Maldun Security Analysis Report

Analysis type: FILE
Start time: 2020-02-19 09:09:26
End time: 2020-02-19 09:11:20
Duration: 114 seconds
Analysis engine version: 1.4-Maldun
VM name: win7-sp1-x64-hpdapp01-1
Label: win7-sp1-x64-hpdapp01-1
Hypervisor: KVM
Boot time: 2020-02-19 09:09:32
Shutdown time: 2020-02-19 09:11:22
Maldun score

10.0

Malicious

File details

File name PO.exe
File size 713216 bytes
File type PE32 executable (GUI) Intel 80386, for MS Windows
CRC32 A147D746
MD5 982964caed7675afc0b853b51ec8b16a
SHA1 105cdaec1adef402d7c24cba53d0624ed14acecc
SHA256 21cbed85dd80d4662073208a52c63bcb7464e7bc28081dd134e59d20e7e51611
SHA512 0834ae34def2a8deb2bb64dcdf436d041316bf7041f3ba51d9ec5fcb798f1117c91259f1abd699605e002b90d81d815b5b867c4597ad9147c593a6d6c03b1b1b
Ssdeep 12288:qcHgyL6D9Ud63tkMIPpEK/tpv+LB13t0wEtb6z:rdU9ASkJyK1pvct
PEiD No match
Yara
  • DebuggerTiming__Ticks (Detected timing ticks function)
  • network_udp_sock (Communications over UDP socket)
  • network_tcp_listen (Listen for incoming communication)
  • network_tcp_socket (Detected network communications over RAW socket)
  • network_dns (Detected network communications use DNS)
  • screenshot (Detected take screenshot function)
  • create_process (Detection function for creating a new process)
  • keylogger (Detected keylogger function)
  • win_registry (Detected system registries modification function)
  • win_files_operation (Affect private profile)
  • win_hook (Detected hook table access function)
  • Maldun_Anomoly_Combined_Activities_5 (Spotted potential malicious behaviors like logging and network communication)
  • Maldun_Anomoly_Combined_Activities_7 (Spotted potential malicious behaviors from a small size target, like process manipulation, privilege, token and files)
  • BASE64_table (Look for Base64 table)
  • Borland (Detects Borland program)
  • BobSoftMiniDelphiBoBBobSoft ()
  • IsPE32 (Detected a 32bit PE sample)
  • IsWindowsGUI (Detected a Windows GUI sample)
VirusTotal
VirusTotal scan time: 2020-02-19 01:03:55
Scan result: 45/69

Signatures

Creates RWX memory
Process attempted to delay the analysis task
Process: PO.exe tried to sleep 61 seconds, actually delayed analysis time by 0 seconds
Binary may contain encrypted or compressed data
section: name: .rsrc, entropy: 7.33, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_SHARED|IMAGE_SCN_MEM_READ, raw_size: 0x00040a00, virtual_size: 0x0004095c
Anomalous binary characteristics
anomaly: Timestamp on binary predates the release date of the OS version it requires by at least a year
Maldun Security Yara rule detection results - Critical
Critical: Spotted potential malicious behaviors like logging and network communication
Critical: Spotted potential malicious behaviors from a small size target, like process manipulation, privilege, token and files
File was detected as malicious by at least one antivirus engine on VirusTotal
MicroWorld-eScan: Trojan.Agent.ELBU
McAfee: Fareit-FRB!982964CAED76
Cylance: Unsafe
Sangfor: Malware
BitDefender: Trojan.Agent.ELBU
CrowdStrike: win/malicious_confidence_100% (W)
Cyren: W32/Trojan.QREF-6311
Symantec: ML.Attribute.HighConfidence
ESET-NOD32: a variant of Win32/Injector.EKIE
APEX: Malicious
Avast: Win32:Trojan-gen
Kaspersky: HEUR:Trojan.Win32.Kryptik.gen
NANO-Antivirus: Trojan.Win32.Stealer.gyoxgr
Ad-Aware: Trojan.Agent.ELBU
Emsisoft: Trojan.Agent.ELBU (B)
DrWeb: Trojan.PWS.Stealer.27970
Zillya: Trojan.Injector.Win32.683071
Invincea: heuristic
McAfee-GW-Edition: BehavesLike.Win32.Fareit.jh
Trapmine: malicious.high.ml.score
FireEye: Generic.mg.982964caed7675af
Sophos: Mal/Fareit-V
Ikarus: Trojan.Inject
F-Prot: W32/Trojan2.QBFK
Jiangmin: Trojan.Kryptik.adq
eGambit: Unsafe.AI_Score_99%
Antiy-AVL: Trojan/Win32.Kryptik
Endgame: malicious (high confidence)
Arcabit: Trojan.Agent.ELBU
ZoneAlarm: HEUR:Trojan.Win32.Kryptik.gen
GData: Trojan.Agent.ELBU
AhnLab-V3: Win-Trojan/Delphiless.Exp
Acronis: suspicious
BitDefenderTheta: Gen:NN.ZelphiF.34090.RGW@aaANTuoi
ALYac: Trojan.Agent.ELBU
MAX: malware (ai score=89)
VBA32: TScope.Trojan.Delf
Rising: Malware.Heuristic!ET#95% (RDMK:cmRtazpyFfjOGsw4EWYaqnzHOn7j)
SentinelOne: DFI - Suspicious PE
MaxSecure: Trojan.Malware.300983.susgen
Fortinet: W32/Injector.DZGI!tr
Webroot: W32.Trojan.Gen
AVG: Win32:Trojan-gen
Cybereason: malicious.c1adef
Qihoo-360: HEUR/QVM05.1.5763.Malware.Gen

Runtime screenshots

Network analysis

No information

Static analysis

PE information

Image base 0x00400000
Entry point 0x00462ff0
Declared checksum 0x00000000
Actual checksum 0x000b6d9e
Minimum OS version required 4.0
Compile time 1992-01-09 10:40:55
Import hash 958c2e3e398a0d6a82b85b37bc739288

PE sections

Name Virtual address Virtual size Raw data size Characteristics Entropy
CODE 0x00001000 0x00062038 0x00062200 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 6.60
DATA 0x00064000 0x00001970 0x00001a00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 4.57
BSS 0x00066000 0x00000e75 0x00000000 IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 0.00
.idata 0x00067000 0x0000206a 0x00002200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 4.87
.tls 0x0006a000 0x00000010 0x00000000 IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 0.00
.rdata 0x0006b000 0x00000018 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_SHARED|IMAGE_SCN_MEM_READ 0.20
.reloc 0x0006c000 0x00007338 0x00007400 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_SHARED|IMAGE_SCN_MEM_READ 0.00
.rsrc 0x00074000 0x0004095c 0x00040a00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_SHARED|IMAGE_SCN_MEM_READ 7.33

Imports

Library KERNEL32.DLL:
0x467688 - Sleep
Library KERNEL32.DLL:
0x4671ec - TlsSetValue
0x4671f0 - TlsGetValue
0x4671f4 - LocalAlloc
0x4671f8 - GetModuleHandleA
Library KERNEL32.DLL:
0x467210 - lstrcpyA
0x467214 - lstrcmpA
0x467218 - WriteFile
0x46721c - WaitForSingleObject
0x467220 - VirtualQuery
0x467224 - VirtualProtectEx
0x467228 - VirtualFree
0x46722c - VirtualAlloc
0x467230 - SleepEx
0x467234 - Sleep
0x467238 - SizeofResource
0x46723c - SetThreadLocale
0x467240 - SetFilePointer
0x467244 - SetEvent
0x467248 - SetErrorMode
0x46724c - SetEndOfFile
0x467250 - ResetEvent
0x467254 - ReadFile
0x467258 - MulDiv
0x46725c - LockResource
0x467260 - LoadResource
0x467264 - LoadLibraryA
0x467268 - LeaveCriticalSection
0x46726c - InitializeCriticalSection
0x467270 - GlobalUnlock
0x467274 - GlobalReAlloc
0x467278 - GlobalHandle
0x46727c - GlobalLock
0x467280 - GlobalFree
0x467284 - GlobalFindAtomA
0x467288 - GlobalDeleteAtom
0x46728c - GlobalAlloc
0x467290 - GlobalAddAtomA
0x467294 - GetVersionExA
0x467298 - GetVersion
0x46729c - GetTickCount
0x4672a0 - GetThreadLocale
0x4672a4 - GetTempPathA
0x4672a8 - GetSystemInfo
0x4672ac - GetStringTypeExA
0x4672b0 - GetStdHandle
0x4672b4 - GetProcAddress
0x4672b8 - GetModuleHandleA
0x4672bc - GetModuleFileNameA
0x4672c0 - GetLocaleInfoA
0x4672c4 - GetLocalTime
0x4672c8 - GetLastError
0x4672cc - GetFullPathNameA
0x4672d0 - GetFileSize
0x4672d4 - GetDiskFreeSpaceA
0x4672d8 - GetDateFormatA
0x4672dc - GetCurrentThreadId
0x4672e0 - GetCurrentProcessId
0x4672e4 - GetCPInfo
0x4672e8 - GetACP
0x4672ec - FreeResource
0x4672f0 - InterlockedExchange
0x4672f4 - FreeLibrary
0x4672f8 - FormatMessageA
0x4672fc - FindResourceA
0x467300 - EnumCalendarInfoA
0x467304 - EnterCriticalSection
0x467308 - DeleteCriticalSection
0x46730c - CreateThread
0x467310 - CreateFileA
0x467314 - CreateEventA
0x467318 - CompareStringA
0x46731c - CloseHandle
Library KERNEL32.DLL:
0x46712c - DeleteCriticalSection
0x467130 - LeaveCriticalSection
0x467134 - EnterCriticalSection
0x467138 - InitializeCriticalSection
0x46713c - VirtualFree
0x467140 - VirtualAlloc
0x467144 - LocalFree
0x467148 - LocalAlloc
0x46714c - GetVersion
0x467150 - GetCurrentThreadId
0x467154 - InterlockedDecrement
0x467158 - InterlockedIncrement
0x46715c - VirtualQuery
0x467160 - WideCharToMultiByte
0x467164 - MultiByteToWideChar
0x467168 - lstrlenA
0x46716c - lstrcpynA
0x467170 - LoadLibraryExA
0x467174 - GetThreadLocale
0x467178 - GetStartupInfoA
0x46717c - GetProcAddress
0x467180 - GetModuleHandleA
0x467184 - GetModuleFileNameA
0x467188 - GetLocaleInfoA
0x46718c - GetCommandLineA
0x467190 - FreeLibrary
0x467194 - FindFirstFileA
0x467198 - FindClose
0x46719c - ExitProcess
0x4671a0 - WriteFile
0x4671a4 - UnhandledExceptionFilter
0x4671a8 - RtlUnwind
0x4671ac - RaiseException
0x4671b0 - GetStdHandle
Library advapi32.dll:
0x467200 - RegQueryValueExA
0x467204 - RegOpenKeyExA
0x467208 - RegCloseKey
Library advapi32.dll:
0x4671cc - RegQueryValueExA
0x4671d0 - RegOpenKeyExA
0x4671d4 - RegCloseKey
Library comctl32.dll:
0x4676c8 - ImageList_SetIconSize
0x4676cc - ImageList_GetIconSize
0x4676d0 - ImageList_Write
0x4676d4 - ImageList_Read
0x4676d8 - ImageList_GetDragImage
0x4676dc - ImageList_DragShowNolock
0x4676e0 - ImageList_SetDragCursorImage
0x4676e4 - ImageList_DragMove
0x4676e8 - ImageList_DragLeave
0x4676ec - ImageList_DragEnter
0x4676f0 - ImageList_EndDrag
0x4676f4 - ImageList_BeginDrag
0x4676f8 - ImageList_Remove
0x4676fc - ImageList_DrawEx
0x467700 - ImageList_Draw
0x467704 - ImageList_GetBkColor
0x467708 - ImageList_SetBkColor
0x46770c - ImageList_ReplaceIcon
0x467710 - ImageList_Add
0x467714 - ImageList_GetImageCount
0x467718 - ImageList_Destroy
0x46771c - ImageList_Create
0x467720 - InitCommonControls
Library gdi32.dll:
0x467334 - UnrealizeObject
0x467338 - StretchBlt
0x46733c - SetWindowOrgEx
0x467340 - SetViewportOrgEx
0x467344 - SetTextColor
0x467348 - SetStretchBltMode
0x46734c - SetROP2
0x467350 - SetPixel
0x467354 - SetDIBColorTable
0x467358 - SetBrushOrgEx
0x46735c - SetBkMode
0x467360 - SetBkColor
0x467364 - SelectPalette
0x467368 - SelectObject
0x46736c - SelectClipRgn
0x467370 - SaveDC
0x467374 - RestoreDC
0x467378 - RectVisible
0x46737c - RealizePalette
0x467380 - PatBlt
0x467384 - MoveToEx
0x467388 - MaskBlt
0x46738c - LineTo
0x467390 - IntersectClipRect
0x467394 - GetWindowOrgEx
0x467398 - GetTextMetricsA
0x46739c - GetTextExtentPoint32A
0x4673a0 - GetSystemPaletteEntries
0x4673a4 - GetStockObject
0x4673a8 - GetPixel
0x4673ac - GetPaletteEntries
0x4673b0 - GetObjectA
0x4673b4 - GetDeviceCaps
0x4673b8 - GetDIBits
0x4673bc - GetDIBColorTable
0x4673c0 - GetDCOrgEx
0x4673c4 - GetCurrentPositionEx
0x4673c8 - GetClipBox
0x4673cc - GetBrushOrgEx
0x4673d0 - GetBitmapBits
0x4673d4 - ExcludeClipRect
0x4673d8 - DeleteObject
0x4673dc - DeleteDC
0x4673e0 - CreateSolidBrush
0x4673e4 - CreatePenIndirect
0x4673e8 - CreatePalette
0x4673ec - CreateHalftonePalette
0x4673f0 - CreateFontIndirectA
0x4673f4 - CreateDIBitmap
0x4673f8 - CreateDIBSection
0x4673fc - CreateCompatibleDC
0x467400 - CreateCompatibleBitmap
0x467404 - CreateBrushIndirect
0x467408 - CreateBitmap
0x46740c - BitBlt
Library ole32.dll:
0x4676b4 - CoTaskMemAlloc
0x4676b8 - CoCreateInstance
0x4676bc - CoUninitialize
0x4676c0 - CoInitialize
Library oleaut32.dll:
0x467690 - SafeArrayPtrOfIndex
0x467694 - SafeArrayGetUBound
0x467698 - SafeArrayGetLBound
0x46769c - SafeArrayCreate
0x4676a0 - VariantChangeType
0x4676a4 - VariantCopy
0x4676a8 - VariantClear
0x4676ac - VariantInit
Library oleaut32.dll:
0x4671dc - SysFreeString
0x4671e0 - SysReAllocStringLen
0x4671e4 - SysAllocStringLen
Library user32.dll:
0x467414 - CreateWindowExA
0x467418 - WindowFromPoint
0x46741c - WinHelpA
0x467420 - WaitMessage
0x467424 - UpdateWindow
0x467428 - UnregisterClassA
0x46742c - UnhookWindowsHookEx
0x467430 - TranslateMessage
0x467434 - TranslateMDISysAccel
0x467438 - TrackPopupMenu
0x46743c - SystemParametersInfoA
0x467440 - ShowWindow
0x467444 - ShowScrollBar
0x467448 - ShowOwnedPopups
0x46744c - ShowCursor
0x467450 - SetWindowsHookExA
0x467454 - SetWindowTextA
0x467458 - SetWindowPos
0x46745c - SetWindowPlacement
0x467460 - SetWindowLongA
0x467464 - SetTimer
0x467468 - SetScrollRange
0x46746c - SetScrollPos
0x467470 - SetScrollInfo
0x467474 - SetRect
0x467478 - SetPropA
0x46747c - SetParent
0x467480 - SetMenuItemInfoA
0x467484 - SetMenu
0x467488 - SetForegroundWindow
0x46748c - SetFocus
0x467490 - SetCursor
0x467494 - SetClassLongA
0x467498 - SetCapture
0x46749c - SetActiveWindow
0x4674a0 - SendMessageA
0x4674a4 - ScrollWindow
0x4674a8 - ScreenToClient
0x4674ac - RemovePropA
0x4674b0 - RemoveMenu
0x4674b4 - ReleaseDC
0x4674b8 - ReleaseCapture
0x4674bc - RegisterWindowMessageA
0x4674c0 - RegisterClipboardFormatA
0x4674c4 - RegisterClassA
0x4674c8 - RedrawWindow
0x4674cc - PtInRect
0x4674d0 - PostQuitMessage
0x4674d4 - PostMessageA
0x4674d8 - PeekMessageA
0x4674dc - OffsetRect
0x4674e0 - OemToCharA
0x4674e4 - MessageBoxA
0x4674e8 - MapWindowPoints
0x4674ec - MapVirtualKeyA
0x4674f0 - LoadStringA
0x4674f4 - LoadKeyboardLayoutA
0x4674f8 - LoadIconA
0x4674fc - LoadCursorA
0x467500 - LoadBitmapA
0x467504 - KillTimer
0x467508 - IsZoomed
0x46750c - IsWindowVisible
0x467510 - IsWindowEnabled
0x467514 - IsWindow
0x467518 - IsRectEmpty
0x46751c - IsIconic
0x467520 - IsDialogMessageA
0x467524 - IsChild
0x467528 - InvalidateRect
0x46752c - IntersectRect
0x467530 - InsertMenuItemA
0x467534 - InsertMenuA
0x467538 - InflateRect
0x46753c - GetWindowThreadProcessId
0x467540 - GetWindowTextA
0x467544 - GetWindowRect
0x467548 - GetWindowPlacement
0x46754c - GetWindowLongA
0x467550 - GetWindowDC
0x467554 - GetTopWindow
0x467558 - GetSystemMetrics
0x46755c - GetSystemMenu
0x467560 - GetSysColorBrush
0x467564 - GetSysColor
0x467568 - GetSubMenu
0x46756c - GetScrollRange
0x467570 - GetScrollPos
0x467574 - GetScrollInfo
0x467578 - GetPropA
0x46757c - GetParent
0x467580 - GetWindow
0x467584 - GetMenuStringA
0x467588 - GetMenuState
0x46758c - GetMenuItemInfoA
0x467590 - GetMenuItemID
0x467594 - GetMenuItemCount
0x467598 - GetMenu
0x46759c - GetLastActivePopup
0x4675a0 - GetKeyboardState
0x4675a4 - GetKeyboardLayoutList
0x4675a8 - GetKeyboardLayout
0x4675ac - GetKeyState
0x4675b0 - GetKeyNameTextA
0x4675b4 - GetInputState
0x4675b8 - GetIconInfo
0x4675bc - GetForegroundWindow
0x4675c0 - GetFocus
0x4675c4 - GetDesktopWindow
0x4675c8 - GetDCEx
0x4675cc - GetDC
0x4675d0 - GetCursorPos
0x4675d4 - GetCursor
0x4675d8 - GetClientRect
0x4675dc - GetClassNameA
0x4675e0 - GetClassInfoA
0x4675e4 - GetCapture
0x4675e8 - GetActiveWindow
0x4675ec - FrameRect
0x4675f0 - FindWindowA
0x4675f4 - FillRect
0x4675f8 - EqualRect
0x4675fc - EnumWindows
0x467600 - EnumThreadWindows
0x467604 - EndPaint
0x467608 - EnableWindow
0x46760c - EnableScrollBar
0x467610 - EnableMenuItem
0x467614 - DrawTextA
0x467618 - DrawMenuBar
0x46761c - DrawIconEx
0x467620 - DrawIcon
0x467624 - DrawFrameControl
0x467628 - DrawEdge
0x46762c - DispatchMessageA
0x467630 - DestroyWindow
0x467634 - DestroyMenu
0x467638 - DestroyIcon
0x46763c - DestroyCursor
0x467640 - DeleteMenu
0x467644 - DefWindowProcA
0x467648 - DefMDIChildProcA
0x46764c - DefFrameProcA
0x467650 - CreatePopupMenu
0x467654 - CreateMenu
0x467658 - CreateIcon
0x46765c - ClientToScreen
0x467660 - CheckMenuItem
0x467664 - CallWindowProcA
0x467668 - CallNextHookEx
0x46766c - BeginPaint
0x467670 - CharNextA
0x467674 - CharLowerA
0x467678 - CharToOemA
0x46767c - AdjustWindowRectEx
0x467680 - ActivateKeyboardLayout
Library user32.dll:
0x4671b8 - GetKeyboardType
0x4671bc - LoadStringA
0x4671c0 - MessageBoxA
0x4671c4 - CharNextA
Library version.dll:
0x467324 - VerQueryValueA
0x467328 - GetFileVersionInfoSizeA
0x46732c - GetFileVersionInfoA

Dropped files

No information

Behavioral analysis

Mutexes No information
Executed commands No information
Created services No information
Started services No information

Processes

PO.exe PID: 2708, parent PID: 2332

Files accessed
  • C:\Users\test\AppData\Local\Temp\PO.exe
  • C:\Users
  • C:\Users\test
  • C:\Users\test\AppData
  • C:\Users\test\AppData\Local
  • C:\Users\test\AppData\Local\Temp
  • C:\Users\test\AppData\Local\Temp\PO.CHS
  • C:\Users\test\AppData\Local\Temp\PO.CHS.DLL
  • C:\Users\test\AppData\Local\Temp\PO.CH
  • C:\Users\test\AppData\Local\Temp\PO.CH.DLL
  • C:\Windows\Globalization\Sorting\sortdefault.nls
Files read
  • C:\Windows\Globalization\Sorting\sortdefault.nls
Files modified No information
Files deleted No information
Registry keys
  • HKEY_CURRENT_USER\Software\Borland\Locales
  • HKEY_CURRENT_USER\Software\Borland\Locales\C:\Users\test\AppData\Local\Temp\PO.exe
  • HKEY_CURRENT_USER\Software\Borland\Locales\(Default)
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\WMR
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08040804
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\E0200804
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Keyboard Layouts\E0200804\layout text
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\E0210804
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Keyboard Layouts\E0210804\layout text
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04090409
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
Registry keys read
  • HKEY_CURRENT_USER\Software\Borland\Locales\C:\Users\test\AppData\Local\Temp\PO.exe
  • HKEY_CURRENT_USER\Software\Borland\Locales\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Keyboard Layouts\E0200804\layout text
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Keyboard Layouts\E0210804\layout text
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
Registry keys modified No information
Registry keys deleted No information
Resolved APIs
  • kernel32.dll.GetLongPathNameA
  • kernel32.dll.GetDiskFreeSpaceExA
  • oleaut32.dll.VariantChangeTypeEx
  • oleaut32.dll.VarNeg
  • oleaut32.dll.VarNot
  • oleaut32.dll.VarAdd
  • oleaut32.dll.VarSub
  • oleaut32.dll.VarMul
  • oleaut32.dll.VarDiv
  • oleaut32.dll.VarIdiv
  • oleaut32.dll.VarMod
  • oleaut32.dll.VarAnd
  • oleaut32.dll.VarOr
  • oleaut32.dll.VarXor
  • oleaut32.dll.VarCmp
  • oleaut32.dll.VarI4FromStr
  • oleaut32.dll.VarR4FromStr
  • oleaut32.dll.VarR8FromStr
  • oleaut32.dll.VarDateFromStr
  • oleaut32.dll.VarCyFromStr
  • oleaut32.dll.VarBoolFromStr
  • oleaut32.dll.VarBstrFromCy
  • oleaut32.dll.VarBstrFromDate
  • oleaut32.dll.VarBstrFromBool
  • user32.dll.WINNLSEnableIME
  • imm32.dll.ImmGetContext
  • imm32.dll.ImmReleaseContext
  • imm32.dll.ImmGetConversionStatus
  • imm32.dll.ImmSetConversionStatus
  • imm32.dll.ImmSetOpenStatus
  • imm32.dll.ImmSetCompositionWindow
  • imm32.dll.ImmSetCompositionFontA
  • imm32.dll.ImmGetCompositionStringA
  • imm32.dll.ImmIsIME
  • imm32.dll.ImmNotifyIME
  • user32.dll.GetMonitorInfoA
  • user32.dll.GetSystemMetrics
  • user32.dll.EnumDisplayMonitors
  • kernel32.dll.SortGetHandle
  • kernel32.dll.SortCloseHandle
  • user32.dll.AnimateWindow
  • comctl32.dll.InitializeFlatSB
  • comctl32.dll.UninitializeFlatSB
  • comctl32.dll.FlatSB_GetScrollProp
  • comctl32.dll.FlatSB_SetScrollProp
  • comctl32.dll.FlatSB_EnableScrollBar
  • comctl32.dll.FlatSB_ShowScrollBar
  • comctl32.dll.FlatSB_GetScrollRange
  • comctl32.dll.FlatSB_GetScrollInfo
  • comctl32.dll.FlatSB_GetScrollPos
  • comctl32.dll.FlatSB_SetScrollPos
  • comctl32.dll.FlatSB_SetScrollInfo
  • comctl32.dll.FlatSB_SetScrollRange
  • user32.dll.SetLayeredWindowAttributes