VirSCAN

1, You can UPLOAD any files, but there is a 20Mb limit per file.
2, VirSCAN supports Rar/Zip decompression, but the archive must contain fewer than 20 files.
3, VirSCAN can scan compressed files protected with the password 'infected' or 'virus'.

File information

Basic Information

MD5: 4111364152af57495adaa6499eb51277
file type: Rar
Production company:
version:
Shell or compiler information: COMPILER:UPolyX v0.5
Subfile information: aria2c.exe / 4943ba11f55a2140a95847f09ead2fe6 / EXE

Key behavior

Behavior description: Modifies an existing EXE file on the system
details: C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\百度网盘下载器+公众号:TOPO\百度网盘下载器\PanData\aria2c.exe
Behavior description: Looks up PE resource information
details: (FindResourceW) hModule = 0x00400000, ResName: 84(ID), ResType: EXE
Behavior description: Reads the TickCount value
details: TickCount = 222907, SleepMilliseconds = 1.
TickCount = 222922, SleepMilliseconds = 1.
TickCount = 222938, SleepMilliseconds = 1.
TickCount = 222985, SleepMilliseconds = 1.
TickCount = 223032, SleepMilliseconds = 1.
TickCount = 223079, SleepMilliseconds = 1.
TickCount = 223235, SleepMilliseconds = 1.
TickCount = 223251, SleepMilliseconds = 1.
TickCount = 223266, SleepMilliseconds = 1.
TickCount = 223465, SleepMilliseconds = 200.
TickCount = 223282, SleepMilliseconds = 1.
TickCount = 223297, SleepMilliseconds = 1.
TickCount = 223313, SleepMilliseconds = 1.
TickCount = 223344, SleepMilliseconds = 1.
TickCount = 223376, SleepMilliseconds = 1.
Behavior description: Reads the CPU clock directly
details: EAX = 0x0d5f3d87, EDX = 0x000000bc
EAX = 0x206f6816, EDX = 0x000000bc
Behavior description: Kills a process
details: C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\百度网盘下载器+公众号:TOPO\百度网盘下载器\PanData\aria2c.exe

File behavior

Behavior description: Creates a file
details: C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\百度网盘下载器+公众号:TOPO\百度网盘下载器\PanData\log\20170718091401.log
Behavior description: Modifies an existing EXE file on the system
details: C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\百度网盘下载器+公众号:TOPO\百度网盘下载器\PanData\aria2c.exe
Behavior description: Overwrites an existing file
details: C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\百度网盘下载器+公众号:TOPO\百度网盘下载器\PanData\pan.conf
Behavior description: Modifies file contents
details: C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\百度网盘下载器+公众号:TOPO\百度网盘下载器\PanData\log\20170718091401.log ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\百度网盘下载器+公众号:TOPO\百度网盘下载器\PanData\log\20170718091401.log ---> Offset = 34
C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\百度网盘下载器+公众号:TOPO\百度网盘下载器\PanData\log\20170718091401.log ---> Offset = 81
C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\百度网盘下载器+公众号:TOPO\百度网盘下载器\PanData\log\20170718091401.log ---> Offset = 140
C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\百度网盘下载器+公众号:TOPO\百度网盘下载器\PanData\aria2c.exe ---> Offset = 262144
C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\百度网盘下载器+公众号:TOPO\百度网盘下载器\PanData\aria2c.exe ---> Offset = 327680
C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\百度网盘下载器+公众号:TOPO\百度网盘下载器\PanData\aria2c.exe ---> Offset = 393216
C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\百度网盘下载器+公众号:TOPO\百度网盘下载器\PanData\aria2c.exe ---> Offset = 458752
C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\百度网盘下载器+公众号:TOPO\百度网盘下载器\PanData\aria2c.exe ---> Offset = 524288
C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\百度网盘下载器+公众号:TOPO\百度网盘下载器\PanData\pan.conf ---> Offset = 0
Behavior description: Searches for files
details: FileName = PanData
FileName = PanData\log
FileName = PanData\log\20170718091401.log
FileName = PanData\temp
FileName = PanData\aria2c.exe
FileName = C:\Documents and Settings\Administrator\Local Settings\Temp
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\百度网盘下载器+公众号:TOPO\百度网盘下载器
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\百度网盘下载器+公众号:TOPO\百度网盘下载器\PanData
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\百度网盘下载器+公众号:TOPO\百度网盘下载器\PanData\aria2c.exe
FileName = C:/Documents and Settings/Administrator/.aria2/aria2.conf
FileName = C:/Documents and Settings/Administrator/.aria2/dht.dat
FileName = C:/Documents and Settings/Administrator/.aria2/dht6.dat
FileName = C:/Documents and Settings/Administrator/.config/aria2/aria2.conf
FileName = C:/Documents and Settings/Administrator/.netrc

Network behavior

Behavior description: Connects to a specified site
details: WinHttpConnect: ServerName = **.112.211.**, PORT = 80, UserName = , Password = , hSession = 0x02d43100, hConnect = 0x02d43200, Flags = 0x00000000
WinHttpConnect: ServerName = **.112.211.**, PORT = 80, UserName = , Password = , hSession = 0x02ee1100, hConnect = 0x02ee1200, Flags = 0x00000000
WinHttpConnect: ServerName = pa****ub, PORT = 80, UserName = , Password = , hSession = 0x02f01100, hConnect = 0x02f01200, Flags = 0x00000000
WinHttpConnect: ServerName = pa****ub, PORT = 80, UserName = , Password = , hSession = 0x02e41100, hConnect = 0x02e41200, Flags = 0x00000000
Behavior description: Opens an HTTP connection
details: WinHttpOpen: UserAgent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5), hSession = 0x02f01100
WinHttpOpen: UserAgent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5), hSession = 0x02d43100
WinHttpOpen: UserAgent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5), hSession = 0x02ee1100
WinHttpOpen: UserAgent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5), hSession = 0x02e41100
Behavior description: Establishes a connection to a specified socket
details: IP: **.112.211.**:80, SOCKET = 0x000002f8
IP: **.112.211.**:80, SOCKET = 0x000002f0
URL: pa****ub, IP: **.133.40.**:80, SOCKET = 0x0000028c
URL: pa****ub, IP: **.133.40.**:80, SOCKET = 0x00000270
IP: **.0.0.**:6801, SOCKET = 0x00000300
Behavior description: Sends HTTP packets
details: GET /cgi-bin/update?version=1.3.5&plus=0&t=1500340489 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36 Accept: */* Host: **.112.211.** Connection: Keep-Alive
GET /cgi-bin/update?version=1.3.5&plus=0&t=1500340489 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36 Accept: */* Host: pa****ub Connection: Keep-Alive
POST /jsonrpc HTTP/1.1 Host: **.0.0.**:6801 Content-Length: 83 Connection:close {"id":1,"jsonrpc":"2.0","method":"aria2.getVersion","params":["token:0b9c266877"]}
Behavior description: Opens an HTTP request
details: WinHttpOpenRequest: **.112.211.**:80/cgi-bin/update?version=1.3.5&plus=0&t=1500340489, hConnect = 0x02d43200, hRequest = 0x02bb0000, Verb: GET, Referer: , Flags = 0x00000080
WinHttpOpenRequest: **.112.211.**:80/cgi-bin/update?version=1.3.5&plus=0&t=1500340489, hConnect = 0x02ee1200, hRequest = 0x02be0000, Verb: GET, Referer: , Flags = 0x00000080
WinHttpOpenRequest: pa****ub:80/cgi-bin/update?version=1.3.5&plus=0&t=1500340489, hConnect = 0x02e41200, hRequest = 0x02f40000, Verb: GET, Referer: , Flags = 0x00000080
WinHttpOpenRequest: pa****ub:80/cgi-bin/update?version=1.3.5&plus=0&t=1500340489, hConnect = 0x02f01200, hRequest = 0x02c10000, Verb: GET, Referer: , Flags = 0x00000080
Behavior description: Resolves a host address by name
details: GetAddrInfoW: pa****ub

Registry behavior

Behavior description: Modifies the registry
details: \REGISTRY\MACHINE\SOFTWARE\Microsoft\ESENT\Process\aria2c\DEBUG\Trace Level
Behavior description: Deletes a registry value
details: \REGISTRY\MACHINE\SOFTWARE\Microsoft\ESENT\Process\aria2c\DEBUG\Trace Level

Other behavior

Behavior description: Creates a mutex
details: PanDownload
CTF.LBES.MutexDefaultS-*
CTF.Compart.MutexDefaultS-*
CTF.Asm.MutexDefaultS-*
CTF.Layouts.MutexDefaultS-*
CTF.TMD.MutexDefaultS-*
CTF.TimListCache.FMPDefaultS-*MUTEX.DefaultS-*
MSCTF.Shared.MUTEX.IOH
RasPbFile
Behavior description: Creates an event object
details: EventName = DINPUTWINMM
EventName = Global\crypt32LogoffEvent
Behavior description: Opens a mutex
details: ShimCacheMutex
RasPbFile
Behavior description: Finds a specified window
details: NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]
Behavior description: Window information
details: Pid = 2736, Hwnd=0x20342, Text = 获取数据失败, ClassName = MsgBoxUI.
Pid = 2736, Hwnd=0x10344, Text = PanDownload, ClassName = PanFrameUI.
Behavior description: Reads the TickCount value
details: TickCount = 222907, SleepMilliseconds = 1.
TickCount = 222922, SleepMilliseconds = 1.
TickCount = 222938, SleepMilliseconds = 1.
TickCount = 222985, SleepMilliseconds = 1.
TickCount = 223032, SleepMilliseconds = 1.
TickCount = 223079, SleepMilliseconds = 1.
TickCount = 223235, SleepMilliseconds = 1.
TickCount = 223251, SleepMilliseconds = 1.
TickCount = 223266, SleepMilliseconds = 1.
TickCount = 223465, SleepMilliseconds = 200.
TickCount = 223282, SleepMilliseconds = 1.
TickCount = 223297, SleepMilliseconds = 1.
TickCount = 223313, SleepMilliseconds = 1.
TickCount = 223344, SleepMilliseconds = 1.
TickCount = 223376, SleepMilliseconds = 1.
Behavior description: Opens an event
details: HookSwitchHookEnabledEvent
Global\crypt32LogoffEvent
CTF.ThreadMIConnectionEvent.000007E8.00000000.0000000F
CTF.ThreadMarshalInterfaceEvent.000007E8.00000000.0000000F
MSCTF.SendReceiveConection.Event.IOH.IC
MSCTF.SendReceive.Event.IOH.IC
Behavior description: Signature information of the modified executable
details: C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\百度网盘下载器+公众号:TOPO\百度网盘下载器\PanData\aria2c.exe(签名验证: 未通过)
Behavior description: Calls the Sleep function
details: [1]: MilliSeconds = 1.
[2]: MilliSeconds = 1.
[3]: MilliSeconds = 1.
[4]: MilliSeconds = 1.
[5]: MilliSeconds = 1.
[6]: MilliSeconds = 1.
[7]: MilliSeconds = 1.
[8]: MilliSeconds = 1.
[10]: MilliSeconds = 1.
[9]: MilliSeconds = 1.
[1]: MilliSeconds = 50.
[2]: MilliSeconds = 50.
Behavior description: Looks up PE resource information
details: (FindResourceW) hModule = 0x00400000, ResName: 84(ID), ResType: EXE
Behavior description: Reads the CPU clock directly
details: EAX = 0x0d5f3d87, EDX = 0x000000bc
EAX = 0x206f6816, EDX = 0x000000bc
Behavior description: MD5 of the modified executable
details: C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\百度网盘下载器+公众号:TOPO\百度网盘下载器\PanData\aria2c.exe ---> 4943ba11f55a2140a95847f09ead2fe6
