[Help] Scpt.exe seems risky

    Posted 2017-12-1 13:30:09
    [Attachment: TIM截图20171201132353.png]

    Basic information
    File name:
    Scpt.exe
    MD5: 2237001d4b702467651133f890da4b9a
    File type: EXE
    Upload time: 2017-11-27 12:33:54
    Vendor: SysCeo.Com
    Version: 2.2016.3.7---2.2016.3.7
    Packer/compiler: PACKER:NsPacK V3.7 -> LiuXingPing [Overlay] *


    Key behaviors
    Behavior: set special folder attributes
    Details:
    C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
    C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
    C:\Documents and Settings\Administrator\Local Settings\History
    C:\Documents and Settings\Administrator\Local Settings\History\History.IE5
    C:\Documents and Settings\Administrator\Cookies
    Behavior: capture window screenshot info
    Details:
    Foreground window Info: HWND = 0x00010472, DC = 0x0a010375.
    Behavior: read TickCount value
    Details:
    TickCount = 231053, SleepMilliseconds = 100.
    TickCount = 290953, SleepMilliseconds = 60000.
    TickCount = 290984, SleepMilliseconds = 60000.
    TickCount = 291000, SleepMilliseconds = 60000.
    TickCount = 231115, SleepMilliseconds = 100.
    TickCount = 231131, SleepMilliseconds = 100.
    TickCount = 231162, SleepMilliseconds = 100.
    TickCount = 231178, SleepMilliseconds = 100.
    TickCount = 231193, SleepMilliseconds = 100.
    TickCount = 231287, SleepMilliseconds = 100.
    TickCount = 231303, SleepMilliseconds = 100.
    TickCount = 231318, SleepMilliseconds = 100.
    TickCount = 231334, SleepMilliseconds = 100.
    TickCount = 231365, SleepMilliseconds = 100.
    TickCount = 291265, SleepMilliseconds = 60000.


    Process behavior
    Behavior: create local thread
    Details:
    TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2764, ThreadID = 2884, StartAddress = 4AEA7456, Parameter = 00000000
    TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2764, ThreadID = 2888, StartAddress = 77DC845A, Parameter = 00000000
    TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2764, ThreadID = 2892, StartAddress = 0040490C, Parameter = 03BB62AC
    TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2764, ThreadID = 2920, StartAddress = 7C947EBB, Parameter = 00000000
    TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2764, ThreadID = 2924, StartAddress = 7C930230, Parameter = 00000000
    TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2764, ThreadID = 2952, StartAddress = 77E56C7D, Parameter = 0024A468
    TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2764, ThreadID = 2956, StartAddress = 769AE43B, Parameter = 00205CD0
    TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2764, ThreadID = 2960, StartAddress = 0451507F, Parameter = 0012936C
    TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2764, ThreadID = 2968, StartAddress = 6359727B, Parameter = 05E0D200
    TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2764, ThreadID = 2996, StartAddress = 6359727B, Parameter = 05E4D920
    TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2764, ThreadID = 3000, StartAddress = 6359727B, Parameter = 05E4D9C0
    TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2764, ThreadID = 3020, StartAddress = 0040490C, Parameter = 03BE44FC


    File behavior
    Behavior: create file
    Details:
    C:\WINDOWS\Sclng.sc
    C:\Documents and Settings\Administrator\Local Settings\%temp%\Scdata.ini
    C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\wan[1].html
    C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\ver[1].html
    C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\tj[1]
    C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\navcancl[2]
    C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\ErrorPageTemplate[1]
    C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6TLOMATB\errorPageStrings[1]
    C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\httpErrorPagesScripts[1]
    C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6TLOMATB\background_gradient[1]
    C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\info_48[1]
    C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6TLOMATB\bullet[1]
    Behavior: overwrite existing file
    Details:
    C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\navcancl[2]
    C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\ErrorPageTemplate[1]
    C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6TLOMATB\errorPageStrings[1]
    C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\httpErrorPagesScripts[1]
    C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6TLOMATB\background_gradient[1]
    C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\info_48[1]
    C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6TLOMATB\bullet[1]
    Behavior: search for file
    Details:
    FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%\Sclng.ini
    FileName = C:\WINDOWS\Sclng.sc
    FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%\\Scdata.ini
    FileName = C:\Documents and Settings
    FileName = C:\Documents and Settings\Administrator
    FileName = C:\Documents and Settings\Administrator\Local Settings
    FileName = C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk\*.pbk
    FileName = C:\WINDOWS\system32\Ras\*.pbk
    FileName = C:\Documents and Settings\Administrator\Application Data\Microsoft\Network\Connections\Pbk\*.pbk
    FileName = C:\WINDOWS\ScRestart.exe
    FileName = C:\pagefile.sys
    FileName = C:\WINDOWS
    FileName = C:\WINDOWS\system32
    FileName = C:\WINDOWS\system32\urlmon.dll
    FileName = C:\WINDOWS\system32\ieframe.dll
    Behavior: delete file
    Details:
    C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\wan[1].html
    C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\ver[1].html
    C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\tj[1]
    C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\navcancl[1]
    C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6TLOMATB\ErrorPageTemplate[2]
    C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\errorPageStrings[1]
    C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6TLOMATB\httpErrorPagesScripts[1]
    C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\background_gradient[3]
    C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6TLOMATB\info_48[2]
    C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IUKHR8T2\bullet[2]
    Behavior: set special folder attributes
    Details:
    C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
    C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
    C:\Documents and Settings\Administrator\Local Settings\History
    C:\Documents and Settings\Administrator\Local Settings\History\History.IE5
    C:\Documents and Settings\Administrator\Cookies
    Behavior: modify file contents
    Details:
    C:\WINDOWS\Sclng.sc ---> Offset = 0
    C:\Documents and Settings\Administrator\Local Settings\%temp%\Scdata.ini ---> Offset = 0
    C:\Documents and Settings\Administrator\Local Settings\%temp%\Scdata.ini ---> Offset = 25
    C:\Documents and Settings\Administrator\Local Settings\%temp%\Scdata.ini ---> Offset = 54
    C:\Documents and Settings\Administrator\Local Settings\%temp%\Scdata.ini ---> Offset = 78
    C:\Documents and Settings\Administrator\Local Settings\%temp%\Scdata.ini ---> Offset = 102
    C:\Documents and Settings\Administrator\Local Settings\%temp%\Scdata.ini ---> Offset = 129
    C:\Documents and Settings\Administrator\Local Settings\%temp%\Scdata.ini ---> Offset = 155
    C:\Documents and Settings\Administrator\Local Settings\%temp%\Scdata.ini ---> Offset = 180
    C:\Documents and Settings\Administrator\Local Settings\%temp%\Scdata.ini ---> Offset = 205
    C:\Documents and Settings\Administrator\Local Settings\%temp%\Scdata.ini ---> Offset = 230
    C:\Documents and Settings\Administrator\Local Settings\%temp%\Scdata.ini ---> Offset = 250
    C:\Documents and Settings\Administrator\Local Settings\%temp%\Scdata.ini ---> Offset = 272
    C:\Documents and Settings\Administrator\Local Settings\%temp%\Scdata.ini ---> Offset = 295
    C:\Documents and Settings\Administrator\Local Settings\%temp%\Scdata.ini ---> Offset = 329


    Network behavior
    Behavior: connect to specified site
    Details:
    InternetConnectA: ServerName = ww****om, PORT = 80, UserName = , Password = , hSession = 0x00cc0004, hConnect = 0x00cc0008, Flags = 0x00000000
    Behavior: open HTTP connection
    Details:
    InternetOpenA: UserAgent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E; KB974489), hSession = 0x00cc0004
    Behavior: establish connection to a specified socket
    Details:
    URL: ww****om, IP: **.133.40.**:80, SOCKET = 0x00000394
    URL: ww****om, IP: **.133.40.**:80, SOCKET = 0x000001d8
    URL: ww****om, IP: **.133.40.**:80, SOCKET = 0x000004b0
    Behavior: read network file
    Details:
    hFile = 0x00cc000c, BytesToRead =4096, BytesRead = 4096.
    Behavior: send HTTP packet
    Details:
    GET /noime/sc/wan.html HTTP/1.1 Accept: */* Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E; KB974489) Host: ww****om Connection: Keep-Alive
    GET /noime/sc/ver.html HTTP/1.1 Accept: */* Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E; KB974489) Host: ww****om Connection: Keep-Alive
    GET /noime/sc/tj/ HTTP/1.1 Accept: */* Accept-Language: zh-cn Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E; KB974489) Host: ww****om Connection: Keep-Alive
    Behavior: open HTTP request
    Details:
    HttpOpenRequestA: ww****om:80/noime/sc/wan.html, hConnect = 0x00cc0008, hRequest = 0x00cc000c, Verb: GET, Referer: , Flags = 0x00400000
    HttpOpenRequestA: ww****om:80/noime/sc/ver.html, hConnect = 0x00cc0008, hRequest = 0x00cc000c, Verb: GET, Referer: , Flags = 0x00400000
    HttpOpenRequestA: ww****om:80/noime/sc/tj/, hConnect = 0x00cc0008, hRequest = 0x00cc000c, Verb: GET, Referer: , Flags = 0x00400200
    HttpOpenRequestA: ww****om:80/noime/sc/tj/, hConnect = 0x00cc0008, hRequest = 0x00cc000c, Verb: GET, Referer: , Flags = 0x00400010
    Behavior: resolve host address by name
    Details:
    GetAddrInfoW: ww****om


    Registry behavior
    Behavior: modify registry
    Details:
    \REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
    Behavior: delete registry value
    Details:
    \REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer
    \REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyOverride
    \REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL


    Other behavior
    Behavior: adjust process token privileges
    Details:
    SE_LOAD_DRIVER_PRIVILEGE
    SE_INC_BASE_PRIORITY_PRIVILEGE
    Behavior: create mutex
    Details:
    CTF.LBES.MutexDefaultS-*
    CTF.Compart.MutexDefaultS-*
    CTF.Asm.MutexDefaultS-*
    CTF.Layouts.MutexDefaultS-*
    CTF.TMD.MutexDefaultS-*
    CTF.TimListCache.FMPDefaultS-*MUTEX.DefaultS-*
    {2BE6D96E-827F-4BF9-B33E-8740412CSSC8}
    Local\ZonesCounterMutex
    Local\ZoneAttributeCacheCounterMutex
    Local\ZonesCacheCounterMutex
    Local\ZonesLockedCacheCounterMutex
    RasPbFile
    Local\!PrivacIE!SharedMemory!Mutex
    CritOpMutex
    MSIMGSIZECacheMutex
    [Attachment: 2.png]
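As an added illustration (this is not part of the original post and is not code from SysCeo or the sandbox vendor), a small Python triage script that reads the report layout above (Behavior:/Details: blocks under section headings) into per-behavior buckets and applies a few plain rules to the behaviors that matter for this sample: writes under C:\WINDOWS, removal of the per-user ProxyServer/ProxyOverride/AutoConfigURL values, the SeLoadDriverPrivilege request, and the HTTP paths fetched. The embedded REPORT string is a constructed excerpt of the report above with the same masking (ww****om), and the severity labels are my own assumptions, not a scoring scheme the sandbox uses.

```python
import re
from collections import defaultdict

# Constructed excerpt in the layout of the sandbox report above (English labels as
# used on this page); not the full report and not output of the SysCeo tool itself.
REPORT = r"""
Packer/compiler: PACKER:NsPacK V3.7 -> LiuXingPing [Overlay] *

File behavior
Behavior: create file
Details:
C:\WINDOWS\Sclng.sc
C:\Documents and Settings\Administrator\Local Settings\%temp%\Scdata.ini
Behavior: modify file contents
Details:
C:\WINDOWS\Sclng.sc ---> Offset = 0
Behavior: search for file
Details:
FileName = C:\WINDOWS\ScRestart.exe
FileName = C:\WINDOWS\system32\Ras\*.pbk

Network behavior
Behavior: send HTTP packet
Details:
GET /noime/sc/wan.html HTTP/1.1 Accept: */* Host: ww****om Connection: Keep-Alive
GET /noime/sc/ver.html HTTP/1.1 Accept: */* Host: ww****om Connection: Keep-Alive

Registry behavior
Behavior: delete registry value
Details:
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL

Other behavior
Behavior: adjust process token privileges
Details:
SE_LOAD_DRIVER_PRIVILEGE
SE_INC_BASE_PRIORITY_PRIVILEGE
"""

PROXY_VALUES = ("ProxyServer", "ProxyOverride", "AutoConfigURL")
SYSTEM_DIRS = ("c:\\windows",)   # assumption: the sandbox ran on an XP-era C:\WINDOWS layout


def parse_report(text):
    """Group each 'Details:' block under its preceding 'Behavior:' label.

    Returns (meta, behaviors): meta holds header fields such as the packer line,
    behaviors maps a lower-cased behavior label to the detail lines listed under it.
    Section headings ('File behavior', ...) carry no colon and are skipped.
    """
    meta = {}
    behaviors = defaultdict(list)
    current = None
    in_details = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_details = False          # a blank line closes the current details block
            continue
        if line.startswith("Behavior:"):
            current = line.split(":", 1)[1].strip().lower()
            in_details = False
            continue
        if line == "Details:":
            in_details = current is not None
            continue
        if in_details:
            behaviors[current].append(line)
        elif ":" in line and current is None:
            key, val = line.split(":", 1)   # header field before any behavior block
            meta[key.strip().lower()] = val.strip()
    return meta, dict(behaviors)


def triage(meta, behaviors):
    """Apply plain IOC rules to the parsed report; returns a list of (severity, note)."""
    findings = []
    packer = meta.get("packer/compiler", "")
    if "PACKER:" in packer:
        findings.append(("info", "packed binary (" + packer.split("PACKER:", 1)[1].strip()
                         + "); static AV verdicts are unreliable, judge on behavior"))

    # Files written or modified inside the Windows directory.
    for label in ("create file", "modify file contents", "overwrite existing file"):
        for entry in behaviors.get(label, []):
            target = entry.split(" --->", 1)[0].strip()   # drop '---> Offset = N' suffix
            if target.lower().startswith(SYSTEM_DIRS):
                findings.append(("medium", f"{label}: {target} (writes under the Windows directory)"))

    # Deletion of the per-user proxy / PAC values under Internet Settings.
    for key in behaviors.get("delete registry value", []):
        name = key.rsplit("\\", 1)[-1]
        if "\\Internet Settings\\" in key and name in PROXY_VALUES:
            findings.append(("medium", f"removes user proxy/PAC setting {name}"))

    for priv in behaviors.get("adjust process token privileges", []):
        if priv == "SE_LOAD_DRIVER_PRIVILEGE":
            findings.append(("high", "enables SeLoadDriverPrivilege (process may load a kernel driver)"))

    # Reconstruct the URLs fetched from the logged request lines.
    urls = set()
    for req in behaviors.get("send http packet", []):
        m_path = re.match(r"(GET|POST)\s+(\S+)", req)
        m_host = re.search(r"Host:\s*(\S+)", req)
        if m_path and m_host:
            urls.add(f"http://{m_host.group(1)}{m_path.group(2)}")
    for url in sorted(urls):
        findings.append(("info", f"contacts {url}"))
    return findings


if __name__ == "__main__":
    for severity, note in triage(*parse_report(REPORT)):
        print(f"[{severity}] {note}")
```

None of these rules decides maliciousness on its own: clearing ProxyServer/AutoConfigURL and dropping files into C:\WINDOWS are also what an imaging tool that resets the network configuration before capture would do, so the script only tells you which lines of the report to read closely, not whether the file is safe.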
    Posted 2017-12-1 14:20:59
    There are only two forums in China that make system packaging tools, and most domestic GHO systems are basically produced with the SC packaging tool.
    Posted 2017-12-1 15:12:46
    The SC packaging tool is quite good; just use it with confidence.
    Posted 2017-12-1 18:59:36
    Packaging inherently involves sensitive low-level system operations. Learn what packaging is before you complain.
    Original poster, posted 2017-12-6 07:32:34
    jiny wrote on 2017-12-1 18:59:
        Packaging inherently involves sensitive low-level system operations. Learn what packaging is before you complain.

    System packaging, simply put, is the method of making the system into an image and burning it to disc for use in system installation. System packaging differs from a normal system installation. The essential difference is that system packaging packs a complete system in copy form and then installs it by pasting onto another system drive, whereas a normal installation goes through the Setup program.

    An imperfect analogy: to lay a lawn, you can sow grass seed on the land and wait for the grass to grow, or you can buy turf directly. The turf is the equivalent of system packaging.
    Posted 2017-12-11 12:14:01
    This is perfectly normal; 天空's packaging tool does the same.
    Posted 2017-12-18 03:11:16
    1767519181@qq.c wrote on 2017-12-6 07:32:
        System packaging, simply put, is the method of making the system into an image and burning it to disc for use in system installation. System packaging differs from a normal ...

    So I only now learn that every brand-name laptop's preinstalled system since the XP era has been turf.
    Don't you know that after sysprep, HKEY_LOCAL_MACHINE\SYSTEM\Setup\Cmdline also defaults to Setup.exe?