VirSCAN VirSCAN

1, You can UPLOAD any files, but there is 20Mb limit per file.
2, VirSCAN supports Rar/Zip decompression, but it must be less than 20 files.
3, Aplikace VirSCAN může skenovat komprimované soubory s heslem 'infected'nebo'virus'.

Language
Server load
Server Load

VirSCAN
VirSCAN

1, You can UPLOAD any files, but there is 20Mb limit per file.
2, VirSCAN supports Rar/Zip decompression, but it must be less than 20 files.
3, Aplikace VirSCAN může skenovat komprimované soubory s heslem 'infected'nebo'virus'.

File information

Basic Information

MD5: 8392c7714254526006775ade718cde98
file type: EXE
Production company:
version: 1.0.0.0---1.0.0.0
Shell or compiler information: COMPILER:Microsoft Visual C# / Basic .NET [Overlay]

Key behavior

Behavior description: 直接获取CPU时钟
details: EAX = 0x66598867, EDX = 0x000000b6
EAX = 0x665988b3, EDX = 0x000000b6
EAX = 0x68e1583c, EDX = 0x000000b6
EAX = 0x68e15888, EDX = 0x000000b6
EAX = 0x68e158d4, EDX = 0x000000b6
EAX = 0x68e15920, EDX = 0x000000b6
EAX = 0x6e4757cc, EDX = 0x000000b6
EAX = 0x6e475818, EDX = 0x000000b6
EAX = 0x88989078, EDX = 0x000000b6
EAX = 0x889890c4, EDX = 0x000000b6

File behavior

Behavior description: 创建文件
details: C:\Documents and Settings\Administrator\Local Settings\Temp\tamamen.exe
Behavior description: 覆盖已有文件
details: C:\Documents and Settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
Behavior description: 创建可执行文件
details: C:\Documents and Settings\Administrator\Local Settings\Temp\tamamen.exe
Behavior description: 修改文件内容
details: C:\Documents and Settings\Administrator\Local Settings\Temp\tamamen.exe ---> Offset = 0
Behavior description: 查找文件
details: FileName = C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll
FileName = C:\WINDOWS\Microsoft.NET\Framework\\*
FileName = C:\WINDOWS
FileName = C:\WINDOWS\WinSxS
FileName = C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
FileName = C:\WINDOWS\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.INI
FileName = C:\Documents and Settings\Administrator\Local Settings\Temp
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe
FileName = C:\Documents and Settings
FileName = C:\Documents and Settings\Administrator
FileName = C:\Documents and Settings\Administrator\Local Settings
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%\996E.INI
FileName = C:\WINDOWS\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.INI
FileName = C:\WINDOWS\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.INI

Registry behavior

Behavior description: 修改注册表
details: \REGISTRY\USER\S-*\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\Documents and Settings\Administrator\Local Settings\Temp\tamamen.exe

Other behavior

Behavior description: 检测自身是否被调试
details: IsDebuggerPresent
Behavior description: 创建互斥体
details: CTF.LBES.MutexDefaultS-*
CTF.Compart.MutexDefaultS-*
CTF.Asm.MutexDefaultS-*
CTF.Layouts.MutexDefaultS-*
CTF.TMD.MutexDefaultS-*
CTF.TimListCache.FMPDefaultS-*MUTEX.DefaultS-*
Local\ZonesCounterMutex
Local\ZoneAttributeCacheCounterMutex
Local\ZonesCacheCounterMutex
Local\ZonesLockedCacheCounterMutex
MSCTF.Shared.MUTEX.IOH
MSCTF.Shared.MUTEX.MGK
Behavior description: 创建事件对象
details: EventName = Global\CorDBIPCSetupSyncEvent_2664
EventName = MSCTF.SendReceive.Event.MGK.IC
EventName = MSCTF.SendReceiveConection.Event.MGK.IC
Behavior description: 打开互斥体
details: ShimCacheMutex
Global\CLR_CASOFF_MUTEX
Local\!IETld!Mutex
Behavior description: 查找指定窗口
details: NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]
NtUserFindWindowEx: [Class,Window] = [CicLoaderWndClass,]
Behavior description: 加密数据
details: [CryptEncrypt] Data: 0x001BB6B8, PlainTextLen: 16, CipherTextLen: 16, Flags: 0x00000000
Behavior description: 打开事件
details: Global\CLR_PerfMon_StartEnumEvent
\KernelObjects\LowMemoryCondition
HookSwitchHookEnabledEvent
_fCanRegisterWithShellService
\SECURITY\LSA_AUTHENTICATION_INITIALIZED
CTF.ThreadMIConnectionEvent.000007E8.00000000.0000000F
CTF.ThreadMarshalInterfaceEvent.000007E8.00000000.0000000F
MSCTF.SendReceiveConection.Event.IOH.IC
MSCTF.SendReceive.Event.IOH.IC
Behavior description: 调整进程token权限
details: SE_LOAD_DRIVER_PRIVILEGE
Behavior description: 窗口信息
details: Pid = 2664, Hwnd=0x1034e, Text = Unhandled exception has occurred in your application. If you click Continue, the application will ignore this error and attempt to continue. If you click Quit, the application will close immediately. %1 不是有效的 Win32 应用程序。., ClassName = WindowsForms10.STATIC.app.0.378734a.
Pid = 2664, Hwnd=0x10356, Text = &Details, ClassName = WindowsForms10.BUTTON.app.0.378734a.
Pid = 2664, Hwnd=0x10358, Text = &Continue, ClassName = WindowsForms10.BUTTON.app.0.378734a.
Pid = 2664, Hwnd=0x1035a, Text = &Quit, ClassName = WindowsForms10.BUTTON.app.0.378734a.
Pid = 2664, Hwnd=0x1035c, Text = See the end of this message for details on invoking just-in-time (JIT) debugging instead of this dialog box. ************** Exception Text ************** System.ComponentModel.Win32Exception: %1 不是有效的 Win32 应用程序。 at System.Diagnostics.Process.StartW, ClassName = WindowsForms10.EDIT.app.0.378734a.
Pid = 2664, Hwnd=0x10350, Text = Microsoft .NET Framework, ClassName = WindowsForms10.Window.8.app.0.378734a.
Pid = 2664, Hwnd=0x10346, Text = Form1, ClassName = WindowsForms10.Window.8.app.0.378734a.
Behavior description: 可执行文件签名信息
details: C:\Documents and Settings\Administrator\Local Settings\Temp\tamamen.exe(签名验证: 未通过)
Behavior description: 隐藏指定窗口
details: [Window,Class] = [Microsoft .NET Framework,WindowsForms10.Window.8.app.0.378734a]
Behavior description: 可执行文件MD5
details: C:\Documents and Settings\Administrator\Local Settings\Temp\tamamen.exe ---> c2d47ccec784ee1224cf47c9ba2411ba
Behavior description: 直接获取CPU时钟
details: EAX = 0x66598867, EDX = 0x000000b6
EAX = 0x665988b3, EDX = 0x000000b6
EAX = 0x68e1583c, EDX = 0x000000b6
EAX = 0x68e15888, EDX = 0x000000b6
EAX = 0x68e158d4, EDX = 0x000000b6
EAX = 0x68e15920, EDX = 0x000000b6
EAX = 0x6e4757cc, EDX = 0x000000b6
EAX = 0x6e475818, EDX = 0x000000b6
EAX = 0x88989078, EDX = 0x000000b6
EAX = 0x889890c4, EDX = 0x000000b6
Behavior description: 解密数据
details: [CryptDecrypt] Data: 0x001CDF68, CipherTextLen: 232, PlainTextLen: 232, Flags: 0x00000000
Behavior description: 导入密钥
details: [CryptImportKey] Algorithm: CALG_DES (0x00006601), Data: 0x001C14D8, DataLen: 20, Flags: 0x00000001

Run screenshot

VirSCAN