魔盾安全分析报告
| 分析类型 | 开始时间 | 结束时间 | 持续时间 | 分析引擎版本 |
|---|---|---|---|---|
| FILE | 2022-08-19 12:08:14 | 2022-08-19 12:10:27 | 133 秒 | 1.4-Maldun |
| 虚拟机机器名 | 标签 | 虚拟机管理 | 开机时间 | 关机时间 |
|---|---|---|---|---|
| win7-sp1-x64-shaapp02-1 | win7-sp1-x64-shaapp02-1 | KVM | 2022-08-19 12:08:15 | 2022-08-19 12:10:28 |
| 魔盾分数 |
|---|
10.0恶意的 |
文件详细信息
| 文件名 | Setup.exe |
|---|---|
| 文件大小 | 8587482 字节 |
| 文件类型 | PE32 executable (GUI) Intel 80386, for MS Windows |
| CRC32 | 83750BA0 |
| MD5 | 7d3f6321b670af1cb84af4c1188a1580 |
| SHA1 | 3c5e770a8619e7efbcf89a8d269436402d38405b |
| SHA256 | 25361db1e21ee881a372c1ed78b602372288582da0e696d79da1009a10e7da51 |
| SHA512 | 659a10173b8d80a14e6eef586e1c36da9a6f35e6b9595deb067eabc3ce095bd289e4432f92b6c734cf7c674efb0e15effe59399afc138946633df8d9025416f8 |
| Ssdeep | 98304:vxPltKDKWsxd9yT2Wm+CvBExqZhA4xdXd5MBqrBhOzZ1JpSZKzOajFEFdRE:j7xd9yTW3EkXA47oAOzZ/XOajEg |
| PEiD | 无匹配 |
| Yara |
|
| VirusTotal | VirusTotal查询失败 |
特征
创建RWX内存
从文件自身的二进制镜像中读取数据
self_read: process: Setup.exe, pid: 2592, offset: 0x00000000, length: 0x008308da
魔盾安全Yara规则检测结果 - 高危
Critical: Spotted potential malicious behaviors from a small size target, like process manipultion, privilege, token and files
可能是恶意的样本写入可疑的执行文件并混淆扩展名
Suspicious: c:\users\test\appdata\local\temp\1260e7d.tmptempsystemcall.%setup%
Suspicious: c:\users\test\appdata\local\temp\1260e7d.tmptempsystemcall.%setup%
Suspicious: c:\users\test\appdata\local\temp\1260e7d.tmptempsystemcall.%setup%
Suspicious: c:\users\test\appdata\local\temp\1260e7d.tmptempsystemcall.%setup%
运行截图
网络分析
TCP连接
| IP地址 | 端口 |
|---|---|
| 184.30.30.64 | 80 |
UDP连接
| IP地址 | 端口 |
|---|---|
| 192.168.122.1 | 53 |
HTTP请求
| URL | HTTP数据 |
|---|---|
| http://acroipm.adobe.com/11/rdr/CHS/win/nooem/none/message.zip | GET /11/rdr/CHS/win/nooem/none/message.zip HTTP/1.1 Accept: */* If-Modified-Since: Mon, 08 Nov 2017 08:44:36 GMT User-Agent: IPM Host: acroipm.adobe.com Connection: Keep-Alive Cache-Control: no-cache |
静态分析
PE 信息
| 初始地址 | 0x00400000 |
|---|---|
| 入口地址 | 0x006b1db0 |
| 声明校验值 | 0x00000000 |
| 实际校验值 | 0x0083e082 |
| 最低操作系统版本要求 | 4.0 |
| 编译时间 | 2018-12-26 18:21:03 |
| 载入哈希 | 5486cdc8c32b0430ab845aa4fbd24a94 |
版本信息
| LegalCopyright: | \u661f\u5bb8\u5355\u673a\u6e38\u620f\u7f51 |
| InternalName: | \u661f\u5bb8\u5355\u673a\u6e38\u620f\u7f51 |
| FileVersion: | \u661f\u5bb8\u5355\u673a\u6e38\u620f\u7f51 |
| CompanyName: | www.xcgame.vip |
| PrivateBuild: | \u661f\u5bb8\u5355\u673a\u6e38\u620f\u7f51 |
| LegalTrademarks: | \u661f\u5bb8\u5355\u673a\u6e38\u620f\u7f51 |
| Comments: | \u661f\u5bb8\u5355\u673a\u6e38\u620f\u7f51 |
| ProductName: | \u661f\u5bb8\u5355\u673a\u6e38\u620f\u7f51 |
| SpecialBuild: | \u661f\u5bb8\u5355\u673a\u6e38\u620f\u7f51 |
| ProductVersion: | \u661f\u5bb8\u5355\u673a\u6e38\u620f\u7f51 |
| FileDescription: | \u661f\u5bb8\u5355\u673a\u6e38\u620f\u7f51 |
| OriginalFilename: | \u661f\u5bb8\u5355\u673a\u6e38\u620f\u7f51 |
| Translation: | 0x0804 0x04b0 |
PE数据组成
| 名称 | 虚拟地址 | 虚拟大小 | 原始数据大小 | 特征 | 熵(Entropy) |
|---|---|---|---|---|---|
| .text | 0x00001000 | 0x002e2d5a | 0x002e3000 | IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ | 6.21 |
| .rdata | 0x002e4000 | 0x0003c346 | 0x0003d000 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 5.90 |
| .data | 0x00321000 | 0x00094851 | 0x00065000 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE | 5.52 |
| .rsrc | 0x003b6000 | 0x000047c4 | 0x00005000 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 6.74 |
覆盖
| 偏移量: | 0x003ba7c4 |
| 大小: | 0x00476116 |
导入
库 kernel32.dll:
• 0x6e4780 - GetFileSize
• 0x6e4784 - ReadFile
• 0x6e4788 - CreateFileA
• 0x6e478c - WriteFile
• 0x6e4790 - CloseHandle
• 0x6e4794 - GetModuleFileNameA
• 0x6e4798 - IsBadReadPtr
• 0x6e479c - HeapFree
• 0x6e47a0 - GetTickCount
• 0x6e47a4 - GetTempPathA
• 0x6e47a8 - Sleep
• 0x6e47ac - GetLocalTime
• 0x6e47b0 - GetCurrentDirectoryA
• 0x6e47b4 - FreeLibrary
• 0x6e47b8 - LoadLibraryA
• 0x6e47bc - LCMapStringA
• 0x6e47c0 - FlushFileBuffers
• 0x6e47c4 - MapViewOfFile
• 0x6e47c8 - LCMapStringW
• 0x6e47cc - IsBadCodePtr
• 0x6e47d0 - SetUnhandledExceptionFilter
• 0x6e47d4 - InterlockedIncrement
• 0x6e47d8 - HeapAlloc
• 0x6e47dc - LocalSize
• 0x6e47e0 - ExitProcess
• 0x6e47e4 - GetProcessHeap
• 0x6e47e8 - VirtualAlloc
• 0x6e47ec - VirtualProtectEx
• 0x6e47f0 - WideCharToMultiByte
• 0x6e47f4 - LocalAlloc
• 0x6e47f8 - lstrlenW
• 0x6e47fc - HeapReAlloc
• 0x6e4800 - InterlockedDecrement
• 0x6e4804 - SetFilePointer
• 0x6e4808 - GetStringTypeW
• 0x6e480c - GetStringTypeA
• 0x6e4810 - GetCommandLineA
• 0x6e4814 - GetVersion
• 0x6e4818 - RtlUnwind
• 0x6e481c - TerminateProcess
• 0x6e4820 - GetCurrentProcess
• 0x6e4824 - GetCurrentThreadId
• 0x6e4828 - TlsSetValue
• 0x6e482c - TlsAlloc
• 0x6e4830 - GetModuleHandleA
• 0x6e4834 - SetStdHandle
• 0x6e4838 - RtlMoveMemory
• 0x6e483c - LocalFree
• 0x6e4840 - GlobalAlloc
• 0x6e4844 - GlobalLock
• 0x6e4848 - TlsFree
• 0x6e484c - SetLastError
• 0x6e4850 - TlsGetValue
• 0x6e4854 - GetLastError
• 0x6e4858 - SetHandleCount
• 0x6e485c - GetStdHandle
• 0x6e4860 - GetFileType
• 0x6e4864 - GetStartupInfoA
• 0x6e4868 - DeleteCriticalSection
• 0x6e486c - FreeEnvironmentStringsA
• 0x6e4870 - FreeEnvironmentStringsW
• 0x6e4874 - GetEnvironmentStrings
• 0x6e4878 - GetEnvironmentStringsW
• 0x6e487c - GetEnvironmentVariableA
• 0x6e4880 - GetVersionExA
• 0x6e4884 - HeapDestroy
• 0x6e4888 - HeapCreate
• 0x6e488c - VirtualFree
• 0x6e4890 - RaiseException
• 0x6e4894 - GlobalUnlock
• 0x6e4898 - GlobalFree
• 0x6e489c - LoadLibraryW
• 0x6e48a0 - GetProcAddress
• 0x6e48a4 - MultiByteToWideChar
• 0x6e48a8 - CreateFileMappingA
• 0x6e48ac - IsBadWritePtr
• 0x6e48b0 - InitializeCriticalSection
• 0x6e48b4 - EnterCriticalSection
• 0x6e48b8 - LeaveCriticalSection
• 0x6e48bc - GetCPInfo
• 0x6e48c0 - GetACP
• 0x6e48c4 - GetOEMCP
库 user32.dll:
• 0x6e4904 - GetWindowRect
• 0x6e4908 - CloseClipboard
• 0x6e490c - GetWindowLongA
• 0x6e4910 - GetClassNameA
• 0x6e4914 - MessageBoxA
• 0x6e4918 - wsprintfA
• 0x6e491c - GetCursorPos
• 0x6e4920 - GetClipboardData
• 0x6e4924 - UpdateLayeredWindow
• 0x6e4928 - TranslateMessage
• 0x6e492c - DispatchMessageA
• 0x6e4930 - OpenClipboard
• 0x6e4934 - GetSystemMetrics
• 0x6e4938 - EnumWindows
• 0x6e493c - GetAncestor
• 0x6e4940 - ReleaseDC
• 0x6e4944 - IsWindow
• 0x6e4948 - CallWindowProcA
• 0x6e494c - SendMessageA
• 0x6e4950 - EnumChildWindows
• 0x6e4954 - TrackMouseEvent
• 0x6e4958 - GetMessageA
• 0x6e495c - GetPropA
• 0x6e4960 - SetPropA
• 0x6e4964 - CreateWindowExA
• 0x6e4968 - PeekMessageA
• 0x6e496c - ShowWindow
• 0x6e4970 - GetDC
库 gdi32.dll:
• 0x6e4708 - CreateCompatibleDC
• 0x6e470c - CreateDIBSection
• 0x6e4710 - SelectObject
• 0x6e4714 - DeleteDC
• 0x6e4718 - DeleteObject
库 gdiplus.dll:
• 0x6e4720 - GdipGetImageGraphicsContext
• 0x6e4724 - GdipCreateFromHDC
• 0x6e4728 - GdipCreateBitmapFromScan0
• 0x6e472c - GdipSetSolidFillColor
• 0x6e4730 - GdipCreateSolidFill
• 0x6e4734 - GdipDeleteBrush
• 0x6e4738 - GdipSetTextRenderingHint
• 0x6e473c - GdipGetRegionBounds
• 0x6e4740 - GdiplusStartup
• 0x6e4744 - GdipDisposeImage
• 0x6e4748 - GdipDeletePen
• 0x6e474c - GdipSetSmoothingMode
• 0x6e4750 - GdipGetImageHeight
• 0x6e4754 - GdipGetImageWidth
• 0x6e4758 - GdipDrawRectangleI
• 0x6e475c - GdipLoadImageFromStream
• 0x6e4760 - GdipLoadImageFromFile
库 ole32.dll:
• 0x6e48cc - CoCreateInstance
• 0x6e48d0 - OleRun
• 0x6e48d4 - OleUninitialize
• 0x6e48d8 - OleInitialize
• 0x6e48dc - CreateStreamOnHGlobal
• 0x6e48e0 - CLSIDFromString
• 0x6e48e4 - CLSIDFromProgID
• 0x6e48e8 - CLSIDFromString
库 imm32.dll:
• 0x6e4768 - ImmGetCompositionStringW
• 0x6e476c - ImmReleaseContext
• 0x6e4770 - ImmGetContext
• 0x6e4774 - ImmSetCompositionWindow
• 0x6e4778 - ImmAssociateContext
库 shell32.dll:
• 0x6e48f0 - ShellExecuteA
• 0x6e48f4 - SHAppBarMessage
库 shlwapi.dll:
• 0x6e48fc - PathFileExistsA
库 winmm.dll:
• 0x6e4978 - PlaySoundA
库 KERNEL32.dll:
• 0x6e4174 - VirtualFree
• 0x6e4178 - HeapCreate
• 0x6e417c - HeapDestroy
• 0x6e4180 - GetEnvironmentVariableA
• 0x6e4184 - GetFileType
• 0x6e4188 - GetStdHandle
• 0x6e418c - CloseHandle
• 0x6e4190 - WaitForSingleObject
• 0x6e4194 - GetTickCount
• 0x6e4198 - GetCommandLineA
• 0x6e419c - MulDiv
• 0x6e41a0 - GetDiskFreeSpaceA
• 0x6e41a4 - GetProcAddress
• 0x6e41a8 - GetModuleHandleA
• 0x6e41ac - GetVolumeInformationA
• 0x6e41b0 - SetCurrentDirectoryA
• 0x6e41b4 - GetCurrentDirectoryA
• 0x6e41b8 - SetHandleCount
• 0x6e41bc - FindClose
• 0x6e41c0 - FindFirstFileA
• 0x6e41c4 - GetTempPathA
• 0x6e41c8 - GlobalUnlock
• 0x6e41cc - GlobalLock
• 0x6e41d0 - GlobalAlloc
• 0x6e41d4 - ExpandEnvironmentStringsA
• 0x6e41d8 - Sleep
• 0x6e41dc - CreateEventA
• 0x6e41e0 - CreateThread
• 0x6e41e4 - WritePrivateProfileStringA
• 0x6e41e8 - GetVersionExA
• 0x6e41ec - GetLastError
• 0x6e41f0 - LoadLibraryA
• 0x6e41f4 - FreeLibrary
• 0x6e41f8 - GetFullPathNameA
• 0x6e41fc - GetUserDefaultLCID
• 0x6e4200 - HeapAlloc
• 0x6e4204 - GetProcessHeap
• 0x6e4208 - HeapReAlloc
• 0x6e420c - HeapFree
• 0x6e4210 - GlobalReAlloc
• 0x6e4214 - FindNextFileA
• 0x6e4218 - lstrcpyA
• 0x6e421c - WinExec
• 0x6e4220 - lstrlenA
• 0x6e4224 - lstrcatA
• 0x6e4228 - InitializeCriticalSection
• 0x6e422c - DeleteCriticalSection
• 0x6e4230 - GlobalFree
• 0x6e4234 - GlobalSize
• 0x6e4238 - ExitProcess
• 0x6e423c - GetCurrentThreadId
• 0x6e4240 - GetModuleFileNameA
• 0x6e4244 - lstrlenW
• 0x6e4248 - LockResource
• 0x6e424c - LoadResource
• 0x6e4250 - FindResourceA
• 0x6e4254 - SetEvent
• 0x6e4258 - CreateFileA
• 0x6e425c - WaitForMultipleObjects
• 0x6e4260 - ReadFile
• 0x6e4264 - WriteFile
• 0x6e4268 - GetProfileStringA
• 0x6e426c - LeaveCriticalSection
• 0x6e4270 - EnterCriticalSection
• 0x6e4274 - ReleaseSemaphore
• 0x6e4278 - ResumeThread
• 0x6e427c - CreateSemaphoreA
• 0x6e4280 - CreateMutexA
• 0x6e4284 - ReleaseMutex
• 0x6e4288 - TerminateThread
• 0x6e428c - SuspendThread
• 0x6e4290 - SetEnvironmentVariableA
• 0x6e4294 - LCMapStringA
• 0x6e4298 - LCMapStringW
• 0x6e429c - VirtualAlloc
• 0x6e42a0 - IsBadWritePtr
• 0x6e42a4 - SetUnhandledExceptionFilter
• 0x6e42a8 - GetStringTypeA
• 0x6e42ac - GetStringTypeW
• 0x6e42b0 - CompareStringA
• 0x6e42b4 - CompareStringW
• 0x6e42b8 - IsBadReadPtr
• 0x6e42bc - IsBadCodePtr
• 0x6e42c0 - SetStdHandle
• 0x6e42c4 - VirtualProtect
• 0x6e42c8 - VirtualQuery
• 0x6e42cc - GetSystemInfo
• 0x6e42d0 - InterlockedCompareExchange
• 0x6e42d4 - InterlockedExchange
• 0x6e42d8 - GetEnvironmentStringsW
• 0x6e42dc - GetEnvironmentStrings
• 0x6e42e0 - FreeEnvironmentStringsW
• 0x6e42e4 - FreeEnvironmentStringsA
• 0x6e42e8 - UnhandledExceptionFilter
• 0x6e42ec - GetACP
• 0x6e42f0 - HeapSize
• 0x6e42f4 - TerminateProcess
• 0x6e42f8 - GetLocalTime
• 0x6e42fc - GetSystemTime
• 0x6e4300 - GetTimeZoneInformation
• 0x6e4304 - RaiseException
• 0x6e4308 - RtlUnwind
• 0x6e430c - GetStartupInfoA
• 0x6e4310 - GetOEMCP
• 0x6e4314 - GetCPInfo
• 0x6e4318 - GetProcessVersion
• 0x6e431c - SetErrorMode
• 0x6e4320 - GlobalFlags
• 0x6e4324 - GetCurrentThread
• 0x6e4328 - InterlockedIncrement
• 0x6e432c - InterlockedDecrement
• 0x6e4330 - WideCharToMultiByte
• 0x6e4334 - MultiByteToWideChar
• 0x6e4338 - LocalFree
• 0x6e433c - FileTimeToSystemTime
• 0x6e4340 - FileTimeToLocalFileTime
• 0x6e4344 - SetLastError
• 0x6e4348 - lstrcpynA
• 0x6e434c - DuplicateHandle
• 0x6e4350 - GetCurrentProcess
• 0x6e4354 - SetFilePointer
• 0x6e4358 - FlushFileBuffers
• 0x6e435c - LockFile
• 0x6e4360 - UnlockFile
• 0x6e4364 - SetEndOfFile
• 0x6e4368 - GetStringTypeExA
• 0x6e436c - lstrcmpiA
• 0x6e4370 - GlobalDeleteAtom
• 0x6e4374 - GlobalFindAtomA
• 0x6e4378 - GlobalAddAtomA
• 0x6e437c - GlobalGetAtomNameA
• 0x6e4380 - GetVersion
• 0x6e4384 - lstrcmpA
• 0x6e4388 - LocalAlloc
• 0x6e438c - TlsAlloc
• 0x6e4390 - GlobalHandle
• 0x6e4394 - TlsFree
• 0x6e4398 - TlsSetValue
• 0x6e439c - LocalReAlloc
• 0x6e43a0 - TlsGetValue
• 0x6e43a4 - GetFileSize
• 0x6e43a8 - GetFileTime
• 0x6e43ac - GetFileAttributesA
库 USER32.dll:
• 0x6e4400 - ScreenToClient
• 0x6e4404 - ChildWindowFromPointEx
• 0x6e4408 - CopyRect
• 0x6e440c - LoadBitmapA
• 0x6e4410 - WinHelpA
• 0x6e4414 - KillTimer
• 0x6e4418 - SetTimer
• 0x6e441c - ReleaseCapture
• 0x6e4420 - GetCapture
• 0x6e4424 - SetCapture
• 0x6e4428 - GetScrollRange
• 0x6e442c - SetScrollRange
• 0x6e4430 - SetScrollPos
• 0x6e4434 - SetRect
• 0x6e4438 - InflateRect
• 0x6e443c - IntersectRect
• 0x6e4440 - DestroyIcon
• 0x6e4444 - PtInRect
• 0x6e4448 - OffsetRect
• 0x6e444c - UnregisterClassA
• 0x6e4450 - IsWindowVisible
• 0x6e4454 - EnableWindow
• 0x6e4458 - RedrawWindow
• 0x6e445c - GetWindowLongA
• 0x6e4460 - SetWindowLongA
• 0x6e4464 - SetActiveWindow
• 0x6e4468 - SetCursorPos
• 0x6e446c - LoadCursorA
• 0x6e4470 - SetCursor
• 0x6e4474 - GetDC
• 0x6e4478 - FillRect
• 0x6e447c - IsRectEmpty
• 0x6e4480 - ReleaseDC
• 0x6e4484 - IsChild
• 0x6e4488 - DestroyMenu
• 0x6e448c - SetForegroundWindow
• 0x6e4490 - GetWindowRect
• 0x6e4494 - EqualRect
• 0x6e4498 - UpdateWindow
• 0x6e449c - GetWindowTextA
• 0x6e44a0 - ValidateRect
• 0x6e44a4 - InvalidateRect
• 0x6e44a8 - GetClientRect
• 0x6e44ac - GetFocus
• 0x6e44b0 - GetParent
• 0x6e44b4 - GetTopWindow
• 0x6e44b8 - PostMessageA
• 0x6e44bc - IsWindow
• 0x6e44c0 - SetParent
• 0x6e44c4 - DestroyCursor
• 0x6e44c8 - SendMessageA
• 0x6e44cc - SetWindowPos
• 0x6e44d0 - MessageBoxA
• 0x6e44d4 - GetCursorPos
• 0x6e44d8 - GetSystemMetrics
• 0x6e44dc - EmptyClipboard
• 0x6e44e0 - SetClipboardData
• 0x6e44e4 - OpenClipboard
• 0x6e44e8 - GetClipboardData
• 0x6e44ec - CloseClipboard
• 0x6e44f0 - wsprintfA
• 0x6e44f4 - SetFocus
• 0x6e44f8 - GetWindowTextLengthA
• 0x6e44fc - CharUpperA
• 0x6e4500 - GetWindowDC
• 0x6e4504 - BeginPaint
• 0x6e4508 - EndPaint
• 0x6e450c - TabbedTextOutA
• 0x6e4510 - DrawTextA
• 0x6e4514 - GrayStringA
• 0x6e4518 - GetDlgItem
• 0x6e451c - DestroyWindow
• 0x6e4520 - CreateDialogIndirectParamA
• 0x6e4524 - GetMessagePos
• 0x6e4528 - SetWindowRgn
• 0x6e452c - DestroyAcceleratorTable
• 0x6e4530 - EndDialog
• 0x6e4534 - GetNextDlgTabItem
• 0x6e4538 - GetWindowPlacement
• 0x6e453c - RegisterWindowMessageA
• 0x6e4540 - GetForegroundWindow
• 0x6e4544 - GetLastActivePopup
• 0x6e4548 - IsIconic
• 0x6e454c - PeekMessageA
• 0x6e4550 - SetMenu
• 0x6e4554 - GetMenu
• 0x6e4558 - DeleteMenu
• 0x6e455c - GetSystemMenu
• 0x6e4560 - DefWindowProcA
• 0x6e4564 - GetClassInfoA
• 0x6e4568 - IsZoomed
• 0x6e456c - PostQuitMessage
• 0x6e4570 - CopyAcceleratorTableA
• 0x6e4574 - GetKeyState
• 0x6e4578 - TranslateAcceleratorA
• 0x6e457c - IsWindowEnabled
• 0x6e4580 - ShowWindow
• 0x6e4584 - SystemParametersInfoA
• 0x6e4588 - LoadImageA
• 0x6e458c - EnumDisplaySettingsA
• 0x6e4590 - ClientToScreen
• 0x6e4594 - EnableMenuItem
• 0x6e4598 - TranslateMessage
• 0x6e459c - GetMessageTime
• 0x6e45a0 - RemovePropA
• 0x6e45a4 - CallWindowProcA
• 0x6e45a8 - GetPropA
• 0x6e45ac - UnhookWindowsHookEx
• 0x6e45b0 - SetPropA
• 0x6e45b4 - GetClassLongA
• 0x6e45b8 - CallNextHookEx
• 0x6e45bc - SetWindowsHookExA
• 0x6e45c0 - CreateWindowExA
• 0x6e45c4 - GetMenuItemID
• 0x6e45c8 - GetMenuItemCount
• 0x6e45cc - RegisterClassA
• 0x6e45d0 - GetScrollPos
• 0x6e45d4 - AdjustWindowRectEx
• 0x6e45d8 - MapWindowPoints
• 0x6e45dc - SendDlgItemMessageA
• 0x6e45e0 - ScrollWindowEx
• 0x6e45e4 - IsDialogMessageA
• 0x6e45e8 - SetWindowTextA
• 0x6e45ec - MoveWindow
• 0x6e45f0 - CheckMenuItem
• 0x6e45f4 - SetMenuItemBitmaps
• 0x6e45f8 - GetMenuState
• 0x6e45fc - GetMenuCheckMarkDimensions
• 0x6e4600 - GetClassNameA
• 0x6e4604 - GetDesktopWindow
• 0x6e4608 - LoadStringA
• 0x6e460c - GetSysColorBrush
• 0x6e4610 - GetWindow
• 0x6e4614 - GetActiveWindow
• 0x6e4618 - LoadIconA
• 0x6e461c - DrawFrameControl
• 0x6e4620 - DrawEdge
• 0x6e4624 - DrawFocusRect
• 0x6e4628 - WindowFromPoint
• 0x6e462c - GetMessageA
• 0x6e4630 - DispatchMessageA
• 0x6e4634 - SetRectEmpty
• 0x6e4638 - RegisterClipboardFormatA
• 0x6e463c - CreateIconFromResourceEx
• 0x6e4640 - CreateIconFromResource
• 0x6e4644 - DrawIconEx
• 0x6e4648 - CreatePopupMenu
• 0x6e464c - AppendMenuA
• 0x6e4650 - ModifyMenuA
• 0x6e4654 - CreateMenu
• 0x6e4658 - CreateAcceleratorTableA
• 0x6e465c - GetDlgCtrlID
• 0x6e4660 - GetSubMenu
• 0x6e4664 - GetSysColor
库 GDI32.dll:
• 0x6e4028 - CreateSolidBrush
• 0x6e402c - FillRgn
• 0x6e4030 - CreateRectRgn
• 0x6e4034 - CombineRgn
• 0x6e4038 - PatBlt
• 0x6e403c - Ellipse
• 0x6e4040 - Rectangle
• 0x6e4044 - LPtoDP
• 0x6e4048 - GetTextMetricsA
• 0x6e404c - Escape
• 0x6e4050 - ExtTextOutA
• 0x6e4054 - TextOutA
• 0x6e4058 - RectVisible
• 0x6e405c - PtVisible
• 0x6e4060 - GetViewportExtEx
• 0x6e4064 - ExtSelectClipRgn
• 0x6e4068 - LineTo
• 0x6e406c - MoveToEx
• 0x6e4070 - ExcludeClipRect
• 0x6e4074 - GetClipBox
• 0x6e4078 - ScaleWindowExtEx
• 0x6e407c - SetWindowExtEx
• 0x6e4080 - DPtoLP
• 0x6e4084 - ScaleViewportExtEx
• 0x6e4088 - CreateFontIndirectA
• 0x6e408c - OffsetViewportOrgEx
• 0x6e4090 - SetViewportOrgEx
• 0x6e4094 - SetMapMode
• 0x6e4098 - SetTextColor
• 0x6e409c - SetROP2
• 0x6e40a0 - SetPolyFillMode
• 0x6e40a4 - SetBkMode
• 0x6e40a8 - RestoreDC
• 0x6e40ac - SaveDC
• 0x6e40b0 - CreatePen
• 0x6e40b4 - SelectObject
• 0x6e40b8 - CreateBitmap
• 0x6e40bc - CreateDCA
• 0x6e40c0 - CreateCompatibleBitmap
• 0x6e40c4 - GetPolyFillMode
• 0x6e40c8 - GetStretchBltMode
• 0x6e40cc - GetROP2
• 0x6e40d0 - GetBkColor
• 0x6e40d4 - GetBkMode
• 0x6e40d8 - GetTextColor
• 0x6e40dc - CreateRoundRectRgn
• 0x6e40e0 - CreateEllipticRgn
• 0x6e40e4 - PathToRegion
• 0x6e40e8 - BeginPath
• 0x6e40ec - GetWindowOrgEx
• 0x6e40f0 - GetViewportOrgEx
• 0x6e40f4 - GetWindowExtEx
• 0x6e40f8 - GetDIBits
• 0x6e40fc - RealizePalette
• 0x6e4100 - SelectPalette
• 0x6e4104 - StretchBlt
• 0x6e4108 - CreatePalette
• 0x6e410c - GetSystemPaletteEntries
• 0x6e4110 - CreateDIBitmap
• 0x6e4114 - DeleteObject
• 0x6e4118 - SelectClipRgn
• 0x6e411c - CreatePolygonRgn
• 0x6e4120 - GetClipRgn
• 0x6e4124 - SetStretchBltMode
• 0x6e4128 - CreateRectRgnIndirect
• 0x6e412c - SetBkColor
• 0x6e4130 - GetDeviceCaps
• 0x6e4134 - GetStockObject
• 0x6e4138 - GetObjectA
• 0x6e413c - EndPage
• 0x6e4140 - EndDoc
• 0x6e4144 - DeleteDC
• 0x6e4148 - StartDocA
• 0x6e414c - StartPage
• 0x6e4150 - BitBlt
• 0x6e4154 - CreateCompatibleDC
• 0x6e4158 - SetViewportExtEx
• 0x6e415c - GetCurrentObject
• 0x6e4160 - RoundRect
• 0x6e4164 - GetTextExtentPoint32A
• 0x6e4168 - SetWindowOrgEx
• 0x6e416c - EndPath
库 WINMM.dll:
• 0x6e466c - midiStreamRestart
• 0x6e4670 - midiOutPrepareHeader
• 0x6e4674 - midiStreamProperty
• 0x6e4678 - midiStreamOpen
• 0x6e467c - midiOutUnprepareHeader
• 0x6e4680 - waveOutOpen
• 0x6e4684 - waveOutGetNumDevs
• 0x6e4688 - waveOutClose
• 0x6e468c - waveOutReset
• 0x6e4690 - waveOutPause
• 0x6e4694 - waveOutWrite
• 0x6e4698 - waveOutPrepareHeader
• 0x6e469c - waveOutUnprepareHeader
• 0x6e46a0 - waveOutRestart
• 0x6e46a4 - midiStreamStop
• 0x6e46a8 - midiOutReset
• 0x6e46ac - midiStreamClose
• 0x6e46b0 - midiStreamOut
库 WINSPOOL.DRV:
• 0x6e46b8 - ClosePrinter
• 0x6e46bc - DocumentPropertiesA
• 0x6e46c0 - OpenPrinterA
库 ADVAPI32.dll:
• 0x6e4000 - RegSetValueExA
• 0x6e4004 - RegOpenKeyExA
• 0x6e4008 - RegQueryValueExA
• 0x6e400c - RegCloseKey
• 0x6e4010 - RegQueryValueA
• 0x6e4014 - RegCreateKeyExA
库 SHELL32.dll:
• 0x6e43f4 - ShellExecuteA
• 0x6e43f8 - Shell_NotifyIconA
库 OLEAUT32.dll:
• 0x6e43b4 - UnRegisterTypeLib
• 0x6e43b8 - LoadTypeLib
• 0x6e43bc - LHashValOfNameSys
• 0x6e43c0 - RegisterTypeLib
• 0x6e43c4 - SysAllocString
• 0x6e43c8 - VariantInit
• 0x6e43cc - VariantCopyInd
• 0x6e43d0 - SafeArrayGetElement
• 0x6e43d4 - SafeArrayAccessData
• 0x6e43d8 - SafeArrayUnaccessData
• 0x6e43dc - SafeArrayGetDim
• 0x6e43e0 - SafeArrayGetLBound
• 0x6e43e4 - SafeArrayGetUBound
• 0x6e43e8 - VariantChangeType
• 0x6e43ec - VariantClear
库 COMCTL32.dll:
• 0x6e401c - None
• 0x6e4020 - ImageList_Destroy
库 WS2_32.dll:
• 0x6e46c8 - WSAAsyncSelect
• 0x6e46cc - closesocket
• 0x6e46d0 - WSACleanup
• 0x6e46d4 - inet_ntoa
• 0x6e46d8 - recvfrom
• 0x6e46dc - ioctlsocket
• 0x6e46e0 - recv
• 0x6e46e4 - getpeername
• 0x6e46e8 - accept
• 0x6e46ec - ntohl
库 comdlg32.dll:
• 0x6e46f4 - GetOpenFileNameA
• 0x6e46f8 - GetSaveFileNameA
• 0x6e46fc - ChooseColorA
• 0x6e4700 - GetFileTitleA
投放文件
行为分析
互斥量(Mutexes)
- Local\MSCTF.Asm.MutexDefault1
执行的命令
- C:\Users\test\AppData\Local\Temp\Plus-ing\Template.exe testverydata
创建的服务
无信息
启动的服务
无信息
进程
Setup.exe PID: 2592, 上一级进程 PID: 2256
访问的文件
- C:\Windows\Globalization\Sorting\sortdefault.nls
- C:\Users\test\AppData\Local\GDIPFONTCACHEV1.DAT
- C:\Windows\Fonts\AGENCYR.TTF
- C:\Windows\Fonts\simsun.ttc
- C:\Users\test\AppData\Local\Temp\kernel32.dll
- C:\Users\test\AppData\Local\Temp\kernel32.DLL
- C:\Users\test\AppData\Local\Temp\12609cb.tmp
- C:\Windows\Fonts\msyh.ttf
- C:\Windows\Fonts\msyhbd.ttf
- C:\Users\test\AppData\Local\Temp\1260b22.tmp
- C:\
- C:\Users\test\AppData\Local\Temp\1260b22.tmp.TempSystem.%Setup%
- C:\Users\test\AppData\Local\Temp\1260b60.tmp
- C:\Users\test\AppData\Local\Temp\Setup.exe
- C:\Users\test\AppData\Local\Temp\1260e7d.tmp
- C:\Users\test\AppData\Local\Temp\1260e7d.tmpTempSystemCall.%Setup%
- C:\Users\test\AppData\Local\Temp\1260e9b.tmp
- C:\Users\test\AppData\Local\Temp\1260e9b.tmp.\xe6\x88\x91\xe5\x8f\xaf\xe4\xbb\xa5\xe7\xad\x89\xe4\xbd\xa0,\xe4\xbd\x86\xe6\x98\xaf\xe6\x84\x9f\xe8\xa7\x89\xe4\xbd\xa0\xe8\xa6\x81\xe6\x94\xbe\xe6\x89\x8b\xe4\xba\x86
- C:\Users\test\AppData\Local\Temp\cls-*.dll
- D:\
- E:\
- F:\
- G:\
- H:\
- I:\
- J:\
- K:\
- L:\
- M:\
- N:\
- O:\
- P:\
- Q:\
- R:\
- S:\
- T:\
- U:\
- V:\
- W:\
- X:\
- Y:\
- Z:\
- A:\
- B:\
- C:\Users\test\AppData\Local\Temp\126111d.tmp
- c:\
- C:\Users\test\AppData\Local\Temp\dwmapi.DLL
读取的文件
- C:\Windows\Globalization\Sorting\sortdefault.nls
- C:\Users\test\AppData\Local\GDIPFONTCACHEV1.DAT
- C:\Windows\Fonts\simsun.ttc
- C:\Windows\Fonts\msyh.ttf
- C:\Windows\Fonts\msyhbd.ttf
- C:\Users\test\AppData\Local\Temp\1260b22.tmp.TempSystem.%Setup%
- C:\Users\test\AppData\Local\Temp\Setup.exe
- C:\Users\test\AppData\Local\Temp\1260e7d.tmpTempSystemCall.%Setup%
- C:\Users\test\AppData\Local\Temp\1260e9b.tmp.\xe6\x88\x91\xe5\x8f\xaf\xe4\xbb\xa5\xe7\xad\x89\xe4\xbd\xa0,\xe4\xbd\x86\xe6\x98\xaf\xe6\x84\x9f\xe8\xa7\x89\xe4\xbd\xa0\xe8\xa6\x81\xe6\x94\xbe\xe6\x89\x8b\xe4\xba\x86
- C:\Users\test\AppData\Local\Temp\126111d.tmp
修改的文件
- C:\Users\test\AppData\Local\GDIPFONTCACHEV1.DAT
- C:\Users\test\AppData\Local\Temp\1260b22.tmp.TempSystem.%Setup%
- C:\Users\test\AppData\Local\Temp\1260e7d.tmpTempSystemCall.%Setup%
- C:\Users\test\AppData\Local\Temp\1260e9b.tmp.\xe6\x88\x91\xe5\x8f\xaf\xe4\xbb\xa5\xe7\xad\x89\xe4\xbd\xa0,\xe4\xbd\x86\xe6\x98\xaf\xe6\x84\x9f\xe8\xa7\x89\xe4\xbd\xa0\xe8\xa6\x81\xe6\x94\xbe\xe6\x89\x8b\xe4\xba\x86
- C:\Users\test\AppData\Local\Temp\126111d.tmp
删除的文件
无信息
注册表键
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Fonts
- HKEY_CURRENT_USER\Software\Microsoft\GDIPlus
- HKEY_CURRENT_USER\Software\Microsoft\GDIPlus\FontCachePath
- HKEY_CLASSES_ROOT\CLSID\{FAE3D380-FEA4-4623-8C75-C6B61110B681}\Instance
- HKEY_CLASSES_ROOT\CLSID\{FAE3D380-FEA4-4623-8C75-C6B61110B681}\Instance\Disabled
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\Setup.exe
- HKEY_LOCAL_MACHINE\Software\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{03B5835F-F03C-411B-9CE2-AA23E1171E36}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{07EB03D6-B001-41DF-9192-BF9B841EE71F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3697C5FA-60DD-4B56-92D4-74A569205C16}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3FC47A08-E5C9-4BCA-A2C7-BC9A282AED14}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{531FDEBF-9B4C-4A43-A2AA-960E8FCDC732}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{78CB5B0E-26ED-4FCC-854C-77E8F3D1AA80}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{81D4E9C9-1D3B-41BC-9E6C-4B40BF79E35E}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{8613E14C-D0C0-4161-AC0F-1DD2563286BC}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{A028AE76-01B1-46C2-99C4-ACD9858AE02F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{AE6BE008-07FB-400D-8BEB-337A64F7051F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{C1EE01F2-B3B6-4A6A-9DDD-E988C088EC82}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{E429B25A-E5D3-4D1F-9BE3-0C608477E3A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F25E9F57-2FC8-4EB3-A41A-CCE5F08541E6}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F89E9E58-BD2F-4008-9AC2-0F816C09F4EE}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_CURRENT_USER
- HKEY_CURRENT_USER\Keyboard Layout\Toggle
- HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
- HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
- HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
- HKEY_CURRENT_USER\Software\Microsoft\CTF\DirectSwitchHotkeys
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\KnownClasses
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\UseFilter
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\1260b22.tmp.TempSystem.%Setup%
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\1260e7d.tmpTempSystemCall.%Setup%
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\1260e9b.tmp.\xe6\x88\x91\xe5\x8f\xaf\xe4\xbb\xa5\xe7\xad\x89\xe4\xbd\xa0,\xe4\xbd\x86\xe6\x98\xaf\xe6\x84\x9f\xe8\xa7\x89\xe4\xbd\xa0\xe8\xa6\x81\xe6\x94\xbe\xe6\x89\x8b\xe4\xba\x86
- HKEY_CLASSES_ROOT\CLSID\{FAE3D380-FEA4-4623-8C75-C6B61110B681}
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FAE3D380-FEA4-4623-8C75-C6B61110B681}\Namespaces
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\DRIVERS32
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\wave
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\wave1
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\wave2
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\wave3
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\wave4
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\wave5
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\wave6
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\wave7
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\wave8
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\wave9
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\midi
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\midi1
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\midi2
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\midi3
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\midi4
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\midi5
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\midi6
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\midi7
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\midi8
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\midi9
- HKEY_CURRENT_USER\System\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\Winmm
- HKEY_CURRENT_USER\System\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\Winmm\wheel
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Multimedia\MIDIMap
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\CurrentVersion
读取的注册表键
- HKEY_CURRENT_USER\Software\Microsoft\GDIPlus\FontCachePath
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
- HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
- HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
- HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\UseFilter
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\1260b22.tmp.TempSystem.%Setup%
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\1260e7d.tmpTempSystemCall.%Setup%
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\1260e9b.tmp.\xe6\x88\x91\xe5\x8f\xaf\xe4\xbb\xa5\xe7\xad\x89\xe4\xbd\xa0,\xe4\xbd\x86\xe6\x98\xaf\xe6\x84\x9f\xe8\xa7\x89\xe4\xbd\xa0\xe8\xa6\x81\xe6\x94\xbe\xe6\x89\x8b\xe4\xba\x86
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\wave
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\wave1
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\wave2
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\wave3
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\wave4
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\wave5
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\wave6
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\wave7
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\wave8
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\wave9
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\midi
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\midi1
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\midi2
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\midi3
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\midi4
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\midi5
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\midi6
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\midi7
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\midi8
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\midi9
- HKEY_CURRENT_USER\System\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\Winmm\wheel
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\CurrentVersion
修改的注册表键
无信息
删除的注册表键
无信息
API解析
- kernel32.dll.IsProcessorFeaturePresent
- cryptbase.dll.SystemFunction036
- kernel32.dll.SortGetHandle
- kernel32.dll.SortCloseHandle
- user32.dll.GetWindowInfo
- user32.dll.GetAncestor
- user32.dll.GetMonitorInfoA
- user32.dll.EnumDisplayMonitors
- user32.dll.EnumDisplayDevicesA
- gdi32.dll.ExtTextOutW
- gdi32.dll.GdiIsMetaPrintDC
- msimg32.dll.AlphaBlend
- gdi32.dll.CreateSolidBrush
- user32.dll.LoadCursorA
- gdiplus.dll.GdipCreateStringFormat
- gdiplus.dll.GdipCreateFontFamilyFromName
- kernel32.dll.RegOpenKeyExW
- kernel32.dll.RegQueryInfoKeyA
- kernel32.dll.RegCloseKey
- kernel32.dll.RegCreateKeyExW
- kernel32.dll.RegQueryValueExW
- gdiplus.dll.GdipCreateFont
- gdiplus.dll.GdipDeleteFontFamily
- gdiplus.dll.GdipSetStringFormatAlign
- gdiplus.dll.GdipSetStringFormatLineAlign
- kernel32.dll.GetCurrentProcessId
- kernel32.dll.CreateProcessA
- kernel32.dll.CloseHandle
- user32.dll.RegisterClassExA
- user32.dll.DefWindowProcA
- user32.dll.SetPropA
- user32.dll.GetPropA
- gdi32.dll.CreateRectRgn
- gdi32.dll.SetRectRgn
- kernel32.dll.GetProcessHeap
- kernel32.dll.HeapAlloc
- kernel32.dll.GlobalUnlock
- windowscodecs.dll.DllGetClassObject
- kernel32.dll.WerRegisterMemoryBlock
- gdiplus.dll.GdipMeasureString
- gdiplus.dll.GdipDrawString
- gdiplus.dll.GdipSetInterpolationMode
- gdiplus.dll.GdipSetPixelOffsetMode
- gdiplus.dll.GdipDrawImageRectRectI
- gdiplus.dll.GdipGraphicsClear
- gdiplus.dll.GdipDrawImageRectI
- gdiplus.dll.GdipDeleteGraphics
- gdiplus.dll.GdipCreateCachedBitmap
- gdiplus.dll.GdipDrawCachedBitmap
- gdiplus.dll.GdipSetClipRectI
- gdiplus.dll.GdipResetClip
- user32.dll.SetWindowRgn
- user32.dll.GetClassLongA
- user32.dll.SetClassLongA
- user32.dll.GetWindowLongA
- user32.dll.SetWindowLongA
- user32.dll.SetWindowPos
- ole32.dll.CoInitializeEx
- ole32.dll.CoUninitialize
- ole32.dll.CoRegisterInitializeSpy
- ole32.dll.CoRevokeInitializeSpy
- user32.dll.FillRect
- gdi32.dll.SelectClipRgn
- gdi32.dll.CombineRgn
- gdi32.dll.FillRgn
- gdiplus.dll.GdipFillRectangleI
- gdiplus.dll.GdipCreatePen1
- gdiplus.dll.GdipCreateHBITMAPFromBitmap
- gdiplus.dll.GdipSetStringFormatMeasurableCharacterRanges
- gdiplus.dll.GdipCreateRegion
- gdiplus.dll.GdipMeasureCharacterRanges
- gdiplus.dll.GdipDeleteRegion
- gdiplus.dll.GdipGetPropertyItemSize
- gdiplus.dll.GdipImageGetFrameCount
- gdiplus.dll.GdipImageSelectActiveFrame
- user32.dll.EnumChildWindows
- user32.dll.GetParent
- user32.dll.SetParent
- kernel32.dll.RtlMoveMemory
- kernel32.dll.UpdateResourceA
- kernel32.dll.EndUpdateResourceA
- kernel32.dll.CreateFileA
- kernel32.dll.SetLastError
- kernel32.dll.SetFilePointer
- kernel32.dll.GetLastError
- kernel32.dll.WriteFile
- kernel32.dll.GetFileSizeEx
- kernel32.dll.ReadFile
- kernel32.dll.GetModuleHandleA
- kernel32.dll.ExitProcess
- kernel32.dll.HeapReAlloc
- kernel32.dll.HeapFree
- kernel32.dll.IsBadReadPtr
- kernel32.dll.GetTickCount
- kernel32.dll.GetModuleFileNameA
- kernel32.dll.DeleteFileA
- kernel32.dll.CopyFileA
- kernel32.dll.MoveFileA
- kernel32.dll.GetFileSize
- kernel32.dll.GetTempPathA
- kernel32.dll.FreeLibrary
- kernel32.dll.GetProcAddress
- kernel32.dll.LoadLibraryA
- kernel32.dll.LCMapStringA
- kernel32.dll.FlushFileBuffers
- kernel32.dll.GetCommandLineA
- kernel32.dll.GetVersion
- kernel32.dll.InterlockedDecrement
- kernel32.dll.InterlockedIncrement
- kernel32.dll.RtlUnwind
- kernel32.dll.TerminateProcess
- kernel32.dll.GetCurrentProcess
- kernel32.dll.GetCurrentThreadId
- kernel32.dll.TlsSetValue
- kernel32.dll.TlsAlloc
- kernel32.dll.TlsFree
- kernel32.dll.TlsGetValue
- kernel32.dll.SetHandleCount
- kernel32.dll.GetStdHandle
- kernel32.dll.GetFileType
- kernel32.dll.GetStartupInfoA
- kernel32.dll.DeleteCriticalSection
- kernel32.dll.FreeEnvironmentStringsA
- kernel32.dll.FreeEnvironmentStringsW
- kernel32.dll.WideCharToMultiByte
- kernel32.dll.GetEnvironmentStrings
- kernel32.dll.GetEnvironmentStringsW
- kernel32.dll.GetEnvironmentVariableA
- kernel32.dll.GetVersionExA
- kernel32.dll.HeapDestroy
- kernel32.dll.HeapCreate
- kernel32.dll.VirtualFree
- kernel32.dll.InitializeCriticalSection
- kernel32.dll.EnterCriticalSection
- kernel32.dll.LeaveCriticalSection
- kernel32.dll.MultiByteToWideChar
- kernel32.dll.LCMapStringW
- kernel32.dll.RaiseException
- kernel32.dll.VirtualAlloc
- kernel32.dll.IsBadWritePtr
- kernel32.dll.GetCPInfo
- kernel32.dll.GetACP
- kernel32.dll.GetOEMCP
- kernel32.dll.GetStringTypeA
- kernel32.dll.GetStringTypeW
- kernel32.dll.SetUnhandledExceptionFilter
- kernel32.dll.IsBadCodePtr
- kernel32.dll.SetStdHandle
- shlwapi.dll.PathFileExistsA
- shlwapi.dll.StrToIntExA
- user32.dll.MessageBoxA
- user32.dll.wsprintfA
- cryptdll.dll.MD5Init
- cryptdll.dll.MD5Final
- kernel32.dll.GetWindowsDirectoryA
- kernel32.dll.GetDiskFreeSpaceExA
- oleaut32.dll.#9
- oleaut32.dll.#12
- kernel32.dll.NlsGetCacheUpdateCount
- oleaut32.dll.#8
- sechost.dll.OpenSCManagerW
- sechost.dll.OpenServiceW
- sechost.dll.QueryServiceStatus
- sechost.dll.CloseServiceHandle
- rpcrt4.dll.RpcStringBindingComposeW
- rpcrt4.dll.RpcBindingFromStringBindingW
- rpcrt4.dll.RpcStringFreeW
- mmdevapi.dll.#3
- rpcrt4.dll.NdrClientCall2
- user32.dll.CharLowerA
- dwmapi.dll.DwmEnableBlurBehindWindow