文件检测评级:未发现风险
基本信息| 文件名称: | OTool.zip | | MD5: | 89b13aee692947215a75b3108a43ce91 | | 文件类型: | Cab | | 上传时间: | 2018-02-20 19:05:34 | | 出品公司: | N/A | | 版本: | N/A | | 壳或编译器信息: | N/A | | 子文件信息: | | aria2c.exe / 717d0f91d78f95fa0e9a43474eff12ba / EXE | | setup.exe / 87a30f7e1d7c48d699c432b2deb088e4 / EXE | | CodeResource.dll / a22692fb998b2a1ac12412053caf3bf1 / DLL | | o15-ctrremove.diagcab / 4874105a5002fc5066c3b535e6afd2ed / Cab | | license.Proplus15.reg / 182a8a1df2ab9c63e5c02806b9f447e7 / Unknown | | license.Project15.reg / 29ac35fce705a58bcab59b79e8712c1b / Unknown | | license.Visio15.reg / e15d5ea812b5fad9393dd239deac1631 / Unknown | | download_engine.dll / c818df90f4eda9a4a048dd656d0a4ea7 / DLL | | msvcr100.dll / df3ca8d16bded6a54977b30e66864d33 / DLL | | cleanospp.cab / c7183ef242377ce512d41965788ec6ad / Cab | | msvcr100.dll / bf38660a9125935658cfa3e53fdc7d65 / DLL | | Office Tool Plus.exe / 5f6b99a7c42d3691dd4d240d95dbcf84 / EXE | | 7za.exe / e3c061fa0450056e30285fd44a74cd2a / EXE | | pkeyconfig-office.xrm-ms / fe268686d5485b3a7fb301d7178be057 / Unknown | | pkeyconfig-office.xrm-ms / fe268686d5485b3a7fb301d7178be057 / Unknown | | pkeyconfig-office.xrm-ms / fe268686d5485b3a7fb301d7178be057 / Unknown | | pkeyconfig-office.xrm-ms / fe268686d5485b3a7fb301d7178be057 / Unknown | | pkeyconfig-office-client15.xrm-ms / b7786a85291ab8b736718be0bdb8c8e8 / Unknown | | pkeyconfig-office-client15.xrm-ms / b7786a85291ab8b736718be0bdb8c8e8 / Unknown |
|
关键行为| 行为描述: | 设置特殊文件夹属性 | | 详情信息: | C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies C:\Users\Administrator\AppData\Local\Microsoft\Windows\History\History.IE5 | | 行为描述: | 直接获取CPU时钟 | | 详情信息: | EAX = 0x463758cf, EDX = 0x0000008e EAX = 0x4637591b, EDX = 0x0000008e EAX = 0x46375967, EDX = 0x0000008e EAX = 0x463759b3, EDX = 0x0000008e EAX = 0xe553dcc6, EDX = 0x0000008e EAX = 0xe553dd12, EDX = 0x0000008e EAX = 0xe553dd5e, EDX = 0x0000008e EAX = 0xe553ddaa, EDX = 0x0000008e EAX = 0xe553ddf6, EDX = 0x0000008e EAX = 0xe553de42, EDX = 0x0000008e | | 行为描述: | 获取TickCount值 | | 详情信息: | TickCount = 227781, SleepMilliseconds = 60000. TickCount = 227906, SleepMilliseconds = 60000. TickCount = 228281, SleepMilliseconds = 60000. TickCount = 228468, SleepMilliseconds = 60000. TickCount = 228859, SleepMilliseconds = 60000. TickCount = 229453, SleepMilliseconds = 60000. TickCount = 229484, SleepMilliseconds = 60000. TickCount = 229500, SleepMilliseconds = 60000. TickCount = 229640, SleepMilliseconds = 60000. TickCount = 229812, SleepMilliseconds = 60000. TickCount = 230515, SleepMilliseconds = 60000. TickCount = 230531, SleepMilliseconds = 60000. TickCount = 230562, SleepMilliseconds = 60000. TickCount = 230593, SleepMilliseconds = 60000. TickCount = 230640, SleepMilliseconds = 60000. |
进程行为
文件行为| 行为描述: | 创建文件 | | 详情信息: | C:\ProgramData\OTP\MRO.cab C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2KQWVTOD\navcancl[1] C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3KY9KWG8\navcancl[1] | | 行为描述: | 覆盖已有文件 | | 详情信息: | C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2KQWVTOD\navcancl[1] C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3KY9KWG8\navcancl[1] | | 行为描述: | 查找文件 | | 详情信息: | FileName = C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll FileName = C:\Windows\Microsoft.NET\Framework\\* FileName = C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\* FileName = C:\Users FileName = C:\Users\Administrator\AppData FileName = C:\Users\Administrator\AppData\Local FileName = C:\Users\Administrator\AppData\Local\Temp FileName = C:\Users\Administrator\AppData\Local\%temp% FileName = C:\Users\Administrator\AppData\Local\%temp%\b70c.exe_7zdump\OTool FileName = C:\Users\Administrator FileName = C:\Users\Administrator\AppData\Local\%temp%\b70c.exe_7zdump FileName = C:\Users\Administrator\AppData\Local\%temp%\b70c.exe_7zdump\OTool\Office Tool Plus.exe FileName = C:\Windows\assembly\NativeImages_v4.0.30319_32\Office Tool Plus\* FileName = C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatio5ae0f00f#\* FileName = C:\Windows\assembly\NativeImages_v4.0.30319_32\WindowsBase\* | | 行为描述: | 删除文件 | | 详情信息: | C:\ProgramData\OTP\MRO.cab C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2KQWVTOD\navcancl[1] | | 行为描述: | 设置特殊文件夹属性 | | 详情信息: | C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies C:\Users\Administrator\AppData\Local\Microsoft\Windows\History\History.IE5 | | 行为描述: | 修改文件内容 | | 详情信息: | C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2KQWVTOD\navcancl[1] ---> Offset = 0 C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3KY9KWG8\navcancl[1] ---> Offset = 0 |
网络行为| 行为描述: | 连接指定站点 | | 详情信息: | InternetConnectA: ServerName = se****om, PORT = 443, UserName = , Password = , hSession = 0x00cc0004, hConnect = 0x00cc0008, Flags = 0x00800000 | | 行为描述: | 打开HTTP连接 | | 详情信息: | InternetOpenA: UserAgent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2), hSession = 0x00cc0004 | | 行为描述: | 建立到一个指定的套接字连接 | | 详情信息: | URL: se****om, IP: **.133.40.**:443, SOCKET = 0x0000057c URL: se****om, IP: **.133.40.**:443, SOCKET = 0x00000610 URL: se****om, IP: **.133.40.**:443, SOCKET = 0x00000794 URL: of****om, IP: **.133.40.**:80, SOCKET = 0x00000760 | | 行为描述: | 读取网络文件 | | 详情信息: | hFile = 0x00cc000c, BytesToRead =4096, BytesRead = 4096. | | 行为描述: | 发送HTTP包 | | 详情信息: | GET /pr/7ffbc6bf-bc32-4f92-8982-f9dd17fd3114/office/data/MRO.cab HTTP/1.1 Host: of****om Connection: Keep-Alive | | 行为描述: | 打开HTTP请求 | | 详情信息: | HttpOpenRequestA: se****om:443/landian/officetoolplus/otp_google_analytics.html, hConnect = 0x00cc0008, hRequest = 0x00cc000c, Verb: GET, Referer: , Flags = 0x00e00200 HttpOpenRequestA: se****om:443/landian/officetoolplus/otp_baidu_analytics.html, hConnect = 0x00cc0008, hRequest = 0x00cc000c, Verb: GET, Referer: , Flags = 0x00e00200 | | 行为描述: | 按名称获取主机地址 | | 详情信息: | GetAddrInfoW: se****om GetAddrInfoW: of****om |
注册表行为| 行为描述: | 修改注册表 | | 详情信息: | \REGISTRY\USER\S-*\Software\Microsoft\Direct3D\MostRecentApplication\Name \REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\Office Tool Plus_RASAPI32\EnableFileTracing \REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\Office Tool Plus_RASAPI32\EnableConsoleTracing \REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\Office Tool Plus_RASAPI32\FileTracingMask \REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\Office Tool Plus_RASAPI32\ConsoleTracingMask \REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\Office Tool Plus_RASAPI32\MaxFileSize \REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\Office Tool Plus_RASAPI32\FileDirectory \REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\Office Tool Plus_RASMANCS\EnableFileTracing \REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\Office Tool Plus_RASMANCS\EnableConsoleTracing \REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\Office Tool Plus_RASMANCS\FileTracingMask \REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\Office Tool Plus_RASMANCS\ConsoleTracingMask \REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\Office Tool Plus_RASMANCS\MaxFileSize \REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\Office Tool Plus_RASMANCS\FileDirectory \REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings | | 行为描述: | 删除注册表键值 | | 详情信息: | \REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass \REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName \REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer \REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyOverride \REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL |
其他行为| 行为描述: | 检测自身是否被调试 | | 详情信息: | IsDebuggerPresent | | 行为描述: | 创建互斥体 | | 详情信息: | Local\__DDrawExclMode__ Local\__DDrawCheckExclMode__ Local\!IETld!Mutex Local\ZonesCounterMutex Local\ZoneAttributeCacheCounterMutex Local\ZonesCacheCounterMutex Local\ZonesLockedCacheCounterMutex Local\_!MSFTHISTORY!_ Local\c:!users!administrator!appdata!local!microsoft!windows!temporary internet files!content.ie5! Local\c:!users!administrator!appdata!roaming!microsoft!windows!cookies! Local\c:!users!administrator!appdata!local!microsoft!windows!history!history.ie5! Local\WininetStartupMutex Local\WininetConnectionMutex Local\WininetProxyRegistryMutex RasPbFile | | 行为描述: | 创建事件对象 | | 详情信息: | EventName = Global\CPFATE_3764_v4.0.30319 | | 行为描述: | 打开互斥体 | | 详情信息: | Local\MSCTF.Asm.MutexDefault1 Local\!IETld!Mutex Local\_!MSFTHISTORY!_ Local\c:!users!administrator!appdata!local!microsoft!windows!temporary internet files!content.ie5! Local\c:!users!administrator!appdata!roaming!microsoft!windows!cookies! Local\c:!users!administrator!appdata!local!microsoft!windows!history!history.ie5! Local\WininetStartupMutex Local\WininetConnectionMutex Local\WininetProxyRegistryMutex | | 行为描述: | 查找指定窗口 | | 详情信息: | NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,] NtUserFindWindowEx: [Class,Window] = [MS_AutodialMonitor,] NtUserFindWindowEx: [Class,Window] = [MS_WebCheckMonitor,] | | 行为描述: | 窗口信息 | | 详情信息: | Pid = 3764, Hwnd=0x101ba, Text = Office Tool Plus, ClassName = HwndWrapper[Office Tool Plus.exe;;9c5a393f-b34b-48d5-b97b-75a5fe629c88]. | | 行为描述: | 获取TickCount值 | | 详情信息: | TickCount = 227781, SleepMilliseconds = 60000. TickCount = 227906, SleepMilliseconds = 60000. TickCount = 228281, SleepMilliseconds = 60000. TickCount = 228468, SleepMilliseconds = 60000. TickCount = 228859, SleepMilliseconds = 60000. TickCount = 229453, SleepMilliseconds = 60000. TickCount = 229484, SleepMilliseconds = 60000. TickCount = 229500, SleepMilliseconds = 60000. TickCount = 229640, SleepMilliseconds = 60000. TickCount = 229812, SleepMilliseconds = 60000. TickCount = 230515, SleepMilliseconds = 60000. TickCount = 230531, SleepMilliseconds = 60000. TickCount = 230562, SleepMilliseconds = 60000. TickCount = 230593, SleepMilliseconds = 60000. TickCount = 230640, SleepMilliseconds = 60000. | | 行为描述: | 调整进程token权限 | | 详情信息: | SE_DEBUG_PRIVILEGE | | 行为描述: | 打开事件 | | 详情信息: | Global\CLR_PerfMon_StartEnumEvent \KernelObjects\LowMemoryCondition HookSwitchHookEnabledEvent MSFT.VSA.COM.DISABLE.3764 MSFT.VSA.IEC.STATUS.6c736db0 Global\TermSrvReadyEvent \KernelObjects\MaximumCommitCondition Local\MSCTF.CtfActivated.Default1 Local\MSCTF.AsmCacheReady.Default1 \SECURITY\LSA_AUTHENTICATION_INITIALIZED Global\SvcctrlStartEvent_A3752DX \KernelObjects\SystemErrorPortReady | | 行为描述: | 调用Sleep函数 | | 详情信息: | [1]: MilliSeconds = 60000. [2]: MilliSeconds = 60000. [3]: MilliSeconds = 0. [4]: MilliSeconds = 0. [5]: MilliSeconds = 0. [6]: MilliSeconds = 0. [7]: MilliSeconds = 0. [8]: MilliSeconds = 0. [9]: MilliSeconds = 0. [10]: MilliSeconds = 0. | | 行为描述: | 隐藏指定窗口 | | 详情信息: | [Window,Class] = [,SysLink] [Window,Class] = [,Static] | | 行为描述: | 获取光标位置 | | 详情信息: | CursorPos = (48,18794), SleepMilliseconds = 60000. CursorPos = (6341,26827), SleepMilliseconds = 58937. CursorPos = (19176,16051), SleepMilliseconds = 58937. | | 行为描述: | 直接获取CPU时钟 | | 详情信息: | EAX = 0x463758cf, EDX = 0x0000008e EAX = 0x4637591b, EDX = 0x0000008e EAX = 0x46375967, EDX = 0x0000008e EAX = 0x463759b3, EDX = 0x0000008e EAX = 0xe553dcc6, EDX = 0x0000008e EAX = 0xe553dd12, EDX = 0x0000008e EAX = 0xe553dd5e, EDX = 0x0000008e EAX = 0xe553ddaa, EDX = 0x0000008e EAX = 0xe553ddf6, EDX = 0x0000008e EAX = 0xe553de42, EDX = 0x0000008e | | 行为描述: | 导入密钥 | | 详情信息: | [CryptImportKey] Algorithm: CALG_RSA_SIGN (0x00002400), Data: 0x6C09D99C, DataLen: 148, Flags: 0x00000000 [CryptImportKey] Algorithm: CALG_RSA_SIGN (0x00002400), Data: 0x6C15B90C, DataLen: 148, Flags: 0x00000000 [CryptImportKey] Algorithm: CALG_RSA_SIGN (0x00002400), Data: 0x68890B70, DataLen: 148, Flags: 0x00000000 [CryptImportKey] Algorithm: CALG_RSA_SIGN (0x00002400), Data: 0x68B11B5B, DataLen: 148, Flags: 0x00000000 [CryptImportKey] Algorithm: CALG_RSA_SIGN (0x00002400), Data: 0x676CAD00, DataLen: 148, Flags: 0x00000000 [CryptImportKey] Algorithm: CALG_RSA_SIGN (0x00002400), Data: 0x67B4AF7F, DataLen: 148, Flags: 0x00000000 [CryptImportKey] Algorithm: CALG_RSA_SIGN (0x00002400), Data: 0x005A906C, DataLen: 148, Flags: 0x00000000 [CryptImportKey] Algorithm: CALG_RSA_SIGN (0x00002400), Data: 0x005A9114, DataLen: 148, Flags: 0x00000000 [CryptImportKey] Algorithm: CALG_RSA_SIGN (0x00002400), Data: 0x005A9264, DataLen: 148, Flags: 0x00000000 [CryptImportKey] Algorithm: CALG_RSA_SIGN (0x00002400), Data: 0x66488A1C, DataLen: 148, Flags: 0x00000000 [CryptImportKey] Algorithm: CALG_RSA_SIGN (0x00002400), Data: 0x664B27FE, DataLen: 148, Flags: 0x00000000 [CryptImportKey] Algorithm: CALG_RSA_SIGN (0x00002400), Data: 0x005AA764, DataLen: 148, Flags: 0x00000000 [CryptImportKey] Algorithm: CALG_RSA_SIGN (0x00002400), Data: 0x00590AF4, DataLen: 148, Flags: 0x00000000 [CryptImportKey] Algorithm: CALG_RSA_SIGN (0x00002400), Data: 0x00590AFC, DataLen: 148, Flags: 0x00000000 [CryptImportKey] Algorithm: CALG_RSA_SIGN (0x00002400), Data: 0x00590AEC, DataLen: 148, Flags: 0x00000000 |
运行截图
|
发表于 2018-2-20 18:51:09
