Key behaviors
Behavior: Cross-process memory write
Details:
TargetProcess = C:\WINDOWS\system32\Steam.exe, WriteAddress = 0x00290000, Size = 0x0000005b TargetPID = 0x00000ac4
TargetProcess = C:\WINDOWS\system32\Steam.exe, WriteAddress = 0x004f0000, Size = 0x0000005b TargetPID = 0x00000ac4
TargetProcess = C:\WINDOWS\system32\Steam.exe, WriteAddress = 0x00500000, Size = 0x0000005b TargetPID = 0x00000ac4
TargetProcess = C:\WINDOWS\system32\Steam.exe, WriteAddress = 0x00510000, Size = 0x0000005b TargetPID = 0x00000ac4
TargetProcess = C:\WINDOWS\system32\Steam.exe, WriteAddress = 0x00520000, Size = 0x0000005b TargetPID = 0x00000ac4
TargetProcess = C:\WINDOWS\system32\Steam.exe, WriteAddress = 0x00530000, Size = 0x0000005b TargetPID = 0x00000ac4
TargetProcess = C:\WINDOWS\system32\Steam.exe, WriteAddress = 0x00540000, Size = 0x0000005b TargetPID = 0x00000ac4
TargetProcess = C:\WINDOWS\system32\Steam.exe, WriteAddress = 0x00550000, Size = 0x0000005b TargetPID = 0x00000ac4
TargetProcess = C:\WINDOWS\system32\Steam.exe, WriteAddress = 0x00560000, Size = 0x0000005b TargetPID = 0x00000ac4
TargetProcess = C:\WINDOWS\system32\Steam.exe, WriteAddress = 0x00570000, Size = 0x0000005b TargetPID = 0x00000ac4
TargetProcess = C:\WINDOWS\system32\Steam.exe, WriteAddress = 0x00580000, Size = 0x0000005b TargetPID = 0x00000ac4
TargetProcess = C:\WINDOWS\system32\Steam.exe, WriteAddress = 0x00590000, Size = 0x0000005b TargetPID = 0x00000ac4
TargetProcess = C:\WINDOWS\system32\Steam.exe, WriteAddress = 0x005a0000, Size = 0x0000005b TargetPID = 0x00000ac4
TargetProcess = C:\WINDOWS\system32\Steam.exe, WriteAddress = 0x005b0000, Size = 0x0000005b TargetPID = 0x00000ac4
TargetProcess = C:\WINDOWS\system32\Steam.exe, WriteAddress = 0x005c0000, Size = 0x0000005b TargetPID = 0x00000ac4
Behavior: Loads a driver (regular method)
Details:
\??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\dEi48dBP.sys
Behavior: Creates a remote thread
Details:
TargetProcess: Steam.exe, InheritedFromPID = 2000, ProcessID = 2756, ThreadID = 2764, StartAddress = 7C801D7B, Parameter = 00290000
TargetProcess: Steam.exe, InheritedFromPID = 2000, ProcessID = 2756, ThreadID = 2768, StartAddress = 7C801D7B, Parameter = 004F0000
TargetProcess: Steam.exe, InheritedFromPID = 2000, ProcessID = 2756, ThreadID = 2772, StartAddress = 7C801D7B, Parameter = 00500000
TargetProcess: Steam.exe, InheritedFromPID = 2000, ProcessID = 2756, ThreadID = 2776, StartAddress = 7C801D7B, Parameter = 00510000
TargetProcess: Steam.exe, InheritedFromPID = 2000, ProcessID = 2756, ThreadID = 2780, StartAddress = 7C801D7B, Parameter = 00520000
TargetProcess: Steam.exe, InheritedFromPID = 2000, ProcessID = 2756, ThreadID = 2784, StartAddress = 7C801D7B, Parameter = 00530000
TargetProcess: Steam.exe, InheritedFromPID = 2000, ProcessID = 2756, ThreadID = 2788, StartAddress = 7C801D7B, Parameter = 00540000
TargetProcess: Steam.exe, InheritedFromPID = 2000, ProcessID = 2756, ThreadID = 2816, StartAddress = 7C801D7B, Parameter = 00550000
TargetProcess: Steam.exe, InheritedFromPID = 2000, ProcessID = 2756, ThreadID = 2832, StartAddress = 7C801D7B, Parameter = 00560000
TargetProcess: Steam.exe, InheritedFromPID = 2000, ProcessID = 2756, ThreadID = 2848, StartAddress = 7C801D7B, Parameter = 00570000
TargetProcess: Steam.exe, InheritedFromPID = 2000, ProcessID = 2756, ThreadID = 2852, StartAddress = 7C801D7B, Parameter = 00580000
TargetProcess: Steam.exe, InheritedFromPID = 2000, ProcessID = 2756, ThreadID = 2864, StartAddress = 7C801D7B, Parameter = 00590000
TargetProcess: Steam.exe, InheritedFromPID = 2000, ProcessID = 2756, ThreadID = 2868, StartAddress = 7C801D7B, Parameter = 005A0000
TargetProcess: Steam.exe, InheritedFromPID = 2000, ProcessID = 2756, ThreadID = 2872, StartAddress = 7C801D7B, Parameter = 005B0000
TargetProcess: Steam.exe, InheritedFromPID = 2000, ProcessID = 2756, ThreadID = 2876, StartAddress = 7C801D7B, Parameter = 005C0000
Behavior: Attempts to open driver device objects belonging to debuggers or monitoring software
Details:
\??\SICE
\??\SIWVID
\??\NTICE
Behavior: Reads the TickCount value
Details:
TickCount = 225484, SleepMilliseconds = 2000.
TickCount = 225500, SleepMilliseconds = 2000.
TickCount = 228078, SleepMilliseconds = 2000.
Behavior: Sets special file attributes
Details:
C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\._cache_VSS.exe
C:\WINDOWS\system32\sysshdu.exe
C:\WINDOWS\system32\Synaptics\Synaptics.exe
C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\._cache_sysshdu.exe
C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\000.dll
Behavior: Looks up PE resource information
Details:
(FindResourceA) hModule = 0x00400000, ResName: EXERESX, ResType:
Behavior: Sets special folder attributes
Details:
C:\WINDOWS\system32\Synaptics
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\Administrator\Local Settings\History
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5
C:\Documents and Settings\Administrator\Cookies
Behavior: Creates a system service
Details:
[服务创建成功]: dEi48dBP, C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\\dEi48dBP.sys
Behavior: Searches for windows of common anti-virus and analysis tools
Details:
NtUserFindWindowEx: [Class,Window] = [OLLYDBG,]
Behavior: Modifies a registry autorun entry
Details:
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver