini.7z ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\KMSmini.7z ---> Offset = 65536
C:\Documents and Settings\Administrator\Local Settings\Temp\KMSmini.7z ---> Offset = 131072
C:\Documents and Settings\Administrator\Local Settings\Temp\KMSmini.7z ---> Offset = 196608
C:\Documents and Settings\Administrator\Local Settings\Temp\KMSmini.7z ---> Offset = 262144
C:\Documents and Settings\Administrator\Local Settings\Temp\aut15.tmp ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\aut15.tmp ---> Offset = 65536
C:\Documents and Settings\Administrator\Local Settings\Temp\aut15.tmp ---> Offset = 131072
C:\Documents and Settings\Administrator\Local Settings\Temp\aut15.tmp ---> Offset = 196608
C:\Documents and Settings\Administrator\Local Settings\Temp\aut15.tmp ---> Offset = 262144
Other behavior
Behavior description: Checks whether it is being debugged
Details: N/A
Behavior description: Creates mutexes
Details: CTF.LBES.MutexDefaultS-*
CTF.Compart.MutexDefaultS-*
CTF.Asm.MutexDefaultS-*
CTF.Layouts.MutexDefaultS-*
CTF.TMD.MutexDefaultS-*
CTF.TimListCache.FMPDefaultS-*MUTEX.DefaultS-*
MSCTF.Shared.MUTEX.ELH
MSCTF.Shared.MUTEX.ANO
Behavior description: Creates event objects
Details: EventName = DINPUTWINMM
EventName = Global\userenv: User Profile setup event
EventName = MSCTF.SendReceive.Event.ANO.IC
EventName = MSCTF.SendReceiveConection.Event.ANO.IC
Behavior description: Searches for a specified window
Details: NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]
NtUserFindWindowEx: [Class,Window] = [CicLoaderWndClass,]
Behavior description: Adjusts process token privileges
Details: SE_LOAD_DRIVER_PRIVILEGE
Behavior description: Executable file signature information
Details: C:\Documents and Settings\Administrator\Local Settings\Temp\7Z.EXE (signature verification: failed)
C:\Documents and Settings\Administrator\Local Settings\Temp\HEU_KMS_Mini_111\HEU_KMS_Service.exe (signature verification: failed)
Behavior description: Hides specified windows
Details: [Window,Class] = [AutoIt v3,AutoIt v3]
[Window,Class] = [激活 Windows VL,Button]
[Window,Class] = [激活 Office 2010 VL,Button]
[Window,Class] = [激活 Office 2013 VL,Button]
[Window,Class] = [激活 Office 2016 VL,Button]
[Window,Class] = [查看 Windows 激活状态,Button]
[Window,Class] = [查看 Office 激活状态,Button]
[Window,Class] = [安装 自动续期服务,Button]
[Window,Class] = [卸载 自动续期服务,Button]
[Window,Class] = [安装 Windows GVLK 密钥,Button]
[Window,Class] = [安装 Office GVLK 密钥,Button]
[Window,Class] = [重置 Windows 激活状态,Button]
[Window,Class] = [重置 Office 激活状态,Button]
[Window,Class] = [KMS激活流程,Button]
[Window,Class] = [请输入服务器IP:,Static]
Behavior description: Executable file MD5
Details: C:\Documents and Settings\Administrator\Local Settings\Temp\7Z.EXE ---> 2c3378903654f844d818fc2f0d619617
C:\Documents and Settings\Administrator\Local Settings\Temp\HEU_KMS_Mini_111\HEU_KMS_Service.exe ---> 45b9b807a7dbf1b186f2e148749ebbb9