This post was last edited by lifan88 on 2019-10-22 00:04
Please sticky this!!!
A roughly complete set of ROOTKIT components (downloaded from the cloud): https://www.lanzous.com/i6vqt4b
There is a lot of activity, and it is cloud-controlled: it drops a configuration file and then goes quiet... but once the configuration file has been read, a large amount of activity begins! Almost all of it is invisible to antivirus software!
The set consists of: one downloader-type .sys, one rootkit-type .sys, one roughly 7 KB reboot-protection .sys, and one .exe, together making up a roughly complete rootkit!
1. Test environment: VMware, Windows 8.1 x64
2. Test sample: kmzkkfoje.sys
3. Key to the action names:
SYS_regsrv: register a service
SYS_load_kmod: load a kernel module
SYS_enumproc: enumerate processes
SYS_opendev: open a device
REG_openkey: open a registry key
REG_getval: read a registry value
REG_mkkey: create a registry key
REG_setval: set a registry value
REG_rmval: delete a registry value
REG_rmkey: delete a registry key
FILE_open: open a file
FILE_touch: create a file
FILE_truncate: truncate a file
FILE_write: write to a file
FILE_chmod: set file attributes
FILE_modified: file was modified
PROC_open: open a process
PROC_readvm: read another process's memory
PROC_writevm: write another process's memory
EXEC_create: process start
EXEC_destroy: process exit
NET_connect: network connection
NET_send: send a packet
NET_http: HTTP request
4. Actions after loading:
21:47:41:008, 加驱用.exe, 3164:3764, 3164, SYS_regsrv, C:\Users\j8qq_000\Desktop\OUO-kmzkkfoje.sys, access:0x000F01FF type:0x00000001 start_type:0x00000003 srvname:'OUO-kmzkkfoje_Service' , 0x00000000 [操作成功完成。 ],
21:48:14:250, services.exe, 592:3532, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\OUO-kmzkkfoje_Service, access:0x00020019 , 0x00000000 [操作成功完成。 ],
21:48:15:241, System, 4:396, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\OUO-kmzkkfoje_Service, access:0x00020019 , 0x00000104 [因为文件名产生符号链接,所以需由对象管理器重新运行分析操作。 ],
21:48:15:241, System, 4:396, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\OUO-kmzkkfoje_Service, access:0x00020019 , 0x00000000 [操作成功完成。 ],
21:48:15:241, System, 4:396, 0, REG_getval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\OUO-kmzkkfoje_Service\ImagePath, type:0x00000002 datalen:96 data:'5C 00 3F 00 3F 00 5C 00 43 00 3A 00 5C 00 55 00 ' , 0x00000000 [操作成功完成。 ],
21:48:15:241, System, 4:396, 0, REG_getval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\OUO-kmzkkfoje_Service\Type, type:0x00000004 datalen:4 data:'01 00 00 00 ' , 0x00000000 [操作成功完成。 ],
21:48:15:241, System, 4:396, 0, FILE_open, C:\Users\j8qq_000\Desktop\OUO-kmzkkfoje.sys, access:0x00000020 alloc_size:0 attrib:0x00000000 share_access:0x00000005 disposition:0x00000001 options:0x00000000 , 0x00000000 [操作成功完成。 ],
21:48:15:413, System, 4:396, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Compatibility\Driver\OUO-kmzkkfoje.sys, access:0x00020019 , 0x00000104 [因为文件名产生符号链接,所以需由对象管理器重新运行分析操作。 ],
21:48:15:413, System, 4:396, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Compatibility\Driver\OUO-kmzkkfoje.sys, access:0x00020019 , 0xC0000034 [系统找不到指定的文件。 ],
21:48:15:413, System, 4:396, 0, FILE_open, C:\Windows\apppatch\drvmain.sdb, access:0x00120089 alloc_size:0 attrib:0x00000000 share_access:0x00000005 disposition:0x00000001 options:0x00000000 , 0x00000000 [操作成功完成。 ],
21:48:15:428, System, 4:396, 0, REG_getval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\OUO-kmzkkfoje_Service\ImagePath, type:0x00000002 datalen:96 data:'5C 00 3F 00 3F 00 5C 00 43 00 3A 00 5C 00 55 00 ' , 0x00000000 [操作成功完成。 ],
21:48:15:428, System, 4:396, 0, FILE_open, C:\Windows\apppatch\drvmain.sdb, access:0x00120089 alloc_size:0 attrib:0x00000000 share_access:0x00000005 disposition:0x00000001 options:0x00000000 , 0x00000000 [操作成功完成。 ],
21:48:15:694, System, 4:396, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\ComputerName\ComputerName, access:0x00020019 , 0x00000104 [因为文件名产生符号链接,所以需由对象管理器重新运行分析操作。 ],
21:48:15:694, System, 4:396, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\ComputerName\ComputerName, access:0x00020019 , 0x00000000 [操作成功完成。 ],
21:48:15:694, System, 4:396, 0, REG_getval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\ComputerName\ComputerName\ComputerName, type:0x00000001 datalen:8 data:'48 00 48 00 48 00 00 00 ' , 0x00000000 [操作成功完成。 ],
21:48:15:710, System, 4:396, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\OUO-kmzkkfoje_Service, access:0x000F003F , 0x00000000 [操作成功完成。 ],
21:48:15:710, System, 4:396, 0, REG_getval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\OUO-kmzkkfoje_Service\ImagePath, type:0x00000002 datalen:96 data:'5C 00 3F 00 3F 00 5C 00 43 00 3A 00 5C 00 55 00 ' , 0x00000000 [操作成功完成。 ],
21:48:15:710, System, 4:396, 0, FILE_open, C:\Users\j8qq_000\Desktop\OUO-kmzkkfoje.sys, access:0x00120089 alloc_size:0 attrib:0x00000080 share_access:0x00000001 disposition:0x00000001 options:0x00000060 , 0x00000000 [操作成功完成。 ],
21:48:15:710, System, 4:396, 0, FILE_open, C:\Users\j8qq_000\Desktop\OUO-kmzkkfoje.sys, access:0x00120089 alloc_size:0 attrib:0x00000080 share_access:0x00000001 disposition:0x00000001 options:0x00000060 , 0x00000000 [操作成功完成。 ],
21:48:15:741, System, 4:396, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services, access:0x001F0000 , 0x00000104 [因为文件名产生符号链接,所以需由对象管理器重新运行分析操作。 ],
21:48:15:741, System, 4:396, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services, access:0x001F0000 , 0x00000000 [操作成功完成。 ],
21:48:15:741, System, 4:396, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\.NET CLR Data, access:0x001F0000 , 0x00000104 [因为文件名产生符号链接,所以需由对象管理器重新运行分析操作。 ],
21:48:15:741, System, 4:396, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\.NET CLR Data, access:0x001F0000 , 0x00000000 [操作成功完成。 ],
21:48:15:741, System, 4:396, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\.NETFramework, access:0x001F0000 , 0x00000104 [因为文件名产生符号链接,所以需由对象管理器重新运行分析操作。 ],
21:48:15:741, System, 4:396, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\.NETFramework, access:0x001F0000 , 0x00000000 [操作成功完成。 ],
21:48:15:741, System, 4:396, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BAPIDRV64, access:0x001F0000 , 0x00000104 [因为文件名产生符号链接,所以需由对象管理器重新运行分析操作。 ],
21:48:15:741, System, 4:396, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BAPIDRV64, access:0x001F0000 , 0x00000000 [操作成功完成。 ],
21:48:15:741, System, 4:396, 0, REG_getval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BAPIDRV64\Start, type:0x00000004 datalen:4 data:'03 00 00 00 ' , 0x00000000 [操作成功完成。 ],
21:48:15:741, System, 4:396, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BthHFEnum, access:0x001F0000 , 0x00000104 [因为文件名产生符号链接,所以需由对象管理器重新运行分析操作。 ],
21:48:15:741, System, 4:396, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BthHFEnum, access:0x001F0000 , 0x00000000 [操作成功完成。 ],
21:48:15:741, System, 4:396, 0, REG_getval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BthHFEnum\Start, type:0x00000004 datalen:4 data:'03 00 00 00 ' , 0x00000000 [操作成功完成。 ],
21:48:15:741, System, 4:396, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\COMSysApp, access:0x001F0000 , 0x00000104 [因为文件名产生符号链接,所以需由对象管理器重新运行分析操作。 ],
21:48:15:741, System, 4:396, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\COMSysApp, access:0x001F0000 , 0x00000000 [操作成功完成。 ],
21:48:15:741, System, 4:396, 0, REG_getval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\COMSysApp\Start, type:0x00000004 datalen:4 data:'03 00 00 00 ' , 0x00000000 [操作成功完成。 ],
21:48:15:741, System, 4:396, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DCLocator, access:0x001F0000 , 0x00000104 [因为文件名产生符号链接,所以需由对象管理器重新运行分析操作。 ],
21:48:15:741, System, 4:396, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DCLocator, access:0x001F0000 , 0x00000000 [操作成功完成。 ],
21:48:15:741, System, 4:396, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\defragsvc, access:0x001F0000 , 0x00000104 [因为文件名产生符号链接,所以需由对象管理器重新运行分析操作。 ],
21:48:15:741, System, 4:396, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\defragsvc, access:0x001F0000 , 0x00000000 [操作成功完成。 ],
21:48:15:741, System, 4:396, 0, REG_getval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\defragsvc\Start, type:0x00000004 datalen:4 data:'03 00 00 00 ' , 0x00000000 [操作成功完成。 ],
21:48:15:741, System, 4:396, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DeviceInstall, access:0x001F0000 , 0x00000104 [因为文件名产生符号链接,所以需由对象管理器重新运行分析操作。 ],
21:48:15:741, System, 4:396, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DeviceInstall, access:0x001F0000 , 0x00000000 [操作成功完成。 ],
21:48:15:741, System, 4:396, 0, REG_getval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DeviceInstall\Start, type:0x00000004 datalen:4 data:'03 00 00 00 ' , 0x00000000 [操作成功完成。 ],
21:48:15:741, System, 4:396, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Filetrace, access:0x001F0000 , 0x00000104 [因为文件名产生符号链接,所以需由对象管理器重新运行分析操作。 ],
21:48:15:741, System, 4:396, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Filetrace, access:0x001F0000 , 0x00000000 [操作成功完成。 ],
21:48:15:741, System, 4:396, 0, REG_getval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Filetrace\Start, type:0x00000004 datalen:4 data:'03 00 00 00 ' , 0x00000000 [操作成功完成。 ],
21:48:15:741, System, 4:396, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\FontCache, access:0x001F0000 , 0x00000104 [因为文件名产生符号链接,所以需由对象管理器重新运行分析操作。 ],
21:48:15:741, System, 4:396, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\FontCache, access:0x001F0000 , 0x00000000 [操作成功完成。 ],
21:48:15:741, System, 4:396, 0, REG_getval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\FontCache\Start, type:0x00000004 datalen:4 data:'02 00 00 00 ' , 0x00000000 [操作成功完成。 ],
21:48:15:741, System, 4:396, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\FsDepends, access:0x001F0000 , 0x00000104 [因为文件名产生符号链接,所以需由对象管理器重新运行分析操作。 ],
21:48:15:741, System, 4:396, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\FsDepends, access:0x001F0000 , 0x00000000 [操作成功完成。 ],
21:48:15:741, System, 4:396, 0, REG_getval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\FsDepends\Start, type:0x00000004 datalen:4 data:'03 00 00 00 ' , 0x00000000 [操作成功完成。 ],
21:48:15:741, System, 4:396, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\FsWriteBack64, access:0x001F0000 , 0x00000104 [因为文件名产生符号链接,所以需由对象管理器重新运行分析操作。 ],
21:48:15:741, System, 4:396, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\FsWriteBack64, access:0x001F0000 , 0x00000000 [操作成功完成。 ],
21:48:15:741, System, 4:396, 0, REG_getval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\FsWriteBack64\Start, type:0x00000004 datalen:4 data:'03 00 00 00 ' , 0x00000000 [操作成功完成。 ],
21:48:15:741, System, 4:396, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\mshidkmdf, access:0x001F0000 , 0x00000104 [因为文件名产生符号链接,所以需由对象管理器重新运行分析操作。 ],
21:48:15:741, System, 4:396, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\mshidkmdf, access:0x001F0000 , 0x00000000 [操作成功完成。 ],
21:48:15:741, System, 4:396, 0, REG_getval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\mshidkmdf\Start, type:0x00000004 datalen:4 data:'03 00 00 00 ' , 0x00000000 [操作成功完成。 ],
21:48:15:741, System, 4:396, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\mshidumdf, access:0x001F0000 , 0x00000104 [因为文件名产生符号链接,所以需由对象管理器重新运行分析操作。 ],
21:48:15:741, System, 4:396, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\mshidumdf, access:0x001F0000 , 0x00000000 [操作成功完成。 ],
21:48:15:741, System, 4:396, 0, REG_getval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\mshidumdf\Start, type:0x00000004 datalen:4 data:'03 00 00 00 ' , 0x00000000 [操作成功完成。 ],
21:48:15:741, System, 4:396, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\msiserver, access:0x001F0000 , 0x00000104 [因为文件名产生符号链接,所以需由对象管理器重新运行分析操作。 ],
21:48:15:756, System, 4:396, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\msiserver, access:0x001F0000 , 0x00000000 [操作成功完成。 ],
21:48:15:756, System, 4:396, 0, REG_getval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\msiserver\Start, type:0x00000004 datalen:4 data:'03 00 00 00 ' , 0x00000000 [操作成功完成。 ],
21:48:15:756, System, 4:396, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NdisWanLegacy, access:0x001F0000 , 0x00000104 [因为文件名产生符号链接,所以需由对象管理器重新运行分析操作。 ],
21:48:15:756, System, 4:396, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NdisWanLegacy, access:0x001F0000 , 0x00000000 [操作成功完成。 ],
21:48:15:756, System, 4:396, 0, REG_getval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NdisWanLegacy\Start, type:0x00000004 datalen:4 data:'03 00 00 00 ' , 0x00000000 [操作成功完成。 ],
21:48:15:756, System, 4:396, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\npsvctrig, access:0x001F0000 , 0x00000104 [因为文件名产生符号链接,所以需由对象管理器重新运行分析操作。 ],
21:48:15:756, System, 4:396, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\npsvctrig, access:0x001F0000 , 0x00000000 [操作成功完成。 ],
21:48:15:756, System, 4:396, 0, REG_getval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\npsvctrig\Start, type:0x00000004 datalen:4 data:'01 00 00 00 ' , 0x00000000 [操作成功完成。 ],
21:48:15:756, System, 4:396, 0, REG_getval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\npsvctrig\Group, type:0x00000001 datalen:2 data:'00 00 ' , 0x00000000 [操作成功完成。 ],
21:48:15:756, System, 4:396, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PortProxy, access:0x001F0000 , 0x00000104 [因为文件名产生符号链接,所以需由对象管理器重新运行分析操作。 ],
21:48:15:756, System, 4:396, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PortProxy, access:0x001F0000 , 0x00000000 [操作成功完成。 ],
21:48:15:756, System, 4:396, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Processor, access:0x001F0000 , 0x00000104 [因为文件名产生符号链接,所以需由对象管理器重新运行分析操作。 ],
21:48:15:756, System, 4:396, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Processor, access:0x001F0000 , 0x00000000 [操作成功完成。 ],
21:48:15:756, System, 4:396, 0, REG_getval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Processor\Start, type:0x00000004 datalen:4 data:'03 00 00 00 ' , 0x00000000 [操作成功完成。 ],
21:48:15:756, System, 4:396, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RegFilter, access:0x001F0000 , 0x00000104 [因为文件名产生符号链接,所以需由对象管理器重新运行分析操作。 ],
21:48:15:756, System, 4:396, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RegFilter, access:0x001F0000 , 0x00000000 [操作成功完成。 ],
21:48:15:756, System, 4:396, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\spaceport, access:0x001F0000 , 0x00000104 [因为文件名产生符号链接,所以需由对象管理器重新运行分析操作。 ],
21:48:15:756, System, 4:396, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\spaceport, access:0x001F0000 , 0x00000000 [操作成功完成。 ],
21:48:15:756, System, 4:396, 0, REG_getval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\spaceport\Start, type:0x00000004 datalen:4 data:'00 00 00 00 ' , 0x00000000 [操作成功完成。 ],
21:48:15:756, System, 4:396, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\svga_wddm, access:0x001F0000 , 0x00000104 [因为文件名产生符号链接,所以需由对象管理器重新运行分析操作。 ],
21:48:15:756, System, 4:396, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\svga_wddm, access:0x001F0000 , 0x00000000 [操作成功完成。 ],
21:48:15:756, System, 4:396, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\TFsfltdrv, access:0x001F0000 , 0x00000104 [因为文件名产生符号链接,所以需由对象管理器重新运行分析操作。 ],
21:48:15:756, System, 4:396, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\TFsfltdrv, access:0x001F0000 , 0x00000000 [操作成功完成。 ],
21:48:15:756, System, 4:396, 0, REG_getval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\TFsfltdrv\Start, type:0x00000004 datalen:4 data:'03 00 00 00 ' , 0x00000000 [操作成功完成。 ],
21:48:15:756, System, 4:396, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\UGatherer, access:0x001F0000 , 0x00000104 [因为文件名产生符号链接,所以需由对象管理器重新运行分析操作。 ],
21:48:15:756, System, 4:396, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\UGatherer, access:0x001F0000 , 0x00000000 [操作成功完成。 ],
21:48:15:756, System, 4:396, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\UI0Detect, access:0x001F0000 , 0x00000104 [因为文件名产生符号链接,所以需由对象管理器重新运行分析操作。 ],
21:48:15:756, System, 4:396, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\UI0Detect, access:0x001F0000 , 0x00000000 [操作成功完成。 ],
21:48:15:756, System, 4:396, 0, REG_getval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\UI0Detect\Start, type:0x00000004 datalen:4 data:'03 00 00 00 ' , 0x00000000 [操作成功完成。 ],
21:48:15:756, System, 4:396, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VGAuthService, access:0x001F0000 , 0x00000104 [因为文件名产生符号链接,所以需由对象管理器重新运行分析操作。 ],
21:48:15:756, System, 4:396, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VGAuthService, access:0x001F0000 , 0x00000000 [操作成功完成。 ],
21:48:15:756, System, 4:396, 0, REG_getval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VGAuthService\Start, type:0x00000004 datalen:4 data:'02 00 00 00 ' , 0x00000000 [操作成功完成。 ],
21:48:15:756, System, 4:396, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\vm3dmp_loader, access:0x001F0000 , 0x00000104 [因为文件名产生符号链接,所以需由对象管理器重新运行分析操作。 ],
21:48:15:756, System, 4:396, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\vm3dmp_loader, access:0x001F0000 , 0x00000000 [操作成功完成。 ],
21:48:15:756, System, 4:396, 0, REG_getval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\vm3dmp_loader\Start, type:0x00000004 datalen:4 data:'03 00 00 00 ' , 0x00000000 [操作成功完成。 ],
21:48:15:756, System, 4:396, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\vmicheartbeat, access:0x001F0000 , 0x00000104 [因为文件名产生符号链接,所以需由对象管理器重新运行分析操作。 ],
21:48:15:756, System, 4:396, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\vmicheartbeat, access:0x001F0000 , 0x00000000 [操作成功完成。 ],
21:48:15:756, System, 4:396, 0, REG_getval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\vmicheartbeat\Start, type:0x00000004 datalen:4 data:'03 00 00 00 ' , 0x00000000 [操作成功完成。 ],
21:48:15:756, System, 4:396, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WdiSystemHost, access:0x001F0000 , 0x00000104 [因为文件名产生符号链接,所以需由对象管理器重新运行分析操作。 ],
21:48:15:756, System, 4:396, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WdiSystemHost, access:0x001F0000 , 0x00000000 [操作成功完成。 ],
21:48:15:756, System, 4:396, 0, REG_getval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WdiSystemHost\Start, type:0x00000004 datalen:4 data:'03 00 00 00 ' , 0x00000000 [操作成功完成。 ],
21:48:15:756, System, 4:396, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WebClient, access:0x001F0000 , 0x00000104 [因为文件名产生符号链接,所以需由对象管理器重新运行分析操作。 ],
21:48:15:756, System, 4:396, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WebClient, access:0x001F0000 , 0x00000000 [操作成功完成。 ],
21:48:15:756, System, 4:396, 0, REG_getval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WebClient\Start, type:0x00000004 datalen:4 data:'03 00 00 00 ' , 0x00000000 [操作成功完成。 ],
21:48:15:756, System, 4:396, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wercplsupport, access:0x001F0000 , 0x00000104 [因为文件名产生符号链接,所以需由对象管理器重新运行分析操作。 ],
21:48:15:756, System, 4:396, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wercplsupport, access:0x001F0000 , 0x00000000 [操作成功完成。 ],
21:48:15:756, System, 4:396, 0, REG_getval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wercplsupport\Start, type:0x00000004 datalen:4 data:'03 00 00 00 ' , 0x00000000 [操作成功完成。 ],
21:48:15:756, System, 4:396, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WinDefend, access:0x001F0000 , 0x00000104 [因为文件名产生符号链接,所以需由对象管理器重新运行分析操作。 ],
21:48:15:756, System, 4:396, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WinDefend, access:0x001F0000 , 0x00000000 [操作成功完成。 ],
21:48:15:756, System, 4:396, 0, REG_getval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WinDefend\Start, type:0x00000004 datalen:4 data:'03 00 00 00 ' , 0x00000000 [操作成功完成。 ],
21:48:15:756, System, 4:396, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WMPNetworkSvc, access:0x001F0000 , 0x00000104 [因为文件名产生符号链接,所以需由对象管理器重新运行分析操作。 ],
21:48:15:756, System, 4:396, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WMPNetworkSvc, access:0x001F0000 , 0x00000000 [操作成功完成。 ],
21:48:15:756, System, 4:396, 0, REG_getval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WMPNetworkSvc\Start, type:0x00000004 datalen:4 data:'03 00 00 00 ' , 0x00000000 [操作成功完成。 ],
21:48:15:756, System, 4:396, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WpdUpFltr, access:0x001F0000 , 0x00000104 [因为文件名产生符号链接,所以需由对象管理器重新运行分析操作。 ],
21:48:15:756, System, 4:396, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WpdUpFltr, access:0x001F0000 , 0x00000000 [操作成功完成。 ],
21:48:15:756, System, 4:396, 0, REG_getval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WpdUpFltr\Start, type:0x00000004 datalen:4 data:'03 00 00 00 ' , 0x00000000 [操作成功完成。 ],
21:48:15:756, System, 4:396, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WSService, access:0x001F0000 , 0x00000104 [因为文件名产生符号链接,所以需由对象管理器重新运行分析操作。 ],
21:48:15:756, System, 4:396, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WSService, access:0x001F0000 , 0x00000000 [操作成功完成。 ],
21:48:15:756, System, 4:396, 0, REG_getval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WSService\Start, type:0x00000004 datalen:4 data:'03 00 00 00 ' , 0x00000000 [操作成功完成。 ],
21:48:15:756, System, 4:396, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WUDFWpdFs, access:0x001F0000 , 0x00000104 [因为文件名产生符号链接,所以需由对象管理器重新运行分析操作。 ],
21:48:15:756, System, 4:396, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WUDFWpdFs, access:0x001F0000 , 0x00000000 [操作成功完成。 ],
21:48:15:756, System, 4:396, 0, REG_getval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WUDFWpdFs\Start, type:0x00000004 datalen:4 data:'03 00 00 00 ' , 0x00000000 [操作成功完成。 ],
21:48:15:756, System, 4:396, 0, FILE_open, C:\Windows\System32\drivers\bthhfenum.sys, access:0x00120089 alloc_size:0 attrib:0x00000080 share_access:0x00000001 disposition:0x00000001 options:0x00000060 , 0x00000000 [操作成功完成。 ],
21:48:15:756, System, 4:396, 0, FILE_open, C:\Windows\System32\drivers\bthhfenum.sys, access:0x00120089 alloc_size:0 attrib:0x00000080 share_access:0x00000001 disposition:0x00000001 options:0x00000060 , 0x00000000 [操作成功完成。 ],
21:48:15:783, System, 4:396, 0, FILE_open, C:\Windows\System32\drivers\filetrace.sys, access:0x00120089 alloc_size:0 attrib:0x00000080 share_access:0x00000001 disposition:0x00000001 options:0x00000060 , 0x00000000 [操作成功完成。 ],
21:48:15:783, System, 4:396, 0, FILE_open, C:\Windows\System32\drivers\filetrace.sys, access:0x00120089 alloc_size:0 attrib:0x00000080 share_access:0x00000001 disposition:0x00000001 options:0x00000060 , 0x00000000 [操作成功完成。 ],
21:48:15:799, System, 4:396, 0, FILE_open, C:\Windows\System32\drivers\fsdepends.sys, access:0x00120089 alloc_size:0 attrib:0x00000080 share_access:0x00000001 disposition:0x00000001 options:0x00000060 , 0x00000000 [操作成功完成。 ],
21:48:15:799, System, 4:396, 0, FILE_open, C:\Windows\System32\drivers\fsdepends.sys, access:0x00120089 alloc_size:0 attrib:0x00000080 share_access:0x00000001 disposition:0x00000001 options:0x00000060 , 0x00000000 [操作成功完成。 ],
21:48:15:815, System, 4:396, 0, FILE_open, C:\Windows\System32\drivers\msgpioclx.sys, access:0x00120089 alloc_size:0 attrib:0x00000080 share_access:0x00000001 disposition:0x00000001 options:0x00000060 , 0x00000000 [操作成功完成。 ],
21:48:15:815, System, 4:396, 0, FILE_open, C:\Windows\System32\drivers\msgpioclx.sys, access:0x00120089 alloc_size:0 attrib:0x00000080 share_access:0x00000001 disposition:0x00000001 options:0x00000060 , 0x00000000 [操作成功完成。 ],
21:48:15:819, System, 4:396, 0, FILE_open, C:\Windows\System32\drivers\mshidkmdf.sys, access:0x00120089 alloc_size:0 attrib:0x00000080 share_access:0x00000001 disposition:0x00000001 options:0x00000060 , 0x00000000 [操作成功完成。 ],
21:48:15:819, System, 4:396, 0, FILE_open, C:\Windows\System32\drivers\mshidkmdf.sys, access:0x00120089 alloc_size:0 attrib:0x00000080 share_access:0x00000001 disposition:0x00000001 options:0x00000060 , 0x00000000 [操作成功完成。 ],
21:48:15:819, System, 4:396, 0, FILE_open, C:\Windows\System32\drivers\mshidumdf.sys, access:0x00120089 alloc_size:0 attrib:0x00000080 share_access:0x00000001 disposition:0x00000001 options:0x00000060 , 0x00000000 [操作成功完成。 ],
21:48:15:819, System, 4:396, 0, FILE_open, C:\Windows\System32\drivers\mshidumdf.sys, access:0x00120089 alloc_size:0 attrib:0x00000080 share_access:0x00000001 disposition:0x00000001 options:0x00000060 , 0x00000000 [操作成功完成。 ],
21:48:15:835, System, 4:396, 0, FILE_open, C:\Windows\System32\drivers\npsvctrig.sys, access:0x00120089 alloc_size:0 attrib:0x00000080 share_access:0x00000001 disposition:0x00000001 options:0x00000060 , 0x00000000 [操作成功完成。 ],
21:48:15:835, System, 4:396, 0, FILE_open, C:\Windows\System32\drivers\npsvctrig.sys, access:0x00120089 alloc_size:0 attrib:0x00000080 share_access:0x00000001 disposition:0x00000001 options:0x00000060 , 0x00000000 [操作成功完成。 ],
21:48:15:835, System, 4:396, 0, FILE_open, C:\Windows\System32\drivers\spaceport.sys, access:0x00120089 alloc_size:0 attrib:0x00000080 share_access:0x00000001 disposition:0x00000001 options:0x00000060 , 0x00000000 [操作成功完成。 ],
21:48:15:835, System, 4:396, 0, FILE_open, C:\Windows\System32\drivers\spaceport.sys, access:0x00120089 alloc_size:0 attrib:0x00000080 share_access:0x00000001 disposition:0x00000001 options:0x00000060 , 0x00000000 [操作成功完成。 ],
21:48:15:851, System, 4:396, 0, FILE_open, C:\Windows\System32\drivers\werkernel.sys, access:0x00120089 alloc_size:0 attrib:0x00000080 share_access:0x00000001 disposition:0x00000001 options:0x00000060 , 0x00000000 [操作成功完成。 ],
21:48:15:851, System, 4:396, 0, FILE_open, C:\Windows\System32\drivers\werkernel.sys, access:0x00120089 alloc_size:0 attrib:0x00000080 share_access:0x00000001 disposition:0x00000001 options:0x00000060 , 0x00000000 [操作成功完成。 ],
21:48:15:866, System, 4:396, 0, FILE_open, C:\Windows\System32\drivers\WpdUpFltr.sys, access:0x00120089 alloc_size:0 attrib:0x00000080 share_access:0x00000001 disposition:0x00000001 options:0x00000060 , 0x00000000 [操作成功完成。 ],
21:48:15:866, System, 4:396, 0, FILE_open, C:\Windows\System32\drivers\WpdUpFltr.sys, access:0x00120089 alloc_size:0 attrib:0x00000080 share_access:0x00000001 disposition:0x00000001 options:0x00000060 , 0x00000000 [操作成功完成。 ],
21:48:15:866, System, 4:396, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\lvhmvkrjd, access:0x000F003F , 0x00000104 [因为文件名产生符号链接,所以需由对象管理器重新运行分析操作。 ],
21:48:15:866, System, 4:396, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\lvhmvkrjd, access:0x000F003F , 0xC0000034 [系统找不到指定的文件。 ],
21:48:15:866, System, 4:396, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ombzvrjmi, access:0x000F003F , 0x00000104 [因为文件名产生符号链接,所以需由对象管理器重新运行分析操作。 ],
21:48:15:866, System, 4:396, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ombzvrjmi, access:0x000F003F , 0xC0000034 [系统找不到指定的文件。 ],
21:48:15:866, System, 4:396, 0, REG_mkkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ombzvrjmi, access:0x000F003F , 0x00000104 [因为文件名产生符号链接,所以需由对象管理器重新运行分析操作。 ],
21:48:15:866, System, 4:396, 0, REG_mkkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ombzvrjmi, access:0x000F003F , 0x00000000 [操作成功完成。 ],
21:48:15:866, System, 4:396, 0, REG_setval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ombzvrjmi\DisplayName, type:0x00000001 datalen:28 data:'6C 76 68 6D 76 6B 72 6A 64 2E 73 79 73 00 ' , 0x00000000 [操作成功完成。 ],
21:48:15:866, System, 4:396, 0, REG_setval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ombzvrjmi\ErrorControl, type:0x00000004 datalen:4 data:'01 00 00 00 ' , 0x00000000 [操作成功完成。 ],
21:48:15:866, System, 4:396, 0, REG_setval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ombzvrjmi\ImagePath, type:0x00000001 datalen:92 data:'5C 3F 3F 5C 43 3A 5C 57 49 4E 44 4F 57 53 5C 73 ' , 0x00000000 [操作成功完成。 ],
21:48:15:866, System, 4:396, 0, REG_setval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ombzvrjmi\Start, type:0x00000004 datalen:4 data:'01 00 00 00 ' , 0x00000000 [操作成功完成。 ],
21:48:15:866, System, 4:396, 0, REG_setval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ombzvrjmi\Group, type:0x00000001 datalen:8 data:'54 44 49 00 ' , 0x00000000 [操作成功完成。 ],
21:48:15:866, System, 4:396, 0, REG_setval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ombzvrjmi\Type, type:0x00000004 datalen:4 data:'01 00 00 00 ' , 0x00000000 [操作成功完成。 ],
21:48:15:866, System, 4:396, 0, FILE_touch, C:\Windows\System32\drivers\kqccwawxy.sys, access:0x001F01FF alloc_size:0 attrib:0x00000080 share_access:0x00000001 disposition:0x00000005 options:0x00000020 , 0x00000000 [操作成功完成。 ],
21:48:15:866, System, 4:396, 0, FILE_truncate, C:\Windows\System32\drivers\kqccwawxy.sys, eof:0x00000000 , 0x00000000 [操作成功完成。 ],
21:48:15:866, System, 4:396, 0, FILE_write, C:\Windows\System32\drivers\kqccwawxy.sys, offset:0x00000000 datalen:0x00001E20 , 0x00000000 [操作成功完成。 ],
21:48:15:866, System, 4:396, 0, FILE_modified, C:\Windows\System32\drivers\kqccwawxy.sys, , 0x00000000 [操作成功完成。 ],
21:48:15:866, System, 4:396, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wbmypegmj, access:0x000F003F , 0x00000104 [因为文件名产生符号链接,所以需由对象管理器重新运行分析操作。 ],
21:48:15:866, System, 4:396, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wbmypegmj, access:0x000F003F , 0xC0000034 [系统找不到指定的文件。 ],
21:48:15:866, System, 4:396, 0, REG_mkkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wbmypegmj.sys, access:0x000F003F , 0x00000104 [因为文件名产生符号链接,所以需由对象管理器重新运行分析操作。 ],
21:48:15:882, System, 4:396, 0, REG_mkkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wbmypegmj.sys, access:0x000F003F , 0x00000000 [操作成功完成。 ],
21:48:15:882, System, 4:396, 0, REG_setval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wbmypegmj.sys\DisplayName, type:0x00000001 datalen:10 data:'2E 73 79 73 00 ' , 0x00000000 [操作成功完成。 ],
21:48:15:882, System, 4:396, 0, REG_setval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wbmypegmj.sys\ErrorControl, type:0x00000004 datalen:4 data:'01 00 00 00 ' , 0x00000000 [操作成功完成。 ],
21:48:15:882, System, 4:396, 0, REG_setval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wbmypegmj.sys\ImagePath, type:0x00000001 datalen:92 data:'5C 3F 3F 5C 43 3A 5C 57 49 4E 44 4F 57 53 5C 73 ' , 0x00000000 [操作成功完成。 ],
21:48:15:882, System, 4:396, 0, REG_setval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wbmypegmj.sys\Start, type:0x00000004 datalen:4 data:'01 00 00 00 ' , 0x00000000 [操作成功完成。 ],
21:48:15:882, System, 4:396, 0, REG_setval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wbmypegmj.sys\Group, type:0x00000001 datalen:8 data:'54 44 49 00 ' , 0x00000000 [操作成功完成。 ],
21:48:15:882, System, 4:396, 0, REG_setval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wbmypegmj.sys\Type, type:0x00000004 datalen:4 data:'01 00 00 00 ' , 0x00000000 [操作成功完成。 ],
21:48:15:882, System, 4:396, 0, FILE_touch, C:\Windows\System32\drivers\wbmypegmj.sys, access:0x001F01FF alloc_size:0 attrib:0x00000080 share_access:0x00000001 disposition:0x00000005 options:0x00000020 , 0x00000000 [操作成功完成。 ],
21:48:15:882, System, 4:396, 0, FILE_truncate, C:\Windows\System32\drivers\wbmypegmj.sys, eof:0x00000000 , 0x00000000 [操作成功完成。 ],
21:48:15:882, System, 4:396, 0, FILE_write, C:\Windows\System32\drivers\wbmypegmj.sys, offset:0x00000000 datalen:0x000ED400 , 0x00000000 [操作成功完成。 ],
21:48:15:882, System, 4:396, 0, FILE_modified, C:\Windows\System32\drivers\wbmypegmj.sys, , 0x00000000 [操作成功完成。 ],
21:48:15:882, services.exe, 592:3532, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\OUO-kmzkkfoje_Service, access:0x00020019 , 0x00000000 [操作成功完成。 ],
21:48:15:882, System, 4:2540, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}, access:0x000F003F , 0x00000104 [因为文件名产生符号链接,所以需由对象管理器重新运行分析操作。 ],
21:48:15:882, 加驱用.exe, 3164:3764, 3164, SYS_load_kmod, C:\Users\j8qq_000\Desktop\OUO-kmzkkfoje.sys, , 0x00000000 [操作成功完成。 ],
After loading completes, it goes online:
21:49:16:523, System, 4:2540, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\Tcpip\Parameters, access:0x00020019 , 0x00000104 [因为文件名产生符号链接,所以需由对象管理器重新运行分析操作。 ],
21:49:16:523, System, 4:2540, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\Tcpip\Parameters, access:0x00020019 , 0x00000000 [操作成功完成。 ],
21:49:16:523, System, 4:2540, 0, REG_getval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Hostname, type:0x00000001 datalen:8 data:'68 00 68 00 68 00 00 00 ' , 0x00000000 [操作成功完成。 ],
21:49:16:523, System, 4:2540, 0, NET_connect, 114.114.114.114:53, protocol:(UDP)1 , 0x00000000 [操作成功完成。 ],
21:49:16:523, System, 4:2540, 0, NET_send, 114.114.114.114:53, protocol:(UDP)1 datalen:25 data:'4D 47 01 00 00 01 00 00 00 00 00 00 04 34 31 6B ' , 0x00000000 [操作成功完成。 ],
21:49:16:585, System, 4:2540, 0, REG_mkkey, HKEY_LOCAL_MACHINE\SOFTWARE\GMPROT, access:0x000F003F , 0x00000000 [操作成功完成。 ],
21:49:16:585, System, 4:2540, 0, REG_setval, HKEY_LOCAL_MACHINE\SOFTWARE\GMPROT\DN, type:0x00000001 datalen:76 data:'7B 37 63 30 34 64 31 65 64 2D 66 33 33 65 2D 31 ' , 0x00000000 [操作成功完成。 ],
21:49:16:585, System, 4:2540, 0, NET_connect, 103.71.239.27:10100, protocol:(TCP)0 , 0x00000000 [操作成功完成。 ],
21:49:16:616, System, 4:2540, 0, NET_http, 41ku.cn:10100/api/service/getinfo, protocol:(TCP)0 cmd:'POST' datalen:239 , 0x00000000 [操作成功完成。 ],
21:49:16:616, System, 4:2540, 0, NET_send, 103.71.239.27:10100, protocol:(TCP)0 datalen:239 data:'50 4F 53 54 20 2F 61 70 69 2F 73 65 72 76 69 63 ' , 0x00000000 [操作成功完成。 ],
21:49:19:791, System, 4:2540, 0, NET_connect, 103.71.239.27:10100, protocol:(TCP)0 , 0x00000000 [操作成功完成。 ],
21:49:19:866, System, 4:2540, 0, NET_http, 41ku.cn:10100/xccdd, protocol:(TCP)0 cmd:'GET' datalen:141 , 0x00000000 [操作成功完成。 ],
21:49:19:866, System, 4:2540, 0, NET_send, 103.71.239.27:10100, protocol:(TCP)0 datalen:141 data:'47 45 54 20 2F 78 63 63 64 64 20 48 54 54 50 2F ' , 0x00000000 [操作成功完成。 ],
21:49:19:913, System, 4:2540, 0, NET_connect, 114.114.114.114:53, protocol:(UDP)1 , 0x00000000 [操作成功完成。 ],
21:49:19:913, System, 4:2540, 0, NET_send, 114.114.114.114:53, protocol:(UDP)1 datalen:33 data:'4D 4B 01 00 00 01 00 00 00 00 00 00 05 69 6D 67 ' , 0x00000000 [操作成功完成。 ],
21:49:19:929, System, 4:2540, 0, NET_connect, 180.163.198.48:80, protocol:(TCP)0 , 0x00000000 [操作成功完成。 ],
21:49:19:929, System, 4:2540, 0, NET_http, imgsa.baidu.com /forum/pic/item/c27b6634970a304e89ce03f6dec8a786c8175cb6.jpg, protocol:(TCP)0 cmd:'GET' datalen:213 , 0x00000000 [操作成功完成。 ],
21:49:19:929, System, 4:2540, 0, NET_send, 180.163.198.48:80, protocol:(TCP)0 datalen:213 data:'47 45 54 20 2F 66 6F 72 75 6D 2F 70 69 63 2F 69 ' , 0x00000000 [操作成功完成。 ],
21:49:19:944, System, 4:2540, 0, NET_connect, 180.163.198.48:80, protocol:(TCP)0 , 0x00000000 [操作成功完成。 ],
21:49:19:944, System, 4:2540, 0, NET_http, imgsa.baidu.com /forum/pic/item/758909738bd4b31c8f9237b788d6277f9f2ff8f0.jpg, protocol:(TCP)0 cmd:'GET' datalen:213 , 0x00000000 [操作成功完成。 ],
21:49:19:944, System, 4:2540, 0, NET_send, 180.163.198.48:80, protocol:(TCP)0 datalen:213 data:'47 45 54 20 2F 66 6F 72 75 6D 2F 70 69 63 2F 69 ' , 0x00000000 [操作成功完成。 ],
21:49:20:112, System, 4:2540, 0, FILE_touch, C:\Windows\System32\amdintelcfg1.dat, access:0x001F01FF alloc_size:0 attrib:0x00000080 share_access:0x00000001 disposition:0x00000005 options:0x00000020 , 0x00000000 [操作成功完成。 ],
21:49:20:116, System, 4:2540, 0, FILE_truncate, C:\Windows\System32\amdintelcfg1.dat, eof:0x00000000 , 0x00000000 [操作成功完成。 ],
21:49:20:116, System, 4:2540, 0, FILE_write, C:\Windows\System32\amdintelcfg1.dat, offset:0x00000000 datalen:0x00058F24 , 0x00000000 [操作成功完成。 ],
21:49:20:116, System, 4:2540, 0, FILE_modified, C:\Windows\System32\amdintelcfg1.dat, , 0x00000000 [操作成功完成。 ],
5. Infection symptoms: most likely cloud-controlled. In the VM not much of it took effect; there is no self-protection, just bare kernel threads and three unprotected drivers: one 7KB driver and two of equal size. Apart from the one that is loaded, the rest just sit registered in the registry waiting, but are not loaded... Then it uses System to download a .dat configuration file, 300-some KB.
Hooks: just one Shutdown hook and three kernel hooks, that's it.
Configuration file:
One thing to note, though: System's process operations against other processes are no longer visible in Huorong Sword (火绒剑) or Huorong (火绒); by default Huorong blocks System from injecting into critical processes! Explorer.exe and svchost.exe have probably had threads injected by some means... explorer keeps opening PCH, Huorong and the driver files... plus a bunch of operations on the SafeBoot registry key...
6. Actions after cloud control:
A. Intrusion flow description:
1.sys is a download-and-load component; it has no strong self-protection of its own and is only responsible for downloading files, injecting into processes, loading drivers and running files.
2.sys is one of the components, a standard ROOTKIT: it locks down reads/writes, registers every kernel callback, checks all driver files, and deletes any 360 driver it finds...
B. Cloud-directed intrusion actions:
22:48:04:235, System, 4:260, 0, FILE_open, C:\Windows\System32\drivers\condrv.sys, access:0x00000020 alloc_size:0 attrib:0x00000000 share_access:0x00000005 disposition:0x00000001 options:0x00000000 , 0x00000000 [操作成功完成。 ],
22:48:04:262, winaudio.exe, 2548:0, 0, EXEC_create, C:\Windows\System32\Conhost.exe, parent_pid:2560 cmdline:'\??\C:\Windows\system32\conhost.exe 0xffffffff' image_base:0x00007FF70DAD0000 image_size:0x0005E000 , 0x00000000 [操作成功完成。 ],
22:48:04:278, System, 4:260, 0, FILE_open, C:\Windows\System32\conhost.exe, access:0x000000A1 alloc_size:0 attrib:0x00000080 share_access:0x00000007 disposition:0x00000001 options:0x00000140 , 0x00000000 [操作成功完成。 ],
22:48:04:325, winaudio.exe, 2548:2460, 0, FILE_open, C:\Windows\System32\conhost.exe, access:0x001200A9 alloc_size:0 attrib:0x00000000 share_access:0x00000005 disposition:0x00000001 options:0x00000060 , 0x00000000 [操作成功完成。 ],
22:48:04:419, winaudio.exe, 2548:2460, 0, FILE_open, C:\Windows\Fonts\simsun.ttc, access:0x001200A9 alloc_size:0 attrib:0x00000080 share_access:0x00000005 disposition:0x00000001 options:0x00000010 , 0x00000000 [操作成功完成。 ],
22:48:04:778, winaudio.exe, 2548:0, 0, EXEC_destroy, C:\Windows\System32\Conhost.exe, parent_pid:2560 cmdline:'\??\C:\Windows\system32\conhost.exe 0xffffffff' , 0x00000000 [操作成功完成。 ],
22:48:11:468, Explorer.EXE, 2796:2732, 0, NET_connect, 117.18.237.29:80, protocol:(TCP)0 , 0x00000000 [操作成功完成。 ],
22:48:11:747, Explorer.EXE, 2796:796, 0, PROC_kill, C:\Users\j8qq_000\Desktop\tools\PCHunter_free\PCHunter64.exe, target_pid:1860 exitcode:-1073740756 , 0x00000000 [操作成功完成。 ],
22:48:11:763, System, 4:260, 0, FILE_open, C:\Users\j8qq_000\Desktop\tools\PCHunter_free\PCHunter64.exe, access:0x000000A1 alloc_size:0 attrib:0x00000080 share_access:0x00000007 disposition:0x00000001 options:0x00000140 , 0x00000000 [操作成功完成。 ],
22:48:11:778, System, 4:260, 0, FILE_open, C:\Users\j8qq_000\Desktop\tools\PCHunter_free\PCHunter64.cfg, access:0x000000A1 alloc_size:0 attrib:0x00000080 share_access:0x00000007 disposition:0x00000001 options:0x00000140 , 0x00000000 [操作成功完成。 ],
22:48:36:872, System, 4:32, 0, REG_rmval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\hivelist\\REGISTRY\MACHINE\DRIVERS, keyname:'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\hivelist' , 0x00000000 [操作成功完成。 ],
22:48:36:903, System, 4:264, 0, FILE_chmod, C:\Windows\System32\config\DRIVERS, attrib:0x00000020 , 0x00000000 [操作成功完成。 ],
22:49:56:999, System, 4:1728, 0, NET_connect, 114.114.114.114:53, protocol:(UDP)1 , 0x00000000 [操作成功完成。 ],
22:49:56:999, System, 4:1728, 0, NET_send, 114.114.114.114:53, protocol:(UDP)1 datalen:33 data:'4B 69 01 00 00 01 00 00 00 00 00 00 05 69 6D 67 ' , 0x00000000 [操作成功完成。 ],
22:49:57:015, System, 4:1728, 0, NET_connect, 180.163.198.48:80, protocol:(TCP)0 , 0x00000000 [操作成功完成。 ],
22:49:57:028, System, 4:1728, 0, NET_http, imgsa.baidu.com /forum/pic/item/90a75e310a55b3191a5321794ca98226cefc17fc.jpg, protocol:(TCP)0 cmd:'GET' datalen:213 , 0x00000000 [操作成功完成。 ],
22:49:57:028, System, 4:1728, 0, NET_send, 180.163.198.48:80, protocol:(TCP)0 datalen:213 data:'47 45 54 20 2F 66 6F 72 75 6D 2F 70 69 63 2F 69 ' , 0x00000000 [操作成功完成。 ],
22:49:57:450, System, 4:1728, 0, FILE_touch, C:\Windows\System32\drivers\tsddxyckhm.sys, access:0x001F01FF alloc_size:0 attrib:0x00000080 share_access:0x00000001 disposition:0x00000005 options:0x00000020 , 0x00000000 [操作成功完成。 ],
22:49:57:450, System, 4:1728, 0, FILE_truncate, C:\Windows\System32\drivers\tsddxyckhm.sys, eof:0x00000000 , 0x00000000 [操作成功完成。 ],
22:49:57:450, System, 4:1728, 0, FILE_write, C:\Windows\System32\drivers\tsddxyckhm.sys, offset:0x00000000 datalen:0x000E2E00 , 0x00000000 [操作成功完成。 ],
22:49:57:450, System, 4:1728, 0, FILE_modified, C:\Windows\System32\drivers\tsddxyckhm.sys, , 0x00000000 [操作成功完成。 ],
22:49:57:450, System, 4:1728, 0, REG_mkkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\mqtnxcunax, access:0x000F003F , 0x00000104 [因为文件名产生符号链接,所以需由对象管理器重新运行分析操作。 ],
22:49:57:450, System, 4:1728, 0, REG_mkkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\mqtnxcunax, access:0x000F003F , 0x00000000 [操作成功完成。 ],
22:49:57:450, System, 4:1728, 0, REG_setval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\mqtnxcunax\DisplayName, type:0x00000001 datalen:20 data:'71 76 69 76 62 66 63 6B 7A 00 ' , 0x00000000 [操作成功完成。 ],
22:49:57:450, System, 4:1728, 0, REG_setval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\mqtnxcunax\ErrorControl, type:0x00000004 datalen:4 data:'01 00 00 00 ' , 0x00000000 [操作成功完成。 ],
22:49:57:450, System, 4:1728, 0, REG_setval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\mqtnxcunax\ImagePath, type:0x00000001 datalen:94 data:'5C 3F 3F 5C 43 3A 5C 57 49 4E 44 4F 57 53 5C 73 ' , 0x00000000 [操作成功完成。 ],
22:49:57:450, System, 4:1728, 0, REG_setval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\mqtnxcunax\Start, type:0x00000004 datalen:4 data:'01 00 00 00 ' , 0x00000000 [操作成功完成。 ],
22:49:57:450, System, 4:1728, 0, REG_setval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\mqtnxcunax\Group, type:0x00000001 datalen:8 data:'54 44 49 00 ' , 0x00000000 [操作成功完成。 ],
22:49:57:450, System, 4:1728, 0, REG_setval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\mqtnxcunax\Type, type:0x00000004 datalen:4 data:'01 00 00 00 ' , 0x00000000 [操作成功完成。 ],
22:49:57:450, System, 4:1728, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\mqtnxcunax, access:0x00020019 , 0x00000104 [因为文件名产生符号链接,所以需由对象管理器重新运行分析操作。 ],
22:49:57:450, System, 4:1728, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\mqtnxcunax, access:0x00020019 , 0x00000000 [操作成功完成。 ],
22:49:57:450, System, 4:1728, 0, REG_getval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\mqtnxcunax\ImagePath, type:0x00000001 datalen:94 data:'5C 00 3F 00 3F 00 5C 00 43 00 3A 00 5C 00 57 00 ' , 0x00000000 [操作成功完成。 ],
22:49:57:450, System, 4:1728, 0, REG_getval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\mqtnxcunax\Type, type:0x00000004 datalen:4 data:'01 00 00 00 ' , 0x00000000 [操作成功完成。 ],
22:49:57:450, System, 4:1728, 0, FILE_open, C:\Windows\System32\drivers\tsddxyckhm.sys, access:0x00000020 alloc_size:0 attrib:0x00000000 share_access:0x00000005 disposition:0x00000001 options:0x00000000 , 0x00000000 [操作成功完成。 ],
22:49:57:498, System, 4:1728, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Compatibility\Driver\tsddxyckhm.sys, access:0x00020019 , 0x00000104 [因为文件名产生符号链接,所以需由对象管理器重新运行分析操作。 ],
22:49:57:498, System, 4:1728, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Compatibility\Driver\tsddxyckhm.sys, access:0x00020019 , 0xC0000034 [系统找不到指定的文件。 ],
22:49:57:498, System, 4:1728, 0, FILE_open, C:\Windows\apppatch\drvmain.sdb, access:0x00120089 alloc_size:0 attrib:0x00000000 share_access:0x00000005 disposition:0x00000001 options:0x00000000 , 0x00000000 [操作成功完成。 ],
22:49:57:498, System, 4:1728, 0, REG_getval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\mqtnxcunax\ImagePath, type:0x00000001 datalen:94 data:'5C 00 3F 00 3F 00 5C 00 43 00 3A 00 5C 00 57 00 ' , 0x00000000 [操作成功完成。 ],
22:49:57:498, System, 4:1728, 0, FILE_open, C:\Windows\apppatch\drvmain.sdb, access:0x00120089 alloc_size:0 attrib:0x00000000 share_access:0x00000005 disposition:0x00000001 options:0x00000000 , 0x00000000 [操作成功完成。 ],
22:49:57:709, System, 4:1728, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager, access:0x02020019 , 0x00000104 [因为文件名产生符号链接,所以需由对象管理器重新运行分析操作。 ],
22:49:57:709, System, 4:1728, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager, access:0x02020019 , 0x00000000 [操作成功完成。 ],
22:49:57:709, System, 4:1728, 0, REG_openkey, HKEY_LOCAL_MACHINE\HARDWAREDEVICEMAPScsi, access:0x00020019 , 0xC0000034 [系统找不到指定的文件。 ],
22:49:57:709, System, 4:1728, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\SCSI, access:0x00020019 , 0x00000104 [因为文件名产生符号链接,所以需由对象管理器重新运行分析操作。 ],
22:49:57:709, System, 4:1728, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\SCSI, access:0x00020019 , 0x00000000 [操作成功完成。 ],
22:49:57:709, System, 4:1728, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\ComputerName\ComputerName, access:0x00020019 , 0x00000104 [因为文件名产生符号链接,所以需由对象管理器重新运行分析操作。 ],
22:49:57:709, System, 4:1728, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\ComputerName\ComputerName, access:0x00020019 , 0x00000000 [操作成功完成。 ],
22:49:57:709, System, 4:1728, 0, REG_getval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\ComputerName\ComputerName\ComputerName, type:0x00000001 datalen:8 data:'48 00 48 00 48 00 00 00 ' , 0x00000000 [操作成功完成。 ],
22:49:57:709, System, 4:1728, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\mqtnxcunax, access:0x000F003F , 0x00000000 [操作成功完成。 ],
22:49:57:709, System, 4:1728, 0, REG_getval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\mqtnxcunax\ImagePath, type:0x00000001 datalen:94 data:'5C 00 3F 00 3F 00 5C 00 43 00 3A 00 5C 00 57 00 ' , 0x00000000 [操作成功完成。 ],
22:49:57:709, System, 4:1728, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\mqtnxcunax, access:0x00020019 , 0x00000000 [操作成功完成。 ],
22:49:57:709, System, 4:1728, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\mqtnxcunax, access:0x00020019 , 0x00000000 [操作成功完成。 ],
22:49:57:709, System, 4:1728, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\mqtnxcunax, access:0x0002001F , 0x00000000 [操作成功完成。 ],
22:49:57:709, System, 4:1728, 0, REG_getval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\mqtnxcunax\ImagePath, type:0x00000001 datalen:94 data:'5C 00 3F 00 3F 00 5C 00 43 00 3A 00 5C 00 57 00 ' , 0x00000000 [操作成功完成。 ],
22:49:57:709, System, 4:1728, 0, REG_getval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\mqtnxcunax\Start, type:0x00000004 datalen:4 data:'01 00 00 00 ' , 0x00000000 [操作成功完成。 ],
22:49:57:709, System, 4:1728, 0, REG_getval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\mqtnxcunax\Group, type:0x00000001 datalen:8 data:'54 00 44 00 49 00 00 00 ' , 0x00000000 [操作成功完成。 ],
22:49:57:709, System, 4:1728, 0, FILE_open, C:\Windows\System32\drivers\tsddxyckhm.sys, access:0x00120089 alloc_size:0 attrib:0x00000080 share_access:0x00000001 disposition:0x00000001 options:0x00000060 , 0x00000000 [操作成功完成。 ],
22:49:57:716, System, 4:1728, 0, FILE_open, C:\Windows\System32\drivers\tsddxyckhm.sys, access:0x00120089 alloc_size:0 attrib:0x00000080 share_access:0x00000001 disposition:0x00000001 options:0x00000060 , 0x00000000 [操作成功完成。 ],
22:49:57:747, System, 4:1728, 0, FILE_open, C:\Windows\System32\drivers\tsddxyckhm.sys, access:0x00000080 alloc_size:0 attrib:0x00000000 share_access:0x00000007 disposition:0x00000001 options:0x00204000 , 0x00000000 [操作成功完成。 ],
22:49:57:747, System, 4:1728, 0, FILE_open, C:\Windows\System32\drivers\tsddxyckhm.sys, access:0x00000080 alloc_size:0 attrib:0x00000000 share_access:0x00000000 disposition:0x00000001 options:0x00000020 , 0x00000000 [操作成功完成。 ],
22:49:57:747, System, 4:1728, 0, FILE_open, C:\Windows\System32\drivers\tsddxyckhm.sys, access:0x00000080 alloc_size:0 attrib:0x00000000 share_access:0x00000007 disposition:0x00000001 options:0x00204000 , 0x00000000 [操作成功完成。 ],
22:49:57:747, System, 4:1728, 0, FILE_open, C:\Windows\System32\drivers\tsddxyckhm.sys, access:0x00000080 alloc_size:0 attrib:0x00000000 share_access:0x00000000 disposition:0x00000001 options:0x00000020 , 0x00000000 [操作成功完成。 ],
22:49:57:747, System, 4:1728, 0, FILE_open, C:\Windows\System32\drivers\tsddxyckhm.sys, access:0x00120089 alloc_size:0 attrib:0x00000080 share_access:0x00000001 disposition:0x00000001 options:0x00000020 , 0x00000000 [操作成功完成。 ],
22:49:57:747, System, 4:1728, 0, FILE_open, C:\Windows\System32\ntdll.dll, access:0x00100020 alloc_size:0 attrib:0x00000000 share_access:0x00000001 disposition:0x00000001 options:0x00000020 , 0x00000000 [操作成功完成。 ],
22:49:57:747, System, 4:2272, 0, FILE_open, C:\Windows\System32\ntoskrnl.exe, access:0x00120089 alloc_size:0 attrib:0x00000080 share_access:0x00000001 disposition:0x00000001 options:0x00000060 , 0x00000000 [操作成功完成。 ],
22:49:57:747, System, 4:2272, 0, FILE_open, C:\Windows\System32\hal.dll, access:0x00120089 alloc_size:0 attrib:0x00000080 share_access:0x00000001 disposition:0x00000001 options:0x00000060 , 0x00000000 [操作成功完成。 ],
22:49:57:747, System, 4:2272, 0, FILE_open, C:\Windows\System32\kd.dll, access:0x00120089 alloc_size:0 attrib:0x00000080 share_access:0x00000001 disposition:0x00000001 options:0x00000060 , 0x00000000 [操作成功完成。 ],
22:49:57:747, System, 4:2256, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager, access:0x0002001F , 0x00000104 [因为文件名产生符号链接,所以需由对象管理器重新运行分析操作。 ],
22:49:57:747, System, 4:1728, 0, FILE_open, C:\Windows\System32\ntdll.dll, access:0x00100020 alloc_size:0 attrib:0x00000000 share_access:0x00000001 disposition:0x00000001 options:0x00000020 , 0x00000000 [操作成功完成。 ],
22:49:57:747, System, 4:2272, 0, FILE_open, C:\Windows\System32\mcupdate_GenuineIntel.dll, access:0x00120089 alloc_size:0 attrib:0x00000080 share_access:0x00000001 disposition:0x00000001 options:0x00000060 , 0x00000000 [操作成功完成。 ],
22:49:57:747, System, 4:2272, 0, FILE_open, C:\Windows\System32\drivers\werkernel.sys, access:0x00120089 alloc_size:0 attrib:0x00000080 share_access:0x00000001 disposition:0x00000001 options:0x00000060 , 0x00000000 [操作成功完成。 ],
22:49:57:747, System, 4:2272, 0, FILE_open, C:\Windows\System32\drivers\clfs.sys, access:0x00120089 alloc_size:0 attrib:0x00000080 share_access:0x00000001 disposition:0x00000001 options:0x00000060 , 0x00000000 [操作成功完成。 ],
22:49:57:747, System, 4:2256, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager, access:0x0002001F , 0x00000000 [操作成功完成。 ],
22:49:57:747, System, 4:2272, 0, FILE_open, C:\Windows\System32\drivers\tm.sys, access:0x00120089 alloc_size:0 attrib:0x00000080 share_access:0x00000001 disposition:0x00000001 options:0x00000060 , 0x00000000 [操作成功完成。 ],
22:49:57:747, System, 4:1092, 0, FILE_open, C:\Windows\System32\drivers\tsddxyckhm.sys, access:0x00000080 alloc_size:0 attrib:0x00000000 share_access:0x00000007 disposition:0x00000001 options:0x00204000 , 0x00000000 [操作成功完成。 ],
22:49:57:747, System, 4:2272, 0, FILE_open, C:\Windows\System32\PSHED.DLL, access:0x00120089 alloc_size:0 attrib:0x00000080 share_access:0x00000001 disposition:0x00000001 options:0x00000060 , 0x00000000 [操作成功完成。 ],
22:49:57:747, System, 4:1092, 0, FILE_open, C:\Windows\System32\drivers\tsddxyckhm.sys, access:0x00000080 alloc_size:0 attrib:0x00000000 share_access:0x00000007 disposition:0x00000001 options:0x00204000 , 0x00000000 [操作成功完成。 ],
22:49:57:747, System, 4:2272, 0, FILE_open, C:\Windows\System32\BOOTVID.DLL, access:0x00120089 alloc_size:0 attrib:0x00000080 share_access:0x00000001 disposition:0x00000001 options:0x00000060 , 0x00000000 [操作成功完成。 ],
22:49:57:747, System, 4:2272, 0, FILE_open, C:\Windows\System32\ci.dll, access:0x00120089 alloc_size:0 attrib:0x00000080 share_access:0x00000001 disposition:0x00000001 options:0x00000060 , 0x00000000 [操作成功完成。 ],
22:49:57:747, System, 4:1092, 0, FILE_open, C:\Windows\System32\drivers\tsddxyckhm.sys, access:0x00120089 alloc_size:0 attrib:0x00000080 share_access:0x00000001 disposition:0x00000001 options:0x00000020 , 0x00000000 [操作成功完成。 ],
22:49:57:747, System, 4:2272, 0, FILE_open, C:\Windows\System32\drivers\msrpc.sys, access:0x00120089 alloc_size:0 attrib:0x00000080 share_access:0x00000001 disposition:0x00000001 options:0x00000060 , 0x00000000 [操作成功完成。 ],
22:49:57:747, System, 4:2272, 0, FILE_open, C:\Windows\System32\drivers\Wdf01000.sys, access:0x00120089 alloc_size:0 attrib:0x00000080 share_access:0x00000001 disposition:0x00000001 options:0x00000060 , 0x00000000 [操作成功完成。 ],
22:49:57:747, System, 4:2272, 0, FILE_open, C:\Windows\System32\drivers\WdfLdr.sys, access:0x00120089 alloc_size:0 attrib:0x00000080 share_access:0x00000001 disposition:0x00000001 options:0x00000060 , 0x00000000 [操作成功完成。 ],
22:49:57:747, System, 4:1092, 0, FILE_open, C:\Windows\System32\drivers\tsddxyckhm.sys, access:0x00000080 alloc_size:0 attrib:0x00000000 share_access:0x00000007 disposition:0x00000001 options:0x00204000 , 0x00000000 [操作成功完成。 ],
22:49:57:747, System, 4:2272, 0, FILE_open, C:\Windows\System32\drivers\acpiex.sys, access:0x00120089 alloc_size:0 attrib:0x00000080 share_access:0x00000001 disposition:0x00000001 options:0x00000060 , 0x00000000 [操作成功完成。 ],
22:49:57:762, System, 4:1092, 0, FILE_open, C:\Windows\System32\drivers\tsddxyckhm.sys, access:0x00000080 alloc_size:0 attrib:0x00000000 share_access:0x00000007 disposition:0x00000001 options:0x00204000 , 0x00000000 [操作成功完成。 ],
22:49:57:762, System, 4:2272, 0, FILE_open, C:\Windows\System32\drivers\WppRecorder.sys, access:0x00120089 alloc_size:0 attrib:0x00000080 share_access:0x00000001 disposition:0x00000001 options:0x00000060 , 0x00000000 [操作成功完成。 ],
22:49:57:762, System, 4:1092, 0, FILE_open, C:\Windows\System32\drivers\tsddxyckhm.sys, access:0x00000080 alloc_size:0 attrib:0x00000000 share_access:0x00000000 disposition:0x00000001 options:0x00000020 , 0x00000000 [操作成功完成。 ],
22:49:57:762, System, 4:2272, 0, FILE_open, C:\Windows\System32\drivers\acpi.sys, access:0x00120089 alloc_size:0 attrib:0x00000080 share_access:0x00000001 disposition:0x00000001 options:0x00000060 , 0x00000000 [操作成功完成。 ],
22:49:57:762, System, 4:2272, 0, FILE_open, C:\Windows\System32\drivers\wmilib.sys, access:0x00120089 alloc_size:0 attrib:0x00000080 share_access:0x00000001 disposition:0x00000001 options:0x00000060 , 0x00000000 [操作成功完成。 ],
22:49:57:762, System, 4:1092, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\mqtnxcunax, access:0x0002001F , 0x00000000 [操作成功完成。 ],
22:49:57:762, System, 4:2272, 0, FILE_open, C:\Windows\System32\drivers\cng.sys, access:0x00120089 alloc_size:0 attrib:0x00000080 share_access:0x00000001 disposition:0x00000001 options:0x00000060 , 0x00000000 [操作成功完成。 ],
22:49:57:762, System, 4:1092, 0, REG_getval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\mqtnxcunax\ImagePath, type:0x00000001 datalen:94 data:'5C 00 3F 00 3F 00 5C 00 43 00 3A 00 5C 00 57 00 ' , 0x00000000 [操作成功完成。 ],
22:49:57:762, System, 4:1092, 0, REG_setval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\mqtnxcunax\ImagePath, type:0x00000001 datalen:96 data:'5C 3F 3F 5C 43 3A 5C 57 49 4E 44 4F 57 53 5C 73 ' , 0x00000000 [操作成功完成。 ],
22:49:57:762, System, 4:2272, 0, FILE_open, C:\Windows\System32\drivers\msisadrv.sys, access:0x00120089 alloc_size:0 attrib:0x00000080 share_access:0x00000001 disposition:0x00000001 options:0x00000060 , 0x00000000 [操作成功完成。 ],
22:49:57:762, System, 4:1092, 0, REG_setval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\mqtnxcunax\Tag, type:0x00000004 datalen:4 data:'00 00 00 00 ' , 0x00000000 [操作成功完成。 ],
22:49:57:762, System, 4:2272, 0, FILE_open, C:\Windows\System32\drivers\pci.sys, access:0x00120089 alloc_size:0 attrib:0x00000080 share_access:0x00000001 disposition:0x00000001 options:0x00000060 , 0x00000000 [操作成功完成。 ],
22:49:57:762, System, 4:2272, 0, FILE_open, C:\Windows\System32\drivers\vdrvroot.sys, access:0x00120089 alloc_size:0 attrib:0x00000080 share_access:0x00000001 disposition:0x00000001 options:0x00000060 , 0x00000000 [操作成功完成。 ],
...... starts scanning all SYS files ......
22:49:58:715, System, 4:2272, 0, FILE_open, C:\Windows\System32\drivers\FsWriteBack64.sys, access:0x00010000 alloc_size:0 attrib:0x00000000 share_access:0x00000007 disposition:0x00000001 options:0x00001000 , 0x00000000 [操作成功完成。 ],
22:49:58:715, System, 4:2272, 0, FILE_remove, C:\Windows\System32\drivers\FsWriteBack64.sys, , 0x00000000 [操作成功完成。 ],
。。。。。。。
22:50:44:209, System, 4:2224, 0, NET_connect, 180.163.198.48:80, protocol:(TCP)0 , 0x00000000 [操作成功完成。 ],
22:50:44:253, System, 4:2224, 0, NET_http, imgsa.baidu.com /forum/pic/item/6d02f7160924ab1842b2423b3afae6cd7a890bfe.jpg, protocol:(TCP)0 cmd:'GET' datalen:213 , 0x00000000 [操作成功完成。 ],
22:50:44:253, System, 4:2224, 0, NET_send, 180.163.198.48:80, protocol:(TCP)0 datalen:213 data:'47 45 54 20 2F 66 6F 72 75 6D 2F 70 69 63 2F 69 ' , 0x00000000 [操作成功完成。 ],
22:50:47:278, System, 4:2224, 0, FILE_touch, C:\Windows\Temp\winaudio.dll, access:0x001F01FF alloc_size:0 attrib:0x00000080 share_access:0x00000001 disposition:0x00000005 options:0x00000020 , 0x00000000 [操作成功完成。 ],
22:50:47:278, System, 4:2224, 0, FILE_truncate, C:\Windows\Temp\winaudio.dll, eof:0x00000000 , 0x00000000 [操作成功完成。 ],
22:50:47:278, System, 4:2224, 0, FILE_write, C:\Windows\Temp\winaudio.dll, offset:0x00000000 datalen:0x00057600 , 0x00000000 [操作成功完成。 ],
22:50:47:278, System, 4:2224, 0, FILE_modified, C:\Windows\Temp\winaudio.dll, , 0x00000000 [操作成功完成。 ],
22:50:47:278, System, 4:2224, 0, FILE_open, C:\Windows\Temp\winaudio.dll, access:0x00120089 alloc_size:0 attrib:0x00000080 share_access:0x00000001 disposition:0x00000001 options:0x00000060 , 0x00000000 [操作成功完成。 ],
22:50:47:294, System, 4:2224, 0, FILE_open, C:\Windows\Temp\winaudio.dll, access:0x00120089 alloc_size:0 attrib:0x00000080 share_access:0x00000001 disposition:0x00000001 options:0x00000060 , 0x00000000 [操作成功完成。 ],
22:50:50:434, System, 4:2224, 0, FILE_touch, C:\Windows\Temp\winaudio64.dll, access:0x001F01FF alloc_size:0 attrib:0x00000080 share_access:0x00000001 disposition:0x00000005 options:0x00000020 , 0x00000000 [操作成功完成。 ],
22:50:50:434, System, 4:2224, 0, FILE_truncate, C:\Windows\Temp\winaudio64.dll, eof:0x00000000 , 0x00000000 [操作成功完成。 ],
22:50:50:434, System, 4:2224, 0, FILE_write, C:\Windows\Temp\winaudio64.dll, offset:0x00000000 datalen:0x0005FE00 , 0x00000000 [操作成功完成。 ],
22:50:50:434, System, 4:2224, 0, FILE_modified, C:\Windows\Temp\winaudio64.dll, , 0x00000000 [操作成功完成。 ],
22:50:50:434, System, 4:2224, 0, FILE_open, C:\Windows\Temp\winaudio64.dll, access:0x00120089 alloc_size:0 attrib:0x00000080 share_access:0x00000001 disposition:0x00000001 options:0x00000060 , 0x00000000 [操作成功完成。 ],
22:50:50:450, System, 4:2224, 0, FILE_open, C:\Windows\Temp\winaudio64.dll, access:0x00120089 alloc_size:0 attrib:0x00000080 share_access:0x00000001 disposition:0x00000001 options:0x00000060 , 0x00000000 [操作成功完成。 ],
22:50:53:661, System, 4:2224, 0, FILE_touch, C:\Windows\Temp\winaudio.exe, access:0x001F01FF alloc_size:0 attrib:0x00000080 share_access:0x00000001 disposition:0x00000005 options:0x00000020 , 0x00000000 [操作成功完成。 ],
22:50:53:661, System, 4:2224, 0, FILE_truncate, C:\Windows\Temp\winaudio.exe, eof:0x00000000 , 0x00000000 [操作成功完成。 ],
22:50:53:661, System, 4:2224, 0, FILE_write, C:\Windows\Temp\winaudio.exe, offset:0x00000000 datalen:0x00122000 , 0x00000000 [操作成功完成。 ],
22:50:53:661, System, 4:2224, 0, FILE_modified, C:\Windows\Temp\winaudio.exe, , 0x00000000 [操作成功完成。 ],
22:50:53:661, System, 4:2224, 0, FILE_open, C:\Windows\Temp\winaudio.exe, access:0x00120089 alloc_size:0 attrib:0x00000080 share_access:0x00000001 disposition:0x00000001 options:0x00000060 , 0x00000000 [操作成功完成。 ],
22:50:53:716, System, 4:2224, 0, FILE_open, C:\Windows\Temp\winaudio.exe, access:0x00120089 alloc_size:0 attrib:0x00000080 share_access:0x00000001 disposition:0x00000001 options:0x00000060 , 0x00000000 [操作成功完成。 ],
22:50:53:716, System, 4:2224, 0, FILE_open, C:\Windows\Temp\winaudio.exe, access:0x00120089 alloc_size:0 attrib:0x00000080 share_access:0x00000001 disposition:0x00000001 options:0x00000060 , 0x00000000 [操作成功完成。 ],
22:50:53:809, Explorer.EXE, 2796:2996, 0, FILE_open, C:\Windows\Temp\winaudio.exe, access:0x00120089 alloc_size:0 attrib:0x00000080 share_access:0x00000003 disposition:0x00000001 options:0x00000060 , 0x00000000 [操作成功完成。 ],
22:50:53:809, Explorer.EXE, 2796:0, 0, PROC_exec, C:\WINDOWS\temp\winaudio.exe, target_pid:3068 , 0x00000000 [操作成功完成。 ],
22:50:53:856, System, 4:2284, 0, FILE_open, C:\Windows\Temp\winaudio.exe, access:0x00120089 alloc_size:0 attrib:0x00000080 share_access:0x00000001 disposition:0x00000001 options:0x00000060 , 0x00000000 [操作成功完成。 ],
22:50:54:564, winaudio.exe, 3068:0, 3068, EXEC_create, C:\WINDOWS\temp\winaudio.exe, parent_pid:2796 cmdline:'C:\WINDOWS\temp\winaudio.exe' image_base:0x0000000000AA0000 image_size:0x0012A000 , 0x00000000 [操作成功完成。 ],
22:50:54:575, System, 4:2880, 0, FILE_open, C:\Windows\System32\conhost.exe, access:0x00120089 alloc_size:0 attrib:0x00000080 share_access:0x00000001 disposition:0x00000001 options:0x00000060 , 0x00000000 [操作成功完成。 ],
22:50:54:575, Conhost.exe, 2412:0, 3068, EXEC_create, C:\Windows\System32\Conhost.exe, parent_pid:3068 cmdline:'\??\C:\Windows\system32\conhost.exe 0xffffffff' image_base:0x00007FF70DAD0000 image_size:0x0005E000 , 0x00000000 [操作成功完成。 ],
22:50:54:622, Conhost.exe, 2412:2872, 3068, FILE_open, C:\Windows\Fonts\vga936.fon, access:0x001200A9 alloc_size:0 attrib:0x00000080 share_access:0x00000005 disposition:0x00000001 options:0x00000010 , 0x00000000 [操作成功完成。 ],
22:50:54:622, Conhost.exe, 2412:2872, 3068, FILE_open, C:\Windows\Fonts\app936.fon, access:0x001200A9 alloc_size:0 attrib:0x00000080 share_access:0x00000005 disposition:0x00000001 options:0x00000010 , 0x00000000 [操作成功完成。 ],
22:50:54:622, Conhost.exe, 2412:2872, 3068, FILE_open, C:\Windows\Fonts\cga40woa.fon, access:0x001200A9 alloc_size:0 attrib:0x00000080 share_access:0x00000005 disposition:0x00000001 options:0x00000010 , 0x00000000 [操作成功完成。 ],
22:50:54:622, Conhost.exe, 2412:2872, 3068, FILE_open, C:\Windows\Fonts\cga80woa.fon, access:0x001200A9 alloc_size:0 attrib:0x00000080 share_access:0x00000005 disposition:0x00000001 options:0x00000010 , 0x00000000 [操作成功完成。 ],
22:50:54:622, Conhost.exe, 2412:2872, 3068, FILE_open, C:\Windows\Fonts\ega40woa.fon, access:0x001200A9 alloc_size:0 attrib:0x00000080 share_access:0x00000005 disposition:0x00000001 options:0x00000010 , 0x00000000 [操作成功完成。 ],
22:50:54:637, Conhost.exe, 2412:2872, 3068, FILE_open, C:\Windows\Fonts\ega80woa.fon, access:0x001200A9 alloc_size:0 attrib:0x00000080 share_access:0x00000005 disposition:0x00000001 options:0x00000010 , 0x00000000 [操作成功完成。 ],
22:50:54:778, winaudio.exe, 3068:3152, 3068, SYS_opendev, \Device\Afd, devtype:17 access:0xC0140000 share:0x00000003 , 0x00000000 [操作成功完成。 ],
22:50:55:809, winaudio.exe, 3068:3152, 3068, SYS_opendev, \Device\HarddiskVolume2, devtype:7 access:0x00100080 share:0x00000007 , 0x00000000 [操作成功完成。 ],
22:50:55:825, winaudio.exe, 3068:3720, 3068, SYS_opendev, \Device\Afd, devtype:17 access:0xC0140000 share:0x00000003 , 0x00000000 [操作成功完成。 ],
23:23:19:381, winaudio.exe, 2548:4476, 2548, NET_send, 180.153.105.140:443, protocol:(TCP)0 datalen:318 data:'16 03 01 01 39 01 00 01 35 03 03 40 30 66 00 63 ' , 0x00000000 [操作成功完成。 ],
23:23:19:397, winaudio.exe, 2548:4476, 2548, NET_send, 180.153.105.140:443, protocol:(TCP)0 datalen:126 data:'16 03 03 00 46 10 00 00 42 41 04 DA 10 D8 24 66 ' , 0x00000000 [操作成功完成。 ],
23:23:20:881, winaudio.exe, 2548:4476, 2548, FILE_open, C:\Windows\Temp\server.crt, access:0x00120089 alloc_size:0 attrib:0x00000080 share_access:0x00000003 disposition:0x00000001 options:0x00000060 , 0x00000000 [操作成功完成。 ],
23:23:20:881, winaudio.exe, 2548:4476, 2548, FILE_open, C:\Windows\Temp\server.key, access:0x00120089 alloc_size:0 attrib:0x00000080 share_access:0x00000003 disposition:0x00000001 options:0x00000060 , 0x00000000 [操作成功完成。 ],
23:23:20:959, winaudio.exe, 2548:4476, 2548, FILE_touch, C:\Windows\Temp\startcom.crt, access:0x00120196 alloc_size:0 attrib:0x00000080 share_access:0x00000003 disposition:0x00000005 options:0x00000060 , 0x00000000 [操作成功完成。 ],
23:23:20:959, winaudio.exe, 2548:4476, 2548, FILE_truncate, C:\Windows\Temp\startcom.crt, eof:0x00000000 , 0x00000000 [操作成功完成。 ],
23:23:20:959, winaudio.exe, 2548:4476, 2548, FILE_write, C:\Windows\Temp\startcom.crt, offset:0x00000000 datalen:0x00001000 , 0x00000000 [操作成功完成。 ],
23:23:20:959, winaudio.exe, 2548:4476, 2548, FILE_modified, C:\Windows\Temp\startcom.crt, , 0x00000000 [操作成功完成。 ],
23:23:20:975, winaudio.exe, 2548:4476, 2548, FILE_touch, C:\Windows\Temp\startcom.key, access:0x00120196 alloc_size:0 attrib:0x00000080 share_access:0x00000003 disposition:0x00000005 options:0x00000060 , 0x00000000 [操作成功完成。 ],
23:23:20:975, winaudio.exe, 2548:4476, 2548, FILE_truncate, C:\Windows\Temp\startcom.key, eof:0x00000000 , 0x00000000 [操作成功完成。 ],
23:23:20:975, winaudio.exe, 2548:4476, 2548, FILE_write, C:\Windows\Temp\startcom.key, offset:0x00000000 datalen:0x000006A8 , 0x00000000 [操作成功完成。 ],
23:23:20:975, winaudio.exe, 2548:4476, 2548, FILE_modified, C:\Windows\Temp\startcom.key, , 0x00000000 [操作成功完成。 ],
23:23:20:975, winaudio.exe, 2548:4476, 2548, SYS_writedev, \Device\ConDrv, devtype:80 offset:0x00000000 datalen:9 data:'73 74 61 72 74 2E 2E 0D 0A ' , 0x00000000 [操作成功完成。 ],
23:23:20:975, winaudio.exe, 2548:4476, 2548, FILE_open, C:\Windows\Temp\server.der, access:0x00120089 alloc_size:0 attrib:0x00000000 share_access:0x00000001 disposition:0x00000001 options:0x00000060 , 0x00000000 [操作成功完成。 ],
23:23:23:991, System, 4:2256, 0, NET_http, blog-1259797220.cos.ap-hongkong.myqcloud.com /xccdd, protocol:(TCP)0 cmd:'GET' datalen:172 , 0x00000000 [操作成功完成。 ],
D. Workflow:
After 1.sys is loaded it lies dormant and downloads the configuration file matching the system. 1.sys also keeps updating itself and 2.sys; all updates and components are downloaded into windows/temp!
According to the configuration file it downloads 2.sys and loads it (invisibly). Moreover, 2.sys does not start with the system; it is started by cloud updates.
2.sys scans through the system's sys files, wipes out anything from 360 it finds, and injects into every process it can...
Not sure which one ran winaudio.exe...
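The workflow above is visible in the Huorong Sword (火绒剑) capture itself: a driver service registered from PID 4 (System) with Start=1 and Group=TDI, a .sys written into System32\drivers from kernel context, HTTP from System, GETs for .jpg URLs followed seconds later by .sys/.dll/.exe writes, a FILE_remove of a driver, and a PROC_kill of PCHunter. The script below is an added example (not part of the post, and not the author's tool): it parses lines in the same format and raises those findings. The sample lines are copied from the post's log and trimmed; the 15-second correlation window and the rule names are my own assumptions.

```python
import re
from collections import defaultdict
from typing import List, NamedTuple, Optional

# Constructed sample: lines copied from the post's Huorong Sword capture,
# trimmed to the events the rules below look at.
SAMPLE_LOG = r"""
21:48:15:882, System, 4:396, 0, REG_setval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wbmypegmj.sys\ImagePath, type:0x00000001 datalen:92 data:'5C 3F 3F 5C 43 3A 5C 57 49 4E 44 4F 57 53 5C 73 ' , 0x00000000 [操作成功完成。 ],
21:48:15:882, System, 4:396, 0, REG_setval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wbmypegmj.sys\Start, type:0x00000004 datalen:4 data:'01 00 00 00 ' , 0x00000000 [操作成功完成。 ],
21:48:15:882, System, 4:396, 0, REG_setval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wbmypegmj.sys\Group, type:0x00000001 datalen:8 data:'54 44 49 00 ' , 0x00000000 [操作成功完成。 ],
21:48:15:882, System, 4:396, 0, FILE_write, C:\Windows\System32\drivers\wbmypegmj.sys, offset:0x00000000 datalen:0x000ED400 , 0x00000000 [操作成功完成。 ],
21:48:15:882, System, 4:396, 0, FILE_modified, C:\Windows\System32\drivers\wbmypegmj.sys, , 0x00000000 [操作成功完成。 ],
21:49:16:616, System, 4:2540, 0, NET_http, 41ku.cn:10100/api/service/getinfo, protocol:(TCP)0 cmd:'POST' datalen:239 , 0x00000000 [操作成功完成。 ],
21:49:19:929, System, 4:2540, 0, NET_http, imgsa.baidu.com /forum/pic/item/c27b6634970a304e89ce03f6dec8a786c8175cb6.jpg, protocol:(TCP)0 cmd:'GET' datalen:213 , 0x00000000 [操作成功完成。 ],
21:49:20:116, System, 4:2540, 0, FILE_write, C:\Windows\System32\amdintelcfg1.dat, offset:0x00000000 datalen:0x00058F24 , 0x00000000 [操作成功完成。 ],
22:48:11:747, Explorer.EXE, 2796:796, 0, PROC_kill, C:\Users\j8qq_000\Desktop\tools\PCHunter_free\PCHunter64.exe, target_pid:1860 exitcode:-1073740756 , 0x00000000 [操作成功完成。 ],
22:49:58:715, System, 4:2272, 0, FILE_remove, C:\Windows\System32\drivers\FsWriteBack64.sys, , 0x00000000 [操作成功完成。 ],
22:50:44:253, System, 4:2224, 0, NET_http, imgsa.baidu.com /forum/pic/item/6d02f7160924ab1842b2423b3afae6cd7a890bfe.jpg, protocol:(TCP)0 cmd:'GET' datalen:213 , 0x00000000 [操作成功完成。 ],
22:50:53:661, System, 4:2224, 0, FILE_write, C:\Windows\Temp\winaudio.exe, offset:0x00000000 datalen:0x00122000 , 0x00000000 [操作成功完成。 ],
"""

# time, process, pid:tid, session, op, target, details , status [message],
LINE_RE = re.compile(
    r"^(?P<time>\d{1,2}:\d{2}:\d{2}:\d{3}), (?P<proc>[^,]+), (?P<pid>\d+):(?P<tid>\d+), "
    r"(?P<sess>\d+), (?P<op>\w+), (?P<target>.*?), (?P<details>.*?) ?, "
    r"(?P<status>0x[0-9A-Fa-f]{8}) \[(?P<msg>.*?)\],?\s*$"
)
SERVICE_VALUE_RE = re.compile(r"\\Services\\([^\\]+)\\(ImagePath|Start|Type|Group)$", re.I)
DRIVER_FILE_RE = re.compile(r"\\System32\\drivers\\[^\\]+\.sys$", re.I)
EXEC_EXT = (".sys", ".dll", ".exe")
IMAGE_EXT = (".jpg", ".jpeg", ".png", ".gif")
PAYLOAD_WINDOW_MS = 15_000  # assumption: image GET -> executable write within 15 s


class Finding(NamedTuple):
    rule: str
    time: str
    detail: str


def to_ms(t: str) -> int:
    h, m, s, ms = (int(x) for x in t.split(":"))
    return ((h * 60 + m) * 60 + s) * 1000 + ms


def parse_line(line: str) -> Optional[dict]:
    """One log line -> dict of fields, or None for prose/blank lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["pid"], ev["tid"] = int(ev["pid"]), int(ev["tid"])
    ev["ms"] = to_ms(ev["time"])
    return ev


def decode_value(details: str):
    """Turn the tool's hex dump of a registry value back into a Python value:
    REG_DWORD (type 4) -> int, string types -> text with NULs stripped.
    The tool prints only the first 16 bytes, so strings are prefixes."""
    m = re.search(r"type:(0x[0-9A-Fa-f]+).*?data:'([0-9A-Fa-f ]*)'", details)
    if not m:
        return None
    raw = bytes.fromhex(m.group(2).strip())
    if int(m.group(1), 16) == 4:
        return int.from_bytes(raw[:4], "little")
    return raw.replace(b"\x00", b"").decode("ascii", "replace")


def analyze(log_text: str) -> List[Finding]:
    findings: List[Finding] = []
    services = defaultdict(dict)   # service name -> {value name: decoded value}
    first_seen = {}                # service name -> time of first value write
    last_image_fetch = None        # (ms, url) of the newest image GET by System

    for ev in filter(None, (parse_line(l) for l in log_text.splitlines())):
        from_kernel = ev["proc"] == "System" and ev["pid"] == 4
        op, target, ms = ev["op"], ev["target"], ev["ms"]

        if from_kernel and op == "REG_setval":
            m = SERVICE_VALUE_RE.search(target)
            if m:
                services[m.group(1)][m.group(2)] = decode_value(ev["details"])
                first_seen.setdefault(m.group(1), ev["time"])
        if from_kernel and op == "FILE_write" and DRIVER_FILE_RE.search(target):
            findings.append(Finding("driver_dropped_by_kernel", ev["time"], target))
        if from_kernel and op == "FILE_remove" and DRIVER_FILE_RE.search(target):
            findings.append(Finding("driver_deleted_by_kernel", ev["time"], target))
        if op == "PROC_kill":
            findings.append(Finding("process_killed", ev["time"], f"{ev['proc']} -> {target}"))
        if from_kernel and op == "NET_http":
            findings.append(Finding("kernel_http", ev["time"], target))
            if target.lower().endswith(IMAGE_EXT):
                last_image_fetch = (ms, target)
        if (from_kernel and op == "FILE_write" and target.lower().endswith(EXEC_EXT)
                and last_image_fetch and 0 <= ms - last_image_fetch[0] <= PAYLOAD_WINDOW_MS):
            findings.append(Finding("executable_after_image_fetch", ev["time"],
                                    f"{target} <- {last_image_fetch[1]}"))

    # A driver service with Start=0/1 written by PID 4 is a kernel component installing another one.
    for svc, vals in services.items():
        if "ImagePath" in vals and vals.get("Start") in (0, 1):
            findings.append(Finding("kernel_service_install", first_seen[svc],
                f"{svc}: Start={vals['Start']} Group={vals.get('Group')} ImagePath~{vals['ImagePath']}"))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.time}  {f.rule:<30} {f.detail}")
```

The kernel_service_install rule keys on the combination the post's log shows (System writing ImagePath plus Start=1 under a Services key); a legitimate driver install goes through services.exe, not PID 4. The image-then-executable rule is a loose correlation, so on a real host it should be scoped to System/Explorer-originated writes as here and reviewed, not acted on blindly.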