VirSCAN

1. You can upload any file, but there is a 20 MB limit per file.
2. VirSCAN supports RAR/ZIP decompression, but the archive must contain fewer than 20 files.
3. VirSCAN can scan password-protected archives whose password is 'infected' or 'virus'.


File information
Safety rating: 80
Behavior list
Basic Information
MD5: 2828806ac53eaa9890afdb502f4357a7
File type: Nsis
Production company:
Version:
Shell or compiler information: COMPILER:NSIS
Subfile information:
icudt54.dll / big file / DLL
vcredist_x86.exe / big file / Cab
Qt5Gui.dll / 02737d896f2ce36fa8df30435a1ad313 / DLL
Qt5Core.dll / d6b239d2b8a022226716ffa606094f5d / DLL
Qt5Widgets.dll / 2ff65eb0669728e99448cee07497e1fe / DLL
sqlitebrowser.exe / 4c0fccf7c848d7efeb03c4d8d385dce4 / EXE
icuin54.dll / 691ae05799f458b777bd8b7378c51738 / DLL
icuuc54.dll / 4575c9d1b2c51a545d1075bb9e6f4691 / DLL
libeay32.dll / 47ca4bfc26537b3b5512b11b6f86cea8 / DLL
qwindows.dll / c8a87b360b6fb0c3754ee6f0b3f353cb / DLL
Qt5Network.dll / c6e586373ef7f9118ac7c0cdfef12971 / DLL
sqlite3.dll / 8a818a700cc51af4187d54b6e10188dc / DLL
ssleay32.dll / 484d1cd13ac86594e271f7bce6409c02 / DLL
Qt5PrintSupport.dll / 8a083b11b34089f8159f4c37be4e25cc / DLL
modern-header.bmp / 81ba8530f35a47588e0c17dc3e48cce6 / Unknown
modern-wizard.bmp / cbe40fd2b1ec96daedc65da172d90022 / Unknown
InstallOptions.dll / eee2912bd1ee421cf1f1dfb1cc327d97 / DLL
[NSIS].nsi / 0ef6b59d3a48287580e30d4e397f4ae0 / Unknown
StartMenu.dll / 5831d36066b6daf42fbf2ab1773308c8 / DLL
Key behavior
Behavior description: Open registry key (virtual machine detection related)
details:\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Oracle VM VirtualBox Guest Additions
Behavior description: Block window close message
details:hWnd = 0x000b02d8, Text = DB Browser for SQLite 安装 , ClassName = #32770.
Behavior description: Get TickCount value
details:TickCount = 1172531, SleepMilliseconds = 60000.
TickCount = 1172546, SleepMilliseconds = 60000.
TickCount = 1172578, SleepMilliseconds = 60000.
TickCount = 1172593, SleepMilliseconds = 60000.
TickCount = 1172843, SleepMilliseconds = 60000.
TickCount = 1172937, SleepMilliseconds = 60000.
TickCount = 1173156, SleepMilliseconds = 60000.
TickCount = 1173359, SleepMilliseconds = 60000.
TickCount = 1173468, SleepMilliseconds = 60000.
TickCount = 1173656, SleepMilliseconds = 60000.
TickCount = 1173734, SleepMilliseconds = 60000.
TickCount = 1173750, SleepMilliseconds = 60000.
TickCount = 1173781, SleepMilliseconds = 60000.
TickCount = 1173796, SleepMilliseconds = 60000.
TickCount = 1173812, SleepMilliseconds = 60000.
Behavior description: Modify registry (startup entry)
details:\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\{f65db027-aff3-4070-886a-0d87064aabb1}
Process behavior
Behavior description: Create process with hidden window
details:ImagePath = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\{f65db027-aff3-4070-886a-0d87064aabb1}\.be\vcredist_x86.exe, CmdLine = "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\{f65db027-aff3-4070-886a-0d87064aabb1}\.be\vcredist_x86.exe" -q -burn.elevated BurnPipe.{B4F930AA-1D6A-435D-97B6-5D9960CAEB39} {99B75A86-73D4-4D22-A4D3-9B4DC3746162} 1408
Behavior description: Create local thread
details:TargetProcess: %temp%\****.exe, InheritedFromPID = 1944, ProcessID = 3576, ThreadID = 3732, StartAddress = 7C947EBB, Parameter = 00000000
TargetProcess: %temp%\****.exe, InheritedFromPID = 1944, ProcessID = 3576, ThreadID = 3736, StartAddress = 7C930230, Parameter = 00000000
TargetProcess: %temp%\****.exe, InheritedFromPID = 1944, ProcessID = 3576, ThreadID = 3948, StartAddress = 00404F35, Parameter = 00050366
TargetProcess: vcredist_x86.exe, InheritedFromPID = 3576, ProcessID = 1408, ThreadID = 392, StartAddress = 77DC845A, Parameter = 00000000
TargetProcess: vcredist_x86.exe, InheritedFromPID = 3576, ProcessID = 1408, ThreadID = 1584, StartAddress = 00426231, Parameter = 0012F874
TargetProcess: vcredist_x86.exe, InheritedFromPID = 3576, ProcessID = 1408, ThreadID = 1952, StartAddress = 00411377, Parameter = 0012F8A8
TargetProcess: vcredist_x86.exe, InheritedFromPID = 3576, ProcessID = 1408, ThreadID = 1588, StartAddress = 10003F64, Parameter = 016E3D70
TargetProcess: vcredist_x86.exe, InheritedFromPID = 1408, ProcessID = 460, ThreadID = 388, StartAddress = 77DC845A, Parameter = 00000000
TargetProcess: vcredist_x86.exe, InheritedFromPID = 1408, ProcessID = 460, ThreadID = 1536, StartAddress = 00426231, Parameter = 0012F874
TargetProcess: vcredist_x86.exe, InheritedFromPID = 1408, ProcessID = 460, ThreadID = 1472, StartAddress = 00411377, Parameter = 0012F8A4
TargetProcess: vcredist_x86.exe, InheritedFromPID = 1408, ProcessID = 460, ThreadID = 716, StartAddress = 00410E3A, Parameter = 0012F838
TargetProcess: vcredist_x86.exe, InheritedFromPID = 1408, ProcessID = 460, ThreadID = 1268, StartAddress = 77E56C7D, Parameter = 001B3D10
TargetProcess: vcredist_x86.exe, InheritedFromPID = 1408, ProcessID = 460, ThreadID = 876, StartAddress = 769AE43B, Parameter = 001B2FA0
TargetProcess: vcredist_x86.exe, InheritedFromPID = 3576, ProcessID = 1408, ThreadID = 572, StartAddress = 0040C157, Parameter = 0012F850
TargetProcess: vcredist_x86.exe, InheritedFromPID = 3576, ProcessID = 1408, ThreadID = 1608, StartAddress = 00426231, Parameter = 025DFEC4
Behavior description: Create process from newly written file
details:ImagePath = C:\Program Files\SqliteBrowser3\tmp\vcredist_x86.exe, CmdLine = "C:\Program Files\SqliteBrowser3\tmp\vcredist_x86.exe" /install /passive /quiet
ImagePath = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\{f65db027-aff3-4070-886a-0d87064aabb1}\.be\vcredist_x86.exe, CmdLine = "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\{f65db027-aff3-4070-886a-0d87064aabb1}\.be\vcredist_x86.exe" -q -burn.elevated BurnPipe.{B4F930AA-1D6A-435D-97B6-5D9960CAEB39} {99B75A86-73D4-4D22-A4D3-9B4DC3746162} 1408
File behavior
Behavior description: Create file
details:C:\Documents and Settings\Administrator\Local Settings\Temp\nsj13.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\nsu14.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\nsu14.tmp\UserInfo.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\nsu14.tmp\ioSpecial.ini
C:\Documents and Settings\Administrator\Local Settings\Temp\nsu14.tmp\modern-wizard.bmp
C:\Documents and Settings\Administrator\Local Settings\Temp\nsu14.tmp\modern-header.bmp
C:\Documents and Settings\Administrator\Local Settings\Temp\nsu14.tmp\InstallOptions.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\nsu14.tmp\StartMenu.dll
C:\Program Files\SqliteBrowser3\bin\Qt5Core.dll
C:\Program Files\SqliteBrowser3\bin\Qt5Gui.dll
C:\Program Files\SqliteBrowser3\bin\Qt5Network.dll
C:\Program Files\SqliteBrowser3\bin\Qt5PrintSupport.dll
C:\Program Files\SqliteBrowser3\bin\Qt5Widgets.dll
C:\Program Files\SqliteBrowser3\bin\icudt54.dll
C:\Program Files\SqliteBrowser3\bin\icuin54.dll
Behavior description: Drop links or shortcuts in sensitive system locations (such as the Start Menu)
details:C:\Documents and Settings\All Users\「开始」菜单\程序\DB Browser for SQLite\SqliteBrowser.lnk
C:\Documents and Settings\All Users\「开始」菜单\程序\DB Browser for SQLite\Uninstall.lnk
Behavior description: Create executable file
details:C:\Documents and Settings\Administrator\Local Settings\Temp\nsu14.tmp\UserInfo.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\nsu14.tmp\InstallOptions.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\nsu14.tmp\StartMenu.dll
C:\Program Files\SqliteBrowser3\bin\Qt5Core.dll
C:\Program Files\SqliteBrowser3\bin\Qt5Gui.dll
C:\Program Files\SqliteBrowser3\bin\Qt5Network.dll
C:\Program Files\SqliteBrowser3\bin\Qt5PrintSupport.dll
C:\Program Files\SqliteBrowser3\bin\Qt5Widgets.dll
C:\Program Files\SqliteBrowser3\bin\icudt54.dll
C:\Program Files\SqliteBrowser3\bin\icuin54.dll
C:\Program Files\SqliteBrowser3\bin\icuuc54.dll
C:\Program Files\SqliteBrowser3\bin\libeay32.dll
C:\Program Files\SqliteBrowser3\bin\sqlite3.dll
C:\Program Files\SqliteBrowser3\bin\sqlitebrowser.exe
C:\Program Files\SqliteBrowser3\bin\ssleay32.dll
Behavior description: Overwrite existing file
details:C:\Documents and Settings\All Users\Application Data\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\state.rsm
Behavior description: Copy file
details:C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\{f65db027-aff3-4070-886a-0d87064aabb1}\.be\vcredist_x86.exe ---> C:\Documents and Settings\All Users\Application Data\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\vcredist_x86.exe
Behavior description: Delete file
details:C:\Documents and Settings\Administrator\Local Settings\Temp\nsj13.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\nsu14.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\{f65db027-aff3-4070-886a-0d87064aabb1}\.ba1\BootstrapperApplicationData.xml
C:\Documents and Settings\Administrator\Local Settings\Temp\{f65db027-aff3-4070-886a-0d87064aabb1}\.ba1\license.rtf
C:\Documents and Settings\Administrator\Local Settings\Temp\{f65db027-aff3-4070-886a-0d87064aabb1}\.ba1\logo.png
C:\Documents and Settings\Administrator\Local Settings\Temp\{f65db027-aff3-4070-886a-0d87064aabb1}\.ba1\thm.wxl
C:\Documents and Settings\Administrator\Local Settings\Temp\{f65db027-aff3-4070-886a-0d87064aabb1}\.ba1\thm.xml
C:\Documents and Settings\Administrator\Local Settings\Temp\{f65db027-aff3-4070-886a-0d87064aabb1}\.ba1\wixstdba.dll
Behavior description: Search for file
details:FileName = C:\Documents and Settings
FileName = C:\Documents and Settings\Administrator
FileName = C:\Documents and Settings\Administrator\Local Settings
FileName = C:\Documents and Settings\Administrator\Local Settings\Temp
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsu14.tmp
FileName = C:\Program Files\SqliteBrowser3
FileName = C:\Program Files
FileName = C:\Documents and Settings\All Users
FileName = C:\Documents and Settings\All Users\「开始」菜单
FileName = C:\Documents and Settings\All Users\「开始」菜单\程序
FileName = C:\Documents and Settings\All Users\「开始」菜单\程序\*.*
FileName = C:\Documents and Settings\Administrator\「开始」菜单
FileName = C:\Documents and Settings\Administrator\「开始」菜单\程序
FileName = C:\Documents and Settings\Administrator\「开始」菜单\程序\*.*
Behavior description: Rename file
details:C:\Documents and Settings\Administrator\Local Settings\Temp\{f65db027-aff3-4070-886a-0d87064aabb1}\vcRuntimeMinimum_x86 ---> C:\Documents and Settings\All Users\Application Data\Package Cache\.unverified\vcRuntimeMinimum_x86
C:\Documents and Settings\All Users\Application Data\Package Cache\.unverified\vcRuntimeMinimum_x86 ---> C:\Documents and Settings\All Users\Application Data\Package Cache\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\packages\vcRuntimeMinimum_x86\vc_runtimeMinimum_x86.msi
C:\Documents and Settings\Administrator\Local Settings\Temp\{f65db027-aff3-4070-886a-0d87064aabb1}\cab54A5CABBE7274D8A22EB58060AAB7623 ---> C:\Documents and Settings\All Users\Application Data\Package Cache\.unverified\cab54A5CABBE7274D8A22EB58060AAB7623
C:\Documents and Settings\All Users\Application Data\Package Cache\.unverified\cab54A5CABBE7274D8A22EB58060AAB7623 ---> C:\Documents and Settings\All Users\Application Data\Package Cache\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\packages\vcRuntimeMinimum_x86\cab1.cab
C:\Documents and Settings\Administrator\Local Settings\Temp\{f65db027-aff3-4070-886a-0d87064aabb1}\vcRuntimeAdditional_x86 ---> C:\Documents and Settings\All Users\Application Data\Package Cache\.unverified\vcRuntimeAdditional_x86
C:\Documents and Settings\All Users\Application Data\Package Cache\.unverified\vcRuntimeAdditional_x86 ---> C:\Documents and Settings\All Users\Application Data\Package Cache\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\packages\vcRuntimeAdditional_x86\vc_runtimeAdditional_x86.msi
C:\Documents and Settings\Administrator\Local Settings\Temp\{f65db027-aff3-4070-886a-0d87064aabb1}\cabB3E1576D1FEFBB979E13B1A5379E0B16 ---> C:\Documents and Settings\All Users\Application Data\Package Cache\.unverified\cabB3E1576D1FEFBB979E13B1A5379E0B16
C:\Documents and Settings\All Users\Application Data\Package Cache\.unverified\cabB3E1576D1FEFBB979E13B1A5379E0B16 ---> C:\Documents and Settings\All Users\Application Data\Package Cache\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\packages\vcRuntimeAdditional_x86\cab1.cab
C:\Documents and Settings\Administrator\Local Settings\Temp\{f65db027-aff3-4070-886a-0d87064aabb1}\.be\vcredist_x86.exe ---> C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\DEL1C.tmp
Behavior description: Modify file contents
details:C:\Documents and Settings\Administrator\Local Settings\Temp\nsu14.tmp\UserInfo.dll ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\nsu14.tmp\ioSpecial.ini ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\nsu14.tmp\ioSpecial.ini ---> Offset = 36
C:\Documents and Settings\Administrator\Local Settings\Temp\nsu14.tmp\modern-wizard.bmp ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\nsu14.tmp\ioSpecial.ini ---> Offset = 124
C:\Documents and Settings\Administrator\Local Settings\Temp\nsu14.tmp\modern-header.bmp ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\nsu14.tmp\modern-header.bmp ---> Offset = 32768
C:\Documents and Settings\Administrator\Local Settings\Temp\nsu14.tmp\modern-header.bmp ---> Offset = 65536
C:\Documents and Settings\Administrator\Local Settings\Temp\nsu14.tmp\ioSpecial.ini ---> Offset = 33
C:\Documents and Settings\Administrator\Local Settings\Temp\nsu14.tmp\ioSpecial.ini ---> Offset = 43
C:\Documents and Settings\Administrator\Local Settings\Temp\nsu14.tmp\ioSpecial.ini ---> Offset = 60
C:\Documents and Settings\Administrator\Local Settings\Temp\nsu14.tmp\ioSpecial.ini ---> Offset = 278
C:\Documents and Settings\Administrator\Local Settings\Temp\nsu14.tmp\ioSpecial.ini ---> Offset = 324
C:\Documents and Settings\Administrator\Local Settings\Temp\nsu14.tmp\ioSpecial.ini ---> Offset = 379
C:\Documents and Settings\Administrator\Local Settings\Temp\nsu14.tmp\ioSpecial.ini ---> Offset = 387
Network behavior
Behavior description: Connect to specified site
details:WinHttpConnect: ServerName = cr****om, PORT = 80, UserName = , Password = , hSession = 0x02682000, hConnect = 0x02682100, Flags = 0x00000000
Behavior description: Open HTTP connection
details:WinHttpOpen: UserAgent: Microsoft-CryptoAPI/5.131.2600.5512, hSession = 0x02682000
Behavior description: Establish connection to a specified socket
details:URL: w****., IP: **.133.40.**:80, SOCKET = 0x00000500
URL: w****., IP: **.133.40.**:80, SOCKET = 0x00000510
URL: cr****om, IP: **.133.40.**:80, SOCKET = 0x00000508
URL: w****., IP: **.133.40.**:80, SOCKET = 0x00000450
URL: w****., IP: **.133.40.**:80, SOCKET = 0x0000050c
URL: cr****om, IP: **.133.40.**:80, SOCKET = 0x00000450
Behavior description: Send HTTP packet
details:GET /wpad.dat HTTP/1.1 Accept: */* User-Agent: Microsoft-CryptoAPI/5.131.2600.5512 Host: **.133.40.** Connection: Keep-Alive
GET /pki/crl/products/microsoftrootcert.crl HTTP/1.1 Accept: */* User-Agent: Microsoft-CryptoAPI/5.131.2600.5512 Host: cr****om Connection: Keep-Alive Cache-Control: no-cache Pragma: no-cache
GET /pki/crl/products/MicCodSigPCA_08-31-2010.crl HTTP/1.1 Accept: */* User-Agent: Microsoft-CryptoAPI/5.131.2600.5512 Host: cr****om Connection: Keep-Alive Cache-Control: no-cache Pragma: no-cache
GET /pki/crl/products/MicrosoftTimeStampPCA.crl HTTP/1.1 Accept: */* User-Agent: Microsoft-CryptoAPI/5.131.2600.5512 Host: cr****om Connection: Keep-Alive Cache-Control: no-cache Pragma: no-cache
Behavior description: Open HTTP request
details:WinHttpOpenRequest: cr****om:80/pki/crl/products/microsoftrootcert.crl, hConnect = 0x02682100, hRequest = 0x026f0000, Verb: GET, Referer: , Flags = 0x00000100
WinHttpOpenRequest: cr****om:80/pki/crl/products/miccodsigpca_08-31-2010.crl, hConnect = 0x02682100, hRequest = 0x026f0000, Verb: GET, Referer: , Flags = 0x00000100
WinHttpOpenRequest: cr****om:80/pki/crl/products/microsofttimestamppca.crl, hConnect = 0x02682100, hRequest = 0x026f0000, Verb: GET, Referer: , Flags = 0x00000100
Behavior description: Resolve host address by name
details:gethostbyname: w****.
GetAddrInfoW: cr****om
Registry behavior
Behavior description: Modify registry
details:\REGISTRY\MACHINE\SOFTWARE\oldsch00l\SqliteBrowser3\
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SqliteBrowser3\DisplayName
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SqliteBrowser3\DisplayVersion
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SqliteBrowser3\Publisher
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SqliteBrowser3\UninstallString
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SqliteBrowser3\NoRepair
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SqliteBrowser3\NoModify
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SqliteBrowser3\DisplayIcon
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SqliteBrowser3\HelpLink
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SqliteBrowser3\URLInfoAbout
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SqliteBrowser3\Contact
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SqliteBrowser3\StartMenu
\REGISTRY\MACHINE\SOFTWARE\oldsch00l\SqliteBrowser3\Start Menu Folder
\REGISTRY\USER\S-*\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\{f65db027-aff3-4070-886a-0d87064aabb1}\.be\vcredist_x86.exe
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{f65db027-aff3-4070-886a-0d87064aabb1}\BundleCachePath
Behavior description: Modify registry (pending file rename entry)
details:\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\Session Manager\PendingFileRenameOperations
Behavior description: Open registry key (virtual machine detection related)
details:\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Oracle VM VirtualBox Guest Additions
Behavior description: Delete registry value
details:\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{f65db027-aff3-4070-886a-0d87064aabb1}\Dependents\{f65db027-aff3-4070-886a-0d87064aabb1}\MinVersion
\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{f65db027-aff3-4070-886a-0d87064aabb1}\Dependents\{f65db027-aff3-4070-886a-0d87064aabb1}\MaxVersion
\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_x86,v12\Dependents\{f65db027-aff3-4070-886a-0d87064aabb1}\MinVersion
\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_x86,v12\Dependents\{f65db027-aff3-4070-886a-0d87064aabb1}\MaxVersion
\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_x86,v12\Dependents\{f65db027-aff3-4070-886a-0d87064aabb1}\MinVersion
\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_x86,v12\Dependents\{f65db027-aff3-4070-886a-0d87064aabb1}\MaxVersion
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\{f65db027-aff3-4070-886a-0d87064aabb1}
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{f65db027-aff3-4070-886a-0d87064aabb1}\BundleResumeCommandLine
Behavior description: Modify registry (startup entry)
details:\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\{f65db027-aff3-4070-886a-0d87064aabb1}
Other behavior
Behavior description: Create mutex
details:CTF.LBES.MutexDefaultS-*
CTF.Compart.MutexDefaultS-*
CTF.Asm.MutexDefaultS-*
CTF.Layouts.MutexDefaultS-*
CTF.TMD.MutexDefaultS-*
CTF.TimListCache.FMPDefaultS-*MUTEX.DefaultS-*
MSCTF.Shared.MUTEX.ELH
MSCTF.Shared.MUTEX.MPN
Local\ZonesCounterMutex
Local\ZoneAttributeCacheCounterMutex
Local\ZonesCacheCounterMutex
Local\ZonesLockedCacheCounterMutex
_SHuassist.mtx
WBEMPROVIDERSTATICMUTEX
Global\WindowsUpdateTracingMutex
Behavior description: Hide specified window
details:[Window,Class] = [,Button]
[Window,Class] = [Nullsoft Install System v3.0b1,Static]
[Window,Class] = [Nullsoft Install System v3.0b1 ,Static]
[Window,Class] = [,Static]
[Window,Class] = [,Auto-Suggest Dropdown]
[Window,Class] = [显示细节(&D),Button]
[Window,Class] = [安装完成,Static]
[Window,Class] = [安装程序已成功地运行完成。,Static]
Behavior description: Find specified window
details:NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]
NtUserFindWindowEx: [Class,Window] = [#32770,]
NtUserFindWindowEx: [Class,Window] = [CicLoaderWndClass,]
NtUserFindWindowEx: [Class,Window] = [OleMainThreadWndClass,]
Behavior description: Window information
details:Pid = 3576, Hwnd=0xa0302, Text = 下一步(&N) >, ClassName = Button.
Pid = 3576, Hwnd=0x6034e, Text = 取消(&C), ClassName = Button.
Pid = 3576, Hwnd=0x4036c, Text = Nullsoft Install System v3.0b1 , ClassName = Static.
Pid = 3576, Hwnd=0x6035e, Text = Nullsoft Install System v3.0b1, ClassName = Static.
Pid = 3576, Hwnd=0xb02b0, Text = 欢迎使用 DB Browser for SQLite 安装向导, ClassName = Static.
Pid = 3576, Hwnd=0xa0322, Text = 这个向导将指引你完成 DB Browser for SQLite 的安装进程。 在开始安装之前,建议先关闭其他所有应用程序。这将允许“安装程序”更新指, ClassName = Static.
Pid = 3576, Hwnd=0xb02d8, Text = DB Browser for SQLite 安装, ClassName = #32770.
Pid = 3576, Hwnd=0xe031e, Text = < 上一步(&P), ClassName = Button.
Pid = 3576, Hwnd=0xa0302, Text = 我接受(&I), ClassName = Button.
Pid = 3576, Hwnd=0x4036a, Text = 许可证协议, ClassName = Static.
Pid = 3576, Hwnd=0x6034a, Text = 在安装 DB Browser for SQLite 之前,请检阅授权条款。, ClassName = Static.
Pid = 3576, Hwnd=0xb0322, Text = 检阅协议的其余部分,按 [PgDn] 往下卷动页面。, ClassName = Static.
Pid = 3576, Hwnd=0xc02b0, Text = DB Browser for SQLite is bi-licensed under the Mozilla Public License Version 2, as well as the GNU General Public License Versi, ClassName = RichEdit20A.
Pid = 3576, Hwnd=0x70362, Text = 如果你接受协议中的条款,单击 [我同意(I)] 继续安装。必须要接受协议才能安装 DB Browser for SQLite 。, ClassName = Static.
Pid = 3576, Hwnd=0x4036a, Text = 选定安装位置, ClassName = Static.
Behavior description: Get TickCount value
details:TickCount = 1172531, SleepMilliseconds = 60000.
TickCount = 1172546, SleepMilliseconds = 60000.
TickCount = 1172578, SleepMilliseconds = 60000.
TickCount = 1172593, SleepMilliseconds = 60000.
TickCount = 1172843, SleepMilliseconds = 60000.
TickCount = 1172937, SleepMilliseconds = 60000.
TickCount = 1173156, SleepMilliseconds = 60000.
TickCount = 1173359, SleepMilliseconds = 60000.
TickCount = 1173468, SleepMilliseconds = 60000.
TickCount = 1173656, SleepMilliseconds = 60000.
TickCount = 1173734, SleepMilliseconds = 60000.
TickCount = 1173750, SleepMilliseconds = 60000.
TickCount = 1173781, SleepMilliseconds = 60000.
TickCount = 1173796, SleepMilliseconds = 60000.
TickCount = 1173812, SleepMilliseconds = 60000.
Behavior description: Adjust process token privileges
details:SE_LOAD_DRIVER_PRIVILEGE
SE_SHUTDOWN_PRIVILEGE
SE_INCREASE_QUOTA_PRIVILEGE
SE_CREATE_TOKEN_PRIVILEGE
Behavior description: Block window close message
details:hWnd = 0x000b02d8, Text = DB Browser for SQLite 安装 , ClassName = #32770.
Behavior description: Open event
details:HookSwitchHookEnabledEvent
_fCanRegisterWithShellService
\SECURITY\LSA_AUTHENTICATION_INITIALIZED
CTF.ThreadMIConnectionEvent.000007B4.00000000.00000028
CTF.ThreadMarshalInterfaceEvent.000007B4.00000000.00000028
MSCTF.SendReceiveConection.Event.ELH.IC
MSCTF.SendReceive.Event.ELH.IC
CTF.ThreadMIConnectionEvent.000007B4.00000000.0000002A
CTF.ThreadMarshalInterfaceEvent.000007B4.00000000.0000002A
Global\crypt32LogoffEvent
CTF.ThreadMIConnectionEvent.000007B4.00000000.0000002B
CTF.ThreadMarshalInterfaceEvent.000007B4.00000000.0000002B
CTF.ThreadMIConnectionEvent.000007B4.00000000.0000002C
CTF.ThreadMarshalInterfaceEvent.000007B4.00000000.0000002C
MSFT.VSA.COM.DISABLE.460
Behavior description: Executable file signature information
details:C:\Documents and Settings\Administrator\Local Settings\Temp\nsu14.tmp\UserInfo.dll (signature verification: failed)
C:\Documents and Settings\Administrator\Local Settings\Temp\nsu14.tmp\InstallOptions.dll (signature verification: failed)
C:\Documents and Settings\Administrator\Local Settings\Temp\nsu14.tmp\StartMenu.dll (signature verification: failed)
C:\Program Files\SqliteBrowser3\bin\Qt5Core.dll (signature verification: failed)
C:\Program Files\SqliteBrowser3\bin\Qt5Gui.dll (signature verification: failed)
C:\Program Files\SqliteBrowser3\bin\Qt5Network.dll (signature verification: failed)
C:\Program Files\SqliteBrowser3\bin\Qt5PrintSupport.dll (signature verification: failed)
C:\Program Files\SqliteBrowser3\bin\Qt5Widgets.dll (signature verification: failed)
C:\Program Files\SqliteBrowser3\bin\icudt54.dll (signature verification: failed)
C:\Program Files\SqliteBrowser3\bin\icuin54.dll (signature verification: failed)
C:\Program Files\SqliteBrowser3\bin\icuuc54.dll (signature verification: failed)
C:\Program Files\SqliteBrowser3\bin\libeay32.dll (signature verification: failed)
C:\Program Files\SqliteBrowser3\bin\sqlite3.dll (signature verification: failed)
C:\Program Files\SqliteBrowser3\bin\sqlitebrowser.exe (signature verification: failed)
C:\Program Files\SqliteBrowser3\bin\ssleay32.dll (signature verification: failed)
Behavior description: Call Sleep function
details:[1]: MilliSeconds = 100.
[2]: MilliSeconds = 100.
[1]: MilliSeconds = 60000.
[2]: MilliSeconds = 60000.
[3]: MilliSeconds = 60000.
[4]: MilliSeconds = 60000.
[5]: MilliSeconds = 60000.
[6]: MilliSeconds = 60000.
[7]: MilliSeconds = 60000.
[8]: MilliSeconds = 60000.
[9]: MilliSeconds = 60000.
[10]: MilliSeconds = 60000.
Behavior description: Create event object
details:EventName = MSCTF.SendReceive.Event.MPN.IC
EventName = MSCTF.SendReceiveConection.Event.MPN.IC
EventName = Global\userenv: User Profile setup event
EventName = Global\crypt32LogoffEvent
EventName = DINPUTWINMM
EventName = DisableLowDiskWarning
Behavior description: Executable file MD5
details:C:\Documents and Settings\Administrator\Local Settings\Temp\nsu14.tmp\UserInfo.dll ---> d9a3fc12d56726dde60c1ead1df366f7
C:\Documents and Settings\Administrator\Local Settings\Temp\nsu14.tmp\InstallOptions.dll ---> eee2912bd1ee421cf1f1dfb1cc327d97
C:\Documents and Settings\Administrator\Local Settings\Temp\nsu14.tmp\StartMenu.dll ---> 5831d36066b6daf42fbf2ab1773308c8
C:\Program Files\SqliteBrowser3\bin\Qt5Core.dll ---> d6b239d2b8a022226716ffa606094f5d
C:\Program Files\SqliteBrowser3\bin\Qt5Gui.dll ---> 02737d896f2ce36fa8df30435a1ad313
C:\Program Files\SqliteBrowser3\bin\Qt5Network.dll ---> c6e586373ef7f9118ac7c0cdfef12971
C:\Program Files\SqliteBrowser3\bin\Qt5PrintSupport.dll ---> 8a083b11b34089f8159f4c37be4e25cc
C:\Program Files\SqliteBrowser3\bin\Qt5Widgets.dll ---> 2ff65eb0669728e99448cee07497e1fe
C:\Program Files\SqliteBrowser3\bin\icudt54.dll ---> file too large!
C:\Program Files\SqliteBrowser3\bin\icuin54.dll ---> 691ae05799f458b777bd8b7378c51738
C:\Program Files\SqliteBrowser3\bin\icuuc54.dll ---> 4575c9d1b2c51a545d1075bb9e6f4691
C:\Program Files\SqliteBrowser3\bin\libeay32.dll ---> 47ca4bfc26537b3b5512b11b6f86cea8
C:\Program Files\SqliteBrowser3\bin\sqlite3.dll ---> 8a818a700cc51af4187d54b6e10188dc
C:\Program Files\SqliteBrowser3\bin\sqlitebrowser.exe ---> 4c0fccf7c848d7efeb03c4d8d385dce4
C:\Program Files\SqliteBrowser3\bin\ssleay32.dll ---> 484d1cd13ac86594e271f7bce6409c02
Behavior description: Open mutex
details:ShimCacheMutex
Local\!IETld!Mutex
RasPbFile
Behavior description: Load newly dropped file
details:Image: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsu14.tmp\UserInfo.dll.
Image: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsu14.tmp\InstallOptions.dll.
Image: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsu14.tmp\StartMenu.dll.
Image: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\{f65db027-aff3-4070-886a-0d87064aabb1}\.ba1\wixstdba.dll.