魔盾安全分析报告

分析类型	开始时间	结束时间	持续时间	分析引擎版本
FILE	2020-11-30 10:37:42	2020-11-30 10:39:53	131 秒	1.4-Maldun

虚拟机机器名	标签	虚拟机管理	开机时间	关机时间
win7-sp1-x64-shaapp03-1	win7-sp1-x64-shaapp03-1	KVM	2020-11-30 10:37:45	2020-11-30 10:39:55

魔盾分数
10.0 Softcnapp

文件详细信息

文件名	setup_hglxnb001.exe
文件大小	9879920 字节
文件类型	PE32 executable (GUI) Intel 80386, for MS Windows
CRC32	A0F18796
MD5	39d4f3f68a4f288ed83476d7fa2a7b68
SHA1	6cc450fbf25b50ed656a2ab66e859f1cbad1f5ca
SHA256	d30b186c93608a6e1c90595090e4d12df57cd6aa19164206534e95ebfb080b7a
SHA512	c102d740b012287af782cbe63c6762f2db8afd12fcaeb42948c99879f89035e01b627a568822c3a999c64044fe7c8bd7d7ce5415243023c2cd20fe9922ba8fe3
Ssdeep	196608:UTMLPkIOAawvPRL0bjHPI0Ls4cY82kC7f293lkeCnsM2m4jk5g1BV4XhGVUF:ZbsfeKjHA04S7fEInii5gBAhGaF
PEiD	无匹配
Yara	CRC32_poly_Constant (Look for CRC32 [poly]) CRC32_table (Look for CRC32 table) MD5_Constants (Look for MD5 constants) BASE64_table (Look for Base64 table) with_images (Detected the presence of an or several images) with_urls (Detected the presence of an or several urls) IsPE32 (Detected a 32bit PE sample) IsWindowsGUI (Detected a Windows GUI sample) IsPacked (Detected Entropy signature) HasOverlay (Detected Overlay signature) HasDigitalSignature (Detected Digital Signature) HasDebugData (Detected Debug Data) HasRichSignature (Detected Rich Signature) DebuggerCheck__QueryInfo () DebuggerTiming__PerformanceCounter () DebuggerTiming__Ticks (Detected timing ticks function) Check_OutputDebugStringA_iat (Detect in IAT OutputDebugstringA) anti_dbg (Detected self protection if being debugged) network_tcp_listen (Listen for incoming communication) network_smtp_raw (Detect SMTP ability in RAW) network_tcp_socket (Detected network communications over RAW socket) network_dns (Detected network communications use DNS) win_mutex (Create or check mutex) screenshot (Detected take screenshot function) create_process (Detection function for creating a new process) keylogger (Detected keylogger function) win_registry (Detected system registries modification function) win_token (Affect system token) win_files_operation (Affect private profile) Maldun_Anomoly_Combined_Activities_5 (Spotted potential mallicious behaviors like logging and network communication) Maldun_Anomoly_Combined_Activities_7 (Spotted potential malicious behaviors from a small size target, like process manipultion, privilege, token and files)
VirusTotal	VirusTotal链接 VirusTotal扫描时间: 2020-11-19 06:43:01 扫描结果: 46/70

特征

样本的签名证书合法

创建RWX内存

魔盾安全Yara检测结果 - 普通

Informational: Detect SMTP ability in RAW

Critical: Spotted potential mallicious behaviors like logging and network communication

Critical: Spotted potential malicious behaviors from a small size target, like process manipultion, privilege, token and files

发起了一些HTTP请求

url: http://tj.wn51.com/?cd831=674200d4ccb6c2e61b36c5d30e768d3c

二进制文件可能包含加密或压缩数据

section: name: .rsrc, entropy: 7.98, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ, raw_size: 0x006f4c00, virtual_size: 0x006f4be8

HTTP数据流中包含可疑的恶意软件数据

get_no_useragent: HTTP traffic contains a GET request with no user-agent header

suspicious_request: http://tj.wn51.com/?cd831=674200d4ccb6c2e61b36c5d30e768d3c

文件已被至少一个VirusTotal上的反病毒引擎检测为病毒

Elastic: malicious (high confidence)

MicroWorld-eScan: Gen:Variant.Graftor.741529

FireEye: Generic.mg.39d4f3f68a4f288e

Malwarebytes: PUP.Optional.ChinAd

Zillya: Adware.Burden.Win32.1217

K7AntiVirus: Unwanted-Program ( 00560ccc1 )

BitDefender: Gen:Variant.Graftor.741529

K7GW: Unwanted-Program ( 00560ccc1 )

TrendMicro: TROJ_GEN.R01FC0PJU20

Cyren: W32/Softcnapp.N.gen!Eldorado

Symantec: ML.Attribute.HighConfidence

APEX: Malicious

Avast: Win32:Adware-gen [Adw]

Kaspersky: Trojan-Downloader.Win32.Agent.xxzmvz

Alibaba: TrojanDownloader:Win32/Softcnapp.dd561666

NANO-Antivirus: Riskware.Win32.Softcnapp.iayynn

Rising: Adware.Agent!1.C6F0 (CLASSIC)

Sophos: Generic PUA GM (PUA)

F-Secure: Heuristic.HEUR/AGEN.1132089

DrWeb: Adware.Softcnapp.125

VIPRE: Trojan.Win32.Generic!BT

Invincea: Generic PUA GM (PUA)

McAfee-GW-Edition: BehavesLike.Win32.Generic.tc

Emsisoft: Gen:Variant.Graftor.741529 (B)

GData: Gen:Variant.Graftor.741529

Jiangmin: AdWare.Burden.jc

Avira: HEUR/AGEN.1132089

Antiy-AVL: GrayWare[AdWare]/Win32.Burden

Gridinsoft: Adware.Softcnapp.vl!c

ZoneAlarm: Trojan-Downloader.Win32.Agent.xxzmvz

Microsoft: PUA:Win32/Softcnapp

Cynet: Malicious (score: 100)

AhnLab-V3: PUP/Win32.Softcnapp.C3863117

McAfee: GenericRXLM-EC!39D4F3F68A4F

MAX: malware (ai score=84)

VBA32: BScope.Adware.Softcnapp

Cylance: Unsafe

Panda: Trj/Genetic.gen

ESET-NOD32: a variant of Win32/Softcnapp.BG potentially unwanted

TrendMicro-HouseCall: TROJ_GEN.R01FC0PJU20

Tencent: Win32.Trojan-downloader.Agent.Lneq

Yandex: PUA.Burden!xacdSTCedUY

Ikarus: PUA.Softcnapp

eGambit: Unsafe.AI_Score_99%

Fortinet: Riskware/Agent

AVG: Win32:Adware-gen [Adw]

运行截图

网络分析

域名解析

域名	响应
tj.wn51.com	A 117.50.93.3
acroipm.adobe.com	CNAME acroipm.adobe.com.edgesuite.net CNAME a1983.dscd.akamai.net A 104.75.169.10 A 104.75.169.8

TCP连接

IP地址	端口
104.75.169.10	80
117.50.93.3	80

UDP连接

IP地址	端口
192.168.122.1	53
192.168.122.1	53

HTTP请求

URL	HTTP数据
http://tj.wn51.com/?cd831=674200d4ccb6c2e61b36c5d30e768d3c	GET /?cd831=674200d4ccb6c2e61b36c5d30e768d3c HTTP/1.1 Host: tj.wn51.com Accept: /
http://acroipm.adobe.com/11/rdr/CHS/win/nooem/none/message.zip	GET /11/rdr/CHS/win/nooem/none/message.zip HTTP/1.1 Accept: / If-Modified-Since: Mon, 08 Nov 2017 08:44:36 GMT User-Agent: IPM Host: acroipm.adobe.com Connection: Keep-Alive Cache-Control: no-cache

URL

HTTP数据

http://tj.wn51.com/?cd831=674200d4ccb6c2e61b36c5d30e768d3c

GET /?cd831=674200d4ccb6c2e61b36c5d30e768d3c HTTP/1.1
Host: tj.wn51.com
Accept: */*

http://acroipm.adobe.com/11/rdr/CHS/win/nooem/none/message.zip

GET /11/rdr/CHS/win/nooem/none/message.zip HTTP/1.1
Accept: */*
If-Modified-Since: Mon, 08 Nov 2017 08:44:36 GMT
User-Agent: IPM
Host: acroipm.adobe.com
Connection: Keep-Alive
Cache-Control: no-cache

静态分析

PE 信息

初始地址	0x00400000
入口地址	0x004271d6
声明校验值	0x00974ac2
实际校验值	0x00974ac2
最低操作系统版本要求	5.1
编译时间	2020-10-14 20:39:18
载入哈希	16af28fc4ab709a83ada72a21cbf77e2
图标
图标精确哈希值	ce1fa41efbac2be26375d15a9ef09709
图标相似性哈希值	41e1378b1a64688e3870c16870fa536c

版本信息

LegalCopyright:	Copyright (C) 2020
InternalName:	\xe8\xe8\xe5\xe6
FileVersion:	1.0.9.21015
CompanyName:	\xe8\xe8\xe5\xe6
ProductName:	\xe8\xe8\xe5\xe6
ProductVersion:	1,0,9,21015
FileDescription:	\xe8\xe8\xe5\xe6
OriginalFilename:	Install.exe
Translation:	0x0804 0x04b0

PE数据组成

名称	虚拟地址	虚拟大小	原始数据大小	特征	熵(Entropy)
.text	0x00001000	0x001d7744	0x001d7800	IMAGE_SCN_CNT_CODE\|IMAGE_SCN_MEM_EXECUTE\|IMAGE_SCN_MEM_READ	6.70
.rdata	0x001d9000	0x000709ee	0x00070a00	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ	5.51
.data	0x0024a000	0x000270b4	0x0000e400	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ\|IMAGE_SCN_MEM_WRITE	5.10
.gfids	0x00272000	0x00000178	0x00000200	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ	2.93
.tls	0x00273000	0x00000009	0x00000200	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ\|IMAGE_SCN_MEM_WRITE	0.02
.rsrc	0x00274000	0x006f4be8	0x006f4c00	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ	7.98
.reloc	0x00969000	0x0001caf0	0x0001cc00	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_DISCARDABLE\|IMAGE_SCN_MEM_READ	6.54

覆盖

偏移量:	0x00968600
大小:	0x00003b70

资源

名称	偏移量	大小	语言	子语言	熵(Entropy)	文件类型
"CCC9BC118AABD6F1EB2A"	0x00274cf4	0x006783bd	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	8.00	7-zip archive data, version 0.3
C72C3D1BF1D5ABC67	0x008eda38	0x0000094d	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	5.41	XML 1.0 document, UTF-8 Unicode text, with CRLF line terminators
C72C3D1BF1D5ABC67	0x008eda38	0x0000094d	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	5.41	XML 1.0 document, UTF-8 Unicode text, with CRLF line terminators
C72C3D1BF1D5ABC67	0x008eda38	0x0000094d	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	5.41	XML 1.0 document, UTF-8 Unicode text, with CRLF line terminators
C72C3D1BF1D5ABC67	0x008eda38	0x0000094d	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	5.41	XML 1.0 document, UTF-8 Unicode text, with CRLF line terminators
DD9073109EC81164B	0x008ffbac	0x0000067f	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	5.83	PNG image data, 48 x 16, 8-bit/color RGBA, non-interlaced
DD9073109EC81164B	0x008ffbac	0x0000067f	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	5.83	PNG image data, 48 x 16, 8-bit/color RGBA, non-interlaced
DD9073109EC81164B	0x008ffbac	0x0000067f	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	5.83	PNG image data, 48 x 16, 8-bit/color RGBA, non-interlaced
DD9073109EC81164B	0x008ffbac	0x0000067f	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	5.83	PNG image data, 48 x 16, 8-bit/color RGBA, non-interlaced
DD9073109EC81164B	0x008ffbac	0x0000067f	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	5.83	PNG image data, 48 x 16, 8-bit/color RGBA, non-interlaced
DD9073109EC81164B	0x008ffbac	0x0000067f	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	5.83	PNG image data, 48 x 16, 8-bit/color RGBA, non-interlaced
DD9073109EC81164B	0x008ffbac	0x0000067f	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	5.83	PNG image data, 48 x 16, 8-bit/color RGBA, non-interlaced
DD9073109EC81164B	0x008ffbac	0x0000067f	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	5.83	PNG image data, 48 x 16, 8-bit/color RGBA, non-interlaced
DD9073109EC81164B	0x008ffbac	0x0000067f	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	5.83	PNG image data, 48 x 16, 8-bit/color RGBA, non-interlaced
F480F72D39A07D8E6	0x00905514	0x0000278c	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	7.86	PNG image data, 200 x 208, 8-bit/color RGBA, non-interlaced
F480F72D39A07D8E6	0x00905514	0x0000278c	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	7.86	PNG image data, 200 x 208, 8-bit/color RGBA, non-interlaced
F480F72D39A07D8E6	0x00905514	0x0000278c	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	7.86	PNG image data, 200 x 208, 8-bit/color RGBA, non-interlaced
F480F72D39A07D8E6	0x00905514	0x0000278c	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	7.86	PNG image data, 200 x 208, 8-bit/color RGBA, non-interlaced
F480F72D39A07D8E6	0x00905514	0x0000278c	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	7.86	PNG image data, 200 x 208, 8-bit/color RGBA, non-interlaced
F480F72D39A07D8E6	0x00905514	0x0000278c	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	7.86	PNG image data, 200 x 208, 8-bit/color RGBA, non-interlaced
F480F72D39A07D8E6	0x00905514	0x0000278c	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	7.86	PNG image data, 200 x 208, 8-bit/color RGBA, non-interlaced
UIDEF	0x00907ca0	0x00000845	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	5.36	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators
RT_ICON	0x00967ef8	0x00000468	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	5.58	GLS_BINARY_LSB_FIRST
RT_ICON	0x00967ef8	0x00000468	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	5.58	GLS_BINARY_LSB_FIRST
RT_ICON	0x00967ef8	0x00000468	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	5.58	GLS_BINARY_LSB_FIRST
RT_ICON	0x00967ef8	0x00000468	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	5.58	GLS_BINARY_LSB_FIRST
RT_ICON	0x00967ef8	0x00000468	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	5.58	GLS_BINARY_LSB_FIRST
RT_ICON	0x00967ef8	0x00000468	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	5.58	GLS_BINARY_LSB_FIRST
RT_ICON	0x00967ef8	0x00000468	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	5.58	GLS_BINARY_LSB_FIRST
RT_ICON	0x00967ef8	0x00000468	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	5.58	GLS_BINARY_LSB_FIRST
RT_ICON	0x00967ef8	0x00000468	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	5.58	GLS_BINARY_LSB_FIRST
RT_ICON	0x00967ef8	0x00000468	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	5.58	GLS_BINARY_LSB_FIRST
RT_ICON	0x00967ef8	0x00000468	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	5.58	GLS_BINARY_LSB_FIRST
RT_ICON	0x00967ef8	0x00000468	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	5.58	GLS_BINARY_LSB_FIRST
RT_ICON	0x00967ef8	0x00000468	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	5.58	GLS_BINARY_LSB_FIRST
RT_ICON	0x00967ef8	0x00000468	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	5.58	GLS_BINARY_LSB_FIRST
RT_ICON	0x00967ef8	0x00000468	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	5.58	GLS_BINARY_LSB_FIRST
RT_ICON	0x00967ef8	0x00000468	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	5.58	GLS_BINARY_LSB_FIRST
RT_ICON	0x00967ef8	0x00000468	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	5.58	GLS_BINARY_LSB_FIRST
RT_ICON	0x00967ef8	0x00000468	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	5.58	GLS_BINARY_LSB_FIRST
RT_GROUP_ICON	0x009683e4	0x00000084	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	3.03	MS Windows icon resource - 9 icons, 256x256
RT_GROUP_ICON	0x009683e4	0x00000084	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	3.03	MS Windows icon resource - 9 icons, 256x256
RT_VERSION	0x00968468	0x00000294	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	3.61	data
RT_MANIFEST	0x009686fc	0x000004ec	LANG_ENGLISH	SUBLANG_ENGLISH_US	5.41	XML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators

导入

库 KERNEL32.dll:

• 0x5d9124 - FreeLibraryAndExitThread

• 0x5d9128 - GetCurrentDirectoryW

• 0x5d912c - ExitThread

• 0x5d9130 - FileTimeToSystemTime

• 0x5d9134 - SystemTimeToTzSpecificLocalTime

• 0x5d9138 - GetDriveTypeW

• 0x5d913c - ExpandEnvironmentStringsW

• 0x5d9140 - PeekNamedPipe

• 0x5d9144 - WaitForMultipleObjects

• 0x5d9148 - GetSystemDirectoryA

• 0x5d914c - SleepEx

• 0x5d9150 - ResetEvent

• 0x5d9154 - SetEvent

• 0x5d9158 - lstrlenA

• 0x5d915c - CreateFileMappingW

• 0x5d9160 - UnmapViewOfFile

• 0x5d9164 - MapViewOfFile

• 0x5d9168 - GetFileInformationByHandle

• 0x5d916c - InterlockedCompareExchange

• 0x5d9170 - CreateEventW

• 0x5d9174 - WideCharToMultiByte

• 0x5d9178 - OutputDebugStringA

• 0x5d917c - GlobalUnlock

• 0x5d9180 - GlobalLock

• 0x5d9184 - DeleteFileW

• 0x5d9188 - GetTempPathW

• 0x5d918c - FindResourceW

• 0x5d9190 - WriteFile

• 0x5d9194 - SizeofResource

• 0x5d9198 - LoadResource

• 0x5d919c - LockResource

• 0x5d91a0 - SetCurrentDirectoryW

• 0x5d91a4 - Process32NextW

• 0x5d91a8 - Process32FirstW

• 0x5d91ac - CreateToolhelp32Snapshot

• 0x5d91b0 - GetModuleHandleW

• 0x5d91b4 - GetLastError

• 0x5d91b8 - GetCurrentProcessId

• 0x5d91bc - VirtualFree

• 0x5d91c0 - VirtualAlloc

• 0x5d91c4 - LocalFree

• 0x5d91c8 - LocalAlloc

• 0x5d91cc - DeleteCriticalSection

• 0x5d91d0 - LeaveCriticalSection

• 0x5d91d4 - EnterCriticalSection

• 0x5d91d8 - InitializeCriticalSection

• 0x5d91dc - InterlockedDecrement

• 0x5d91e0 - InterlockedIncrement

• 0x5d91e4 - CreateFileW

• 0x5d91e8 - WritePrivateProfileStringW

• 0x5d91ec - GetModuleFileNameW

• 0x5d91f0 - ReadFile

• 0x5d91f4 - GetFileSize

• 0x5d91f8 - CreateThread

• 0x5d91fc - Sleep

• 0x5d9200 - GetCurrentProcess

• 0x5d9204 - GlobalFree

• 0x5d9208 - GlobalAlloc

• 0x5d920c - QueryDosDeviceW

• 0x5d9210 - GetWindowsDirectoryW

• 0x5d9214 - LoadLibraryW

• 0x5d9218 - GetLogicalDriveStringsW

• 0x5d921c - lstrlenW

• 0x5d9220 - lstrcmpiW

• 0x5d9224 - CloseHandle

• 0x5d9228 - OpenProcess

• 0x5d922c - GetProcAddress

• 0x5d9230 - FreeLibrary

• 0x5d9234 - MulDiv

• 0x5d9238 - MultiByteToWideChar

• 0x5d923c - UnhandledExceptionFilter

• 0x5d9240 - SetUnhandledExceptionFilter

• 0x5d9244 - TerminateProcess

• 0x5d9248 - IsProcessorFeaturePresent

• 0x5d924c - IsDebuggerPresent

• 0x5d9250 - GetStartupInfoW

• 0x5d9254 - QueryPerformanceCounter

• 0x5d9258 - GetCurrentThreadId

• 0x5d925c - GetSystemTimeAsFileTime

• 0x5d9260 - InitializeSListHead

• 0x5d9264 - WaitForSingleObject

• 0x5d9268 - CreateProcessW

• 0x5d926c - MoveFileExW

• 0x5d9270 - DecodePointer

• 0x5d9274 - HeapDestroy

• 0x5d9278 - HeapAlloc

• 0x5d927c - HeapReAlloc

• 0x5d9280 - HeapFree

• 0x5d9284 - HeapSize

• 0x5d9288 - GetProcessHeap

• 0x5d928c - RaiseException

• 0x5d9290 - InitializeCriticalSectionAndSpinCount

• 0x5d9294 - GetSystemInfo

• 0x5d9298 - FormatMessageW

• 0x5d929c - GetVersionExW

• 0x5d92a0 - GetPrivateProfileIntW

• 0x5d92a4 - GetPrivateProfileStringW

• 0x5d92a8 - FindClose

• 0x5d92ac - CreateDirectoryW

• 0x5d92b0 - FindFirstFileW

• 0x5d92b4 - FindNextFileW

• 0x5d92b8 - ReleaseMutex

• 0x5d92bc - CreateMutexW

• 0x5d92c0 - GetFileSizeEx

• 0x5d92c4 - GetTickCount

• 0x5d92c8 - AreFileApisANSI

• 0x5d92cc - SetErrorMode

• 0x5d92d0 - GetLocalTime

• 0x5d92d4 - FlushInstructionCache

• 0x5d92d8 - HeapCreate

• 0x5d92dc - FreeResource

• 0x5d92e0 - SetLastError

• 0x5d92e4 - GetFullPathNameW

• 0x5d92e8 - GetVersionExA

• 0x5d92ec - LoadLibraryA

• 0x5d92f0 - GetModuleHandleA

• 0x5d92f4 - EncodePointer

• 0x5d92f8 - RtlUnwind

• 0x5d92fc - TlsAlloc

• 0x5d9300 - TlsGetValue

• 0x5d9304 - TlsSetValue

• 0x5d9308 - TlsFree

• 0x5d930c - LoadLibraryExW

• 0x5d9310 - ExitProcess

• 0x5d9314 - GetModuleHandleExW

• 0x5d9318 - GetStdHandle

• 0x5d931c - GetACP

• 0x5d9320 - GetFileType

• 0x5d9324 - GetStringTypeW

• 0x5d9328 - CompareStringW

• 0x5d932c - LCMapStringW

• 0x5d9330 - GetConsoleMode

• 0x5d9334 - ReadConsoleW

• 0x5d9338 - SetFilePointerEx

• 0x5d933c - FindFirstFileExW

• 0x5d9340 - IsValidCodePage

• 0x5d9344 - GetOEMCP

• 0x5d9348 - GetCPInfo

• 0x5d934c - GetCommandLineA

• 0x5d9350 - GetCommandLineW

• 0x5d9354 - GetEnvironmentStringsW

• 0x5d9358 - FreeEnvironmentStringsW

• 0x5d935c - SetEnvironmentVariableA

• 0x5d9360 - OutputDebugStringW

• 0x5d9364 - WaitForSingleObjectEx

• 0x5d9368 - SetStdHandle

• 0x5d936c - GetConsoleCP

• 0x5d9370 - GetTimeZoneInformation

• 0x5d9374 - FlushFileBuffers

• 0x5d9378 - WriteConsoleW

• 0x5d937c - SetEndOfFile

库 USER32.dll:

• 0x5d93c8 - MonitorFromWindow

• 0x5d93cc - GetMonitorInfoW

• 0x5d93d0 - TrackMouseEvent

• 0x5d93d4 - PostMessageW

• 0x5d93d8 - PostQuitMessage

• 0x5d93dc - AnimateWindow

• 0x5d93e0 - SetLayeredWindowAttributes

• 0x5d93e4 - IsIconic

• 0x5d93e8 - IsZoomed

• 0x5d93ec - GetCapture

• 0x5d93f0 - SetCapture

• 0x5d93f4 - ReleaseCapture

• 0x5d93f8 - UpdateWindow

• 0x5d93fc - BeginPaint

• 0x5d9400 - EndPaint

• 0x5d9404 - InvalidateRect

• 0x5d9408 - CreateCaret

• 0x5d940c - GetCaretBlinkTime

• 0x5d9410 - HideCaret

• 0x5d9414 - SetCaretPos

• 0x5d9418 - ScreenToClient

• 0x5d941c - GetClassNameW

• 0x5d9420 - DestroyIcon

• 0x5d9424 - LoadBitmapW

• 0x5d9428 - CreateIconFromResource

• 0x5d942c - LoadImageW

• 0x5d9430 - CharNextW

• 0x5d9434 - GetMessageW

• 0x5d9438 - TranslateMessage

• 0x5d943c - DispatchMessageW

• 0x5d9440 - PeekMessageW

• 0x5d9444 - ClientToScreen

• 0x5d9448 - EnableMenuItem

• 0x5d944c - GetSysColor

• 0x5d9450 - IsWindowVisible

• 0x5d9454 - DrawTextW

• 0x5d9458 - SystemParametersInfoA

• 0x5d945c - CharLowerBuffW

• 0x5d9460 - GetWindowRect

• 0x5d9464 - UpdateLayeredWindow

• 0x5d9468 - IsMenu

• 0x5d946c - IsWindowEnabled

• 0x5d9470 - CreatePopupMenu

• 0x5d9474 - DestroyMenu

• 0x5d9478 - GetMenuItemCount

• 0x5d947c - GetWindow

• 0x5d9480 - AppendMenuW

• 0x5d9484 - TrackPopupMenu

• 0x5d9488 - GetMenuInfo

• 0x5d948c - SetMenuInfo

• 0x5d9490 - GetMenuItemInfoW

• 0x5d9494 - SetMenuContextHelpId

• 0x5d9498 - MsgWaitForMultipleObjects

• 0x5d949c - GetForegroundWindow

• 0x5d94a0 - GetClientRect

• 0x5d94a4 - GetDlgItem

• 0x5d94a8 - CreateWindowExW

• 0x5d94ac - RegisterClassExW

• 0x5d94b0 - CallWindowProcW

• 0x5d94b4 - DefWindowProcW

• 0x5d94b8 - GetKeyState

• 0x5d94bc - GetFocus

• 0x5d94c0 - SendMessageW

• 0x5d94c4 - IsWindow

• 0x5d94c8 - GetActiveWindow

• 0x5d94cc - GetSystemMetrics

• 0x5d94d0 - GetCursorPos

• 0x5d94d4 - OffsetRect

• 0x5d94d8 - GetWindowLongW

• 0x5d94dc - GetDC

• 0x5d94e0 - SystemParametersInfoW

• 0x5d94e4 - ShowWindow

• 0x5d94e8 - SetWindowPos

• 0x5d94ec - SetWindowTextW

• 0x5d94f0 - SetForegroundWindow

• 0x5d94f4 - FindWindowW

• 0x5d94f8 - SetFocus

• 0x5d94fc - PtInRect

• 0x5d9500 - EqualRect

• 0x5d9504 - IsRectEmpty

• 0x5d9508 - UnionRect

• 0x5d950c - CopyRect

• 0x5d9510 - SetRect

• 0x5d9514 - SetCursor

• 0x5d9518 - KillTimer

• 0x5d951c - GetParent

• 0x5d9520 - SetWindowLongW

• 0x5d9524 - MapWindowPoints

• 0x5d9528 - SetTimer

• 0x5d952c - DestroyWindow

• 0x5d9530 - DestroyCursor

• 0x5d9534 - LoadCursorW

• 0x5d9538 - IntersectRect

• 0x5d953c - UnregisterClassW

• 0x5d9540 - GetIconInfo

• 0x5d9544 - DrawIconEx

• 0x5d9548 - InflateRect

• 0x5d954c - ReleaseDC

• 0x5d9550 - MapVirtualKeyA

库 ADVAPI32.dll:

• 0x5d9000 - RegOpenKeyExW

• 0x5d9004 - RegQueryValueExW

• 0x5d9008 - RegCreateKeyExW

• 0x5d900c - RegSetValueExW

• 0x5d9010 - ImpersonateLoggedOnUser

• 0x5d9014 - RevertToSelf

• 0x5d9018 - RegOpenKeyW

• 0x5d901c - RegEnumKeyW

• 0x5d9020 - DuplicateTokenEx

• 0x5d9024 - CreateProcessAsUserW

• 0x5d9028 - LookupAccountSidW

• 0x5d902c - RegCloseKey

• 0x5d9030 - SetSecurityDescriptorDacl

• 0x5d9034 - InitializeSecurityDescriptor

• 0x5d9038 - SetTokenInformation

• 0x5d903c - GetTokenInformation

• 0x5d9040 - OpenProcessToken

库 SHELL32.dll:

• 0x5d93a4 - ShellExecuteW

• 0x5d93a8 - SHGetSpecialFolderPathW

• 0x5d93ac - SHGetFolderPathW

• 0x5d93b0 - SHGetPathFromIDListW

• 0x5d93b4 - SHBrowseForFolderW

库 ole32.dll:

• 0x5d9664 - CoCreateGuid

• 0x5d9668 - OleLockRunning

• 0x5d966c - CLSIDFromString

• 0x5d9670 - CLSIDFromProgID

• 0x5d9674 - CoCreateInstance

• 0x5d9678 - OleInitialize

• 0x5d967c - OleUninitialize

• 0x5d9680 - CreateStreamOnHGlobal

• 0x5d9684 - CoInitialize

• 0x5d9688 - CoUninitialize

• 0x5d968c - CreateBindCtx

库 SHLWAPI.dll:

• 0x5d93bc - PathFileExistsW

• 0x5d93c0 - StrToIntExW

库 PSAPI.DLL:

• 0x5d9390 - GetModuleFileNameExW

• 0x5d9394 - EnumProcessModules

• 0x5d9398 - EnumProcesses

• 0x5d939c - GetProcessImageFileNameW

库 CRYPT32.dll:

• 0x5d9048 - CryptMsgGetParam

• 0x5d904c - CertCloseStore

• 0x5d9050 - CertFindCertificateInStore

• 0x5d9054 - CertFreeCertificateContext

• 0x5d9058 - CertGetNameStringW

• 0x5d905c - CryptQueryObject

• 0x5d9060 - CryptMsgClose

库 gdiplus.dll:

• 0x5d95f4 - GdipImageGetFrameCount

• 0x5d95f8 - GdipGetImageEncoders

• 0x5d95fc - GdipAlloc

• 0x5d9600 - GdipFree

• 0x5d9604 - GdiplusStartup

• 0x5d9608 - GdiplusShutdown

• 0x5d960c - GdipCloneImage

• 0x5d9610 - GdipDisposeImage

• 0x5d9614 - GdipGetImageGraphicsContext

• 0x5d9618 - GdipGetImageWidth

• 0x5d961c - GdipGetImageHeight

• 0x5d9620 - GdipImageGetFrameDimensionsCount

• 0x5d9624 - GdipImageGetFrameDimensionsList

• 0x5d9628 - GdipImageSelectActiveFrame

• 0x5d962c - GdipGetPropertyItemSize

• 0x5d9630 - GdipGetPropertyItem

• 0x5d9634 - GdipCreateBitmapFromStream

• 0x5d9638 - GdipCreateBitmapFromFile

• 0x5d963c - GdipCreateBitmapFromScan0

• 0x5d9640 - GdipBitmapLockBits

• 0x5d9644 - GdipBitmapUnlockBits

• 0x5d9648 - GdipDeleteGraphics

• 0x5d964c - GdipDrawImageI

• 0x5d9650 - GdipSaveImageToFile

• 0x5d9654 - GdipGraphicsClear

• 0x5d9658 - GdipGetImageEncodersSize

• 0x5d965c - GdipDrawImageRectI

库 IMM32.dll:

• 0x5d9114 - ImmAssociateContext

• 0x5d9118 - ImmReleaseContext

• 0x5d911c - ImmGetContext

库 GDI32.dll:

• 0x5d9068 - SetBkMode

• 0x5d906c - StretchBlt

• 0x5d9070 - Rectangle

• 0x5d9074 - EnumFontsW

• 0x5d9078 - BitBlt

• 0x5d907c - GetViewportOrgEx

• 0x5d9080 - GetCurrentObject

• 0x5d9084 - SetViewportOrgEx

• 0x5d9088 - GetStockObject

• 0x5d908c - CreateSolidBrush

• 0x5d9090 - CreateFontIndirectW

• 0x5d9094 - SetGraphicsMode

• 0x5d9098 - GetDeviceCaps

• 0x5d909c - CreateRoundRectRgn

• 0x5d90a0 - GetObjectW

• 0x5d90a4 - CreateDIBSection

• 0x5d90a8 - SelectObject

• 0x5d90ac - SelectClipRgn

• 0x5d90b0 - IntersectClipRect

• 0x5d90b4 - GetRegionData

• 0x5d90b8 - ExtCreateRegion

• 0x5d90bc - DeleteObject

• 0x5d90c0 - DeleteDC

• 0x5d90c4 - GdiFlush

• 0x5d90c8 - GetTextFaceW

• 0x5d90cc - ExtTextOutW

• 0x5d90d0 - SetWorldTransform

• 0x5d90d4 - GetTextMetricsW

• 0x5d90d8 - SetTextAlign

• 0x5d90dc - SetTextColor

• 0x5d90e0 - RemoveFontMemResourceEx

• 0x5d90e4 - AddFontMemResourceEx

• 0x5d90e8 - GetTextExtentPointI

• 0x5d90ec - GetGlyphIndicesW

• 0x5d90f0 - GetFontUnicodeRanges

• 0x5d90f4 - GetOutlineTextMetricsW

• 0x5d90f8 - GetGlyphOutlineW

• 0x5d90fc - GetFontData

• 0x5d9100 - GetCharABCWidthsW

• 0x5d9104 - EnumFontFamiliesExW

• 0x5d9108 - CreateCompatibleDC

• 0x5d910c - CreateBitmap

库 OLEAUT32.dll:

• 0x5d9384 - SysAllocString

• 0x5d9388 - SysFreeString

库 USERENV.dll:

• 0x5d9558 - DestroyEnvironmentBlock

• 0x5d955c - CreateEnvironmentBlock

库 WS2_32.dll:

• 0x5d9574 - getsockopt

• 0x5d9578 - htons

• 0x5d957c - ntohs

• 0x5d9580 - setsockopt

• 0x5d9584 - WSASetLastError

• 0x5d9588 - htonl

• 0x5d958c - inet_addr

• 0x5d9590 - inet_ntoa

• 0x5d9594 - gethostbyaddr

• 0x5d9598 - gethostbyname

• 0x5d959c - getsockname

• 0x5d95a0 - getservbyname

• 0x5d95a4 - __WSAFDIsSet

• 0x5d95a8 - select

• 0x5d95ac - recvfrom

• 0x5d95b0 - sendto

• 0x5d95b4 - accept

• 0x5d95b8 - listen

• 0x5d95bc - ioctlsocket

• 0x5d95c0 - gethostname

• 0x5d95c4 - getpeername

• 0x5d95c8 - connect

• 0x5d95cc - bind

• 0x5d95d0 - send

• 0x5d95d4 - recv

• 0x5d95d8 - WSAGetLastError

• 0x5d95dc - socket

• 0x5d95e0 - closesocket

• 0x5d95e4 - WSACleanup

• 0x5d95e8 - getservbyport

• 0x5d95ec - WSAStartup

库 USP10.dll:

• 0x5d9564 - ScriptFreeCache

• 0x5d9568 - ScriptItemize

• 0x5d956c - ScriptShape

投放文件

无信息

行为分析

互斥量(Mutexes)

FlowerShopAssistantSetup
Local\MSCTF.Asm.MutexDefault1

执行的命令 无信息

创建的服务 无信息

启动的服务 无信息

进程

setup_hglxnb001.exe PID: 2392, 上一级进程 PID: 2176

访问的文件

C:\Users\test\AppData\Local\Temp\api-ms-win-core-fibers-l1-1-1.DLL
C:\Windows\System32\api-ms-win-core-fibers-l1-1-1.DLL
C:\Windows\system\api-ms-win-core-fibers-l1-1-1.DLL
C:\Windows\api-ms-win-core-fibers-l1-1-1.DLL
C:\ProgramData\Oracle\Java\javapath\api-ms-win-core-fibers-l1-1-1.DLL
C:\Windows\System32\wbem\api-ms-win-core-fibers-l1-1-1.DLL
C:\Windows\System32\WindowsPowerShell\v1.0\api-ms-win-core-fibers-l1-1-1.DLL
C:\Program Files (x86)\WinRAR\api-ms-win-core-fibers-l1-1-1.DLL
C:\Program Files (x86)\Common Files\FlowerShopAssistant\FlowerShopAssistant.ini
C:\Program Files (x86)\FlowerShopAssistant\
C:\Users\test\AppData\Local\Temp\FlowerShopAssistant.ini
C:\Program Files (x86)\FlowerShopAssistant\FlowerShopAssistant.ini
C:\Users\test\AppData\Local
C:\Users\test\AppData\LocalLow
C:\Users\test\AppData\Roaming
C:\Users\test\AppData\LocalLow\FlowerShopAssistant\
C:\Users\test\AppData\Local\Temp
C:\Users
C:\Users\test
C:\Users\test\AppData
C:\Users\test\AppData\LocalLow\FlowerShopAssistant
C:\Users\test\AppData\LocalLow\FlowerShopAssistant\HGConfig
C:\Users\test\AppData\LocalLow\FlowerShopAssistant\HGConfig\HGUse.ini
C:\Users\test\AppData\Local\Temp\api-ms-win-core-sysinfo-l1-2-1.DLL
C:\Windows\System32\api-ms-win-core-sysinfo-l1-2-1.DLL
C:\Windows\system\api-ms-win-core-sysinfo-l1-2-1.DLL
C:\Windows\api-ms-win-core-sysinfo-l1-2-1.DLL
C:\ProgramData\Oracle\Java\javapath\api-ms-win-core-sysinfo-l1-2-1.DLL
C:\Windows\System32\wbem\api-ms-win-core-sysinfo-l1-2-1.DLL
C:\Windows\System32\WindowsPowerShell\v1.0\api-ms-win-core-sysinfo-l1-2-1.DLL
C:\Program Files (x86)\WinRAR\api-ms-win-core-sysinfo-l1-2-1.DLL
C:\Windows\System32\tzres.dll
C:\Program Files (x86)\FlowerShopAssistant\Shop.exe
C:\Program Files (x86)\FlowerShopAssistant\FSUpd.exe
C:\Program Files (x86)\FlowerShopAssistant\Uninst.exe
C:\Program Files (x86)\FlowerShopAssistant\Umanlike.exe
C:\Program Files (x86)\FlowerShopAssistant\Svccen.exe
C:\Program Files (x86)\FlowerShopAssistant\Patemar.exe
C:\Program Files (x86)\FlowerShopAssistant\Patemar64.exe
C:\Program Files (x86)\FlowerShopAssistant\hghshtol.exe
\Device\KsecDD
C:\Users\test\AppData\Local\Temp\
C:\Windows\win.ini
C:\
C:\Users\test\AppData\Local\Temp\api-ms-win-appmodel-runtime-l1-1-1.DLL
C:\Windows\System32\api-ms-win-appmodel-runtime-l1-1-1.DLL
C:\Windows\system\api-ms-win-appmodel-runtime-l1-1-1.DLL
C:\Windows\api-ms-win-appmodel-runtime-l1-1-1.DLL
C:\ProgramData\Oracle\Java\javapath\api-ms-win-appmodel-runtime-l1-1-1.DLL
C:\Windows\System32\wbem\api-ms-win-appmodel-runtime-l1-1-1.DLL
C:\Windows\System32\WindowsPowerShell\v1.0\api-ms-win-appmodel-runtime-l1-1-1.DLL
C:\Program Files (x86)\WinRAR\api-ms-win-appmodel-runtime-l1-1-1.DLL
C:\Users\test\AppData\Local\Temp\ext-ms-win-kernel32-package-current-l1-1-0.DLL

读取的文件

C:\Users\test\AppData\Local\Temp\api-ms-win-core-fibers-l1-1-1.DLL
C:\Windows\System32\api-ms-win-core-fibers-l1-1-1.DLL
C:\Program Files (x86)\Common Files\FlowerShopAssistant\FlowerShopAssistant.ini
C:\Users\test\AppData\Local\Temp\FlowerShopAssistant.ini
C:\Program Files (x86)\FlowerShopAssistant\FlowerShopAssistant.ini
C:\Users\test\AppData\LocalLow\FlowerShopAssistant\HGConfig\HGUse.ini
C:\Windows\System32\tzres.dll
\Device\KsecDD
C:\Windows\win.ini
C:\Users\test\AppData\Local\Temp\api-ms-win-appmodel-runtime-l1-1-1.DLL
C:\Users\test\AppData\Local\Temp\ext-ms-win-kernel32-package-current-l1-1-0.DLL

修改的文件

C:\Users\test\AppData\LocalLow\FlowerShopAssistant\HGConfig\HGUse.ini

删除的文件 无信息

注册表键

HKEY_LOCAL_MACHINE\SOFTWARE\FlowerShopAssistant
HKEY_CURRENT_USER\SoftWare
HKEY_CURRENT_USER\Software\FlowerShopAssistant
HKEY_CURRENT_USER\Software\FlowerShopAssistant\HGAppInfo
HKEY_CURRENT_USER\Software\FlowerShopAssistant\HGAppInfo\CfgPath
HKEY_LOCAL_MACHINE\SoftWare
HKEY_CURRENT_USER\Software\FlowerShopAssistant\HGAppInfo\QID
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\WMR
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_CURRENT_USER\Software\FlowerShopAssistant\HGSetting
HKEY_CURRENT_USER\Software\FlowerShopAssistant\HGSetting\3b9c4
HKEY_CURRENT_USER
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\ScrollInset
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\DragDelay
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\DragMinDist
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\ScrollDelay
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\ScrollInterval
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\setup_hglxnb001.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{03B5835F-F03C-411B-9CE2-AA23E1171E36}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{07EB03D6-B001-41DF-9192-BF9B841EE71F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3697C5FA-60DD-4B56-92D4-74A569205C16}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3FC47A08-E5C9-4BCA-A2C7-BC9A282AED14}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{531FDEBF-9B4C-4A43-A2AA-960E8FCDC732}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{78CB5B0E-26ED-4FCC-854C-77E8F3D1AA80}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{81D4E9C9-1D3B-41BC-9E6C-4B40BF79E35E}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{8613E14C-D0C0-4161-AC0F-1DD2563286BC}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{A028AE76-01B1-46C2-99C4-ACD9858AE02F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{AE6BE008-07FB-400D-8BEB-337A64F7051F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{C1EE01F2-B3B6-4A6A-9DDD-E988C088EC82}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{E429B25A-E5D3-4D1F-9BE3-0C608477E3A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F25E9F57-2FC8-4EB3-A41A-CCE5F08541E6}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F89E9E58-BD2F-4008-9AC2-0F816C09F4EE}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_CURRENT_USER\Keyboard Layout\Toggle
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
HKEY_CURRENT_USER\Software\Microsoft\CTF\DirectSwitchHotkeys
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\KnownClasses

读取的注册表键

HKEY_CURRENT_USER\Software\FlowerShopAssistant\HGAppInfo\CfgPath
HKEY_CURRENT_USER\Software\FlowerShopAssistant\HGAppInfo\QID
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\ScrollInset
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\DragDelay
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\DragMinDist
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\ScrollDelay
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\ScrollInterval
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext

修改的注册表键

HKEY_CURRENT_USER\Software\FlowerShopAssistant
HKEY_CURRENT_USER\Software\FlowerShopAssistant\HGAppInfo
HKEY_CURRENT_USER\Software\FlowerShopAssistant\HGSetting
HKEY_CURRENT_USER\Software\FlowerShopAssistant\HGSetting\3b9c4

删除的注册表键 无信息

API解析

kernel32.dll.FlsAlloc
kernel32.dll.FlsSetValue
kernel32.dll.FlsGetValue
api-ms-win-core-localization-l1-2-1.dll.LCMapStringEx
kernel32.dll.FlsFree
kernel32.dll.InitializeCriticalSectionEx
kernel32.dll.InitOnceExecuteOnce
kernel32.dll.CreateEventExW
kernel32.dll.CreateSemaphoreW
kernel32.dll.CreateSemaphoreExW
kernel32.dll.CreateThreadpoolTimer
kernel32.dll.SetThreadpoolTimer
kernel32.dll.WaitForThreadpoolTimerCallbacks
kernel32.dll.CloseThreadpoolTimer
kernel32.dll.CreateThreadpoolWait
kernel32.dll.SetThreadpoolWait
kernel32.dll.CloseThreadpoolWait
kernel32.dll.FlushProcessWriteBuffers
kernel32.dll.FreeLibraryWhenCallbackReturns
kernel32.dll.GetCurrentProcessorNumber
kernel32.dll.CreateSymbolicLinkW
kernel32.dll.GetTickCount64
kernel32.dll.GetFileInformationByHandleEx
kernel32.dll.SetFileInformationByHandle
kernel32.dll.InitializeConditionVariable
kernel32.dll.WakeConditionVariable
kernel32.dll.WakeAllConditionVariable
kernel32.dll.SleepConditionVariableCS
kernel32.dll.InitializeSRWLock
kernel32.dll.AcquireSRWLockExclusive
kernel32.dll.TryAcquireSRWLockExclusive
kernel32.dll.ReleaseSRWLockExclusive
kernel32.dll.SleepConditionVariableSRW
kernel32.dll.CreateThreadpoolWork
kernel32.dll.SubmitThreadpoolWork
kernel32.dll.CloseThreadpoolWork
kernel32.dll.CompareStringEx
kernel32.dll.GetLocaleInfoEx
kernel32.dll.LCMapStringEx
cryptbase.dll.SystemFunction036
user32.dll.UpdateLayeredWindow
user32.dll.UpdateLayeredWindowIndirect
riched20.dll.CreateTextServices
kernel32.dll.IsProcessorFeaturePresent
user32.dll.GetWindowInfo
user32.dll.GetAncestor
user32.dll.GetMonitorInfoA
user32.dll.EnumDisplayMonitors
user32.dll.EnumDisplayDevicesA
gdi32.dll.ExtTextOutW
gdi32.dll.GdiIsMetaPrintDC
ole32.dll.CoInitializeEx
ole32.dll.CoUninitialize
ole32.dll.CoRegisterInitializeSpy
ole32.dll.CoRevokeInitializeSpy
ext-ms-win-kernel32-package-current-l1-1-0.dll.GetCurrentPackageId
ws2_32.dll.getaddrinfo
ws2_32.dll.getnameinfo
ws2_32.dll.freeaddrinfo