Original poster: 1446547521

[Suspicious file] Suspected scam

ymb668888
Posted on 2016-2-20 19:11:27

Doesn't look like it to me, but a lot of the engines above flag it; not sure whether that's a false positive or whether Kaspersky missed it.
windows7爱好者
Posted on 2016-2-20 19:18:37
ymb668888 posted on 2016-2-20 19:11
Doesn't look like it to me, but a lot of the engines above flag it; not sure whether that's a false positive or whether Kaspersky missed it.

What's being flagged is the packer.
ymb668888
Posted on 2016-2-20 19:22:21
Alright.
xcvbaby
Posted on 2016-2-20 19:33:32
icedream89 posted on 2016-2-20 18:42
- - It gets flagged even with a password...

Without extracting, only part4 is flagged as malicious.
275751198
Posted on 2016-2-20 19:41:11
Took a huge effort to download the new version, and it throws an error when run.
Habo analysis: http://habo.qq.com/file/showdetail?pk=ADQGYl1rB2cIMVs%2B#process
275751198
Posted on 2016-2-20 19:42:01
Oh right, 360 flagged it as a risk during download.
1446547521
OP | Posted on 2016-2-20 19:42:35
[mw_shl_code=css,true]
Basic information
File name: 記憶6.2.18B .exe
MD5: 429bfcd239f48f00ee3eb8b32fcc3ef4
File type: EXE
Upload time: 2016-02-20 19:37:00
Vendor: N/A
Version: N/A
Packer or compiler info: N/A

Key behaviors
Behavior: Detect whether Virtual PC is present
Details: N/A

Behavior: Attempt to open driver device objects of debuggers or monitoring software
Details:
\??\SICE
\??\SIWVID
\??\NTICE

Behavior: Get TickCount value
Details:
TickCount = 491784, SleepMilliseconds = 50.
TickCount = 491940, SleepMilliseconds = 50.
TickCount = 491987, SleepMilliseconds = 50.
TickCount = 492050, SleepMilliseconds = 50.
TickCount = 492987, SleepMilliseconds = 50.
TickCount = 493034, SleepMilliseconds = 50.
TickCount = 493050, SleepMilliseconds = 50.
TickCount = 493065, SleepMilliseconds = 50.
TickCount = 493096, SleepMilliseconds = 50.
TickCount = 493128, SleepMilliseconds = 50.
TickCount = 493159, SleepMilliseconds = 50.
TickCount = 493175, SleepMilliseconds = 50.
TickCount = 493409, SleepMilliseconds = 50.
TickCount = 493440, SleepMilliseconds = 50.
TickCount = 493456, SleepMilliseconds = 50.

Behavior: Modify registry
Details:
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
\REGISTRY\MACHINE\SOFTWARE\Microsoft\ESENT\Process\996E\DEBUG\Trace Level
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings

Behavior: Set special folder attributes
Details:
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\Administrator\Local Settings\History
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5
C:\Documents and Settings\Administrator\Cookies

Behavior: Query registry (virtual machine detection)
Details:
\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion

Behavior: Search for a specified kernel module
Details:
lstrcmpiA: ntice.sys <------> ntkrnlpa.exe (ntice.sys)
lstrcmpiA: ntice.sys <------> hal.dll (ntice.sys)
lstrcmpiA: ntice.sys <------> KDCOM.DLL (ntice.sys)
lstrcmpiA: ntice.sys <------> BOOTVID.dll (ntice.sys)
lstrcmpiA: ntice.sys <------> ACPI.sys (ntice.sys)
lstrcmpiA: ntice.sys <------> WMILIB.SYS (ntice.sys)
lstrcmpiA: ntice.sys <------> pci.sys (ntice.sys)
lstrcmpiA: ntice.sys <------> isapnp.sys (ntice.sys)
lstrcmpiA: ntice.sys <------> compbatt.sys (ntice.sys)
lstrcmpiA: ntice.sys <------> BATTC.SYS (ntice.sys)
lstrcmpiA: ntice.sys <------> intelide.sys (ntice.sys)
lstrcmpiA: ntice.sys <------> PCIIDEX.SYS (ntice.sys)
lstrcmpiA: ntice.sys <------> MountMgr.sys (ntice.sys)
lstrcmpiA: ntice.sys <------> ftdisk.sys (ntice.sys)
lstrcmpiA: ntice.sys <------> dmload.sys (ntice.sys)

Behavior: Search for windows of common anti-virus/analysis tools
Details:
NtUserFindWindowEx: [Class,Window] = [OLLYDBG,]
NtUserFindWindowEx: [Class,Window] = [GBDYLLO,]
NtUserFindWindowEx: [Class,Window] = [pediy06,]
NtUserFindWindowEx: [Class,Window] = [FilemonClass,]
NtUserFindWindowEx: [Class,Window] = [,File Monitor - Sysinternals: www.sysinternals.com]
NtUserFindWindowEx: [Class,Window] = [PROCMON_WINDOW_CLASS,]
NtUserFindWindowEx: [Class,Window] = [,Process Monitor - Sysinternals: www.sysinternals.com]
NtUserFindWindowEx: [Class,Window] = [RegmonClass,]
NtUserFindWindowEx: [Class,Window] = [,Registry Monitor - Sysinternals: www.sysinternals.com]

Process behavior
Behavior: Create local thread
Details: N/A

Behavior: Enumerate processes
Details: N/A

File behavior
Behavior: Create file
Details:
C:\x5zsAdm.ini
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\DB27145.TMP
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\wpad[1].dat

Behavior: Delete file
Details:
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\wpad[1].dat

Behavior: Set special folder attributes
Details:
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\Administrator\Local Settings\History
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5
C:\Documents and Settings\Administrator\Cookies

Behavior: Modify file contents
Details:
C:\x5zsAdm.ini---> Offset = 0
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\DB27145.TMP---> Offset = 0

Behavior: Search for files
Details:
FileName = C:\Documents and Settings\Administrator
FileName = C:\Documents and Settings\Administrator\Local Settings
FileName = C:\Documents and Settings
FileName = C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk\*.pbk
FileName = C:\WINDOWS\system32\Ras\*.pbk
FileName = C:\Documents and Settings\Administrator\Application Data\Microsoft\Network\Connections\Pbk\*.pbk
FileName = C:\WINDOWS
FileName = C:\WINDOWS\system32
FileName = C:\WINDOWS\system32\urlmon.dll

Network behavior
Behavior: Open URL over the network
Details:
InternetOpenUrlA: http://110.110.110.110:80/wpad.dat hInternet = 0x00cc0010

Behavior: Connect to specified site
Details:
InternetConnectA: ServerName = www.x5zs.com, PORT = 80, UserName = , Password = , hSession = 0x00cc0004, hConnect = 0x00cc0008
InternetConnectA: ServerName = 110.110.110.110, PORT = 80, UserName = , Password = , hSession = 0x00cc0010, hConnect = 0x00cc0014
InternetConnectA: ServerName = qqx5zs.blog.163.com, PORT = 80, UserName = , Password = , hSession = 0x00cc0010, hConnect = 0x00cc0014

Behavior: Open HTTP connection
Details:
InternetOpenA: UserAgent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E; KB974489), hSession = 0x00cc0004
InternetOpenA: UserAgent: Mozilla/4.0 (compatible; MSIE 8.0; Win32; Trident/4.0), hSession = 0x00cc0010
InternetOpenA: UserAgent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0), hSession = 0x00cc0010

Behavior: Establish a socket connection to a specified address
Details:
127.0.0.1:1031, SOCKET = 0x000003f4
110.110.110.110:80, SOCKET = 0x00000368

Behavior: Read network file
Details:
hFile = 0x00cc000c, BytesToRead =4096, BytesRead = 4096.
hFile = 0x00cc0018, BytesToRead =4010, BytesRead = 4010.

Behavior: Send HTTP packet
Details:
GET /wpad.dat HTTP/1.1 Accept: */* User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32; Trident/4.0) Host: 110.110.110.110

Behavior: Open HTTP request
Details:
HttpOpenRequestA: www.x5zs.com:80/postc.html, hConnect = 0x00cc0008, hRequest = 0x00cc000c, Verb: GET, Referer:
HttpOpenRequestA: 110.110.110.110:80/wpad.dat, hConnect = 0x00cc0014, hRequest = 0x00cc0018, Verb: GET, Referer:
HttpOpenRequestA: qqx5zs.blog.163.com:80/blog/static/243232075201411149422396/, hConnect = 0x00cc0014, hRequest = 0x00cc0018, Verb: GET, Referer:

Behavior: Resolve host address by name
Details:
computer
wpad
110.110.110.110

Registry behavior
Behavior: Modify registry
Details:
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
\REGISTRY\MACHINE\SOFTWARE\Microsoft\ESENT\Process\996E\DEBUG\Trace Level
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings

Behavior: Delete registry value
Details:
\REGISTRY\MACHINE\SOFTWARE\Microsoft\ESENT\Process\996E\DEBUG\Trace Level
\REGISTRY\MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting\DW\DWFileTreeRoot

Behavior: Query registry (virtual machine detection)
Details:
\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion

Behavior: Delete registry value (IE connection settings)
Details:
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL

Behavior: Delete registry key
Details:
\REGISTRY\MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting\DW

Other behavior
Behavior: Detect whether Virtual PC is present
Details: N/A

Behavior: Create mutex
Details:
RasPbFile
CTF.LBES.MutexDefaultS-*
CTF.Compart.MutexDefaultS-*
CTF.Asm.MutexDefaultS-*
CTF.Layouts.MutexDefaultS-*
CTF.TMD.MutexDefaultS-*
CTF.TimListCache.FMPDefaultS-*MUTEX.DefaultS-*
Local\ZonesCounterMutex
Local\ZoneAttributeCacheCounterMutex
Local\ZonesCacheCounterMutex
Local\ZonesLockedCacheCounterMutex
CritOpMutex

Behavior: Create event object
Details:
EventName = DINPUTWINMM
EventName = Global\userenv: User Profile setup event
EventName = Global\crypt32LogoffEvent

Behavior: Search for a specified window
Details:
NtUserFindWindowEx: [Class,Window] = [18467-41,]

Behavior: Attempt to open driver device objects of debuggers or monitoring software
Details:
\??\SICE
\??\SIWVID
\??\NTICE

Behavior: Get TickCount value
Details:
TickCount = 491784, SleepMilliseconds = 50.
TickCount = 491940, SleepMilliseconds = 50.
TickCount = 491987, SleepMilliseconds = 50.
TickCount = 492050, SleepMilliseconds = 50.
TickCount = 492987, SleepMilliseconds = 50.
TickCount = 493034, SleepMilliseconds = 50.
TickCount = 493050, SleepMilliseconds = 50.
TickCount = 493065, SleepMilliseconds = 50.
TickCount = 493096, SleepMilliseconds = 50.
TickCount = 493128, SleepMilliseconds = 50.
TickCount = 493159, SleepMilliseconds = 50.
TickCount = 493175, SleepMilliseconds = 50.
TickCount = 493409, SleepMilliseconds = 50.
TickCount = 493440, SleepMilliseconds = 50.
TickCount = 493456, SleepMilliseconds = 50.

Behavior: Get cursor position
Details:
CursorPos = (106,18467), SleepMilliseconds = 50.

Behavior: Window information
Details:
Pid = 1476, Hwnd=0x202d2, Text = 启动模式:, ClassName = Afx:400000:b:10011:1900015:0.
Pid = 1476, Hwnd=0x202d0, Text = 选择框, ClassName = Button(CheckBox).
Pid = 1476, Hwnd=0x702c0, Text = 1.8, ClassName = Afx:400000:b:10011:1900015:0.

Behavior: Call Sleep function
Details:
[1]: MilliSeconds = 60000.
[2]: MilliSeconds = 100.
[3]: MilliSeconds = 60000.

Behavior: Hide specified window
Details:
[Window,Class] = [,ComboLBox]
[Window,Class] = [,Afx:400000:8:10011:1900015:0]
[Window,Class] = [,SysLink]
[Window,Class] = [,Static]

Behavior: Search for a specified kernel module
Details:
lstrcmpiA: ntice.sys <------> ntkrnlpa.exe (ntice.sys)
lstrcmpiA: ntice.sys <------> hal.dll (ntice.sys)
lstrcmpiA: ntice.sys <------> KDCOM.DLL (ntice.sys)
lstrcmpiA: ntice.sys <------> BOOTVID.dll (ntice.sys)
lstrcmpiA: ntice.sys <------> ACPI.sys (ntice.sys)
lstrcmpiA: ntice.sys <------> WMILIB.SYS (ntice.sys)
lstrcmpiA: ntice.sys <------> pci.sys (ntice.sys)
lstrcmpiA: ntice.sys <------> isapnp.sys (ntice.sys)
lstrcmpiA: ntice.sys <------> compbatt.sys (ntice.sys)
lstrcmpiA: ntice.sys <------> BATTC.SYS (ntice.sys)
lstrcmpiA: ntice.sys <------> intelide.sys (ntice.sys)
lstrcmpiA: ntice.sys <------> PCIIDEX.SYS (ntice.sys)
lstrcmpiA: ntice.sys <------> MountMgr.sys (ntice.sys)
lstrcmpiA: ntice.sys <------> ftdisk.sys (ntice.sys)
lstrcmpiA: ntice.sys <------> dmload.sys (ntice.sys)

Behavior: Search for windows of common anti-virus/analysis tools
Details:
NtUserFindWindowEx: [Class,Window] = [OLLYDBG,]
NtUserFindWindowEx: [Class,Window] = [GBDYLLO,]
NtUserFindWindowEx: [Class,Window] = [pediy06,]
NtUserFindWindowEx: [Class,Window] = [FilemonClass,]
NtUserFindWindowEx: [Class,Window] = [,File Monitor - Sysinternals: www.sysinternals.com]
NtUserFindWindowEx: [Class,Window] = [PROCMON_WINDOW_CLASS,]
NtUserFindWindowEx: [Class,Window] = [,Process Monitor - Sysinternals: www.sysinternals.com]
NtUserFindWindowEx: [Class,Window] = [RegmonClass,]
NtUserFindWindowEx: [Class,Window] = [,Registry Monitor - Sysinternals: www.sysinternals.com]
[/mw_shl_code]
左手
Posted on 2016-2-20 20:22:49
Goes online.
Reads cookies. Everything else unknown. Probably not.

nick20010117
Posted on 2016-2-20 23:00:03

Click Reply in the bottom-left corner so others can see it.
轩夏
Posted on 2016-2-22 13:55:00
Liebao flagged QQ炫舞记忆助手.part4.rar as Win32.Troj.Agent.bv.(kcloud)
Pretty impressive.