Analysis task

Analysis type: File (Windows)
VM tag: win7-sp1-x64-shaapp03-1
Start time: 2021-04-09 02:28:45
End time: 2021-04-09 02:30:53
Duration: 128 seconds

魔盾 (Maldun) score

10.0

Dangerous

File details

File name: fb.exe
File size: 831888 bytes
File type: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 139464919440e93e49c80cc890b90585
SHA1: 0237408cdb74ad6b8d340cdf0d03c1b1f820ce17
SHA256: ce3a6224dae98fdaa712cfa6495cb72349f333133dbfb339c9e90699cbe4e8e4
SHA512: d6993d7568f6b39bf2ba0c0988eb30b9506dc05d50aef693d22a64c34e0d5cd5bdb32a828b666c9c37f116deba63b10ce662b9e42ad1025a7b05eb0b32251a1c
CRC32: 27630D93
Ssdeep: 12288:daWzgMg7v3qnCiIErQohh0F4nCJ8lnyhQaQDErWt5x:8aHMv6CErjDnyhQasMix
Yara:
  • Detected Digital Signature
  • Detected code injection function with CreateRemoteThread in a remote process
  • Spotted potential abnormal behaviors, like logging and network communications
  • Spotted potential malicious behaviors from a small size target, like process manipulation, privilege, token and files


Host access records (click to query the WPING real-time security rating)

No host records.

Domain resolution (click to query the WPING real-time security rating)

Domain: acroipm.adobe.com
Security rating: (link, not captured)
Response:
  CNAME acroipm.adobe.com.edgesuite.net
  A 104.116.243.153
  CNAME a1983.dscd.akamai.net
  A 104.116.243.72

Summary

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System\GpSvcDebugLevel
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\seclogon\Start
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\ProgramData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Public
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Default
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ProgramFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\CommonFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ProgramFilesDir (x86)
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\CommonFilesDir (x86)
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ProgramW6432Dir
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\CommonW6432Dir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18\ProfileImagePath
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\AppData
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Local AppData
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start
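The paths above are the summary's list of registry keys the process touched. As an added example (my code, not sandbox output), the script below sorts such a list into triage buckets and makes the main caveat explicit: the summary does not say whether a key was read or written, and reading DisableAntiSpyware (AV reconnaissance) is a very different finding from writing it (AV tampering). The bucket names and rules are my own; the sample paths are copied from the list above.

```python
"""Sort the registry paths in a sandbox behaviour summary into triage buckets.

Added example for this report (not part of the sandbox output): the paths in
SAMPLE are copied from the registry-access list above; the bucket names and
the rules that define them are my own choices."""
import re

# Ordered (bucket, pattern) rules: the first pattern that matches wins, so the
# specific Defender value names come before the broad locale/UI catch-all.
RULES = [
    ("defender_tamper", re.compile(
        r"\\Windows Defender\\(Real-Time Protection\\DisableRealtimeMonitoring"
        r"|DisableAntiSpyware)$", re.I)),
    ("service_config",  re.compile(r"\\services\\[^\\]+\\Start$", re.I)),
    ("policy_readback", re.compile(r"\\Policies\\Microsoft\\Windows Defender$", re.I)),
    ("explorer_policy", re.compile(r"\\Policies\\Explorer\\", re.I)),
    ("profile_paths",   re.compile(r"\\ProfileList\\|\\User Shell Folders\\", re.I)),
    ("locale_or_ui",    re.compile(
        r"\\Nls\\|\\LanguagePack\\|\\Keyboard Layout\\|\\CTF\\|FontSubstitutes", re.I)),
]

def classify(path):
    """Return the bucket name for one registry path ('other' if no rule matches)."""
    for bucket, pattern in RULES:
        if pattern.search(path):
            return bucket
    return "other"

def summarize(paths):
    """Group paths by bucket, preserving first-seen order inside each bucket."""
    buckets = {}
    for path in paths:
        buckets.setdefault(classify(path), []).append(path)
    return buckets

def tamper_hint(buckets):
    """A plain-English triage hint.  The summary does not say whether a key was
    read or written: reading DisableAntiSpyware is AV reconnaissance, writing it
    is AV tampering, and only the full behaviour log distinguishes the two."""
    n = len(buckets.get("defender_tamper", [])) + len(buckets.get("service_config", []))
    if n == 0:
        return "no Defender/service keys touched"
    return f"{n} Defender/service keys touched: pull the RegSetValue/RegQueryValue calls to tell read from write"

# Paths copied from the report's registry list (a subset, order preserved).
SAMPLE = [
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\AllowFileCLSIDJunctions",
    r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US",
    r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SESSION MANAGER\SafeProcessSearchMode",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring",
    r"HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\DisableAntiSpyware",
    r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\seclogon\Start",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18\ProfileImagePath",
    r"HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\AppData",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware",
    r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start",
]

if __name__ == "__main__":
    grouped = summarize(SAMPLE)
    for bucket, paths in grouped.items():
        print(f"{bucket} ({len(paths)})")
        for p in paths:
            print("   ", p)
    print(tamper_hint(grouped))
```

On the sample above the script puts three paths in `defender_tamper` (both DisableAntiSpyware locations plus DisableRealtimeMonitoring) and two in `service_config` (WinDefend and seclogon start values); the next step is the full API log, where a RegSetValueExW on any of them turns a reconnaissance finding into a tampering one.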
kernel32.dll.FlsAlloc
kernel32.dll.FlsGetValue
kernel32.dll.FlsSetValue
kernel32.dll.FlsFree
kernel32.dll.IsProcessorFeaturePresent
kernel32.dll.IsWow64Process
kernel32.dll.GetNativeSystemInfo
uxtheme.dll.IsThemeActive
ole32.dll.CoGetMalloc
ole32.dll.CoGetApartmentType
kernel32.dll.SortGetHandle
kernel32.dll.SortCloseHandle
ole32.dll.CoTaskMemFree
comctl32.dll.#236
oleaut32.dll.#6
ole32.dll.CoTaskMemAlloc
ole32.dll.CreateBindCtx
comctl32.dll.#320
ole32.dll.StringFromGUID2
comctl32.dll.#324
comctl32.dll.#323
comctl32.dll.#388
comctl32.dll.#328
comctl32.dll.#334
advapi32.dll.RegEnumKeyW
oleaut32.dll.#2
ole32.dll.CoCreateInstance
setupapi.dll.CM_Get_Device_Interface_List_Size_ExW
advapi32.dll.IsTextUnicode
comctl32.dll.#332
comctl32.dll.#338
comctl32.dll.#339
advapi32.dll.OpenThreadToken
shell32.dll.#102
ole32.dll.CoInitializeEx
cryptbase.dll.SystemFunction036
ole32.dll.CoRegisterInitializeSpy
ole32.dll.CoUninitialize
ole32.dll.CoRevokeInitializeSpy
oleaut32.dll.#500
setupapi.dll.CM_Get_Device_Interface_List_ExW
comctl32.dll.RegisterClassNameW
uxtheme.dll.OpenThemeData
imm32.dll.ImmGetContext
imm32.dll.ImmReleaseContext
imm32.dll.ImmAssociateContext
imm32.dll.ImmIsIME
comctl32.dll.#386
kernel32.dll.Wow64DisableWow64FsRedirection
kernel32.dll.GetVersionExW
user32.dll.GetDC
gdi32.dll.GetDeviceCaps
user32.dll.ReleaseDC
uxtheme.dll.EnableThemeDialogTexture
gdiplus.dll.GdiplusStartup
user32.dll.GetWindowInfo
user32.dll.GetAncestor
user32.dll.GetMonitorInfoA
user32.dll.EnumDisplayMonitors
user32.dll.EnumDisplayDevicesA
gdi32.dll.ExtTextOutW
gdi32.dll.GdiIsMetaPrintDC
kernel32.dll.GlobalAlloc
kernel32.dll.GlobalLock
kernel32.dll.GlobalUnlock
ole32.dll.CreateStreamOnHGlobal
gdiplus.dll.GdipCreateBitmapFromStream
windowscodecs.dll.DllGetClassObject
kernel32.dll.WerRegisterMemoryBlock
oleaut32.dll.DispCallFunc
gdiplus.dll.GdipCreateHBITMAPFromBitmap
gdiplus.dll.GdipDisposeImage
gdi32.dll.DeleteObject
shell32.dll.#66
advapi32.dll.OpenSCManagerW
advapi32.dll.OpenServiceW
advapi32.dll.ControlService
advapi32.dll.CloseServiceHandle
gdi32.dll.GetLayout
gdi32.dll.GdiRealizationInfo
gdi32.dll.FontIsLinked
advapi32.dll.RegOpenKeyExW
advapi32.dll.RegQueryInfoKeyW
gdi32.dll.GetTextFaceAliasW
advapi32.dll.RegEnumValueW
advapi32.dll.RegCloseKey
advapi32.dll.RegQueryValueExW
advapi32.dll.RegQueryValueExA
advapi32.dll.RegEnumKeyExW
psapi.dll.EmptyWorkingSet
oleaut32.dll.SysAllocString
oleaut32.dll.SysStringLen
oleaut32.dll.SysFreeString
advapi32.dll.LookupAccountNameW
sechost.dll.LookupAccountNameLocalW
advapi32.dll.IsValidSid
advapi32.dll.ConvertSidToStringSidW
kernel32.dll.lstrlenW
kernel32.dll.LocalFree
userenv.dll.RefreshPolicyEx
gpapi.dll.RefreshPolicyExInternal
advapi32.dll.QueryServiceConfigW
advapi32.dll.ChangeServiceConfigW
kernel32.dll.ExpandEnvironmentStringsW
kernel32.dll.GetCurrentProcess
advapi32.dll.OpenProcessToken
advapi32.dll.LookupPrivilegeValueA
advapi32.dll.AdjustTokenPrivileges
kernel32.dll.GetLastError
kernel32.dll.CloseHandle
advapi32.dll.LookupAccountNameA
sechost.dll.LookupAccountNameLocalA
advapi32.dll.LsaOpenPolicy
advapi32.dll.LsaNtStatusToWinError
advapi32.dll.LsaAddAccountRights
advapi32.dll.LsaClose
kernel32.dll.WTSGetActiveConsoleSessionId
kernel32.dll.OpenProcess
advapi32.dll.GetTokenInformation
advapi32.dll.LookupAccountSidW
sechost.dll.LookupAccountSidLocalW
kernel32.dll.ProcessIdToSessionId
advapi32.dll.DuplicateTokenEx
userenv.dll.CreateEnvironmentBlock
sechost.dll.ConvertSidToStringSidW
sspicli.dll.GetUserNameExW
advapi32.dll.CreateProcessWithTokenW
Local\MSCTF.Asm.MutexDefault1
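The resolved-API list above ends with a recognisable sequence: OpenProcessToken, LookupPrivilegeValueA and AdjustTokenPrivileges, then LsaOpenPolicy/LsaAddAccountRights, then WTSGetActiveConsoleSessionId, OpenProcess, GetTokenInformation, DuplicateTokenEx, CreateEnvironmentBlock and CreateProcessWithTokenW, i.e. a privilege grab followed by spawning a process under another process's token in the console session; a little earlier it resolves OpenSCManagerW, OpenServiceW, ControlService, QueryServiceConfigW and ChangeServiceConfigW, i.e. stopping and reconfiguring a service. As an added example (my code, not sandbox output), the matcher below finds such ordered chains in a resolved-API list. Caveat: the list records the order in which exports were resolved, not a timestamped call trace, so a match is a reason to pull the full API log, not proof of the call order. RESOLVED copies a subset of the entries above in the report's order; the chain definitions are mine.

```python
"""Find ordered API-call chains in a sandbox 'resolved APIs' list.

Added example for this report (not sandbox output): RESOLVED copies a run of
entries from the list above in the order the report gives them; the chain
definitions and the matcher are mine."""

def strip_module(entry):
    """'advapi32.dll.OpenProcessToken' -> 'OpenProcessToken'; ordinal imports
    such as 'comctl32.dll.#236' become '#236'."""
    return entry.rsplit(".", 1)[-1]

def find_chain(trace, chain, max_gap=None):
    """Indices in `trace` at which the steps of `chain` occur in order (each
    step strictly after the previous), or None if a step is missing.
    `max_gap` limits how many unrelated calls may sit between two steps."""
    hits, start = [], 0
    for step in chain:
        try:
            pos = trace.index(step, start)
        except ValueError:
            return None
        if max_gap is not None and hits and pos - hits[-1] - 1 > max_gap:
            return None
        hits.append(pos)
        start = pos + 1
    return hits

# Chains worth flagging when they appear in order.  Names are mine.
CHAINS = {
    # take a privilege, grab a token from the console session, spawn under it
    "token_launch": ["OpenProcessToken", "AdjustTokenPrivileges",
                     "WTSGetActiveConsoleSessionId", "OpenProcess", "DuplicateTokenEx",
                     "CreateEnvironmentBlock", "CreateProcessWithTokenW"],
    # stop a service and rewrite its start configuration
    "service_reconfigure": ["OpenSCManagerW", "OpenServiceW", "ControlService",
                            "QueryServiceConfigW", "ChangeServiceConfigW"],
    # grant an account an LSA right, then drop the policy handle
    "lsa_grant_right": ["LsaOpenPolicy", "LsaAddAccountRights", "LsaClose"],
    # classic remote-thread injection; not present in this list
    "remote_thread_injection": ["OpenProcess", "VirtualAllocEx",
                                "WriteProcessMemory", "CreateRemoteThread"],
}

def match_all(trace):
    """{chain name: index list or None} for every chain in CHAINS."""
    return {name: find_chain(trace, steps) for name, steps in CHAINS.items()}

# Subset of the report's resolved-API list, report order preserved.
RESOLVED = [
    "advapi32.dll.OpenSCManagerW", "advapi32.dll.OpenServiceW", "advapi32.dll.ControlService",
    "advapi32.dll.CloseServiceHandle", "advapi32.dll.RegOpenKeyExW", "advapi32.dll.RegQueryValueExW",
    "userenv.dll.RefreshPolicyEx", "advapi32.dll.QueryServiceConfigW", "advapi32.dll.ChangeServiceConfigW",
    "kernel32.dll.GetCurrentProcess", "advapi32.dll.OpenProcessToken", "advapi32.dll.LookupPrivilegeValueA",
    "advapi32.dll.AdjustTokenPrivileges", "kernel32.dll.CloseHandle", "advapi32.dll.LsaOpenPolicy",
    "advapi32.dll.LsaAddAccountRights", "advapi32.dll.LsaClose", "kernel32.dll.WTSGetActiveConsoleSessionId",
    "kernel32.dll.OpenProcess", "advapi32.dll.GetTokenInformation", "kernel32.dll.ProcessIdToSessionId",
    "advapi32.dll.DuplicateTokenEx", "userenv.dll.CreateEnvironmentBlock", "sspicli.dll.GetUserNameExW",
    "advapi32.dll.CreateProcessWithTokenW",
]
TRACE = [strip_module(e) for e in RESOLVED]

if __name__ == "__main__":
    for name, hit in match_all(TRACE).items():
        print(f"{name:24s} {'at ' + str(hit) if hit else 'not found'}")
```

`max_gap` is the knob that separates a tight, purposeful sequence from names that merely happen to appear somewhere in a long list; with the sample above the service chain matches unbounded but fails with `max_gap=2`, because unrelated registry and policy calls sit between ControlService and QueryServiceConfigW.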

PE Information

Image base 0x00400000
Entry point 0x00416310
Declared checksum 0x000d207c
Actual checksum 0x000d207c
Minimum OS version 5.0
Compile time 2010-04-16 15:47:33
Import hash (imphash) aaaa8913c89c8aa4a5d93f06853894da
Icon exact hash 350fa755b590b2cbe7d9c0c579a63b8b
Icon similarity hash 59f79ccac587ac39a2a24e069c93efa7

The declared and recomputed checksums agree, so the image was not altered after the checksum field was last written. The compile timestamp is eleven years older than the January 2021 signature timestamp below; a gap that large usually means the timestamp belongs to a reused runtime stub or was set deliberately, so do not date the sample by it.
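The "declared checksum" is the CheckSum field in the optional header and the "actual checksum" is the value recomputed over the file. As an added example (my code, not the sandbox's), the script below recomputes a PE checksum with the standard algorithm (sum the file as 32-bit little-endian words with end-around carry, skipping the CheckSum field itself, fold to 16 bits, add the file length) and compares it with the declared value. The tiny header built by `build_header()` is constructed for the demonstration and is not fb.exe; point the script at a real file to check one.

```python
"""Recompute a PE file's header checksum and compare it with the declared one
(the report's 'declared checksum' vs 'actual checksum' pair).

Added example for this report: the algorithm is the standard PE checksum; the
header built by build_header() is constructed here and is not the analysed file."""
import struct

def checksum_offset(data):
    """File offset of IMAGE_OPTIONAL_HEADER.CheckSum: e_lfanew + 4-byte 'PE\\0\\0'
    signature + 20-byte file header + 0x40 (same offset in PE32 and PE32+)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    return e_lfanew + 4 + 20 + 0x40

def pe_checksum(data):
    """The value Windows (and pefile's generate_checksum) would compute for data."""
    skip = checksum_offset(data)
    padded = data + b"\0" * (-len(data) % 4)        # sum whole dwords ...
    total = 0
    for i in range(0, len(padded), 4):
        if i == skip:
            continue                                # ... except the field itself
        total += struct.unpack_from("<I", padded, i)[0]
        total = (total & 0xFFFFFFFF) + (total >> 32)   # end-around carry, 32-bit
    total = (total & 0xFFFF) + (total >> 16)        # fold to 16 bits
    total = (total + (total >> 16)) & 0xFFFF        # and once more for the carry
    return total + len(data)                        # add the real (unpadded) length

def declared_checksum(data):
    return struct.unpack_from("<I", data, checksum_offset(data))[0]

def verify(data):
    """Return (declared, actual, matches).  A declared value of 0 means the
    linker never filled the field (common for unsigned builds); a non-zero
    mismatch means the file was altered after the checksum was written."""
    declared, actual = declared_checksum(data), pe_checksum(data)
    return declared, actual, declared == actual

def build_header(checksum=0xFFFFFFFF, size=0xC0):
    """A minimal constructed MZ/PE header: only 'MZ', e_lfanew, 'PE\\0\\0' and the
    CheckSum field are non-zero, so the expected sum can be worked out by hand:
    0x5A4D + 0x40 + 0x4550 = 0x9FDD, plus the 0xC0-byte length = 0xA09D."""
    buf = bytearray(size)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)          # e_lfanew -> NT headers at 0x40
    buf[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<I", buf, 0x40 + 4 + 20 + 0x40, checksum)
    return bytes(buf)

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_header()
    d, a, ok = verify(data)
    print(f"declared 0x{d:08x}  actual 0x{a:08x}  {'match' if ok else 'MISMATCH'}")
```

Because the field being computed is excluded from the sum, the result for the constructed header is 0xA09D whatever value the field currently holds; a signed build is expected to match, since signing tools rewrite the checksum after appending the certificate table, so a mismatch on a signed file is a stronger signal than on an unsigned one.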

Version Information

Fields listed without values: LegalCopyright, Coder, FileVersion, CompanyName, Comments, ProductVersion, FileDescription, OriginalFilename, Translation.

Microsoft certificate verification (Sign Tool)

SHA1 60bbcd10d2f07086ce2fa5df782b7c4289f2126c
Timestamp Mon Jan 25 17:31:32 2021
Validity / error A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.

The signing certificate below is issued to and by "Sordum Software", i.e. it is self-issued, so the chain cannot end in a root the verifier trusts; that is what the error above reports. The three GlobalSign chains belong to the timestamp counter-signature only: they vouch for when the signature was applied, not for who applied it. `signtool verify /pa /v fb.exe` or PowerShell's `Get-AuthenticodeSignature` reproduces the check on a clean host.

Certificate chain: Certificate Chain 1
Issued to Sordum Software
Issuer Sordum Software
Valid until Thu Jan 01 05:00:00 2026
SHA1 hash f5e71628a478a248353bf0177395223d2c5a0e43
Certificate chain: Timestamp Chain 1
Issued to GlobalSign Root CA
Issuer GlobalSign Root CA
Valid until Fri Jan 28 20:00:00 2028
SHA1 hash b1bc968bd4f49d622aa89a81f2150152a41d829c
Certificate chain: Timestamp Chain 2
Issued to GlobalSign Timestamping CA - G2
Issuer GlobalSign Root CA
Valid until Fri Jan 28 20:00:00 2028
SHA1 hash c0e49d2d7d90a5cd427f02d9125694d5d6ec5b71
Certificate chain: Timestamp Chain 3
Issued to GlobalSign TSA for MS Authenticode - G2
Issuer GlobalSign Timestamping CA - G2
Valid until Thu Jun 24 08:00:00 2027
SHA1 hash 63b82fab61f583909695050b00249c502933ec79

PE Sections

Name Virtual address Virtual size Raw data size Characteristics Entropy
.text 0x00001000 0x00080017 0x00080200 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 6.63
.rdata 0x00082000 0x0000d95c 0x0000da00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 4.87
.data 0x00090000 0x0001a518 0x00006800 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 2.20
.rsrc 0x000ab000 0x0001b61c 0x0001b800 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 7.54

The .rsrc entropy of 7.54 (maximum 8.0) means the resource section is dominated by compressed or encrypted data; the icons, version block and manifest listed under Resources are small and low-entropy, so most of the section's 0x1b61c bytes are not accounted for by them and are worth carving out and inspecting.

Overlay

Offset 0x000b0000
Size 0x0001b190

The overlay ends exactly at the 831888-byte (0xcb190) file size. The Authenticode signature is stored after the last section, so part of this overlay is the certificate table; subtract it before treating the remainder as appended payload.

Resources

Name Offset Size Language Sublanguage Entropy File type
RT_ICON 0x000c58b8 0x00000468 LANG_ENGLISH SUBLANG_ENGLISH_UK 3.78 GLS_BINARY_LSB_FIRST (13 RT_ICON entries, all reported with this same offset and size)
RT_GROUP_ICON 0x000c5df4 0x00000014 LANG_ENGLISH SUBLANG_ENGLISH_UK 2.08 MS Windows icon resource - 1 icon, 16x16 (8 RT_GROUP_ICON entries, all reported identically)
RT_VERSION 0x000c5e08 0x00000374 LANG_ENGLISH SUBLANG_ENGLISH_UK 3.42 data
RT_MANIFEST 0x000c617c 0x0000049e LANG_ENGLISH SUBLANG_ENGLISH_UK 5.25 XML 1.0 document, ASCII text, with CRLF line terminators

Imports

Library: WSOCK32.dll:
0x482790 __WSAFDIsSet
0x482794 setsockopt
0x482798 ntohs
0x48279c recvfrom
0x4827a0 sendto
0x4827a4 htons
0x4827a8 select
0x4827ac listen
0x4827b0 WSAStartup
0x4827b4 bind
0x4827b8 closesocket
0x4827bc connect
0x4827c0 socket
0x4827c4 send
0x4827c8 WSACleanup
0x4827cc ioctlsocket
0x4827d0 accept
0x4827d4 WSAGetLastError
0x4827d8 inet_addr
0x4827dc gethostbyname
0x4827e0 gethostname
0x4827e4 recv
Library: VERSION.dll:
0x482734 VerQueryValueW
0x482738 GetFileVersionInfoW
Library: WINMM.dll:
0x482780 timeGetTime
0x482784 waveOutSetVolume
0x482788 mciSendStringW
Library: COMCTL32.dll:
0x48208c ImageList_Remove
0x482094 ImageList_BeginDrag
0x482098 ImageList_DragEnter
0x48209c ImageList_DragLeave
0x4820a0 ImageList_EndDrag
0x4820a4 ImageList_DragMove
0x4820ac ImageList_Create
0x4820b4 ImageList_Destroy
Library: MPR.dll:
0x4823f8 WNetGetConnectionW
0x4823fc WNetAddConnection2W
0x482400 WNetUseConnectionW
Library: WININET.dll:
0x482744 InternetReadFile
0x482748 InternetCloseHandle
0x48274c InternetOpenW
0x482750 InternetSetOptionW
0x482754 InternetCrackUrlW
0x482758 HttpQueryInfoW
0x48275c InternetConnectW
0x482760 HttpOpenRequestW
0x482764 HttpSendRequestW
0x482768 FtpOpenFileW
0x48276c FtpGetFileSize
0x482770 InternetOpenUrlW
Library: PSAPI.DLL:
0x48244c EnumProcesses
0x482450 GetModuleBaseNameW
0x482458 EnumProcessModules
Library: USERENV.dll:
0x482728 UnloadUserProfile
0x48272c LoadUserProfileW
Library: KERNEL32.dll:
0x482158 HeapAlloc
0x48215c Sleep
0x482160 GetCurrentThreadId
0x482164 RaiseException
0x482168 MulDiv
0x48216c GetVersionExW
0x482170 GetSystemInfo
0x482174 MultiByteToWideChar
0x482178 WideCharToMultiByte
0x48217c GetModuleHandleW
0x482184 VirtualFreeEx
0x482188 OpenProcess
0x48218c VirtualAllocEx
0x482190 WriteProcessMemory
0x482194 ReadProcessMemory
0x482198 CreateFileW
0x48219c SetFilePointerEx
0x4821a0 ReadFile
0x4821a4 WriteFile
0x4821a8 FlushFileBuffers
0x4821ac TerminateProcess
0x4821b4 Process32FirstW
0x4821b8 Process32NextW
0x4821bc SetFileTime
0x4821c0 GetFileAttributesW
0x4821c4 FindFirstFileW
0x4821c8 FindClose
0x4821cc DeleteFileW
0x4821d0 FindNextFileW
0x4821d4 lstrcmpiW
0x4821d8 MoveFileW
0x4821dc CopyFileW
0x4821e0 CreateDirectoryW
0x4821e4 RemoveDirectoryW
0x4821e8 SetSystemPowerState
0x4821f0 FindResourceW
0x4821f4 LoadResource
0x4821f8 LockResource
0x4821fc SizeofResource
0x482200 GetProcessHeap
0x482204 OutputDebugStringW
0x482208 GetLocalTime
0x48220c CompareStringW
0x482210 CompareStringA
0x48222c GetStdHandle
0x482230 CreatePipe
0x482234 InterlockedExchange
0x482238 TerminateThread
0x48223c GetTempPathW
0x482240 GetTempFileNameW
0x482244 VirtualFree
0x482248 FormatMessageW
0x48224c GetExitCodeProcess
0x482250 SetErrorMode
0x482278 GetDriveTypeW
0x48227c GetDiskFreeSpaceExW
0x482280 GetDiskFreeSpaceW
0x482288 SetVolumeLabelW
0x48228c CreateHardLinkW
0x482290 DeviceIoControl
0x482294 SetFileAttributesW
0x482298 GetShortPathNameW
0x48229c CreateEventW
0x4822a0 SetEvent
0x4822ac GlobalLock
0x4822b0 GlobalUnlock
0x4822b4 GlobalAlloc
0x4822b8 GetFileSize
0x4822bc GlobalFree
0x4822c4 Beep
0x4822c8 GetComputerNameW
0x4822d0 GetSystemDirectoryW
0x4822d4 GetCurrentProcessId
0x4822d8 GetCurrentThread
0x4822e0 CreateProcessW
0x4822e4 SetPriorityClass
0x4822e8 LoadLibraryW
0x4822ec VirtualAlloc
0x4822f0 LoadLibraryExW
0x4822f4 HeapFree
0x4822f8 WaitForSingleObject
0x4822fc CreateThread
0x482300 DuplicateHandle
0x482304 GetLastError
0x482308 CloseHandle
0x48230c GetCurrentProcess
0x482310 GetProcAddress
0x482314 LoadLibraryA
0x482318 FreeLibrary
0x48231c GetModuleFileNameW
0x482320 GetFullPathNameW
0x482324 ExitProcess
0x482328 ExitThread
0x482334 IsDebuggerPresent
0x48233c ResumeThread
0x482340 GetStartupInfoW
0x482344 TlsGetValue
0x482348 TlsAlloc
0x48234c TlsSetValue
0x482350 TlsFree
0x482354 SetLastError
0x482358 HeapSize
0x48235c GetCPInfo
0x482360 GetACP
0x482364 GetOEMCP
0x482368 IsValidCodePage
0x482374 GetModuleFileNameA
0x482378 HeapReAlloc
0x48237c HeapCreate
0x482380 SetHandleCount
0x482384 GetFileType
0x482388 GetStartupInfoA
0x48238c SetStdHandle
0x482390 GetConsoleCP
0x482394 GetConsoleMode
0x482398 LCMapStringW
0x48239c LCMapStringA
0x4823a0 RtlUnwind
0x4823a4 SetFilePointer
0x4823ac GetTimeFormatA
0x4823b0 GetDateFormatA
0x4823bc GetCommandLineW
0x4823c0 GetTickCount
0x4823c4 GetStringTypeA
0x4823c8 GetStringTypeW
0x4823cc GetLocaleInfoA
0x4823d0 GetModuleHandleA
0x4823d4 WriteConsoleA
0x4823d8 GetConsoleOutputCP
0x4823dc WriteConsoleW
0x4823e0 CreateFileA
0x4823e4 SetEndOfFile
0x4823e8 EnumResourceNamesW
Library: USER32.dll:
0x48249c SetWindowPos
0x4824a0 GetCursorInfo
0x4824a4 RegisterHotKey
0x4824a8 ClientToScreen
0x4824b0 IsCharAlphaW
0x4824b4 IsCharAlphaNumericW
0x4824b8 IsCharLowerW
0x4824bc IsCharUpperW
0x4824c0 GetMenuStringW
0x4824c4 GetSubMenu
0x4824c8 GetCaretPos
0x4824cc IsZoomed
0x4824d0 MonitorFromPoint
0x4824d4 GetMonitorInfoW
0x4824d8 SetWindowLongW
0x4824e0 FlashWindow
0x4824e4 GetClassLongW
0x4824ec IsDialogMessageW
0x4824f0 GetSysColor
0x4824f4 InflateRect
0x4824f8 DrawFocusRect
0x4824fc DrawTextW
0x482500 FrameRect
0x482504 DrawFrameControl
0x482508 FillRect
0x48250c PtInRect
0x482518 SetCursor
0x48251c GetWindowDC
0x482520 GetSystemMetrics
0x482524 GetActiveWindow
0x482528 CharNextW
0x48252c wsprintfW
0x482530 RedrawWindow
0x482534 DrawMenuBar
0x482538 DestroyMenu
0x48253c SetMenu
0x482544 CreateMenu
0x482548 IsDlgButtonChecked
0x48254c DefDlgProcW
0x482550 ReleaseCapture
0x482554 SetCapture
0x482558 WindowFromPoint
0x482560 mouse_event
0x482564 ExitWindowsEx
0x482568 SetActiveWindow
0x48256c FindWindowExW
0x482570 EnumThreadWindows
0x482574 SetMenuDefaultItem
0x482578 InsertMenuItemW
0x48257c IsMenu
0x482580 TrackPopupMenuEx
0x482584 GetCursorPos
0x482588 DeleteMenu
0x48258c CheckMenuRadioItem
0x482590 CopyImage
0x482594 GetMenuItemCount
0x482598 SetMenuItemInfoW
0x48259c GetMenuItemInfoW
0x4825a0 SetForegroundWindow
0x4825a4 IsIconic
0x4825a8 FindWindowW
0x4825b0 PeekMessageW
0x4825b4 SendInput
0x4825b8 GetAsyncKeyState
0x4825bc SetKeyboardState
0x4825c0 GetKeyboardState
0x4825c4 GetKeyState
0x4825c8 VkKeyScanW
0x4825cc LoadStringW
0x4825d0 DialogBoxParamW
0x4825d4 MessageBeep
0x4825d8 EndDialog
0x4825dc SendDlgItemMessageW
0x4825e0 GetDlgItem
0x4825e4 SetWindowTextW
0x4825e8 CopyRect
0x4825ec ReleaseDC
0x4825f0 GetDC
0x4825f4 EndPaint
0x4825f8 BeginPaint
0x4825fc GetClientRect
0x482600 GetMenu
0x482604 DestroyWindow
0x482608 EnumWindows
0x48260c GetDesktopWindow
0x482610 IsWindow
0x482614 IsWindowEnabled
0x482618 IsWindowVisible
0x48261c EnableWindow
0x482620 InvalidateRect
0x482628 AttachThreadInput
0x48262c GetFocus
0x482630 GetWindowTextW
0x482634 ScreenToClient
0x482638 SendMessageTimeoutW
0x48263c EnumChildWindows
0x482640 CharUpperBuffW
0x482644 GetClassNameW
0x482648 GetParent
0x48264c GetDlgCtrlID
0x482650 SendMessageW
0x482654 MapVirtualKeyW
0x482658 PostMessageW
0x48265c GetWindowRect
0x482668 CloseDesktop
0x48266c CloseWindowStation
0x482670 OpenDesktopW
0x48267c OpenWindowStationW
0x482680 MessageBoxW
0x482684 DefWindowProcW
0x482688 MoveWindow
0x48268c AdjustWindowRectEx
0x482690 SetRect
0x482694 SetClipboardData
0x482698 EmptyClipboard
0x4826a0 CloseClipboard
0x4826a4 GetClipboardData
0x4826ac OpenClipboard
0x4826b0 BlockInput
0x4826b4 GetMessageW
0x4826b8 LockWindowUpdate
0x4826bc DispatchMessageW
0x4826c0 GetMenuItemID
0x4826c4 TranslateMessage
0x4826c8 SetFocus
0x4826cc PostQuitMessage
0x4826d0 KillTimer
0x4826d4 CreatePopupMenu
0x4826dc SetTimer
0x4826e0 ShowWindow
0x4826e4 CreateWindowExW
0x4826e8 RegisterClassExW
0x4826ec LoadIconW
0x4826f0 LoadCursorW
0x4826f4 GetSysColorBrush
0x4826f8 GetForegroundWindow
0x4826fc MessageBoxA
0x482700 DestroyIcon
0x482704 UnregisterHotKey
0x482708 CharLowerBuffW
0x48270c MonitorFromRect
0x482710 keybd_event
0x482714 LoadImageW
0x482718 GetWindowLongW
Library: GDI32.dll:
0x4820c8 DeleteObject
0x4820cc GetObjectW
0x4820d4 ExtCreatePen
0x4820d8 StrokeAndFillPath
0x4820dc StrokePath
0x4820e0 EndPath
0x4820e4 SetPixel
0x4820e8 CloseFigure
0x4820f0 CreateCompatibleDC
0x4820f4 SelectObject
0x4820f8 StretchBlt
0x4820fc GetDIBits
0x482100 LineTo
0x482104 AngleArc
0x482108 MoveToEx
0x48210c Ellipse
0x482110 PolyDraw
0x482114 BeginPath
0x482118 Rectangle
0x48211c GetDeviceCaps
0x482120 SetBkMode
0x482124 RoundRect
0x482128 SetBkColor
0x48212c CreatePen
0x482130 CreateSolidBrush
0x482134 SetTextColor
0x482138 CreateFontW
0x48213c GetTextFaceW
0x482140 GetStockObject
0x482144 CreateDCW
0x482148 GetPixel
0x48214c DeleteDC
0x482150 SetViewportOrgEx
Library: COMDLG32.dll:
0x4820bc GetSaveFileNameW
0x4820c0 GetOpenFileNameW
Library: ADVAPI32.dll:
0x482000 RegEnumValueW
0x482004 RegDeleteValueW
0x482008 RegDeleteKeyW
0x48200c RegSetValueExW
0x482010 RegCreateKeyExW
0x482014 GetUserNameW
0x482018 RegConnectRegistryW
0x48201c RegEnumKeyExW
0x482020 CloseServiceHandle
0x482028 LockServiceDatabase
0x48202c OpenSCManagerW
0x482038 RegCloseKey
0x48203c RegQueryValueExW
0x482040 RegOpenKeyExW
0x482044 OpenThreadToken
0x482048 OpenProcessToken
0x482050 DuplicateTokenEx
0x482060 InitializeAcl
0x482064 GetLengthSid
0x48206c CopySid
0x482070 LogonUserW
0x482074 GetTokenInformation
0x482078 GetAclInformation
0x48207c GetAce
0x482080 AddAce
Library: SHELL32.dll:
0x482460 DragQueryPoint
0x482464 ShellExecuteExW
0x482468 SHGetFolderPathW
0x48246c DragQueryFileW
0x482470 SHEmptyRecycleBinW
0x482474 SHBrowseForFolderW
0x482478 SHFileOperationW
0x482480 SHGetDesktopFolder
0x482484 SHGetMalloc
0x482488 ExtractIconExW
0x48248c Shell_NotifyIconW
0x482490 ShellExecuteW
0x482494 DragFinish
Library: ole32.dll:
0x4827f0 MkParseDisplayName
0x4827f8 CoInitialize
0x4827fc CoUninitialize
0x482800 CoCreateInstance
0x482808 CoTaskMemAlloc
0x48280c CoTaskMemFree
0x482810 CLSIDFromString
0x482814 StringFromCLSID
0x482818 IIDFromString
0x48281c StringFromIID
0x482820 OleInitialize
0x482824 CreateBindCtx
0x482828 CLSIDFromProgID
0x482830 CoCreateInstanceEx
0x482834 CoSetProxyBlanket
0x482838 OleUninitialize
Library: OLEAUT32.dll:
0x482408 SafeArrayAllocData
0x482410 SysAllocString
0x482414 OleLoadPicture
0x482418 SafeArrayGetVartype
0x482420 SafeArrayAccessData
0x482424 VarR8FromDec
0x48242c VariantClear
0x482430 VariantCopy
0x482434 VariantInit
0x48243c LoadRegTypeLib
0x482440 GetActiveObject
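The "import hash" in the PE information section is the imphash: an MD5 over the normalised import table in import-table order. As an added example (my code, not the sandbox's), the script below implements that normalisation the way pefile does it (library name lower-cased with its extension dropped, function name lower-cased, ordinal-only imports mapped to names, entries joined with commas) so that the value can be reproduced and its limits understood. Two caveats: the import list printed above skips some IAT slots (the thunk addresses jump, for example from 0x48217c to 0x482184), so hashing the printed list will not reproduce the report's value exactly, and an imphash characterises the import table emitted by the build tool or runtime stub rather than the program's logic, so every binary built with the same runtime shares it. IMPORTS copies a few entries from the list above; the two-entry ordinal table is a stand-in for pefile's full ws2_32/wsock32 and oleaut32 tables and is an assumption on my part.

```python
"""Compute an import hash (imphash, the report's 'import hash' field) from an
import table given as (library, function) pairs.

Added example for this report (not sandbox output): IMPORTS copies a few
entries from the import list above; the normalisation mirrors pefile's
get_imphash(); ORDINAL_NAMES is a deliberately small stand-in table."""
import hashlib

# Ordinal-only imports must be mapped back to names before hashing.
# Assumption: these two WinSock ordinals are quoted from memory; pefile's
# ordlookup module carries the full ws2_32/wsock32 and oleaut32 tables.
ORDINAL_NAMES = {
    "wsock32": {3: "closesocket", 4: "connect"},
}

def normalise(lib, func):
    """('KERNEL32.dll', 'HeapAlloc') -> 'kernel32.heapalloc'.
    func may be an int ordinal; unknown ordinals become 'ordNNN' as in pefile."""
    lib = lib.lower()
    base, dot, ext = lib.rpartition(".")
    if dot and ext in ("dll", "ocx", "sys"):
        lib = base
    if isinstance(func, int):
        func = ORDINAL_NAMES.get(lib, {}).get(func, f"ord{func}")
    return f"{lib}.{func.lower()}"

def joined(imports):
    """The exact string that gets hashed; order is the import-table order."""
    return ",".join(normalise(lib, func) for lib, func in imports)

def imphash(imports):
    return hashlib.md5(joined(imports).encode()).hexdigest()

# Copied from the report's import list (a subset, report order).
IMPORTS = [
    ("WSOCK32.dll", "WSAStartup"), ("WSOCK32.dll", "gethostbyname"),
    ("KERNEL32.dll", "VirtualAllocEx"), ("KERNEL32.dll", "WriteProcessMemory"),
    ("KERNEL32.dll", "ReadProcessMemory"),
    ("USER32.dll", "BlockInput"), ("USER32.dll", "keybd_event"),
    ("ADVAPI32.dll", "LogonUserW"),
]

if __name__ == "__main__":
    print(joined(IMPORTS))
    print(imphash(IMPORTS))
```

Use the hash to pivot across a corpus (everything sharing aaaa8913c89c8aa4a5d93f06853894da was most likely built with the same runtime), not as evidence of a common author; reordering two imports changes the hash, which is why compilers and linkers, not people, define the grouping.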

Strings

.text
`.rdata
@.data
.rsrc
T$$PQj
Vh<HH
D$00vH
u htMH
u htMH
D$<PGH
W95HgI
W95HgI
YQPVh
95,gI
u&hx1H
Vhx3H
0Wh,lI
Pf95llI
No antivirus engine scan information.

Process Tree

fb.exe, PID: 2508, parent PID: 2184

Hosts contacted

No host records.

TCP

Source address Source port Destination address Destination port
192.168.122.201 49160 104.116.243.72 acroipm.adobe.com 80

UDP

Source address Source port Destination address Destination port
192.168.122.201 59906 192.168.122.1 53

DNS resolution

Domain Response
acroipm.adobe.com CNAME acroipm.adobe.com.edgesuite.net
A 104.116.243.153
CNAME a1983.dscd.akamai.net
A 104.116.243.72

HTTP Requests

URI http://acroipm.adobe.com/11/rdr/CHS/win/nooem/none/message.zip
GET /11/rdr/CHS/win/nooem/none/message.zip HTTP/1.1
Accept: */*
If-Modified-Since: Mon, 08 Nov 2017 08:44:36 GMT
User-Agent: IPM
Host: acroipm.adobe.com
Connection: Keep-Alive
Cache-Control: no-cache

acroipm.adobe.com is the host that Adobe Reader's in-product messaging client polls, the User-Agent "IPM" matches that client, and the report does not tie this connection to a process. Treat it as probable background traffic from the analysis VM rather than as a network indicator for fb.exe unless a per-process capture attributes it to PID 2508.

SMTP Traffic

No SMTP traffic.

IRC Traffic

No IRC requests.

ICMP Traffic

No ICMP traffic.

CIF Report

No CIF results.

Network Alerts

No alerts.

TLS

No TLS

Suricata HTTP

No Suricata HTTP

No files extracted from network traffic.
No dropped files.
No similar analyses found.

Processing ( 18.142 seconds )

  • 11.804 Suricata
  • 2.195 NetworkAnalysis
  • 1.836 VirusTotal
  • 1.009 Static
  • 0.542 TargetInfo
  • 0.365 peid
  • 0.352 BehaviorAnalysis
  • 0.019 AnalysisInfo
  • 0.011 Strings
  • 0.007 Memory
  • 0.002 config_decoder

Signatures ( 1.623 seconds )

  • 1.386 md_url_bl
  • 0.032 antiav_detectreg
  • 0.019 api_spamming
  • 0.017 md_domain_bl
  • 0.014 stealth_decoy_document
  • 0.014 stealth_timeout
  • 0.013 infostealer_ftp
  • 0.008 infostealer_im
  • 0.007 antiav_detectfile
  • 0.006 anomaly_persistence_autorun
  • 0.006 antianalysis_detectreg
  • 0.006 ransomware_extensions
  • 0.005 mimics_filetime
  • 0.005 reads_self
  • 0.005 geodo_banking_trojan
  • 0.004 infostealer_bitcoin
  • 0.004 infostealer_mail
  • 0.004 ransomware_files
  • 0.003 bootkit
  • 0.003 stealth_file
  • 0.003 antivm_generic_scsi
  • 0.003 antivm_generic_disk
  • 0.003 infostealer_browser_password
  • 0.003 antivm_vbox_files
  • 0.003 network_http
  • 0.002 tinba_behavior
  • 0.002 antiemu_wine_func
  • 0.002 infostealer_browser
  • 0.002 injection_createremotethread
  • 0.002 antivm_generic_services
  • 0.002 betabot_behavior
  • 0.002 antidbg_windows
  • 0.002 virus
  • 0.002 kovter_behavior
  • 0.002 disables_browser_warn
  • 0.002 network_torgateway
  • 0.001 network_tor
  • 0.001 antivm_vbox_libs
  • 0.001 rat_nanocore
  • 0.001 maldun_anomaly_massive_file_ops
  • 0.001 process_interest
  • 0.001 ipc_namedpipe
  • 0.001 kibex_behavior
  • 0.001 anormaly_invoke_kills
  • 0.001 vawtrak_behavior
  • 0.001 cerber_behavior
  • 0.001 injection_runpe
  • 0.001 hancitor_behavior
  • 0.001 antivm_generic_diskreg
  • 0.001 antivm_parallels_keys
  • 0.001 antivm_xen_keys
  • 0.001 bot_drive
  • 0.001 bot_drive2
  • 0.001 browser_security
  • 0.001 modify_proxy
  • 0.001 darkcomet_regkeys
  • 0.001 maldun_malicious_drop_executable_file_to_temp_folder
  • 0.001 md_bad_drop
  • 0.001 network_cnc_http
  • 0.001 recon_fingerprint
  • 0.001 stealth_modify_uac_prompt

Reporting ( 0.646 seconds )

  • 0.643 ReportHTMLSummary
  • 0.003 Malheur
Task ID 628832
Mongo ID 606f4c007e769a06aceb2bd6
Cuckoo release 1.4-Maldun