Maldun Security Analysis Report

Analysis type Start time End time Duration Analysis engine version
FILE 2020-09-25 17:18:52 2020-09-25 17:19:54 62 seconds 1.4-Maldun
VM name Tag Hypervisor Boot time Shutdown time
win7-sp1-x64-hpdapp01-1 win7-sp1-x64-hpdapp01-1 KVM 2020-09-25 17:19:08 2020-09-25 17:19:55
Maldun score

10.0

Malicious

File details

File name Hash_new_163_0918.exe
File size 9789440 bytes
File type PE32 executable (GUI) Intel 80386, for MS Windows
CRC32 14FF9C7D
MD5 21c6608dc2f49980566a3940a6c40005
SHA1 8322fce46a3c4d636102fc748f04cfeb11deee02
SHA256 6162c0635443a489509fce87e4d56a70af1452f63d8a70b20476d196422f3133
SHA512 7c07b5648f08d30673bd2a00403d0a29a1523dcd6740147f52b253d3474b797884c15a66c27bd6e94dd80e6b9ee84a69667d92b178d7fc130f177837021edaf4
Ssdeep 196608:KqZWwUE8GEZmlJTK9bjcKxnC9bUljtDyHMdYBroqD7/FKA3wfwlWeUiZw:KqZW3EKZmlklxC9bUlBLdY8g5lwfwlWx
PEiD No match
Yara
  • DebuggerTiming__PerformanceCounter ()
  • DebuggerTiming__Ticks (Detected timing ticks function)
  • anti_dbg (Detected self protection if being debugged)
  • win_mutex (Create or check mutex)
  • screenshot (Detected take screenshot function)
  • create_process (Detection function for creating a new process)
  • keylogger (Detected keylogger function)
  • win_registry (Detected system registries modification function)
  • change_win_registry (Change registries to affect system)
  • win_files_operation (Affect private profile)
  • win_hook (Detected hook table access function)
  • win_private_profile (Detected private profile access function)
  • Maldun_Anomoly_Combined_Activities_7 (Spotted potential malicious behaviors from a small size target, like process manipultion, privilege, token and files)
  • IsPE32 (Detected a 32bit PE sample)
  • IsWindowsGUI (Detected a Windows GUI sample)
  • IsPacked (Detected Entropy signature)
VirusTotal VirusTotal link
VirusTotal scan time: 2020-09-20 03:13:01
Scan result: 33/68

Signatures

The binary likely contains encrypted or compressed data
section: name: .vmp1, entropy: 7.98, characteristics: IMAGE_SCN_CNT_CODE|IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ, raw_size: 0x00951000, virtual_size: 0x00950740
Maldun Security Yara rule detection result - security alert
Critical: Spotted potential malicious behaviors from a small size target, like process manipultion, privilege, token and files
Network activity detected that does not appear in the API log
ip: 104.99.238.89
domain: acroipm.adobe.com
The executable is probably packed with VMProtect
section: {'name': '.vmp0', 'characteristics': 'IMAGE_SCN_CNT_CODE|IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ', 'virtual_address': '0x00661000', 'size_of_data': '0x00000000', 'entropy': '0.00', 'virtual_size': '0x0023b694', 'characteristics_raw': '0x60000060'}
The file was flagged as malicious by at least one antivirus engine on VirusTotal
Bkav: W32.AIDetectVM.malware1
Elastic: malicious (high confidence)
MicroWorld-eScan: Gen:Variant.Ursu.617261
Cylance: Unsafe
K7AntiVirus: Unwanted-Program ( 004eb1401 )
BitDefender: Gen:Variant.Ursu.617261
K7GW: Unwanted-Program ( 004eb1401 )
BitDefenderTheta: Gen:NN.ZexaF.34254.@B0@a43sgSfH
Symantec: ML.Attribute.HighConfidence
Cynet: Malicious (score: 100)
Rising: Trojan.Generic@ML.100 (RDML:SbcRBW9gt7XadXlGtenkDw)
Ad-Aware: Gen:Variant.Ursu.617261
F-Secure: Heuristic.HEUR/AGEN.1135703
Invincea: Generic ML PUA (PUA)
SentinelOne: DFI - Malicious PE
FireEye: Generic.mg.21c6608dc2f49980
APEX: Malicious
GData: Gen:Variant.Ursu.617261
MaxSecure: Trojan.Malware.300983.susgen
Avira: HEUR/AGEN.1135703
Arcabit: Trojan.Ursu.D96B2D
Microsoft: Trojan:Win32/Wacatac.D6!ml
Acronis: suspicious
ALYac: Gen:Variant.Ursu.617261
MAX: malware (ai score=89)
ESET-NOD32: a variant of Win32/GenKryptik.DHCY
Tencent: Win32.Trojan.Suspicious.Hqvm
Ikarus: Trojan.Win32.Krypt
eGambit: Unsafe.AI_Score_99%
Fortinet: W32/GenKryptik.DLII!tr
AVG: FileRepMalware
CrowdStrike: win/malicious_confidence_90% (W)
Qihoo-360: Generic/HEUR/QVM19.1.018A.Malware.Gen

Runtime screenshots

Network analysis

DNS resolution

Domain Response
acroipm.adobe.com CNAME acroipm.adobe.com.edgesuite.net
A 104.99.238.89
CNAME a1983.dscd.akamai.net
A 104.99.238.98

TCP connections

IP address Port
104.99.238.98 80

UDP connections

IP address Port
192.168.122.1 53

HTTP requests

URL HTTP data
http://acroipm.adobe.com/11/rdr/CHS/win/nooem/none/message.zip
GET /11/rdr/CHS/win/nooem/none/message.zip HTTP/1.1
Accept: */*
If-Modified-Since: Mon, 08 Nov 2017 08:44:36 GMT
User-Agent: IPM
Host: acroipm.adobe.com
Connection: Keep-Alive
Cache-Control: no-cache

Static analysis

PE information

Image base 0x00400000
Entry point 0x00dd6e21
Declared checksum 0x00000000
Actual checksum 0x009597a6
Minimum OS version required 5.0
Compile time 2020-09-18 14:08:51
Import hash 270113278c13aa86cf8c3e1418166bf8
Export DLL name 791

Version information

LegalCopyright: CSGO Hash 奇特吧特别版,www.cheat8.com
FileVersion: 1.0.0.0
CompanyName: 奇特吧
Comments: CSGO Hash 奇特吧特别,www.cheat8.com
ProductName: CSGO Hash 奇特吧特别版
ProductVersion: 1.0.0.0
FileDescription: CSGO Hash 奇特吧特版,www.cheat8.com
Translation: 0x0804 0x04b0

PE sections

Name Virtual address Virtual size Raw data size Characteristics Entropy
.text 0x00001000 0x000b6e96 0x00000000 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 0.00
.rdata 0x000b8000 0x005495c8 0x00000000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 0.00
.data 0x00602000 0x0005eaa8 0x00000000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 0.00
.vmp0 0x00661000 0x0023b694 0x00000000 IMAGE_SCN_CNT_CODE|IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 0.00
.vmp1 0x0089d000 0x00950740 0x00951000 IMAGE_SCN_CNT_CODE|IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 7.98
.rsrc 0x011ee000 0x000087aa 0x00004000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 3.10

Resources

Name Offset Size Language Sublanguage Entropy File type
RT_BITMAP 0x011f4920 0x00000144 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 0.00 None
RT_MENU 0x011f4a70 0x00000284 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 0.00 None
RT_DIALOG 0x011f5cb8 0x0000018c LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 0.00 None
RT_STRING 0x011f6700 0x00000024 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 0.00 None
RT_GROUP_CURSOR 0x011f6788 0x00000022 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 0.00 None

Imports

Library KERNEL32.dll:
0xdb2000 - GetCurrentThreadId
0xdb2004 - WaitForSingleObject
0xdb2008 - GetTickCount
0xdb200c - GetCommandLineA
0xdb2010 - MulDiv
0xdb2014 - SetStdHandle
0xdb2018 - IsBadCodePtr
0xdb201c - IsBadReadPtr
0xdb2020 - CompareStringW
0xdb2024 - CompareStringA
0xdb2028 - SetUnhandledExceptionFilter
0xdb202c - GetStringTypeW
0xdb2030 - GetStringTypeA
0xdb2034 - IsBadWritePtr
0xdb2038 - VirtualAlloc
0xdb203c - LCMapStringW
0xdb2040 - LCMapStringA
0xdb2044 - SetEnvironmentVariableA
0xdb2048 - VirtualFree
0xdb204c - HeapCreate
0xdb2050 - HeapDestroy
0xdb2054 - GetEnvironmentVariableA
0xdb2058 - GetFileType
0xdb205c - GetStdHandle
0xdb2060 - SetHandleCount
0xdb2064 - GetEnvironmentStringsW
0xdb2068 - GetEnvironmentStrings
0xdb206c - FreeEnvironmentStringsW
0xdb2070 - FreeEnvironmentStringsA
0xdb2074 - UnhandledExceptionFilter
0xdb2078 - GetACP
0xdb207c - HeapSize
0xdb2080 - TerminateProcess
0xdb2084 - RaiseException
0xdb2088 - GetLocalTime
0xdb208c - GetSystemTime
0xdb2090 - GetTimeZoneInformation
0xdb2094 - RtlUnwind
0xdb2098 - GetStartupInfoA
0xdb209c - GetOEMCP
0xdb20a0 - GetCPInfo
0xdb20a4 - GetProcessVersion
0xdb20a8 - SetErrorMode
0xdb20ac - GlobalFlags
0xdb20b0 - GetCurrentThread
0xdb20b4 - GetFileTime
0xdb20b8 - GetFileSize
0xdb20bc - TlsGetValue
0xdb20c0 - LocalReAlloc
0xdb20c4 - TlsSetValue
0xdb20c8 - TlsFree
0xdb20cc - GlobalHandle
0xdb20d0 - TlsAlloc
0xdb20d4 - LocalAlloc
0xdb20d8 - lstrcmpA
0xdb20dc - GetVersion
0xdb20e0 - GlobalGetAtomNameA
0xdb20e4 - GlobalAddAtomA
0xdb20e8 - GlobalFindAtomA
0xdb20ec - GlobalDeleteAtom
0xdb20f0 - lstrcmpiA
0xdb20f4 - SetEndOfFile
0xdb20f8 - UnlockFile
0xdb20fc - LockFile
0xdb2100 - FlushFileBuffers
0xdb2104 - SetFilePointer
0xdb2108 - DuplicateHandle
0xdb210c - lstrcpynA
0xdb2110 - SetLastError
0xdb2114 - FileTimeToLocalFileTime
0xdb2118 - FileTimeToSystemTime
0xdb211c - LocalFree
0xdb2120 - InterlockedDecrement
0xdb2124 - InterlockedIncrement
0xdb2128 - GetProcAddress
0xdb212c - GetModuleHandleA
0xdb2130 - GetVolumeInformationA
0xdb2134 - SetCurrentDirectoryA
0xdb2138 - DeleteFileA
0xdb213c - GetFileAttributesA
0xdb2140 - FindClose
0xdb2144 - FindFirstFileA
0xdb2148 - GetTempPathA
0xdb214c - GlobalUnlock
0xdb2150 - GlobalLock
0xdb2154 - GlobalAlloc
0xdb2158 - Sleep
0xdb215c - CreateEventA
0xdb2160 - CreateThread
0xdb2164 - WritePrivateProfileStringA
0xdb2168 - GetVersionExA
0xdb216c - GetLastError
0xdb2170 - LoadLibraryA
0xdb2174 - FreeLibrary
0xdb2178 - GetFullPathNameA
0xdb217c - HeapAlloc
0xdb2180 - GetProcessHeap
0xdb2184 - HeapReAlloc
0xdb2188 - HeapFree
0xdb218c - GlobalReAlloc
0xdb2190 - FindNextFileA
0xdb2194 - lstrcpyA
0xdb2198 - WinExec
0xdb219c - lstrlenA
0xdb21a0 - SuspendThread
0xdb21a4 - TerminateThread
0xdb21a8 - ReleaseMutex
0xdb21ac - CreateMutexA
0xdb21b0 - WideCharToMultiByte
0xdb21b4 - MultiByteToWideChar
0xdb21b8 - GetCurrentProcess
0xdb21bc - GetWindowsDirectoryA
0xdb21c0 - GetSystemDirectoryA
0xdb21c4 - CreateSemaphoreA
0xdb21c8 - ResumeThread
0xdb21cc - ReleaseSemaphore
0xdb21d0 - EnterCriticalSection
0xdb21d4 - LeaveCriticalSection
0xdb21d8 - GetProfileStringA
0xdb21dc - WriteFile
0xdb21e0 - WaitForMultipleObjects
0xdb21e4 - lstrcatA
0xdb21e8 - InitializeCriticalSection
0xdb21ec - DeleteCriticalSection
0xdb21f0 - GlobalFree
0xdb21f4 - GlobalSize
0xdb21f8 - ExitProcess
0xdb21fc - CloseHandle
0xdb2200 - GetModuleFileNameA
0xdb2204 - ReadFile
0xdb2208 - LockResource
0xdb220c - LoadResource
0xdb2210 - FindResourceA
0xdb2214 - SetEvent
0xdb2218 - CreateFileA
Library USER32.dll:
0xdb2220 - UnregisterClassA
0xdb2224 - wsprintfA
0xdb2228 - CloseClipboard
0xdb222c - GetClipboardData
0xdb2230 - OpenClipboard
0xdb2234 - SetClipboardData
0xdb2238 - EmptyClipboard
0xdb223c - GetSystemMetrics
0xdb2240 - GetCursorPos
0xdb2244 - MessageBoxA
0xdb2248 - SetWindowPos
0xdb224c - SendMessageA
0xdb2250 - DestroyCursor
0xdb2254 - SetParent
0xdb2258 - IsWindow
0xdb225c - PostMessageA
0xdb2260 - GetTopWindow
0xdb2264 - GetParent
0xdb2268 - GetFocus
0xdb226c - GetClientRect
0xdb2270 - InvalidateRect
0xdb2274 - ValidateRect
0xdb2278 - UpdateWindow
0xdb227c - EqualRect
0xdb2280 - GetWindowRect
0xdb2284 - SetForegroundWindow
0xdb2288 - DestroyMenu
0xdb228c - TrackPopupMenu
0xdb2290 - IsChild
0xdb2294 - ReleaseDC
0xdb2298 - IsRectEmpty
0xdb229c - FillRect
0xdb22a0 - GetDC
0xdb22a4 - SetCursor
0xdb22a8 - LoadCursorA
0xdb22ac - SetCursorPos
0xdb22b0 - SetActiveWindow
0xdb22b4 - GetSysColor
0xdb22b8 - SetWindowLongA
0xdb22bc - GetWindowLongA
0xdb22c0 - RedrawWindow
0xdb22c4 - EnableWindow
0xdb22c8 - IsWindowVisible
0xdb22cc - OffsetRect
0xdb22d0 - PtInRect
0xdb22d4 - DestroyIcon
0xdb22d8 - IntersectRect
0xdb22dc - InflateRect
0xdb22e0 - GetForegroundWindow
0xdb22e4 - GetWindowTextA
0xdb22e8 - SetWindowTextA
0xdb22ec - GetMenuItemCount
0xdb22f0 - GetMenuItemID
0xdb22f4 - GetMenuStringA
0xdb22f8 - GetMenuState
0xdb22fc - GetTabbedTextExtentA
0xdb2300 - DrawStateA
0xdb2304 - GrayStringA
0xdb2308 - TabbedTextOutA
0xdb230c - WindowFromDC
0xdb2310 - EnumChildWindows
0xdb2314 - GetWindowDC
0xdb2318 - UnhookWindowsHookEx
0xdb231c - CallNextHookEx
0xdb2320 - SetWindowsHookExA
0xdb2324 - FrameRect
0xdb2328 - GetPropA
0xdb232c - MoveWindow
0xdb2330 - CallWindowProcA
0xdb2334 - SetPropA
0xdb2338 - DrawTextA
0xdb233c - GetCursor
0xdb2340 - LoadIconA
0xdb2344 - TranslateMessage
0xdb2348 - DrawFrameControl
0xdb234c - DrawEdge
0xdb2350 - DrawFocusRect
0xdb2354 - WindowFromPoint
0xdb2358 - GetMessageA
0xdb235c - DispatchMessageA
0xdb2360 - SetRectEmpty
0xdb2364 - RegisterClipboardFormatA
0xdb2368 - CreateIconFromResourceEx
0xdb236c - CreateIconFromResource
0xdb2370 - DrawIconEx
0xdb2374 - CreatePopupMenu
0xdb2378 - AppendMenuA
0xdb237c - ModifyMenuA
0xdb2380 - CreateMenu
0xdb2384 - CreateAcceleratorTableA
0xdb2388 - GetDlgCtrlID
0xdb238c - GetSubMenu
0xdb2390 - EnableMenuItem
0xdb2394 - ClientToScreen
0xdb2398 - EnumDisplaySettingsA
0xdb239c - LoadImageA
0xdb23a0 - SystemParametersInfoA
0xdb23a4 - ShowWindow
0xdb23a8 - IsWindowEnabled
0xdb23ac - TranslateAcceleratorA
0xdb23b0 - GetKeyState
0xdb23b4 - CopyAcceleratorTableA
0xdb23b8 - PostQuitMessage
0xdb23bc - IsZoomed
0xdb23c0 - GetClassInfoA
0xdb23c4 - DefWindowProcA
0xdb23c8 - GetSystemMenu
0xdb23cc - DeleteMenu
0xdb23d0 - GetMenu
0xdb23d4 - SetMenu
0xdb23d8 - PeekMessageA
0xdb23dc - IsIconic
0xdb23e0 - SetFocus
0xdb23e4 - GetActiveWindow
0xdb23e8 - GetWindow
0xdb23ec - DestroyAcceleratorTable
0xdb23f0 - SetWindowRgn
0xdb23f4 - GetMessagePos
0xdb23f8 - ScreenToClient
0xdb23fc - ChildWindowFromPointEx
0xdb2400 - CopyRect
0xdb2404 - LoadBitmapA
0xdb2408 - WinHelpA
0xdb240c - KillTimer
0xdb2410 - SetTimer
0xdb2414 - GetWindowTextLengthA
0xdb2418 - CharUpperA
0xdb241c - BeginPaint
0xdb2420 - EndPaint
0xdb2424 - GetDlgItem
0xdb2428 - DestroyWindow
0xdb242c - CreateDialogIndirectParamA
0xdb2430 - EndDialog
0xdb2434 - GetNextDlgTabItem
0xdb2438 - GetWindowPlacement
0xdb243c - RegisterWindowMessageA
0xdb2440 - GetLastActivePopup
0xdb2444 - GetMessageTime
0xdb2448 - RemovePropA
0xdb244c - GetClassLongA
0xdb2450 - CreateWindowExA
0xdb2454 - RegisterClassA
0xdb2458 - GetScrollPos
0xdb245c - AdjustWindowRectEx
0xdb2460 - MapWindowPoints
0xdb2464 - SendDlgItemMessageA
0xdb2468 - ScrollWindowEx
0xdb246c - IsDialogMessageA
0xdb2470 - CheckMenuItem
0xdb2474 - SetMenuItemBitmaps
0xdb2478 - GetMenuCheckMarkDimensions
0xdb247c - GetClassNameA
0xdb2480 - GetDesktopWindow
0xdb2484 - LoadStringA
0xdb2488 - GetSysColorBrush
0xdb248c - ReleaseCapture
0xdb2490 - GetCapture
0xdb2494 - SetCapture
0xdb2498 - GetScrollRange
0xdb249c - SetScrollRange
0xdb24a0 - SetScrollPos
0xdb24a4 - SetRect
Library GDI32.dll:
0xdb24ac - ExtSelectClipRgn
0xdb24b0 - LineTo
0xdb24b4 - GetViewportExtEx
0xdb24b8 - GetTextMetricsA
0xdb24bc - MoveToEx
0xdb24c0 - ExcludeClipRect
0xdb24c4 - GetClipBox
0xdb24c8 - ScaleWindowExtEx
0xdb24cc - SetWindowExtEx
0xdb24d0 - SetPolyFillMode
0xdb24d4 - SetROP2
0xdb24d8 - SetMapMode
0xdb24dc - SetViewportOrgEx
0xdb24e0 - OffsetViewportOrgEx
0xdb24e4 - SetViewportExtEx
0xdb24e8 - CreateDIBitmap
0xdb24ec - Escape
0xdb24f0 - ExtTextOutA
0xdb24f4 - TextOutA
0xdb24f8 - RectVisible
0xdb24fc - PtVisible
0xdb2500 - CreatePenIndirect
0xdb2504 - RestoreDC
0xdb2508 - SaveDC
0xdb250c - SetWindowOrgEx
0xdb2510 - SetTextColor
0xdb2514 - SetBkMode
0xdb2518 - SetBkColor
0xdb251c - CreateRectRgnIndirect
0xdb2520 - CreateDIBSection
0xdb2524 - SetPixel
0xdb2528 - ExtCreateRegion
0xdb252c - SetStretchBltMode
0xdb2530 - GetClipRgn
0xdb2534 - CreatePolygonRgn
0xdb2538 - SelectClipRgn
0xdb253c - DeleteObject
0xdb2540 - ScaleViewportExtEx
0xdb2544 - GetSystemPaletteEntries
0xdb2548 - CreatePalette
0xdb254c - StretchBlt
0xdb2550 - SelectPalette
0xdb2554 - RealizePalette
0xdb2558 - GetDIBits
0xdb255c - GetWindowExtEx
0xdb2560 - GetViewportOrgEx
0xdb2564 - GetWindowOrgEx
0xdb2568 - BeginPath
0xdb256c - EndPath
0xdb2570 - PathToRegion
0xdb2574 - CreateEllipticRgn
0xdb2578 - CreateRoundRectRgn
0xdb257c - GetTextColor
0xdb2580 - GetBkMode
0xdb2584 - GetBkColor
0xdb2588 - GetROP2
0xdb258c - GetStretchBltMode
0xdb2590 - GetPolyFillMode
0xdb2594 - CreateCompatibleBitmap
0xdb2598 - CreateDCA
0xdb259c - CreateBrushIndirect
0xdb25a0 - CreateBitmap
0xdb25a4 - SelectObject
0xdb25a8 - GetObjectA
0xdb25ac - CreatePen
0xdb25b0 - PatBlt
0xdb25b4 - CombineRgn
0xdb25b8 - CreateRectRgn
0xdb25bc - FillRgn
0xdb25c0 - CreateSolidBrush
0xdb25c4 - GetStockObject
0xdb25c8 - CreateFontIndirectA
0xdb25cc - EndPage
0xdb25d0 - EndDoc
0xdb25d4 - DeleteDC
0xdb25d8 - StartDocA
0xdb25dc - StartPage
0xdb25e0 - BitBlt
0xdb25e4 - GetPixel
0xdb25e8 - CreateCompatibleDC
0xdb25ec - SetPixelV
0xdb25f0 - Ellipse
0xdb25f4 - Rectangle
0xdb25f8 - LPtoDP
0xdb25fc - DPtoLP
0xdb2600 - GetCurrentObject
0xdb2604 - RoundRect
0xdb2608 - GetTextExtentPoint32A
0xdb260c - GetDeviceCaps
Library WINMM.dll:
0xdb2614 - midiStreamRestart
0xdb2618 - midiStreamClose
0xdb261c - midiOutReset
0xdb2620 - midiStreamStop
0xdb2624 - midiStreamOut
0xdb2628 - midiOutPrepareHeader
0xdb262c - midiStreamProperty
0xdb2630 - midiStreamOpen
0xdb2634 - midiOutUnprepareHeader
0xdb2638 - waveOutOpen
0xdb263c - waveOutGetNumDevs
0xdb2640 - waveOutClose
0xdb2644 - waveOutReset
0xdb2648 - waveOutPause
0xdb264c - waveOutWrite
0xdb2650 - waveOutPrepareHeader
0xdb2654 - waveOutUnprepareHeader
0xdb2658 - waveOutRestart
Library MSIMG32.dll:
0xdb2660 - GradientFill
Library WINSPOOL.DRV:
0xdb2668 - ClosePrinter
0xdb266c - DocumentPropertiesA
0xdb2670 - OpenPrinterA
Library ADVAPI32.dll:
0xdb2678 - RegCreateKeyExA
0xdb267c - RegCloseKey
0xdb2680 - RegOpenKeyExA
0xdb2684 - RegSetValueExA
0xdb2688 - RegQueryValueA
Library SHELL32.dll:
0xdb2690 - SHGetSpecialFolderPathA
0xdb2694 - Shell_NotifyIconA
0xdb2698 - ShellExecuteA
Library ole32.dll:
0xdb26a0 - OleInitialize
0xdb26a4 - OleUninitialize
0xdb26a8 - CLSIDFromString
Library OLEAUT32.dll:
0xdb26b0 - LoadTypeLib
0xdb26b4 - RegisterTypeLib
0xdb26b8 - UnRegisterTypeLib
Library COMCTL32.dll:
0xdb26c0 - ImageList_GetIcon
0xdb26c4 - ImageList_GetImageInfo
0xdb26c8 - ImageList_GetImageCount
0xdb26cc - ImageList_SetBkColor
0xdb26d0 - ImageList_Draw
0xdb26d4 - _TrackMouseEvent
0xdb26d8 - ImageList_AddMasked
0xdb26dc - None
0xdb26e0 - ImageList_Destroy
0xdb26e4 - ImageList_Create
0xdb26e8 - ImageList_Read
0xdb26ec - ImageList_DrawIndirect
0xdb26f0 - ImageList_Duplicate
Library WS2_32.dll:
0xdb26f8 - accept
0xdb26fc - getpeername
0xdb2700 - recv
0xdb2704 - ioctlsocket
0xdb2708 - recvfrom
0xdb270c - WSAAsyncSelect
0xdb2710 - closesocket
0xdb2714 - WSACleanup
0xdb2718 - inet_ntoa
0xdb271c - ntohl
Library comdlg32.dll:
0xdb2724 - GetFileTitleA
0xdb2728 - GetSaveFileNameA
0xdb272c - GetOpenFileNameA
0xdb2730 - ChooseColorA
Library WTSAPI32.dll:
0xdb2738 - WTSSendMessageW
Library KERNEL32.dll:
0xdb2740 - VirtualQuery
0xdb2744 - GetSystemTimeAsFileTime
0xdb2748 - GetModuleHandleA
0xdb274c - CreateEventA
0xdb2750 - GetModuleFileNameW
0xdb2754 - LoadLibraryA
0xdb2758 - TerminateProcess
0xdb275c - GetCurrentProcess
0xdb2760 - CreateToolhelp32Snapshot
0xdb2764 - Thread32First
0xdb2768 - GetCurrentProcessId
0xdb276c - GetCurrentThreadId
0xdb2770 - OpenThread
0xdb2774 - Thread32Next
0xdb2778 - CloseHandle
0xdb277c - SuspendThread
0xdb2780 - ResumeThread
0xdb2784 - WriteProcessMemory
0xdb2788 - GetSystemInfo
0xdb278c - VirtualAlloc
0xdb2790 - VirtualProtect
0xdb2794 - VirtualFree
0xdb2798 - GetProcessAffinityMask
0xdb279c - SetProcessAffinityMask
0xdb27a0 - GetCurrentThread
0xdb27a4 - SetThreadAffinityMask
0xdb27a8 - Sleep
0xdb27ac - FreeLibrary
0xdb27b0 - GetTickCount
0xdb27b4 - SystemTimeToFileTime
0xdb27b8 - FileTimeToSystemTime
0xdb27bc - GlobalFree
0xdb27c0 - LocalAlloc
0xdb27c4 - LocalFree
0xdb27c8 - GetProcAddress
0xdb27cc - ExitProcess
0xdb27d0 - EnterCriticalSection
0xdb27d4 - LeaveCriticalSection
0xdb27d8 - InitializeCriticalSection
0xdb27dc - DeleteCriticalSection
0xdb27e0 - GetModuleHandleW
0xdb27e4 - LoadResource
0xdb27e8 - MultiByteToWideChar
0xdb27ec - FindResourceExW
0xdb27f0 - FindResourceExA
0xdb27f4 - WideCharToMultiByte
0xdb27f8 - GetThreadLocale
0xdb27fc - GetUserDefaultLCID
0xdb2800 - GetSystemDefaultLCID
0xdb2804 - EnumResourceNamesA
0xdb2808 - EnumResourceNamesW
0xdb280c - EnumResourceLanguagesA
0xdb2810 - EnumResourceLanguagesW
0xdb2814 - EnumResourceTypesA
0xdb2818 - EnumResourceTypesW
0xdb281c - CreateFileW
0xdb2820 - LoadLibraryW
0xdb2824 - GetLastError
0xdb2828 - FlushFileBuffers
0xdb282c - CreateFileA
0xdb2830 - WriteConsoleW
0xdb2834 - GetConsoleOutputCP
0xdb2838 - WriteConsoleA
0xdb283c - GetCommandLineA
0xdb2840 - RaiseException
0xdb2844 - RtlUnwind
0xdb2848 - HeapFree
0xdb284c - GetCPInfo
0xdb2850 - InterlockedIncrement
0xdb2854 - InterlockedDecrement
0xdb2858 - GetACP
0xdb285c - GetOEMCP
0xdb2860 - IsValidCodePage
0xdb2864 - TlsGetValue
0xdb2868 - TlsAlloc
0xdb286c - TlsSetValue
0xdb2870 - TlsFree
0xdb2874 - SetLastError
0xdb2878 - UnhandledExceptionFilter
0xdb287c - SetUnhandledExceptionFilter
0xdb2880 - IsDebuggerPresent
0xdb2884 - HeapAlloc
0xdb2888 - LCMapStringA
0xdb288c - LCMapStringW
0xdb2890 - SetHandleCount
0xdb2894 - GetStdHandle
0xdb2898 - GetFileType
0xdb289c - GetStartupInfoA
0xdb28a0 - GetModuleFileNameA
0xdb28a4 - FreeEnvironmentStringsA
0xdb28a8 - GetEnvironmentStrings
0xdb28ac - FreeEnvironmentStringsW
0xdb28b0 - GetEnvironmentStringsW
0xdb28b4 - HeapCreate
0xdb28b8 - HeapDestroy
0xdb28bc - QueryPerformanceCounter
0xdb28c0 - HeapReAlloc
0xdb28c4 - GetStringTypeA
0xdb28c8 - GetStringTypeW
0xdb28cc - GetLocaleInfoA
0xdb28d0 - HeapSize
0xdb28d4 - WriteFile
0xdb28d8 - SetFilePointer
0xdb28dc - GetConsoleCP
0xdb28e0 - GetConsoleMode
0xdb28e4 - InitializeCriticalSectionAndSpinCount
0xdb28e8 - SetStdHandle
Library USER32.dll:
0xdb28f0 - GetProcessWindowStation
0xdb28f4 - GetUserObjectInformationW
0xdb28f8 - CharUpperBuffW
0xdb28fc - MessageBoxW
Library KERNEL32.dll:
0xdb2904 - LocalAlloc
0xdb2908 - LocalFree
0xdb290c - GetModuleFileNameW
0xdb2910 - GetProcessAffinityMask
0xdb2914 - SetProcessAffinityMask
0xdb2918 - SetThreadAffinityMask
0xdb291c - Sleep
0xdb2920 - ExitProcess
0xdb2924 - FreeLibrary
0xdb2928 - LoadLibraryA
0xdb292c - GetModuleHandleA
0xdb2930 - GetProcAddress
Library USER32.dll:
0xdb2938 - GetProcessWindowStation
0xdb293c - GetUserObjectInformationW

Dropped files

No information

Behavior analysis

Mutexes
  • Local\MSCTF.Asm.MutexDefault1
Commands executed No information
Services created No information
Services started No information

Processes

Hash_new_163_0918.exe PID: 2480, parent process PID: 2168

Files accessed
  • C:\Windows\Fonts\staticcache.dat
  • C:\Windows\Globalization\Sorting\sortdefault.nls
  • C:\Users\test\AppData\Local\Temp\imageres.dll
  • C:\Windows\System32\imageres.dll
  • C:\Windows\System32\zh-CN\imageres.dll.mui
  • C:\Windows\sysnative\zh-CN\imageres.dll.mui
  • C:\Windows\System32\zh-Hans\imageres.dll.mui
  • C:\Windows\System32\zh\imageres.dll.mui
  • C:\Windows\System32\en-US\imageres.dll.mui
  • \Device\KsecDD
Files read
  • C:\Windows\Fonts\staticcache.dat
  • C:\Windows\Globalization\Sorting\sortdefault.nls
  • C:\Windows\System32\imageres.dll
  • C:\Windows\System32\zh-CN\imageres.dll.mui
  • C:\Windows\sysnative\zh-CN\imageres.dll.mui
  • C:\Windows\System32\zh-Hans\imageres.dll.mui
  • C:\Windows\System32\zh\imageres.dll.mui
  • C:\Windows\System32\en-US\imageres.dll.mui
  • \Device\KsecDD
Files modified No information
Files deleted No information
Registry keys
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\WMR
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane2
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane3
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane4
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane5
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane6
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane7
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane8
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane9
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane10
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane11
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane12
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane13
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane14
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane15
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane16
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\Hash_new_163_0918.exe
  • HKEY_LOCAL_MACHINE\Software\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{03B5835F-F03C-411B-9CE2-AA23E1171E36}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{07EB03D6-B001-41DF-9192-BF9B841EE71F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3697C5FA-60DD-4B56-92D4-74A569205C16}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3FC47A08-E5C9-4BCA-A2C7-BC9A282AED14}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{531FDEBF-9B4C-4A43-A2AA-960E8FCDC732}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{78CB5B0E-26ED-4FCC-854C-77E8F3D1AA80}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{81D4E9C9-1D3B-41BC-9E6C-4B40BF79E35E}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{8613E14C-D0C0-4161-AC0F-1DD2563286BC}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{A028AE76-01B1-46C2-99C4-ACD9858AE02F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{AE6BE008-07FB-400D-8BEB-337A64F7051F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{C1EE01F2-B3B6-4A6A-9DDD-E988C088EC82}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{E429B25A-E5D3-4D1F-9BE3-0C608477E3A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F25E9F57-2FC8-4EB3-A41A-CCE5F08541E6}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F89E9E58-BD2F-4008-9AC2-0F816C09F4EE}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_CURRENT_USER
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
  • HKEY_CURRENT_USER\Software\Microsoft\CTF\DirectSwitchHotkeys
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
  • HKEY_CURRENT_USER\Software\Microsoft\CTF\LayoutIcon\0804\00000804
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\KnownClasses
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
Registry keys read
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane2
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane3
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane4
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane5
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane6
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane7
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane8
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane9
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane10
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane11
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane12
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane13
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane14
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane15
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane16
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
Registry keys modified: none
Registry keys deleted: none
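Almost every key in the lists above sits under the Text Services Framework (the CTF\TIP GUID profiles and categories, DirectSwitchHotkeys, keyboard-layout toggle hotkeys), the NLS locale tables, the LanguagePack surrogate-fallback font entries or GRE_Initialize, all of which a Windows GUI process touches while input-method, locale and GDI support are initialised; together with the empty modified and deleted sections, this part of the report shows no registry persistence by itself. The helper below is an added example, not code from the report or from the sandbox: it buckets a key list into known persistence locations, known start-up noise, and keys left for manual review, and cross-checks a resolved-import list for registry write or delete functions. The report sample is a constructed subset of the keys and resolved APIs printed on this page; the control keys are hypothetical and were not observed in this analysis.

```python
"""Added triage helper for sandbox registry-key and resolved-API lists.
Sample data: REPORT_* are a subset of this report's own entries;
CONTROL_KEYS are constructed and were NOT observed in the report."""
import re

# Autostart / persistence locations worth a manual look (searched case-insensitively).
PERSISTENCE_PATTERNS = [
    r"\\Microsoft\\Windows\\CurrentVersion\\Run",                     # Run, RunOnce, RunOnceEx
    r"\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run",
    r"\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon",              # Shell, Userinit
    r"\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options",
    r"\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_DLLs",
    r"\\ControlSet\d+\\Services\\",                                      # service install
    r"\\CurrentControlSet\\Services\\",
    r"\\Classes\\CLSID\\\{[0-9A-Fa-f-]+\}\\InprocServer32",             # COM hijack
]

# Lookups any GUI process performs while the Text Services Framework (CTF),
# keyboard layouts, NLS tables, GDI font fallback and WER are initialised.
BENIGN_SYSTEM_PATTERNS = [
    r"^HKEY_LOCAL_MACHINE\\SOFTWARE\\(Wow6432Node\\)?Microsoft\\CTF(\\|$)",
    r"^HKEY_CURRENT_USER\\Software\\Microsoft\\CTF(\\|$)",
    r"^HKEY_CURRENT_USER\\Keyboard Layout(\\|$)",
    r"^HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet\d+\\Control\\Nls(\\|$)",
    r"^HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack(\\|$)",
    r"^HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize(\\|$)",
    r"^HKEY_LOCAL_MACHINE\\SOFTWARE\\(Wow6432Node\\)?Microsoft\\Windows\\Windows Error Reporting(\\|$)",
    r"^HKEY_(LOCAL_MACHINE|CURRENT_USER)$",                               # bare hive handle
]
_PERSIST = [re.compile(p, re.IGNORECASE) for p in PERSISTENCE_PATTERNS]
_BENIGN = [re.compile(p, re.IGNORECASE) for p in BENIGN_SYSTEM_PATTERNS]


def classify_key(key):
    """Return 'persistence', 'benign-system' or 'review' for one registry path.
    Persistence is tested first so a start-up prefix can never mask an autorun key."""
    if any(p.search(key) for p in _PERSIST):
        return "persistence"
    if any(p.search(key) for p in _BENIGN):
        return "benign-system"
    return "review"


def triage_keys(keys):
    """Deduplicate (reports repeat 'opened' keys under 'read') and bucket; returns {bucket: sorted keys}."""
    buckets = {"persistence": set(), "benign-system": set(), "review": set()}
    for key in keys:
        key = key.strip()
        buckets[classify_key(key)].add(key)
    return {name: sorted(members) for name, members in buckets.items()}


# Registry imports that can change or remove keys; their absence from the resolved-API
# list corroborates an empty "modified/deleted" section (it does not prove it: a packed
# binary can resolve them later by hash, which the import list would not show).
REGISTRY_WRITE_APIS = {
    "RegSetValueExA", "RegSetValueExW", "RegSetValueA", "RegSetValueW",
    "RegCreateKeyA", "RegCreateKeyW", "RegCreateKeyExA", "RegCreateKeyExW",
    "RegDeleteKeyA", "RegDeleteKeyW", "RegDeleteKeyExA", "RegDeleteKeyExW",
    "RegDeleteValueA", "RegDeleteValueW", "RegRestoreKeyA", "RegRestoreKeyW",
}


def registry_write_apis(resolved):
    """Given 'dll.Function' entries as printed by the sandbox, return the write/delete registry APIs present."""
    names = {entry.rsplit(".", 1)[-1] for entry in resolved}
    return sorted(names & REGISTRY_WRITE_APIS)


# Constructed subset of the "opened" and "read" lists in this report.
REPORT_KEYS = [
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\Hash_new_163_0918.exe",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}",
    r"HKEY_CURRENT_USER",
    r"HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey",
    r"HKEY_CURRENT_USER\Software\Microsoft\CTF\DirectSwitchHotkeys",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable",
    r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane1",
    r"HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey",   # repeated under "read"
]
# Constructed control cases (hypothetical, NOT from this report) to exercise the other buckets.
CONTROL_KEYS = [
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\example",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\ExampleVendor\ExampleProduct\Config",
]
# Subset of this report's resolved advapi32/cryptbase imports.
REPORT_APIS = [
    "advapi32.dll.RegOpenKeyExW", "advapi32.dll.RegQueryInfoKeyW", "advapi32.dll.RegEnumValueW",
    "advapi32.dll.RegCloseKey", "advapi32.dll.RegQueryValueExW", "advapi32.dll.RegQueryValueExA",
    "advapi32.dll.RegEnumKeyExW", "cryptbase.dll.SystemFunction036",
]

if __name__ == "__main__":
    for bucket, keys in triage_keys(REPORT_KEYS).items():
        print(f"{bucket}: {len(keys)}")
    print("registry write/delete APIs resolved:", registry_write_apis(REPORT_APIS) or "none")
    print("control:", {b: len(k) for b, k in triage_keys(CONTROL_KEYS).items()})
```

On this report's data every key lands in the benign-system bucket and no write or delete registry import is resolved, which matches the empty modified/deleted sections; the sample's malicious score therefore rests on the packed .vmp1 section, the anti-debugging, hook and keylogger Yara hits and the VirusTotal ratio shown earlier, not on its registry activity. Any key that falls into the review bucket on another report is the one to read by hand, and the caveat in the code comment applies to packed samples generally: an import list only shows what is resolved up front.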
Resolved APIs
  • gdi32.dll.GetLayout
  • gdi32.dll.GdiRealizationInfo
  • gdi32.dll.FontIsLinked
  • advapi32.dll.RegOpenKeyExW
  • advapi32.dll.RegQueryInfoKeyW
  • gdi32.dll.GetTextFaceAliasW
  • advapi32.dll.RegEnumValueW
  • advapi32.dll.RegCloseKey
  • advapi32.dll.RegQueryValueExW
  • advapi32.dll.RegQueryValueExA
  • advapi32.dll.RegEnumKeyExW
  • gdi32.dll.GetTextExtentExPointWPri
  • comctl32.dll.RegisterClassNameW
  • kernel32.dll.SortGetHandle
  • kernel32.dll.SortCloseHandle
  • uxtheme.dll.EnableThemeDialogTexture
  • uxtheme.dll.OpenThemeData
  • ole32.dll.CoInitializeEx
  • ole32.dll.CoUninitialize
  • cryptbase.dll.SystemFunction036
  • ole32.dll.CoRegisterInitializeSpy
  • ole32.dll.CoRevokeInitializeSpy
  • oleaut32.dll.SysAllocString
  • oleaut32.dll.SysStringLen
  • oleaut32.dll.SysFreeString
  • oleaut32.dll.#500