This post was last edited by ppy0606 on 2016-1-13 21:51
2016/1/13 21:48:18,C:\Windows\explorer.exe,53,Allowed ;执行应用程序 ("C:\Users\abc\Desktop\20160113-1_5\e0b89421d82e4ba8ba4dc5c29a6415830288be9c87380af7fa79ff8c1ecc34e8.exe" )
2016/1/13 21:48:22,C:\Users\abc\Desktop\20160113-1_5\e0b89421d82e4ba8ba4dc5c29a6415830288be9c87380af7fa79ff8c1ecc34e8.exe,53,Allowed ;执行应用程序 (C:\Users\abc\Desktop\20160113-1_5\e0b89421d82e4ba8ba4dc5c29a6415830288be9c87380af7fa79ff8c1ecc34e8.exe)
2016/1/13 21:48:24,C:\Users\abc\Desktop\20160113-1_5\e0b89421d82e4ba8ba4dc5c29a6415830288be9c87380af7fa79ff8c1ecc34e8.exe,36,Allowed ;DLL 注入 (e0b89421d82e4ba8ba4dc5c29a6415830288be9c87380af7fa79ff8c1ecc34e8.exe(pid=3764))
2016/1/13 21:48:45,C:\Windows\System32\SearchIndexer.exe,53,Allowed ;执行应用程序 ("C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-1010850973-1749967244-3704614482-10003_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-1010850973-1749967244-3704614482-10003 1 -2147483646 "Software\Microsoft\Windows Search")
2016/1/13 21:48:45,C:\Windows\System32\SearchIndexer.exe,53,Allowed ;执行应用程序 ("C:\Windows\system32\SearchFilterHost.exe" 0 524 528 536 65536 532 )
2016/1/13 21:49:02,C:\Users\abc\Desktop\20160113-1_5\e0b89421d82e4ba8ba4dc5c29a6415830288be9c87380af7fa79ff8c1ecc34e8.exe,26,Allowed ;修改受保护的注册表键 (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,twunk_32.exe)
2016/1/13 21:49:07,C:\Users\abc\Desktop\20160113-1_5\e0b89421d82e4ba8ba4dc5c29a6415830288be9c87380af7fa79ff8c1ecc34e8.exe,47,Allowed ;创建交换数据流 (C:\Users\abc\AppData\Roaming\Y1FeZFVYXllb\twunk_32.exe:Zone.Identifier)
2016/1/13 21:49:10,C:\Users\abc\Desktop\20160113-1_5\e0b89421d82e4ba8ba4dc5c29a6415830288be9c87380af7fa79ff8c1ecc34e8.exe,53,Allowed ;执行应用程序 (C:\Users\abc\AppData\Roaming\Y1FeZFVYXllb\twunk_32.exe C:\Users\abc\Desktop\201601~1\E0B894~1.EXE)
2016/1/13 21:49:12,C:\Users\abc\AppData\Roaming\Y1FeZFVYXllb\twunk_32.exe,53,Allowed ;执行应用程序 (C:\Users\abc\AppData\Roaming\Y1FeZFVYXllb\twunk_32.exe)
2016/1/13 21:49:15,C:\Users\abc\AppData\Roaming\Y1FeZFVYXllb\twunk_32.exe,36,Allowed ;DLL 注入 (twunk_32.exe(pid=1348))
2016/1/13 21:49:34,C:\Windows\System32\svchost.exe,53,Allowed ;执行应用程序 (wmiadap.exe /F /T)
2016/1/13 21:49:52,C:\Users\abc\AppData\Roaming\Y1FeZFVYXllb\twunk_32.exe,51,Allowed ;进程间通信 (Svchost.OLE.BackgroundCopyManager)
2016/1/13 21:49:54,C:\Users\abc\AppData\Roaming\Y1FeZFVYXllb\twunk_32.exe,50,Allowed ;使用 DNS 解析服务访问网络
2016/1/13 21:49:58,C:\Users\abc\AppData\Roaming\Y1FeZFVYXllb\twunk_32.exe,48,Allowed ;出站网络访问
2016/1/13 21:49:58,C:\Users\abc\AppData\Roaming\Y1FeZFVYXllb\twunk_32.exe,48,Allowed ;出站网络访问
2016/1/13 21:50:31,C:\Users\abc\AppData\Roaming\Y1FeZFVYXllb\twunk_32.exe,40,Allowed ;以修改权限打开进程或线程 (iexplore.exe(pid=3384))
2016/1/13 21:50:34,C:\Users\abc\AppData\Roaming\Y1FeZFVYXllb\twunk_32.exe,29,Allowed ;修改进程内存 (iexplore.exe(pid=3384))
2016/1/13 21:50:36,C:\Users\abc\AppData\Roaming\Y1FeZFVYXllb\twunk_32.exe,29,Allowed ;修改进程内存 (iexplore.exe(pid=3384))
2016/1/13 21:50:37,C:\Users\abc\AppData\Roaming\Y1FeZFVYXllb\twunk_32.exe,29,Allowed ;修改进程内存 (iexplore.exe(pid=3384))
2016/1/13 21:50:40,C:\Users\abc\AppData\Roaming\Y1FeZFVYXllb\twunk_32.exe,30,Allowed ;创建远程进程 (iexplore.exe(pid=3384))
2016/1/13 21:50:40,C:\Program Files\Internet Explorer\iexplore.exe,33,Blocked ;设置钩子以监控网络请求 (C:\Program Files\Internet Explorer\iexplore.exe(PID=3384))
2016/1/13 21:50:42,C:\Users\abc\AppData\Roaming\Y1FeZFVYXllb\twunk_32.exe,29,Allowed ;修改进程内存 (iexplore.exe(pid=3428))