魔盾安全分析报告

分析类型	开始时间	结束时间	持续时间	分析引擎版本
FILE	2020-02-19 10:46:25	2020-02-19 10:49:24	179 秒	1.4-Maldun

虚拟机机器名	标签	虚拟机管理	开机时间	关机时间
win7-sp1-x64-hpdapp01-2	win7-sp1-x64-hpdapp01-2	KVM	2020-02-19 10:46:43	2020-02-19 10:49:25

魔盾分数
3.15 可疑的

文件详细信息

文件名	Connect.exe
文件大小	3526656 字节
文件类型	PE32 executable (GUI) Intel 80386, for MS Windows
CRC32	121BCD74
MD5	08b818c14e0f7613695da7270009ac54
SHA1	1257cffea7183bf66536781328551ac58e49b412
SHA256	e80d09f69dbfcefa5fc784fda8e7a73e2c73d4d554d309eb3dec715715c56a8e
SHA512	329ed5549cef982b928b871190ab324dfeeda93f14262faec6df5d210143153104a4d9534ed23d32d5221994502360574af008dad8af0ee7656080b1c98ea7ab
Ssdeep	98304:xtDuSSugoQimxRco/4Tr2B2glIZ2sFLOAkGkzdnEVomFHKnPk:8ZoKxuGdlIZ2sFLOyomFHKnPk
PEiD	无匹配
Yara	DebuggerTiming__PerformanceCounter () DebuggerTiming__Ticks (Detected timing ticks function) Check_OutputDebugStringA_iat (Detect in IAT OutputDebugstringA) anti_dbg (Detected self protection if being debugged) screenshot (Detected take screenshot function) create_process (Detection function for creating a new process) keylogger (Detected keylogger function) win_registry (Detected system registries modification function) win_files_operation (Affect private profile) win_hook (Detected hook table access function) Maldun_Anomoly_Combined_Activities_7 (Spotted potential malicious behaviors from a small size target, like process manipultion, privilege, token and files) with_urls (Detected the presence of an or several urls) IsPE32 (Detected a 32bit PE sample) IsWindowsGUI (Detected a Windows GUI sample) HasDebugData (Detected Debug Data) HasRichSignature (Detected Rich Signature)
VirusTotal	VirusTotal链接 VirusTotal扫描时间: 2019-09-30 20:23:16 扫描结果: 0/68

特征

二进制文件可能包含加密或压缩数据

section: name: .rsrc, entropy: 7.61, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ, raw_size: 0x00151a00, virtual_size: 0x00151850

魔盾安全Yara规则检测结果 - 安全告警

Critical: Spotted potential malicious behaviors from a small size target, like process manipultion, privilege, token and files

运行截图

网络分析

无信息

静态分析

PE 信息

初始地址	0x00400000
入口地址	0x00528c74
声明校验值	0x00000000
实际校验值	0x0035d5ab
最低操作系统版本要求	5.1
PDB路径	D:\\xe7\xa8\x8b\xe5\xba\x8f\xe4\xbb\xa3\xe7\xa0\x81\\xe4\xb8\x80\xe5\x8f\xa5\xe8\xaf\x9d\xe5\x90\x8e\xe9\x97\xa8\Connect\Release\Connect.pdb
编译时间	2016-10-06 18:37:12
载入哈希	4327311590f944b66b3a99f6fbcc405d

版本信息

LegalCopyright:	TODO: (C) <\u516c\u53f8\u540d>\u3002\u4fdd\u7559\u6240\u6709\u6743\u5229\u3002
InternalName:	Connect.exe
FileVersion:	1.0.0.1
CompanyName:	TODO: <\u516c\u53f8\u540d>
ProductName:	TODO: <\u4ea7\u54c1\u540d>
ProductVersion:	1.0.0.1
FileDescription:	Connect
OriginalFilename:	Connect.exe
Translation:	0x0804 0x04b0

PE数据组成

名称	虚拟地址	虚拟大小	原始数据大小	特征	熵(Entropy)
.text	0x00001000	0x0015183c	0x00151a00	IMAGE_SCN_CNT_CODE\|IMAGE_SCN_MEM_EXECUTE\|IMAGE_SCN_MEM_READ	6.54
.rdata	0x00153000	0x0005142e	0x00051600	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ	4.99
.data	0x001a5000	0x0000de70	0x00006600	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ\|IMAGE_SCN_MEM_WRITE	4.79
.rsrc	0x001b3000	0x00151850	0x00151a00	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ	7.61
.reloc	0x00305000	0x00061be8	0x00061c00	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_DISCARDABLE\|IMAGE_SCN_MEM_READ	2.76

导入

库 KERNEL32.dll:

• 0x5531d4 - GetConsoleCP

• 0x5531d8 - GetConsoleMode

• 0x5531dc - ReadConsoleW

• 0x5531e0 - SetFilePointerEx

• 0x5531e4 - GetTimeZoneInformation

• 0x5531e8 - GetStringTypeW

• 0x5531ec - OutputDebugStringW

• 0x5531f0 - GetACP

• 0x5531f4 - LCMapStringW

• 0x5531f8 - WriteConsoleW

• 0x5531fc - SetEnvironmentVariableA

• 0x553200 - IsValidCodePage

• 0x553204 - GetCPInfo

• 0x553208 - GetOEMCP

• 0x55320c - TerminateProcess

• 0x553210 - SetUnhandledExceptionFilter

• 0x553214 - UnhandledExceptionFilter

• 0x553218 - FreeEnvironmentStringsW

• 0x55321c - GetEnvironmentStringsW

• 0x553220 - QueryPerformanceCounter

• 0x553224 - GetStartupInfoW

• 0x553228 - GetProcessHeap

• 0x55322c - GetStdHandle

• 0x553230 - GetSystemTimeAsFileTime

• 0x553234 - HeapQueryInformation

• 0x553238 - InterlockedDecrement

• 0x55323c - HeapSize

• 0x553240 - GetFileType

• 0x553244 - SetStdHandle

• 0x553248 - IsProcessorFeaturePresent

• 0x55324c - IsDebuggerPresent

• 0x553250 - ExitThread

• 0x553254 - CreateThread

• 0x553258 - HeapReAlloc

• 0x55325c - RaiseException

• 0x553260 - VirtualQuery

• 0x553264 - VirtualAlloc

• 0x553268 - GetSystemInfo

• 0x55326c - GetModuleHandleExW

• 0x553270 - ExitProcess

• 0x553274 - RtlUnwind

• 0x553278 - HeapAlloc

• 0x55327c - HeapFree

• 0x553280 - GetCommandLineW

• 0x553284 - FindResourceExW

• 0x553288 - GetWindowsDirectoryW

• 0x55328c - SearchPathW

• 0x553290 - GetProfileIntW

• 0x553294 - Sleep

• 0x553298 - VirtualProtect

• 0x55329c - GetTempPathW

• 0x5532a0 - GetTempFileNameW

• 0x5532a4 - GetTickCount

• 0x5532a8 - SetErrorMode

• 0x5532ac - GlobalGetAtomNameW

• 0x5532b0 - VerifyVersionInfoW

• 0x5532b4 - VerSetConditionMask

• 0x5532b8 - GetFileTime

• 0x5532bc - GetFileSizeEx

• 0x5532c0 - GetFileAttributesExW

• 0x5532c4 - FileTimeToLocalFileTime

• 0x5532c8 - lstrcmpiW

• 0x5532cc - GetCurrentProcess

• 0x5532d0 - DuplicateHandle

• 0x5532d4 - WriteFile

• 0x5532d8 - UnlockFile

• 0x5532dc - SetFilePointer

• 0x5532e0 - SetEndOfFile

• 0x5532e4 - ReadFile

• 0x5532e8 - LockFile

• 0x5532ec - GetVolumeInformationW

• 0x5532f0 - GetFullPathNameW

• 0x5532f4 - GetFileSize

• 0x5532f8 - FlushFileBuffers

• 0x5532fc - FindFirstFileW

• 0x553300 - FindClose

• 0x553304 - CreateFileW

• 0x553308 - DeleteFileW

• 0x55330c - GlobalFlags

• 0x553310 - GetUserDefaultUILanguage

• 0x553314 - GetSystemDefaultUILanguage

• 0x553318 - GetLocaleInfoW

• 0x55331c - CompareStringW

• 0x553320 - GetCurrentDirectoryW

• 0x553324 - InterlockedIncrement

• 0x553328 - LocalReAlloc

• 0x55332c - LocalAlloc

• 0x553330 - GlobalHandle

• 0x553334 - GlobalReAlloc

• 0x553338 - TlsFree

• 0x55333c - TlsSetValue

• 0x553340 - TlsGetValue

• 0x553344 - TlsAlloc

• 0x553348 - GetThreadLocale

• 0x55334c - FileTimeToSystemTime

• 0x553350 - GlobalFindAtomW

• 0x553354 - GetSystemDirectoryW

• 0x553358 - EnterCriticalSection

• 0x55335c - DecodePointer

• 0x553360 - EncodePointer

• 0x553364 - GlobalAddAtomW

• 0x553368 - ResumeThread

• 0x55336c - SuspendThread

• 0x553370 - SetThreadPriority

• 0x553374 - CreateEventW

• 0x553378 - WaitForSingleObject

• 0x55337c - SetEvent

• 0x553380 - CloseHandle

• 0x553384 - CopyFileW

• 0x553388 - FormatMessageW

• 0x55338c - MulDiv

• 0x553390 - LocalFree

• 0x553394 - GlobalSize

• 0x553398 - WritePrivateProfileStringW

• 0x55339c - GetPrivateProfileStringW

• 0x5533a0 - GetPrivateProfileIntW

• 0x5533a4 - LoadLibraryW

• 0x5533a8 - LoadLibraryA

• 0x5533ac - GetProcAddress

• 0x5533b0 - GetModuleHandleW

• 0x5533b4 - GetModuleHandleA

• 0x5533b8 - GetVersion

• 0x5533bc - GetLastError

• 0x5533c0 - OutputDebugStringA

• 0x5533c4 - GetFileAttributesW

• 0x5533c8 - lstrcpyW

• 0x5533cc - GlobalFree

• 0x5533d0 - FreeResource

• 0x5533d4 - GetCurrentProcessId

• 0x5533d8 - SetLastError

• 0x5533dc - WideCharToMultiByte

• 0x5533e0 - lstrcmpW

• 0x5533e4 - lstrcmpA

• 0x5533e8 - GlobalDeleteAtom

• 0x5533ec - LoadLibraryExW

• 0x5533f0 - GetModuleFileNameW

• 0x5533f4 - FreeLibrary

• 0x5533f8 - GetVersionExW

• 0x5533fc - GetCurrentThreadId

• 0x553400 - GetCurrentThread

• 0x553404 - InterlockedExchange

• 0x553408 - InitializeCriticalSectionAndSpinCount

• 0x55340c - GlobalUnlock

• 0x553410 - GlobalLock

• 0x553414 - GlobalAlloc

• 0x553418 - DeleteCriticalSection

• 0x55341c - InitializeCriticalSection

• 0x553420 - LeaveCriticalSection

• 0x553424 - MultiByteToWideChar

• 0x553428 - FindResourceW

• 0x55342c - LoadResource

• 0x553430 - LockResource

• 0x553434 - SizeofResource

• 0x553438 - TryEnterCriticalSection

库 USER32.dll:

• 0x5534e0 - CreateAcceleratorTableW

• 0x5534e4 - GetKeyboardState

• 0x5534e8 - GetKeyboardLayout

• 0x5534ec - ToUnicodeEx

• 0x5534f0 - RegisterClipboardFormatW

• 0x5534f4 - ReuseDDElParam

• 0x5534f8 - UnpackDDElParam

• 0x5534fc - InsertMenuItemW

• 0x553500 - TranslateAcceleratorW

• 0x553504 - LoadAcceleratorsW

• 0x553508 - UnregisterClassW

• 0x55350c - UpdateLayeredWindow

• 0x553510 - GetUpdateRect

• 0x553514 - SetClassLongW

• 0x553518 - DestroyAcceleratorTable

• 0x55351c - ModifyMenuW

• 0x553520 - IsMenu

• 0x553524 - SetMenuDefaultItem

• 0x553528 - GetMenuDefaultItem

• 0x55352c - CopyIcon

• 0x553530 - GetIconInfo

• 0x553534 - GetDoubleClickTime

• 0x553538 - EnableScrollBar

• 0x55353c - LockWindowUpdate

• 0x553540 - CreatePopupMenu

• 0x553544 - BringWindowToTop

• 0x553548 - UnionRect

• 0x55354c - SetCursorPos

• 0x553550 - NotifyWinEvent

• 0x553554 - GetSystemMenu

• 0x553558 - GetAsyncKeyState

• 0x55355c - IsZoomed

• 0x553560 - TrackMouseEvent

• 0x553564 - LoadImageW

• 0x553568 - DestroyIcon

• 0x55356c - MonitorFromPoint

• 0x553570 - SetParent

• 0x553574 - EnumDisplayMonitors

• 0x553578 - SetRectEmpty

• 0x55357c - SetLayeredWindowAttributes

• 0x553580 - MessageBeep

• 0x553584 - GetNextDlgGroupItem

• 0x553588 - IntersectRect

• 0x55358c - SetRect

• 0x553590 - InvalidateRgn

• 0x553594 - CopyAcceleratorTableW

• 0x553598 - CharNextW

• 0x55359c - CharUpperW

• 0x5535a0 - RealChildWindowFromPoint

• 0x5535a4 - DeleteMenu

• 0x5535a8 - CopyImage

• 0x5535ac - LoadCursorW

• 0x5535b0 - WindowFromPoint

• 0x5535b4 - ReleaseCapture

• 0x5535b8 - SetCapture

• 0x5535bc - SystemParametersInfoW

• 0x5535c0 - GetMenuItemInfoW

• 0x5535c4 - DestroyMenu

• 0x5535c8 - SendDlgItemMessageA

• 0x5535cc - IsDialogMessageW

• 0x5535d0 - SetWindowTextW

• 0x5535d4 - CheckDlgButton

• 0x5535d8 - SetDlgItemTextW

• 0x5535dc - GetDlgItemInt

• 0x5535e0 - MoveWindow

• 0x5535e4 - ShowWindow

• 0x5535e8 - GetMonitorInfoW

• 0x5535ec - MonitorFromWindow

• 0x5535f0 - WinHelpW

• 0x5535f4 - GetScrollInfo

• 0x5535f8 - SetScrollInfo

• 0x5535fc - GetTopWindow

• 0x553600 - GetClassLongW

• 0x553604 - SetWindowLongW

• 0x553608 - AdjustWindowRectEx

• 0x55360c - GetWindowTextLengthW

• 0x553610 - GetWindowTextW

• 0x553614 - RemovePropW

• 0x553618 - GetPropW

• 0x55361c - SetPropW

• 0x553620 - ShowScrollBar

• 0x553624 - GetScrollRange

• 0x553628 - SetScrollRange

• 0x55362c - GetScrollPos

• 0x553630 - SetScrollPos

• 0x553634 - ScrollWindow

• 0x553638 - SetForegroundWindow

• 0x55363c - GetForegroundWindow

• 0x553640 - TrackPopupMenu

• 0x553644 - SetMenu

• 0x553648 - GetMenu

• 0x55364c - GetCapture

• 0x553650 - SetFocus

• 0x553654 - GetDlgCtrlID

• 0x553658 - EndDeferWindowPos

• 0x55365c - DeferWindowPos

• 0x553660 - BeginDeferWindowPos

• 0x553664 - SetWindowPlacement

• 0x553668 - GetWindowPlacement

• 0x55366c - IsChild

• 0x553670 - CreateWindowExW

• 0x553674 - GetClassInfoExW

• 0x553678 - GetClassInfoW

• 0x55367c - RegisterClassW

• 0x553680 - CallWindowProcW

• 0x553684 - DefWindowProcW

• 0x553688 - GetMessageTime

• 0x55368c - GetMessagePos

• 0x553690 - GetClassNameW

• 0x553694 - InvalidateRect

• 0x553698 - UpdateWindow

• 0x55369c - SetCursor

• 0x5536a0 - ShowOwnedPopups

• 0x5536a4 - ValidateRect

• 0x5536a8 - GetKeyState

• 0x5536ac - TranslateMessage

• 0x5536b0 - GetMessageW

• 0x5536b4 - LoadBitmapW

• 0x5536b8 - SetMenuItemInfoW

• 0x5536bc - GetMenuCheckMarkDimensions

• 0x5536c0 - SetMenuItemBitmaps

• 0x5536c4 - EnableMenuItem

• 0x5536c8 - CheckMenuItem

• 0x5536cc - CallNextHookEx

• 0x5536d0 - UnhookWindowsHookEx

• 0x5536d4 - SetWindowsHookExW

• 0x5536d8 - PtInRect

• 0x5536dc - ScreenToClient

• 0x5536e0 - ClientToScreen

• 0x5536e4 - EndPaint

• 0x5536e8 - BeginPaint

• 0x5536ec - GetWindowDC

• 0x5536f0 - TabbedTextOutW

• 0x5536f4 - GrayStringW

• 0x5536f8 - EnableWindow

• 0x5536fc - LoadIconW

• 0x553700 - SendMessageW

• 0x553704 - IsIconic

• 0x553708 - GetSystemMetrics

• 0x55370c - DrawTextExW

• 0x553710 - DrawTextW

• 0x553714 - RemoveMenu

• 0x553718 - AppendMenuW

• 0x55371c - InsertMenuW

• 0x553720 - GetMenuItemCount

• 0x553724 - GetMenuItemID

• 0x553728 - GetMenuState

• 0x55372c - GetMenuStringW

• 0x553730 - CopyRect

• 0x553734 - ReleaseDC

• 0x553738 - GetDC

• 0x55373c - MapVirtualKeyW

• 0x553740 - GetKeyNameTextW

• 0x553744 - GetDesktopWindow

• 0x553748 - GetWindowRgn

• 0x55374c - DestroyCursor

• 0x553750 - CreateMenu

• 0x553754 - InvertRect

• 0x553758 - HideCaret

• 0x55375c - GetComboBoxInfo

• 0x553760 - SubtractRect

• 0x553764 - DefMDIChildProcW

• 0x553768 - DefFrameProcW

• 0x55376c - SetActiveWindow

• 0x553770 - GetActiveWindow

• 0x553774 - DrawMenuBar

• 0x553778 - MapVirtualKeyExW

• 0x55377c - IsCharLowerW

• 0x553780 - CharUpperBuffW

• 0x553784 - PostThreadMessageW

• 0x553788 - IsClipboardFormatAvailable

• 0x55378c - FrameRect

• 0x553790 - EqualRect

• 0x553794 - GetClientRect

• 0x553798 - DrawIcon

• 0x55379c - LoadMenuW

• 0x5537a0 - GetSubMenu

• 0x5537a4 - GetCursorPos

• 0x5537a8 - OpenClipboard

• 0x5537ac - EmptyClipboard

• 0x5537b0 - CloseClipboard

• 0x5537b4 - SetClipboardData

• 0x5537b8 - PostMessageW

• 0x5537bc - PostQuitMessage

• 0x5537c0 - DispatchMessageW

• 0x5537c4 - PeekMessageW

• 0x5537c8 - WaitMessage

• 0x5537cc - SetTimer

• 0x5537d0 - KillTimer

• 0x5537d4 - IsWindowEnabled

• 0x5537d8 - MessageBoxW

• 0x5537dc - GetWindowLongW

• 0x5537e0 - GetParent

• 0x5537e4 - GetWindowThreadProcessId

• 0x5537e8 - GetLastActivePopup

• 0x5537ec - SetWindowPos

• 0x5537f0 - SetWindowContextHelpId

• 0x5537f4 - GetWindow

• 0x5537f8 - MapDialogRect

• 0x5537fc - RegisterWindowMessageW

• 0x553800 - DrawEdge

• 0x553804 - DrawFrameControl

• 0x553808 - IsWindowVisible

• 0x55380c - GetFocus

• 0x553810 - DrawStateW

• 0x553814 - SetWindowRgn

• 0x553818 - RedrawWindow

• 0x55381c - GetWindowRect

• 0x553820 - MapWindowPoints

• 0x553824 - GetSysColor

• 0x553828 - GetSysColorBrush

• 0x55382c - DrawFocusRect

• 0x553830 - FillRect

• 0x553834 - InflateRect

• 0x553838 - OffsetRect

• 0x55383c - IsRectEmpty

• 0x553840 - DrawIconEx

• 0x553844 - IsWindow

• 0x553848 - DestroyWindow

• 0x55384c - CreateDialogIndirectParamW

• 0x553850 - EndDialog

• 0x553854 - GetDlgItem

• 0x553858 - GetNextDlgTabItem

• 0x55385c - TranslateMDISysAccel

库 GDI32.dll:

• 0x553038 - GetObjectW

• 0x55303c - MoveToEx

• 0x553040 - TextOutW

• 0x553044 - SetViewportExtEx

• 0x553048 - SetViewportOrgEx

• 0x55304c - SetWindowExtEx

• 0x553050 - SetWindowOrgEx

• 0x553054 - OffsetViewportOrgEx

• 0x553058 - OffsetWindowOrgEx

• 0x55305c - ScaleViewportExtEx

• 0x553060 - ScaleWindowExtEx

• 0x553064 - CreateFontIndirectW

• 0x553068 - GetRgnBox

• 0x55306c - GetMapMode

• 0x553070 - SetRectRgn

• 0x553074 - DPtoLP

• 0x553078 - CreateCompatibleBitmap

• 0x55307c - CreateDIBitmap

• 0x553080 - EnumFontFamiliesW

• 0x553084 - GetTextCharsetInfo

• 0x553088 - RealizePalette

• 0x55308c - SetPixel

• 0x553090 - StretchBlt

• 0x553094 - CreateDIBSection

• 0x553098 - SetDIBColorTable

• 0x55309c - CreateRoundRectRgn

• 0x5530a0 - Rectangle

• 0x5530a4 - OffsetRgn

• 0x5530a8 - RoundRect

• 0x5530ac - GetPaletteEntries

• 0x5530b0 - GetNearestPaletteIndex

• 0x5530b4 - GetSystemPaletteEntries

• 0x5530b8 - EnumFontFamiliesExW

• 0x5530bc - ExtFloodFill

• 0x5530c0 - SetPaletteEntries

• 0x5530c4 - FillRgn

• 0x5530c8 - FrameRgn

• 0x5530cc - GetBoundsRect

• 0x5530d0 - PtInRegion

• 0x5530d4 - GetViewportOrgEx

• 0x5530d8 - LPtoDP

• 0x5530dc - GetWindowOrgEx

• 0x5530e0 - SetPixelV

• 0x5530e4 - GetTextFaceW

• 0x5530e8 - SetBkMode

• 0x5530ec - SetBkColor

• 0x5530f0 - SetTextAlign

• 0x5530f4 - SetTextColor

• 0x5530f8 - SetROP2

• 0x5530fc - SetPolyFillMode

• 0x553100 - GetLayout

• 0x553104 - SetLayout

• 0x553108 - SetMapMode

• 0x55310c - CreatePalette

• 0x553110 - CombineRgn

• 0x553114 - SelectPalette

• 0x553118 - SelectObject

• 0x55311c - ExtSelectClipRgn

• 0x553120 - SelectClipRgn

• 0x553124 - SaveDC

• 0x553128 - RestoreDC

• 0x55312c - RectVisible

• 0x553130 - PtVisible

• 0x553134 - LineTo

• 0x553138 - IntersectClipRect

• 0x55313c - GetWindowExtEx

• 0x553140 - GetViewportExtEx

• 0x553144 - GetStockObject

• 0x553148 - GetPixel

• 0x55314c - GetObjectType

• 0x553150 - GetClipBox

• 0x553154 - ExcludeClipRect

• 0x553158 - Escape

• 0x55315c - DeleteObject

• 0x553160 - DeleteDC

• 0x553164 - CreatePatternBrush

• 0x553168 - CreatePen

• 0x55316c - CreateCompatibleDC

• 0x553170 - CreateBitmap

• 0x553174 - BitBlt

• 0x553178 - GetDeviceCaps

• 0x55317c - CreateDCW

• 0x553180 - CopyMetaFileW

• 0x553184 - GetTextMetricsW

• 0x553188 - Polyline

• 0x55318c - Polygon

• 0x553190 - CreatePolygonRgn

• 0x553194 - ExtTextOutW

• 0x553198 - PatBlt

• 0x55319c - GetTextExtentPoint32W

• 0x5531a0 - GetTextColor

• 0x5531a4 - GetBkColor

• 0x5531a8 - Ellipse

• 0x5531ac - CreateSolidBrush

• 0x5531b0 - CreateRectRgnIndirect

• 0x5531b4 - CreateRectRgn

• 0x5531b8 - CreateHatchBrush

• 0x5531bc - CreateEllipticRgn

库 MSIMG32.dll:

• 0x553440 - TransparentBlt

• 0x553444 - AlphaBlend

库 WINSPOOL.DRV:

• 0x5538a0 - DocumentPropertiesW

• 0x5538a4 - OpenPrinterW

• 0x5538a8 - ClosePrinter

库 ADVAPI32.dll:

• 0x553000 - RegEnumKeyExW

• 0x553004 - RegEnumValueW

• 0x553008 - RegQueryValueW

• 0x55300c - RegEnumKeyW

• 0x553010 - RegCloseKey

• 0x553014 - RegSetValueExW

• 0x553018 - RegDeleteValueW

• 0x55301c - RegDeleteKeyW

• 0x553020 - RegCreateKeyExW

• 0x553024 - RegQueryValueExW

• 0x553028 - RegOpenKeyExW

库 SHELL32.dll:

• 0x553498 - DragFinish

• 0x55349c - SHGetPathFromIDListW

• 0x5534a0 - SHGetSpecialFolderLocation

• 0x5534a4 - SHBrowseForFolderW

• 0x5534a8 - SHGetDesktopFolder

• 0x5534ac - SHGetFileInfoW

• 0x5534b0 - ShellExecuteW

• 0x5534b4 - SHGetMalloc

• 0x5534b8 - DragQueryFileW

• 0x5534bc - SHAppBarMessage

库 COMCTL32.dll:

• 0x553030 - InitCommonControlsEx

库 SHLWAPI.dll:

• 0x5534c4 - PathFindFileNameW

• 0x5534c8 - PathIsUNCW

• 0x5534cc - PathStripToRootW

• 0x5534d0 - StrFormatKBSizeW

• 0x5534d4 - PathRemoveFileSpecW

• 0x5534d8 - PathFindExtensionW

库 UxTheme.dll:

• 0x553864 - GetWindowTheme

• 0x553868 - GetThemeSysColor

• 0x55386c - IsThemeBackgroundPartiallyTransparent

• 0x553870 - GetThemePartSize

• 0x553874 - OpenThemeData

• 0x553878 - CloseThemeData

• 0x55387c - DrawThemeBackground

• 0x553880 - GetThemeColor

• 0x553884 - GetCurrentThemeName

• 0x553888 - IsAppThemed

• 0x55388c - DrawThemeText

• 0x553890 - DrawThemeParentBackground

库 ole32.dll:

• 0x553930 - CLSIDFromProgID

• 0x553934 - CLSIDFromString

• 0x553938 - CoCreateGuid

• 0x55393c - CoCreateInstance

• 0x553940 - CoUninitialize

• 0x553944 - CoInitialize

• 0x553948 - IsAccelerator

• 0x55394c - OleTranslateAccelerator

• 0x553950 - OleDestroyMenuDescriptor

• 0x553954 - CoTaskMemAlloc

• 0x553958 - CoTaskMemFree

• 0x55395c - OleFlushClipboard

• 0x553960 - OleDuplicateData

• 0x553964 - ReleaseStgMedium

• 0x553968 - CoInitializeEx

• 0x55396c - CoGetClassObject

• 0x553970 - StgCreateDocfileOnILockBytes

• 0x553974 - StgOpenStorageOnILockBytes

• 0x553978 - CreateILockBytesOnHGlobal

• 0x55397c - CreateStreamOnHGlobal

• 0x553980 - CoFreeUnusedLibraries

• 0x553984 - OleInitialize

• 0x553988 - OleUninitialize

• 0x55398c - OleIsCurrentClipboard

• 0x553990 - DoDragDrop

• 0x553994 - OleGetClipboard

• 0x553998 - CoLockObjectExternal

• 0x55399c - OleCreateMenuDescriptor

• 0x5539a0 - CoRegisterMessageFilter

• 0x5539a4 - CoRevokeClassObject

• 0x5539a8 - OleLockRunning

• 0x5539ac - RevokeDragDrop

• 0x5539b0 - OleRun

• 0x5539b4 - RegisterDragDrop

库 OLEAUT32.dll:

• 0x55345c - SysAllocString

• 0x553460 - SysAllocStringLen

• 0x553464 - VariantChangeType

• 0x553468 - SysStringLen

• 0x55346c - SystemTimeToVariantTime

• 0x553470 - VariantTimeToSystemTime

• 0x553474 - SafeArrayDestroy

• 0x553478 - VariantClear

• 0x55347c - OleCreateFontIndirect

• 0x553480 - VariantCopy

• 0x553484 - VariantInit

• 0x553488 - SysFreeString

• 0x55348c - GetErrorInfo

• 0x553490 - VarBstrFromDate

库 oledlg.dll:

• 0x5539bc - OleUIBusyW

库 gdiplus.dll:

• 0x5538d4 - GdipCloneImage

• 0x5538d8 - GdipDrawImageRectI

• 0x5538dc - GdipSetInterpolationMode

• 0x5538e0 - GdipCreateFromHDC

• 0x5538e4 - GdipCreateBitmapFromHBITMAP

• 0x5538e8 - GdipDrawImageI

• 0x5538ec - GdipDeleteGraphics

• 0x5538f0 - GdipBitmapUnlockBits

• 0x5538f4 - GdipBitmapLockBits

• 0x5538f8 - GdipCreateBitmapFromScan0

• 0x5538fc - GdipCreateBitmapFromStream

• 0x553900 - GdipGetImagePaletteSize

• 0x553904 - GdipGetImagePalette

• 0x553908 - GdipGetImagePixelFormat

• 0x55390c - GdipGetImageHeight

• 0x553910 - GdipGetImageWidth

• 0x553914 - GdipGetImageGraphicsContext

• 0x553918 - GdipDisposeImage

• 0x55391c - GdiplusShutdown

• 0x553920 - GdiplusStartup

• 0x553924 - GdipFree

• 0x553928 - GdipAlloc

库 WS2_32.dll:

• 0x5538b0 - WSASetLastError

• 0x5538b4 - WSACleanup

• 0x5538b8 - WSAStartup

• 0x5538bc - closesocket

• 0x5538c0 - sendto

• 0x5538c4 - inet_addr

• 0x5538c8 - htons

• 0x5538cc - socket

库 OLEACC.dll:

• 0x55344c - CreateStdAccessibleObject

• 0x553450 - AccessibleObjectFromWindow

• 0x553454 - LresultFromObject

库 IMM32.dll:

• 0x5531c4 - ImmGetContext

• 0x5531c8 - ImmGetOpenStatus

• 0x5531cc - ImmReleaseContext

库 WINMM.dll:

• 0x553898 - PlaySoundW

投放文件

无信息

行为分析

互斥量(Mutexes)

Local\MSCTF.Asm.MutexDefault1

执行的命令 无信息

创建的服务 无信息

启动的服务 无信息

进程

Connect.exe PID: 2736, 上一级进程 PID: 2320

访问的文件

C:\Users\test\AppData\Local\Temp\ConnectCHS.dll
C:\Users\test\AppData\Local\Temp\ConnectCHS.dll.DLL
C:\Users\test\AppData\Local\Temp\ConnectENU.dll
C:\Users\test\AppData\Local\Temp\ConnectENU.dll.DLL
C:\Users\test\AppData\Local\Temp\ConnectLOC.dll
C:\Users\test\AppData\Local\Temp\ConnectLOC.dll.DLL
C:\Users\test\AppData\Local\Temp\Connect.exe.3.Manifest
C:\Windows\Fonts\staticcache.dat

读取的文件

C:\Users\test\AppData\Local\Temp\Connect.exe.3.Manifest
C:\Windows\Fonts\staticcache.dat

修改的文件 无信息

删除的文件 无信息

注册表键

HKEY_CURRENT_USER
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\DragMinDist
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\DragDelay
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoNetConnectDisconnect
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRecentDocsHistory
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoClose
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Network
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Comdlg32
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\zh-Hans
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\ExtendedLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\zh-Hans
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\zh
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\zh
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
HKEY_CURRENT_USER\Control Panel\Desktop
HKEY_CURRENT_USER\Control Panel\Desktop\SmoothScroll
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\EnableBalloonTips
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ListviewAlphaSelect
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ListviewShadow
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\AccListViewV6
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\UseDoubleClickTimer
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\FontSubstitutes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\\xe5\xae\x8b\xe4\xbd\x93
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\MS Shell Dlg 2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\Connect.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{03B5835F-F03C-411B-9CE2-AA23E1171E36}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{07EB03D6-B001-41DF-9192-BF9B841EE71F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3697C5FA-60DD-4B56-92D4-74A569205C16}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3FC47A08-E5C9-4BCA-A2C7-BC9A282AED14}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{531FDEBF-9B4C-4A43-A2AA-960E8FCDC732}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{78CB5B0E-26ED-4FCC-854C-77E8F3D1AA80}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{81D4E9C9-1D3B-41BC-9E6C-4B40BF79E35E}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{8613E14C-D0C0-4161-AC0F-1DD2563286BC}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{A028AE76-01B1-46C2-99C4-ACD9858AE02F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{AE6BE008-07FB-400D-8BEB-337A64F7051F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{C1EE01F2-B3B6-4A6A-9DDD-E988C088EC82}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{E429B25A-E5D3-4D1F-9BE3-0C608477E3A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F25E9F57-2FC8-4EB3-A41A-CCE5F08541E6}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F89E9E58-BD2F-4008-9AC2-0F816C09F4EE}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_CURRENT_USER\Keyboard Layout\Toggle
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\WMR
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_CURRENT_USER\Software\Microsoft\CTF\DirectSwitchHotkeys
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\KnownClasses
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane16
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\MS Shell Dlg 2

读取的注册表键

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\DragMinDist
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\DragDelay
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoNetConnectDisconnect
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRecentDocsHistory
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoClose
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\zh-Hans
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\zh-Hans
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\zh
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\zh
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
HKEY_CURRENT_USER\Control Panel\Desktop\SmoothScroll
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\EnableBalloonTips
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ListviewAlphaSelect
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ListviewShadow
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\AccListViewV6
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\UseDoubleClickTimer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\\xe5\xae\x8b\xe4\xbd\x93
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\MS Shell Dlg 2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane16

修改的注册表键 无信息

删除的注册表键 无信息

API解析

kernel32.dll.FlsAlloc
kernel32.dll.FlsFree
kernel32.dll.FlsGetValue
kernel32.dll.FlsSetValue
kernel32.dll.InitializeCriticalSectionEx
kernel32.dll.CreateSemaphoreExW
kernel32.dll.SetThreadStackGuarantee
kernel32.dll.CreateThreadpoolTimer
kernel32.dll.SetThreadpoolTimer
kernel32.dll.WaitForThreadpoolTimerCallbacks
kernel32.dll.CloseThreadpoolTimer
kernel32.dll.CreateThreadpoolWait
kernel32.dll.SetThreadpoolWait
kernel32.dll.CloseThreadpoolWait
kernel32.dll.FlushProcessWriteBuffers
kernel32.dll.FreeLibraryWhenCallbackReturns
kernel32.dll.GetCurrentProcessorNumber
kernel32.dll.GetLogicalProcessorInformation
kernel32.dll.CreateSymbolicLinkW
kernel32.dll.EnumSystemLocalesEx
kernel32.dll.CompareStringEx
kernel32.dll.GetDateFormatEx
kernel32.dll.GetLocaleInfoEx
kernel32.dll.GetTimeFormatEx
kernel32.dll.GetUserDefaultLocaleName
kernel32.dll.IsValidLocaleName
kernel32.dll.LCMapStringEx
kernel32.dll.GetThreadPreferredUILanguages
cryptbase.dll.SystemFunction036
kernel32.dll.RegisterApplicationRestart
ole32.dll.CoGetMalloc
kernel32.dll.QueryActCtxW
kernel32.dll.GetModuleHandleExW
kernel32.dll.CreateActCtxW
kernel32.dll.ActivateActCtx
kernel32.dll.FindActCtxSectionStringW
kernel32.dll.DeactivateActCtx
comctl32.dll.InitCommonControlsEx
shell32.dll.InitNetworkAddressControl
comctl32.dll.RegisterClassNameW
uxtheme.dll.OpenThemeData
imm32.dll.ImmIsIME
uxtheme.dll.EnableThemeDialogTexture
ole32.dll.CoInitializeEx
ole32.dll.CoUninitialize
ole32.dll.CoRegisterInitializeSpy
ole32.dll.CoRevokeInitializeSpy
gdi32.dll.GetLayout
gdi32.dll.GdiRealizationInfo
gdi32.dll.FontIsLinked
advapi32.dll.RegOpenKeyExW
advapi32.dll.RegQueryInfoKeyW
gdi32.dll.GetTextFaceAliasW
advapi32.dll.RegEnumValueW
advapi32.dll.RegCloseKey
advapi32.dll.RegQueryValueExW
advapi32.dll.RegQueryValueExA
advapi32.dll.RegEnumKeyExW
gdi32.dll.GetTextExtentExPointWPri
gdi32.dll.GetFontAssocStatus
gdi32.dll.GdiIsMetaPrintDC
uxtheme.dll.BufferedPaintInit
uxtheme.dll.BeginBufferedPaint
uxtheme.dll.EndBufferedPaint