Maldun Security Analysis Report

Analysis type FILE
Start time 2020-07-06 00:52:16
End time 2020-07-06 00:53:14
Duration 58 seconds
Analysis engine version 1.4-Maldun

VM name win7-sp1-x64-hpdapp01-1
Label win7-sp1-x64-hpdapp01-1
Hypervisor KVM
Boot time 2020-07-06 00:52:28
Shutdown time 2020-07-06 00:53:14
Maldun score

10.0

Malicious

File details

File name cs.exe
File size 5451776 bytes
File type PE32 executable (GUI) Intel 80386, for MS Windows
CRC32 92FB2572
MD5 be64cb911cba81db85df764ddfd79219
SHA1 33a63dba73274dbceb96ee135ced7811393d141a
SHA256 ace21ab8c5c39fc93d9e7618e5576b1f6954013b83360ab8a1c553908ce1c43d
SHA512 4afd110802778d542df199c524964575445367bdf22562ca3a81e1d599e7d5ea0bddb1493f21b5eb39943a3ce2c8709fa3d465295751850d305f4d752a980062
Ssdeep 98304:3wXhLuerBQljTwbr/EEc8JCC1jqjdkkao94IOJBAUZLS6:xhK7S80MjqJpqJVG6
PEiD No match
Yara
  • DebuggerTiming__PerformanceCounter ()
  • DebuggerTiming__Ticks (Detected timing ticks function)
  • ThreadControl__Context ()
  • anti_dbg (Detected self protection if being debugged)
  • inject_thread (Detected code injection function with CreateRemoteThread in a remote process)
  • network_http (Detected communications function over HTTP)
  • win_mutex (Create or check mutex)
  • screenshot (Detected take screenshot function)
  • create_process (Detection function for creating a new process)
  • persistence (Detected function for installing itself for autorun at Windows startup)
  • keylogger (Detected keylogger function)
  • win_registry (Detected system registries modification function)
  • change_win_registry (Change registries to affect system)
  • win_files_operation (Affect private profile)
  • win_hook (Detected hook table access function)
  • win_private_profile (Detected private profile access function)
  • Maldun_Anomoly_Combined_Activities_Logging_Persistence (Spotted postential abnormal behaviors, like logging and persistenc3)
  • Maldun_Anomoly_Combined_Activities_Network_Logging (Spotted potential abnormal behaviors, like logging and network communications)
  • Maldun_Anomoly_Combined_Activities_7 (Spotted potential malicious behaviors from a small size target, like process manipultion, privilege, token and files)
  • with_images (Detected the presence of an or several images)
  • with_urls (Detected the presence of an or several urls)
  • CRC32_poly_Constant (Look for CRC32 [poly])
  • CRC32_table (Look for CRC32 table)
  • MD5_Constants (Look for MD5 constants)
  • RsaRef2_NN_modExp (RsaRef2 NN_modExp)
  • RsaEuro_NN_modMult (RsaEuro NN_modMult)
  • BASE64_table (Look for Base64 table)
  • IsPE32 (Detected a 32bit PE sample)
  • IsWindowsGUI (Detected a Windows GUI sample)
  • IsPacked (Detected Entropy signature)
  • HasRichSignature (Detected Rich Signature)
VirusTotal No scan results for this file

Signatures

The binary may contain encrypted or compressed data
section: name: .rdata, entropy: 7.36, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ, raw_size: 0x0049e000, virtual_size: 0x0049d67a
Creates a hidden file or system file
file: C:\Users\test\AppData\Local\Temp\CR.DLL
Maldun Security Yara rule detection results - High risk
Warning: Detected code injection function with CreateRemoteThread in a remote process
Warning: Detected function for installing itself for autorun at Windows startup
Critical: Spotted postential abnormal behaviors, like logging and persistenc3
Critical: Spotted potential abnormal behaviors, like logging and network communications
Critical: Spotted potential malicious behaviors from a small size target, like process manipultion, privilege, token and files
Warning: RsaRef2 NN_modExp
Warning: RsaEuro NN_modMult

Runtime screenshots

Network analysis

No information

Static analysis

PE information

Image base 0x00400000
Entry point 0x0045e305
Declared checksum 0x00000000
Actual checksum 0x005395a9
Minimum OS version required 4.0
Compile time 2020-07-06 00:51:15
Import hash 5028e5c9ed837e27346b8425a32c20f5

Version information

LegalCopyright: 作者版权所有 请尊重并使用正版
FileVersion: 1.0.0.0
Comments: 本程序使用易语言编写(http://www.eyuyan.com)
ProductName: 易语言程序
ProductVersion: 1.0.0.0
FileDescription: 易语言程序
Translation: 0x0804 0x04b0

PE sections

Name Virtual address Virtual size Raw data size Characteristics Entropy
.text 0x00001000 0x0007bf3a 0x0007c000 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 6.60
.rdata 0x0007d000 0x0049d67a 0x0049e000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 7.36
.data 0x0051b000 0x00024a68 0x00012000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 5.09
.rsrc 0x00540000 0x00005958 0x00006000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 4.82

Imports

Library KERNEL32.dll:
0x47d170 - SetEndOfFile
0x47d174 - UnlockFile
0x47d178 - LockFile
0x47d17c - FlushFileBuffers
0x47d180 - SetFilePointer
0x47d184 - GetCurrentProcess
0x47d188 - DuplicateHandle
0x47d18c - lstrcpynA
0x47d190 - SetLastError
0x47d194 - FileTimeToLocalFileTime
0x47d198 - FileTimeToSystemTime
0x47d19c - LocalFree
0x47d1a0 - InterlockedDecrement
0x47d1a4 - CreateSemaphoreA
0x47d1a8 - ResumeThread
0x47d1ac - ReleaseSemaphore
0x47d1b0 - EnterCriticalSection
0x47d1b4 - LeaveCriticalSection
0x47d1b8 - GetProfileStringA
0x47d1bc - SetStdHandle
0x47d1c0 - IsBadCodePtr
0x47d1c4 - IsBadReadPtr
0x47d1c8 - CompareStringW
0x47d1cc - CompareStringA
0x47d1d0 - SetUnhandledExceptionFilter
0x47d1d4 - GetStringTypeW
0x47d1d8 - GetStringTypeA
0x47d1dc - IsBadWritePtr
0x47d1e0 - VirtualAlloc
0x47d1e4 - LCMapStringW
0x47d1e8 - LCMapStringA
0x47d1ec - SetEnvironmentVariableA
0x47d1f0 - VirtualFree
0x47d1f4 - HeapCreate
0x47d1f8 - HeapDestroy
0x47d1fc - GetEnvironmentVariableA
0x47d200 - GetFileType
0x47d204 - GetStdHandle
0x47d208 - SetHandleCount
0x47d20c - GetEnvironmentStringsW
0x47d210 - GetEnvironmentStrings
0x47d214 - FreeEnvironmentStringsW
0x47d218 - FreeEnvironmentStringsA
0x47d21c - UnhandledExceptionFilter
0x47d220 - GetACP
0x47d224 - HeapSize
0x47d228 - TerminateProcess
0x47d22c - GetLocalTime
0x47d230 - GetSystemTime
0x47d234 - GetTimeZoneInformation
0x47d238 - WriteFile
0x47d23c - WaitForMultipleObjects
0x47d240 - CreateFileA
0x47d244 - SetEvent
0x47d248 - FindResourceA
0x47d24c - LoadResource
0x47d250 - LockResource
0x47d254 - ReadFile
0x47d258 - GetModuleFileNameA
0x47d25c - WideCharToMultiByte
0x47d260 - MultiByteToWideChar
0x47d264 - GetCurrentThreadId
0x47d268 - ExitProcess
0x47d26c - GlobalSize
0x47d270 - GlobalFree
0x47d274 - DeleteCriticalSection
0x47d278 - InitializeCriticalSection
0x47d27c - lstrcatA
0x47d280 - lstrlenA
0x47d284 - WinExec
0x47d288 - lstrcpyA
0x47d28c - FindNextFileA
0x47d290 - GlobalReAlloc
0x47d294 - HeapFree
0x47d298 - HeapReAlloc
0x47d29c - GetProcessHeap
0x47d2a0 - HeapAlloc
0x47d2a4 - GetFullPathNameA
0x47d2a8 - FreeLibrary
0x47d2ac - LoadLibraryA
0x47d2b0 - GetLastError
0x47d2b4 - GetVersionExA
0x47d2b8 - WritePrivateProfileStringA
0x47d2bc - CreateThread
0x47d2c0 - CreateEventA
0x47d2c4 - Sleep
0x47d2c8 - GlobalAlloc
0x47d2cc - GlobalLock
0x47d2d0 - GlobalUnlock
0x47d2d4 - FindFirstFileA
0x47d2d8 - FindClose
0x47d2dc - SetFileAttributesA
0x47d2e0 - GetFileAttributesA
0x47d2e4 - DeleteFileA
0x47d2e8 - RaiseException
0x47d2ec - RtlUnwind
0x47d2f0 - GetStartupInfoA
0x47d2f4 - GetOEMCP
0x47d2f8 - GetCPInfo
0x47d2fc - GetProcessVersion
0x47d300 - SetErrorMode
0x47d304 - GlobalFlags
0x47d308 - GetCurrentThread
0x47d30c - GetFileTime
0x47d310 - GetFileSize
0x47d314 - TlsGetValue
0x47d318 - LocalReAlloc
0x47d31c - TlsSetValue
0x47d320 - TlsFree
0x47d324 - GlobalHandle
0x47d328 - TlsAlloc
0x47d32c - LocalAlloc
0x47d330 - SetCurrentDirectoryA
0x47d334 - GetVolumeInformationA
0x47d338 - GetModuleHandleA
0x47d33c - GetProcAddress
0x47d340 - MulDiv
0x47d344 - lstrcmpA
0x47d348 - GetVersion
0x47d34c - GlobalGetAtomNameA
0x47d350 - GlobalAddAtomA
0x47d354 - GlobalFindAtomA
0x47d358 - GlobalDeleteAtom
0x47d35c - lstrcmpiA
0x47d360 - GetCommandLineA
0x47d364 - GetTickCount
0x47d368 - WaitForSingleObject
0x47d36c - CloseHandle
0x47d370 - InterlockedIncrement
Library USER32.dll:
0x47d394 - OpenClipboard
0x47d398 - SetClipboardData
0x47d39c - EmptyClipboard
0x47d3a0 - GetSystemMetrics
0x47d3a4 - GetCursorPos
0x47d3a8 - MessageBoxA
0x47d3ac - SetWindowPos
0x47d3b0 - SendMessageA
0x47d3b4 - DestroyCursor
0x47d3b8 - SetParent
0x47d3bc - GetClipboardData
0x47d3c0 - PostMessageA
0x47d3c4 - GetTopWindow
0x47d3c8 - GetParent
0x47d3cc - CloseClipboard
0x47d3d0 - wsprintfA
0x47d3d4 - GetFocus
0x47d3d8 - GetClientRect
0x47d3dc - InvalidateRect
0x47d3e0 - ValidateRect
0x47d3e4 - UpdateWindow
0x47d3e8 - EqualRect
0x47d3ec - GetWindowRect
0x47d3f0 - SetForegroundWindow
0x47d3f4 - IsWindow
0x47d3f8 - GetMenuItemCount
0x47d3fc - DestroyMenu
0x47d400 - IsChild
0x47d404 - ReleaseDC
0x47d408 - IsRectEmpty
0x47d40c - FillRect
0x47d410 - GetDC
0x47d414 - SetCursor
0x47d418 - LoadCursorA
0x47d41c - SetCursorPos
0x47d420 - SetActiveWindow
0x47d424 - GetSysColor
0x47d428 - SetWindowLongA
0x47d42c - GetWindowLongA
0x47d430 - RedrawWindow
0x47d434 - EnableWindow
0x47d438 - IsWindowVisible
0x47d43c - OffsetRect
0x47d440 - PtInRect
0x47d444 - DestroyIcon
0x47d448 - IntersectRect
0x47d44c - InflateRect
0x47d450 - SetRect
0x47d454 - SetScrollPos
0x47d458 - SetScrollRange
0x47d45c - GetScrollRange
0x47d460 - SetCapture
0x47d464 - GetCapture
0x47d468 - ReleaseCapture
0x47d46c - LoadIconA
0x47d470 - TranslateMessage
0x47d474 - DrawFrameControl
0x47d478 - DrawEdge
0x47d47c - DrawFocusRect
0x47d480 - WindowFromPoint
0x47d484 - GetMessageA
0x47d488 - DispatchMessageA
0x47d48c - SetRectEmpty
0x47d490 - RegisterClipboardFormatA
0x47d494 - CreateIconFromResourceEx
0x47d498 - CreateIconFromResource
0x47d49c - DrawIconEx
0x47d4a0 - CreatePopupMenu
0x47d4a4 - AppendMenuA
0x47d4a8 - ModifyMenuA
0x47d4ac - CreateMenu
0x47d4b0 - CreateAcceleratorTableA
0x47d4b4 - GetDlgCtrlID
0x47d4b8 - GetSubMenu
0x47d4bc - EnableMenuItem
0x47d4c0 - ClientToScreen
0x47d4c4 - EnumDisplaySettingsA
0x47d4c8 - LoadImageA
0x47d4cc - SystemParametersInfoA
0x47d4d0 - ShowWindow
0x47d4d4 - IsWindowEnabled
0x47d4d8 - TranslateAcceleratorA
0x47d4dc - GetKeyState
0x47d4e0 - CopyAcceleratorTableA
0x47d4e4 - PostQuitMessage
0x47d4e8 - IsZoomed
0x47d4ec - GetClassInfoA
0x47d4f0 - DefWindowProcA
0x47d4f4 - GetSystemMenu
0x47d4f8 - DeleteMenu
0x47d4fc - GetMenu
0x47d500 - SetMenu
0x47d504 - PeekMessageA
0x47d508 - GetWindowTextA
0x47d50c - GetWindowTextLengthA
0x47d510 - CharUpperA
0x47d514 - GetWindowDC
0x47d518 - BeginPaint
0x47d51c - EndPaint
0x47d520 - TabbedTextOutA
0x47d524 - DrawTextA
0x47d528 - GrayStringA
0x47d52c - GetDlgItem
0x47d530 - DestroyWindow
0x47d534 - CreateDialogIndirectParamA
0x47d538 - EndDialog
0x47d53c - GetNextDlgTabItem
0x47d540 - GetWindowPlacement
0x47d544 - RegisterWindowMessageA
0x47d548 - GetForegroundWindow
0x47d54c - GetLastActivePopup
0x47d550 - GetMessageTime
0x47d554 - RemovePropA
0x47d558 - CallWindowProcA
0x47d55c - GetPropA
0x47d560 - UnhookWindowsHookEx
0x47d564 - SetPropA
0x47d568 - GetClassLongA
0x47d56c - CallNextHookEx
0x47d570 - SetWindowsHookExA
0x47d574 - CreateWindowExA
0x47d578 - GetMenuItemID
0x47d57c - UnregisterClassA
0x47d580 - RegisterClassA
0x47d584 - GetScrollPos
0x47d588 - AdjustWindowRectEx
0x47d58c - MapWindowPoints
0x47d590 - SendDlgItemMessageA
0x47d594 - ScrollWindowEx
0x47d598 - IsDialogMessageA
0x47d59c - SetWindowTextA
0x47d5a0 - MoveWindow
0x47d5a4 - CheckMenuItem
0x47d5a8 - SetMenuItemBitmaps
0x47d5ac - GetMenuState
0x47d5b0 - GetMenuCheckMarkDimensions
0x47d5b4 - GetClassNameA
0x47d5b8 - GetDesktopWindow
0x47d5bc - LoadStringA
0x47d5c0 - GetSysColorBrush
0x47d5c4 - IsIconic
0x47d5c8 - SetFocus
0x47d5cc - GetActiveWindow
0x47d5d0 - GetWindow
0x47d5d4 - DestroyAcceleratorTable
0x47d5d8 - SetWindowRgn
0x47d5dc - GetMessagePos
0x47d5e0 - ScreenToClient
0x47d5e4 - ChildWindowFromPointEx
0x47d5e8 - CopyRect
0x47d5ec - LoadBitmapA
0x47d5f0 - WinHelpA
0x47d5f4 - KillTimer
0x47d5f8 - SetTimer
Library GDI32.dll:
0x47d024 - SelectClipRgn
0x47d028 - DeleteObject
0x47d02c - CreateDIBitmap
0x47d030 - GetSystemPaletteEntries
0x47d034 - CreatePalette
0x47d038 - StretchBlt
0x47d03c - SelectPalette
0x47d040 - RealizePalette
0x47d044 - GetDIBits
0x47d048 - GetWindowExtEx
0x47d04c - GetViewportOrgEx
0x47d050 - GetWindowOrgEx
0x47d054 - BeginPath
0x47d058 - EndPath
0x47d05c - PathToRegion
0x47d060 - CreateEllipticRgn
0x47d064 - CreateRoundRectRgn
0x47d068 - GetTextColor
0x47d06c - GetBkMode
0x47d070 - GetBkColor
0x47d074 - GetROP2
0x47d078 - GetStretchBltMode
0x47d07c - GetPolyFillMode
0x47d080 - CreateCompatibleBitmap
0x47d084 - CreateDCA
0x47d088 - CreateBitmap
0x47d08c - SelectObject
0x47d090 - GetObjectA
0x47d094 - CreatePen
0x47d098 - PatBlt
0x47d09c - CombineRgn
0x47d0a0 - CreateRectRgn
0x47d0a4 - CreatePolygonRgn
0x47d0a8 - CreateSolidBrush
0x47d0ac - GetStockObject
0x47d0b0 - CreateFontIndirectA
0x47d0b4 - EndPage
0x47d0b8 - EndDoc
0x47d0bc - DeleteDC
0x47d0c0 - StartDocA
0x47d0c4 - StartPage
0x47d0c8 - BitBlt
0x47d0cc - CreateCompatibleDC
0x47d0d0 - Ellipse
0x47d0d4 - Rectangle
0x47d0d8 - LPtoDP
0x47d0dc - DPtoLP
0x47d0e0 - GetCurrentObject
0x47d0e4 - RoundRect
0x47d0e8 - GetTextExtentPoint32A
0x47d0ec - GetDeviceCaps
0x47d0f0 - SaveDC
0x47d0f4 - RestoreDC
0x47d0f8 - SetBkMode
0x47d0fc - SetPolyFillMode
0x47d100 - SetROP2
0x47d104 - SetTextColor
0x47d108 - SetMapMode
0x47d10c - SetViewportOrgEx
0x47d110 - OffsetViewportOrgEx
0x47d114 - SetViewportExtEx
0x47d118 - ScaleViewportExtEx
0x47d11c - SetWindowOrgEx
0x47d120 - SetWindowExtEx
0x47d124 - ScaleWindowExtEx
0x47d128 - GetClipBox
0x47d12c - ExcludeClipRect
0x47d130 - MoveToEx
0x47d134 - LineTo
0x47d138 - GetClipRgn
0x47d13c - SetStretchBltMode
0x47d140 - CreateRectRgnIndirect
0x47d144 - SetBkColor
0x47d148 - FillRgn
0x47d14c - GetTextMetricsA
0x47d150 - Escape
0x47d154 - ExtTextOutA
0x47d158 - TextOutA
0x47d15c - RectVisible
0x47d160 - PtVisible
0x47d164 - GetViewportExtEx
0x47d168 - ExtSelectClipRgn
Library WINMM.dll:
0x47d600 - midiStreamRestart
0x47d604 - midiStreamClose
0x47d608 - midiOutReset
0x47d60c - midiStreamStop
0x47d610 - midiStreamOut
0x47d614 - midiOutPrepareHeader
0x47d618 - midiStreamProperty
0x47d61c - midiStreamOpen
0x47d620 - midiOutUnprepareHeader
0x47d624 - waveOutOpen
0x47d628 - waveOutGetNumDevs
0x47d62c - waveOutClose
0x47d630 - waveOutReset
0x47d634 - waveOutPause
0x47d638 - waveOutWrite
0x47d63c - waveOutPrepareHeader
0x47d640 - waveOutUnprepareHeader
Library WINSPOOL.DRV:
0x47d648 - ClosePrinter
0x47d64c - DocumentPropertiesA
0x47d650 - OpenPrinterA
Library ADVAPI32.dll:
0x47d000 - RegCloseKey
0x47d004 - RegOpenKeyExA
0x47d008 - RegSetValueExA
0x47d00c - RegQueryValueA
0x47d010 - RegCreateKeyExA
Library SHELL32.dll:
0x47d388 - ShellExecuteA
0x47d38c - Shell_NotifyIconA
Library ole32.dll:
0x47d694 - OleInitialize
0x47d698 - OleUninitialize
0x47d69c - CLSIDFromString
Library OLEAUT32.dll:
0x47d378 - UnRegisterTypeLib
0x47d37c - RegisterTypeLib
0x47d380 - LoadTypeLib
Library COMCTL32.dll:
0x47d018 - ImageList_Destroy
0x47d01c - None
Library WS2_32.dll:
0x47d658 - recvfrom
0x47d65c - ioctlsocket
0x47d660 - recv
0x47d664 - getpeername
0x47d668 - accept
0x47d66c - WSAAsyncSelect
0x47d670 - closesocket
0x47d674 - inet_ntoa
0x47d678 - WSACleanup
Library comdlg32.dll:
0x47d680 - GetSaveFileNameA
0x47d684 - GetOpenFileNameA
0x47d688 - ChooseColorA
0x47d68c - GetFileTitleA

Dropped files

No information

Behavioral analysis

Mutexes
  • Local\MSCTF.Asm.MutexDefault1
Commands executed No information
Services created No information
Services started No information

Processes

cs.exe PID: 2700, parent process PID: 2340

Files accessed
  • C:\Windows\Globalization\Sorting\sortdefault.nls
  • C:\Users\test\AppData\Local\Temp\CR.DLL
  • C:\
  • C:\Windows\Fonts\staticcache.dat
  • C:\Users\test\AppData\Local\Temp\imageres.dll
  • C:\Windows\System32\imageres.dll
  • C:\Windows\System32\zh-CN\imageres.dll.mui
  • C:\Windows\sysnative\zh-CN\imageres.dll.mui
  • C:\Windows\System32\zh-Hans\imageres.dll.mui
  • C:\Windows\System32\zh\imageres.dll.mui
  • C:\Windows\System32\en-US\imageres.dll.mui
Files read
  • C:\Windows\Globalization\Sorting\sortdefault.nls
  • C:\Users\test\AppData\Local\Temp\CR.DLL
  • C:\Windows\Fonts\staticcache.dat
  • C:\Windows\System32\imageres.dll
  • C:\Windows\System32\zh-CN\imageres.dll.mui
  • C:\Windows\sysnative\zh-CN\imageres.dll.mui
  • C:\Windows\System32\zh-Hans\imageres.dll.mui
  • C:\Windows\System32\zh\imageres.dll.mui
  • C:\Windows\System32\en-US\imageres.dll.mui
Files modified
  • C:\Users\test\AppData\Local\Temp\CR.DLL
Files deleted
  • C:\Users\test\AppData\Local\Temp\CR.DLL
Registry keys
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\UseFilter
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\CR.DLL
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\WMR
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane2
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane3
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane4
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane5
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane6
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane7
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane8
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane9
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane10
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane11
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane12
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane13
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane14
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane15
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane16
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\cs.exe
  • HKEY_LOCAL_MACHINE\Software\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{03B5835F-F03C-411B-9CE2-AA23E1171E36}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{07EB03D6-B001-41DF-9192-BF9B841EE71F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3697C5FA-60DD-4B56-92D4-74A569205C16}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3FC47A08-E5C9-4BCA-A2C7-BC9A282AED14}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{531FDEBF-9B4C-4A43-A2AA-960E8FCDC732}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{78CB5B0E-26ED-4FCC-854C-77E8F3D1AA80}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{81D4E9C9-1D3B-41BC-9E6C-4B40BF79E35E}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{8613E14C-D0C0-4161-AC0F-1DD2563286BC}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{A028AE76-01B1-46C2-99C4-ACD9858AE02F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{AE6BE008-07FB-400D-8BEB-337A64F7051F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{C1EE01F2-B3B6-4A6A-9DDD-E988C088EC82}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{E429B25A-E5D3-4D1F-9BE3-0C608477E3A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F25E9F57-2FC8-4EB3-A41A-CCE5F08541E6}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F89E9E58-BD2F-4008-9AC2-0F816C09F4EE}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_CURRENT_USER
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
  • HKEY_CURRENT_USER\Software\Microsoft\CTF\DirectSwitchHotkeys
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
  • HKEY_CURRENT_USER\Software\Microsoft\CTF\LayoutIcon\0804\00000804
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\KnownClasses
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
Registry keys read
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\UseFilter
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\CR.DLL
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane2
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane3
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane4
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane5
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane6
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane7
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane8
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane9
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane10
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane11
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane12
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane13
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane14
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane15
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane16
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
Registry keys modified No information
Registry keys deleted No information
API resolution
  • kernel32.dll.IsProcessorFeaturePresent
  • cryptbase.dll.SystemFunction036
  • kernel32.dll.SortGetHandle
  • kernel32.dll.SortCloseHandle
  • comctl32.dll.RegisterClassNameW
  • uxtheme.dll.EnableThemeDialogTexture
  • uxtheme.dll.OpenThemeData
  • gdi32.dll.GetLayout
  • gdi32.dll.GdiRealizationInfo
  • gdi32.dll.FontIsLinked
  • advapi32.dll.RegOpenKeyExW
  • advapi32.dll.RegQueryInfoKeyW
  • gdi32.dll.GetTextFaceAliasW
  • advapi32.dll.RegEnumValueW
  • advapi32.dll.RegCloseKey
  • advapi32.dll.RegQueryValueExW
  • advapi32.dll.RegQueryValueExA
  • advapi32.dll.RegEnumKeyExW
  • gdi32.dll.GetTextExtentExPointWPri
  • ole32.dll.CoInitializeEx
  • ole32.dll.CoUninitialize
  • ole32.dll.CoRegisterInitializeSpy
  • ole32.dll.CoRevokeInitializeSpy
  • user32.dll.GetSystemMetrics
  • user32.dll.MonitorFromWindow
  • user32.dll.MonitorFromRect
  • user32.dll.MonitorFromPoint
  • user32.dll.EnumDisplayMonitors
  • user32.dll.GetMonitorInfoA
  • gdi32.dll.GetFontAssocStatus
  • oleaut32.dll.SysAllocString
  • oleaut32.dll.SysStringLen
  • oleaut32.dll.SysFreeString
  • oleaut32.dll.#500