
[Virus Sample] Network worm variant

Symantec.
Posted 2014-12-27 23:18:33

This post contains additional resources.
欧阳宣
Posted 2014-12-27 23:21:28
to mcafee
诸葛亮
Posted 2014-12-27 23:29:41
Avira misses it
lovelive10010
Posted 2014-12-27 23:37:38
to 360
XywCloud
Posted 2014-12-27 23:43:38
Duplicate sample, and the file is safe.
Symantec.
OP | Posted 2014-12-27 23:45:35
    XywCloud posted on 2014-12-27 23:43:
    Duplicate sample, and the file is safe.

Safe? Are you sure?
lovelive10010
Posted 2014-12-27 23:57:12

Behavior:        Map file with write access
Details:
\WINDOWS\system32\zh-cn\ieframe.dll.mui
Local\UrlZonesSM_Administrator
Local\!PrivacIE!SharedMem!Counter
AtlDebugAllocator_FileMappingNameStatic3_12c
CiceroSharedMemDefaultS-1-5-21-1482476501-1645522239-1417001333-500
\WINDOWS\system32\zh-cn\mshtml.dll.mui
Behavior:        Set special folder attributes
Details:
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\Administrator\Local Settings\History
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5
C:\Documents and Settings\Administrator\Cookies
Behavior:        Modify file contents
Details:
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IUKHR8T2\dnserrordiagoff_webOC[1]---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\ErrorPageTemplate[1]---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6P4O8QNJ\errorPageStrings[1]---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6TLOMATB\httpErrorPagesScripts[1]---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\background_gradient[1]---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IUKHR8T2\info_48[1]---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\bullet[1]---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IUKHR8T2\down[1]---> Offset = 0
Network behavior
Behavior:        Connect to specified site
Details:
InternetConnectA: ServerName = user.ttliuliang.com, PORT = 80
InternetConnectA: ServerName = user5.ttliuliang.com, PORT = 80
InternetConnectA: ServerName = user3.ttliuliang.com, PORT = 80
InternetConnectA: ServerName = user1.ttliuliang.com, PORT = 80
InternetConnectA: ServerName = int.dpool.sina.com.cn, PORT = 80
InternetConnectA: ServerName = tbcart.ttliuliang.com, PORT = 80
InternetConnectA: ServerName = uzhan.ttliuliang.com, PORT = 80
Behavior:        Establish a connection to a specified socket
Details:
127.0.0.1:1040
Behavior:        Download file
Details:
URLDownloadToFileW: http://update.ttliuliang.com/upd ... .txt?rnd=1419695183 ---> c:\monitor\update.txt
C:\monitor\update.txt
Behavior:        Read network file
Details:
hFile = 0x00000360, BytesToRead =4096, BytesRead = 4096.
hFile = 0x000004b0, BytesToRead =4096, BytesRead = 4096.
hFile = 0x000004ac, BytesToRead =4096, BytesRead = 4096.
Behavior:        Open HTTP request
Details:
HttpOpenRequestA: user.ttliuliang.com:80/clnt/tips_flownews.htm, hConnect = 0x00000530
HttpOpenRequestA: user5.ttliuliang.com:80/?act=getmemberuid&hostid=9d271956f01ee021a61f470e680b5960&ver=166&isclnt=1&r=1419695185070&mode=2, hConnect = 0x0000035c
HttpOpenRequestA: user3.ttliuliang.com:80/?act=getmemberpoints&hostid=9d271956f01ee021a61f470e680b5960&ver=166&isclnt=1&r=1419695185148&mode=2, hConnect = 0x0000035c
HttpOpenRequestA: user1.ttliuliang.com:80/?act=getconstinfo&hostid=9d271956f01ee021a61f470e680b5960&ver=166&isclnt=1&r=1419695185242&mode=2, hConnect = 0x0000035c
HttpOpenRequestA: int.dpool.sina.com.cn:80/iplookup/iplookup.php?format=js, hConnect = 0x000004ac
HttpOpenRequestA: tbcart.ttliuliang.com:80/?act=gettask&hostid=9d271956f01ee021a61f470e680b5960&ver=166&isclnt=1&r=1419695187195&mode=2, hConnect = 0x000004ac
HttpOpenRequestA: uzhan.ttliuliang.com:80/?act=gettask&hostid=9d271956f01ee021a61f470e680b5960&ver=166&isclnt=1&r=1419695217289&mode=2, hConnect = 0x000003a0
Registry behavior
Behavior:        Modify registry
Details:
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
\REGISTRY\MACHINE\SOFTWARE\Microsoft\ESENT\Process\sample\DEBUG\Trace Level
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Local AppWizard-Generated Applications\挂机版\Settings\c_bClearCookie
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Local AppWizard-Generated Applications\挂机版\Settings\c_bClearCache
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Local AppWizard-Generated Applications\挂机版\Settings\c_bNotActiveX
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Local AppWizard-Generated Applications\挂机版\Settings\c_bFlowCheckCookie
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Local AppWizard-Generated Applications\挂机版\Settings\c_bExitIfRefNavFail
Behavior:        Delete registry value
Details:
\REGISTRY\MACHINE\SOFTWARE\Microsoft\ESENT\Process\sample\DEBUG\Trace Level
Behavior:        Delete registry value (IE connection settings)
Details:
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL
Other behavior
Behavior:        Create mutex
Details:
Local\ZonesCounterMutex
Local\ZoneAttributeCacheCounterMutex
Local\ZonesCacheCounterMutex
Local\ZonesLockedCacheCounterMutex
RasPbFile
Local\!PrivacIE!SharedMemory!Mutex
CTF.LBES.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500
CTF.Compart.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500
CTF.Asm.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500
CTF.Layouts.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500
CTF.TMD.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500
CTF.TimListCache.FMPDefaultS-1-5-21-1482476501-1645522239-1417001333-500MUTEX.DefaultS-1-5-21-1482476501-1645522239-1417001333-500
Behavior:        Find specified window
Details:
NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]
NtUserFindWindowEx: [Class,Window] = [MS_AutodialMonitor,]
NtUserFindWindowEx: [Class,Window] = [MS_WebCheckMonitor,]
Behavior:        Hide specified window
Details:
[Window,Class] = [,ComboLBox]
[Window,Class] = [,tooltips_class32]
[Window,Class] = [Progress1,msctls_progress32]
[Window,Class] = [STWorker,Afx:400000:8:10011:0:3001c5]
[Window,Class] = [0,Edit]
Behavior:        Window information
Details:
Pid = 300, Hwnd=0xc01d6, Text = 什么是天天挂机版?, ClassName = Button.
Pid = 300, Hwnd=0xd01c8, Text = 系统设置, ClassName = Button.
Pid = 300, Hwnd=0xc01c2, Text = 关于, ClassName = Button.
Pid = 300, Hwnd=0xb0184, Text = 会员账号或挂机编号(UID):, ClassName = Static.
Pid = 300, Hwnd=0xa01aa, Text = 0, ClassName = Edit.
Pid = 300, Hwnd=0xb01b0, Text = 注册账号, ClassName = Button.
Pid = 300, Hwnd=0xa018c, Text = 查询编号, ClassName = Button.
Pid = 300, Hwnd=0xe016e, Text = 停止挂机, ClassName = Button.
Pid = 300, Hwnd=0xa0198, Text = 一键隐藏, ClassName = Button.
Pid = 300, Hwnd=0xd01a4, Text = 挂机速度:, ClassName = Static.
Pid = 300, Hwnd=0xc01e8, Text = 智能模式, ClassName = ComboBox.
Pid = 300, Hwnd=0xb01be, Text = 可用天币:, ClassName = Static.
Pid = 300, Hwnd=0xb0170, Text = 0 正在挂机中, ClassName = msctls_progress32.
Pid = 300, Hwnd=0xb01ce, Text = 0, ClassName = Static.
Pid = 300, Hwnd=0xd01ac, Text = 升级, ClassName = Button.
Sorry, actually I can't read it either.
lll714775117
Posted 2014-12-28 00:17:41
Last edited by lll714775117 on 2014-12-28 00:35

The file is safe, or it needs a specific environment to trigger. B超 didn't turn anything up, nothing ran on my local machine either, and 哈勃 (Habo) reported no suspicious behavior.
XywCloud
Posted 2014-12-28 06:52:33 from mobile
    Symantec. posted on 2014-12-27 23:45:
    Safe? Are you sure?

I'm sure.
This is traffic-farming software.
狐狸糊涂
Posted 2014-12-28 08:26:41
BD doesn't flag it.
Copyright © KaFan  KaFan.cn All Rights Reserved.