VirSCAN

File information
Security score: 87
Basic information
MD5:fc3943beed66d093c35d93202232ec02
File type: Rar
Vendor:
Version:
Packer/compiler info:
Sub-file information: DevComponents.DotNetBar2.dll / 1397b23f30681f97049df61f94f54d05 / DLL
Windows10、0ffice2016 一键激活工具 - 7act.exe / 143b595ff00c5d7c8dcfd1431a2867e5 / EXE
KMSpico_setup.exe / a02164371a50c5ff9fa2870ef6e8cfa3 / EXE
pkeyconfig.xrm-ms / 4f2dade1bf4871558ccb974d2f99a32b / Unknown
KMSELDI.exe / f0280de3880ef581bf14f9cc72ec1c16 / EXE
AutoPico.exe / cfe1c391464c446099a5eb33276f6d57 / EXE
pkeyconfig.xrm-ms / 165740d0f3f98c13415c562a3853b02d / Unknown
pkeyconfig-office.xrm-ms / 6a46a4977e1b2780b9907de0530f5ee7 / Unknown
pkeyconfig.xrm-ms / d01628fe44818c0d0bbbc3cea69fec6b / Unknown
pkeyconfig.xrm-ms / 11265109d35f36311b823f63fd5f6bbe / Unknown
pkeyconfig-office.xrm-ms / 22bb6d79ac6f5a39f95252e934fd6af9 / Unknown
pkeyconfig.xrm-ms / c22763abd23d2b273ba4ac1de8024ced / Unknown
tap-windows-9.21.0.exe / 05230afdeeb13718e926fd654de63f12 / EXE
Vestris.ResourceLib.dll / 3d733144477cadcf77009ef614413630 / DLL
proplus.reg / bb8c109f6af5fc88f6384c1ae5e90d56 / Unknown
visio.reg / 59c5e0d3d6f19589daa32d52ba43bd95 / Unknown
pkeyconfig-embedded.xrm-ms / 80becae556155ab3fed93088a1d52fc6 / Unknown
Security-SPP-Component-SKU-Professional-VLKMS1-ul-phn.xrm-ms / 19ec8caec934ebe18fa83297bdd98dda / Unknown
Security-Licensing-SLC-Component-SKU-Enterprise-VL-KMS1-ul-phn.xrm-ms / 13b557b681c2eb8d422406f9e56488f6 / Unknown

Key behaviors
Behavior: Get TickCount value
Details: TickCount = 239228, SleepMilliseconds = 10.
TickCount = 258713, SleepMilliseconds = 10.
TickCount = 258728, SleepMilliseconds = 10.
TickCount = 258838, SleepMilliseconds = 10.
TickCount = 261713, SleepMilliseconds = 10.
TickCount = 261760, SleepMilliseconds = 10.
TickCount = 261775, SleepMilliseconds = 10.

Process behavior
Behavior: Create process with hidden window
Details: ImagePath = , CmdLine = sc config W32Time start= auto
ImagePath = , CmdLine = sc stop w32time
ImagePath = , CmdLine = sc start w32time
ImagePath = , CmdLine = C:\WINDOWS\system32\cmd.exe /c del /f /s /q "%appdata%\microsoft\Templates\*.dot*"
ImagePath = , CmdLine = C:\WINDOWS\system32\cmd.exe /c del /f /s /q "%appdata%\microsoft\Word\Startup\*.dot*"
ImagePath = , CmdLine = C:\WINDOWS\system32\cmd.exe /c schtasks /delete /tn "autokms" /f
Behavior: Create process
Details: [0x00000680]ImagePath = C:\WINDOWS\system32\sc.exe, CmdLine = sc config W32Time start= auto
[0x0000067c]ImagePath = C:\WINDOWS\system32\sc.exe, CmdLine = sc stop w32time
[0x0000066c]ImagePath = C:\WINDOWS\system32\sc.exe, CmdLine = sc start w32time
[0x00000650]ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = C:\WINDOWS\system32\cmd.exe /c del /f /s /q "%appdata%\microsoft\Templates\*.dot*"
[0x00000620]ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = C:\WINDOWS\system32\cmd.exe /c del /f /s /q "%appdata%\microsoft\Word\Startup\*.dot*"
[0x00000108]ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = C:\WINDOWS\system32\cmd.exe /c schtasks /delete /tn "autokms" /f
[0x000005ac]ImagePath = C:\WINDOWS\system32\schtasks.exe, CmdLine = schtasks /delete /tn "autokms" /f
[0x00000760]ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = C:\WINDOWS\system32\cmd.exe /c schtasks /delete /tn "autokms" /f
[0x00000710]ImagePath = C:\WINDOWS\system32\schtasks.exe, CmdLine = schtasks /delete /tn "autokms" /f
[0x000008e0]ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = C:\WINDOWS\system32\cmd.exe /c schtasks /delete /tn "autokms" /f
[0x000008e8]ImagePath = C:\WINDOWS\system32\schtasks.exe, CmdLine = schtasks /delete /tn "autokms" /f
[0x00000928]ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = C:\WINDOWS\system32\cmd.exe /c schtasks /delete /tn "autokms" /f
[0x00000948]ImagePath = C:\WINDOWS\system32\schtasks.exe, CmdLine = schtasks /delete /tn "autokms" /f
[0x00000984]ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = C:\WINDOWS\system32\cmd.exe /c schtasks /delete /tn "autokms" /f
[0x0000098c]ImagePath = C:\WINDOWS\system32\schtasks.exe, CmdLine = schtasks /delete /tn "autokms" /f
Behavior: Create local thread
Details: TargetProcess: Windows10、0ffice2016 一键激活工具 - 7act.exe, InheritedFromPID = 2000, ProcessID = 1940, ThreadID = 1336, StartAddress = 77DC845A, Parameter = 00000000
TargetProcess: Windows10、0ffice2016 一键激活工具 - 7act.exe, InheritedFromPID = 2000, ProcessID = 1940, ThreadID = 1604, StartAddress = 00467296, Parameter = 00D0B6F0
Behavior: Enumerate processes
Details: N/A

File behavior
Behavior: Create file
Details: C:\Documents and Settings\Administrator\Local Settings\Temp\aut10.tmp
C:\WINDOWS\system32\Readme.txt
C:\Documents and Settings\Administrator\Local Settings\Temp\aut11.tmp
C:\WINDOWS\system32\bootsect.exe
Behavior: Create executable file
Details: C:\WINDOWS\system32\bootsect.exe
Behavior: Overwrite existing file
Details: C:\Documents and Settings\Administrator\Local Settings\Temp\aut10.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\aut11.tmp
Behavior: Search for files
Details: FileName = C:\Documents and Settings\Administrator\Local Settings\Temp
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\KMSpico
FileName = C:\WINDOWS\autokms\autokms.exe
FileName = C:\WINDOWS
FileName = C:\WINDOWS\system32
FileName = C:\WINDOWS\system32\sc.exe
FileName = C:\WINDOWS\system32\cmd.exe
FileName = C:\WINDOWS\system32\Readme.txt
FileName = C:\Documents and Settings\Administrator\Application Data\microsoft\Templates\*.dot*
FileName = C:\Documents and Settings\Administrator\Application Data\microsoft\Templates\*
FileName = C:\Documents and Settings\Administrator\Application Data\microsoft\Templates\Document Themes\*.dot*
FileName = C:\Documents and Settings\Administrator\Application Data\microsoft\Templates\Document Themes\*
FileName = C:\Documents and Settings\Administrator\Application Data\microsoft\Templates\Document Themes\Theme Colors\*.dot*
FileName = C:\Documents and Settings\Administrator\Application Data\microsoft\Templates\Document Themes\Theme Colors\*
Behavior: Delete file
Details: C:\Documents and Settings\Administrator\Local Settings\Temp\aut10.tmp
C:\WINDOWS\system32\Readme.txt
C:\Documents and Settings\Administrator\Application Data\Microsoft\Templates\8开双面双页码密封试卷模板2007.dotx
C:\Documents and Settings\Administrator\Application Data\Microsoft\Templates\Normal.dotm
C:\Documents and Settings\Administrator\Application Data\Microsoft\Templates\Normal11.dot
C:\Documents and Settings\Administrator\Application Data\Microsoft\Templates\信息技术试卷模板.dot
C:\Documents and Settings\Administrator\Application Data\Microsoft\Templates\物理图形一.dot
C:\Documents and Settings\Administrator\Application Data\Microsoft\Templates\物理图形二.dot
C:\Documents and Settings\Administrator\Local Settings\Temp\aut11.tmp
Behavior: Modify file contents
Details: C:\Documents and Settings\Administrator\Local Settings\Temp\aut10.tmp ---> Offset = 0
C:\WINDOWS\system32\Readme.txt ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\aut11.tmp ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\aut11.tmp ---> Offset = 49152
C:\WINDOWS\system32\bootsect.exe ---> Offset = 0
C:\WINDOWS\system32\bootsect.exe ---> Offset = 65536
C:\WINDOWS\system32\bootsect.exe ---> Offset = 102400

Registry behavior
Behavior: Modify registry
Details: \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\W32Time\Config\MaxNegPhaseCorrection
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\W32Time\Config\MaxPosPhaseCorrection
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\W32Time\TimeProviders\NtpClient\SpecialPollInterval
Behavior: Delete registry key
Details: \REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\{BDEADF00-C265-11d0-BCED-00A0C90AB50F}\
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\

Other behavior
Behavior: Check whether the process is being debugged
Details: IsDebuggerPresent
Behavior: Create mutex
Details: CTF.LBES.MutexDefaultS-*
CTF.Compart.MutexDefaultS-*
CTF.Asm.MutexDefaultS-*
CTF.Layouts.MutexDefaultS-*
CTF.TMD.MutexDefaultS-*
CTF.TimListCache.FMPDefaultS-*MUTEX.DefaultS-*
MSCTF.Shared.MUTEX.IOH
MSCTF.Shared.MUTEX.EIH
Behavior: Create event object
Details: EventName = DINPUTWINMM
EventName = Global\userenv: User Profile setup event
EventName = MSCTF.SendReceive.Event.EIH.IC
EventName = MSCTF.SendReceiveConection.Event.EIH.IC
Behavior: Window information
Details: Pid = 1940, Hwnd=0x1034a, Text = =:=, ClassName = Static.
Pid = 1940, Hwnd=0x10350, Text = 系统信息, ClassName = Button(GroupBox).
Pid = 1940, Hwnd=0x10352, Text = 系统名称:Microsoft Windows XP, ClassName = Static.
Pid = 1940, Hwnd=0x10354, Text = 系统标识:5.1.2600, ClassName = Static.
Pid = 1940, Hwnd=0x1035a, Text = 软改模块, ClassName = Button(GroupBox).
Pid = 1940, Hwnd=0x1035c, Text = 模块1, ClassName = Button(RadioButton).
Pid = 1940, Hwnd=0x1035e, Text = 模块2, ClassName = Button(RadioButton).
Pid = 1940, Hwnd=0x10360, Text = 模块3, ClassName = Button(RadioButton).
Pid = 1940, Hwnd=0x10362, Text = KMS, ClassName = Button(RadioButton).
Pid = 1940, Hwnd=0x10366, Text = 自动续期, ClassName = Button(CheckBox).
Pid = 1940, Hwnd=0x1036c, Text = 激活, ClassName = Button.
Pid = 1940, Hwnd=0x10370, Text = 查看, ClassName = Button.
Pid = 1940, Hwnd=0x10376, Text = 卸载, ClassName = Button.
Pid = 1940, Hwnd=0x10378, Text = 软件简介:本程序基于Vista Loader和vlmcsd KMS内核,原理是 利用GRLDR模拟品牌机SLIC,实现Vista/2008/7的OEM软改激活, 以及10/8.1/8/Office2016/2013/2010的KMS离线激活。免刷BIOS, 简单安全,傻瓜化操作,一键激活。 运行平台:Windows Vista/2008/7/8/2012/10 使用方法:右击7act.exe,选"以管理员身份运行",点击“激活” 按钮后,本工具会在后台进行一系列的激活操作,此时稍安勿躁, 稍, ClassName = Edit.
Pid = 1940, Hwnd=0x50348, Text = Windows一键激活 1.6.9.23, ClassName = AutoIt v3 GUI.
Behavior: Find specified window
Details: NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]
NtUserFindWindowEx: [Class,Window] = [CicLoaderWndClass,]
Behavior: Start system service
Details: [Service started successfully]: LocalSystem, Windows Time, C:\WINDOWS\System32\svchost.exe -k netsvcs
Behavior: Open event
Details: HookSwitchHookEnabledEvent
Global\SvcctrlStartEvent_A3752DX
CTF.ThreadMIConnectionEvent.000007E8.00000000.00000010
CTF.ThreadMarshalInterfaceEvent.000007E8.00000000.00000010
MSCTF.SendReceiveConection.Event.IOH.IC
MSCTF.SendReceive.Event.IOH.IC
Behavior: Get cursor position
Details: CursorPos = (80,18468), SleepMilliseconds = 10.
CursorPos = (6373,26501), SleepMilliseconds = 10.
CursorPos = (19208,15725), SleepMilliseconds = 10.
CursorPos = (11517,29359), SleepMilliseconds = 10.
CursorPos = (27001,24465), SleepMilliseconds = 10.
CursorPos = (5744,28146), SleepMilliseconds = 10.
CursorPos = (23320,16828), SleepMilliseconds = 10.
CursorPos = (10000,492), SleepMilliseconds = 10.
CursorPos = (3034,11943), SleepMilliseconds = 10.
CursorPos = (4866,5437), SleepMilliseconds = 10.
CursorPos = (32430,14605), SleepMilliseconds = 10.
CursorPos = (3941,154), SleepMilliseconds = 10.
CursorPos = (331,12383), SleepMilliseconds = 10.
CursorPos = (17460,18717), SleepMilliseconds = 10.
CursorPos = (19757,19896), SleepMilliseconds = 10.
Behavior: Enumerate windows
Details: N/A
Behavior: Stop system service
Details: ServiceName = Windows Time
Behavior: Executable signature information
Details: C:\WINDOWS\system32\bootsect.exe (signature verification: passed)
Behavior: Call Sleep function
Details: [1]: MilliSeconds = 0.
[2]: MilliSeconds = 0.
[3]: MilliSeconds = 0.
[4]: MilliSeconds = 0.
[5]: MilliSeconds = 0.
[6]: MilliSeconds = 0.
[7]: MilliSeconds = 0.
[8]: MilliSeconds = 0.
[9]: MilliSeconds = 0.
[10]: MilliSeconds = 0.
Behavior: Hide specified window
Details: [Window,Class] = [AutoIt v3,AutoIt v3]
[Window,Class] = [系统信息,Button]
[Window,Class] = [,Static]
[Window,Class] = [,Button]
[Window,Class] = [软改模块,Button]
[Window,Class] = [模块1,Button]
[Window,Class] = [模块2,Button]
[Window,Class] = [模块3,Button]
[Window,Class] = [KMS,Button]
[Window,Class] = [自动续期,Button]
[Window,Class] = [激活,Button]
[Window,Class] = [查看,Button]
[Window,Class] = [卸载,Button]
[Window,Class] = [软件简介:本程序基于Vista Loader和vlmcsd KMS内核,原理是 利用GRLDR模拟品牌机SLIC,实现Vista/2008/7的OEM软改激活, 以及10/8.1/8/Office2016/2013/2010的KMS离线激活。免刷BIOS, 简单安全,傻瓜化操作,一键激活。 运行平台:Windows Vista/2008/7/8/2012/10 使用方法:右击7act.exe,选"以管理员身份运行",点击“激活” 按钮后,本工具会在后台进行一
[Window,Class] = [ Windows一键激活 1.6.9.23,AutoIt v3 GUI]
Behavior: Executable MD5
Details: C:\WINDOWS\system32\bootsect.exe ---> dba3e8620db43046b9ee78add41865f4
Behavior: Open mutex
Details: ShimCacheMutex