VirSCAN

1. You can upload any file, but there is a 20 MB limit per file.
2. VirSCAN supports RAR/ZIP decompression, but the archive must contain fewer than 20 files.
3. VirSCAN can scan password-protected archives if the password is 'infected' or 'virus'.

File information

Basic Information

MD5: 8f2432c8704c90f429731aee083d171e
file type: EXE
Publisher: SafeBytes Software Inc.
version: 1.11.0.6 / 1.11.0.6
Shell or compiler information: COMPILER:NSIS
Sub-file information: [NSIS].nsi / 6e088e779399871c6f17e4591fc0a32d / Unknown

Key behavior

Behavior description: Set special folder attributes
details: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\Administrator\Local Settings\History
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5
C:\Documents and Settings\Administrator\Cookies
Behavior description: Read CPU time-stamp counter directly (RDTSC)
details: EAX = 0xa2d00089, EDX = 0x000000b7
EAX = 0xa2d000d5, EDX = 0x000000b7
EAX = 0xccfcd46f, EDX = 0x000000b7
EAX = 0xccfcd4bb, EDX = 0x000000b7
EAX = 0xccfcd507, EDX = 0x000000b7
EAX = 0xccfcd553, EDX = 0x000000b7
EAX = 0x65d4879d, EDX = 0x000000b8
EAX = 0x685c5726, EDX = 0x000000b9
EAX = 0x6831277f, EDX = 0x000000ba
EAX = 0x75db53ae, EDX = 0x000000ba
Behavior description: Get TickCount value (GetTickCount)
details: TickCount = 221811, SleepMilliseconds = -1.
TickCount = 221827, SleepMilliseconds = -1.
TickCount = 221842, SleepMilliseconds = -1.
TickCount = 221893, SleepMilliseconds = 50.
TickCount = 221905, SleepMilliseconds = -1.
TickCount = 222406, SleepMilliseconds = 500.
TickCount = 221967, SleepMilliseconds = -1.
TickCount = 222030, SleepMilliseconds = -1.
TickCount = 222092, SleepMilliseconds = -1.
TickCount = 222155, SleepMilliseconds = -1.
TickCount = 222217, SleepMilliseconds = -1.
TickCount = 222718, SleepMilliseconds = 500.
TickCount = 223031, SleepMilliseconds = 500.
TickCount = 222545, SleepMilliseconds = -1.
TickCount = 222608, SleepMilliseconds = -1.

File behavior

Behavior description: Create file
details: C:\Documents and Settings\Administrator\Local Settings\Temp\nsb3.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\nsg4.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\nsg4.tmp\TotalSystemCare\Install\TotalSystemCare-Setup.exe.config
C:\Documents and Settings\Administrator\Local Settings\Temp\nsg4.tmp\TotalSystemCare\Install\TotalSystemCare-Setup.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\1rzlmwbt.jsc\spritesheet.png
C:\Documents and Settings\Administrator\Local Settings\Temp\1rzlmwbt.jsc\index.html
C:\Documents and Settings\Administrator\Local Settings\Temp\1rzlmwbt.jsc\script.js
C:\Documents and Settings\Administrator\Local Settings\Temp\1rzlmwbt.jsc\style.css
Behavior description: Create executable file
details: C:\Documents and Settings\Administrator\Local Settings\Temp\nsg4.tmp\TotalSystemCare\Install\TotalSystemCare-Setup.exe
Behavior description: Overwrite existing file
details: C:\Documents and Settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
Behavior description: Search for file
details: FileName = C:\WINDOWS
FileName = C:\WINDOWS\system32
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsg4.tmp
FileName = C:\DOCUME~1
FileName = C:\DOCUME~1\ADMINI~1
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsg4.tmp\TotalSystemCare\Install
FileName = C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll
FileName = C:\WINDOWS\Microsoft.NET\Framework\\*
FileName = C:\WINDOWS\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.INI
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsg4.tmp\TotalSystemCare
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsg4.tmp\TotalSystemCare\Install\TotalSystemCare-Setup.exe
FileName = C:\Documents and Settings\ADMINI~1
FileName = C:\Documents and Settings\Administrator\LOCALS~1
Behavior description: Delete file
details: C:\Documents and Settings\Administrator\Local Settings\Temp\nsb3.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\nsg4.tmp
Behavior description: Set special folder attributes
details: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\Administrator\Local Settings\History
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5
C:\Documents and Settings\Administrator\Cookies
Behavior description: Modify file contents
details: C:\Documents and Settings\Administrator\Local Settings\Temp\nsg4.tmp\TotalSystemCare\Install\TotalSystemCare-Setup.exe.config ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\nsg4.tmp\TotalSystemCare\Install\TotalSystemCare-Setup.exe ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\nsg4.tmp\TotalSystemCare\Install\TotalSystemCare-Setup.exe ---> Offset = 32768
C:\Documents and Settings\Administrator\Local Settings\Temp\nsg4.tmp\TotalSystemCare\Install\TotalSystemCare-Setup.exe ---> Offset = 37645
C:\Documents and Settings\Administrator\Local Settings\Temp\nsg4.tmp\TotalSystemCare\Install\TotalSystemCare-Setup.exe ---> Offset = 70413
C:\Documents and Settings\Administrator\Local Settings\Temp\nsg4.tmp\TotalSystemCare\Install\TotalSystemCare-Setup.exe ---> Offset = 78344
C:\Documents and Settings\Administrator\Local Settings\Temp\1rzlmwbt.jsc\spritesheet.png ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\1rzlmwbt.jsc\spritesheet.png ---> Offset = 65536
C:\Documents and Settings\Administrator\Local Settings\Temp\1rzlmwbt.jsc\spritesheet.png ---> Offset = 131072
C:\Documents and Settings\Administrator\Local Settings\Temp\1rzlmwbt.jsc\spritesheet.png ---> Offset = 196608
C:\Documents and Settings\Administrator\Local Settings\Temp\1rzlmwbt.jsc\index.html ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\1rzlmwbt.jsc\index.html ---> Offset = 4096
C:\Documents and Settings\Administrator\Local Settings\Temp\1rzlmwbt.jsc\index.html ---> Offset = 8192
C:\Documents and Settings\Administrator\Local Settings\Temp\1rzlmwbt.jsc\script.js ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\1rzlmwbt.jsc\script.js ---> Offset = 4096

Network behavior

Behavior description: Establish a connection to a specified socket
details: URL: is****om, IP: **.133.40.**:443, SOCKET = 0x00000720
Behavior description: Resolve host address by name
details: gethostbyname: is****om

Registry behavior

Behavior description: Modify registry
details: \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\Eventlog\Application\Total System Care\EventMessageFile
\REGISTRY\MACHINE\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication\Name
\REGISTRY\MACHINE\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication\ID
\REGISTRY\MACHINE\SOFTWARE\TotalSystemCare\InstallID
\REGISTRY\MACHINE\SOFTWARE\TotalSystemCare\InitialStats
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Direct3D\MostRecentApplication\Name

Other behavior

Behavior description: Check whether it is being debugged
details: IsDebuggerPresent
Behavior description: Create mutex
details: CTF.LBES.MutexDefaultS-*
CTF.Compart.MutexDefaultS-*
CTF.Asm.MutexDefaultS-*
CTF.Layouts.MutexDefaultS-*
CTF.TMD.MutexDefaultS-*
CTF.TimListCache.FMPDefaultS-*MUTEX.DefaultS-*
Global\netfxeventlog.1.0
Local\ZonesCounterMutex
Local\ZoneAttributeCacheCounterMutex
Local\ZonesCacheCounterMutex
Local\ZonesLockedCacheCounterMutex
Local\!PrivacIE!SharedMemory!Mutex
DDrawWindowListMutex
DDrawDriverObjectListMutex
__DDrawExclMode__
Behavior description: Create event object
details: EventName = Global\CPFATE_2836_v4.0.30319
EventName = Global\crypt32LogoffEvent
EventName = DINPUTWINMM
EventName = Global\userenv: User Profile setup event
Behavior description: Open mutex
details: ShimCacheMutex
Local\!IETld!Mutex
CtfmonInstMutexDefaultS-*
Local\_!MSFTHISTORY!_
Local\c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Local\c:!documents and settings!administrator!cookies!
Local\c:!documents and settings!administrator!local settings!history!history.ie5!
RasPbFile
Behavior description: Find specified window
details: NtUserFindWindowEx: [Class,Window] = [MS_AutodialMonitor,]
NtUserFindWindowEx: [Class,Window] = [MS_WebCheckMonitor,]
NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]
Behavior description: Window information
details: Pid = 2836, Hwnd=0x10366, Text = Installer - Total System Care, ClassName = WindowsForms10.Window.8.app.0.2aeb54d_r19_ad1.
Behavior description: Get TickCount value (GetTickCount)
details: TickCount = 221811, SleepMilliseconds = -1.
TickCount = 221827, SleepMilliseconds = -1.
TickCount = 221842, SleepMilliseconds = -1.
TickCount = 221893, SleepMilliseconds = 50.
TickCount = 221905, SleepMilliseconds = -1.
TickCount = 222406, SleepMilliseconds = 500.
TickCount = 221967, SleepMilliseconds = -1.
TickCount = 222030, SleepMilliseconds = -1.
TickCount = 222092, SleepMilliseconds = -1.
TickCount = 222155, SleepMilliseconds = -1.
TickCount = 222217, SleepMilliseconds = -1.
TickCount = 222718, SleepMilliseconds = 500.
TickCount = 223031, SleepMilliseconds = 500.
TickCount = 222545, SleepMilliseconds = -1.
TickCount = 222608, SleepMilliseconds = -1.
Behavior description: Adjust process token privileges
details: SE_LOAD_DRIVER_PRIVILEGE
Behavior description: Open event
details: HookSwitchHookEnabledEvent
_fCanRegisterWithShellService
Global\CLR_PerfMon_StartEnumEvent
\KernelObjects\LowMemoryCondition
Global\crypt32LogoffEvent
MSFT.VSA.COM.DISABLE.2836
MSFT.VSA.IEC.STATUS.6c736db0
\SECURITY\LSA_AUTHENTICATION_INITIALIZED
Global\SvcctrlStartEvent_A3752DX
CTF.ThreadMIConnectionEvent.000007E8.00000000.00000010
CTF.ThreadMarshalInterfaceEvent.000007E8.00000000.00000010
MSCTF.SendReceiveConection.Event.IOH.IC
MSCTF.SendReceive.Event.IOH.IC
Behavior description: Executable signature information
details: C:\Documents and Settings\Administrator\Local Settings\Temp\nsg4.tmp\TotalSystemCare\Install\TotalSystemCare-Setup.exe (signature verification: failed)
Behavior description: Call Sleep function
details: [1]: MilliSeconds = -1.
[2]: MilliSeconds = -1.
[3]: MilliSeconds = 50.
[4]: MilliSeconds = 0.
[5]: MilliSeconds = 0.
[6]: MilliSeconds = 0.
[7]: MilliSeconds = 0.
[8]: MilliSeconds = 0.
[9]: MilliSeconds = 0.
[10]: MilliSeconds = 0.
Behavior description: Get cursor position
details: CursorPos = (80,18468), SleepMilliseconds = 500.
CursorPos = (6373,26501), SleepMilliseconds = 500.
CursorPos = (19208,15725), SleepMilliseconds = 500.
CursorPos = (11517,29359), SleepMilliseconds = 500.
CursorPos = (27001,24465), SleepMilliseconds = 500.
CursorPos = (5744,28146), SleepMilliseconds = 500.
CursorPos = (23320,16828), SleepMilliseconds = 500.
CursorPos = (10000,492), SleepMilliseconds = 500.
CursorPos = (3034,11943), SleepMilliseconds = 500.
CursorPos = (4866,5437), SleepMilliseconds = 500.
CursorPos = (32430,14605), SleepMilliseconds = 500.
CursorPos = (3941,154), SleepMilliseconds = 500.
CursorPos = (331,12383), SleepMilliseconds = 500.
CursorPos = (17460,18717), SleepMilliseconds = 500.
CursorPos = (19757,19896), SleepMilliseconds = 500.
Behavior description: Executable file MD5
details: C:\Documents and Settings\Administrator\Local Settings\Temp\nsg4.tmp\TotalSystemCare\Install\TotalSystemCare-Setup.exe ---> 38fe46ca7a8d5558029f29d20bbf2016
Behavior description: Read CPU time-stamp counter directly (RDTSC)
details: EAX = 0xa2d00089, EDX = 0x000000b7
EAX = 0xa2d000d5, EDX = 0x000000b7
EAX = 0xccfcd46f, EDX = 0x000000b7
EAX = 0xccfcd4bb, EDX = 0x000000b7
EAX = 0xccfcd507, EDX = 0x000000b7
EAX = 0xccfcd553, EDX = 0x000000b7
EAX = 0x65d4879d, EDX = 0x000000b8
EAX = 0x685c5726, EDX = 0x000000b9
EAX = 0x6831277f, EDX = 0x000000ba
EAX = 0x75db53ae, EDX = 0x000000ba
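The RDTSC reads, the GetTickCount/Sleep pairs, the GetCursorPos polling and the IsDebuggerPresent call above are the sandbox-evasion probes an analyst would pull out of this listing first. The script below is an added triage example, not part of the VirSCAN report or of any VirSCAN tooling: it parses the "Behavior description: ... / details: ..." format used on this page (with the English description strings used here), reassembles each 64-bit time-stamp counter from EDX:EAX to find back-to-back RDTSC reads, checks whether tick counts advanced by less than the preceding Sleep() asked for, and tests for a stationary cursor. The embedded sample is a constructed excerpt of this report (the last cursor line is altered to exercise the stationary case), and the thresholds PAIR_THRESHOLD and tolerance_ms are assumptions.

```python
"""Triage helper for a VirSCAN-style behaviour listing (added example, not VirSCAN code).

Pulls the timing and environment probes out of the plain-text report format
seen on this page.  Description strings are the English renderings used on the
page; PAIR_THRESHOLD and tolerance_ms are the example's own assumptions.
"""
import re

# Constructed sample: an excerpt of the report above; the last cursor line is
# altered so that the stationary-cursor case is exercised.
REPORT = """\
Key behavior

Behavior description: Read CPU time-stamp counter directly (RDTSC)
details: EAX = 0xa2d00089, EDX = 0x000000b7
EAX = 0xa2d000d5, EDX = 0x000000b7
EAX = 0xccfcd46f, EDX = 0x000000b7
EAX = 0xccfcd4bb, EDX = 0x000000b7
Behavior description: Get TickCount value (GetTickCount)
details: TickCount = 221811, SleepMilliseconds = -1.
TickCount = 221893, SleepMilliseconds = 50.
TickCount = 222406, SleepMilliseconds = 500.

Other behavior

Behavior description: Check whether it is being debugged
details: IsDebuggerPresent
Behavior description: Get cursor position
details: CursorPos = (80,18468), SleepMilliseconds = 500.
CursorPos = (6373,26501), SleepMilliseconds = 500.
CursorPos = (6373,26501), SleepMilliseconds = 500.
"""

SECTION_RE = re.compile(r"^(Key|File|Network|Registry|Other) behavior$")
RDTSC_RE = re.compile(r"EAX = 0x([0-9a-fA-F]+), EDX = 0x([0-9a-fA-F]+)")
TICK_RE = re.compile(r"TickCount = (\d+), SleepMilliseconds = (-?\d+)")
CURSOR_RE = re.compile(r"CursorPos = \((\d+),(\d+)\)")
PAIR_THRESHOLD = 1000  # cycles; reads closer than this count as one rdtsc pair (assumption)


def parse_report(text):
    """Return a list of (section, description, detail_lines) from the report text."""
    entries, section, current = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if SECTION_RE.match(line):
            section, current = line, None
        elif line.startswith("Behavior description:"):
            current = (section, line.split(":", 1)[1].strip(), [])
            entries.append(current)
        elif line.startswith("details:"):
            if current is not None:
                current[2].append(line.split(":", 1)[1].strip())
        elif current is not None:
            current[2].append(line)  # continuation line of the current "details:"
    return entries


def rdtsc_deltas(details):
    """Reassemble each 64-bit TSC value from EDX:EAX and return deltas between reads."""
    ticks = []
    for d in details:
        m = RDTSC_RE.search(d)
        if m:
            eax, edx = (int(g, 16) for g in m.groups())
            ticks.append((edx << 32) | eax)
    return [b - a for a, b in zip(ticks, ticks[1:])]


def tick_sleep_pairs(details):
    """Return (tick, sleep_ms) pairs; sleep_ms == -1 marks a read not paired with a Sleep."""
    return [(int(m.group(1)), int(m.group(2))) for m in map(TICK_RE.search, details) if m]


def sleep_shortened(pairs, tolerance_ms=20):
    """Flag each Sleep(n) whose surrounding tick readings advanced by clearly less than n.
    A sandbox that fast-forwards sleeps is what such a timing check looks for."""
    flagged = []
    for (before, _), (after, sleep_ms) in zip(pairs, pairs[1:]):
        elapsed = after - before
        if sleep_ms >= 0 and elapsed < sleep_ms - tolerance_ms:
            flagged.append((before, after, sleep_ms, elapsed))
    return flagged


def cursor_stationary(details):
    """True if two consecutive GetCursorPos samples returned the same point
    (the 'nobody at the keyboard' test; this sandbox randomises the cursor per poll)."""
    points = [tuple(int(g) for g in m.groups()) for m in map(CURSOR_RE.search, details) if m]
    return any(a == b for a, b in zip(points, points[1:]))


def triage(text):
    """Merge all details per behaviour description and summarise the anti-analysis checks."""
    by_desc = {}
    for _section, desc, details in parse_report(text):
        by_desc.setdefault(desc, []).extend(details)
    deltas = rdtsc_deltas(by_desc.get("Read CPU time-stamp counter directly (RDTSC)", []))
    return {
        "rdtsc_deltas": deltas,
        "paired_rdtsc_reads": sum(1 for d in deltas if d < PAIR_THRESHOLD),
        "sleep_shortened": sleep_shortened(
            tick_sleep_pairs(by_desc.get("Get TickCount value (GetTickCount)", []))),
        "cursor_stationary": cursor_stationary(by_desc.get("Get cursor position", [])),
        "is_debugger_present": "IsDebuggerPresent"
        in by_desc.get("Check whether it is being debugged", []),
    }


if __name__ == "__main__":
    for key, value in triage(REPORT).items():
        print(f"{key}: {value}")
```

On the page's own values the first and third RDTSC deltas are 0x4c (76 cycles), i.e. two reads taken almost back to back, which is the shape of a paired-RDTSC timing check rather than an ordinary clock read; the TickCount lines in the full report are not strictly monotonic (222406 is followed by 221967), so when running this over the whole listing treat the pairs as possibly interleaved from more than one thread.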

Run screenshot
