Maldun (魔盾) Security Analysis Report

Analysis type: FILE
Start time: 2020-08-16 11:39:14
End time: 2020-08-16 11:40:04
Duration: 50 seconds
Analysis engine version: 1.4-Maldun

VM name: win7-sp1-x64-hpdapp01-1
Label: win7-sp1-x64-hpdapp01-1
Hypervisor: KVM
VM boot time: 2020-08-16 11:39:20
VM shutdown time: 2020-08-16 11:40:05
Maldun score

10.0 (Malicious)

File details

File name: Steam一键授权工具.exe ("Steam one-click authorization tool")
File size: 901120 bytes
File type: PE32 executable (GUI) Intel 80386, for MS Windows
CRC32: A8FA06A0
MD5: e07f5616dd0a367d7fa2a25213a50e38
SHA1: f11296f15350587363d012343f139fa0d18b6688
SHA256: 73a226d69404704c52ed802d5c1ad6f47639a3a1faf4143860d9ba1b0c5e91be
SHA512: 63c5107d63266469a3ffd202ee88a1a9862cda31bf9df58537d1cfc745554247cb7a0c627a8fa97ee0f72e334dbcedd794a9cf19527efdf4710e32fb56ed4bd7
Ssdeep: 12288:wc2zmx2sg8HpkFZpQQBZgqPsJ9Xl5ak5uGD1OUMdzmQK4Z/eMXRCHAk:wrzmBg8JkvpQKZgSsJB6dyQKI/eIW
PEiD: no match
Yara
  • DebuggerCheck__QueryInfo ()
  • DebuggerTiming__Ticks (Detected timing ticks function)
  • win_mutex (Create or check mutex)
  • screenshot (Detected take screenshot function)
  • create_process (Detection function for creating a new process)
  • keylogger (Detected keylogger function)
  • win_registry (Detected system registries modification function)
  • change_win_registry (Change registries to affect system)
  • win_files_operation (Affect private profile)
  • win_hook (Detected hook table access function)
  • win_private_profile (Detected private profile access function)
  • Maldun_Anomoly_Combined_Activities_7 (Spotted potential malicious behaviors from a small-size target, such as process manipulation, privilege, token and file operations)
  • with_images (Detected the presence of one or several images)
  • CRC32_poly_Constant (Look for CRC32 [poly])
  • CRC32_table (Look for CRC32 table)
  • MD5_Constants (Look for MD5 constants)
  • IsPE32 (Detected a 32bit PE sample)
  • IsWindowsGUI (Detected a Windows GUI sample)
  • HasRichSignature (Detected Rich Signature)
VirusTotal scan time: 2020-04-25 15:41:16
Scan result: 34/73 engines flagged the file

Signatures

Maldun Yara rule results - security alerts
Critical: Spotted potential malicious behaviors from a small-size target, such as process manipulation, privilege, token and file operations
The file is detected as malicious by at least one antivirus engine on VirusTotal (34 of 73 at scan time). The names below do not agree on a family: the recurring token is FlyStudio, the AV label for programs compiled with 易语言 (EPL, "Easy Programming Language"), which matches the Comments field in the version information further down.
Bkav: W32.AIDetectVM.malware
FireEye: Generic.mg.e07f5616dd0a367d
CAT-QuickHeal: Risktool.Flystudio.16885
Cylance: Unsafe
SUPERAntiSpyware: Trojan.Agent/Gen-OnlineGames
K7AntiVirus: Trojan ( 005246d51 )
Alibaba: Ransom:Win32/Wannaren.a63749a2
K7GW: Trojan ( 005246d51 )
Cybereason: malicious.153505
Invincea: heuristic
F-Prot: W32/Agent.EW.gen!Eldorado
Symantec: ML.Attribute.HighConfidence
TotalDefense: Win32/Oflwr.A!crypt
APEX: Malicious
ClamAV: Win.Malware.Zusy-6840460-0
GData: Win32.Application.PUPStudio.A
Rising: Malware.Heuristic!ET#98% (RDMK:cmRtazqiM759+vcVU04hUdbH+baS)
Comodo: Worm.Win32.Dropper.RA@1qraug
McAfee-GW-Edition: BehavesLike.Win32.Generic.ch
Trapmine: malicious.high.ml.score
Ikarus: PUA.Virbox
Cyren: W32/Agent.EW.gen!Eldorado
Antiy-AVL: GrayWare/Win32.FlyStudio.a
Microsoft: Trojan:Win32/Wacatac.D!ml
Endgame: malicious (high confidence)
Acronis: suspicious
BitDefenderTheta: Gen:NN.ZexaF.34106.3q0@aiNUNgdb
ESET-NOD32: a variant of Win32/Packed.FlyStudio.AA potentially unwanted
SentinelOne: DFI - Malicious PE
eGambit: Unsafe.AI_Score_99%
Fortinet: W32/QQWare.A!tr
MaxSecure: Trojan.Malware.300983.susgen
CrowdStrike: win/malicious_confidence_100% (D)
Qihoo-360: Generic/HEUR/QVM07.1.AD05.Malware.Gen
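
The 34 verdicts above use 34 different naming schemes, so the question a triager actually needs answered is which family name, if any, the engines agree on. The script below is an added example (not part of the Maldun report or of any vendor's tooling) that strips category and platform words from each label and counts family tokens once per vendor. VT_LABELS is a constructed subset copied from the list above, and the stop-word list is an assumption chosen for this illustration. On this input the only name with more than one vote is FlyStudio, the AV label for 易语言 (EPL) compiled programs.

```python
"""Normalize heterogeneous antivirus labels into family tokens and rank them.

Added example, not part of the Maldun report or any vendor tool. VT_LABELS is
a constructed subset of the report's VirusTotal section; STOP is an assumed
stop list for this illustration.
"""
from __future__ import annotations
import re
from collections import Counter

# Subset of the VirusTotal verdicts shown in the report (constructed input).
VT_LABELS = {
    "CAT-QuickHeal": "Risktool.Flystudio.16885",
    "Antiy-AVL": "GrayWare/Win32.FlyStudio.a",
    "ESET-NOD32": "a variant of Win32/Packed.FlyStudio.AA potentially unwanted",
    "Microsoft": "Trojan:Win32/Wacatac.D!ml",
    "ClamAV": "Win.Malware.Zusy-6840460-0",
    "Alibaba": "Ransom:Win32/Wannaren.a63749a2",
    "F-Prot": "W32/Agent.EW.gen!Eldorado",
    "Cyren": "W32/Agent.EW.gen!Eldorado",
    "Symantec": "ML.Attribute.HighConfidence",
    "Cylance": "Unsafe",
    "Fortinet": "W32/QQWare.A!tr",
    "Ikarus": "PUA.Virbox",
    "GData": "Win32.Application.PUPStudio.A",
    "CrowdStrike": "win/malicious_confidence_100% (D)",
}

# Tokens that name a category, platform or engine verdict rather than a
# family. Assumed list for this example; extend it from your own label corpus.
STOP = {
    "trojan", "win32", "win", "w32", "malware", "generic", "agent", "gen",
    "variant", "potentially", "unwanted", "packed", "ransom", "heur",
    "heuristic", "malicious", "confidence", "unsafe", "suspicious",
    "risktool", "grayware", "pua", "application", "attribute",
    "highconfidence", "eldorado", "worm", "dropper", "virus", "riskware",
    "behaveslike", "score", "high", "detect",
}

def family_tokens(label: str) -> list[str]:
    """Candidate family names from one vendor label.

    Splits on punctuation, lower-cases, and keeps only purely alphabetic
    tokens of four or more characters that are not category words, so that
    variant suffixes ("D", "AA"), counters ("6840460") and hex-like ids drop out.
    """
    out = []
    for tok in re.split(r"[^A-Za-z0-9]+", label):
        t = tok.lower()
        if len(t) >= 4 and t.isalpha() and t not in STOP:
            out.append(t)
    return out

def top_families(labels: dict[str, str]) -> list[tuple[str, int]]:
    """Number of vendors mentioning each family token, most common first.

    A token is counted once per vendor so a label cannot vote twice; ties are
    broken alphabetically so the output is deterministic.
    """
    votes: Counter[str] = Counter()
    for _vendor, label in labels.items():
        votes.update(set(family_tokens(label)))
    return sorted(votes.items(), key=lambda kv: (-kv[1], kv[0]))

if __name__ == "__main__":
    for family, n in top_families(VT_LABELS):
        print(f"{n:2d}  {family}")
```

Engines that share a backend (F-Prot and Cyren here) still count as two votes; weight vendors by independence if that matters for your triage.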

Runtime screenshots

No screenshots captured

Network analysis

No information (no network traffic was recorded in this run, although the sample imports WS2_32 socket functions)

Static analysis

PE information

Image base: 0x00400000
Entry point: 0x0047e05a (inside .text; consistent with PEiD finding no packer)
Declared checksum: 0x00000000
Computed checksum: 0x000e5513
Minimum OS version: 4.0
Compile time: 2020-04-19 00:07:27
Import hash (imphash): 7d26f94f3de14a5ee881a0308abfd577

A declared checksum of zero means the linker did not fill the field; Windows only enforces the checksum for drivers and other kernel-loaded images, so the mismatch is normal for a user-mode executable and is not by itself a sign of tampering. The compile timestamp is six days before the first VirusTotal scan (2020-04-25), which is consistent rather than suspicious.

Version information

LegalCopyright: 仅供学习使用，请勿用于非法途径，否者后果自负。 ("For study only; do not use for illegal purposes, otherwise you bear the consequences.")
FileVersion: 1.0.0.0
Comments: 本程序使用易语言编写(http://www.eyuyan.com) ("This program was written in 易语言 (EPL)", the language whose compiled output AV vendors label FlyStudio)
ProductName: Steam一键授权工具 ("Steam one-click authorization tool")
ProductVersion: 1.0.0.0
FileDescription: 仅供学习使用，请勿用于非法途径，否者后果自负。 (same text as LegalCopyright)
Translation: 0x0804 0x04b0 (language 0x0804 = Chinese, Simplified, PRC; code page 0x04B0 = 1200, Unicode)

PE sections

Name    Virtual address  Virtual size  Raw size    Characteristics                                                        Entropy
.text   0x00001000       0x0009d4b6    0x0009e000  IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ            6.58
.rdata  0x0009f000       0x0001af8e    0x0001b000  IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ                      4.73
.data   0x000ba000       0x0005942a    0x00018000  IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE  4.98
.rsrc   0x00114000       0x00009290    0x0000a000  IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ                      5.20

No section is both writable and executable and no entropy exceeds 7, so the image is neither packed nor encrypted; the detections are driven by heuristics and the E-Language runtime rather than by an obfuscation layer. The .data virtual size (0x5942a) exceeding its raw size (0x18000) is ordinary uninitialized data.
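
To reproduce the checksum and entropy figures in the two tables above without a third-party PE library, the following added example (not code from the report or from Maldun) implements the IMAGE_OPTIONAL_HEADER.CheckSum algorithm and Shannon entropy in plain Python. The minimal_pe_image helper builds a constructed header-only buffer so the code runs offline; check_file on the real sample should give declared 0x0 and an actual value of 0xe5513 as the report does.

```python
"""Recompute the PE checksum and section entropy shown in a sandbox report.

Added example, not part of the Maldun report. Pure-Python (no pefile) version
of the IMAGE_OPTIONAL_HEADER.CheckSum algorithm plus Shannon entropy.
minimal_pe_image() is a constructed, non-loadable header buffer for offline
use; check_file() takes a real path.
"""
from __future__ import annotations
import math
import struct
from collections import Counter

def checksum_field_offset(image: bytes) -> int:
    """Locate CheckSum: e_lfanew -> 'PE\\0\\0' + 20-byte file header ->
    optional header, whose CheckSum sits at offset 64 in PE32 and PE32+."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    return e_lfanew + 4 + 20 + 64

def pe_checksum(image: bytes, cs_offset: int) -> int:
    """Sum the image as little-endian 16-bit words with end-around carry,
    skipping the 4-byte CheckSum field itself, then add the file length."""
    total = 0
    data = image + (b"\0" if len(image) % 2 else b"")  # pad to whole words
    for off in range(0, len(data), 2):
        if cs_offset <= off < cs_offset + 4:
            continue
        total += struct.unpack_from("<H", data, off)[0]
        total = (total & 0xFFFF) + (total >> 16)         # fold the carry
    total = (total & 0xFFFF) + (total >> 16)
    return (total & 0xFFFF) + len(image)

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniform bytes.
    Packed or encrypted sections usually sit above about 7.2; the report's
    .text at 6.58 is ordinary compiled code."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())

def minimal_pe_image(declared_checksum: int = 0) -> bytes:
    """Constructed 0x200-byte header-only image: DOS header with
    e_lfanew=0x80, PE signature, zeroed file header, PE32 optional header
    carrying the given CheckSum. Not a loadable binary."""
    buf = bytearray(0x200)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)
    buf[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<H", buf, 0x80 + 4 + 20, 0x10B)          # PE32 magic
    struct.pack_into("<I", buf, 0x80 + 4 + 20 + 64, declared_checksum)
    return bytes(buf)

def check_image(image: bytes) -> dict[str, int | bool]:
    """Compare the declared and recomputed checksum, as the report does."""
    off = checksum_field_offset(image)
    declared = struct.unpack_from("<I", image, off)[0]
    actual = pe_checksum(image, off)
    return {"declared": declared, "actual": actual, "matches": declared == actual}

def check_file(path: str) -> dict[str, int | bool]:
    with open(path, "rb") as f:
        return check_image(f.read())

if __name__ == "__main__":
    print(check_image(minimal_pe_image()))
    print(shannon_entropy(minimal_pe_image()))
```

Because the CheckSum field is excluded from its own sum, writing the recomputed value back into the header makes the image self-consistent without changing the result, which is exactly what a linker's /RELEASE option does.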

Imports

Library WINMM.dll:
0x49f658 - midiStreamOut
0x49f65c - midiOutPrepareHeader
0x49f660 - waveOutUnprepareHeader
0x49f664 - waveOutPrepareHeader
0x49f668 - waveOutWrite
0x49f66c - waveOutPause
0x49f670 - waveOutReset
0x49f674 - waveOutClose
0x49f678 - waveOutGetNumDevs
0x49f67c - waveOutOpen
0x49f680 - midiOutUnprepareHeader
0x49f684 - midiStreamStop
0x49f688 - midiOutReset
0x49f68c - midiStreamClose
0x49f690 - midiStreamRestart
0x49f694 - waveOutRestart
0x49f698 - midiStreamOpen
0x49f69c - midiStreamProperty
Library WS2_32.dll:
0x49f6b4 - WSAAsyncSelect
0x49f6b8 - closesocket
0x49f6bc - WSACleanup
0x49f6c0 - inet_ntoa
0x49f6c4 - ntohl
0x49f6c8 - recvfrom
0x49f6cc - ioctlsocket
0x49f6d0 - recv
0x49f6d4 - accept
0x49f6d8 - getpeername
Library KERNEL32.dll:
0x49f174 - SetLastError
0x49f178 - GetTimeZoneInformation
0x49f17c - GetVersion
0x49f180 - TerminateThread
0x49f184 - CreateMutexA
0x49f188 - ReleaseMutex
0x49f18c - SuspendThread
0x49f190 - GetACP
0x49f194 - HeapSize
0x49f198 - RaiseException
0x49f19c - GetLocalTime
0x49f1a0 - GetSystemTime
0x49f1a4 - RtlUnwind
0x49f1a8 - GetStartupInfoA
0x49f1ac - GetOEMCP
0x49f1b0 - GetCPInfo
0x49f1b4 - GetProcessVersion
0x49f1b8 - SetErrorMode
0x49f1bc - GlobalFlags
0x49f1c0 - GetCurrentThread
0x49f1c4 - GetFileTime
0x49f1c8 - TlsGetValue
0x49f1cc - LocalReAlloc
0x49f1d0 - TlsSetValue
0x49f1d4 - TlsFree
0x49f1d8 - GlobalHandle
0x49f1dc - TlsAlloc
0x49f1e0 - LocalAlloc
0x49f1e4 - lstrcmpA
0x49f1e8 - GlobalGetAtomNameA
0x49f1ec - GlobalAddAtomA
0x49f1f0 - GlobalFindAtomA
0x49f1f4 - GlobalDeleteAtom
0x49f1f8 - lstrcmpiA
0x49f1fc - SetEndOfFile
0x49f200 - UnlockFile
0x49f204 - LockFile
0x49f208 - FlushFileBuffers
0x49f20c - DuplicateHandle
0x49f210 - lstrcpynA
0x49f214 - FileTimeToLocalFileTime
0x49f218 - FileTimeToSystemTime
0x49f21c - LocalFree
0x49f220 - InterlockedDecrement
0x49f224 - InterlockedIncrement
0x49f228 - OpenProcess
0x49f22c - TerminateProcess
0x49f230 - GetFileSize
0x49f234 - SetFilePointer
0x49f238 - CreateToolhelp32Snapshot
0x49f23c - Process32First
0x49f240 - Process32Next
0x49f244 - WideCharToMultiByte
0x49f248 - MultiByteToWideChar
0x49f24c - GetCurrentProcess
0x49f250 - GetWindowsDirectoryA
0x49f254 - GetSystemDirectoryA
0x49f258 - CreateSemaphoreA
0x49f25c - ResumeThread
0x49f260 - ReleaseSemaphore
0x49f264 - EnterCriticalSection
0x49f268 - LeaveCriticalSection
0x49f26c - GetProfileStringA
0x49f270 - WriteFile
0x49f274 - WaitForMultipleObjects
0x49f278 - CreateFileA
0x49f27c - SetEvent
0x49f280 - FindResourceA
0x49f284 - LoadResource
0x49f288 - LockResource
0x49f28c - ReadFile
0x49f290 - GetModuleFileNameA
0x49f294 - GetCurrentThreadId
0x49f298 - ExitProcess
0x49f29c - GlobalSize
0x49f2a0 - GlobalFree
0x49f2a4 - DeleteCriticalSection
0x49f2a8 - InitializeCriticalSection
0x49f2ac - lstrcatA
0x49f2b0 - lstrlenA
0x49f2b4 - WinExec
0x49f2b8 - InterlockedExchange
0x49f2bc - lstrcpyA
0x49f2c0 - FindNextFileA
0x49f2c4 - GlobalReAlloc
0x49f2c8 - HeapFree
0x49f2cc - HeapReAlloc
0x49f2d0 - GetProcessHeap
0x49f2d4 - HeapAlloc
0x49f2d8 - GetFullPathNameA
0x49f2dc - FreeLibrary
0x49f2e0 - LoadLibraryA
0x49f2e4 - GetLastError
0x49f2e8 - GetVersionExA
0x49f2ec - WritePrivateProfileStringA
0x49f2f0 - CreateThread
0x49f2f4 - CreateEventA
0x49f2f8 - Sleep
0x49f2fc - ExpandEnvironmentStringsA
0x49f300 - GlobalAlloc
0x49f304 - GlobalLock
0x49f308 - GlobalUnlock
0x49f30c - GetTempPathA
0x49f310 - FindFirstFileA
0x49f314 - FindClose
0x49f318 - SetFileAttributesA
0x49f31c - GetFileAttributesA
0x49f320 - DeleteFileA
0x49f324 - SetCurrentDirectoryA
0x49f328 - GetVolumeInformationA
0x49f32c - GetModuleHandleA
0x49f330 - GetProcAddress
0x49f334 - MulDiv
0x49f338 - GetCommandLineA
0x49f33c - GetTickCount
0x49f340 - CreateProcessA
0x49f344 - WaitForSingleObject
0x49f348 - CloseHandle
0x49f34c - UnhandledExceptionFilter
0x49f350 - FreeEnvironmentStringsA
0x49f354 - FreeEnvironmentStringsW
0x49f358 - GetEnvironmentStrings
0x49f35c - GetEnvironmentStringsW
0x49f360 - SetHandleCount
0x49f364 - GetStdHandle
0x49f368 - GetFileType
0x49f36c - GetEnvironmentVariableA
0x49f370 - HeapDestroy
0x49f374 - HeapCreate
0x49f378 - VirtualFree
0x49f37c - SetEnvironmentVariableA
0x49f380 - LCMapStringA
0x49f384 - LCMapStringW
0x49f388 - VirtualAlloc
0x49f38c - IsBadWritePtr
0x49f390 - SetUnhandledExceptionFilter
0x49f394 - GetStringTypeA
0x49f398 - GetStringTypeW
0x49f39c - CompareStringA
0x49f3a0 - CompareStringW
0x49f3a4 - IsBadReadPtr
0x49f3a8 - IsBadCodePtr
0x49f3ac - SetStdHandle
Library USER32.dll:
0x49f3e0 - GetMenu
0x49f3e4 - SetMenu
0x49f3e8 - PeekMessageA
0x49f3ec - IsIconic
0x49f3f0 - SetFocus
0x49f3f4 - GetActiveWindow
0x49f3f8 - GetWindow
0x49f3fc - DestroyAcceleratorTable
0x49f400 - SetWindowRgn
0x49f404 - DeleteMenu
0x49f408 - GetSystemMenu
0x49f40c - DefWindowProcA
0x49f410 - GetClassInfoA
0x49f414 - IsZoomed
0x49f418 - PostQuitMessage
0x49f41c - CopyAcceleratorTableA
0x49f420 - GetKeyState
0x49f424 - TranslateAcceleratorA
0x49f428 - IsWindowEnabled
0x49f42c - ShowWindow
0x49f430 - SystemParametersInfoA
0x49f434 - LoadImageA
0x49f438 - EnumDisplaySettingsA
0x49f43c - ClientToScreen
0x49f440 - EnableMenuItem
0x49f444 - GetSubMenu
0x49f448 - GetDlgCtrlID
0x49f44c - CreateAcceleratorTableA
0x49f450 - CreateMenu
0x49f454 - ModifyMenuA
0x49f458 - AppendMenuA
0x49f45c - GetMessagePos
0x49f460 - ScreenToClient
0x49f464 - CreatePopupMenu
0x49f468 - CopyRect
0x49f46c - LoadBitmapA
0x49f470 - WinHelpA
0x49f474 - KillTimer
0x49f478 - SetTimer
0x49f47c - ReleaseCapture
0x49f480 - GetCapture
0x49f484 - SetCapture
0x49f488 - GetScrollRange
0x49f48c - SetScrollRange
0x49f490 - SetScrollPos
0x49f494 - SetRect
0x49f498 - InflateRect
0x49f49c - IntersectRect
0x49f4a0 - DestroyIcon
0x49f4a4 - PtInRect
0x49f4a8 - OffsetRect
0x49f4ac - GetSysColorBrush
0x49f4b0 - IsWindowVisible
0x49f4b4 - EnableWindow
0x49f4b8 - RedrawWindow
0x49f4bc - GetWindowLongA
0x49f4c0 - SetWindowLongA
0x49f4c4 - GetSysColor
0x49f4c8 - SetActiveWindow
0x49f4cc - SetCursorPos
0x49f4d0 - LoadCursorA
0x49f4d4 - SetCursor
0x49f4d8 - GetDC
0x49f4dc - FillRect
0x49f4e0 - IsRectEmpty
0x49f4e4 - ReleaseDC
0x49f4e8 - IsChild
0x49f4ec - DestroyMenu
0x49f4f0 - SetForegroundWindow
0x49f4f4 - GetWindowRect
0x49f4f8 - EqualRect
0x49f4fc - UpdateWindow
0x49f500 - ValidateRect
0x49f504 - InvalidateRect
0x49f508 - GetClientRect
0x49f50c - GetFocus
0x49f510 - GetParent
0x49f514 - GetTopWindow
0x49f518 - PostMessageA
0x49f51c - IsWindow
0x49f520 - SetParent
0x49f524 - DestroyCursor
0x49f528 - SendMessageA
0x49f52c - SetWindowPos
0x49f530 - MessageBoxA
0x49f534 - GetCursorPos
0x49f538 - GetSystemMetrics
0x49f53c - EmptyClipboard
0x49f540 - SetClipboardData
0x49f544 - OpenClipboard
0x49f548 - GetClipboardData
0x49f54c - CloseClipboard
0x49f550 - wsprintfA
0x49f554 - WaitForInputIdle
0x49f558 - DrawIconEx
0x49f55c - CreateIconFromResource
0x49f560 - CreateIconFromResourceEx
0x49f564 - SetRectEmpty
0x49f568 - DispatchMessageA
0x49f56c - GetMessageA
0x49f570 - WindowFromPoint
0x49f574 - DrawFocusRect
0x49f578 - DrawEdge
0x49f57c - DrawFrameControl
0x49f580 - TranslateMessage
0x49f584 - LoadIconA
0x49f588 - GetForegroundWindow
0x49f58c - GetDesktopWindow
0x49f590 - GetClassNameA
0x49f594 - GetWindowThreadProcessId
0x49f598 - FindWindowA
0x49f59c - GetDlgItem
0x49f5a0 - GetWindowTextA
0x49f5a4 - ChildWindowFromPointEx
0x49f5a8 - UnregisterClassA
0x49f5ac - RegisterClipboardFormatA
0x49f5b0 - GetWindowTextLengthA
0x49f5b4 - CharUpperA
0x49f5b8 - GetWindowDC
0x49f5bc - BeginPaint
0x49f5c0 - EndPaint
0x49f5c4 - TabbedTextOutA
0x49f5c8 - DrawTextA
0x49f5cc - GrayStringA
0x49f5d0 - DestroyWindow
0x49f5d4 - CreateDialogIndirectParamA
0x49f5d8 - EndDialog
0x49f5dc - GetNextDlgTabItem
0x49f5e0 - GetWindowPlacement
0x49f5e4 - RegisterWindowMessageA
0x49f5e8 - GetLastActivePopup
0x49f5ec - GetMessageTime
0x49f5f0 - RemovePropA
0x49f5f4 - CallWindowProcA
0x49f5f8 - GetPropA
0x49f5fc - UnhookWindowsHookEx
0x49f600 - SetPropA
0x49f604 - GetClassLongA
0x49f608 - CallNextHookEx
0x49f60c - SetWindowsHookExA
0x49f610 - CreateWindowExA
0x49f614 - GetMenuItemID
0x49f618 - GetMenuItemCount
0x49f61c - RegisterClassA
0x49f620 - GetScrollPos
0x49f624 - AdjustWindowRectEx
0x49f628 - MapWindowPoints
0x49f62c - SendDlgItemMessageA
0x49f630 - ScrollWindowEx
0x49f634 - IsDialogMessageA
0x49f638 - SetWindowTextA
0x49f63c - MoveWindow
0x49f640 - CheckMenuItem
0x49f644 - SetMenuItemBitmaps
0x49f648 - GetMenuState
0x49f64c - GetMenuCheckMarkDimensions
0x49f650 - LoadStringA
Library GDI32.dll:
0x49f028 - PtVisible
0x49f02c - GetViewportExtEx
0x49f030 - ExtSelectClipRgn
0x49f034 - CreateSolidBrush
0x49f038 - GetStockObject
0x49f03c - CreateFontIndirectA
0x49f040 - EndPage
0x49f044 - EndDoc
0x49f048 - DeleteDC
0x49f04c - StartDocA
0x49f050 - StartPage
0x49f054 - BitBlt
0x49f058 - CreateCompatibleDC
0x49f05c - Ellipse
0x49f060 - Rectangle
0x49f064 - LPtoDP
0x49f068 - DPtoLP
0x49f06c - GetCurrentObject
0x49f070 - RectVisible
0x49f074 - GetTextExtentPoint32A
0x49f078 - GetDeviceCaps
0x49f07c - CreateRectRgnIndirect
0x49f080 - SetBkColor
0x49f084 - LineTo
0x49f088 - MoveToEx
0x49f08c - ExcludeClipRect
0x49f090 - GetClipBox
0x49f094 - ScaleWindowExtEx
0x49f098 - SetWindowExtEx
0x49f09c - SetWindowOrgEx
0x49f0a0 - TextOutA
0x49f0a4 - ExtTextOutA
0x49f0a8 - Escape
0x49f0ac - GetTextMetricsA
0x49f0b0 - FillRgn
0x49f0b4 - CreateRectRgn
0x49f0b8 - CombineRgn
0x49f0bc - PatBlt
0x49f0c0 - CreatePen
0x49f0c4 - GetObjectA
0x49f0c8 - SelectObject
0x49f0cc - CreateBitmap
0x49f0d0 - CreateDCA
0x49f0d4 - CreateCompatibleBitmap
0x49f0d8 - GetPolyFillMode
0x49f0dc - GetStretchBltMode
0x49f0e0 - GetROP2
0x49f0e4 - GetBkColor
0x49f0e8 - GetBkMode
0x49f0ec - GetTextColor
0x49f0f0 - CreateRoundRectRgn
0x49f0f4 - CreateEllipticRgn
0x49f0f8 - PathToRegion
0x49f0fc - EndPath
0x49f100 - ScaleViewportExtEx
0x49f104 - SetViewportExtEx
0x49f108 - OffsetViewportOrgEx
0x49f10c - SetViewportOrgEx
0x49f110 - SetMapMode
0x49f114 - SetTextColor
0x49f118 - SetROP2
0x49f11c - SetPolyFillMode
0x49f120 - BeginPath
0x49f124 - GetWindowOrgEx
0x49f128 - GetViewportOrgEx
0x49f12c - GetWindowExtEx
0x49f130 - GetDIBits
0x49f134 - RealizePalette
0x49f138 - SelectPalette
0x49f13c - StretchBlt
0x49f140 - CreatePalette
0x49f144 - GetSystemPaletteEntries
0x49f148 - DeleteObject
0x49f14c - SelectClipRgn
0x49f150 - CreatePolygonRgn
0x49f154 - GetClipRgn
0x49f158 - RoundRect
0x49f15c - CreateDIBitmap
0x49f160 - SetBkMode
0x49f164 - RestoreDC
0x49f168 - SaveDC
0x49f16c - SetStretchBltMode
Library WINSPOOL.DRV:
0x49f6a4 - OpenPrinterA
0x49f6a8 - DocumentPropertiesA
0x49f6ac - ClosePrinter
Library ADVAPI32.dll:
0x49f000 - RegQueryValueExA
0x49f004 - RegOpenKeyExA
0x49f008 - RegSetValueExA
0x49f00c - RegQueryValueA
0x49f010 - RegCreateKeyExA
0x49f014 - RegCloseKey
Library SHELL32.dll:
0x49f3c4 - SHGetSpecialFolderPathA
0x49f3c8 - ShellExecuteA
0x49f3cc - Shell_NotifyIconA
0x49f3d0 - SHGetMalloc
0x49f3d4 - SHGetPathFromIDListA
0x49f3d8 - SHBrowseForFolderA
Library ole32.dll:
0x49f6f4 - CLSIDFromString
0x49f6f8 - OleUninitialize
0x49f6fc - OleInitialize
Library OLEAUT32.dll:
0x49f3b4 - LoadTypeLib
0x49f3b8 - RegisterTypeLib
0x49f3bc - UnRegisterTypeLib
Library COMCTL32.dll:
0x49f01c - (unnamed import by ordinal; the report shows it as None)
0x49f020 - ImageList_Destroy
Library comdlg32.dll:
0x49f6e0 - ChooseColorA
0x49f6e4 - GetFileTitleA
0x49f6e8 - GetSaveFileNameA
0x49f6ec - GetOpenFileNameA
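
Most of the Yara hits listed under Yara are import-based: a rule named keylogger or win_hook fires because SetWindowsHookExA, CallNextHookEx and GetKeyState appear in the USER32 table above, which is typical of statically linked MFC-style GUI runtimes, and create_process fires on CreateProcessA. The added example below (not code from the report and not Maldun's rules) shows how such capability tags and the import hash are derived from an import table. IMPORTS is a constructed subset of the table above in the report's order; CAPABILITIES is an assumed map for illustration. Because the subset omits most entries and the unnamed COMCTL32 ordinal import, the computed imphash will not equal the report's 7d26f94f3de14a5ee881a0308abfd577; run it over a complete table to reproduce that value.

```python
"""Capability tags and import hash from a PE import table.

Added example, not part of the Maldun report or its Yara rules. IMPORTS is a
constructed subset of the report's import table; CAPABILITIES is an assumed
mapping. imphash follows the published algorithm (lower-cased 'lib.func'
pairs in import order, comma-joined, MD5) but does not handle ordinal-only
imports, which need the reference implementation's ordinal tables.
"""
from __future__ import annotations
import hashlib

# Constructed subset of the import table shown in the report, in table order.
IMPORTS: list[tuple[str, list[str]]] = [
    ("WINMM.dll", ["midiStreamOut", "waveOutOpen"]),
    ("WS2_32.dll", ["WSAAsyncSelect", "closesocket", "recv", "accept"]),
    ("KERNEL32.dll", ["CreateMutexA", "OpenProcess", "TerminateProcess",
                      "CreateToolhelp32Snapshot", "Process32First",
                      "Process32Next", "WinExec", "CreateProcessA",
                      "WritePrivateProfileStringA", "GetTickCount",
                      "LoadLibraryA", "GetProcAddress"]),
    ("USER32.dll", ["SetWindowsHookExA", "CallNextHookEx", "GetKeyState",
                    "GetForegroundWindow", "GetWindowTextA",
                    "OpenClipboard", "GetClipboardData", "FindWindowA"]),
    ("GDI32.dll", ["BitBlt", "CreateCompatibleDC", "GetDIBits"]),
    ("ADVAPI32.dll", ["RegSetValueExA", "RegCreateKeyExA", "RegOpenKeyExA"]),
    ("SHELL32.dll", ["ShellExecuteA"]),
]

# Tag -> APIs that must ALL be imported for the tag to apply (assumed map).
CAPABILITIES: dict[str, set[str]] = {
    # Any MFC-style GUI installs a message hook; this alone is not keylogging.
    "win_hook": {"SetWindowsHookExA", "CallNextHookEx"},
    "keylogger": {"SetWindowsHookExA", "GetKeyState", "GetForegroundWindow"},
    # Screen capture chain: compatible DC, copy pixels, read them back.
    "screenshot": {"BitBlt", "CreateCompatibleDC", "GetDIBits"},
    # Enumerate processes and kill one; the report's run-time resolution
    # shows the same chain being fetched via GetProcAddress.
    "process_kill": {"CreateToolhelp32Snapshot", "Process32Next",
                     "OpenProcess", "TerminateProcess"},
    "create_process": {"CreateProcessA"},
    "shell_exec": {"ShellExecuteA", "WinExec"},
    "registry_write": {"RegSetValueExA", "RegCreateKeyExA"},
    "clipboard_read": {"OpenClipboard", "GetClipboardData"},
    "network_socket": {"recv", "accept", "closesocket"},
    "dynamic_resolve": {"LoadLibraryA", "GetProcAddress"},
}

def imphash_string(imports: list[tuple[str, list[str]]]) -> str:
    """The pre-hash string: strip .dll/.ocx/.sys, lower-case, 'lib.func'
    in import order, comma-joined."""
    parts = []
    for lib, funcs in imports:
        base = lib.lower()
        for ext in (".dll", ".ocx", ".sys"):
            if base.endswith(ext):
                base = base[: -len(ext)]
        parts.extend(f"{base}.{f.lower()}" for f in funcs)
    return ",".join(parts)

def imphash(imports: list[tuple[str, list[str]]]) -> str:
    """MD5 of imphash_string(); equal values mean the same import layout,
    which survives recompilation far better than a file hash."""
    return hashlib.md5(imphash_string(imports).encode()).hexdigest()

def capability_tags(imports: list[tuple[str, list[str]]]) -> list[str]:
    """Tags whose full API set is present, sorted. Each is a static 'could
    do', not evidence the sample did it; confirm against the dynamic record."""
    present = {f for _lib, funcs in imports for f in funcs}
    return sorted(tag for tag, apis in CAPABILITIES.items() if apis <= present)

if __name__ == "__main__":
    print(imphash(IMPORTS))
    print(capability_tags(IMPORTS))
```

On this subset every tag fires, which is the point: a large GUI runtime imports enough of USER32, GDI32 and ADVAPI32 that import-only heuristics flag capabilities the program never exercises. The report's own dynamic record shows no registry write, no network traffic and no screenshot, so the screenshot, keylogger and registry tags stay unconfirmed.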

Dropped files

No information

Behavioral analysis

The run lasted 50 seconds and no screenshot was captured, so behavior gated on interaction with the program's GUI may not have been exercised; the entries below are what the sample did unprompted.

Mutexes
  • Local\MSCTF.Asm.MutexDefault1 (created by the Text Services Framework in any GUI process; not specific to this sample, so the win_mutex Yara hit carries no weight on its own)
Commands executed: none
Services created: none
Services started: none

Processes

Steam__________________.exe PID: 2696, parent PID: 2332
(The sandbox replaced each byte of the non-ASCII characters in the file name with an underscore; this process is the submitted sample, Steam一键授权工具.exe.)

Files accessed
  • C:\Windows\Globalization\Sorting\sortdefault.nls
  • C:\Windows\Fonts\staticcache.dat
  • C:\Users\test\AppData\Local\Temp\kernel32.DLL
  • C:\Users\test\AppData\Local\Temp\shlwapi.dll
  • C:\Users\test\AppData\Local\Temp\ssfn文件 (the report rendered the directory name as its UTF-8 bytes \xe6\x96\x87\xe4\xbb\xb6; 文件 means "files")
  • C:\Users\test\AppData\Roaming\Battlestate Games\BsgLauncher\settings
  • C:\BsgLauncher.exe
  • C:\Users\test\AppData\Local\Temp\kernel32.dll
  • C:\Users\test\AppData\Local\Temp\ssfn文件\ssfn8544172921137988491
  • C:\Users\test\AppData\Local\Temp\ssfn文件\ssfn8544172921137988491 (same path as the previous entry; the report rendered the directory name's GBK bytes CE C4 BC FE as U+FFCE U+FFC4 U+FFBC U+FFFE)
Files read
  • C:\Windows\Globalization\Sorting\sortdefault.nls
  • C:\Windows\Fonts\staticcache.dat
  • C:\Users\test\AppData\Local\Temp\ssfn文件\ssfn8544172921137988491
  • C:\Users\test\AppData\Local\Temp\ssfn文件\ssfn8544172921137988491 (same path, GBK rendering)
Files modified
  • C:\BsgLauncher.exe
Files deleted
  • C:\Users\test\AppData\Roaming\Battlestate Games\BsgLauncher\settings
  • C:\BsgLauncher.exe

Three observations matter here. The kernel32.DLL and shlwapi.dll entries under %TEMP% are look-ups in the sample's own directory (the sandbox runs the sample from %TEMP%); shlwapi.dll is loaded at run time for PathFileExistsA, as the API resolution section shows. The file ssfn8544172921137988491 is a Steam Guard sentry file: Steam stores these as ssfn<digits> in its install directory to mark a machine as authorized, so a "one-click authorization" tool that reads one out of a Temp folder named ssfn文件 is consistent with a Steam account-sharing tool that installs someone else's sentry file to skip Steam Guard, which is what the OnlineGames, QQWare and PUP labels in the VirusTotal list point at. The sample resolves CopyFileA at run time but no Steam installation was present in the VM, so where the sentry file would be copied is not shown. Finally, the sample overwrites and then deletes C:\BsgLauncher.exe and the Battlestate Games launcher settings file; no network activity or persistence accompanies any of this.
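
Two of the paths above are the same directory rendered twice, and the sentry-file name inside it is the indicator worth hunting for. The following added example (not part of the report) first undoes the sandbox's byte-escape rendering, decoding runs of escapes as UTF-8 and, where the result lands in U+FF80..U+FFFF, taking the low bytes back as GBK (the 0xNN to U+FFNN mapping is inferred from the two entries above, not from sandbox documentation), then applies a rule that flags any ssfn<digits> file touched by a process other than Steam or lying outside a Steam directory. EVENTS copies the report's file-access list with the process name the sandbox recorded and adds one constructed baseline event for steam.exe itself to show the rule staying quiet.

```python
"""Normalize sandbox-rendered file paths and flag Steam sentry-file access.

Added example, not part of the Maldun report. Assumptions: the report shows
raw bytes as '\\xNN' escapes (UTF-8 for one entry, GBK bytes mapped to
U+FF00+byte for the other); Steam's own sentry files live directly under a
directory named 'Steam' and are only legitimately touched by steam.exe.
"""
from __future__ import annotations
import re

# Two or more adjacent escapes form a byte run; a lone '\xfe' inside a real
# directory name such as '\xfer' is left untouched.
RUN = re.compile(r"(?:\\x[0-9a-fA-F]{2}){2,}")
HEX = re.compile(r"\\x([0-9a-fA-F]{2})")

def _decode_run(run: str) -> str:
    raw = bytes(int(h, 16) for h in HEX.findall(run))
    text = raw.decode("utf-8", errors="replace")
    if all(0xFF80 <= ord(ch) <= 0xFFFF for ch in text):
        # The report put raw GBK bytes into U+FF80..U+FFFF; take the low
        # byte of each code point back and decode it as GBK instead.
        text = bytes(ord(ch) & 0xFF for ch in text).decode("gbk", errors="replace")
    return text

def unescape_sandbox_path(shown: str) -> str:
    """Return the path as the program saw it: both 'ssfn\\xe6\\x96\\x87...'
    and 'ssfn\\xef\\xbf\\x8e...' become 'ssfn文件'."""
    return RUN.sub(lambda m: _decode_run(m.group(0)), shown)

# Constructed event list: (process name as recorded, path as shown in the
# report). The final steam.exe entry is invented as a benign baseline.
EVENTS = [
    ("Steam__________________.exe", r"C:\Windows\Globalization\Sorting\sortdefault.nls"),
    ("Steam__________________.exe", r"C:\Users\test\AppData\Local\Temp\kernel32.DLL"),
    ("Steam__________________.exe", r"C:\Users\test\AppData\Local\Temp\ssfn\xe6\x96\x87\xe4\xbb\xb6\ssfn8544172921137988491"),
    ("Steam__________________.exe", r"C:\Users\test\AppData\Local\Temp\ssfn\xef\xbf\x8e\xef\xbf\x84\xef\xbe\xbc\xef\xbf\xbe\ssfn8544172921137988491"),
    ("Steam__________________.exe", r"C:\Users\test\AppData\Roaming\Battlestate Games\BsgLauncher\settings"),
    ("Steam__________________.exe", r"C:\BsgLauncher.exe"),
    ("steam.exe", r"C:\Program Files (x86)\Steam\ssfn8544172921137988491"),
]

SENTRY = re.compile(r"\\ssfn\d{10,}$", re.IGNORECASE)            # ssfn<long number>
STEAM_DIR = re.compile(r"\\steam\\ssfn\d{10,}$", re.IGNORECASE)  # directly under Steam

def sentry_file_hits(events: list[tuple[str, str]]) -> list[tuple[str, str]]:
    """(process, normalized path) pairs that need a look: a sentry file
    touched by something other than steam.exe, or one outside a Steam
    directory. The two report entries collapse to one hit once decoded."""
    seen: set[tuple[str, str]] = set()
    hits = []
    for proc, shown in events:
        path = unescape_sandbox_path(shown)
        if not SENTRY.search(path):
            continue
        suspicious = proc.lower() != "steam.exe" or not STEAM_DIR.search(path)
        if suspicious and (proc, path) not in seen:
            seen.add((proc, path))
            hits.append((proc, path))
    return hits

if __name__ == "__main__":
    for proc, path in sentry_file_hits(EVENTS):
        print(f"{proc} -> {path}")
```

The same rule applied to endpoint file-event telemetry is a cheap hunt for account-sharing tools: on a normal machine nothing but steam.exe should ever open a sentry file, and none should exist under a user's Temp directory.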
Registry keys opened or queried
Note: the NLS, font, language-pack, CTF/IME and error-reporting keys below are read by the GUI runtime during start-up. The one application-specific key is the uninstall entry {B0FDA062-7581-4D67-B085-C4E7C358037F}_is1, whose _is1 suffix follows Inno Setup's uninstall-key convention; the report does not say which product it belongs to.
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\ExtendedLocale
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane2
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane3
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane4
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane5
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane6
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane7
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane8
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane9
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane10
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane11
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane12
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane13
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane14
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane15
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane16
  • HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{B0FDA062-7581-4D67-B085-C4E7C358037F}_is1
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\WMR
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\Steam__________________.exe
  • HKEY_LOCAL_MACHINE\Software\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{03B5835F-F03C-411B-9CE2-AA23E1171E36}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{07EB03D6-B001-41DF-9192-BF9B841EE71F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3697C5FA-60DD-4B56-92D4-74A569205C16}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3FC47A08-E5C9-4BCA-A2C7-BC9A282AED14}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{531FDEBF-9B4C-4A43-A2AA-960E8FCDC732}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{78CB5B0E-26ED-4FCC-854C-77E8F3D1AA80}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{81D4E9C9-1D3B-41BC-9E6C-4B40BF79E35E}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{8613E14C-D0C0-4161-AC0F-1DD2563286BC}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{A028AE76-01B1-46C2-99C4-ACD9858AE02F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{AE6BE008-07FB-400D-8BEB-337A64F7051F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{C1EE01F2-B3B6-4A6A-9DDD-E988C088EC82}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{E429B25A-E5D3-4D1F-9BE3-0C608477E3A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F25E9F57-2FC8-4EB3-A41A-CCE5F08541E6}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F89E9E58-BD2F-4008-9AC2-0F816C09F4EE}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_CURRENT_USER
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
  • HKEY_CURRENT_USER\Software\Microsoft\CTF\DirectSwitchHotkeys
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
  • HKEY_CURRENT_USER\Software\Microsoft\CTF\LayoutIcon\0804\00000804
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\KnownClasses
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
Registry keys read
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane2
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane3
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane4
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane5
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane6
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane7
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane8
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane9
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane10
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane11
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane12
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane13
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane14
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane15
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane16
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
Registry keys modified: none
Registry keys deleted: none
(The win_registry and change_win_registry Yara hits stem from the imported RegSetValueExA and RegCreateKeyExA; no key was written in this run, so there is no registry-based persistence.)
APIs resolved at run time (GetProcAddress)
Note: resolving CreateToolhelp32Snapshot, Process32First, Process32Next, OpenProcess and TerminateProcess, followed by PathFileExistsA and later CopyFileA, matches the pattern of a tool that kills a running client, checks for a path and copies a file into place; these calls are also what the Critical Yara alert in the Signatures section keys on. cryptbase.dll.SystemFunction036 is RtlGenRandom.
  • kernel32.dll.IsProcessorFeaturePresent
  • cryptbase.dll.SystemFunction036
  • kernel32.dll.SortGetHandle
  • kernel32.dll.SortCloseHandle
  • comctl32.dll.RegisterClassNameW
  • uxtheme.dll.OpenThemeData
  • imm32.dll.ImmIsIME
  • gdi32.dll.GetLayout
  • gdi32.dll.GdiRealizationInfo
  • gdi32.dll.FontIsLinked
  • advapi32.dll.RegOpenKeyExW
  • advapi32.dll.RegQueryInfoKeyW
  • gdi32.dll.GetTextFaceAliasW
  • advapi32.dll.RegEnumValueW
  • advapi32.dll.RegCloseKey
  • advapi32.dll.RegQueryValueExW
  • advapi32.dll.RegQueryValueExA
  • advapi32.dll.RegEnumKeyExW
  • gdi32.dll.GetTextExtentExPointWPri
  • uxtheme.dll.EnableThemeDialogTexture
  • kernel32.dll.CreateToolhelp32Snapshot
  • kernel32.dll.Process32First
  • kernel32.dll.Process32Next
  • kernel32.dll.CloseHandle
  • kernel32.dll.OpenProcess
  • kernel32.dll.TerminateProcess
  • shlwapi.dll.PathFileExistsA
  • ole32.dll.CoInitializeEx
  • ole32.dll.CoUninitialize
  • ole32.dll.CoRegisterInitializeSpy
  • ole32.dll.CoRevokeInitializeSpy
  • user32.dll.GetSystemMetrics
  • user32.dll.MonitorFromWindow
  • user32.dll.MonitorFromRect
  • user32.dll.MonitorFromPoint
  • user32.dll.EnumDisplayMonitors
  • user32.dll.GetMonitorInfoA
  • gdi32.dll.GetFontAssocStatus
  • oleaut32.dll.SysAllocString
  • oleaut32.dll.SysStringLen
  • oleaut32.dll.SysFreeString
  • kernel32.dll.CopyFileA
  • oleaut32.dll.#500