awey.my.id - UnknownSec

upload mass deface mass delete console info server
name : data.7
2025-04-13 19:10:28 [Info] Aegis root path is C:/Program Files (x86)/Alibaba/Aegis
2025-04-13 19:10:28 [Info] ipc client:network_ipc_client Reg msg_type:T_MSG_ALI_DETECT_EVENT on BlackList
2025-04-13 19:10:28 [Info] ipc client:network_ipc_client Reg msg_type:T_MSG_CONTAINER_META on BlackList
2025-04-13 19:10:28 [Info] ipc client:network_ipc_client Reg msg_type:T_MSG_CONTAINER_STOP on BlackList
2025-04-13 19:10:28 [Info] ipc client:network_ipc_client Reg msg_type:T_MSG_LOCAL_SCAN on BlackList
2025-04-13 19:10:28 [Info] ipc client:network_ipc_client Reg msg_type:T_MSG_LOCAL_SCAN_RSP on BlackList
2025-04-13 19:10:28 [Info] ipc client:network_ipc_client Reg msg_type:T_MSG_UPDATE_IPC_HEART on BlackList
2025-04-13 19:10:28 [Info] ipc client:network_ipc_client Reg client_name:monitor_ipc_client on BlackList
2025-04-13 19:10:28 [Info] ipc client:network_ipc_client Reg client_name:protocol_ipc_client on BlackList
2025-04-13 19:10:28 [Info] network msg stat report at 2025-04-14 01:59:51
2025-04-13 19:10:28 [Info] try get sys version
2025-04-13 19:10:28 [Info] win sys info:2/6:3:3
2025-04-13 19:10:28 [Info] suit legal version, enable cpu control
2025-04-13 19:10:28 [Info] ====================Start Agent : aegis_11_36,Aug 30 2022 13:47:33====================
2025-04-13 19:10:28 [Info] ipc server init success.
2025-04-13 19:10:28 [Info] Server_Init: 0
2025-04-13 19:10:28 [Info] ipc listen success.
2025-04-13 19:10:28 [Info] Server_Listen: 0
2025-04-13 19:10:28 [Info] curr: 2025-04-13 19:10:28 boot: 2025-04-13 19:09:01
2025-04-13 19:10:28 [Info] win sys info:2/6:3:3
2025-04-13 19:10:28 [Info] init vulfix table success
2025-04-13 19:10:28 [Info] Vul TimerScan Next: begin:2025-04-14 09:51:00
2025-04-13 19:10:28 [Info] Vul TimerClear Next: begin:2025-04-14 09:51:00
2025-04-13 19:10:28 [Info] LoadModule : C:/Program Files (x86)/Alibaba/Aegis/aegis_client/aegis_11_36/ModuleVul.dll
2025-04-13 19:10:28 [Info] Application SeekToLastRecord:249
2025-04-13 19:10:28 [Info] Rdp Key Exist.
2025-04-13 19:10:28 [Info] Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational SeekToLastRecord:12
2025-04-13 19:10:28 [Info] reg event ok.
2025-04-13 19:10:28 [Info] CProtocolHandlerThread::run Enter
2025-04-13 19:10:28 [Info] GetNetWorkLoopTime 20
2025-04-13 19:10:28 [Info] CMonitorPri::run Enter
2025-04-13 19:10:28 [Info] ipc connect running...
2025-04-13 19:10:28 [Info] ipc rr running...
2025-04-13 19:10:28 [Info] aegisIpc::run Enter
2025-04-13 19:10:28 [Info] LoadModule : C:/Program Files (x86)/Alibaba/Aegis/aegis_client/aegis_11_36/ModuleCrack.dll
2025-04-13 19:10:28 [Info] LoadModule : C:/Program Files (x86)/Alibaba/Aegis/aegis_client/aegis_11_36/ModuleUpdate.dll
2025-04-13 19:10:28 [Info] LoadModule : C:/Program Files (x86)/Alibaba/Aegis/aegis_client/aegis_11_36/ModuleCheck.dll
2025-04-13 19:10:28 [Info] RTAP max work num is 4
2025-04-13 19:10:28 [Info] LoadModule : C:/Program Files (x86)/Alibaba/Aegis/aegis_client/aegis_11_36/ModuleRtap.dll
2025-04-13 19:10:28 [Info] LoadModule : C:/Program Files (x86)/Alibaba/Aegis/aegis_client/aegis_11_36/ModuleHex.dll
2025-04-13 19:10:28 [Info] open ccp cache file failed:[C:/Program Files (x86)/Alibaba/Aegis/globalcfg/cache/ccpcache_proc]
2025-04-13 19:10:28 [Info] open ccp cache file failed:[C:/Program Files (x86)/Alibaba/Aegis/globalcfg/cache/ccpcache_conn]
2025-04-13 19:10:28 [Info] open ccp cache file failed:[C:/Program Files (x86)/Alibaba/Aegis/globalcfg/cache/ccpcache_procfile]
2025-04-13 19:10:28 [Info] load proc chain rule ok.
2025-04-13 19:10:28 [Info] ipc client:local_scan_client Reg msg_type:T_MSG_ALI_DETECT_EVENT on WhiteList
2025-04-13 19:10:28 [Info] load proc chain rule ok.
2025-04-13 19:10:28 [Info] Load P3 Db Ok
2025-04-13 19:10:28 [Info] WebShell Scan Begin:2025-04-14 01:01:28
2025-04-13 19:10:28 [Info] target pid:452
2025-04-13 19:10:28 [Info] LoadModule : C:/Program Files (x86)/Alibaba/Aegis/aegis_client/aegis_11_36/ModuleMetadata.dll
2025-04-13 19:10:28 [Info] mt report at 2025-04-13 20:11:19
2025-04-13 19:10:28 [Info] start wait dns work
2025-04-13 19:10:28 [Info] dns work ok
2025-04-13 19:10:28 [Info] start DownLoadNakedBuffer 100.100.100.200/2016-01-01/global-config
2025-04-13 19:10:28 [Info] start enum user...
2025-04-13 19:10:28 [Info] GleLocal::run Enter
2025-04-13 19:10:28 [Info] Tcp Connect Check Start...
2025-04-13 19:10:28 [Info] win evtlog::run Enter
2025-04-13 19:10:28 [Info] Start Process AegisFileSession.
2025-04-13 19:10:28 [Info] enum user finish:2
2025-04-13 19:10:28 [Info] Start Process AegisCommSession.
2025-04-13 19:10:28 [Info] get all user info ok:2
2025-04-13 19:10:28 [Info] stop session:NT Kernel Logger OK, 0
2025-04-13 19:10:28 [Info] DownLoadNakedBuffer ok 100.100.100.200/2016-01-01/global-config
2025-04-13 19:10:28 [Info] get empty metaserver config
2025-04-13 19:10:28 [Info] cpu_sig:AliyunKVM
2025-04-13 19:10:28 [Info] cloud type is 
2025-04-13 19:10:29 [Info] New ClientConnectNotify : Rtap286281744542578 
2025-04-13 19:10:29 [Info] ipc client:Rtap286281744542578 Reg msg_type:T_MSG_IPC_NETWORK_NOTIFY on WhiteList
2025-04-13 19:10:29 [Info] ipc client:Rtap286281744542578 Reg client_name:protocol_ipc_client on WhiteList
2025-04-13 19:10:29 [Info] HttpPostFromBuffer Success:update2.aegis.aliyun.com/uuidRequest,code:200, ret:0
2025-04-13 19:10:29 [Info] http request ret : {"result":{"aegis_update_domain":"aegis-abroad.alicdn.com|update-ap-southeast-5.aegis.aliyuncs.com","aegis_server_domain":"jsrv-ap-southeast-5.aegis.aliyuncs.com","uuid":"820992e8-7461-4d94-990c-699c347c1c4a"},"code":1}
2025-04-13 19:10:29 [Info] Currentuid Ret : 820992e8-7461-4d94-990c-699c347c1c4a
2025-04-13 19:10:29 [Info] jsrv-ap-southeast-5.aegis.aliyuncs.com is not in current tcp domains, reconnect tcp server
2025-04-13 19:10:29 [Info] start DownLoadBuffer update.aegis.aliyun.com/download/cert/root.md5
2025-04-13 19:10:29 [Info] HttpGetToBuffer Success : aegis-abroad.alicdn.com/download/cert/root.md5,code:200, ret:0
2025-04-13 19:10:29 [Info] DownLoadBuffer ok update.aegis.aliyun.com/download/cert/root.md5
2025-04-13 19:10:29 [Info] empty md5 buf
2025-04-13 19:10:29 [Info] cert file in C:/Program Files (x86)/Alibaba/Aegis/globalcfg/aegis.crt not need sync
2025-04-13 19:10:29 [Info] try connect url jsrv-ap-southeast-5.aegis.aliyuncs.com, ip : 100.100.0.116, port : 80
2025-04-13 19:10:29 [Info] Connect Success : jsrv-ap-southeast-5.aegis.aliyuncs.com
2025-04-13 19:10:29 [Info] GetLocalSockIp :172.22.247.89
2025-04-13 19:10:29 [Info] GetLocalSockIp : 172.22.247.89
2025-04-13 19:10:29 [Info] SendMessage T_MSG_LOGIN
2025-04-13 19:10:29 [Info] web server report total dir 0
2025-04-13 19:10:29 [Info] GetMessage : T_MSG_LOGIN_RSP
2025-04-13 19:10:29 [Info] GetMessage : T_MSG_MACHINE_INFO
2025-04-13 19:10:29 [Info] GetMessage : T_MSG_PUSH_FILE_CONF
2025-04-13 19:10:29 [Info] GetMessage : T_MSG_PUSH_CLIENT_CONF
2025-04-13 19:10:29 [Info] vulfix user conf:1
2025-04-13 19:10:29 [Info] vulfix cmd conf:1
2025-04-13 19:10:29 [Info] crack user conf:1
2025-04-13 19:10:29 [Info] rdp_filter user conf:1
2025-04-13 19:10:29 [Info] login event check time user conf:1
2025-04-13 19:10:29 [Info] RTAP timeout config:9600000
2025-04-13 19:10:29 [Info] webshell user conf:1
2025-04-13 19:10:29 [Info] webshell timescan user conf:1
2025-04-13 19:10:29 [Info] proc_info user conf:1
2025-04-13 19:10:29 [Info] tcp_netstat user conf:1
2025-04-13 19:10:29 [Info] bin_repo user conf:1
2025-04-13 19:10:29 [Info] bin_repo_auto_deleted user conf:1
2025-04-13 19:10:29 [Info] kprobe_trace user conf:0
2025-04-13 19:10:29 [Info] kprobe_trace_file user conf:0
2025-04-13 19:10:29 [Info] proc_file_enable user conf:1
2025-04-13 19:10:29 [Info] proc_file_create_new_only user conf:1
2025-04-13 19:10:29 [Info] proc_file_filter user conf:1
2025-04-13 19:10:29 [Info] set send queue limit value [4096]
2025-04-13 19:10:29 [Info] tcp_snapshot user conf:1
2025-04-13 19:10:29 [Info] tcp_trace_clear user conf:0
2025-04-13 19:10:29 [Info] tcp_trace user conf:0
2025-04-13 19:10:29 [Info] bash_shell user conf:0
2025-04-13 19:10:29 [Info] script_repo user conf:1
2025-04-13 19:10:29 [Info] script_no_suffix user conf:0
2025-04-13 19:10:29 [Info] data_send_loop_time user conf:100
2025-04-13 19:10:29 [Info] data_list_limit user conf:10000
2025-04-13 19:10:29 [Info] file_push_timeout user conf:60
2025-04-13 19:10:29 [Info] bin_file_size_limit user conf:20971520
2025-04-13 19:10:29 [Info] monitor_all user conf:0
2025-04-13 19:10:29 [Info] proc_chain user conf:1
2025-04-13 19:10:29 [Info] proc_filter user conf:2
2025-04-13 19:10:29 [Info] proc_filter_statistic user conf:1
2025-04-13 19:10:29 [Info] proc_filter_method user conf:1
2025-04-13 19:10:29 [Info] event_log user conf:0
2025-04-13 19:10:29 [Info] proc_reg user conf:0
2025-04-13 19:10:29 [Info] proc_limit user conf:1
2025-04-13 19:10:29 [Info] proc_parent_check user conf:0
2025-04-13 19:10:29 [Info] queue_size_ratio user conf:80
2025-04-13 19:10:29 [Info] set send queue ratio value [80]
2025-04-13 19:10:29 [Info] kprobe_trace_accept user conf:0
2025-04-13 19:10:29 [Info] thread_inject user conf:0
2025-04-13 19:10:29 [Info] proc_access user conf:0
2025-04-13 19:10:29 [Info] kprobe_trace_unixsocket user conf:0
2025-04-13 19:10:29 [Info] Tcp Event Reg Ok.
2025-04-13 19:10:29 [Info] thread unknown using 0ms
2025-04-13 19:10:29 [Info] stop session:Aegis-Proc OK, 0
2025-04-13 19:10:29 [Info] enable trace ok:
2025-04-13 19:10:29 [Info] File Event Reg Ok, Mode:1
2025-04-13 19:10:29 [Info] thread etw_proc_file using 0ms
2025-04-13 19:10:30 [Info] GetMessage : T_MSG_CHECK
2025-04-13 19:10:30 [Info] task 636e16a2-02e4-432c-9047-9f4589f86988 has 1 items, priority is 1, aggregate is 0
2025-04-13 19:10:30 [Info] GetMessage : T_MSG_RENEW_UPDATE
2025-04-13 19:10:30 [Info] IsUpdateWork true
2025-04-13 19:10:30 [Info] PatchUpdate fail update_10_58
2025-04-13 19:10:30 [Info] Proc Event Reg Ok.
2025-04-13 19:10:30 [Info] thread unknown using 0ms
2025-04-13 19:10:30 [Info] GetMessage : T_MSG_CHECK
2025-04-13 19:10:30 [Info] task 68cf4cc9-548b-4307-bba5-5996fb954513 has 1 items, priority is 1, aggregate is 0
2025-04-13 19:10:31 [Info] start DownLoadBuffer update.aegis.aliyun.com/download/SecureCheck/GrayList
2025-04-13 19:10:31 [Info] HttpGetToBuffer Success : aegis-abroad.alicdn.com/download/SecureCheck/GrayList,code:200, ret:0
2025-04-13 19:10:31 [Info] HttpGetToBuffer Success : aegis-abroad.alicdn.com/download/SecureCheck/GrayList.md5,code:200, ret:0
2025-04-13 19:10:31 [Info] DownLoadBuffer ok update.aegis.aliyun.com/download/SecureCheck/GrayList
2025-04-13 19:10:31 [Info] start to check remote md5
2025-04-13 19:10:31 [Info] start DownLoadFile update.aegis.aliyun.com/download/SecureCheck/Gray/win32/AliSecureCheckAdvanced.zip.md5
2025-04-13 19:10:31 [Info] HttpGetToBuffer Success : aegis-abroad.alicdn.com/download/SecureCheck/Gray/win32/AliSecureCheckAdvanced.zip.md5,code:200, ret:0
2025-04-13 19:10:31 [Info] DownLoadFile ok C:/Program Files (x86)/Alibaba/Aegis/PythonLoader/AliSecureCheckAdvanced.zip.md5.tmp
2025-04-13 19:10:31 [Info] run rtap work --alihips-dumpcheck
2025-04-13 19:10:31 [Info] ipc client:Rtap288011744542631_handler Reg client_name:Rtap288011744542631 on WhiteList
2025-04-13 19:10:31 [Info] New ClientConnectNotify : Rtap288011744542631 
2025-04-13 19:10:31 [Info] ipc client:Rtap288011744542631 Reg msg_type:T_MSG_IPC_NETWORK_NOTIFY on WhiteList
2025-04-13 19:10:31 [Info] ipc client:Rtap288011744542631 Reg client_name:protocol_ipc_client on WhiteList
2025-04-13 19:10:31 [Info] New ClientConnectNotify : Rtap286341744542580 
2025-04-13 19:10:31 [Info] ipc client:Rtap286341744542580 Reg msg_type:T_MSG_IPC_NETWORK_NOTIFY on WhiteList
2025-04-13 19:10:31 [Info] ipc client:Rtap286341744542580 Reg client_name:protocol_ipc_client on WhiteList
2025-04-13 19:10:31 [Info] bin info:c:/program files (x86)/alibaba/aegis/pythonloader/alisecurecheckadvanced.exe 6b7c2c2c4c32456717ad38d39da38e40 2396
2025-04-13 19:10:31 [Info] Rtap Platform Rtap288011744542631 execv work --alihips-dumpcheck on pid 2396
2025-04-13 19:10:33 [Info] start DownLoadBuffer update.aegis.aliyun.com/download/SecureCheck/GrayList
2025-04-13 19:10:33 [Info] HttpGetToBuffer Success : aegis-abroad.alicdn.com/download/SecureCheck/GrayList,code:200, ret:0
2025-04-13 19:10:33 [Info] monitor trans 30 to 5
2025-04-13 19:10:33 [Info] TotalPhys:1023,AvailPhys:451,TotalVirtual:2047,AvailVirtual:1960,TotalPageFile:6143,AvailPageFile:5540,SelfWorkingSet:18984, SelfPageFile:30112
2025-04-13 19:10:33 [Info] CommitTotal:602,CommitLimit:6143,CommitPeak:892,PhysicalTotal:1023,PhysicalAvailable:451,SystemCache:430,KernelTotal:212,KernelPaged:162,KernelNonpaged:49,PageSize:4096,HandleCount:11571,ProcessCount:38,ThreadCount:523
2025-04-13 19:10:33 [Info] mem user conf:204800
2025-04-13 19:10:33 [Info] Get process memory percent[0], real[18936]
2025-04-13 19:10:33 [Info] HttpGetToBuffer Success : aegis-abroad.alicdn.com/download/SecureCheck/GrayList.md5,code:200, ret:0
2025-04-13 19:10:33 [Info] DownLoadBuffer ok update.aegis.aliyun.com/download/SecureCheck/GrayList
2025-04-13 19:10:33 [Info] start to check remote md5
2025-04-13 19:10:33 [Info] start DownLoadFile update.aegis.aliyun.com/download/SecureCheck/Gray/win32/AliSecureCheckAdvanced.zip.md5
2025-04-13 19:10:33 [Info] HttpGetToBuffer Success : aegis-abroad.alicdn.com/download/SecureCheck/Gray/win32/AliSecureCheckAdvanced.zip.md5,code:200, ret:0
2025-04-13 19:10:33 [Info] DownLoadFile ok C:/Program Files (x86)/Alibaba/Aegis/PythonLoader/AliSecureCheckAdvanced.zip.md5.tmp
2025-04-13 19:10:33 [Info] run rtap work --windows-sysinfoext-check
2025-04-13 19:10:33 [Info] ipc client:Rtap288071744542633_handler Reg client_name:Rtap288071744542633 on WhiteList
2025-04-13 19:10:33 [Info] New ClientConnectNotify : Rtap288071744542633 
2025-04-13 19:10:33 [Info] ipc client:Rtap288071744542633 Reg msg_type:T_MSG_IPC_NETWORK_NOTIFY on WhiteList
2025-04-13 19:10:33 [Info] ipc client:Rtap288071744542633 Reg client_name:protocol_ipc_client on WhiteList
2025-04-13 19:10:34 [Info] Rtap Platform Rtap288071744542633 execv work --windows-sysinfoext-check on pid 2648
2025-04-13 19:10:34 [Info] Actively Stop Trace Session.
2025-04-13 19:10:34 [Info] Registry Event Reg Ok.
2025-04-13 19:10:34 [Info] thread unknown using 15ms
2025-04-13 19:10:34 [Warn] Process Trace Exit.
2025-04-13 19:10:34 [Warn] Trace Finish.
2025-04-13 19:10:35 [Info] resource mode user conf:3
2025-04-13 19:10:35 [Info] resource cpu user conf:10
2025-04-13 19:10:35 [Info] resource get res:2
2025-04-13 19:10:35 [Info] not match 0 try to start resource limit
2025-04-13 19:10:35 [Info] get AssignProcessToJobObject handle [000007F8]
2025-04-13 19:10:35 [Info] Set setJobExtended.
2025-04-13 19:10:35 [Info] Set cpu [10%]
2025-04-13 19:10:35 [Info] Set cpu success
2025-04-13 19:10:35 [Info] cpu user conf:10
2025-04-13 19:10:41 [Info] Done Work --windows-sysinfoext-check:1
2025-04-13 19:10:41 [Info] Rtap Platform Rtap288071744542633 Exit:normal exit
2025-04-13 19:10:46 [Info] ClientDisConnectNotify : Rtap288071744542633
2025-04-13 19:10:47 [Info] Done Work --alihips-dumpcheck:1
2025-04-13 19:10:47 [Info] Rtap Platform Rtap288011744542631 Exit:normal exit
2025-04-13 19:10:50 [Info] ClientDisConnectNotify : Rtap288011744542631
2025-04-13 19:11:30 [Info] ClientDisConnectNotify : Rtap286341744542580
2025-04-13 19:11:31 [Info] ClientDisConnectNotify : Rtap286281744542578
2025-04-13 19:11:32 [Info] bin info:c:/windows/system32/msdtc.exe 915747e010a9414b069173284a9b93f4 1896
2025-04-13 19:11:33 [Warn] GetWarningCpu : 9
2025-04-13 19:11:34 [Info] bin info:c:/windows/system32/sppsvc.exe 8b14e197db9c8e2b5447cd8afce92e1f 2748
2025-04-13 19:13:32 [Info] bin info:c:/windows/system32/wbem/wmiadap.exe 75553c46e42f5de6111474ced8ce1748 2408
2025-04-13 19:14:32 [Info] bin info:c:/windows/servicing/trustedinstaller.exe 44a94fb4c76528d2382ffe04b05827c3 1812
2025-04-13 19:14:33 [Info] bin info:c:/windows/winsxs/amd64_microsoft-windows-servicingstack_31bf3856ad364e35_6.3.9600.21562_none_fabae880b450ccda/tiworker.exe 31a44bcc0261760d4cdb63695a201579 704
2025-04-13 19:14:33 [Info] bin info:c:/windows/system32/wbem/wmiprvse.exe ef1ede95aa196c83c4138e4766e0d9fb 2800
2025-04-13 19:15:03 [Warn] GetWarningCpu : 9
2025-04-13 19:16:06 [Warn] GetWarningCpu : 9
2025-04-13 19:16:08 [Warn] GetMaxCpu : 12
2025-04-13 19:16:08 [Warn] GetWarningCpu : 12
2025-04-13 19:16:25 [Info] bin info:c:/windows/system32/taskhost.exe 7016acd1d0c1cc6acf45cbc6c90d0575 1268
2025-04-13 19:16:26 [Info] bin info:c:/windows/system32/compattel/diagtrackrunner.exe ccf0eaacc822ec72830ab56ea29d952f 1828
2025-04-13 19:16:26 [Info] bin info:c:/windows/system32/taskhostex.exe 7e10190f9497903ec69714d721809f8f 2036
2025-04-13 19:16:27 [Info] bin info:c:/windows/system32/wsqmcons.exe 4b8899882458d96fdd8677d49bd0c5b0 792
2025-04-13 19:16:27 [Info] bin info:c:/windows/system32/conhost.exe eaa3ee12b2caa0365f2b4d495b50ad22 620
2025-04-13 19:16:32 [Info] bin info:c:/windows/system32/compattelrunner.exe e6a87c35ddb33cfb1e45902d5641fdb6 2300
2025-04-13 19:17:08 [Info] bin info:c:/windows/system32/genvalobj.exe 6176f8433864da8696a50fc9b4ab69f2 3024
2025-04-13 19:17:48 [Info] bin info:c:/windows/system32/schtasks.exe 2e9e198247bf0e9bd94b42286798a5ac 2680
2025-04-13 19:17:53 [Warn] GetWarningCpu : 9
2025-04-13 19:39:26 [Info] bin info:c:/windows/system32/rundll32.exe 6c308d32afa41d26ce2a0ea8f7b79565 1844
2025-04-13 19:40:13 [Info] shell_script info:c:/programdata/aliyun/assist/2.1.4.920/install.bat 9d16722d3813607be1f76ddc7f680bcf 
2025-04-13 19:40:14 [Warn] GetMaxCpu : 14
2025-04-13 19:40:14 [Warn] GetWarningCpu : 14
2025-04-13 19:40:15 [Warn] GetWarningCpu : 10
2025-04-13 19:40:18 [Info] bin info:c:/programdata/aliyun/assist/2.1.3.857/aliyun_assist_update.exe 75d43d0356bd4722584661fb208f7c36 2588
2025-04-13 19:40:18 [Info] bin info:c:/windows/system32/cmd.exe f5ae03de0ad60f5b17b82f2cd68402fe 1976
2025-04-13 19:40:19 [Info] bin info:c:/programdata/aliyun/assist/2.1.4.920/install.exe 71cff236dbb2f964eb6ebcbcb58cde2c 976
2025-04-13 19:40:19 [Warn] bin info size limit:c:/programdata/aliyun/assist/2.1.4.920/aliyun_assist_service.exe,28465608,20971520
2025-04-13 19:40:20 [Info] bin info:c:/windows/system32/windowspowershell/v1.0/powershell.exe b3ad5364cf04b6ab05616dd483aaf618 2516
2025-04-13 19:42:17 [Info] GetMessage : T_MSG_CHECK
2025-04-13 19:42:17 [Info] task 4a2828b5-cab5-4df8-8bb6-097322a68c6f has 1 items, priority is 1, aggregate is 0
2025-04-13 19:42:18 [Info] start DownLoadBuffer update.aegis.aliyun.com/download/SecureCheck/GrayList
2025-04-13 19:42:18 [Info] HttpGetToBuffer Success : aegis-abroad.alicdn.com/download/SecureCheck/GrayList,code:200, ret:0
2025-04-13 19:42:18 [Info] HttpGetToBuffer Success : aegis-abroad.alicdn.com/download/SecureCheck/GrayList.md5,code:200, ret:0
2025-04-13 19:42:18 [Info] DownLoadBuffer ok update.aegis.aliyun.com/download/SecureCheck/GrayList
2025-04-13 19:42:18 [Info] start to check remote md5
2025-04-13 19:42:18 [Info] start DownLoadFile update.aegis.aliyun.com/download/SecureCheck/Gray/win32/AliSecureCheckAdvanced.zip.md5
2025-04-13 19:42:18 [Info] HttpGetToBuffer Success : aegis-abroad.alicdn.com/download/SecureCheck/Gray/win32/AliSecureCheckAdvanced.zip.md5,code:200, ret:0
2025-04-13 19:42:18 [Info] DownLoadFile ok C:/Program Files (x86)/Alibaba/Aegis/PythonLoader/AliSecureCheckAdvanced.zip.md5.tmp
2025-04-13 19:42:18 [Info] run rtap work --alisecguard-config
2025-04-13 19:42:18 [Info] ipc client:Rtap22601744544538_handler Reg client_name:Rtap22601744544538 on WhiteList
2025-04-13 19:42:18 [Info] New ClientConnectNotify : Rtap22601744544538 
2025-04-13 19:42:18 [Info] ipc client:Rtap22601744544538 Reg msg_type:T_MSG_IPC_NETWORK_NOTIFY on WhiteList
2025-04-13 19:42:18 [Info] ipc client:Rtap22601744544538 Reg client_name:protocol_ipc_client on WhiteList
2025-04-13 19:42:19 [Info] Rtap Platform Rtap22601744544538 execv work --alisecguard-config on pid 3008
2025-04-13 19:42:26 [Info] Done Work --alisecguard-config:1
2025-04-13 19:42:26 [Info] Rtap Platform Rtap22601744544538 Exit:normal exit
2025-04-13 19:42:32 [Info] ClientDisConnectNotify : Rtap22601744544538
2025-04-13 19:42:34 [Info] bin info:c:/windows/system32/wbem/wmic.exe 28c17798ecb0e8d548ceedec6cce2640 1808
2025-04-13 20:07:57 [Info] bin info:c:/windows/system32/sc.exe 7afdba07926be8ab1770cf59a35ff0b7 2704
2025-04-13 20:10:01 [Warn] GetWarningCpu : 9
2025-04-13 20:10:10 [Warn] GetWarningCpu : 9
2025-04-13 20:10:34 [Info] cmdchain cache limit:50000 and over time cache clean now size :[0]
2025-04-13 20:10:34 [Info] cmdchain cache new limit:50000 and over time cache clean now size :[156]
2025-04-13 20:10:47 [Info] TotalPhys:1023,AvailPhys:493,TotalVirtual:2047,AvailVirtual:1959,TotalPageFile:6143,AvailPageFile:5248,SelfWorkingSet:11576, SelfPageFile:30808
2025-04-13 20:10:47 [Info] CommitTotal:894,CommitLimit:6143,CommitPeak:1959,PhysicalTotal:1023,PhysicalAvailable:493,SystemCache:403,KernelTotal:268,KernelPaged:217,KernelNonpaged:51,PageSize:4096,HandleCount:9694,ProcessCount:30,ThreadCount:365
2025-04-13 20:11:15 [Info] cmdchain cache limit:50000 and over time cache clean now size :[0]
2025-04-13 20:11:15 [Info] cmdchain cache new limit:50000 and over time cache clean now size :[21]
2025-04-13 20:11:46 [Info] exception info: {"bin_file_list_drop":"0","conn_first_work_time":"3","conn_work_time":"3","connect_filter_total_count":"137","connect_filter_total_length":"112712","connect_merge_cache_count":"1","connect_merge_filter_count":"68","connect_merge_filter_count1":"68","connect_merge_filter_length":"53278","connect_profile_cache_count":"21","connect_profile_cache_limit":"0","connect_profile_filter_count":"32","connect_profile_filter_count1":"32","connect_profile_filter_length":"27520","connect_profile_no_ccp_count":"0","connect_static_filter_count":"0","connect_static_filter_length":"0","cpu_avg":"0.07","cpu_limit_enable":"1","cpu_limit_error_code":"0","cpu_limit_param_error_code":"0","cpu_warn_count":"0","fanotify_rate_limit":"0","fd_count":"492","file_change_list_drop":"0","inotify_node_limit":"0","ipc_msg_list_drop":"0","md5_file_not_exist":"1","md5_web_file_not_exist":"0","mem_avg":"10332.28","module_load_failed":"0","net_connect_list_drop_count":"0","net_connect_positive_drop_count":"0","net_connect_send_count":"137","net_connect_total_count":"137","net_connect_valid_send_count":"137","net_list_length":"0","net_tx_overflow":"0","network_rx_err":"0","network_tx_drop":"0","network_tx_overflow":"0","proc_filter_level":"2","proc_filter_total_count":"56","proc_filter_total_length":"62479","proc_first_work_time":"1927","proc_list_drop_count":"0","proc_list_length":"0","proc_merge_cache_count":"3","proc_merge_filter_count":"1","proc_merge_filter_count1":"1","proc_merge_filter_length":"917","proc_positive_drop_count":"0","proc_profile_cache_count":"38","proc_profile_cache_limit":"0","proc_profile_filter_count":"3","proc_profile_filter_count1":"3","proc_profile_filter_length":"2900","proc_profile_no_ccp_count":"0","proc_send_count":"56","proc_static_filter_count":"0","proc_static_filter_length":"0","proc_total_count":"56","proc_tx_overflow":"0","proc_valid_send_count":"54","proc_work_time":"-1","procfile_filter_total_count":"237","procfile_filter_total_length":"197897","procfile_first_work_time":"266","procfile_merge_cache_count":"0","procfile_merge_filter_count":"0","procfile_merge_filter_count1":"0","procfile_merge_filter_length":"0","procfile_profile_cache_count":"157","procfile_profile_cache_limit":"0","procfile_profile_filter_count":"57","procfile_profile_filter_count1":"57","procfile_profile_filter_length":"45369","procfile_profile_no_ccp_count":"6","procfile_static_filter_count":"0","procfile_static_filter_length":"0","procfile_work_time":"-1","rtap_instance_abnormal":"0","script_file_list_drop":"0","script_md5_file_not_exist":"0","sys_login_config_error":"1","timer_skew":"0","update_update_fail":"7","web_file_list_drop":"0","web_file_size_fail":"0","web_path_failed":"0","web_rule_load_fail":"0","webshell_scan_timeout":"0"}
2025-04-13 20:12:01 [Info] cmdchain cache limit:50000 and over time cache clean now size :[0]
2025-04-13 20:12:01 [Info] cmdchain cache new limit:50000 and over time cache clean now size :[38]
2025-04-13 20:14:13 [Info] GetMessage : T_MSG_CHECK
2025-04-13 20:14:13 [Info] task b42ba826-7b04-4022-9701-660c02fde39f has 1 items, priority is 1, aggregate is 0
2025-04-13 20:14:14 [Info] start DownLoadBuffer update.aegis.aliyun.com/download/SecureCheck/GrayList
2025-04-13 20:14:14 [Info] HttpGetToBuffer Success : aegis-abroad.alicdn.com/download/SecureCheck/GrayList,code:200, ret:0
2025-04-13 20:14:14 [Info] HttpGetToBuffer Success : aegis-abroad.alicdn.com/download/SecureCheck/GrayList.md5,code:200, ret:0
2025-04-13 20:14:14 [Info] DownLoadBuffer ok update.aegis.aliyun.com/download/SecureCheck/GrayList
2025-04-13 20:14:14 [Info] start to check remote md5
2025-04-13 20:14:14 [Info] start DownLoadFile update.aegis.aliyun.com/download/SecureCheck/Gray/win32/AliSecureCheckAdvanced.zip.md5
2025-04-13 20:14:14 [Info] HttpGetToBuffer Success : aegis-abroad.alicdn.com/download/SecureCheck/Gray/win32/AliSecureCheckAdvanced.zip.md5,code:200, ret:0
2025-04-13 20:14:14 [Info] DownLoadFile ok C:/Program Files (x86)/Alibaba/Aegis/PythonLoader/AliSecureCheckAdvanced.zip.md5.tmp
2025-04-13 20:14:14 [Info] run rtap work --alisecguard-config
2025-04-13 20:14:14 [Info] ipc client:Rtap85171744546454_handler Reg client_name:Rtap85171744546454 on WhiteList
2025-04-13 20:14:14 [Info] New ClientConnectNotify : Rtap85171744546454 
2025-04-13 20:14:14 [Info] ipc client:Rtap85171744546454 Reg msg_type:T_MSG_IPC_NETWORK_NOTIFY on WhiteList
2025-04-13 20:14:14 [Info] ipc client:Rtap85171744546454 Reg client_name:protocol_ipc_client on WhiteList
2025-04-13 20:14:15 [Info] Rtap Platform Rtap85171744546454 execv work --alisecguard-config on pid 2244
2025-04-13 20:14:22 [Info] Done Work --alisecguard-config:1
2025-04-13 20:14:22 [Info] Rtap Platform Rtap85171744546454 Exit:normal exit
2025-04-13 20:14:27 [Info] ClientDisConnectNotify : Rtap85171744546454
2025-04-13 20:16:19 [Info] GetMessage : T_MSG_GET_GRAY_FILE_PUSH
2025-04-13 20:16:19 [Info] GetMessage : T_MSG_GET_GRAY_FILE_PUSH
2025-04-13 20:16:20 [Info] start DownLoadFile update.aegis.aliyun.com/grayfile/16
2025-04-13 20:16:20 [Info] HttpGetToBuffer Success : aegis-abroad.alicdn.com/grayfile/16,code:200, ret:0
2025-04-13 20:16:20 [Info] DownLoadFile ok C:/Program Files (x86)/Alibaba/Aegis/aegis_client/aegis_11_36/rule/procchain.data
2025-04-13 20:16:20 [Info] update rule procchain.data success
2025-04-13 20:16:20 [Info] start DownLoadFile update.aegis.aliyun.com/grayfile/21
2025-04-13 20:16:20 [Info] HttpGetToBuffer Success : aegis-abroad.alicdn.com/grayfile/21,code:200, ret:0
2025-04-13 20:16:20 [Info] DownLoadFile ok C:/Program Files (x86)/Alibaba/Aegis/aegis_client/aegis_11_36/rule/evtlog.data
2025-04-13 20:16:20 [Info] update rule evtlog.data success
2025-04-13 20:16:20 [Info] Subscribe Security Success
2025-04-13 20:16:20 [Info] Subscribe System Success
2025-04-13 20:16:20 [Info] Subscribe Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational Success
2025-04-13 20:16:20 [Info] Subscribe Microsoft-Windows-TerminalServices-LocalSessionManager/Operational Success
2025-04-13 20:16:20 [Info] Subscribe Microsoft-Windows-PowerShell/Operational Success
2025-04-13 20:16:20 [Info] Load win evt log ok.
2025-04-13 20:46:11 [Info] GetMessage : T_MSG_CHECK
2025-04-13 20:46:11 [Info] task 34bd70bf-e116-4b76-bd08-4d134c750eaf has 1 items, priority is 1, aggregate is 0
2025-04-13 20:46:12 [Info] start DownLoadBuffer update.aegis.aliyun.com/download/SecureCheck/GrayList
2025-04-13 20:46:12 [Info] HttpGetToBuffer Success : aegis-abroad.alicdn.com/download/SecureCheck/GrayList,code:200, ret:0
2025-04-13 20:46:12 [Info] HttpGetToBuffer Success : aegis-abroad.alicdn.com/download/SecureCheck/GrayList.md5,code:200, ret:0
2025-04-13 20:46:12 [Info] DownLoadBuffer ok update.aegis.aliyun.com/download/SecureCheck/GrayList
2025-04-13 20:46:12 [Info] start to check remote md5
2025-04-13 20:46:12 [Info] start DownLoadFile update.aegis.aliyun.com/download/SecureCheck/Gray/win32/AliSecureCheckAdvanced.zip.md5
2025-04-13 20:46:12 [Info] HttpGetToBuffer Success : aegis-abroad.alicdn.com/download/SecureCheck/Gray/win32/AliSecureCheckAdvanced.zip.md5,code:200, ret:0
2025-04-13 20:46:12 [Info] DownLoadFile ok C:/Program Files (x86)/Alibaba/Aegis/PythonLoader/AliSecureCheckAdvanced.zip.md5.tmp
2025-04-13 20:46:12 [Info] run rtap work --alisecguard-config
2025-04-13 20:46:12 [Info] ipc client:Rtap147801744548372_handler Reg client_name:Rtap147801744548372 on WhiteList
2025-04-13 20:46:12 [Info] New ClientConnectNotify : Rtap147801744548372 
2025-04-13 20:46:12 [Info] ipc client:Rtap147801744548372 Reg msg_type:T_MSG_IPC_NETWORK_NOTIFY on WhiteList
2025-04-13 20:46:12 [Info] ipc client:Rtap147801744548372 Reg client_name:protocol_ipc_client on WhiteList
2025-04-13 20:46:12 [Warn] GetWarningCpu : 9
2025-04-13 20:46:12 [Info] Rtap Platform Rtap147801744548372 execv work --alisecguard-config on pid 2816
2025-04-13 20:46:19 [Info] Done Work --alisecguard-config:1
2025-04-13 20:46:19 [Info] Rtap Platform Rtap147801744548372 Exit:normal exit
2025-04-13 20:46:25 [Info] ClientDisConnectNotify : Rtap147801744548372
2025-04-13 21:10:57 [Info] cmdchain cache limit:50000 and over time cache clean now size :[0]
2025-04-13 21:10:57 [Info] cmdchain cache new limit:50000 and over time cache clean now size :[169]
2025-04-13 21:10:58 [Info] TotalPhys:1023,AvailPhys:681,TotalVirtual:2047,AvailVirtual:1955,TotalPageFile:6143,AvailPageFile:5425,SelfWorkingSet:12108, SelfPageFile:31020
2025-04-13 21:10:58 [Info] CommitTotal:718,CommitLimit:6143,CommitPeak:1959,PhysicalTotal:1023,PhysicalAvailable:681,SystemCache:351,KernelTotal:170,KernelPaged:119,KernelNonpaged:51,PageSize:4096,HandleCount:9022,ProcessCount:27,ThreadCount:331
2025-04-13 21:11:36 [Info] exception info: {"bin_file_list_drop":"0","conn_first_work_time":"3","conn_work_time":"3","connect_filter_total_count":"93","connect_filter_total_length":"79664","connect_merge_cache_count":"3","connect_merge_filter_count":"41","connect_merge_filter_count1":"41","connect_merge_filter_length":"34624","connect_profile_cache_count":"23","connect_profile_cache_limit":"0","connect_profile_filter_count":"45","connect_profile_filter_count1":"45","connect_profile_filter_length":"38660","connect_profile_no_ccp_count":"0","connect_static_filter_count":"0","connect_static_filter_length":"0","cpu_avg":"0.00","cpu_limit_enable":"1","cpu_limit_error_code":"0","cpu_limit_param_error_code":"0","cpu_warn_count":"0","fanotify_rate_limit":"0","fd_count":"513","file_change_list_drop":"0","inotify_node_limit":"0","ipc_msg_list_drop":"0","md5_file_not_exist":"0","md5_web_file_not_exist":"0","mem_avg":"11948.18","module_load_failed":"0","net_connect_list_drop_count":"0","net_connect_positive_drop_count":"0","net_connect_send_count":"93","net_connect_total_count":"93","net_connect_valid_send_count":"93","net_list_length":"0","net_tx_overflow":"0","network_rx_err":"0","network_tx_drop":"0","network_tx_overflow":"0","proc_filter_level":"2","proc_filter_total_count":"16","proc_filter_total_length":"17348","proc_first_work_time":"1927","proc_list_drop_count":"0","proc_list_length":"0","proc_merge_cache_count":"1","proc_merge_filter_count":"2","proc_merge_filter_count1":"2","proc_merge_filter_length":"1832","proc_positive_drop_count":"0","proc_profile_cache_count":"38","proc_profile_cache_limit":"0","proc_profile_filter_count":"9","proc_profile_filter_count1":"9","proc_profile_filter_length":"9600","proc_profile_no_ccp_count":"0","proc_send_count":"16","proc_static_filter_count":"0","proc_static_filter_length":"0","proc_total_count":"16","proc_tx_overflow":"0","proc_valid_send_count":"15","proc_work_time":"3693","procfile_filter_total_count":"79","procfile_filter_total_length":"66002","procfile_first_work_time":"266","procfile_merge_cache_count":"0","procfile_merge_filter_count":"0","procfile_merge_filter_count1":"0","procfile_merge_filter_length":"0","procfile_profile_cache_count":"169","procfile_profile_cache_limit":"0","procfile_profile_filter_count":"61","procfile_profile_filter_count1":"61","procfile_profile_filter_length":"48827","procfile_profile_no_ccp_count":"0","procfile_static_filter_count":"0","procfile_static_filter_length":"0","procfile_work_time":"3690","rtap_instance_abnormal":"0","script_file_list_drop":"0","script_md5_file_not_exist":"0","sys_login_config_error":"1","timer_skew":"0","update_update_fail":"0","web_file_list_drop":"0","web_file_size_fail":"0","web_path_failed":"0","web_rule_load_fail":"0","webshell_scan_timeout":"0"}
2025-04-13 21:12:02 [Info] cmdchain cache limit:50000 and over time cache clean now size :[0]
2025-04-13 21:12:02 [Info] cmdchain cache new limit:50000 and over time cache clean now size :[23]
2025-04-13 21:12:26 [Info] start to update proc chain rule, path C:/Program Files (x86)/Alibaba/Aegis/aegis_client/aegis_11_36/rule/procchain.data
2025-04-13 21:12:26 [Info] md5 equal:C:/Program Files (x86)/Alibaba/Aegis/aegis_client/aegis_11_36/rule/procchain.data:26a4eab7534891fb1eed4d78ca99f4e7
2025-04-13 21:12:26 [Info] update rule procchain.data success
2025-04-13 21:12:26 [Info] start to update script rule, path C:/Program Files (x86)/Alibaba/Aegis/aegis_client/aegis_11_36/rule/scriptfilter.data
2025-04-13 21:12:26 [Warn] No Type about script_filter_windows
2025-04-13 21:12:26 [Info] start to update event log rule, path C:/Program Files (x86)/Alibaba/Aegis/aegis_client/aegis_11_36/rule/evtlog.data
2025-04-13 21:12:26 [Info] md5 equal:C:/Program Files (x86)/Alibaba/Aegis/aegis_client/aegis_11_36/rule/evtlog.data:ea00b991fae4851d9150c5fdf59d2f03
2025-04-13 21:12:26 [Info] update rule evtlog.data success
2025-04-13 21:12:35 [Info] cmdchain cache limit:50000 and over time cache clean now size :[0]
2025-04-13 21:12:35 [Info] cmdchain cache new limit:50000 and over time cache clean now size :[38]
2025-04-13 21:18:09 [Info] GetMessage : T_MSG_CHECK
2025-04-13 21:18:09 [Info] task 22c65771-e791-4ada-a971-f0a50bb67735 has 1 items, priority is 1, aggregate is 0
2025-04-13 21:18:10 [Info] start DownLoadBuffer update.aegis.aliyun.com/download/SecureCheck/GrayList
2025-04-13 21:18:10 [Info] HttpGetToBuffer Success : aegis-abroad.alicdn.com/download/SecureCheck/GrayList,code:200, ret:0
2025-04-13 21:18:10 [Info] HttpGetToBuffer Success : aegis-abroad.alicdn.com/download/SecureCheck/GrayList.md5,code:200, ret:0
2025-04-13 21:18:10 [Info] DownLoadBuffer ok update.aegis.aliyun.com/download/SecureCheck/GrayList
2025-04-13 21:18:10 [Info] start to check remote md5
2025-04-13 21:18:10 [Info] start DownLoadFile update.aegis.aliyun.com/download/SecureCheck/Gray/win32/AliSecureCheckAdvanced.zip.md5
2025-04-13 21:18:10 [Info] HttpGetToBuffer Success : aegis-abroad.alicdn.com/download/SecureCheck/Gray/win32/AliSecureCheckAdvanced.zip.md5,code:200, ret:0
2025-04-13 21:18:10 [Info] DownLoadFile ok C:/Program Files (x86)/Alibaba/Aegis/PythonLoader/AliSecureCheckAdvanced.zip.md5.tmp
2025-04-13 21:18:10 [Info] run rtap work --alisecguard-config
2025-04-13 21:18:10 [Info] ipc client:Rtap210441744550290_handler Reg client_name:Rtap210441744550290 on WhiteList
2025-04-13 21:18:10 [Info] New ClientConnectNotify : Rtap210441744550290 
2025-04-13 21:18:10 [Info] ipc client:Rtap210441744550290 Reg msg_type:T_MSG_IPC_NETWORK_NOTIFY on WhiteList
2025-04-13 21:18:10 [Info] ipc client:Rtap210441744550290 Reg client_name:protocol_ipc_client on WhiteList
2025-04-13 21:18:11 [Info] Rtap Platform Rtap210441744550290 execv work --alisecguard-config on pid 2128
2025-04-13 21:18:18 [Info] Done Work --alisecguard-config:1
2025-04-13 21:18:18 [Info] Rtap Platform Rtap210441744550290 Exit:normal exit
2025-04-13 21:18:24 [Info] ClientDisConnectNotify : Rtap210441744550290
2025-04-13 22:10:59 [Info] cmdchain cache limit:50000 and over time cache clean now size :[0]
2025-04-13 22:10:59 [Info] cmdchain cache new limit:50000 and over time cache clean now size :[173]
2025-04-13 22:11:10 [Info] TotalPhys:1023,AvailPhys:680,TotalVirtual:2047,AvailVirtual:1959,TotalPageFile:6143,AvailPageFile:5426,SelfWorkingSet:11904, SelfPageFile:30516
2025-04-13 22:11:10 [Info] CommitTotal:717,CommitLimit:6143,CommitPeak:1959,PhysicalTotal:1023,PhysicalAvailable:680,SystemCache:355,KernelTotal:170,KernelPaged:119,KernelNonpaged:51,PageSize:4096,HandleCount:8974,ProcessCount:27,ThreadCount:318
2025-04-13 22:11:26 [Info] exception info: {"bin_file_list_drop":"0","conn_first_work_time":"3","conn_work_time":"3","connect_filter_total_count":"78","connect_filter_total_length":"65937","connect_merge_cache_count":"3","connect_merge_filter_count":"30","connect_merge_filter_count1":"30","connect_merge_filter_length":"24410","connect_profile_cache_count":"23","connect_profile_cache_limit":"0","connect_profile_filter_count":"46","connect_profile_filter_count1":"46","connect_profile_filter_length":"39521","connect_profile_no_ccp_count":"0","connect_static_filter_count":"0","connect_static_filter_length":"0","cpu_avg":"0.00","cpu_limit_enable":"1","cpu_limit_error_code":"0","cpu_limit_param_error_code":"0","cpu_warn_count":"0","fanotify_rate_limit":"0","fd_count":"507","file_change_list_drop":"0","inotify_node_limit":"0","ipc_msg_list_drop":"0","md5_file_not_exist":"0","md5_web_file_not_exist":"0","mem_avg":"12006.03","module_load_failed":"0","net_connect_list_drop_count":"0","net_connect_positive_drop_count":"0","net_connect_send_count":"78","net_connect_total_count":"78","net_connect_valid_send_count":"78","net_list_length":"0","net_tx_overflow":"0","network_rx_err":"0","network_tx_drop":"0","network_tx_overflow":"0","proc_filter_level":"2","proc_filter_total_count":"15","proc_filter_total_length":"15789","proc_first_work_time":"1927","proc_list_drop_count":"0","proc_list_length":"0","proc_merge_cache_count":"5","proc_merge_filter_count":"4","proc_merge_filter_count1":"4","proc_merge_filter_length":"3664","proc_positive_drop_count":"0","proc_profile_cache_count":"38","proc_profile_cache_limit":"0","proc_profile_filter_count":"11","proc_profile_filter_count1":"11","proc_profile_filter_length":"12125","proc_profile_no_ccp_count":"0","proc_send_count":"15","proc_static_filter_count":"0","proc_static_filter_length":"0","proc_total_count":"15","proc_tx_overflow":"0","proc_valid_send_count":"15","proc_work_time":"3693","procfile_filter_total_count":"70","procfile_filter_total_length":"57449","procfile_first_work_time":"266","procfile_merge_cache_count":"0","procfile_merge_filter_count":"0","procfile_merge_filter_count1":"0","procfile_merge_filter_length":"0","procfile_profile_cache_count":"173","procfile_profile_cache_limit":"0","procfile_profile_filter_count":"63","procfile_profile_filter_count1":"63","procfile_profile_filter_length":"50483","procfile_profile_no_ccp_count":"0","procfile_static_filter_count":"0","procfile_static_filter_length":"0","procfile_work_time":"3690","rtap_instance_abnormal":"0","script_file_list_drop":"0","script_md5_file_not_exist":"0","sys_login_config_error":"1","timer_skew":"0","update_update_fail":"0","web_file_list_drop":"0","web_file_size_fail":"0","web_path_failed":"0","web_rule_load_fail":"0","webshell_scan_timeout":"0"}
2025-04-13 22:12:12 [Info] cmdchain cache limit:50000 and over time cache clean now size :[0]
2025-04-13 22:12:12 [Info] cmdchain cache new limit:50000 and over time cache clean now size :[23]
2025-04-13 22:12:36 [Info] cmdchain cache limit:50000 and over time cache clean now size :[0]
2025-04-13 22:12:36 [Info] cmdchain cache new limit:50000 and over time cache clean now size :[38]
2025-04-13 22:28:22 [Info] start DownLoadNakedBuffer 100.100.100.200/2016-01-01/global-config
2025-04-13 22:28:22 [Info] DownLoadNakedBuffer ok 100.100.100.200/2016-01-01/global-config
2025-04-13 22:28:22 [Info] get empty metaserver config
2025-04-13 22:28:22 [Info] HttpPostFromBuffer Success:update2.aegis.aliyun.com/uuidRequest,code:200, ret:0
2025-04-13 22:28:22 [Info] http request ret : {"result":{"aegis_update_domain":"aegis-abroad.alicdn.com|update-ap-southeast-5.aegis.aliyuncs.com","aegis_server_domain":"jsrv-ap-southeast-5.aegis.aliyuncs.com","uuid":"820992e8-7461-4d94-990c-699c347c1c4a"},"code":1}
2025-04-13 22:28:22 [Info] Currentuid Ret : 820992e8-7461-4d94-990c-699c347c1c4a
2025-04-13 22:28:22 [Info] start DownLoadBuffer update.aegis.aliyun.com/download/cert/root.md5
2025-04-13 22:28:22 [Info] HttpGetToBuffer Success : aegis-abroad.alicdn.com/download/cert/root.md5,code:200, ret:0
2025-04-13 22:28:22 [Info] DownLoadBuffer ok update.aegis.aliyun.com/download/cert/root.md5
2025-04-13 22:28:22 [Info] empty md5 buf
2025-04-13 22:28:22 [Info] cert file in C:/Program Files (x86)/Alibaba/Aegis/globalcfg/aegis.crt not need sync
2025-04-13 23:11:20 [Info] TotalPhys:1023,AvailPhys:681,TotalVirtual:2047,AvailVirtual:1959,TotalPageFile:6143,AvailPageFile:5425,SelfWorkingSet:12056, SelfPageFile:30508
2025-04-13 23:11:20 [Info] CommitTotal:717,CommitLimit:6143,CommitPeak:1959,PhysicalTotal:1023,PhysicalAvailable:681,SystemCache:360,KernelTotal:170,KernelPaged:119,KernelNonpaged:51,PageSize:4096,HandleCount:8983,ProcessCount:27,ThreadCount:323
2025-04-13 23:11:49 [Info] exception info: {"bin_file_list_drop":"0","conn_first_work_time":"3","conn_work_time":"3","connect_filter_total_count":"70","connect_filter_total_length":"57819","connect_merge_cache_count":"1","connect_merge_filter_count":"20","connect_merge_filter_count1":"20","connect_merge_filter_length":"14942","connect_profile_cache_count":"24","connect_profile_cache_limit":"0","connect_profile_filter_count":"48","connect_profile_filter_count1":"48","connect_profile_filter_length":"41242","connect_profile_no_ccp_count":"0","connect_static_filter_count":"0","connect_static_filter_length":"0","cpu_avg":"0.00","cpu_limit_enable":"1","cpu_limit_error_code":"0","cpu_limit_param_error_code":"0","cpu_warn_count":"0","fanotify_rate_limit":"0","fd_count":"507","file_change_list_drop":"0","inotify_node_limit":"0","ipc_msg_list_drop":"0","md5_file_not_exist":"0","md5_web_file_not_exist":"0","mem_avg":"12038.90","module_load_failed":"0","net_connect_list_drop_count":"0","net_connect_positive_drop_count":"0","net_connect_send_count":"70","net_connect_total_count":"70","net_connect_valid_send_count":"70","net_list_length":"0","net_tx_overflow":"0","network_rx_err":"0","network_tx_drop":"0","network_tx_overflow":"0","proc_filter_level":"2","proc_filter_total_count":"14","proc_filter_total_length":"14434","proc_first_work_time":"1927","proc_list_drop_count":"0","proc_list_length":"0","proc_merge_cache_count":"5","proc_merge_filter_count":"4","proc_merge_filter_count1":"4","proc_merge_filter_length":"3654","proc_positive_drop_count":"0","proc_profile_cache_count":"38","proc_profile_cache_limit":"0","proc_profile_filter_count":"10","proc_profile_filter_count1":"10","proc_profile_filter_length":"10780","proc_profile_no_ccp_count":"0","proc_send_count":"14","proc_static_filter_count":"0","proc_static_filter_length":"0","proc_total_count":"14","proc_tx_overflow":"0","proc_valid_send_count":"14","proc_work_time":"3693","procfile_filter_total_count":"67","procfile_filter_total_length":"53700","procfile_first_work_time":"266","procfile_merge_cache_count":"0","procfile_merge_filter_count":"0","procfile_merge_filter_count1":"0","procfile_merge_filter_length":"0","procfile_profile_cache_count":"174","procfile_profile_cache_limit":"0","procfile_profile_filter_count":"64","procfile_profile_filter_count1":"64","procfile_profile_filter_length":"51278","procfile_profile_no_ccp_count":"0","procfile_static_filter_count":"0","procfile_static_filter_length":"0","procfile_work_time":"3690","rtap_instance_abnormal":"0","script_file_list_drop":"0","script_md5_file_not_exist":"0","sys_login_config_error":"1","timer_skew":"0","update_update_fail":"0","web_file_list_drop":"0","web_file_size_fail":"0","web_path_failed":"0","web_rule_load_fail":"0","webshell_scan_timeout":"0"}
2025-04-13 23:12:01 [Info] cmdchain cache limit:50000 and over time cache clean now size :[0]
2025-04-13 23:12:01 [Info] cmdchain cache new limit:50000 and over time cache clean now size :[174]
2025-04-13 23:12:35 [Info] cmdchain cache limit:50000 and over time cache clean now size :[0]
2025-04-13 23:12:35 [Info] cmdchain cache new limit:50000 and over time cache clean now size :[24]
2025-04-13 23:14:35 [Info] start to update proc chain rule, path C:/Program Files (x86)/Alibaba/Aegis/aegis_client/aegis_11_36/rule/procchain.data
2025-04-13 23:14:35 [Info] md5 equal:C:/Program Files (x86)/Alibaba/Aegis/aegis_client/aegis_11_36/rule/procchain.data:26a4eab7534891fb1eed4d78ca99f4e7
2025-04-13 23:14:35 [Info] update rule procchain.data success
2025-04-13 23:14:35 [Info] start to update script rule, path C:/Program Files (x86)/Alibaba/Aegis/aegis_client/aegis_11_36/rule/scriptfilter.data
2025-04-13 23:14:35 [Warn] No Type about script_filter_windows
2025-04-13 23:14:35 [Info] start to update event log rule, path C:/Program Files (x86)/Alibaba/Aegis/aegis_client/aegis_11_36/rule/evtlog.data
2025-04-13 23:14:35 [Info] md5 equal:C:/Program Files (x86)/Alibaba/Aegis/aegis_client/aegis_11_36/rule/evtlog.data:ea00b991fae4851d9150c5fdf59d2f03
2025-04-13 23:14:35 [Info] update rule evtlog.data success
2025-04-13 23:33:19 [Info] on report:194.180.49.232 N/A RDPCRACK 1 3389 N/A
2025-04-13 23:33:19 [Info] on login:194.180.49.232 N/A 1 RDPCRACK N/A
2025-04-13 23:33:49 [Info] on report raw login:UNKNOWN - administrator 3389 1 N/A 3 fail valid N/A user
2025-04-13 23:33:49 [Info] on report raw login:RDP 194.180.49.232 N/A 3389 1 N/A N/A fail valid N/A user
2025-04-13 23:39:21 [Info] on report raw login:UNKNOWN - admin 3389 1 N/A 3 fail invalid N/A user
2025-04-13 23:39:21 [Info] on report raw login:RDP 194.180.49.232 N/A 3389 1 N/A N/A fail valid N/A user
2025-04-13 23:42:35 [Info] cmdchain cache limit:50000 and over time cache clean now size :[0]
2025-04-13 23:42:35 [Info] cmdchain cache new limit:50000 and over time cache clean now size :[38]
2025-04-13 23:45:59 [Info] on report raw login:UNKNOWN - home 3389 1 N/A 3 fail invalid N/A user
2025-04-13 23:45:59 [Info] on report raw login:UNKNOWN - user 3389 1 N/A 3 fail invalid N/A user
2025-04-13 23:45:59 [Info] on report raw login:RDP 194.180.49.232 N/A 3389 2 N/A N/A fail valid N/A user
2025-04-13 23:47:06 [Info] on report raw login:UNKNOWN - login 3389 1 N/A 3 fail invalid N/A user
2025-04-13 23:47:06 [Info] on report raw login:RDP 194.180.49.232 N/A 3389 1 N/A N/A fail valid N/A user
2025-04-13 23:48:16 [Info] on report:194.180.49.232 N/A RDPCRACK 6 3389 N/A
2025-04-13 23:48:16 [Info] on login:194.180.49.232 N/A 6 RDPCRACK N/A
2025-04-13 23:49:19 [Info] on report raw login:UNKNOWN - adm 3389 1 N/A 3 fail invalid N/A user
2025-04-13 23:49:19 [Info] on report raw login:UNKNOWN - justin 3389 1 N/A 3 fail invalid N/A user
2025-04-13 23:49:19 [Info] on report raw login:RDP 194.180.49.232 N/A 3389 2 N/A N/A fail valid N/A user
2025-04-13 23:50:25 [Info] on report raw login:UNKNOWN - connor 3389 1 N/A 3 fail invalid N/A user
2025-04-13 23:50:25 [Info] on report raw login:RDP 194.180.49.232 N/A 3389 1 N/A N/A fail valid N/A user
2025-04-13 23:52:38 [Info] on report raw login:UNKNOWN - administrator 3389 1 N/A 3 fail valid N/A user
2025-04-13 23:52:38 [Info] on report raw login:RDP 194.180.49.232 N/A 3389 1 N/A N/A fail valid N/A user
2025-04-13 23:54:51 [Info] on report raw login:UNKNOWN - mypc 3389 1 N/A 3 fail invalid N/A user
2025-04-13 23:54:51 [Info] on report raw login:UNKNOWN - user 3389 1 N/A 3 fail invalid N/A user
2025-04-13 23:54:51 [Info] on report raw login:RDP 194.180.49.232 N/A 3389 2 N/A N/A fail valid N/A user
2025-04-13 23:56:08 [Info] on report:194.180.49.232 N/A RDPCRACK 12 3389 N/A
2025-04-13 23:56:08 [Info] on login:194.180.49.232 N/A 12 RDPCRACK N/A
2025-04-13 23:57:04 [Info] on report raw login:UNKNOWN - engineer 3389 1 N/A 3 fail invalid N/A user
2025-04-13 23:57:04 [Info] on report raw login:UNKNOWN - jack 3389 1 N/A 3 fail invalid N/A user
2025-04-13 23:57:04 [Info] on report raw login:RDP 194.180.49.232 N/A 3389 2 N/A N/A fail valid N/A user
2025-04-13 23:58:10 [Info] on report raw login:UNKNOWN - chase 3389 1 N/A 3 fail invalid N/A user
2025-04-13 23:58:10 [Info] on report raw login:RDP 194.180.49.232 N/A 3389 1 N/A N/A fail valid N/A user
2025-04-13 23:59:17 [Info] on report raw login:UNKNOWN - admin 3389 1 N/A 3 fail invalid N/A user
2025-04-13 23:59:17 [Info] on report raw login:RDP 194.180.49.232 N/A 3389 1 N/A N/A fail valid N/A user
2025-04-14 00:00:01 [Info] bin info:c:/windows/system32/oobe/setupsqm.exe 7ddbe8917e4ebeed4ef27b28770f7695 2312
2025-04-14 00:02:36 [Info] on report raw login:UNKNOWN - username 3389 1 N/A 3 fail invalid N/A user
2025-04-14 00:02:36 [Info] on report raw login:RDP 194.180.49.232 N/A 3389 1 N/A N/A fail valid N/A user
2025-04-14 00:03:42 [Info] on report raw login:UNKNOWN - operator 3389 1 N/A 3 fail invalid N/A user
2025-04-14 00:03:42 [Info] on report raw login:RDP 194.180.49.232 N/A 3389 1 N/A N/A fail valid N/A user
2025-04-14 00:04:49 [Info] on report raw login:UNKNOWN - sql 3389 1 N/A 3 fail invalid N/A user
2025-04-14 00:04:49 [Info] on report raw login:RDP 194.180.49.232 N/A 3389 1 N/A N/A fail valid N/A user
2025-04-14 00:05:55 [Info] on report raw login:UNKNOWN - noah 3389 1 N/A 3 fail invalid N/A user
2025-04-14 00:05:55 [Info] on report raw login:UNKNOWN - user 3389 1 N/A 3 fail invalid N/A user
2025-04-14 00:05:55 [Info] on report raw login:RDP 194.180.49.232 N/A 3389 2 N/A N/A fail valid N/A user
2025-04-14 00:07:01 [Info] on report raw login:UNKNOWN - max 3389 1 N/A 3 fail invalid N/A user
2025-04-14 00:07:01 [Info] on report raw login:RDP 194.180.49.232 N/A 3389 1 N/A N/A fail valid N/A user
2025-04-14 00:10:09 [Info] on report:79.171.115.22 N/A RDPCRACK 1 3389 N/A
2025-04-14 00:10:09 [Info] on login:79.171.115.22 N/A 1 RDPCRACK N/A
2025-04-14 00:10:21 [Info] on report raw login:UNKNOWN - cloud 3389 1 N/A 3 fail invalid N/A user
2025-04-14 00:10:21 [Info] on report raw login:UNKNOWN - haruto 3389 1 N/A 3 fail invalid N/A user
2025-04-14 00:10:21 [Info] on report raw login:RDP 194.180.49.232 N/A 3389 1 N/A N/A fail valid N/A user
2025-04-14 00:10:21 [Info] on report raw login:RDP 79.171.115.22 N/A 3389 1 N/A N/A fail valid N/A user
2025-04-14 00:11:27 [Info] on report raw login:UNKNOWN - dewi 3389 1 N/A 3 fail invalid N/A user
2025-04-14 00:11:27 [Info] on report raw login:UNKNOWN - oprator 3389 1 N/A 3 fail invalid N/A user
2025-04-14 00:11:27 [Info] on report raw login:RDP 194.180.49.232 N/A 3389 1 N/A N/A fail valid N/A user
2025-04-14 00:11:27 [Info] on report raw login:RDP 79.171.115.22 N/A 3389 1 N/A N/A fail valid N/A user
2025-04-14 00:11:32 [Info] TotalPhys:1023,AvailPhys:678,TotalVirtual:2047,AvailVirtual:1955,TotalPageFile:6143,AvailPageFile:5424,SelfWorkingSet:12212, SelfPageFile:30668
2025-04-14 00:11:32 [Info] CommitTotal:718,CommitLimit:6143,CommitPeak:1959,PhysicalTotal:1023,PhysicalAvailable:678,SystemCache:366,KernelTotal:170,KernelPaged:119,KernelNonpaged:51,PageSize:4096,HandleCount:9008,ProcessCount:27,ThreadCount:329
2025-04-14 00:11:38 [Info] exception info: {"bin_file_list_drop":"0","conn_first_work_time":"3","conn_work_time":"3","connect_filter_total_count":"66","connect_filter_total_length":"54506","connect_merge_cache_count":"1","connect_merge_filter_count":"20","connect_merge_filter_count1":"20","connect_merge_filter_length":"14942","connect_profile_cache_count":"24","connect_profile_cache_limit":"0","connect_profile_filter_count":"46","connect_profile_filter_count1":"46","connect_profile_filter_length":"39564","connect_profile_no_ccp_count":"0","connect_static_filter_count":"0","connect_static_filter_length":"0","cpu_avg":"0.00","cpu_limit_enable":"1","cpu_limit_error_code":"0","cpu_limit_param_error_code":"0","cpu_warn_count":"0","fanotify_rate_limit":"0","fd_count":"513","file_change_list_drop":"0","inotify_node_limit":"0","ipc_msg_list_drop":"0","md5_file_not_exist":"0","md5_web_file_not_exist":"0","mem_avg":"12230.43","module_load_failed":"0","net_connect_list_drop_count":"0","net_connect_positive_drop_count":"0","net_connect_send_count":"66","net_connect_total_count":"66","net_connect_valid_send_count":"66","net_list_length":"0","net_tx_overflow":"0","network_rx_err":"0","network_tx_drop":"0","network_tx_overflow":"0","proc_filter_level":"2","proc_filter_total_count":"20","proc_filter_total_length":"20954","proc_first_work_time":"1927","proc_list_drop_count":"0","proc_list_length":"0","proc_merge_cache_count":"2","proc_merge_filter_count":"4","proc_merge_filter_count1":"4","proc_merge_filter_length":"3660","proc_positive_drop_count":"0","proc_profile_cache_count":"40","proc_profile_cache_limit":"0","proc_profile_filter_count":"10","proc_profile_filter_count1":"10","proc_profile_filter_length":"10778","proc_profile_no_ccp_count":"0","proc_send_count":"20","proc_static_filter_count":"0","proc_static_filter_length":"0","proc_total_count":"20","proc_tx_overflow":"0","proc_valid_send_count":"20","proc_work_time":"3693","procfile_filter_total_count":"73","procfile_filter_total_length":"58581","procfile_first_work_time":"266","procfile_merge_cache_count":"0","procfile_merge_filter_count":"0","procfile_merge_filter_count1":"0","procfile_merge_filter_length":"0","procfile_profile_cache_count":"179","procfile_profile_cache_limit":"0","procfile_profile_filter_count":"67","procfile_profile_filter_count1":"67","procfile_profile_filter_length":"53714","procfile_profile_no_ccp_count":"0","procfile_static_filter_count":"0","procfile_static_filter_length":"0","procfile_work_time":"3690","rtap_instance_abnormal":"0","script_file_list_drop":"0","script_md5_file_not_exist":"0","sys_login_config_error":"1","timer_skew":"0","update_update_fail":"0","web_file_list_drop":"0","web_file_size_fail":"0","web_path_failed":"0","web_rule_load_fail":"0","webshell_scan_timeout":"0"}
2025-04-14 00:12:02 [Info] cmdchain cache limit:50000 and over time cache clean now size :[0]
2025-04-14 00:12:02 [Info] cmdchain cache new limit:50000 and over time cache clean now size :[179]
2025-04-14 00:12:08 [Info] on report:84.47.235.143 N/A RDPCRACK 1 3389 N/A
2025-04-14 00:12:08 [Info] on login:84.47.235.143 N/A 1 RDPCRACK N/A
2025-04-14 00:12:34 [Info] on report raw login:UNKNOWN - administrator 3389 2 N/A 3 fail valid N/A user
2025-04-14 00:12:34 [Info] on report raw login:UNKNOWN - sofia 3389 1 N/A 3 fail invalid N/A user
2025-04-14 00:12:34 [Info] on report raw login:UNKNOWN - sqladmin 3389 1 N/A 3 fail invalid N/A user
2025-04-14 00:12:34 [Info] on report raw login:RDP 194.180.49.232 N/A 3389 2 N/A N/A fail valid N/A user
2025-04-14 00:12:34 [Info] on report raw login:RDP 79.171.115.22 N/A 3389 1 N/A N/A fail valid N/A user
2025-04-14 00:12:34 [Info] on report raw login:RDP 84.47.235.143 N/A 3389 1 N/A N/A fail valid N/A user
2025-04-14 00:13:29 [Info] cmdchain cache limit:50000 and over time cache clean now size :[0]
2025-04-14 00:13:29 [Info] cmdchain cache new limit:50000 and over time cache clean now size :[24]
2025-04-14 00:13:40 [Info] on report raw login:UNKNOWN - administrator 3389 3 N/A 3 fail valid N/A user
2025-04-14 00:13:40 [Info] on report raw login:UNKNOWN - james 3389 1 N/A 3 fail invalid N/A user
2025-04-14 00:13:40 [Info] on report raw login:RDP 194.180.49.232 N/A 3389 1 N/A N/A fail valid N/A user
2025-04-14 00:13:40 [Info] on report raw login:RDP 79.171.115.22 N/A 3389 1 N/A N/A fail valid N/A user
2025-04-14 00:13:40 [Info] on report raw login:RDP 84.47.235.143 N/A 3389 2 N/A N/A fail valid N/A user
2025-04-14 00:14:46 [Info] on report raw login:UNKNOWN - administrator 3389 1 N/A 3 fail valid N/A user
2025-04-14 00:14:46 [Info] on report raw login:UNKNOWN - sean 3389 1 N/A 3 fail invalid N/A user
2025-04-14 00:14:46 [Info] on report raw login:RDP 194.180.49.232 N/A 3389 1 N/A N/A fail valid N/A user
2025-04-14 00:14:46 [Info] on report raw login:RDP 84.47.235.143 N/A 3389 1 N/A N/A fail valid N/A user
2025-04-14 00:15:53 [Info] on report raw login:UNKNOWN - administrator 3389 1 N/A 3 fail valid N/A user
2025-04-14 00:15:53 [Info] on report raw login:RDP 84.47.235.143 N/A 3389 1 N/A N/A fail valid N/A user
2025-04-14 00:16:34 [Info] on report:84.47.235.143 N/A RDPCRACK 6 3389 N/A
2025-04-14 00:16:34 [Info] on login:84.47.235.143 N/A 6 RDPCRACK N/A
2025-04-14 00:16:59 [Info] on report raw login:UNKNOWN - administrator 3389 1 N/A 3 fail valid N/A user
2025-04-14 00:16:59 [Info] on report raw login:RDP 84.47.235.143 N/A 3389 1 N/A N/A fail valid N/A user
2025-04-14 00:18:06 [Info] on report raw login:UNKNOWN - administrator 3389 2 N/A 3 fail valid N/A user
2025-04-14 00:18:06 [Info] on report raw login:UNKNOWN - vps 3389 1 N/A 3 fail invalid N/A user
2025-04-14 00:18:06 [Info] on report raw login:UNKNOWN - yuto 3389 1 N/A 3 fail invalid N/A user
2025-04-14 00:18:06 [Info] on report raw login:RDP 194.180.49.232 N/A 3389 1 N/A N/A fail valid N/A user
2025-04-14 00:18:06 [Info] on report raw login:RDP 79.171.115.22 N/A 3389 1 N/A N/A fail valid N/A user
2025-04-14 00:18:06 [Info] on report raw login:RDP 84.47.235.143 N/A 3389 2 N/A N/A fail valid N/A user
UnknownSec Shell
