Maldun Security Analysis Report

Analysis type: FILE
Start time: 2020-07-06 00:04:48
End time: 2020-07-06 00:06:07
Duration: 79 seconds
Analysis engine version: 1.4-Maldun

VM name: win7-sp1-x64-hpdapp01-1
Label: win7-sp1-x64-hpdapp01-1
Hypervisor: KVM
Boot time: 2020-07-06 00:05:16
Shutdown time: 2020-07-06 00:06:08
Maldun score

4.216 (Suspicious)

File details

File name csrss.exe
File size 10010624 bytes
File type PE32 executable (console) Intel 80386, for MS Windows
CRC32 0593D11B
MD5 bf8fe423e90775e579c520cc8d3999a1
SHA1 741668af5b37fc5506b8f1882211bd4303075ec5
SHA256 baf8899cfee109f6164fb9b99e821a5f3dce977990e14af68b6f5c38e23d033d
SHA512 61c17e8ca144bd36d43330a49c8aa3992549fce464e8b3eed9ca076d311fdd6827ab076d730c6f91b3aa21c097f6fb5da6906128e10b03c6df7ab948601f4bb9
Ssdeep 98304:V5xxFahjqN6H0kWEGWHIr1PwiFIIXNKUb7wJje:VfWjqkH5ib7qje
PEiD No match
Yara
  • DebuggerTiming__PerformanceCounter ()
  • DebuggerTiming__Ticks (Detected timing ticks function)
  • anti_dbg (Detected self protection if being debugged)
  • screenshot (Detected take screenshot function)
  • create_process (Detection function for creating a new process)
  • keylogger (Detected keylogger function)
  • win_files_operation (Affect private profile)
  • win_hook (Detected hook table access function)
  • Maldun_Anomoly_Combined_Activities_7 (Spotted potential malicious behaviors from a small size target, like process manipulation, privilege, token and files)
  • with_urls (Detected the presence of one or several URLs)
  • Advapi_Hash_API (Looks for advapi API functions)
  • CRC32_poly_Constant (Look for CRC32 [poly])
  • IsPE32 (Detected a 32bit PE sample)
  • IsConsole (Detected a console program sample)
  • HasRichSignature (Detected Rich Signature)
VirusTotal No scan results for this file

Signatures

Drops an executable into a temporary directory
Maldun Yara rule detections - security alerts
Critical: Spotted potential malicious behaviors from a small size target, like process manipulation, privilege, token and files
Warning: Looks for advapi API functions
Reads data from its own binary image
self_read: process: csrss.exe, pid: 2692, offset: 0x00000000, length: 0x0098c000
Possibly malicious: the sample writes a suspicious executable file under an obfuscated extension

Runtime screenshots

Network analysis

No information

Static analysis

PE information

Image base 0x00400000
Entry point 0x004625d6
Declared checksum 0x00000000
Actual checksum 0x00990aa4
Minimum OS version 4.0
Compile time 2020-07-06 00:01:17
Import hash db2e08e35e207bfa68aae7146fef48d3

PE sections

Name  Virtual address  Virtual size  Raw data size  Characteristics  Entropy
.text 0x00001000 0x00075c26 0x00076000 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 6.09
.rdata 0x00077000 0x00007d86 0x00008000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 5.21
.data 0x0007f000 0x009252ec 0x0090d000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 5.81
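An added example, not part of the Maldun report or its engine, showing how the numbers in the two tables above are produced and what to make of them: the Shannon entropy printed per section, the PE checksum the report labels "actual checksum" (recomputed here with the imagehlp algorithm on a constructed buffer, since the sample itself is not on this page), and a few header heuristics run over the section sizes, checksums and timestamps transcribed from this report. Two caveats are encoded in the output: a declared checksum of 0 is the default for user-mode binaries linked without /RELEASE and proves nothing on its own, and the timestamp comparison assumes the compile time and the analysis start are on the same clock. What the heuristics do flag is the .data section, whose 0x90d000 raw bytes make up about 94% of the 10,010,624-byte file at a moderate entropy of 5.81, i.e. a large embedded blob that does not have the entropy profile of compressed or encrypted data; compare the self_read of the full image in the Signatures section.

```python
# Added example: static PE header triage (not part of the Maldun report).
import math
import struct
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniformly random bytes.
    Sandboxes print this per section; >= 7.0 usually means compressed/encrypted."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def pe_checksum(image: bytes, checksum_field_offset: int) -> int:
    """Recompute OptionalHeader.CheckSum the way imagehlp's CheckSumMappedFile does:
    a 16-bit ones'-complement sum over the whole file, skipping the 4-byte CheckSum
    field itself, folded to 16 bits, plus the file length. This is the value a
    sandbox prints as the "actual checksum"."""
    total = 0
    skip = {checksum_field_offset, checksum_field_offset + 2}
    for off in range(0, len(image) - len(image) % 2, 2):
        if off in skip:
            continue
        total += struct.unpack_from("<H", image, off)[0]
        total = (total & 0xFFFF) + (total >> 16)      # end-around carry
    if len(image) % 2:                                 # odd trailing byte
        total += image[-1]
        total = (total & 0xFFFF) + (total >> 16)
    total = (total & 0xFFFF) + (total >> 16)
    return (total & 0xFFFF) + len(image)


@dataclass
class Section:
    name: str
    vaddr: int
    vsize: int
    rawsize: int
    chars: str          # IMAGE_SCN_* flags as printed in the report
    entropy: float


# Transcribed from the report's section table (sizes in bytes).
SAMPLE_SECTIONS = [
    Section(".text", 0x1000, 0x75C26, 0x76000, "IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ", 6.09),
    Section(".rdata", 0x77000, 0x7D86, 0x8000, "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ", 5.21),
    Section(".data", 0x7F000, 0x9252EC, 0x90D000, "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE", 5.81),
]
SAMPLE_FILE_SIZE = 10010624   # file size from the report


def section_findings(sections, file_size):
    """Header heuristics a triage script applies before any dynamic run."""
    out = []
    for s in sections:
        if "IMAGE_SCN_MEM_EXECUTE" in s.chars and "IMAGE_SCN_MEM_WRITE" in s.chars:
            out.append(f"{s.name}: writable+executable (unpacking stub or self-modifying code)")
        if s.entropy >= 7.0:
            out.append(f"{s.name}: entropy {s.entropy:.2f}, likely packed or encrypted")
        if s.rawsize and s.vsize > 2 * s.rawsize:
            out.append(f"{s.name}: virtual size far exceeds raw size (buffer filled at runtime)")
        if s.rawsize * 2 > file_size:
            out.append(f"{s.name}: holds {100 * s.rawsize // file_size}% of the file, an embedded payload or blob")
    return out


def header_findings(declared_checksum, actual_checksum, compile_time, analysis_start):
    """Checksum and timestamp checks. Assumes both timestamps are on the same clock
    (the PE TimeDateStamp is UTC; a sandbox may print local time)."""
    out = []
    if declared_checksum == 0:
        # link.exe writes CheckSum only with /RELEASE and the loader validates it only for
        # drivers, so a zero field is the norm for user-mode code and is not evidence.
        out.append("CheckSum field is 0 (unset; not validated by the loader for user-mode images)")
    elif declared_checksum != actual_checksum:
        out.append("CheckSum mismatch: image modified after linking (patched, infected or resources rewritten)")
    age = analysis_start - compile_time
    if age < timedelta(0):
        out.append("compile timestamp lies in the future: forged")
    elif age < timedelta(hours=1):
        out.append(f"compiled {int(age.total_seconds())} s before submission: freshly built, or timestamp forged")
    return out


def triage_report_values():
    """Run both checks against the numbers printed in this report."""
    return {
        "sections": section_findings(SAMPLE_SECTIONS, SAMPLE_FILE_SIZE),
        "header": header_findings(0x0, 0x990AA4, datetime(2020, 7, 6, 0, 1, 17), datetime(2020, 7, 6, 0, 4, 48)),
    }


if __name__ == "__main__":
    for key, findings in triage_report_values().items():
        print(key, findings)
```

On the report's values the header check returns the unset-checksum note and "compiled 211 s before submission"; the section check returns only the .data finding, since no section is writable and executable, none is above the 7.0 entropy line, and the virtual sizes track the raw sizes.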

Imports

Library KERNEL32.dll:
0x4770e8 - LCMapStringA
0x4770ec - LoadLibraryA
0x4770f0 - FreeLibrary
0x4770f4 - GlobalFree
0x4770f8 - GetEnvironmentVariableA
0x4770fc - GetFileSize
0x477100 - ReadFile
0x477104 - Sleep
0x477108 - FindFirstFileA
0x47710c - RemoveDirectoryA
0x477110 - DeleteFileA
0x477114 - FindNextFileA
0x477118 - FindClose
0x47711c - SetFileAttributesA
0x477120 - WriteFile
0x477124 - GetModuleFileNameA
0x477128 - GetTickCount
0x47712c - IsBadReadPtr
0x477130 - lstrlenW
0x477134 - lstrlenA
0x477138 - HeapFree
0x47713c - InterlockedDecrement
0x477140 - InterlockedIncrement
0x477144 - RtlMoveMemory
0x477148 - LocalSize
0x47714c - HeapAlloc
0x477150 - GetProcessHeap
0x477154 - EndUpdateResourceA
0x477158 - UpdateResourceA
0x47715c - InterlockedExchange
0x477160 - BeginUpdateResourceA
0x477164 - HeapReAlloc
0x477168 - SetStdHandle
0x47716c - IsBadCodePtr
0x477170 - GetStringTypeW
0x477174 - GetStringTypeA
0x477178 - SetUnhandledExceptionFilter
0x47717c - lstrcmpiW
0x477180 - IsBadWritePtr
0x477184 - VirtualAlloc
0x477188 - VirtualFree
0x47718c - GetStartupInfoA
0x477190 - GetFileType
0x477194 - GetStdHandle
0x477198 - SetHandleCount
0x47719c - GetEnvironmentStringsW
0x4771a0 - GetEnvironmentStrings
0x4771a4 - FreeEnvironmentStringsW
0x4771a8 - FreeEnvironmentStringsA
0x4771ac - UnhandledExceptionFilter
0x4771b0 - GetACP
0x4771b4 - TerminateProcess
0x4771b8 - HeapSize
0x4771bc - RaiseException
0x4771c0 - RtlUnwind
0x4771c4 - FlushFileBuffers
0x4771c8 - SetFilePointer
0x4771cc - GetOEMCP
0x4771d0 - GetCPInfo
0x4771d4 - GlobalFlags
0x4771d8 - GetProcessVersion
0x4771dc - GlobalGetAtomNameA
0x4771e0 - GlobalAddAtomA
0x4771e4 - GlobalFindAtomA
0x4771e8 - GlobalDeleteAtom
0x4771ec - SetLastError
0x4771f0 - CopyFileA
0x4771f4 - VirtualQueryEx
0x4771f8 - GetProcAddress
0x4771fc - SetWaitableTimer
0x477200 - CreateWaitableTimerA
0x477204 - CreateThread
0x477208 - ReadProcessMemory
0x47720c - OpenProcess
0x477210 - GetCurrentProcess
0x477214 - Module32Next
0x477218 - Module32First
0x47721c - MoveFileA
0x477220 - CreateDirectoryA
0x477224 - Process32Next
0x477228 - GetVersion
0x47722c - TlsGetValue
0x477230 - LocalReAlloc
0x477234 - TlsSetValue
0x477238 - EnterCriticalSection
0x47723c - GlobalReAlloc
0x477240 - LeaveCriticalSection
0x477244 - TlsFree
0x477248 - GlobalHandle
0x47724c - DeleteCriticalSection
0x477250 - TlsAlloc
0x477254 - InitializeCriticalSection
0x477258 - LocalFree
0x47725c - LocalAlloc
0x477260 - ExitProcess
0x477264 - GetCommandLineA
0x477268 - GlobalUnlock
0x47726c - GlobalLock
0x477270 - GlobalAlloc
0x477274 - lstrcmpW
0x477278 - RtlZeroMemory
0x47727c - lstrcmpiA
0x477280 - HeapDestroy
0x477284 - HeapCreate
0x477288 - CreateFileA
0x47728c - GetAtomNameW
0x477290 - GetModuleFileNameW
0x477294 - WideCharToMultiByte
0x477298 - GetCommandLineW
0x47729c - GetModuleHandleW
0x4772a0 - MultiByteToWideChar
0x4772a4 - lstrcatW
0x4772a8 - GetCurrentThreadId
0x4772ac - lstrcpynA
0x4772b0 - lstrcpyA
0x4772b4 - lstrcatA
0x4772b8 - SetErrorMode
0x4772bc - CloseHandle
0x4772c0 - Process32First
0x4772c4 - GetLastError
0x4772c8 - GetVersionExA
0x4772cc - GetWindowsDirectoryA
0x4772d0 - GetSystemDirectoryA
0x4772d4 - GetTempPathA
0x4772d8 - LCMapStringW
0x4772dc - lstrcmpA
0x4772e0 - CreateToolhelp32Snapshot
0x4772e4 - GetModuleHandleA
Library USER32.dll:
0x477334 - GetAsyncKeyState
0x477338 - IsWindow
0x47733c - FindWindowExW
0x477340 - GetClassNameW
0x477344 - GetWindowTextLengthW
0x477348 - GetWindowTextW
0x47734c - GetWindowLongW
0x477350 - SendMessageW
0x477354 - DestroyCursor
0x477358 - SetCursor
0x47735c - GetClientRect
0x477360 - SetCapture
0x477364 - ReleaseCapture
0x477368 - LoadCursorW
0x47736c - DestroyIcon
0x477370 - DestroyAcceleratorTable
0x477374 - GetSysColor
0x477378 - IsWindowEnabled
0x47737c - EnableWindow
0x477380 - InvalidateRect
0x477384 - MapWindowPoints
0x477388 - GetFocus
0x47738c - SetFocus
0x477390 - GetMessageW
0x477394 - IsChild
0x477398 - TranslateMDISysAccel
0x47739c - TranslateAcceleratorW
0x4773a0 - IsDialogMessageW
0x4773a4 - TranslateMessage
0x4773a8 - DispatchMessageW
0x4773ac - SetWindowLongW
0x4773b0 - GetAncestor
0x4773b4 - GetDlgItem
0x4773b8 - TrackMouseEvent
0x4773bc - EndPaint
0x4773c0 - BeginPaint
0x4773c4 - wvsprintfA
0x4773c8 - GetNextDlgTabItem
0x4773cc - PostQuitMessage
0x4773d0 - CreateWindowExW
0x4773d4 - GetClassInfoExW
0x4773d8 - RegisterClassExW
0x4773dc - CreateDialogIndirectParamW
0x4773e0 - GetClassLongW
0x4773e4 - SetClassLongW
0x4773e8 - DestroyWindow
0x4773ec - DialogBoxIndirectParamW
0x4773f0 - EndDialog
0x4773f4 - GrayStringA
0x4773f8 - DrawTextA
0x4773fc - TabbedTextOutA
0x477400 - PtInRect
0x477404 - GetSysColorBrush
0x477408 - LoadCursorA
0x47740c - SetWindowTextA
0x477410 - LoadIconA
0x477414 - PostMessageA
0x477418 - AdjustWindowRectEx
0x47741c - CopyRect
0x477420 - GetTopWindow
0x477424 - GetCapture
0x477428 - WinHelpA
0x47742c - GetClassInfoA
0x477430 - RegisterClassA
0x477434 - GetInputState
0x477438 - GetWindow
0x47743c - GetClassLongA
0x477440 - CallWindowProcA
0x477444 - DefWindowProcA
0x477448 - GetMessageTime
0x47744c - GetMessagePos
0x477450 - GetLastActivePopup
0x477454 - GetWindowLongA
0x477458 - SetWindowLongA
0x47745c - RegisterWindowMessageA
0x477460 - SystemParametersInfoA
0x477464 - GetWindowPlacement
0x477468 - GetMenuCheckMarkDimensions
0x47746c - LoadBitmapA
0x477470 - ModifyMenuA
0x477474 - SetMenuItemBitmaps
0x477478 - EnableMenuItem
0x47747c - LoadStringA
0x477480 - SendMessageA
0x477484 - GetKeyState
0x477488 - GetForegroundWindow
0x47748c - CreateDialogParamW
0x477490 - DialogBoxParamW
0x477494 - CreateMDIWindowW
0x477498 - CallWindowProcW
0x47749c - DefWindowProcW
0x4774a0 - ShowWindow
0x4774a4 - PostMessageW
0x4774a8 - CopyIcon
0x4774ac - GetIconInfo
0x4774b0 - ScreenToClient
0x4774b4 - ValidateRect
0x4774b8 - SetParent
0x4774bc - SetWindowTextW
0x4774c0 - MessageBoxW
0x4774c4 - GetDC
0x4774c8 - ReleaseDC
0x4774cc - SetTimer
0x4774d0 - KillTimer
0x4774d4 - SetPropW
0x4774d8 - SetPropA
0x4774dc - GetPropW
0x4774e0 - GetPropA
0x4774e4 - RemovePropW
0x4774e8 - RemovePropA
0x4774ec - EnumPropsExW
0x4774f0 - LoadIconW
0x4774f4 - SetWindowRgn
0x4774f8 - SetRect
0x4774fc - IsIconic
0x477500 - IsZoomed
0x477504 - GetSystemMetrics
0x477508 - GetMenu
0x47750c - SetMenu
0x477510 - DrawMenuBar
0x477514 - RegisterWindowMessageW
0x477518 - SystemParametersInfoW
0x47751c - UpdateLayeredWindow
0x477520 - CreateIconFromResourceEx
0x477524 - LoadImageW
0x477528 - DrawIconEx
0x47752c - CreateMenu
0x477530 - CreatePopupMenu
0x477534 - GetSystemMenu
0x477538 - LoadMenuW
0x47753c - GetMenuInfo
0x477540 - DestroyMenu
0x477544 - GetMenuItemCount
0x477548 - GetMenuItemInfoW
0x47754c - AppendMenuW
0x477550 - InsertMenuW
0x477554 - SetMenuInfo
0x477558 - GetSubMenu
0x47755c - GetMenuItemID
0x477560 - CheckMenuRadioItem
0x477564 - SetForegroundWindow
0x477568 - TrackPopupMenu
0x47756c - GetMenuStringW
0x477570 - GetMenuItemRect
0x477574 - GetMenuState
0x477578 - GetMenuDefaultItem
0x47757c - MenuItemFromPoint
0x477580 - RemoveMenu
0x477584 - CheckMenuItem
0x477588 - SetMenuItemInfoW
0x47758c - SetMenuDefaultItem
0x477590 - LoadStringW
0x477594 - CharUpperW
0x477598 - CharLowerW
0x47759c - MessageBoxA
0x4775a0 - wsprintfA
0x4775a4 - DispatchMessageA
0x4775a8 - GetMessageA
0x4775ac - PeekMessageA
0x4775b0 - SendInput
0x4775b4 - UnhookWindowsHookEx
0x4775b8 - SetWindowPos
0x4775bc - UpdateWindow
0x4775c0 - MoveWindow
0x4775c4 - GetParent
0x4775c8 - SetWindowsHookExA
0x4775cc - GetWindowRect
0x4775d0 - ClientToScreen
0x4775d4 - MsgWaitForMultipleObjects
0x4775d8 - GetWindowTextLengthA
0x4775dc - GetWindowThreadProcessId
0x4775e0 - GetClassNameA
0x4775e4 - GetWindowTextA
0x4775e8 - GetDlgCtrlID
0x4775ec - IsWindowVisible
0x4775f0 - FindWindowExA
0x4775f4 - GetDesktopWindow
0x4775f8 - CreateWindowExA
0x4775fc - CallNextHookEx
Library ADVAPI32.dll:
0x477000 - CryptReleaseContext
0x477004 - DeleteService
0x477008 - ControlService
0x47700c - StartServiceA
0x477010 - CloseServiceHandle
0x477014 - OpenServiceA
0x477018 - CreateServiceA
0x47701c - OpenSCManagerA
0x477020 - CryptGetHashParam
0x477024 - CryptDestroyHash
0x477028 - CryptHashData
0x47702c - CryptCreateHash
0x477030 - CryptAcquireContextA
Library SHELL32.dll:
0x4772f4 - Shell_NotifyIconW
0x4772f8 - SHGetSpecialFolderPathA
0x4772fc - DragQueryFileW
0x477300 - DragAcceptFiles
0x477304 - CommandLineToArgvW
0x477308 - DragFinish
Library ole32.dll:
0x477a50 - StringFromGUID2
0x477a54 - GetHGlobalFromStream
0x477a58 - CLSIDFromString
0x477a5c - CoInitialize
0x477a60 - CoUninitialize
0x477a64 - CreateStreamOnHGlobal
Library GDI32.dll:
0x477054 - GetDIBits
0x477058 - CreatePatternBrush
0x47705c - CreateSolidBrush
0x477060 - CreateFontIndirectW
0x477064 - GetObjectW
0x477068 - StretchBlt
0x47706c - SetStretchBltMode
0x477070 - GetStretchBltMode
0x477074 - CreateDIBSection
0x477078 - CreateCompatibleDC
0x47707c - BitBlt
0x477080 - GetStockObject
0x477084 - CreateRoundRectRgn
0x477088 - SetViewportOrgEx
0x47708c - DeleteDC
0x477090 - SelectObject
0x477094 - DeleteObject
0x477098 - GetObjectA
0x47709c - CreateBitmap
0x4770a0 - GetClipBox
0x4770a4 - SetTextColor
0x4770a8 - SetBkColor
0x4770ac - GetDeviceCaps
0x4770b0 - SaveDC
0x4770b4 - RestoreDC
0x4770b8 - SetMapMode
0x4770bc - OffsetViewportOrgEx
0x4770c0 - SetViewportExtEx
0x4770c4 - ScaleViewportExtEx
0x4770c8 - SetWindowExtEx
0x4770cc - ScaleWindowExtEx
0x4770d0 - Escape
0x4770d4 - ExtTextOutA
0x4770d8 - TextOutA
0x4770dc - RectVisible
0x4770e0 - PtVisible
Library SHLWAPI.dll:
0x477310 - StrToIntExA
0x477314 - PathFileExistsA
0x477318 - PathRemoveFileSpecW
0x47731c - PathFindFileNameW
0x477320 - StrTrimW
0x477324 - StrToIntW
0x477328 - wvnsprintfW
0x47732c - StrToIntExW
Library COMCTL32.dll:
0x477040 - InitCommonControlsEx
0x477044 - None
Library gdiplus.dll:
0x477614 - GdipCreateBitmapFromResource
0x477618 - GdipSetImageAttributesColorMatrix
0x47761c - GdipGetImageAttributesAdjustedPalette
0x477620 - GdipSetImageAttributesWrapMode
0x477624 - GdipSetImageAttributesRemapTable
0x477628 - GdipSetImageAttributesOutputChannelColorProfile
0x47762c - GdipCreateImageAttributes
0x477630 - GdipSetImageAttributesOutputChannel
0x477634 - GdipCreateBitmapFromHICON
0x477638 - GdipSetImageAttributesGamma
0x47763c - GdipSetImageAttributesNoOp
0x477640 - GdipSetImageAttributesThreshold
0x477644 - GdipResetImageAttributes
0x477648 - GdipSetImageAttributesToIdentity
0x47764c - GdipCloneBitmapArea
0x477650 - GdipDisposeImage
0x477654 - GdipDeleteGraphics
0x477658 - GdipDisposeImageAttributes
0x47765c - GdipDeleteBrush
0x477660 - GdipFillRectangle
0x477664 - GdipCreateTexture
0x477668 - GdipCreateBitmapFromHBITMAP
0x47766c - GdipCreateBitmapFromGdiDib
0x477670 - GdipCreateBitmapFromGraphics
0x477674 - GdipCreateBitmapFromStream
0x477678 - GdipCreateBitmapFromFile
0x47767c - GdipGetLineSpacing
0x477680 - GdipGetCellDescent
0x477684 - GdipGetCellAscent
0x477688 - GdipGetEmHeight
0x47768c - GdipBitmapSetResolution
0x477690 - GdipCreateHBITMAPFromBitmap
0x477694 - GdipCreateFromHDC
0x477698 - GdipDeleteStringFormat
0x47769c - GdiplusStartup
0x4776a0 - GdipDeleteFont
0x4776a4 - GdipDeletePath
0x4776a8 - GdipCloneImageAttributes
0x4776ac - GdipIsStyleAvailable
0x4776b0 - GdipGetFamilyName
0x4776b4 - GdipGetGenericFontFamilyMonospace
0x4776b8 - GdipGetGenericFontFamilySerif
0x4776bc - GdipGetGenericFontFamilySansSerif
0x4776c0 - GdipCreateFontFamilyFromName
0x4776c4 - GdipCloneFontFamily
0x4776c8 - GdipGetFontCollectionFamilyList
0x4776cc - GdipGetFontCollectionFamilyCount
0x4776d0 - GdipPrivateAddMemoryFont
0x4776d4 - GdipPrivateAddFontFile
0x4776d8 - GdipNewPrivateFontCollection
0x4776dc - GdipNewInstalledFontCollection
0x4776e0 - GdipIsMatrixEqual
0x4776e4 - GdipIsMatrixIdentity
0x4776e8 - GdipIsMatrixInvertible
0x4776ec - GdipVectorTransformMatrixPoints
0x4776f0 - GdipTransformMatrixPoints
0x4776f4 - GdipShearMatrix
0x4776f8 - GdipScaleMatrix
0x4776fc - GdipInvertMatrix
0x477700 - GdipRotateMatrix
0x477704 - GdipTranslateMatrix
0x477708 - GdipMultiplyMatrix
0x47770c - GdipGetMatrixElements
0x477710 - GdipSetMatrixElements
0x477714 - GdipCloneMatrix
0x477718 - GdipCreateMatrix3
0x47771c - GdipCreateMatrix2
0x477720 - GdipCreateMatrix
0x477724 - GdipGetRegionScans
0x477728 - GdipGetRegionScansCount
0x47772c - GdipIsVisibleRegionRect
0x477730 - GdipIsVisibleRegionPoint
0x477734 - GdipIsEqualRegion
0x477738 - GdipIsInfiniteRegion
0x47773c - GdipIsEmptyRegion
0x477740 - GdipGetRegionHRgn
0x477744 - GdipGetRegionData
0x477748 - GdipGetRegionDataSize
0x47774c - GdipGetRegionBounds
0x477750 - GdipTransformRegion
0x477754 - GdipTranslateRegion
0x477758 - GdipCombineRegionPath
0x47775c - GdipCombineRegionRegion
0x477760 - GdipCombineRegionRect
0x477764 - GdipSetEmpty
0x477768 - GdipSetInfinite
0x47776c - GdipCloneRegion
0x477770 - GdipCreateRegionRgnData
0x477774 - GdipCreateRegionHrgn
0x477778 - GdipCreateRegionPath
0x47777c - GdipCreateRegionRect
0x477780 - GdipIsOutlineVisiblePathPoint
0x477784 - GdipIsVisiblePathPoint
0x477788 - GdipWarpPath
0x47778c - GdipWindingModeOutline
0x477790 - GdipWidenPath
0x477794 - GdipFlattenPath
0x477798 - GdipGetPathWorldBounds
0x47779c - GdipTransformPath
0x4777a0 - GdipAddPathString
0x4777a4 - GdipAddPathPath
0x4777a8 - GdipAddPathPolygon
0x4777ac - GdipAddPathPie
0x4777b0 - GdipAddPathEllipse
0x4777b4 - GdipAddPathRectangle
0x4777b8 - GdipAddPathClosedCurve2
0x4777bc - GdipAddPathClosedCurve
0x4777c0 - GdipAddPathCurve2
0x4777c4 - GdipAddPathCurve
0x4777c8 - GdipAddPathBezier
0x4777cc - GdipAddPathArc
0x4777d0 - GdipAddPathLine
0x4777d4 - GdipGetPathLastPoint
0x4777d8 - GdipReversePath
0x4777dc - GdipClearPathMarkers
0x4777e0 - GdipSetPathMarker
0x4777e4 - GdipClosePathFigures
0x4777e8 - GdipClosePathFigure
0x4777ec - GdipStartPathFigure
0x4777f0 - GdipGetPathData
0x4777f4 - GdipGetPointCount
0x4777f8 - GdipSetPathFillMode
0x4777fc - GdipGetPathFillMode
0x477800 - GdipResetPath
0x477804 - GdipClonePath
0x477808 - GdipCreatePath2
0x47780c - GdipCreatePath
0x477810 - GdipGetImageGraphicsContext
0x477814 - GdipCreateFromHWND
0x477818 - GdipBitmapUnlockBits
0x47781c - GdipBitmapLockBits
0x477820 - GdipCreateBitmapFromScan0
0x477824 - GdipGetFontHeightGivenDPI
0x477828 - GdipGetFontHeight
0x47782c - GdipGetFontUnit
0x477830 - GdipGetFontSize
0x477834 - GdipGetFontStyle
0x477838 - GdipGetFamily
0x47783c - GdipGetLogFontA
0x477840 - GdipGetLogFontW
0x477844 - GdipCloneFont
0x477848 - GdipCreateFontFromLogfontA
0x47784c - GdipCreateFontFromDC
0x477850 - GdipDeleteFontFamily
0x477854 - GdipDeletePrivateFontCollection
0x477858 - GdipCreateFontFromLogfontW
0x47785c - GdipCreateFont
0x477860 - GdipGetSolidFillColor
0x477864 - GdipSetSolidFillColor
0x477868 - GdipCreateSolidFill
0x47786c - GdipGetBrushType
0x477870 - GdipDeleteRegion
0x477874 - GdipGetStringFormatMeasurableCharacterRangeCount
0x477878 - GdipSetStringFormatMeasurableCharacterRanges
0x47787c - GdipGetStringFormatDigitSubstitution
0x477880 - GdipSetStringFormatDigitSubstitution
0x477884 - GdipGetStringFormatTabStops
0x477888 - GdipGetStringFormatTabStopCount
0x47788c - GdipSetStringFormatTabStops
0x477890 - GdipGetStringFormatHotkeyPrefix
0x477894 - GdipSetStringFormatHotkeyPrefix
0x477898 - GdipGetStringFormatTrimming
0x47789c - GdipSetStringFormatTrimming
0x4778a0 - GdipGetStringFormatLineAlign
0x4778a4 - GdipSetStringFormatLineAlign
0x4778a8 - GdipGetStringFormatAlign
0x4778ac - GdipSetStringFormatAlign
0x4778b0 - GdipGetStringFormatFlags
0x4778b4 - GdipSetStringFormatFlags
0x4778b8 - GdipCloneStringFormat
0x4778bc - GdipStringFormatGetGenericTypographic
0x4778c0 - GdipStringFormatGetGenericDefault
0x4778c4 - GdipCreateStringFormat
0x4778c8 - GdipCreateHICONFromBitmap
0x4778cc - GdipImageSelectActiveFrame
0x4778d0 - GdipImageGetFrameCount
0x4778d4 - GdipGetImageThumbnail
0x4778d8 - GdipGetImageVerticalResolution
0x4778dc - GdipGetImageHorizontalResolution
0x4778e0 - GdipGetImageHeight
0x4778e4 - GdipGetImageWidth
0x4778e8 - GdipGetImageBounds
0x4778ec - GdipGetImageDimension
0x4778f0 - GdipGetImageEncoders
0x4778f4 - GdipGetImageEncodersSize
0x4778f8 - GdipSaveImageToStream
0x4778fc - GdipGetImagePixelFormat
0x477900 - GdipGetImageRawFormat
0x477904 - GdipCloneImage
0x477908 - GdipLoadImageFromStream
0x47790c - GdipLoadImageFromFile
0x477910 - GdipEndContainer
0x477914 - GdipBeginContainer2
0x477918 - GdipBeginContainer
0x47791c - GdipRestoreGraphics
0x477920 - GdipSaveGraphics
0x477924 - GdipIsVisibleRect
0x477928 - GdipIsVisiblePoint
0x47792c - GdipIsVisibleClipEmpty
0x477930 - GdipIsClipEmpty
0x477934 - GdipGetVisibleClipBounds
0x477938 - GdipGetClipBounds
0x47793c - GdipGetClip
0x477940 - GdipTranslateClip
0x477944 - GdipResetClip
0x477948 - GdipSetClipHrgn
0x47794c - GdipSetClipRegion
0x477950 - GdipSetClipRect
0x477954 - GdipSetClipPath
0x477958 - GdipSetClipGraphics
0x47795c - GdipDrawImagePointsRect
0x477960 - GdipDrawImagePointRect
0x477964 - GdipDrawImagePoints
0x477968 - GdipDrawImageRect
0x47796c - GdipDrawImageRectRect
0x477970 - GdipDrawImage
0x477974 - GdipDrawDriverString
0x477978 - GdipMeasureCharacterRanges
0x47797c - GdipCreateRegion
0x477980 - GdipMeasureString
0x477984 - GdipDrawString
0x477988 - GdipFillRegion
0x47798c - GdipFillClosedCurve2
0x477990 - GdipFillClosedCurve
0x477994 - GdipFillPath
0x477998 - GdipFillPie
0x47799c - GdipFillEllipse
0x4779a0 - GdipFillPolygon
0x4779a4 - GdipGraphicsClear
0x4779a8 - GdipDrawClosedCurve2
0x4779ac - GdipDrawClosedCurve
0x4779b0 - GdipDrawCurve2
0x4779b4 - GdipDrawCurve
0x4779b8 - GdipDrawPath
0x4779bc - GdipDrawPolygon
0x4779c0 - GdipDrawPie
0x4779c4 - GdipDrawEllipse
0x4779c8 - GdipDrawRectangle
0x4779cc - GdipDrawBezier
0x4779d0 - GdipDrawArc
0x4779d4 - GdipDrawLine
0x4779d8 - GdipGetNearestColor
0x4779dc - GdipTransformPointsI
0x4779e0 - GdipTransformPoints
0x4779e4 - GdipGetDpiY
0x4779e8 - GdipGetDpiX
0x4779ec - GdipGetPageScale
0x4779f0 - GdipSetPageScale
0x4779f4 - GdipGetPageUnit
0x4779f8 - GdipSetPageUnit
0x4779fc - GdipRotateWorldTransform
0x477a00 - GdipScaleWorldTransform
0x477a04 - GdipTranslateWorldTransform
0x477a08 - GdipResetWorldTransform
0x477a0c - GdipDeleteMatrix
0x477a10 - GdipGetWorldTransform
0x477a14 - GdipSetWorldTransform
0x477a18 - GdipGetPixelOffsetMode
0x477a1c - GdipSetPixelOffsetMode
0x477a20 - GdipGetSmoothingMode
0x477a24 - GdipSetSmoothingMode
0x477a28 - GdipGetInterpolationMode
0x477a2c - GdipSetInterpolationMode
0x477a30 - GdipGetTextRenderingHint
0x477a34 - GdipSetTextRenderingHint
0x477a38 - GdipReleaseDC
0x477a3c - GdipGetDC
0x477a40 - GdipSetImageAttributesColorKeys
0x477a44 - GdipFlush
0x477a48 - GdipCloneBrush
Library ATL.DLL:
0x477038 - None
Library CRYPT32.dll:
0x47704c - CryptStringToBinaryW
Library MSIMG32.dll:
0x4772ec - AlphaBlend
Library WINSPOOL.DRV:
0x477604 - ClosePrinter
0x477608 - DocumentPropertiesA
0x47760c - OpenPrinterA
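An added example, not from the report: a small capability mapper that turns an import table like the one above into behaviour tags, which is the idea behind the sandbox's win_hook, keylogger and screenshot Yara hits and behind tools such as capa. The rule table is hand-written for this example and its thresholds are deliberate: BitBlt, GetDC or GetKeyState occur in any GUI program (much of the USER32/GDI32 list above, WinHelpA, GrayStringA, TabbedTextOutA and GetProcessVersion included, is what a statically linked MFC runtime pulls in), so a tag fires only on a combination of APIs. The sample input is a subset of the imports printed above merged with names from the report's runtime API-resolution list further down, where the same Crypt* functions appear resolved through cryptsp.dll. Imports state capability, not behaviour: this sample imports the service-control APIs, yet the behaviour section records no service created or started during the run.

```python
# Added example: map an import table to capability tags (not part of the Maldun report).
from typing import Dict, FrozenSet, Iterable, List, NamedTuple


class Rule(NamedTuple):
    all_of: FrozenSet[str]   # every one of these must be imported ...
    any_of: FrozenSet[str]   # ... plus at least min_any of these
    min_any: int


def rule(all_of=(), any_of=(), min_any=0) -> Rule:
    return Rule(frozenset(all_of), frozenset(any_of), min_any)


# Hand-written table for this example (capa and the sandbox's own Yara rules carry
# far larger ones). Thresholds matter: BitBlt, GetDC or GetKeyState alone occur in
# any GUI program, so a tag fires only on a combination of APIs.
RULES: Dict[str, Rule] = {
    "keylogging": rule(any_of={"GetAsyncKeyState", "SetWindowsHookExA", "SetWindowsHookExW", "CallNextHookEx"}, min_any=2),
    "screen capture": rule(all_of={"BitBlt"}, any_of={"GetDIBits", "CreateDIBSection", "GdipSaveImageToStream"}, min_any=1),
    "service install/control": rule(all_of={"OpenSCManagerA", "CreateServiceA"}, any_of={"StartServiceA", "ControlService", "DeleteService"}, min_any=1),
    "process enumeration + memory read": rule(all_of={"CreateToolhelp32Snapshot", "OpenProcess", "ReadProcessMemory"}),
    "CryptoAPI hashing": rule(all_of={"CryptCreateHash", "CryptHashData", "CryptGetHashParam"}),
    "rewrites PE resources": rule(all_of={"BeginUpdateResourceA", "UpdateResourceA", "EndUpdateResourceA"}),
    "synthetic keyboard/mouse input": rule(all_of={"SendInput"}),
    "recursive file deletion": rule(all_of={"FindFirstFileA", "FindNextFileA", "DeleteFileA", "RemoveDirectoryA"}),
    "tick-based timing (sleep skew / anti-debug)": rule(any_of={"GetTickCount", "QueryPerformanceCounter", "CreateWaitableTimerA"}, min_any=2),
}


def capabilities(imports: Iterable[str]) -> Dict[str, List[str]]:
    """Return {capability: sorted matching API names} for every rule that fires."""
    present = set(imports)
    hits: Dict[str, List[str]] = {}
    for name, r in RULES.items():
        if not r.all_of <= present:
            continue
        if len(r.any_of & present) < r.min_any:
            continue
        hits[name] = sorted((r.all_of | r.any_of) & present)
    return hits


def resolved_names(entries: Iterable[str]) -> set:
    """'cryptsp.dll.CryptHashData' -> 'CryptHashData' (the report's runtime API-resolution
    format); ordinal-only entries such as 'oleaut32.dll.#500' are dropped."""
    names = set()
    for e in entries:
        fn = e.rsplit(".", 1)[-1]
        if not fn.startswith("#"):
            names.add(fn)
    return names


# Subset of the static imports listed in the report.
REPORT_IMPORTS = {
    "GetAsyncKeyState", "SetWindowsHookExA", "CallNextHookEx", "UnhookWindowsHookEx", "SendInput",
    "BitBlt", "GetDIBits", "CreateDIBSection", "CreateCompatibleDC", "GdipSaveImageToStream",
    "OpenSCManagerA", "CreateServiceA", "StartServiceA", "ControlService", "DeleteService",
    "CreateToolhelp32Snapshot", "Process32First", "Process32Next", "OpenProcess", "ReadProcessMemory",
    "CryptAcquireContextA", "CryptCreateHash", "CryptHashData", "CryptGetHashParam",
    "BeginUpdateResourceA", "UpdateResourceA", "EndUpdateResourceA",
    "FindFirstFileA", "FindNextFileA", "DeleteFileA", "RemoveDirectoryA", "SetFileAttributesA",
    "GetTickCount", "CreateWaitableTimerA", "SetWaitableTimer", "GetTempPathA", "CopyFileA",
}
# Subset of the report's runtime API-resolution list (names fetched via GetProcAddress).
REPORT_RESOLVED = ["cryptsp.dll.CryptCreateHash", "cryptsp.dll.CryptHashData",
                   "cryptbase.dll.SystemFunction036", "oleaut32.dll.#500"]


def report_capabilities() -> Dict[str, List[str]]:
    return capabilities(REPORT_IMPORTS | resolved_names(REPORT_RESOLVED))


if __name__ == "__main__":
    for tag, apis in report_capabilities().items():
        print(f"{tag}: {', '.join(apis)}")
```

Every rule in the table fires on this sample's import set; the control call with only BitBlt, GetDC, GetKeyState and GetTickCount, the footprint of an ordinary window procedure, returns nothing, which is the property the thresholds exist for.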

Dropped files

No information

Behavior analysis

Mutexes
  • Local\MSCTF.Asm.MutexDefault1
Executed commands: No information
Created services: No information
Started services: No information

Processes

csrss.exe PID: 2692, parent PID: 2336

Files accessed
  • \Device\KsecDD
  • C:\Windows\g.gker
  • C:\Users\test\AppData\Local\Temp\csrss.exe
  • C:\Users\test\AppData\Local\Temp\[================================]
  • C:\Users\test\AppData\Local\Temp\[bf8fe423e90775e579c520cc8d3999a1]
  • C:\Windows\Fonts\staticcache.dat
Files read
  • \Device\KsecDD
  • C:\Users\test\AppData\Local\Temp\csrss.exe
  • C:\Windows\Fonts\staticcache.dat
Files modified
  • C:\Users\test\AppData\Local\Temp\[bf8fe423e90775e579c520cc8d3999a1]
  • C:\Users\test\AppData\Local\Temp\csrss.exe
  • C:\Windows\g.gker
Files deleted
  • C:\Users\test\AppData\Local\Temp\[================================]
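The three signatures in the Signatures section (drop to temp, self-read, executable under an obfuscated extension) and the file activity listed above are what a behaviour rule engine matches over a file-event trace. The following is an added example of such rules, not the sandbox's own code. The events are constructed from the paths and the self_read record in this report: offset 0 and length 0x0098c000 equals the file size of 10,010,624 bytes, so the sample read its entire image; the file written under %TEMP% carries the sample's own MD5 (bf8fe423e90775e579c520cc8d3999a1) as its name, while a bracketed placeholder name was deleted; and a csrss.exe running from %TEMP% under parent PID 2336 is not the real Client/Server Runtime, which lives in System32 and is started by smss.exe. The dropped-files section of the report is empty, so the bytes written are not on this page; the MZ header on the MD5-named file is an assumption made for the example. The Local\MSCTF.Asm.MutexDefault1 mutex and the NLS, FontLink, LanguagePack and CTF registry keys that follow are ordinary text-services and font initialisation for a GUI process and carry no signal.

```python
# Added example: behavioural rules over file-activity events (not from the Maldun report).
import ntpath
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class FileEvent:
    pid: int
    image: str          # full path of the acting process's executable
    api: str            # CreateFile | ReadFile | WriteFile | DeleteFile
    path: str
    offset: int = 0
    length: int = 0
    head: bytes = b""   # first bytes of the buffer (assumed where the report has none)


SYSTEM_PROCESS_NAMES = {"csrss.exe", "smss.exe", "wininit.exe", "winlogon.exe",
                        "services.exe", "lsass.exe", "svchost.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
PE_EXTENSIONS = {".exe", ".dll", ".sys", ".scr", ".cpl", ".ocx", ".drv"}


def in_temp(path: str) -> bool:
    p = path.lower()
    return "\\appdata\\local\\temp\\" in p or p.startswith("c:\\windows\\temp\\")


def run_rules(events: List[FileEvent], image_size: int, image_md5: str) -> List[Tuple[str, str]]:
    """Return sorted, de-duplicated (rule, path) pairs."""
    findings = set()
    for ev in events:
        img = ev.image.lower()
        # 1. system-process name running from anywhere but System32/SysWOW64
        if ntpath.basename(img) in SYSTEM_PROCESS_NAMES and not img.startswith(SYSTEM_DIRS):
            findings.add(("masquerades as a Windows system process outside System32", ev.image))
        # 2. the report's self_read: own image read from offset 0 for its full size
        if ev.api == "ReadFile" and ev.path.lower() == img and ev.offset == 0 and ev.length >= image_size:
            findings.add(("reads its own binary image in full", ev.path))
        # 3./4. PE content written into a temp directory, or under a non-PE extension
        if ev.api == "WriteFile" and ev.head.startswith(b"MZ"):
            if in_temp(ev.path):
                findings.add(("drops an executable into a temp directory", ev.path))
            if ntpath.splitext(ev.path)[1].lower() not in PE_EXTENSIONS:
                findings.add(("writes a PE image under a non-executable name or extension", ev.path))
        # 5. file whose (bracket-stripped) name is the process's own MD5
        if ev.api in ("CreateFile", "WriteFile"):
            if ntpath.basename(ev.path).strip("[]").lower() == image_md5.lower():
                findings.add(("creates a file named after its own MD5", ev.path))
    return sorted(findings)


IMAGE = r"C:\Users\test\AppData\Local\Temp\csrss.exe"
IMAGE_SIZE = 10010624                                  # file size from the report
IMAGE_MD5 = "bf8fe423e90775e579c520cc8d3999a1"         # MD5 from the report
TEMP = r"C:\Users\test\AppData\Local\Temp"

# Events constructed from the report's file lists and its self_read record.
# Buffer contents are not in the report, so the MZ header on the MD5-named file
# and the zero bytes for g.gker are assumptions for this example.
REPORT_EVENTS = [
    FileEvent(2692, IMAGE, "ReadFile", IMAGE, 0, 0x98C000, b"MZ\x90\x00"),
    FileEvent(2692, IMAGE, "WriteFile", TEMP + "\\[bf8fe423e90775e579c520cc8d3999a1]", 0, 0x98C000, b"MZ\x90\x00"),
    FileEvent(2692, IMAGE, "WriteFile", r"C:\Windows\g.gker", 0, 16, b"\x00" * 16),
    FileEvent(2692, IMAGE, "DeleteFile", TEMP + "\\[================================]"),
    FileEvent(2692, IMAGE, "ReadFile", r"C:\Windows\Fonts\staticcache.dat", 0, 4096, b"\x00" * 4),
]


def report_findings() -> List[Tuple[str, str]]:
    return run_rules(REPORT_EVENTS, IMAGE_SIZE, IMAGE_MD5)


def benign_control() -> List[Tuple[str, str]]:
    """Constructed control: an editor saving a text file into %TEMP% should trip nothing."""
    ev = FileEvent(100, r"C:\Windows\System32\notepad.exe", "WriteFile", TEMP + r"\notes.txt", 0, 5, b"hello")
    return run_rules([ev], 1, "00" * 16)


if __name__ == "__main__":
    for name, path in report_findings():
        print(f"{name}: {path}")
```

Rule 4 is the one behind the report's "obfuscated extension" signature: the MD5-named file has no extension at all, so PE content written there would be missed by any control that keys on *.exe. The g.gker write under C:\Windows trips nothing here only because its contents are unknown; with a real trace the same MZ check applies to it.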
Registry keys
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\WMR
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane2
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane3
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane4
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane5
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane6
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane7
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane8
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane9
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane10
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane11
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane12
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane13
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane14
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane15
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane16
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\csrss.exe
  • HKEY_LOCAL_MACHINE\Software\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{03B5835F-F03C-411B-9CE2-AA23E1171E36}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{07EB03D6-B001-41DF-9192-BF9B841EE71F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3697C5FA-60DD-4B56-92D4-74A569205C16}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3FC47A08-E5C9-4BCA-A2C7-BC9A282AED14}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{531FDEBF-9B4C-4A43-A2AA-960E8FCDC732}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{78CB5B0E-26ED-4FCC-854C-77E8F3D1AA80}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{81D4E9C9-1D3B-41BC-9E6C-4B40BF79E35E}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{8613E14C-D0C0-4161-AC0F-1DD2563286BC}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{A028AE76-01B1-46C2-99C4-ACD9858AE02F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{AE6BE008-07FB-400D-8BEB-337A64F7051F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{C1EE01F2-B3B6-4A6A-9DDD-E988C088EC82}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{E429B25A-E5D3-4D1F-9BE3-0C608477E3A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F25E9F57-2FC8-4EB3-A41A-CCE5F08541E6}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F89E9E58-BD2F-4008-9AC2-0F816C09F4EE}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_CURRENT_USER
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
  • HKEY_CURRENT_USER\Software\Microsoft\CTF\DirectSwitchHotkeys
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
  • HKEY_CURRENT_USER\Software\Microsoft\CTF\LayoutIcon\0804\00000804
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\KnownClasses
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
Registry keys read
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane2
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane3
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane4
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane5
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane6
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane7
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane8
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane9
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane10
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane11
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane12
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane13
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane14
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane15
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane16
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
Registry keys modified: No information
Registry keys deleted: No information
API resolution (functions resolved at runtime)
  • kernel32.dll.IsProcessorFeaturePresent
  • cryptbase.dll.SystemFunction036
  • cryptsp.dll.CryptAcquireContextA
  • cryptsp.dll.CryptCreateHash
  • cryptsp.dll.CryptHashData
  • cryptsp.dll.CryptGetHashParam
  • cryptsp.dll.CryptDestroyHash
  • cryptsp.dll.CryptReleaseContext
  • gdi32.dll.GetLayout
  • gdi32.dll.GdiRealizationInfo
  • gdi32.dll.FontIsLinked
  • advapi32.dll.RegOpenKeyExW
  • advapi32.dll.RegQueryInfoKeyW
  • gdi32.dll.GetTextFaceAliasW
  • advapi32.dll.RegEnumValueW
  • advapi32.dll.RegCloseKey
  • advapi32.dll.RegQueryValueExW
  • advapi32.dll.RegQueryValueExA
  • advapi32.dll.RegEnumKeyExW
  • gdi32.dll.GetTextExtentExPointWPri
  • ole32.dll.CoInitializeEx
  • ole32.dll.CoUninitialize
  • ole32.dll.CoRegisterInitializeSpy
  • ole32.dll.CoRevokeInitializeSpy
  • gdi32.dll.GetFontAssocStatus
  • oleaut32.dll.SysAllocString
  • oleaut32.dll.SysStringLen
  • oleaut32.dll.SysFreeString
  • oleaut32.dll.#500