魔盾安全分析报告

分析类型	开始时间	结束时间	持续时间	分析引擎版本
FILE	2024-04-18 10:54:18	2024-04-18 10:56:34	136 秒	1.4-Maldun

虚拟机机器名	标签	虚拟机管理	开机时间	关机时间
win7-sp1-x64-shaapp03-1	win7-sp1-x64-shaapp03-1	KVM	2024-04-18 10:54:19	2024-04-18 10:56:38

魔盾分数
10.0 恶意的

文件详细信息

文件名	WinLogs_Killer_x64.exe
文件大小	811761 字节
文件类型	PE32+ executable (GUI) x86-64, for MS Windows
CRC32	778F0C59
MD5	1f5657b16b5b226e95f05ddb7483c564
SHA1	eca29821ad0d329d1492ede325435a94281806a4
SHA256	a5a7b44f8955d639551e5811a39a02cc168049c008394ce2af5a4d3e3e9ab5a4
SHA512	9062977b5817f6835bf509d6011693335bff803bbcb2b7f908acc7ad4924f90a5ac9cd9b547c7b763fdba964e46ac7bd7abd00e0732919a120fae4111f785560
Ssdeep	24576:HAQoDefT6HesrQrSDZhyZ+aan+mMfqZaRfAm:HAcGHC2ZUZ+umWea+m
PEiD	无匹配
Yara	CRC32_poly_Constant (Look for CRC32 [poly]) CRC32_table (Look for CRC32 table) MD5_Constants (Look for MD5 constants) IsPE64 (Detected a 64bit PE sample) IsWindowsGUI (Detected a Windows GUI sample) HasOverlay (Detected Overlay signature) HasRichSignature (Detected Rich Signature) AutoIt (Detected the compiler AutoIt) AutoIt_2 (AutoIT packer) DebuggerTiming__PerformanceCounter () DebuggerTiming__Ticks (Detected timing ticks function) anti_dbg (Detected self protection if being debugged) inject_thread (Detected code injection function with CreateRemoteThread in a remote process) network_http (Detected communications function over HTTP) screenshot (Detected take screenshot function) create_process (Detection function for creating a new process) escalate_priv (Detected escalate priviledges function) keylogger (Detected keylogger function) win_registry (Detected system registries modification function) win_token (Affect system token) win_files_operation (Affect private profile) Maldun_Anomoly_Combined_Activities_Network_Logging (Spotted potential abnormal behaviors, like logging and network communications) Maldun_Anomoly_Combined_Activities_7 (Spotted potential malicious behaviors from a small size target, like process manipultion, privilege, token and files)
VirusTotal	VirusTotal查询失败

特征

可能进行了时间有效期检查，检查本地时间后过早退出

wping.org 域名信誉系统

Greylist: winscp-static-746341.c.cdn77.org

wping.org IP地址信誉系统

Greylist: 104.85.241.42

Greylist: 143.244.51.207

Greylist: 180.163.150.169

发起了一些HTTP请求

URL: http://x1.i.lencr.org/

URL: http://winscp.net/eng/upgrade.php?v=5.7.3.5438&lang=0804&isinstalled=1&beta=0&to=5.13.4&utm_source=winscp&utm_medium=app&utm_campaign=5.7.3

从文件自身的二进制镜像中读取数据

self_read: process: WinLogs_Killer_x64.exe, pid: 2560, offset: 0x00000000, length: 0x00010000

self_read: process: WinLogs_Killer_x64.exe, pid: 2560, offset: 0x0000ffec, length: 0x00010000

self_read: process: WinLogs_Killer_x64.exe, pid: 2560, offset: 0x0001ffd8, length: 0x00010000

self_read: process: WinLogs_Killer_x64.exe, pid: 2560, offset: 0x0002ffc4, length: 0x00010000

self_read: process: WinLogs_Killer_x64.exe, pid: 2560, offset: 0x0003ffb0, length: 0x00010000

self_read: process: WinLogs_Killer_x64.exe, pid: 2560, offset: 0x0004ff9c, length: 0x00010000

self_read: process: WinLogs_Killer_x64.exe, pid: 2560, offset: 0x0005ff88, length: 0x00010000

self_read: process: WinLogs_Killer_x64.exe, pid: 2560, offset: 0x0006ff74, length: 0x00010000

self_read: process: WinLogs_Killer_x64.exe, pid: 2560, offset: 0x0007ff60, length: 0x00010000

self_read: process: WinLogs_Killer_x64.exe, pid: 2560, offset: 0x0008ff4c, length: 0x00010000

self_read: process: WinLogs_Killer_x64.exe, pid: 2560, offset: 0x0009ff38, length: 0x00010000

self_read: process: WinLogs_Killer_x64.exe, pid: 2560, offset: 0x000aff24, length: 0x00010000

self_read: process: WinLogs_Killer_x64.exe, pid: 2560, offset: 0x000c5a14, length: 0x000008dd

self_read: process: WinLogs_Killer_x64.exe, pid: 2560, offset: 0x000c5a28, length: 0x00000200

self_read: process: WinLogs_Killer_x64.exe, pid: 2560, offset: 0x000c5ab9, length: 0x00000200

self_read: process: WinLogs_Killer_x64.exe, pid: 2560, offset: 0x000c5ad5, length: 0x0000081c

self_read: process: WinLogs_Killer_x64.exe, pid: 2560, offset: 0x000c62e9, length: 0x00000008

检测到网络活动但没有显示在API日志中

country_name: United States

ip: 104.85.241.42

inaddrarpa:

hostname: x1.i.lencr.org

score: 5

ip: 104.85.241.42

domain: x1.i.lencr.org

可疑的样本异常终止

专有的Yara规则检测结果 - 高危

Informational: Detected the compiler AutoIt

Informational: AutoIT packer

Warning: Detected code injection function with CreateRemoteThread in a remote process

Critical: Spotted potential abnormal behaviors, like logging and network communications

Critical: Spotted potential malicious behaviors from a small size target, like process manipultion, privilege, token and files

强制将一个创建的进程加载为另一个不相关进程的子进程

process: C:\Windows\sysnative\cmd.exe, PID 2728

运行截图

网络分析

访问主机记录

直接访问	IP地址	国家名
否	104.85.241.42	United States
否	143.244.51.207	United States
否	180.163.150.169	China
否	180.163.151.38	China
否	88.198.21.111	Germany

域名解析

域名	响应
winscp.net	A 88.198.21.111
winscp-static-746341.c.cdn77.org	CNAME 1578389079.rsc.cdn77.org A 89.187.187.14 A 143.244.51.201 A 89.187.187.11 A 143.244.51.207 A 89.187.187.20
www.googletagmanager.com	A 180.163.150.169
pagead2.googlesyndication.com	A 180.163.151.38
x1.i.lencr.org	A 104.85.241.42 CNAME crl.root-x1.letsencrypt.org.edgekey.net CNAME e8652.dscx.akamaiedge.net

TCP连接

IP地址	端口
104.102.250.53	80
104.85.241.42	80
104.85.241.42	80
104.85.241.42	80
104.85.241.42	80
104.85.241.42	80
104.85.241.42	80
143.244.51.207	443
143.244.51.207	443
143.244.51.207	443
143.244.51.207	443
143.244.51.207	443
143.244.51.207	443
143.244.51.207	443
143.244.51.207	443
143.244.51.207	443
143.244.51.207	443
143.244.51.207	443
180.163.150.169	443
180.163.151.38	443
88.198.21.111	443
88.198.21.111	80
88.198.21.111	443

UDP连接

IP地址	端口
192.168.122.1	53
192.168.122.1	53
192.168.122.1	53
192.168.122.1	53
192.168.122.1	53
192.168.122.1	53
192.168.122.1	53
192.168.122.1	53
192.168.122.1	53
192.168.122.1	53
192.168.122.1	53

HTTP请求

URL	HTTP数据
http://acroipm.adobe.com/11/rdr/CHS/win/nooem/none/message.zip	GET /11/rdr/CHS/win/nooem/none/message.zip HTTP/1.1 Accept: / If-Modified-Since: Mon, 08 Nov 2017 08:44:36 GMT User-Agent: IPM Host: acroipm.adobe.com Connection: Keep-Alive Cache-Control: no-cache
http://winscp.net/eng/upgrade.php?v=5.7.3.5438&lang=0804&isinstalled=1&beta=0&to=5.13.4&utm_source=winscp&utm_medium=app&utm_campaign=5.7.3	GET /eng/upgrade.php?v=5.7.3.5438&lang=0804&isinstalled=1&beta=0&to=5.13.4&utm_source=winscp&utm_medium=app&utm_campaign=5.7.3 HTTP/1.1 Accept: / Accept-Language: zh-cn User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Accept-Encoding: gzip, deflate Host: winscp.net Connection: Keep-Alive
http://x1.i.lencr.org/	GET / HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Microsoft-CryptoAPI/6.1 Host: x1.i.lencr.org

URL

HTTP数据

http://acroipm.adobe.com/11/rdr/CHS/win/nooem/none/message.zip

GET /11/rdr/CHS/win/nooem/none/message.zip HTTP/1.1
Accept: */*
If-Modified-Since: Mon, 08 Nov 2017 08:44:36 GMT
User-Agent: IPM
Host: acroipm.adobe.com
Connection: Keep-Alive
Cache-Control: no-cache

http://winscp.net/eng/upgrade.php?v=5.7.3.5438&lang=0804&isinstalled=1&beta=0&to=5.13.4&utm_source=winscp&utm_medium=app&utm_campaign=5.7.3

GET /eng/upgrade.php?v=5.7.3.5438&lang=0804&isinstalled=1&beta=0&to=5.13.4&utm_source=winscp&utm_medium=app&utm_campaign=5.7.3 HTTP/1.1
Accept: */*
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: winscp.net
Connection: Keep-Alive

http://x1.i.lencr.org/

GET / HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: x1.i.lencr.org

静态分析

PE 信息

初始地址	0x140000000
入口地址	0x14001a53c
声明校验值	0x000c68bf
实际校验值	0x000cbf4b
最低操作系统版本要求	5.2
编译时间	2012-01-30 05:32:45
载入哈希	09965c276d620e5917bed399e0fe50ac
图标
图标精确哈希值	33bcfebe5086e6424e1ddb3be0d0e533
图标相似性哈希值	d1dc3a18b6b558afd1eb497640da7388

版本信息

CompiledScript:	AutoIt v3 Script: 3, 3, 8, 1
FileVersion:	3, 3, 8, 1
FileDescription:
Translation:	0x0809 0x04b0

PE数据组成

名称	虚拟地址	虚拟大小	原始数据大小	特征	熵(Entropy)
.text	0x00001000	0x00091b6e	0x00091c00	IMAGE_SCN_CNT_CODE\|IMAGE_SCN_MEM_EXECUTE\|IMAGE_SCN_MEM_READ	6.49
.rdata	0x00093000	0x000156ca	0x00015800	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ	4.93
.data	0x000a9000	0x0001cf88	0x00007800	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ\|IMAGE_SCN_MEM_WRITE	2.20
.pdata	0x000c6000	0x00006edc	0x00007000	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ	5.79
text	0x000cd000	0x00001a31	0x00001c00	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_EXECUTE	5.55
data	0x000cf000	0x00004940	0x00004a00	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ	6.29
.rsrc	0x000d4000	0x00009328	0x00009400	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ	5.54

覆盖

偏移量:	0x000c5a00
大小:	0x000008f1

资源

名称	偏移量	大小	语言	子语言	熵(Entropy)	文件类型
RT_ICON	0x000da6c0	0x00000468	LANG_ENGLISH	SUBLANG_ENGLISH_UK	5.81	GLS_BINARY_LSB_FIRST
RT_ICON	0x000da6c0	0x00000468	LANG_ENGLISH	SUBLANG_ENGLISH_UK	5.81	GLS_BINARY_LSB_FIRST
RT_ICON	0x000da6c0	0x00000468	LANG_ENGLISH	SUBLANG_ENGLISH_UK	5.81	GLS_BINARY_LSB_FIRST
RT_ICON	0x000da6c0	0x00000468	LANG_ENGLISH	SUBLANG_ENGLISH_UK	5.81	GLS_BINARY_LSB_FIRST
RT_ICON	0x000da6c0	0x00000468	LANG_ENGLISH	SUBLANG_ENGLISH_UK	5.81	GLS_BINARY_LSB_FIRST
RT_ICON	0x000da6c0	0x00000468	LANG_ENGLISH	SUBLANG_ENGLISH_UK	5.81	GLS_BINARY_LSB_FIRST
RT_ICON	0x000da6c0	0x00000468	LANG_ENGLISH	SUBLANG_ENGLISH_UK	5.81	GLS_BINARY_LSB_FIRST
RT_ICON	0x000da6c0	0x00000468	LANG_ENGLISH	SUBLANG_ENGLISH_UK	5.81	GLS_BINARY_LSB_FIRST
RT_ICON	0x000da6c0	0x00000468	LANG_ENGLISH	SUBLANG_ENGLISH_UK	5.81	GLS_BINARY_LSB_FIRST
RT_ICON	0x000da6c0	0x00000468	LANG_ENGLISH	SUBLANG_ENGLISH_UK	5.81	GLS_BINARY_LSB_FIRST
RT_ICON	0x000da6c0	0x00000468	LANG_ENGLISH	SUBLANG_ENGLISH_UK	5.81	GLS_BINARY_LSB_FIRST
RT_ICON	0x000da6c0	0x00000468	LANG_ENGLISH	SUBLANG_ENGLISH_UK	5.81	GLS_BINARY_LSB_FIRST
RT_MENU	0x000dab28	0x00000050	LANG_ENGLISH	SUBLANG_ENGLISH_UK	2.68	data
RT_DIALOG	0x000dab78	0x000000fc	LANG_ENGLISH	SUBLANG_ENGLISH_UK	3.04	data
RT_STRING	0x000dccf0	0x00000158	LANG_ENGLISH	SUBLANG_ENGLISH_US	3.09	data
RT_STRING	0x000dccf0	0x00000158	LANG_ENGLISH	SUBLANG_ENGLISH_US	3.09	data
RT_STRING	0x000dccf0	0x00000158	LANG_ENGLISH	SUBLANG_ENGLISH_US	3.09	data
RT_STRING	0x000dccf0	0x00000158	LANG_ENGLISH	SUBLANG_ENGLISH_US	3.09	data
RT_STRING	0x000dccf0	0x00000158	LANG_ENGLISH	SUBLANG_ENGLISH_US	3.09	data
RT_STRING	0x000dccf0	0x00000158	LANG_ENGLISH	SUBLANG_ENGLISH_US	3.09	data
RT_STRING	0x000dccf0	0x00000158	LANG_ENGLISH	SUBLANG_ENGLISH_US	3.09	data
RT_GROUP_ICON	0x000dcf00	0x00000014	LANG_ENGLISH	SUBLANG_ENGLISH_UK	2.02	MS Windows icon resource - 1 icon, 16x16, 16 colors
RT_GROUP_ICON	0x000dcf00	0x00000014	LANG_ENGLISH	SUBLANG_ENGLISH_UK	2.02	MS Windows icon resource - 1 icon, 16x16, 16 colors
RT_GROUP_ICON	0x000dcf00	0x00000014	LANG_ENGLISH	SUBLANG_ENGLISH_UK	2.02	MS Windows icon resource - 1 icon, 16x16, 16 colors
RT_GROUP_ICON	0x000dcf00	0x00000014	LANG_ENGLISH	SUBLANG_ENGLISH_UK	2.02	MS Windows icon resource - 1 icon, 16x16, 16 colors
RT_VERSION	0x000dcf18	0x0000019c	LANG_ENGLISH	SUBLANG_ENGLISH_UK	3.28	data
RT_MANIFEST	0x000dd0b8	0x0000026c	LANG_ENGLISH	SUBLANG_ENGLISH_US	5.01	ASCII text, with CRLF line terminators

导入

库 WSOCK32.dll:

• 0x140093f58 - __WSAFDIsSet

• 0x140093f60 - setsockopt

• 0x140093f68 - ntohs

• 0x140093f70 - recvfrom

• 0x140093f78 - sendto

• 0x140093f80 - htons

• 0x140093f88 - select

• 0x140093f90 - listen

• 0x140093f98 - WSAStartup

• 0x140093fa0 - bind

• 0x140093fa8 - closesocket

• 0x140093fb0 - connect

• 0x140093fb8 - socket

• 0x140093fc0 - send

• 0x140093fc8 - WSACleanup

• 0x140093fd0 - ioctlsocket

• 0x140093fd8 - accept

• 0x140093fe0 - WSAGetLastError

• 0x140093fe8 - inet_addr

• 0x140093ff0 - gethostbyname

• 0x140093ff8 - gethostname

• 0x140094000 - recv

库 VERSION.dll:

• 0x140093ea0 - VerQueryValueW

• 0x140093ea8 - GetFileVersionInfoW

• 0x140093eb0 - GetFileVersionInfoSizeW

库 WINMM.dll:

• 0x140093f38 - timeGetTime

• 0x140093f40 - waveOutSetVolume

• 0x140093f48 - mciSendStringW

库 COMCTL32.dll:

• 0x140093118 - ImageList_Remove

• 0x140093120 - ImageList_SetDragCursorImage

• 0x140093128 - ImageList_BeginDrag

• 0x140093130 - ImageList_DragEnter

• 0x140093138 - ImageList_DragLeave

• 0x140093140 - ImageList_EndDrag

• 0x140093148 - ImageList_DragMove

• 0x140093150 - ImageList_ReplaceIcon

• 0x140093158 - ImageList_Create

• 0x140093160 - InitCommonControlsEx

• 0x140093168 - ImageList_Destroy

库 MPR.dll:

• 0x1400937d0 - WNetCancelConnection2W

• 0x1400937d8 - WNetGetConnectionW

• 0x1400937e0 - WNetAddConnection2W

• 0x1400937e8 - WNetUseConnectionW

库 WININET.dll:

• 0x140093ec0 - InternetReadFile

• 0x140093ec8 - InternetCloseHandle

• 0x140093ed0 - InternetOpenW

• 0x140093ed8 - InternetSetOptionW

• 0x140093ee0 - InternetCrackUrlW

• 0x140093ee8 - HttpQueryInfoW

• 0x140093ef0 - InternetConnectW

• 0x140093ef8 - HttpOpenRequestW

• 0x140093f00 - HttpSendRequestW

• 0x140093f08 - FtpOpenFileW

• 0x140093f10 - FtpGetFileSize

• 0x140093f18 - InternetOpenUrlW

• 0x140093f20 - InternetQueryOptionW

• 0x140093f28 - InternetQueryDataAvailable

库 PSAPI.DLL:

• 0x1400938c0 - EnumProcesses

• 0x1400938c8 - GetModuleBaseNameW

• 0x1400938d0 - GetProcessMemoryInfo

• 0x1400938d8 - EnumProcessModules

库 USERENV.dll:

• 0x140093e78 - CreateEnvironmentBlock

• 0x140093e80 - DestroyEnvironmentBlock

• 0x140093e88 - UnloadUserProfile

• 0x140093e90 - LoadUserProfileW

库 KERNEL32.dll:

• 0x1400932b0 - HeapAlloc

• 0x1400932b8 - Sleep

• 0x1400932c0 - GetCurrentThreadId

• 0x1400932c8 - RaiseException

• 0x1400932d0 - MulDiv

• 0x1400932d8 - GetVersionExW

• 0x1400932e0 - GetSystemInfo

• 0x1400932e8 - WideCharToMultiByte

• 0x1400932f0 - lstrcpyW

• 0x1400932f8 - MultiByteToWideChar

• 0x140093300 - lstrlenW

• 0x140093308 - lstrcmpiW

• 0x140093310 - GetModuleHandleW

• 0x140093318 - QueryPerformanceCounter

• 0x140093320 - VirtualFreeEx

• 0x140093328 - OpenProcess

• 0x140093330 - VirtualAllocEx

• 0x140093338 - WriteProcessMemory

• 0x140093340 - ReadProcessMemory

• 0x140093348 - CreateFileW

• 0x140093350 - SetFilePointerEx

• 0x140093358 - ReadFile

• 0x140093360 - WriteFile

• 0x140093368 - FlushFileBuffers

• 0x140093370 - TerminateProcess

• 0x140093378 - CreateToolhelp32Snapshot

• 0x140093380 - Process32FirstW

• 0x140093388 - Process32NextW

• 0x140093390 - SetFileTime

• 0x140093398 - GetFileAttributesW

• 0x1400933a0 - FindFirstFileW

• 0x1400933a8 - FindClose

• 0x1400933b0 - DeleteFileW

• 0x1400933b8 - FindNextFileW

• 0x1400933c0 - MoveFileW

• 0x1400933c8 - CopyFileW

• 0x1400933d0 - CreateDirectoryW

• 0x1400933d8 - RemoveDirectoryW

• 0x1400933e0 - SetSystemPowerState

• 0x1400933e8 - QueryPerformanceFrequency

• 0x1400933f0 - FindResourceW

• 0x1400933f8 - LoadResource

• 0x140093400 - GetProcessHeap

• 0x140093408 - SizeofResource

• 0x140093410 - EnumResourceNamesW

• 0x140093418 - OutputDebugStringW

• 0x140093420 - GetLocalTime

• 0x140093428 - CompareStringW

• 0x140093430 - DeleteCriticalSection

• 0x140093438 - EnterCriticalSection

• 0x140093440 - LeaveCriticalSection

• 0x140093448 - InitializeCriticalSectionAndSpinCount

• 0x140093450 - GetStdHandle

• 0x140093458 - CreatePipe

• 0x140093460 - TerminateThread

• 0x140093468 - GetTempPathW

• 0x140093470 - GetTempFileNameW

• 0x140093478 - VirtualFree

• 0x140093480 - FormatMessageW

• 0x140093488 - GetExitCodeProcess

• 0x140093490 - SetErrorMode

• 0x140093498 - GetPrivateProfileStringW

• 0x1400934a0 - WritePrivateProfileStringW

• 0x1400934a8 - GetPrivateProfileSectionW

• 0x1400934b0 - WritePrivateProfileSectionW

• 0x1400934b8 - GetPrivateProfileSectionNamesW

• 0x1400934c0 - FileTimeToLocalFileTime

• 0x1400934c8 - FileTimeToSystemTime

• 0x1400934d0 - SystemTimeToFileTime

• 0x1400934d8 - LocalFileTimeToFileTime

• 0x1400934e0 - GetDriveTypeW

• 0x1400934e8 - GetDiskFreeSpaceExW

• 0x1400934f0 - GetDiskFreeSpaceW

• 0x1400934f8 - GetVolumeInformationW

• 0x140093500 - SetVolumeLabelW

• 0x140093508 - CreateHardLinkW

• 0x140093510 - DeviceIoControl

• 0x140093518 - SetFileAttributesW

• 0x140093520 - GetShortPathNameW

• 0x140093528 - CreateEventW

• 0x140093530 - SetEvent

• 0x140093538 - GetEnvironmentVariableW

• 0x140093540 - SetEnvironmentVariableW

• 0x140093548 - GlobalLock

• 0x140093550 - GlobalUnlock

• 0x140093558 - GlobalAlloc

• 0x140093560 - GetFileSize

• 0x140093568 - GlobalFree

• 0x140093570 - GlobalMemoryStatusEx

• 0x140093578 - Beep

• 0x140093580 - GetSystemDirectoryW

• 0x140093588 - GetComputerNameW

• 0x140093590 - GetWindowsDirectoryW

• 0x140093598 - GetCurrentProcessId

• 0x1400935a0 - GetCurrentThread

• 0x1400935a8 - GetProcessIoCounters

• 0x1400935b0 - CreateProcessW

• 0x1400935b8 - SetPriorityClass

• 0x1400935c0 - LoadLibraryW

• 0x1400935c8 - VirtualAlloc

• 0x1400935d0 - LoadLibraryExW

• 0x1400935d8 - HeapFree

• 0x1400935e0 - WaitForSingleObject

• 0x1400935e8 - CreateThread

• 0x1400935f0 - DuplicateHandle

• 0x1400935f8 - GetLastError

• 0x140093600 - CloseHandle

• 0x140093608 - GetCurrentProcess

• 0x140093610 - GetProcAddress

• 0x140093618 - LoadLibraryA

• 0x140093620 - FreeLibrary

• 0x140093628 - GetModuleFileNameW

• 0x140093630 - GetFullPathNameW

• 0x140093638 - SetCurrentDirectoryW

• 0x140093640 - IsDebuggerPresent

• 0x140093648 - GetCurrentDirectoryW

• 0x140093650 - GetSystemTimeAsFileTime

• 0x140093658 - ResumeThread

• 0x140093660 - GetDateFormatW

• 0x140093668 - GetTimeFormatW

• 0x140093670 - EncodePointer

• 0x140093678 - DecodePointer

• 0x140093680 - ExitProcess

• 0x140093688 - ExitThread

• 0x140093690 - GetCommandLineW

• 0x140093698 - GetStartupInfoW

• 0x1400936a0 - HeapSize

• 0x1400936a8 - RtlUnwindEx

• 0x1400936b0 - GetCPInfo

• 0x1400936b8 - GetACP

• 0x1400936c0 - GetOEMCP

• 0x1400936c8 - IsValidCodePage

• 0x1400936d0 - FlsGetValue

• 0x1400936d8 - FlsSetValue

• 0x1400936e0 - FlsFree

• 0x1400936e8 - SetLastError

• 0x1400936f0 - FlsAlloc

• 0x1400936f8 - UnhandledExceptionFilter

• 0x140093700 - SetUnhandledExceptionFilter

• 0x140093708 - RtlVirtualUnwind

• 0x140093710 - RtlLookupFunctionEntry

• 0x140093718 - RtlCaptureContext

• 0x140093720 - RtlPcToFileHeader

• 0x140093728 - GetStringTypeW

• 0x140093730 - HeapSetInformation

• 0x140093738 - GetVersion

• 0x140093740 - HeapCreate

• 0x140093748 - SetHandleCount

• 0x140093750 - GetFileType

• 0x140093758 - SetStdHandle

• 0x140093760 - GetConsoleCP

• 0x140093768 - GetConsoleMode

• 0x140093770 - LCMapStringW

• 0x140093778 - SetFilePointer

• 0x140093780 - GetTimeZoneInformation

• 0x140093788 - FreeEnvironmentStringsW

• 0x140093790 - GetEnvironmentStringsW

• 0x140093798 - GetTickCount

• 0x1400937a0 - HeapReAlloc

• 0x1400937a8 - WriteConsoleW

• 0x1400937b0 - SetEndOfFile

• 0x1400937b8 - LockResource

• 0x1400937c0 - SetEnvironmentVariableA

库 USER32.dll:

• 0x140093960 - IsCharUpperW

• 0x140093968 - GetMenuStringW

• 0x140093970 - GetSubMenu

• 0x140093978 - GetCaretPos

• 0x140093980 - IsZoomed

• 0x140093988 - GetWindowLongW

• 0x140093990 - MonitorFromPoint

• 0x140093998 - GetMonitorInfoW

• 0x1400939a0 - SetWindowLongW

• 0x1400939a8 - SetLayeredWindowAttributes

• 0x1400939b0 - FlashWindow

• 0x1400939b8 - GetClassLongPtrW

• 0x1400939c0 - TranslateAcceleratorW

• 0x1400939c8 - IsDialogMessageW

• 0x1400939d0 - GetSysColor

• 0x1400939d8 - InflateRect

• 0x1400939e0 - DrawFocusRect

• 0x1400939e8 - DrawTextW

• 0x1400939f0 - FrameRect

• 0x1400939f8 - DrawFrameControl

• 0x140093a00 - FillRect

• 0x140093a08 - PtInRect

• 0x140093a10 - DestroyAcceleratorTable

• 0x140093a18 - CreateAcceleratorTableW

• 0x140093a20 - SetCursor

• 0x140093a28 - GetWindowDC

• 0x140093a30 - GetSystemMetrics

• 0x140093a38 - SetWindowLongPtrW

• 0x140093a40 - GetActiveWindow

• 0x140093a48 - CharNextW

• 0x140093a50 - wsprintfW

• 0x140093a58 - RedrawWindow

• 0x140093a60 - DrawMenuBar

• 0x140093a68 - DestroyMenu

• 0x140093a70 - SetMenu

• 0x140093a78 - GetWindowTextLengthW

• 0x140093a80 - CreateMenu

• 0x140093a88 - IsDlgButtonChecked

• 0x140093a90 - DefDlgProcW

• 0x140093a98 - ReleaseCapture

• 0x140093aa0 - SetCapture

• 0x140093aa8 - WindowFromPoint

• 0x140093ab0 - LockWindowUpdate

• 0x140093ab8 - DispatchMessageW

• 0x140093ac0 - TranslateMessage

• 0x140093ac8 - PeekMessageW

• 0x140093ad0 - UnregisterHotKey

• 0x140093ad8 - CharLowerBuffW

• 0x140093ae0 - MonitorFromRect

• 0x140093ae8 - LoadImageW

• 0x140093af0 - CreateIconFromResourceEx

• 0x140093af8 - mouse_event

• 0x140093b00 - ExitWindowsEx

• 0x140093b08 - SetActiveWindow

• 0x140093b10 - FindWindowExW

• 0x140093b18 - EnumThreadWindows

• 0x140093b20 - SetMenuDefaultItem

• 0x140093b28 - InsertMenuItemW

• 0x140093b30 - IsCharLowerW

• 0x140093b38 - TrackPopupMenuEx

• 0x140093b40 - GetCursorPos

• 0x140093b48 - DeleteMenu

• 0x140093b50 - CheckMenuRadioItem

• 0x140093b58 - GetMenuItemID

• 0x140093b60 - GetMenuItemCount

• 0x140093b68 - SetMenuItemInfoW

• 0x140093b70 - GetMenuItemInfoW

• 0x140093b78 - SetForegroundWindow

• 0x140093b80 - IsIconic

• 0x140093b88 - FindWindowW

• 0x140093b90 - GetClipboardData

• 0x140093b98 - keybd_event

• 0x140093ba0 - SendInput

• 0x140093ba8 - GetAsyncKeyState

• 0x140093bb0 - SetKeyboardState

• 0x140093bb8 - GetKeyboardState

• 0x140093bc0 - GetKeyState

• 0x140093bc8 - VkKeyScanW

• 0x140093bd0 - LoadStringW

• 0x140093bd8 - DialogBoxParamW

• 0x140093be0 - MessageBeep

• 0x140093be8 - EndDialog

• 0x140093bf0 - SendDlgItemMessageW

• 0x140093bf8 - GetDlgItem

• 0x140093c00 - SetWindowTextW

• 0x140093c08 - CopyRect

• 0x140093c10 - ReleaseDC

• 0x140093c18 - GetDC

• 0x140093c20 - EndPaint

• 0x140093c28 - BeginPaint

• 0x140093c30 - GetClientRect

• 0x140093c38 - GetMenu

• 0x140093c40 - DestroyWindow

• 0x140093c48 - EnumWindows

• 0x140093c50 - GetDesktopWindow

• 0x140093c58 - IsWindowEnabled

• 0x140093c60 - IsWindowVisible

• 0x140093c68 - EnableWindow

• 0x140093c70 - InvalidateRect

• 0x140093c78 - GetWindowLongPtrW

• 0x140093c80 - GetWindowThreadProcessId

• 0x140093c88 - AttachThreadInput

• 0x140093c90 - GetFocus

• 0x140093c98 - GetWindowTextW

• 0x140093ca0 - ScreenToClient

• 0x140093ca8 - SendMessageTimeoutW

• 0x140093cb0 - EnumChildWindows

• 0x140093cb8 - CharUpperBuffW

• 0x140093cc0 - GetClassNameW

• 0x140093cc8 - GetParent

• 0x140093cd0 - GetDlgCtrlID

• 0x140093cd8 - SendMessageW

• 0x140093ce0 - MapVirtualKeyW

• 0x140093ce8 - PostMessageW

• 0x140093cf0 - GetWindowRect

• 0x140093cf8 - SetUserObjectSecurity

• 0x140093d00 - GetUserObjectSecurity

• 0x140093d08 - CloseDesktop

• 0x140093d10 - IsCharAlphaNumericW

• 0x140093d18 - IsCharAlphaW

• 0x140093d20 - GetKeyboardLayoutNameW

• 0x140093d28 - ClientToScreen

• 0x140093d30 - RegisterHotKey

• 0x140093d38 - GetCursorInfo

• 0x140093d40 - SetWindowPos

• 0x140093d48 - CopyImage

• 0x140093d50 - AdjustWindowRectEx

• 0x140093d58 - SetRect

• 0x140093d60 - SetClipboardData

• 0x140093d68 - EmptyClipboard

• 0x140093d70 - CountClipboardFormats

• 0x140093d78 - IsMenu

• 0x140093d80 - CloseClipboard

• 0x140093d88 - CloseWindowStation

• 0x140093d90 - OpenDesktopW

• 0x140093d98 - SetProcessWindowStation

• 0x140093da0 - GetProcessWindowStation

• 0x140093da8 - OpenWindowStationW

• 0x140093db0 - MessageBoxW

• 0x140093db8 - DefWindowProcW

• 0x140093dc0 - MoveWindow

• 0x140093dc8 - SetFocus

• 0x140093dd0 - PostQuitMessage

• 0x140093dd8 - KillTimer

• 0x140093de0 - CreatePopupMenu

• 0x140093de8 - RegisterWindowMessageW

• 0x140093df0 - SetTimer

• 0x140093df8 - ShowWindow

• 0x140093e00 - CreateWindowExW

• 0x140093e08 - RegisterClassExW

• 0x140093e10 - LoadIconW

• 0x140093e18 - LoadCursorW

• 0x140093e20 - GetSysColorBrush

• 0x140093e28 - GetForegroundWindow

• 0x140093e30 - MessageBoxA

• 0x140093e38 - DestroyIcon

• 0x140093e40 - IsClipboardFormatAvailable

• 0x140093e48 - OpenClipboard

• 0x140093e50 - BlockInput

• 0x140093e58 - SystemParametersInfoW

• 0x140093e60 - GetMessageW

• 0x140093e68 - IsWindow

库 GDI32.dll:

• 0x140093190 - DeleteObject

• 0x140093198 - AngleArc

• 0x1400931a0 - GetTextExtentPoint32W

• 0x1400931a8 - ExtCreatePen

• 0x1400931b0 - StrokeAndFillPath

• 0x1400931b8 - StrokePath

• 0x1400931c0 - EndPath

• 0x1400931c8 - SetPixel

• 0x1400931d0 - CloseFigure

• 0x1400931d8 - CreateCompatibleBitmap

• 0x1400931e0 - CreateCompatibleDC

• 0x1400931e8 - SelectObject

• 0x1400931f0 - StretchBlt

• 0x1400931f8 - GetDIBits

• 0x140093200 - GetDeviceCaps

• 0x140093208 - MoveToEx

• 0x140093210 - Ellipse

• 0x140093218 - PolyDraw

• 0x140093220 - BeginPath

• 0x140093228 - Rectangle

• 0x140093230 - SetViewportOrgEx

• 0x140093238 - GetObjectW

• 0x140093240 - SetBkMode

• 0x140093248 - RoundRect

• 0x140093250 - SetBkColor

• 0x140093258 - CreatePen

• 0x140093260 - CreateSolidBrush

• 0x140093268 - SetTextColor

• 0x140093270 - CreateFontW

• 0x140093278 - GetTextFaceW

• 0x140093280 - GetStockObject

• 0x140093288 - CreateDCW

• 0x140093290 - GetPixel

• 0x140093298 - DeleteDC

• 0x1400932a0 - LineTo

库 COMDLG32.dll:

• 0x140093178 - GetSaveFileNameW

• 0x140093180 - GetOpenFileNameW

库 ADVAPI32.dll:

• 0x140093000 - RegEnumValueW

• 0x140093008 - RegDeleteValueW

• 0x140093010 - RegDeleteKeyW

• 0x140093018 - RegEnumKeyExW

• 0x140093020 - RegSetValueExW

• 0x140093028 - RegCreateKeyExW

• 0x140093030 - GetUserNameW

• 0x140093038 - RegConnectRegistryW

• 0x140093040 - CloseServiceHandle

• 0x140093048 - UnlockServiceDatabase

• 0x140093050 - OpenThreadToken

• 0x140093058 - OpenProcessToken

• 0x140093060 - LookupPrivilegeValueW

• 0x140093068 - DuplicateTokenEx

• 0x140093070 - CreateProcessAsUserW

• 0x140093078 - CreateProcessWithLogonW

• 0x140093080 - InitializeSecurityDescriptor

• 0x140093088 - InitializeAcl

• 0x140093090 - GetLengthSid

• 0x140093098 - CopySid

• 0x1400930a0 - LogonUserW

• 0x1400930a8 - GetTokenInformation

• 0x1400930b0 - LockServiceDatabase

• 0x1400930b8 - GetSecurityDescriptorDacl

• 0x1400930c0 - GetAclInformation

• 0x1400930c8 - GetAce

• 0x1400930d0 - AddAce

• 0x1400930d8 - SetSecurityDescriptorDacl

• 0x1400930e0 - RegOpenKeyExW

• 0x1400930e8 - RegQueryValueExW

• 0x1400930f0 - AdjustTokenPrivileges

• 0x1400930f8 - InitiateSystemShutdownExW

• 0x140093100 - OpenSCManagerW

• 0x140093108 - RegCloseKey

库 SHELL32.dll:

• 0x1400938e8 - DragQueryPoint

• 0x1400938f0 - ShellExecuteExW

• 0x1400938f8 - SHGetFolderPathW

• 0x140093900 - DragQueryFileW

• 0x140093908 - SHEmptyRecycleBinW

• 0x140093910 - SHBrowseForFolderW

• 0x140093918 - SHFileOperationW

• 0x140093920 - SHGetPathFromIDListW

• 0x140093928 - SHGetDesktopFolder

• 0x140093930 - SHGetMalloc

• 0x140093938 - ExtractIconExW

• 0x140093940 - Shell_NotifyIconW

• 0x140093948 - ShellExecuteW

• 0x140093950 - DragFinish

库 ole32.dll:

• 0x140094010 - OleSetMenuDescriptor

• 0x140094018 - MkParseDisplayName

• 0x140094020 - OleSetContainedObject

• 0x140094028 - CLSIDFromString

• 0x140094030 - StringFromGUID2

• 0x140094038 - CoInitialize

• 0x140094040 - CoUninitialize

• 0x140094048 - CoCreateInstance

• 0x140094050 - CreateStreamOnHGlobal

• 0x140094058 - CoTaskMemAlloc

• 0x140094060 - CoTaskMemFree

• 0x140094068 - ProgIDFromCLSID

• 0x140094070 - OleInitialize

• 0x140094078 - CreateBindCtx

• 0x140094080 - CLSIDFromProgID

• 0x140094088 - CoInitializeSecurity

• 0x140094090 - CoCreateInstanceEx

• 0x140094098 - CoSetProxyBlanket

• 0x1400940a0 - OleUninitialize

• 0x1400940a8 - IIDFromString

库 OLEAUT32.dll:

• 0x1400937f8 - VarR8FromDec

• 0x140093800 - VariantTimeToSystemTime

• 0x140093808 - SysStringLen

• 0x140093810 - VariantChangeType

• 0x140093818 - VariantCopyInd

• 0x140093820 - DispCallFunc

• 0x140093828 - CreateStdDispatch

• 0x140093830 - CreateDispTypeInfo

• 0x140093838 - SysFreeString

• 0x140093840 - SafeArrayGetVartype

• 0x140093848 - SafeArrayDestroyData

• 0x140093850 - SafeArrayUnaccessData

• 0x140093858 - SafeArrayAccessData

• 0x140093860 - VariantInit

• 0x140093868 - VariantClear

• 0x140093870 - VariantCopy

• 0x140093878 - SysAllocString

• 0x140093880 - SafeArrayCreateVector

• 0x140093888 - SafeArrayAllocDescriptorEx

• 0x140093890 - OleLoadPicture

• 0x140093898 - GetActiveObject

• 0x1400938a0 - QueryPathOfRegTypeLib

• 0x1400938a8 - SafeArrayDestroyDescriptor

• 0x1400938b0 - SafeArrayAllocData

投放文件

无信息

行为分析

互斥量(Mutexes) 无信息

执行的命令

C:\Windows\system32\cmd.exe /c wevtutil.exe enum-logs > "C:\Users\test\AppData\Local\Temp\EventLog.txt"
C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Analytic"
C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Application"
C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "DebugChannel"
C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "DirectShowFilterGraph"
C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "DirectShowPluginControl"
C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "EndpointMapper"
C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "ForwardedEvents"
C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "HardwareEvents"
C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Internet Explorer"
C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Key Management Service"
C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "MF_MediaFoundationDeviceProxy"
C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Media Center"
C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "MediaFoundationDeviceProxy"
C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "MediaFoundationPerformance"
C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "MediaFoundationPipeline"
C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "MediaFoundationPlatform"
C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-IE/Diagnostic"
C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-IEFRAME/Diagnostic"
C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-PerfTrack-IEFRAME/Diagnostic"
C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-PerfTrack-MSHTML/Diagnostic"
C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-ADSI/Debug"
C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-API-Tracing/Operational"
C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-ATAPort/General"
C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-ATAPort/SATA-LPM"
C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-ActionQueue/Analytic"
C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-AltTab/Diagnostic"
C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-AppID/Operational"
C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-AppLocker/EXE and DLL"
C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-AppLocker/MSI and Script"
C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Application Server-Applications/Admin"
C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Application Server-Applications/Analytic"
C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Application Server-Applications/Debug"
C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Application Server-Applications/Operational"
C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Application-Experience/Problem-Steps-Recorder"
C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant"
C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Application-Experience/Program-Compatibility-Troubleshooter"
C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Application-Experience/Program-Inventory"
C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Application-Experience/Program-Inventory/Debug"
C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Application-Experience/Program-Telemetry"
C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Audio/CaptureMonitor"
C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Audio/Operational"
C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Audio/Performance"
C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Audit/Analytic"
C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Authentication User Interface/Operational"
C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-AxInstallService/Log"
C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Backup"
C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-Biometrics/Operational"
C:\Windows\system32\cmd.exe /c wevtutil.exe clear-log "Microsoft-Windows-BitLocker-DrivePreparationTool/Admin"
wevtutil.exe enum-logs
wevtutil.exe clear-log "Analytic"
wevtutil.exe clear-log "Application"
wevtutil.exe clear-log "DebugChannel"
wevtutil.exe clear-log "DirectShowFilterGraph"
wevtutil.exe clear-log "DirectShowPluginControl"
wevtutil.exe clear-log "EndpointMapper"
wevtutil.exe clear-log "ForwardedEvents"
wevtutil.exe clear-log "HardwareEvents"
wevtutil.exe clear-log "Internet Explorer"
wevtutil.exe clear-log "Key Management Service"
wevtutil.exe clear-log "MF_MediaFoundationDeviceProxy"
wevtutil.exe clear-log "Media Center"
wevtutil.exe clear-log "MediaFoundationDeviceProxy"
wevtutil.exe clear-log "MediaFoundationPerformance"
wevtutil.exe clear-log "MediaFoundationPipeline"
wevtutil.exe clear-log "MediaFoundationPlatform"
wevtutil.exe clear-log "Microsoft-IE/Diagnostic"
wevtutil.exe clear-log "Microsoft-IEFRAME/Diagnostic"
wevtutil.exe clear-log "Microsoft-PerfTrack-IEFRAME/Diagnostic"
wevtutil.exe clear-log "Microsoft-PerfTrack-MSHTML/Diagnostic"
wevtutil.exe clear-log "Microsoft-Windows-ADSI/Debug"
wevtutil.exe clear-log "Microsoft-Windows-API-Tracing/Operational"
wevtutil.exe clear-log "Microsoft-Windows-ATAPort/General"
wevtutil.exe clear-log "Microsoft-Windows-ATAPort/SATA-LPM"
wevtutil.exe clear-log "Microsoft-Windows-ActionQueue/Analytic"
wevtutil.exe clear-log "Microsoft-Windows-AltTab/Diagnostic"
wevtutil.exe clear-log "Microsoft-Windows-AppID/Operational"
wevtutil.exe clear-log "Microsoft-Windows-AppLocker/EXE and DLL"
wevtutil.exe clear-log "Microsoft-Windows-AppLocker/MSI and Script"
wevtutil.exe clear-log "Microsoft-Windows-Application Server-Applications/Admin"
wevtutil.exe clear-log "Microsoft-Windows-Application Server-Applications/Analytic"
wevtutil.exe clear-log "Microsoft-Windows-Application Server-Applications/Debug"
wevtutil.exe clear-log "Microsoft-Windows-Application Server-Applications/Operational"
wevtutil.exe clear-log "Microsoft-Windows-Application-Experience/Problem-Steps-Recorder"
wevtutil.exe clear-log "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant"
wevtutil.exe clear-log "Microsoft-Windows-Application-Experience/Program-Compatibility-Troubleshooter"
wevtutil.exe clear-log "Microsoft-Windows-Application-Experience/Program-Inventory"
wevtutil.exe clear-log "Microsoft-Windows-Application-Experience/Program-Inventory/Debug"
wevtutil.exe clear-log "Microsoft-Windows-Application-Experience/Program-Telemetry"
wevtutil.exe clear-log "Microsoft-Windows-Audio/CaptureMonitor"
wevtutil.exe clear-log "Microsoft-Windows-Audio/Operational"
wevtutil.exe clear-log "Microsoft-Windows-Audio/Performance"
wevtutil.exe clear-log "Microsoft-Windows-Audit/Analytic"
wevtutil.exe clear-log "Microsoft-Windows-Authentication User Interface/Operational"
wevtutil.exe clear-log "Microsoft-Windows-AxInstallService/Log"
wevtutil.exe clear-log "Microsoft-Windows-Backup"
wevtutil.exe clear-log "Microsoft-Windows-Biometrics/Operational"

创建的服务 无信息

启动的服务 无信息

进程

WinLogs_Killer_x64.exe PID: 2560, 上一级进程 PID: 2196

cmd.exe PID: 2728, 上一级进程 PID: 2560

wevtutil.exe PID: 2800, 上一级进程 PID: 2728

cmd.exe PID: 2868, 上一级进程 PID: 2560

wevtutil.exe PID: 2940, 上一级进程 PID: 2868

cmd.exe PID: 3040, 上一级进程 PID: 2560

wevtutil.exe PID: 2304, 上一级进程 PID: 3040

cmd.exe PID: 2340, 上一级进程 PID: 2560

wevtutil.exe PID: 2964, 上一级进程 PID: 2340

cmd.exe PID: 2424, 上一级进程 PID: 2560

wevtutil.exe PID: 2268, 上一级进程 PID: 2424

cmd.exe PID: 2760, 上一级进程 PID: 2560

wevtutil.exe PID: 168, 上一级进程 PID: 2760

cmd.exe PID: 3020, 上一级进程 PID: 2560

wevtutil.exe PID: 2908, 上一级进程 PID: 3020

cmd.exe PID: 1428, 上一级进程 PID: 2560

wevtutil.exe PID: 2672, 上一级进程 PID: 1428

cmd.exe PID: 1924, 上一级进程 PID: 2560

wevtutil.exe PID: 2996, 上一级进程 PID: 1924

cmd.exe PID: 2892, 上一级进程 PID: 2560

wevtutil.exe PID: 2936, 上一级进程 PID: 2892

cmd.exe PID: 2508, 上一级进程 PID: 2560

wevtutil.exe PID: 2920, 上一级进程 PID: 2508

cmd.exe PID: 2352, 上一级进程 PID: 2560

wevtutil.exe PID: 2216, 上一级进程 PID: 2352

cmd.exe PID: 2980, 上一级进程 PID: 2560

wevtutil.exe PID: 2768, 上一级进程 PID: 2980

cmd.exe PID: 2824, 上一级进程 PID: 2560

wevtutil.exe PID: 2784, 上一级进程 PID: 2824

cmd.exe PID: 2752, 上一级进程 PID: 2560

wevtutil.exe PID: 2708, 上一级进程 PID: 2752

cmd.exe PID: 2020, 上一级进程 PID: 2560

wevtutil.exe PID: 2852, 上一级进程 PID: 2020

cmd.exe PID: 3036, 上一级进程 PID: 2560

wevtutil.exe PID: 2164, 上一级进程 PID: 3036

cmd.exe PID: 2764, 上一级进程 PID: 2560

wevtutil.exe PID: 2848, 上一级进程 PID: 2764

cmd.exe PID: 3032, 上一级进程 PID: 2560

wevtutil.exe PID: 2248, 上一级进程 PID: 3032

cmd.exe PID: 2864, 上一级进程 PID: 2560

wevtutil.exe PID: 2136, 上一级进程 PID: 2864

cmd.exe PID: 3100, 上一级进程 PID: 2560

wevtutil.exe PID: 3172, 上一级进程 PID: 3100

cmd.exe PID: 3240, 上一级进程 PID: 2560

wevtutil.exe PID: 3312, 上一级进程 PID: 3240

cmd.exe PID: 3380, 上一级进程 PID: 2560

wevtutil.exe PID: 3460, 上一级进程 PID: 3380

cmd.exe PID: 3536, 上一级进程 PID: 2560

wevtutil.exe PID: 3608, 上一级进程 PID: 3536

cmd.exe PID: 3676, 上一级进程 PID: 2560

wevtutil.exe PID: 3748, 上一级进程 PID: 3676

cmd.exe PID: 3816, 上一级进程 PID: 2560

wevtutil.exe PID: 3888, 上一级进程 PID: 3816

cmd.exe PID: 3956, 上一级进程 PID: 2560

wevtutil.exe PID: 4040, 上一级进程 PID: 3956

cmd.exe PID: 2056, 上一级进程 PID: 2560

wevtutil.exe PID: 808, 上一级进程 PID: 2056

cmd.exe PID: 3152, 上一级进程 PID: 2560

wevtutil.exe PID: 3328, 上一级进程 PID: 3152

cmd.exe PID: 3280, 上一级进程 PID: 2560

wevtutil.exe PID: 3516, 上一级进程 PID: 3280

cmd.exe PID: 3568, 上一级进程 PID: 2560

wevtutil.exe PID: 3588, 上一级进程 PID: 3568

cmd.exe PID: 3768, 上一级进程 PID: 2560

wevtutil.exe PID: 3712, 上一级进程 PID: 3768

cmd.exe PID: 3924, 上一级进程 PID: 2560

wevtutil.exe PID: 3976, 上一级进程 PID: 3924

cmd.exe PID: 3044, 上一级进程 PID: 2560

wevtutil.exe PID: 3196, 上一级进程 PID: 3044

cmd.exe PID: 3076, 上一级进程 PID: 2560

wevtutil.exe PID: 3372, 上一级进程 PID: 3076

cmd.exe PID: 3412, 上一级进程 PID: 2560

wevtutil.exe PID: 3532, 上一级进程 PID: 3412

cmd.exe PID: 3612, 上一级进程 PID: 2560

wevtutil.exe PID: 3552, 上一级进程 PID: 3612

cmd.exe PID: 3832, 上一级进程 PID: 2560

wevtutil.exe PID: 916, 上一级进程 PID: 3832

cmd.exe PID: 4036, 上一级进程 PID: 2560

wevtutil.exe PID: 3928, 上一级进程 PID: 4036

cmd.exe PID: 3212, 上一级进程 PID: 2560

wevtutil.exe PID: 3104, 上一级进程 PID: 3212

cmd.exe PID: 3672, 上一级进程 PID: 2560

wevtutil.exe PID: 3592, 上一级进程 PID: 3672

cmd.exe PID: 1064, 上一级进程 PID: 2560

wevtutil.exe PID: 1664, 上一级进程 PID: 1064

cmd.exe PID: 1864, 上一级进程 PID: 2560

wevtutil.exe PID: 724, 上一级进程 PID: 1864

cmd.exe PID: 3360, 上一级进程 PID: 2560

wevtutil.exe PID: 3648, 上一级进程 PID: 3360

cmd.exe PID: 524, 上一级进程 PID: 2560

wevtutil.exe PID: 3728, 上一级进程 PID: 524

cmd.exe PID: 4000, 上一级进程 PID: 2560

wevtutil.exe PID: 3208, 上一级进程 PID: 4000

cmd.exe PID: 2008, 上一级进程 PID: 2560

wevtutil.exe PID: 2184, 上一级进程 PID: 2008

cmd.exe PID: 3128, 上一级进程 PID: 2560

wevtutil.exe PID: 3260, 上一级进程 PID: 3128

cmd.exe PID: 3952, 上一级进程 PID: 2560

wevtutil.exe PID: 3188, 上一级进程 PID: 3952

访问的文件

C:\Users\test\AppData\Local\Temp\WinLogs_Killer_x64.exe
C:\Windows\Globalization\Sorting\sortdefault.nls
C:\Windows\sysnative\shell32.dll
C:\
C:\Users
\??\MountPointManager
C:\Users\desktop.ini
C:\Users\test
C:\Users\test\AppData
C:\Users\test\AppData\Local
C:\Users\test\AppData\Local\Temp
\Device\KsecDD
C:\Users\test\AppData\Local\Temp\EventLog.txt
C:\Windows\sysnative\wevtutil.exe
C:\Windows\sysnative
C:\Windows
C:\Windows\sysnative\zh-CN\KERNELBASE.dll.mui

读取的文件

C:\Users\test\AppData\Local\Temp\WinLogs_Killer_x64.exe
C:\Windows\Globalization\Sorting\sortdefault.nls
C:\Windows\sysnative\shell32.dll
C:\
C:\Users\desktop.ini
C:\Users
C:\Users\test
C:\Users\test\AppData
C:\Users\test\AppData\Local
C:\Users\test\AppData\Local\Temp
\Device\KsecDD
C:\Users\test\AppData\Local\Temp\EventLog.txt
C:\Windows\sysnative\zh-CN\KERNELBASE.dll.mui

修改的文件

C:\Users\test\AppData\Local\Temp\EventLog.txt

删除的文件 无信息

注册表键

HKEY_CURRENT_USER\Control Panel\Mouse
HKEY_CURRENT_USER\Control Panel\Mouse\SwapMouseButtons
HKEY_CURRENT_USER\Software\AutoIt v3\AutoIt
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesMyComputer
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesMyComputer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesRecycleBin
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesRecycleBin
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetFolders
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetFolders
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoInternetIcon
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoInternetIcon
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Applications\WinLogs_Killer_x64.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoCommonGroups
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoCommonGroups
HKEY_CLASSES_ROOT\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\Attributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\CallForAttributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\RestrictedAttributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsFORDISPLAY
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HideFolderVerbs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\UseDropHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsFORPARSING
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsParseDisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\QueryForOverlay
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\MapNetDriveVerbs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\QueryForInfoTip
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HideInWebView
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HideOnDesktopPerUser
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsAliasedNotifications
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsUniversalDelegate
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\NoFileFolderJunction
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\PinToNameSpaceTree
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HasNavigationEnum
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{20D04FE0-3AEA-1069-A2D8-08002B30309D}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{372941a4-1bd9-11e5-9838-806e6f6e6963}\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{372941a4-1bd9-11e5-9838-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{372941a4-1bd9-11e5-9838-806e6f6e6963}\Generation
HKEY_CLASSES_ROOT\Drive\shellex\FolderExtensions
HKEY_CLASSES_ROOT\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}\DriveMask
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Explorer
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Explorer
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{372941a3-1bd9-11e5-9838-806e6f6e6963}\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{372941a3-1bd9-11e5-9838-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{372941a3-1bd9-11e5-9838-806e6f6e6963}\Generation
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DontShowSuperHidden
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DontShowSuperHidden
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoWebView
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoWebView
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ClassicShell
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ClassicShell
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\SeparateProcess
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\SeparateProcess
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoNetCrawling
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoNetCrawling
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSimpleStartMenu
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSimpleStartMenu
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowCompColor
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\DontPrettyPath
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowInfoTip
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideIcons
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\MapNetDrvBtn
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\WebView
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Filter
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\SeparateProcess
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\NoNetCrawling
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\AutoCheckSelect
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\IconsOnly
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowTypeOverlay
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Shell\RegisteredApplications\UrlAssociations\Directory\OpenWithProgids
HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\Directory
HKEY_CLASSES_ROOT\Directory
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\CurVer
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\ShellEx\IconHandler
HKEY_CLASSES_ROOT\Folder
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\ShellEx\IconHandler
HKEY_CLASSES_ROOT\AllFilesystemObjects
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\ShellEx\IconHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\Clsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\Clsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\Clsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\AlwaysShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\NeverShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\NeverShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\NeverShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\AllowFileCLSIDJunctions
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\AllowFileCLSIDJunctions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\WinLogs_Killer_x64.exe
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\ExtendedLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\DisableUNCCheck
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\EnableExtensions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\DelayedExpansion
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\DefaultColor
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\CompletionChar
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\PathCompletionChar
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\AutoRun
HKEY_CURRENT_USER\Software\Microsoft\Command Processor
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DisableUNCCheck
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\EnableExtensions
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DelayedExpansion
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DefaultColor
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\CompletionChar
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\PathCompletionChar
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\AutoRun
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\WMR
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\WMR\Disable

读取的注册表键

HKEY_CURRENT_USER\Control Panel\Mouse\SwapMouseButtons
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesMyComputer
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesMyComputer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesRecycleBin
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesRecycleBin
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetFolders
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetFolders
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoInternetIcon
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoInternetIcon
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoCommonGroups
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoCommonGroups
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\Attributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\CallForAttributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\RestrictedAttributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsFORDISPLAY
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HideFolderVerbs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\UseDropHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsFORPARSING
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsParseDisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\QueryForOverlay
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\MapNetDriveVerbs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\QueryForInfoTip
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HideInWebView
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HideOnDesktopPerUser
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsAliasedNotifications
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsUniversalDelegate
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\NoFileFolderJunction
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\PinToNameSpaceTree
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HasNavigationEnum
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{20D04FE0-3AEA-1069-A2D8-08002B30309D}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{372941a4-1bd9-11e5-9838-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{372941a4-1bd9-11e5-9838-806e6f6e6963}\Generation
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}\DriveMask
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{372941a3-1bd9-11e5-9838-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{372941a3-1bd9-11e5-9838-806e6f6e6963}\Generation
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DontShowSuperHidden
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DontShowSuperHidden
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoWebView
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoWebView
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ClassicShell
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ClassicShell
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\SeparateProcess
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\SeparateProcess
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoNetCrawling
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoNetCrawling
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSimpleStartMenu
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSimpleStartMenu
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowCompColor
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\DontPrettyPath
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowInfoTip
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideIcons
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\MapNetDrvBtn
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\WebView
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Filter
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\SeparateProcess
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\NoNetCrawling
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\AutoCheckSelect
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\IconsOnly
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowTypeOverlay
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\AlwaysShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\NeverShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\NeverShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\NeverShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\AllowFileCLSIDJunctions
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\AllowFileCLSIDJunctions
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\DisableUNCCheck
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\EnableExtensions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\DelayedExpansion
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\DefaultColor
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\CompletionChar
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\PathCompletionChar
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\AutoRun
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DisableUNCCheck
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\EnableExtensions
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DelayedExpansion
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DefaultColor
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\CompletionChar
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\PathCompletionChar
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\AutoRun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\WMR\Disable

修改的注册表键 无信息

删除的注册表键 无信息

API解析

kernel32.dll.IsWow64Process
uxtheme.dll.IsThemeActive
ole32.dll.CoGetMalloc
ole32.dll.CoGetApartmentType
kernel32.dll.SortGetHandle
kernel32.dll.SortCloseHandle
ole32.dll.CoTaskMemFree
comctl32.dll.#236
oleaut32.dll.#6
ole32.dll.CoTaskMemAlloc
ole32.dll.CreateBindCtx
comctl32.dll.#320
ole32.dll.StringFromGUID2
comctl32.dll.#324
comctl32.dll.#323
comctl32.dll.#388
comctl32.dll.#328
comctl32.dll.#334
advapi32.dll.RegEnumKeyW
oleaut32.dll.#2
ole32.dll.CoCreateInstance
setupapi.dll.CM_Get_Device_Interface_List_Size_ExW
setupapi.dll.CM_Get_Device_Interface_List_ExW
comctl32.dll.#332
comctl32.dll.#386
advapi32.dll.IsTextUnicode
comctl32.dll.#338
comctl32.dll.#339
advapi32.dll.OpenThreadToken
shell32.dll.#102
ole32.dll.CoInitializeEx
cryptbase.dll.SystemFunction036
ole32.dll.CoRegisterInitializeSpy
ole32.dll.CoUninitialize
ole32.dll.CoRevokeInitializeSpy
oleaut32.dll.#500
comctl32.dll.RegisterClassNameW
uxtheme.dll.OpenThemeData
imm32.dll.ImmGetContext
imm32.dll.ImmReleaseContext
imm32.dll.ImmAssociateContext
imm32.dll.ImmIsIME
shell32.dll.#66
kernel32.dll.SetThreadUILanguage
kernel32.dll.CopyFileExW
kernel32.dll.IsDebuggerPresent
kernel32.dll.SetConsoleInputExeNameW
rpcrt4.dll.RpcStringBindingComposeW
rpcrt4.dll.RpcBindingFromStringBindingW
rpcrt4.dll.RpcBindingSetAuthInfoExW
rpcrt4.dll.RpcBindingSetOption
rpcrt4.dll.RpcStringFreeW
rpcrt4.dll.NdrClientCall3
rpcrt4.dll.RpcBindingFree