VirSCAN

File information
Security score: 50
Basic information
MD5: 32473be45ee452edb75d9c9794f54f2c
File type: zip
Publisher:
Version:
Packer/compiler info:
Sub-file information: QQwry.dat / 2c59cc67dc088a4a220ad3ede2031100 / Unknown
Gh0st2.3.exe / 4d93ea9f67739d64feeaa8e275206160 / EXE
HTTP.exe / 46702d8dd81752e4d2378db4f7d59773 / EXE
mstscax.dll / 625de62ea78b25f8ce804f5f7ede6d07 / DLL
FTPServer.exe / 3a81dc6f83f6ff671a5eac99fb215dbe / EXE
Install.dat / 2f6c683db482645197453deeab9532cb / EXE
mstsc.exe / fd98da40199391f549c988f3953e6ed1 / EXE
qq1.ico / c57c4363fd7aa7a711167f45f773220f / Unknown
qq.ico / 1864e729011a403d67fdc486bf25911a / Unknown
re.ICO / 86dc230c815b833be0e286caee98cc0b / Unknown
SkinH.dll / 205e3693cb24b95018eaee62af86ae03 / DLL
upx.exe / 701ea1fe6d0f6ecac9911be58c94a0f7 / EXE
DllMain.dll / 28fe481267a31336c369342482c61a8d / DLL
Exe.dat / 0bc20291d230230bf5351e30adc36a4e / EXE
aaa.ICO / e13fc0cda6f11e8d3e09291f35d65784 / Unknown
28.ico / 54849e769298aeda1edb2ce382062204 / Unknown
ss.ICO / 3627db4593f92c373941049958d13f81 / Unknown
ghmg44.ico / a5904876d475e4ffe297e35e2983a9fc / Unknown
ghmg23.ico / 9e9547247104d959d2354e2f15fec72e / Unknown
Key behaviors
Behavior: Blocks the window close message
Details: hWnd = 0x00020346, Text = 神农网络_远程管理系统 V_<Delicate_2.3>, ClassName = XTPMainFrame.
Behavior: Reads the CPU clock directly
Details: EAX = 0x3c288ab7, EDX = 0x000000ba
EAX = 0x3c288b03, EDX = 0x000000ba
EAX = 0x3c288b4f, EDX = 0x000000ba
EAX = 0x3c288b9b, EDX = 0x000000ba
EAX = 0x41635a54, EDX = 0x000000ba
EAX = 0x41635aa0, EDX = 0x000000ba
EAX = 0x41635aec, EDX = 0x000000ba
EAX = 0x41635b38, EDX = 0x000000ba
Behavior: Captures window screenshot information
Details: Foreground window Info: HWND = 0x0001035e, DC = 0x0a010375.
Foreground window Info: HWND = 0x0001035e, DC = 0x1101070c.
Foreground window Info: HWND = 0x0001035e, DC = 0x01010055.
Foreground window Info: HWND = 0x0001035c, DC = 0x1101070c.
Foreground window Info: HWND = 0x0001035c, DC = 0x0a010375.
Foreground window Info: HWND = 0x0001046a, DC = 0x1101070c.
Behavior: Gets the TickCount value
Details: TickCount = 287125, SleepMilliseconds = 60000.
TickCount = 287140, SleepMilliseconds = 60000.
TickCount = 287171, SleepMilliseconds = 60000.
TickCount = 287187, SleepMilliseconds = 60000.
TickCount = 287203, SleepMilliseconds = 60000.
TickCount = 287234, SleepMilliseconds = 60000.
TickCount = 287671, SleepMilliseconds = 60000.
TickCount = 287687, SleepMilliseconds = 60000.
Process behaviors
Behavior: Creates a local thread
Details: TargetProcess: Gh0st2.3.exe, InheritedFromPID = 2000, ProcessID = 1932, ThreadID = 504, StartAddress = 77DC845A, Parameter = 00000000
TargetProcess: Gh0st2.3.exe, InheritedFromPID = 2000, ProcessID = 1932, ThreadID = 360, StartAddress = 77E56C7D, Parameter = 001BC4A0
TargetProcess: Gh0st2.3.exe, InheritedFromPID = 2000, ProcessID = 1932, ThreadID = 1480, StartAddress = 769AE43B, Parameter = 001BAA20
TargetProcess: Gh0st2.3.exe, InheritedFromPID = 2000, ProcessID = 1932, ThreadID = 1908, StartAddress = 004921B2, Parameter = 021DEE60
TargetProcess: Gh0st2.3.exe, InheritedFromPID = 2000, ProcessID = 1932, ThreadID = 2032, StartAddress = 004921B2, Parameter = 0222F470
TargetProcess: Gh0st2.3.exe, InheritedFromPID = 2000, ProcessID = 1932, ThreadID = 1348, StartAddress = 004921B2, Parameter = 0222F4F8
TargetProcess: Gh0st2.3.exe, InheritedFromPID = 2000, ProcessID = 1932, ThreadID = 760, StartAddress = 004921B2, Parameter = 0222F580
TargetProcess: Gh0st2.3.exe, InheritedFromPID = 2000, ProcessID = 1932, ThreadID = 1452, StartAddress = 004921B2, Parameter = 0222F608
TargetProcess: Gh0st2.3.exe, InheritedFromPID = 2000, ProcessID = 1932, ThreadID = 1356, StartAddress = 004921B2, Parameter = 0222F690
TargetProcess: Gh0st2.3.exe, InheritedFromPID = 2000, ProcessID = 1932, ThreadID = 1416, StartAddress = 004921B2, Parameter = 0222F718
Network behaviors
Behavior: Resolves a host address by name
Details: gethostbyname: computer
Registry behaviors
Behavior: Modifies the registry
Details: \REGISTRY\USER\S-*\Software\Microsoft\Multimedia\DrawDib\vga.drv 1920x973x32(BGR 0)
\REGISTRY\USER\S-*\Software\Local AppWizard-Generated Applications\Gh0st\CommandBars-Options\Schema
\REGISTRY\USER\S-*\Software\Local AppWizard-Generated Applications\Gh0st\CommandBars-Options\AlwaysShowFullMenus
\REGISTRY\USER\S-*\Software\Local AppWizard-Generated Applications\Gh0st\CommandBars-Options\ShowFullAfterDelay
\REGISTRY\USER\S-*\Software\Local AppWizard-Generated Applications\Gh0st\CommandBars-Options\ToolBarScreenTips
\REGISTRY\USER\S-*\Software\Local AppWizard-Generated Applications\Gh0st\CommandBars-Options\ToolBarAccelTips
\REGISTRY\USER\S-*\Software\Local AppWizard-Generated Applications\Gh0st\CommandBars-Options\LargeIcons
\REGISTRY\USER\S-*\Software\Local AppWizard-Generated Applications\Gh0st\CommandBars-Options\Animation
\REGISTRY\USER\S-*\Software\Local AppWizard-Generated Applications\Gh0st\CommandBars-Summary\Bars
\REGISTRY\USER\S-*\Software\Local AppWizard-Generated Applications\Gh0st\CommandBars-Summary\ScreenCX
\REGISTRY\USER\S-*\Software\Local AppWizard-Generated Applications\Gh0st\CommandBars-Summary\ScreenCY
\REGISTRY\USER\S-*\Software\Local AppWizard-Generated Applications\Gh0st\CommandBars-Controls\Controls
\REGISTRY\USER\S-*\Software\Local AppWizard-Generated Applications\Gh0st\CommandBars-Controls\LoadFromFile
Behavior: Deletes a registry key
Details: \REGISTRY\USER\S-*\Software\Local AppWizard-Generated Applications\Gh0st\Recent File List\
Behavior: Deletes a registry value
Details: \REGISTRY\USER\S-*\Software\Local AppWizard-Generated Applications\Gh0st\CommandBars\StatusBar
Other behaviors
Behavior: Creates a mutex
Details: CTF.LBES.MutexDefaultS-*
CTF.Compart.MutexDefaultS-*
CTF.Asm.MutexDefaultS-*
CTF.Layouts.MutexDefaultS-*
CTF.TMD.MutexDefaultS-*
CTF.TimListCache.FMPDefaultS-*MUTEX.DefaultS-*
MSCTF.Shared.MUTEX.IOH
MSCTF.Shared.MUTEX.AJH
Behavior: Creates an event object
Details: EventName = DINPUTWINMM
EventName = MSCTF.SendReceive.Event.AJH.IC
EventName = MSCTF.SendReceiveConection.Event.AJH.IC
Behavior: Opens a mutex
Details: ShimCacheMutex
Behavior: Finds a specified window
Details: NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]
NtUserFindWindowEx: [Class,Window] = [,]
NtUserFindWindowEx: [Class,Window] = [CicLoaderWndClass,]
NtUserFindWindowEx: [Class,Window] = [MS_WINHELP,]
Behavior: Opens an event
Details: HookSwitchHookEnabledEvent
CTF.ThreadMIConnectionEvent.000007E8.00000000.00000010
CTF.ThreadMarshalInterfaceEvent.000007E8.00000000.00000010
MSCTF.SendReceiveConection.Event.IOH.IC
MSCTF.SendReceive.Event.IOH.IC
MSFT.VSA.COM.DISABLE.1932
MSFT.VSA.IEC.STATUS.6c736db0
Behavior: Gets the TickCount value
Details: TickCount = 287125, SleepMilliseconds = 60000.
TickCount = 287140, SleepMilliseconds = 60000.
TickCount = 287171, SleepMilliseconds = 60000.
TickCount = 287187, SleepMilliseconds = 60000.
TickCount = 287203, SleepMilliseconds = 60000.
TickCount = 287234, SleepMilliseconds = 60000.
TickCount = 287671, SleepMilliseconds = 60000.
TickCount = 287687, SleepMilliseconds = 60000.
Behavior: Gets the cursor position
Details: CursorPos = (80,18468), SleepMilliseconds = 60000.
CursorPos = (6373,26501), SleepMilliseconds = 60000.
CursorPos = (19208,15725), SleepMilliseconds = 60000.
CursorPos = (11517,29359), SleepMilliseconds = 60000.
CursorPos = (27001,24465), SleepMilliseconds = 60000.
CursorPos = (5744,28146), SleepMilliseconds = 60000.
CursorPos = (23320,16828), SleepMilliseconds = 60000.
CursorPos = (10000,492), SleepMilliseconds = 60000.
CursorPos = (3034,11943), SleepMilliseconds = 60000.
CursorPos = (4866,5437), SleepMilliseconds = 60000.
CursorPos = (32430,14605), SleepMilliseconds = 60000.
CursorPos = (3941,154), SleepMilliseconds = 60000.
CursorPos = (331,12383), SleepMilliseconds = 60000.
CursorPos = (17460,18717), SleepMilliseconds = 60000.
CursorPos = (19757,19896), SleepMilliseconds = 60000.
Behavior: Blocks the window close message
Details: hWnd = 0x00020346, Text = 神农网络_远程管理系统 V_<Delicate_2.3>, ClassName = XTPMainFrame.
Behavior: Window information
Details: Pid = 1932, Hwnd=0x10346, Text = Progress1, ClassName = msctls_progress32.
Pid = 1932, Hwnd=0x103a4, Text = 希网3322域名IP更新, ClassName = Button(GroupBox).
Pid = 1932, Hwnd=0x103a6, Text = 账号:, ClassName = Static.
Pid = 1932, Hwnd=0x103a8, Text = admin, ClassName = Edit.
Pid = 1932, Hwnd=0x103aa, Text = 密码:, ClassName = Static.
Pid = 1932, Hwnd=0x103ae, Text = 域名:, ClassName = Static.
Pid = 1932, Hwnd=0x103b0, Text = IP地址:, ClassName = Static.
Pid = 1932, Hwnd=0x103b2, Text = xxx.3322.org, ClassName = Edit.
Pid = 1932, Hwnd=0x103b4, Text = 更新, ClassName = Button.
Pid = 1932, Hwnd=0x103b8, Text = 取外网IP, ClassName = Button.
Pid = 1932, Hwnd=0x103ba, Text = 花生壳域名IP更新, ClassName = Button(GroupBox).
Pid = 1932, Hwnd=0x103bc, Text = 账号:, ClassName = Static.
Pid = 1932, Hwnd=0x103be, Text = admin, ClassName = Edit.
Pid = 1932, Hwnd=0x103c0, Text = 密码:, ClassName = Static.
Pid = 1932, Hwnd=0x103c4, Text = 域名:, ClassName = Static.
Behavior: Captures window screenshot information
Details: Foreground window Info: HWND = 0x0001035e, DC = 0x0a010375.
Foreground window Info: HWND = 0x0001035e, DC = 0x1101070c.
Foreground window Info: HWND = 0x0001035e, DC = 0x01010055.
Foreground window Info: HWND = 0x0001035c, DC = 0x1101070c.
Foreground window Info: HWND = 0x0001035c, DC = 0x0a010375.
Foreground window Info: HWND = 0x0001046a, DC = 0x1101070c.
Behavior: Calls the Sleep function
Details: [1]: MilliSeconds = 60000.
[2]: MilliSeconds = 100.
[3]: MilliSeconds = 100.
[4]: MilliSeconds = 100.
[5]: MilliSeconds = 100.
[6]: MilliSeconds = 100.
[7]: MilliSeconds = 100.
[8]: MilliSeconds = 0.
Behavior: Hides a specified window
Details: [Window,Class] = [,SysListView32]
[Window,Class] = [,ComboLBox]
[Window,Class] = [神农网络_远程管理系统 V_<Delicate_2.3>,XTPMainFrame]
Behavior: Reads the CPU clock directly
Details: EAX = 0x3c288ab7, EDX = 0x000000ba
EAX = 0x3c288b03, EDX = 0x000000ba
EAX = 0x3c288b4f, EDX = 0x000000ba
EAX = 0x3c288b9b, EDX = 0x000000ba
EAX = 0x41635a54, EDX = 0x000000ba
EAX = 0x41635aa0, EDX = 0x000000ba
EAX = 0x41635aec, EDX = 0x000000ba
EAX = 0x41635b38, EDX = 0x000000ba
Runtime screenshot