VirSCAN VirSCAN

1, You can UPLOAD any files, but there is 20Mb limit per file.
2, VirSCAN supports Rar/Zip decompression, but it must be less than 20 files.
3, VirSCAN can scan password-protected compressed files with the password 'infected' or 'virus'.


File information

Basic Information

MD5: ee379ce66837a90d7f016df28c70f17f
file type: EXE
Production company: Q币回收系统
version: 1.0.17.629---1.0.17.629
Shell or compiler information: COMPILER:Elan

Key behavior

Behavior description: Set special folder attributes
details: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\Administrator\Local Settings\History
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5
C:\Documents and Settings\Administrator\Cookies
C:\Documents and Settings\Administrator\IETldCache
Behavior description: Get TickCount value
details: TickCount = 219562, SleepMilliseconds = 250.

File behavior

Behavior description: Create file
details: C:\Documents and Settings\Administrator\Local Settings\%temp%\config.db
C:\Documents and Settings\Administrator\Local Settings\%temp%\update.exe
Behavior description: Create executable file
details: C:\Documents and Settings\Administrator\Local Settings\%temp%\update.exe
Behavior description: Modify file contents
details: C:\Documents and Settings\Administrator\Local Settings\%temp%\config.db ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\%temp%\update.exe ---> Offset = 0
Behavior description: Set special folder attributes
details: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\Administrator\Local Settings\History
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5
C:\Documents and Settings\Administrator\Cookies
C:\Documents and Settings\Administrator\IETldCache
Behavior description: Search for files
details: FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%\update.dat
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%\update.exe
FileName = C:\Documents and Settings
FileName = C:\Documents and Settings\Administrator
FileName = C:\Documents and Settings\Administrator\Local Settings
FileName = C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk\*.pbk
FileName = C:\WINDOWS\system32\Ras\*.pbk
FileName = C:\Documents and Settings\Administrator\Application Data\Microsoft\Network\Connections\Pbk\*.pbk
FileName = C:\Documents and Settings\Administrator\Local Settings\Temp
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%\update.tmp

Network behavior

Behavior description: Connect to specified site
details: WinHttpConnect: ServerName = qb****cn, PORT = 80, UserName = , Password = , hSession = 0x011c4000, hConnect = 0x011c4100, Flags = 0x00000000
Behavior description: Open HTTP connection
details: WinHttpOpen: UserAgent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2), hSession = 0x011c4000
Behavior description: Establish connection to a specified socket
details: URL: qb****cn, IP: **.133.40.**:80, SOCKET = 0x0000027c
Behavior description: Send HTTP packet
details: GET /index.php?s=/Admin/Public/softInfo.html HTTP/1.1
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://qb.dodk.cn/index.php?s=/Admin/Index/index.html
Accept-Language: zh-cn
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; BOIE9;ZHCN)
Connection: Keep-Alive
Cache-Control: no-cache
Accept-Encoding: gbk, GB2312
Host: qb****cn
Behavior description: Open HTTP request
details: WinHttpOpenRequest: qb****cn:80/index.php?s=/admin/public/softinfo.html, hConnect = 0x011c4100, hRequest = 0x01230000, Verb: GET, Referer: , Flags = 0x00000000
Behavior description: Get host address by name
details: GetAddrInfoW: qb****cn

Registry behavior

Behavior description: Modify registry
details: \REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
\REGISTRY\USER\S-*\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\Documents and Settings\Administrator\Local Settings\%temp%\update.exe
Behavior description: Delete registry key value
details: \REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL

Other behavior

Behavior description: Create mutex
details: CTF.LBES.MutexDefaultS-*
CTF.Compart.MutexDefaultS-*
CTF.Asm.MutexDefaultS-*
CTF.Layouts.MutexDefaultS-*
CTF.TMD.MutexDefaultS-*
CTF.TimListCache.FMPDefaultS-*MUTEX.DefaultS-*
QB_AB1573198_HS
Local\ZonesCounterMutex
Local\ZoneAttributeCacheCounterMutex
Local\ZonesCacheCounterMutex
Local\ZonesLockedCacheCounterMutex
Local\c:!documents and settings!administrator!ietldcache!
RasPbFile
Behavior description: Create event object
details: EventName = DINPUTWINMM
EventName = Global\userenv: User Profile setup event
Behavior description: Get TickCount value
details: TickCount = 219562, SleepMilliseconds = 250.
Behavior description: Adjust process token privileges
details: SE_LOAD_DRIVER_PRIVILEGE
Behavior description: Open event
details: HookSwitchHookEnabledEvent
\SECURITY\LSA_AUTHENTICATION_INITIALIZED
Global\SvcctrlStartEvent_A3752DX
\INSTALLATION_SECURITY_HOLD
_fCanRegisterWithShellService
Behavior description: Executable file signature information
details: C:\Documents and Settings\Administrator\Local Settings\%temp%\update.exe (signature verification: failed)
Behavior description: Call Sleep function
details: [1]: MilliSeconds = 250.
Behavior description: Executable file MD5
details: C:\Documents and Settings\Administrator\Local Settings\%temp%\update.exe ---> bca1c0b8af00e416af0b077dcd2586b1
Behavior description: Open mutex
details: ShimCacheMutex
Local\_!MSFTHISTORY!_
Local\c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Local\c:!documents and settings!administrator!cookies!
Local\c:!documents and settings!administrator!local settings!history!history.ie5!
Local\WininetStartupMutex
Local\WininetConnectionMutex
Local\WininetProxyRegistryMutex
Local\!IETld!Mutex
Local\c:!documents and settings!administrator!ietldcache!
RasPbFile

Run screenshot
