Maldun Security Analysis Report

Analysis type: FILE
Start time: 2019-12-12 23:18:52
End time: 2019-12-12 23:21:12
Duration: 140 seconds
Analysis engine version: 1.4-Maldun

VM name: win7-sp1-x64-hpdapp01-1
Label: win7-sp1-x64-hpdapp01-1
VM manager: KVM
Boot time: 2019-12-12 23:19:04
Shutdown time: 2019-12-12 23:21:13
Maldun score

3.5

Suspicious

File details

File name: 逐鹿人win10.exe
File size: 4694016 bytes
File type: PE32 executable (GUI) Intel 80386, for MS Windows
CRC32: D87F1E50
MD5: cab3fc02c31a5db33f59b3e8914770ab
SHA1: 8b9a4102fb1f5906a2e690842e2e66a259dc65af
SHA256: ff6e606b9250c6622d1c4fa24767a7e69226481008e8fa2a70c5056d4636a666
SHA512: 6908ed3745c83a3cc03b2e92f04822c41e955a0d9d145fb8f27714f06a0f0003d665d07511911fd678ecc4a61bca0cc7e8afcb1af8ca40044a03ff2a043b06b1
Ssdeep: 49152:FZVexYM3kP45R4ZCR/jSuQaNjQJCUXQuzRfV0kW+QujY22RNi6x:vbP47k41NjiC18pW+Bj6Pi6
PEiD: No match
Yara
  • DebuggerTiming__PerformanceCounter ()
  • DebuggerTiming__Ticks (Detected timing ticks function)
  • anti_dbg (Detected self protection if being debugged)
  • screenshot (Detected take screenshot function)
  • create_process (Detection function for creating a new process)
  • keylogger (Detected keylogger function)
  • win_registry (Detected system registries modification function)
  • change_win_registry (Change registries to affect system)
  • win_files_operation (Affect private profile)
  • win_hook (Detected hook table access function)
  • win_private_profile (Detected private profile access function)
  • Maldun_Anomoly_Combined_Activities_7 (Spotted potential malicious behaviors from a small size target, like process manipulation, privilege, token and files)
  • with_urls (Detected the presence of one or several URLs)
  • UPX (Detected UPX. Commonly used by RAT!)
  • CRC32_poly_Constant (Look for CRC32 [poly])
  • CRC32_table (Look for CRC32 table)
  • MD5_Constants (Look for MD5 constants)
  • RijnDael_AES (Look for RijnDael AES)
  • IsPE32 (Detected a 32bit PE sample)
  • IsWindowsGUI (Detected a Windows GUI sample)
  • IsPacked (Detected Entropy signature)
  • HasTaggantSignature (Detected Taggant Signature)
  • HasRichSignature (Detected Rich Signature)
VirusTotal: No scan result for this file

Signatures

Creates RWX memory
The binary likely contains encrypted or compressed data
section: name: .data, entropy: 7.25, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE, raw_size: 0x00391000, virtual_size: 0x003aba24
Maldun Yara rule detection results - security alerts
Critical: Spotted potential malicious behaviors from a small size target, like process manipulation, privilege, token and files
Warning: Detected UPX. Commonly used by RAT!
Informational: Detected Taggant Signature

Runtime screenshots

Network analysis

No information

Static analysis

PE information

Image base: 0x00400000
Entry point: 0x004b0e91
Declared checksum: 0x00000000
Actual checksum: 0x00488d29
Minimum OS version required: 4.0
Compile time: 2019-12-12 23:15:15
Import hash: 30b6fef5b0e5ab5712ce50365b73d0c0

PE sections

Name Virtual address Virtual size Raw data size Characteristics Entropy
.text 0x00001000 0x000c399a 0x000c4000 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 6.16
.rdata 0x000c5000 0x000124b4 0x00013000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 4.79
.data 0x000d8000 0x003aba24 0x00391000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 7.25
.rsrc 0x00484000 0x00010c88 0x00011000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 2.64

Imports

Library KERNEL32.dll:
0x4c50c8 - LoadLibraryA
0x4c50cc - FreeLibrary
0x4c50d0 - GetCommandLineA
0x4c50d4 - FormatMessageA
0x4c50d8 - GetUserDefaultLCID
0x4c50dc - GetFileSize
0x4c50e0 - ReadFile
0x4c50e4 - LCMapStringA
0x4c50e8 - FindFirstFileA
0x4c50ec - RemoveDirectoryA
0x4c50f0 - DeleteFileA
0x4c50f4 - FindNextFileA
0x4c50f8 - FindClose
0x4c50fc - Sleep
0x4c5100 - GetTickCount
0x4c5104 - GetStartupInfoA
0x4c5108 - CreateProcessA
0x4c510c - WaitForSingleObject
0x4c5110 - SetFileAttributesA
0x4c5114 - WriteFile
0x4c5118 - GetModuleFileNameA
0x4c511c - GetPrivateProfileStringA
0x4c5120 - IsBadReadPtr
0x4c5124 - HeapReAlloc
0x4c5128 - HeapAlloc
0x4c512c - ExitProcess
0x4c5130 - GetLastError
0x4c5134 - CreateFileA
0x4c5138 - DeviceIoControl
0x4c513c - LocalSize
0x4c5140 - GlobalSize
0x4c5144 - lstrlenW
0x4c5148 - RtlMoveMemory
0x4c514c - MapViewOfFile
0x4c5150 - OpenFileMappingA
0x4c5154 - FreeResource
0x4c5158 - SizeofResource
0x4c515c - LockResource
0x4c5160 - LoadResource
0x4c5164 - FindResourceA
0x4c5168 - GetNativeSystemInfo
0x4c516c - GetProcessHeap
0x4c5170 - CreateThread
0x4c5174 - GetModuleHandleA
0x4c5178 - Module32First
0x4c517c - MoveFileA
0x4c5180 - CreateDirectoryA
0x4c5184 - IsWow64Process
0x4c5188 - Process32Next
0x4c518c - Process32First
0x4c5190 - CreateToolhelp32Snapshot
0x4c5194 - GetModuleHandleW
0x4c5198 - CloseHandle
0x4c519c - SetWaitableTimer
0x4c51a0 - CreateWaitableTimerW
0x4c51a4 - HeapFree
0x4c51a8 - GlobalFree
0x4c51ac - GlobalUnlock
0x4c51b0 - GlobalLock
0x4c51b4 - GlobalAlloc
0x4c51b8 - MultiByteToWideChar
0x4c51bc - WideCharToMultiByte
0x4c51c0 - SetStdHandle
0x4c51c4 - IsBadCodePtr
0x4c51c8 - GetStringTypeW
0x4c51cc - GetStringTypeA
0x4c51d0 - SetUnhandledExceptionFilter
0x4c51d4 - LCMapStringW
0x4c51d8 - IsBadWritePtr
0x4c51dc - HeapCreate
0x4c51e0 - HeapDestroy
0x4c51e4 - GetEnvironmentVariableA
0x4c51e8 - GetFileType
0x4c51ec - GetStdHandle
0x4c51f0 - SetHandleCount
0x4c51f4 - GetEnvironmentStringsW
0x4c51f8 - GetEnvironmentStrings
0x4c51fc - FreeEnvironmentStringsW
0x4c5200 - FreeEnvironmentStringsA
0x4c5204 - UnhandledExceptionFilter
0x4c5208 - GetACP
0x4c520c - HeapSize
0x4c5210 - RaiseException
0x4c5214 - TerminateProcess
0x4c5218 - RtlUnwind
0x4c521c - GetOEMCP
0x4c5220 - GetCPInfo
0x4c5224 - FlushFileBuffers
0x4c5228 - SetFilePointer
0x4c522c - SetErrorMode
0x4c5230 - GetProcessVersion
0x4c5234 - GetVersion
0x4c5238 - GlobalGetAtomNameA
0x4c523c - GlobalAddAtomA
0x4c5240 - GlobalFindAtomA
0x4c5244 - SetLastError
0x4c5248 - lstrcpyA
0x4c524c - lstrcatA
0x4c5250 - WritePrivateProfileStringA
0x4c5254 - GlobalFlags
0x4c5258 - MulDiv
0x4c525c - lstrcpynA
0x4c5260 - TlsGetValue
0x4c5264 - LocalReAlloc
0x4c5268 - TlsSetValue
0x4c526c - EnterCriticalSection
0x4c5270 - GlobalReAlloc
0x4c5274 - LeaveCriticalSection
0x4c5278 - TlsFree
0x4c527c - GlobalHandle
0x4c5280 - DeleteCriticalSection
0x4c5284 - TlsAlloc
0x4c5288 - GetProcAddress
0x4c528c - VirtualFree
0x4c5290 - VirtualAlloc
0x4c5294 - InitializeCriticalSection
0x4c5298 - LocalFree
0x4c529c - LocalAlloc
0x4c52a0 - GlobalDeleteAtom
0x4c52a4 - lstrcmpA
0x4c52a8 - GetCurrentThread
0x4c52ac - GetCurrentThreadId
0x4c52b0 - lstrcmpiA
0x4c52b4 - IsProcessorFeaturePresent
0x4c52b8 - GetSystemInfo
0x4c52bc - lstrlenA
0x4c52c0 - GetTempPathA
0x4c52c4 - GetSystemDirectoryA
0x4c52c8 - GetWindowsDirectoryA
0x4c52cc - GetVersionExA
0x4c52d0 - GetCurrentProcess
0x4c52d4 - InterlockedIncrement
0x4c52d8 - InterlockedDecrement
Library USER32.dll:
0x4c5324 - GetDesktopWindow
0x4c5328 - GetWindow
0x4c532c - IsWindowVisible
0x4c5330 - GetWindowTextA
0x4c5334 - GetClassNameA
0x4c5338 - GetWindowThreadProcessId
0x4c533c - ClientToScreen
0x4c5340 - GetWindowRect
0x4c5344 - GetParent
0x4c5348 - MoveWindow
0x4c534c - UpdateWindow
0x4c5350 - BringWindowToTop
0x4c5354 - LoadCursorW
0x4c5358 - LookupIconIdFromDirectoryEx
0x4c535c - RegisterClassExW
0x4c5360 - DefWindowProcW
0x4c5364 - SetCursor
0x4c5368 - SendMessageA
0x4c536c - KillTimer
0x4c5370 - FindWindowExA
0x4c5374 - IntersectRect
0x4c5378 - InvalidateRect
0x4c537c - UpdateLayeredWindow
0x4c5380 - ReleaseCapture
0x4c5384 - PostMessageW
0x4c5388 - IsZoomed
0x4c538c - IsIconic
0x4c5390 - GetPropA
0x4c5394 - LoadCursorFromFileW
0x4c5398 - SetTimer
0x4c539c - PtInRect
0x4c53a0 - ReleaseDC
0x4c53a4 - SetCaretPos
0x4c53a8 - GetCursorPos
0x4c53ac - CallWindowProcW
0x4c53b0 - TrackMouseEvent
0x4c53b4 - ShowWindow
0x4c53b8 - BeginPaint
0x4c53bc - EndPaint
0x4c53c0 - SetCapture
0x4c53c4 - GetAsyncKeyState
0x4c53c8 - GetSystemMetrics
0x4c53cc - GetFocus
0x4c53d0 - SetFocus
0x4c53d4 - EnableWindow
0x4c53d8 - IsWindowEnabled
0x4c53dc - GetForegroundWindow
0x4c53e0 - GetActiveWindow
0x4c53e4 - SetActiveWindow
0x4c53e8 - PostQuitMessage
0x4c53ec - PostMessageA
0x4c53f0 - GetWindowLongA
0x4c53f4 - GetLastActivePopup
0x4c53f8 - SetWindowsHookExA
0x4c53fc - ValidateRect
0x4c5400 - DispatchMessageW
0x4c5404 - GetKeyState
0x4c5408 - GetNextDlgTabItem
0x4c540c - EnableMenuItem
0x4c5410 - CheckMenuItem
0x4c5414 - SetMenuItemBitmaps
0x4c5418 - ModifyMenuA
0x4c541c - GetMenuState
0x4c5420 - LoadBitmapA
0x4c5424 - GetMenuCheckMarkDimensions
0x4c5428 - RegisterClipboardFormatA
0x4c542c - GetDlgCtrlID
0x4c5430 - SetWindowTextA
0x4c5434 - UnhookWindowsHookEx
0x4c5438 - GetMenuItemCount
0x4c543c - GetDC
0x4c5440 - TabbedTextOutA
0x4c5444 - DrawTextA
0x4c5448 - GrayStringA
0x4c544c - GetDlgItem
0x4c5450 - SendDlgItemMessageA
0x4c5454 - IsDialogMessageA
0x4c5458 - SetWindowLongA
0x4c545c - GetWindowPlacement
0x4c5460 - RegisterWindowMessageA
0x4c5464 - GetMessagePos
0x4c5468 - GetMessageTime
0x4c546c - DefWindowProcA
0x4c5470 - CallWindowProcA
0x4c5474 - GetClassLongA
0x4c5478 - CreateWindowExA
0x4c547c - DestroyWindow
0x4c5480 - GetMenuItemID
0x4c5484 - GetSubMenu
0x4c5488 - GetMenu
0x4c548c - RegisterClassA
0x4c5490 - GetClassInfoA
0x4c5494 - WinHelpA
0x4c5498 - GetCapture
0x4c549c - GetTopWindow
0x4c54a0 - CopyRect
0x4c54a4 - GetClientRect
0x4c54a8 - AdjustWindowRectEx
0x4c54ac - GetSysColor
0x4c54b0 - MapWindowPoints
0x4c54b4 - LoadIconA
0x4c54b8 - LoadCursorA
0x4c54bc - GetSysColorBrush
0x4c54c0 - LoadStringA
0x4c54c4 - UnregisterClassA
0x4c54c8 - PostThreadMessageA
0x4c54cc - DestroyMenu
0x4c54d0 - CreateDialogIndirectParamA
0x4c54d4 - EndDialog
0x4c54d8 - SetWindowLongW
0x4c54dc - SetWindowPos
0x4c54e0 - SetPropA
0x4c54e4 - GetClassLongW
0x4c54e8 - GetWindowTextW
0x4c54ec - SetWindowRgn
0x4c54f0 - RemovePropA
0x4c54f4 - TranslateMessage
0x4c54f8 - GetMessageW
0x4c54fc - IsWindow
0x4c5500 - PeekMessageA
0x4c5504 - GetClassNameW
0x4c5508 - SystemParametersInfoA
0x4c550c - SendMessageW
0x4c5510 - CreateWindowExW
0x4c5514 - MsgWaitForMultipleObjects
0x4c5518 - CopyImage
0x4c551c - CreateIconFromResourceEx
0x4c5520 - CallNextHookEx
0x4c5524 - SetForegroundWindow
0x4c5528 - MessageBoxA
0x4c552c - wsprintfA
0x4c5530 - DispatchMessageA
0x4c5534 - GetMessageA
Library ADVAPI32.dll:
0x4c5000 - CreateServiceA
0x4c5004 - OpenSCManagerA
0x4c5008 - CloseServiceHandle
0x4c500c - OpenServiceA
0x4c5010 - StartServiceA
0x4c5014 - ControlService
0x4c5018 - DeleteService
0x4c501c - RegCloseKey
0x4c5020 - RegQueryValueExA
0x4c5024 - RegOpenKeyA
0x4c5028 - RegCreateKeyExA
0x4c502c - RegOpenKeyExA
0x4c5030 - RegSetValueExA
Library SHELL32.dll:
0x4c530c - SHGetSpecialFolderPathA
0x4c5310 - ShellExecuteA
0x4c5314 - Shell_NotifyIconW
Library ole32.dll:
0x4c5688 - CLSIDFromProgID
0x4c568c - CoCreateInstance
0x4c5690 - OleRun
0x4c5694 - CoUninitialize
0x4c5698 - CoInitialize
0x4c569c - StringFromGUID2
0x4c56a0 - CLSIDFromString
0x4c56a4 - CreateStreamOnHGlobal
0x4c56a8 - OleInitialize
0x4c56ac - OleUninitialize
0x4c56b0 - CoFreeUnusedLibraries
0x4c56b4 - CoRegisterMessageFilter
0x4c56b8 - OleIsCurrentClipboard
0x4c56bc - OleFlushClipboard
0x4c56c0 - CoRevokeClassObject
Library SHLWAPI.dll:
0x4c531c - PathFileExistsA
Library GDI32.dll:
0x4c5040 - BitBlt
0x4c5044 - CreateCompatibleDC
0x4c5048 - CreateDIBSection
0x4c504c - SelectObject
0x4c5050 - DeleteObject
0x4c5054 - DeleteDC
0x4c5058 - CreateRoundRectRgn
0x4c505c - CreateRectRgn
0x4c5060 - GetDIBits
0x4c5064 - GetObjectA
0x4c5068 - GetStockObject
0x4c506c - CreateBitmap
0x4c5070 - SaveDC
0x4c5074 - RestoreDC
0x4c5078 - SetTextColor
0x4c507c - SetMapMode
0x4c5080 - SetViewportOrgEx
0x4c5084 - OffsetViewportOrgEx
0x4c5088 - SetViewportExtEx
0x4c508c - ScaleViewportExtEx
0x4c5090 - SetWindowExtEx
0x4c5094 - ScaleWindowExtEx
0x4c5098 - GetClipBox
0x4c509c - SetBkColor
0x4c50a0 - Escape
0x4c50a4 - ExtTextOutA
0x4c50a8 - TextOutA
0x4c50ac - RectVisible
0x4c50b0 - PtVisible
0x4c50b4 - GetDeviceCaps
Library gdiplus.dll:
0x4c554c - GdipCreatePath
0x4c5550 - GdipDeletePath
0x4c5554 - GdipDrawPath
0x4c5558 - GdipCreateRegionHrgn
0x4c555c - GdipDeleteRegion
0x4c5560 - GdipGetRegionBounds
0x4c5564 - GdipMeasureCharacterRanges
0x4c5568 - GdipCreateRegion
0x4c556c - GdipAddPathArc
0x4c5570 - GdipClosePathFigure
0x4c5574 - GdipFillPath
0x4c5578 - GdipSetStringFormatMeasurableCharacterRanges
0x4c557c - GdipGetImageEncoders
0x4c5580 - GdipGetImageEncodersSize
0x4c5584 - GdipSaveImageToStream
0x4c5588 - GdipLoadImageFromStream
0x4c558c - GdipGetPropertyItem
0x4c5590 - GdipGetPropertyItemSize
0x4c5594 - GdipImageGetFrameCount
0x4c5598 - GdipImageSelectActiveFrame
0x4c559c - GdipCreateLineBrush
0x4c55a0 - GdipCreatePen2
0x4c55a4 - GdipFillPolygon
0x4c55a8 - GdipDrawPolygon
0x4c55ac - GdipCreatePathGradientFromPath
0x4c55b0 - GdipGetFamilyName
0x4c55b4 - GdipGetFontSize
0x4c55b8 - GdipGetFontStyle
0x4c55bc - GdipCreateFont
0x4c55c0 - GdipCreateFontFamilyFromName
0x4c55c4 - GdipDeleteFontFamily
0x4c55c8 - GdipDeleteFont
0x4c55cc - GdipGetTextRenderingHint
0x4c55d0 - GdipGetCompositingQuality
0x4c55d4 - GdipDrawRectangle
0x4c55d8 - GdipDeletePen
0x4c55dc - GdipSetPenDashStyle
0x4c55e0 - GdiplusStartup
0x4c55e4 - GdipCreateImageAttributes
0x4c55e8 - GdipSetClipRegion
0x4c55ec - GdipSetClipRect
0x4c55f0 - GdipResetClip
0x4c55f4 - GdipDeleteGraphics
0x4c55f8 - GdipCreateFromHDC
0x4c55fc - GdipGetSmoothingMode
0x4c5600 - GdipSetSmoothingMode
0x4c5604 - GdipGraphicsClear
0x4c5608 - GdipDrawImageRectRect
0x4c560c - GdipGetImagePixelFormat
0x4c5610 - GdipCloneBitmapArea
0x4c5614 - GdipGetImageWidth
0x4c5618 - GdipCreateHBITMAPFromBitmap
0x4c561c - GdipDisposeImage
0x4c5620 - GdipBitmapLockBits
0x4c5624 - GdipBitmapUnlockBits
0x4c5628 - GdipDrawImageRect
0x4c562c - GdipCreateStringFormat
0x4c5630 - GdipSetStringFormatHotkeyPrefix
0x4c5634 - GdipDeleteStringFormat
0x4c5638 - GdipCreateLineBrushFromRect
0x4c563c - GdipFillRectangle
0x4c5640 - GdipDeleteBrush
0x4c5644 - GdipMeasureString
0x4c5648 - GdipGetFontHeight
0x4c564c - GdipCreateSolidFill
0x4c5650 - GdipDrawString
0x4c5654 - GdipCreateBitmapFromScan0
0x4c5658 - GdipGetImageGraphicsContext
0x4c565c - GdipSetCompositingQuality
0x4c5660 - GdipSetInterpolationMode
0x4c5664 - GdipSetStringFormatAlign
0x4c5668 - GdipSetStringFormatTrimming
0x4c566c - GdipSetStringFormatFlags
0x4c5670 - GdipGetStringFormatAlign
0x4c5674 - GdipGetStringFormatTrimming
0x4c5678 - GdipGetStringFormatFlags
0x4c567c - GdipSetTextRenderingHint
0x4c5680 - GdipGetImageHeight
Library IMM32.dll:
0x4c50bc - ImmAssociateContext
0x4c50c0 - ImmGetContext
Library OLEAUT32.dll:
0x4c52e0 - VarR8FromCy
0x4c52e4 - VarR8FromBool
0x4c52e8 - LoadTypeLib
0x4c52ec - LHashValOfNameSys
0x4c52f0 - RegisterTypeLib
0x4c52f4 - SafeArrayCreate
0x4c52f8 - SysAllocString
0x4c52fc - VariantClear
0x4c5300 - SafeArrayDestroy
0x4c5304 - OleLoadPicture
Library oledlg.dll:
0x4c56c8 - None
Library WINSPOOL.DRV:
0x4c553c - ClosePrinter
0x4c5540 - DocumentPropertiesA
0x4c5544 - OpenPrinterA
Library COMCTL32.dll:
0x4c5038 - None

Dropped files

No information

Behavioral analysis

Mutexes
  • Local\MSCTF.Asm.MutexDefault1
Commands executed: No information
Services created: No information
Services started: No information

Processes

_________win10.exe PID: 2480, parent process PID: 2332

Files accessed
  • C:\Windows\Globalization\Sorting\sortdefault.nls
  • C:\Users\test\AppData\Local\GDIPFONTCACHEV1.DAT
  • C:\Windows\Fonts\AGENCYR.TTF
  • C:\Windows\Fonts\simsun.ttc
  • C:\Windows\System32\msxml3.dll\1
  • C:\Windows\System32\msxml3.dll
  • C:\Windows\SysWOW64\stdole2.tlb
  • C:\Windows\Fonts\msyh.ttf
  • C:\Windows\Fonts\msyhbd.ttf
  • C:\yiyou.ini
  • C:\Windows\win.ini
Files read
  • C:\Windows\Globalization\Sorting\sortdefault.nls
  • C:\Users\test\AppData\Local\GDIPFONTCACHEV1.DAT
  • C:\Windows\Fonts\simsun.ttc
  • C:\Windows\System32\msxml3.dll\1
  • C:\Windows\System32\msxml3.dll
  • C:\Windows\SysWOW64\stdole2.tlb
  • C:\Windows\Fonts\msyh.ttf
  • C:\Windows\Fonts\msyhbd.ttf
  • C:\yiyou.ini
  • C:\Windows\win.ini
Files modified
  • C:\Users\test\AppData\Local\GDIPFONTCACHEV1.DAT
Files deleted: No information
Registry keys
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Fonts
  • HKEY_CURRENT_USER\Software\Microsoft\GDIPlus
  • HKEY_CURRENT_USER\Software\Microsoft\GDIPlus\FontCachePath
  • HKEY_CURRENT_USER\Software\Classes
  • HKEY_CURRENT_USER\Software\Classes\TypeLib
  • HKEY_CURRENT_USER\Software\Classes\TypeLib\{00020430-0000-0000-C000-000000000046}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0\win32
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0\win32\(Default)
  • HKEY_CLASSES_ROOT\CLSID\{FAE3D380-FEA4-4623-8C75-C6B61110B681}\Instance
  • HKEY_CLASSES_ROOT\CLSID\{FAE3D380-FEA4-4623-8C75-C6B61110B681}\Instance\Disabled
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\FontSubstitutes
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\宋体
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\_________win10.exe
  • HKEY_LOCAL_MACHINE\Software\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{03B5835F-F03C-411B-9CE2-AA23E1171E36}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{07EB03D6-B001-41DF-9192-BF9B841EE71F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3697C5FA-60DD-4B56-92D4-74A569205C16}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3FC47A08-E5C9-4BCA-A2C7-BC9A282AED14}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{531FDEBF-9B4C-4A43-A2AA-960E8FCDC732}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{78CB5B0E-26ED-4FCC-854C-77E8F3D1AA80}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{81D4E9C9-1D3B-41BC-9E6C-4B40BF79E35E}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{8613E14C-D0C0-4161-AC0F-1DD2563286BC}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{A028AE76-01B1-46C2-99C4-ACD9858AE02F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{AE6BE008-07FB-400D-8BEB-337A64F7051F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{C1EE01F2-B3B6-4A6A-9DDD-E988C088EC82}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{E429B25A-E5D3-4D1F-9BE3-0C608477E3A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F25E9F57-2FC8-4EB3-A41A-CCE5F08541E6}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F89E9E58-BD2F-4008-9AC2-0F816C09F4EE}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_CURRENT_USER
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
  • HKEY_CURRENT_USER\Software\Microsoft\CTF\DirectSwitchHotkeys
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\KnownClasses
  • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
  • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\ScrollInset
  • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\DragDelay
  • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\DragMinDist
  • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\ScrollDelay
  • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\ScrollInterval
Registry keys read
  • HKEY_CURRENT_USER\Software\Microsoft\GDIPlus\FontCachePath
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0\win32\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\宋体
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
  • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\ScrollInset
  • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\DragDelay
  • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\DragMinDist
  • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\ScrollDelay
  • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\ScrollInterval
Registry keys modified: No information
Registry keys deleted: No information
Resolved APIs
  • kernel32.dll.IsProcessorFeaturePresent
  • cryptbase.dll.SystemFunction036
  • d3d9.dll.Direct3DCreate9
  • user32.dll.GetWindowInfo
  • user32.dll.GetAncestor
  • user32.dll.GetMonitorInfoA
  • user32.dll.EnumDisplayMonitors
  • user32.dll.EnumDisplayDevicesA
  • kernel32.dll.SortGetHandle
  • kernel32.dll.SortCloseHandle
  • gdi32.dll.ExtTextOutW
  • gdi32.dll.GdiIsMetaPrintDC
  • ntdll.dll.RtlGetNtVersionNumbers
  • ntdll.dll.RtlGetNtProductType
  • kernel32.dll.IsBadWritePtr
  • kernel32.dll.RegOpenKeyExW
  • kernel32.dll.RegQueryInfoKeyA
  • kernel32.dll.RegCloseKey
  • kernel32.dll.RegCreateKeyExW
  • kernel32.dll.RegQueryValueExW
  • kernel32.dll.InitAtomTable
  • kernel32.dll.IsBadReadPtr
  • kernel32.dll.LoadLibraryA
  • kernel32.dll.GetProcAddress
  • advapi32.dll.CryptHashData
  • atl.dll.#10
  • gdi32.dll.GetDIBits
  • gdiplus.dll.GdipDrawString
  • msvcrt.dll.atoi
  • ole32.dll.OleRun
  • oleaut32.dll.#9
  • shell32.dll.DragFinish
  • shlwapi.dll.PathFileExistsA
  • user32.dll.wsprintfA
  • kernel32.dll.IsBadCodePtr
  • kernel32.dll.MultiByteToWideChar
  • kernel32.dll.GetUserDefaultLCID
  • kernel32.dll.CloseHandle
  • kernel32.dll.HeapReAlloc
  • kernel32.dll.GetFileSize
  • kernel32.dll.CreateFileA
  • kernel32.dll.FreeLibrary
  • kernel32.dll.LCMapStringA
  • kernel32.dll.HeapAlloc
  • kernel32.dll.ExitProcess
  • kernel32.dll.EnterCriticalSection
  • kernel32.dll.GetModuleHandleA
  • kernel32.dll.GetProcessHeap
  • kernel32.dll.WideCharToMultiByte
  • kernel32.dll.VirtualProtect
  • kernel32.dll.VirtualAlloc
  • kernel32.dll.InitializeCriticalSection
  • kernel32.dll.VirtualFree
  • kernel32.dll.CreateThread
  • kernel32.dll.RtlMoveMemory
  • kernel32.dll.HeapFree
  • kernel32.dll.LeaveCriticalSection
  • kernel32.dll.ReadFile
  • advapi32.dll.CryptDestroyHash
  • advapi32.dll.CryptCreateHash
  • advapi32.dll.CryptReleaseContext
  • advapi32.dll.CryptAcquireContextA
  • advapi32.dll.CryptGetHashParam
  • atl.dll.#11
  • gdi32.dll.CreateDIBSection
  • gdi32.dll.CreateRectRgn
  • gdiplus.dll.GdipBitmapLockBits
  • gdiplus.dll.GdipGetImageWidth
  • gdiplus.dll.GdipGetImagePixelFormat
  • gdiplus.dll.GdipCreateBitmapFromHBITMAP
  • gdiplus.dll.GdipCreateBitmapFromScan0
  • gdiplus.dll.GdipBitmapUnlockBits
  • gdiplus.dll.GdipDrawImageRect
  • gdiplus.dll.GdipGetImageGraphicsContext
  • gdiplus.dll.GdipSetInterpolationMode
  • gdiplus.dll.GdipSetTextRenderingHint
  • gdiplus.dll.GdipCreateSolidFill
  • gdiplus.dll.GdipDeleteBrush
  • gdiplus.dll.GdipDeleteGraphics
  • gdiplus.dll.GdipDisposeImage
  • gdiplus.dll.GdipGetImageHeight
  • gdiplus.dll.GdipCreateBitmapFromHICON
  • gdiplus.dll.GdipCreateFromHDC
  • gdiplus.dll.GdipGraphicsClear
  • gdiplus.dll.GdipLoadImageFromStream
  • msvcrt.dll.toupper
  • msvcrt.dll.sprintf
  • msvcrt.dll.strchr
  • msvcrt.dll.??3@YAXPAX@Z
  • msvcrt.dll.??2@YAPAXI@Z
  • msvcrt.dll._ftol
  • msvcrt.dll.tolower
  • msvcrt.dll.qsort
  • msvcrt.dll._CIfmod
  • msvcrt.dll.__CxxFrameHandler
  • msvcrt.dll.atof
  • msvcrt.dll._atoi64
  • msvcrt.dll.strtod
  • msvcrt.dll.strncmp
  • msvcrt.dll.modf
  • msvcrt.dll.memmove
  • msvcrt.dll.free
  • msvcrt.dll._stricmp
  • msvcrt.dll.malloc
  • msvcrt.dll._strnicmp
  • ole32.dll.StringFromCLSID
  • ole32.dll.OleInitialize
  • ole32.dll.RegisterDragDrop
  • ole32.dll.RevokeDragDrop
  • ole32.dll.OleUninitialize
  • ole32.dll.ReleaseStgMedium
  • ole32.dll.CoUninitialize
  • ole32.dll.CoCreateInstance
  • ole32.dll.CLSIDFromString
  • ole32.dll.CLSIDFromProgID
  • ole32.dll.CoInitialize
  • ole32.dll.CreateStreamOnHGlobal
  • oleaut32.dll.#2
  • oleaut32.dll.#16
  • oleaut32.dll.#15
  • oleaut32.dll.#163
  • oleaut32.dll.#165
  • oleaut32.dll.#161
  • oleaut32.dll.#86
  • oleaut32.dll.#82
  • shell32.dll.DragQueryFileA
  • user32.dll.MessageBoxA
  • user32.dll.UpdateLayeredWindow
  • user32.dll.GetWindowRect
  • user32.dll.GetWindow
  • kernel32.dll.FindAtomA
  • kernel32.dll.AddAtomA
  • cryptsp.dll.CryptAcquireContextA
  • cryptsp.dll.CryptHashData
  • cryptsp.dll.CryptCreateHash
  • cryptsp.dll.CryptGetHashParam
  • cryptsp.dll.CryptDestroyHash
  • cryptsp.dll.CryptReleaseContext
  • msvcrt.dll.strerror
  • msvcrt.dll.fflush
  • msvcrt.dll._errno
  • msvcrt.dll.fopen
  • msvcrt.dll.fread
  • msvcrt.dll.fprintf
  • msvcrt.dll._vsnprintf
  • msvcrt.dll.ftell
  • msvcrt.dll.fseek
  • msvcrt.dll.fclose
  • msvcrt.dll.clearerr
  • msvcrt.dll._fdopen
  • msvcrt.dll._initterm
  • msvcrt.dll._adjust_fdiv
  • msvcrt.dll.fwrite
  • msvcrt.dll.fputc
  • kernel32.dll.DisableThreadLibraryCalls
  • sxs.dll.SxsOleAut32MapConfiguredClsidToReferenceClsid
  • sxs.dll.SxsOleAut32RedirectTypeLibrary
  • advapi32.dll.RegOpenKeyW
  • advapi32.dll.RegQueryValueW
  • ntdll.dll.RtlComputeCrc32
  • kernel32.dll.lstrlenA
  • shell32.dll.StrCmpNA
  • kernel32.dll.GlobalAlloc
  • kernel32.dll.GlobalLock
  • kernel32.dll.GlobalUnlock
  • windowscodecs.dll.DllGetClassObject
  • kernel32.dll.WerRegisterMemoryBlock
  • user32.dll.GetWindowLongW
  • kernel32.dll.GetCurrentProcess
  • kernel32.dll.FlushInstructionCache
  • user32.dll.SetWindowLongW
  • comctl32.dll.RegisterClassNameW
  • uxtheme.dll.OpenThemeData
  • ole32.dll.CoInitializeEx
  • ole32.dll.CoRegisterInitializeSpy
  • ole32.dll.CoRevokeInitializeSpy
  • gdiplus.dll.GdipCreatePen1
  • gdiplus.dll.GdipDrawLine
  • kernel32.dll.lstrlenW
  • gdiplus.dll.GdipDrawImage
  • gdiplus.dll.GdipGetFamily
  • gdi32.dll.GetDeviceCaps
  • kernel32.dll.MulDiv
  • riched20.dll.CreateTextServices
  • gdi32.dll.SelectClipRgn
  • user32.dll.UnionRect
  • gdi32.dll.GdiAlphaBlend
  • gdi32.dll.CreateCompatibleDC
  • gdi32.dll.SelectObject
  • gdi32.dll.DeleteObject
  • user32.dll.SendMessageW
  • dwmapi.dll.DwmIsCompositionEnabled
  • user32.dll.ShowWindow
  • user32.dll.IsWindow
  • user32.dll.RedrawWindow
  • user32.dll.WindowFromPoint
  • gdi32.dll.DeleteDC