魔盾 (Maldun) Security Analysis Report

Analysis type:    FILE
Start time:       2016-05-28 14:59:33
End time:         2016-05-28 15:02:27
Duration:         174 seconds
Engine version:   1.4-Maldun

VM name:          win7-sp1-x64
VM label:         win7-sp1-x64
Hypervisor:       KVM
VM boot time:     2016-05-28 14:59:39
VM shutdown time: 2016-05-28 15:02:25

Maldun score: 2.15 (suspicious)

File details

File name:   download_engine.dll
File size:   3512776 bytes
File type:   PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
CRC32:       5F5020A4
MD5:         1a87ff238df9ea26e76b56f34e18402c
SHA1:        2df48c31f3b3adb118f6472b5a2dc3081b302d7c
SHA256:      abaeb5121548256577ddd8b0fc30c9ff3790649ad6a0704e4e30d62e70a72964
SHA512:      b2e63aba8c081d3d38bd9633a1313f97b586b69ae0301d3b32b889690327a575b55097f19cc87c6e6ed345f1b4439d28f981fdb094e6a095018a10921dae80d9
Ssdeep:      49152:O/4yyAd2+awsEL4eyiiDoHHPLvQB0o32Qm6m7VBmurXztN:OVrsEcTiiAvLa0oYkuf/
PEiD:        no match
Yara:
  • DebuggerCheck__API ()
  • MD5_Constants (Look for MD5 constants)
  • RIPEMD160_Constants (Look for RIPEMD-160 constants)
  • SHA1_Constants (Look for SHA1 constants)
  • SHA512_Constants (Look for SHA384/SHA512 constants)
  • NET ()
  The hash-constant matches are expected in a download engine that verifies chunk and file digests. The NET match is not corroborated by the import table below, which lists only native libraries (MSVCP71/MSVCR71, no mscoree.dll), so treat it as a loose rule hit rather than evidence of managed code.
VirusTotal:  0/56 detections (scanned 2016-05-27 23:32:17)

Signatures

Carries an Authenticode digital signature
  md5_fingerprint:  a4235c901f3a314428818dcad41092c0
  sha1_fingerprint: 20c98cd8e61f7b9e77dbd74242b7538ff410f57b
  sn: 17277270394723284844005652106499860154
  cn: ShenZhen Thunder Networking Technologies Ltd.
  The report records the signing certificate's fingerprints, serial number and subject CN only; it does not say whether the signature verified (chain to a trusted root, file hash match, timestamp). Confirm that before treating the signer name as provenance: a signature that is present but invalid is an indicator, not reassurance.
Issued HTTP requests
  url: http://www.msftncsi.com/ncsi.txt
  url: http://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD%2BOyl%2B0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEFIA5aolVvwahu2WydRLM8c%3D
  url: http://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTSqZMG5M8TA9rdzkbCnNwuMAd5VgQUz5mp6nsm9EvJjo%2FX8AUm7%2BPSp50CEAz%2FezKc%2F387jS1UKrJYJro%3D
  url: http://ss.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTRsWSLjJ8N0Wujis0rUBfV%2Bc%2FAZAQUX2DPYZBV34RDFIpgKrL1evRDGO8CEFYsTGl7at%2BFjHRU%2BpXehLM%3D
  url: http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBR8sWZUnKvbRO5iJhat9GV793rVlAQUrb2YejS0Jvf6xCZU7wO94CTLVBoCECdm7lbrSfOOq9dwovyE3iI%3D
  url: http://ocsp.msocsp.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBQmECJms4f7i5EbxtN7NbzQCBwAdAQUUa8kJpz0aCJXgCYrO0ZiFXsezKUCE1oAAN43VPPQBXGCMiwAAQAA3jc%3D
  url: http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBReAhtobFzTvhaRmVeJ38QUchY9AwQUu69%2BAj36pvE8hI6t7jiY7NkyMtQCEDaCXn%2B1pIGTfvbRc2u5PKY%3D
  url: http://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X%2B%2BhEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECECUM6OAwYS6fK4n3BU18%2BP0%3D
  url: http://ocsp.comodoca.com/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBQLqIKj6Gi5thHaqKC1ECU9aXsCRQQUmvMr2s%2BtT7YvuypISCoStxtCwSQCEQD0gtB5WgsdpjrFZePtaJt6
  url: http://sd.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQMgSk4dLKWKRB%2B2DViUmQEUw3ggwQUDURcFlNEwYJ%2BHSCrJfQBY9i%2BeaUCEFzeRE%2FrSZRDaFn%2BzErlAWw%3D
  url: http://ocsp2.globalsign.com/gsorganizationvalg2/MFMwUTBPME0wSzAJBgUrDgMCGgUABBReGXQV%2FtqUV3SNMRE%2Bs25eR%2FvhjwQUXUayjcRLdBy77fVztjq3OI91nn4CEhEhyNkSBZL0u2zY4jc9udsWFw%3D%3D
  url: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRJ9L2KGL92BpjF3kAtaDtxauTmhgQUPdNQpdagre7zSmAKZdMh1Pj41g8CEAIwaX55BLru0bCAsau57vM%3D
  url: http://ocsp.globalsign.com/rootr1/MEwwSjBIMEYwRDAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCCwQAAAAAAS9O4UUM
  url: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEAx5qUSwjBGVIJJhX%2BJrHYM%3D
  url: http://sd.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQMgSk4dLKWKRB%2B2DViUmQEUw3ggwQUDURcFlNEwYJ%2BHSCrJfQBY9i%2BeaUCEFulHELau99g31whfW%2B6uJI%3D
  url: http://s.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD%2BOyl%2B0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEBkaMst1nJe4z6wRjdUSf0k%3D
  url: http://ocsp2.globalsign.com/gsorganizationvalsha2g2/MFMwUTBPME0wSzAJBgUrDgMCGgUABBQMnk2cPe3vhNiR6XLHz4QGvBl7BwQUlt5h8b0cFilTHMDMfTuDAEDmGnwCEhEhGuAGlWtDRHAtLRzCaILaCA%3D%3D
  url: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSnR4FoxLLkI7vkvsUIFlZt%2BlGH3gQUWsS5eyoKo6XqcQPAYPkt9mV1DlgCEAnmWtgHuEl7B0nUFWjWJtA%3D
  All 18 URLs are either the Windows NCSI connectivity probe (ncsi.txt) or OCSP GET requests to public CA responders (the last path segment is the base64 DER of an RFC 6960 OCSPRequest). The raw requests in the HTTP section below carry User-Agent "Microsoft NCSI" and "Microsoft-CryptoAPI/6.1": Windows components issued them, the latter while building and revocation-checking a certificate chain. None of the HTTP requests or DNS lookups targets a Thunder/Xunlei host.
Network activity was detected that does not appear in the API log
  Consistent with the point above: the traffic was generated by Windows system components, not by hooked API calls in the sample. The report attributes no network traffic to the DLL's own code.

Screenshots

Network analysis

Hosts contacted

Direct access   IP address        Country
                58.211.137.192    China
                37.61.54.158      Azerbaijan
                23.7.139.27       United States
                23.47.27.27       United States
                198.41.215.183    United States
                117.18.237.29     Asia/Pacific Region
                111.108.54.10     Japan

DNS resolution

Domain                  Response
www.msftncsi.com        CNAME a1961.g2.akamai.net
                        A 111.108.54.17
                        A 111.108.54.10
                        CNAME www.msftncsi.com.edgesuite.net
ocsp.verisign.com       CNAME ocsp-ds.ws.symantec.com.edgekey.net
                        CNAME e8218.dscb1.akamaiedge.net
                        A 23.47.27.27
ss.symcd.com            A 23.7.139.27
ocsp.msocsp.com         A 198.41.214.185
                        CNAME hostedocsp.globalsign.com
                        A 198.41.214.186
                        A 198.41.214.187
                        A 198.41.215.183
                        A 198.41.215.182
                        A 198.41.215.185
                        A 198.41.214.183
                        A 198.41.215.184
                        A 198.41.215.186
                        A 198.41.214.184
sd.symcd.com            (no answer recorded)
ocsp2.globalsign.com    CNAME cdn.globalsigncdn.com
                        A 58.211.137.192
ocsp.digicert.com       CNAME cs9.wac.phicdn.net
                        A 117.18.237.29
ocsp.globalsign.com     (no answer recorded)
s.symcd.com             (no answer recorded)
ocsp.omniroot.com       A 37.61.54.158
                        CNAME wac.BFDD.edgecastcdn.net

Cross-check against the other tables: ocsp.usertrust.com and ocsp.comodoca.com receive HTTP requests but have no entry here, 178.255.83.1 (three TCP connections below) is the only peer with no recorded DNS answer, and ocsp.omniroot.com is resolved but appears in no HTTP request.

TCP connections

IP address        Port   Count
111.108.54.10     80     1
117.18.237.29     80     2
178.255.83.1      80     3
198.41.215.183    80     1
23.47.27.27       80     1
23.7.139.27       80     4
58.211.137.192    80     2

UDP connections

IP address         Port    Count   Note
192.168.122.1      53      17      DNS to the gateway of the libvirt/KVM default NAT network (192.168.122.0/24)
192.168.122.255    137     1       NetBIOS name service broadcast
192.168.122.255    138     1       NetBIOS datagram broadcast
224.0.0.252        5355    41      LLMNR multicast
239.255.255.250    1900    1       SSDP multicast
40.118.103.7       123     1       NTP
192.168.122.69     59674   1

The broadcast, multicast and NTP entries are ordinary Windows 7 background traffic on a NATed guest; the report attributes none of the UDP flows to the sample's own code.

HTTP requests

URL followed by the raw request. The User-Agent identifies the Windows component that sent it: "Microsoft NCSI" for the connectivity probe, "Microsoft-CryptoAPI/6.1" for the OCSP revocation checks.
http://www.msftncsi.com/ncsi.txt
GET /ncsi.txt HTTP/1.1
Connection: Close
User-Agent: Microsoft NCSI
Host: www.msftncsi.com

http://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD%2BOyl%2B0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEFIA5aolVvwahu2WydRLM8c%3D
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD%2BOyl%2B0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEFIA5aolVvwahu2WydRLM8c%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com

http://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTSqZMG5M8TA9rdzkbCnNwuMAd5VgQUz5mp6nsm9EvJjo%2FX8AUm7%2BPSp50CEAz%2FezKc%2F387jS1UKrJYJro%3D
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTSqZMG5M8TA9rdzkbCnNwuMAd5VgQUz5mp6nsm9EvJjo%2FX8AUm7%2BPSp50CEAz%2FezKc%2F387jS1UKrJYJro%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com

http://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTSqZMG5M8TA9rdzkbCnNwuMAd5VgQUz5mp6nsm9EvJjo%2FX8AUm7%2BPSp50CEAz%2FezKc%2F387jS1UKrJYJro%3D
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTSqZMG5M8TA9rdzkbCnNwuMAd5VgQUz5mp6nsm9EvJjo%2FX8AUm7%2BPSp50CEAz%2FezKc%2F387jS1UKrJYJro%3D HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com

http://ss.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTRsWSLjJ8N0Wujis0rUBfV%2Bc%2FAZAQUX2DPYZBV34RDFIpgKrL1evRDGO8CEFYsTGl7at%2BFjHRU%2BpXehLM%3D
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTRsWSLjJ8N0Wujis0rUBfV%2Bc%2FAZAQUX2DPYZBV34RDFIpgKrL1evRDGO8CEFYsTGl7at%2BFjHRU%2BpXehLM%3D HTTP/1.1
Cache-Control: max-age = 386960
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Thu, 21 Jan 2016 20:44:27 GMT
User-Agent: Microsoft-CryptoAPI/6.1
Host: ss.symcd.com

http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBR8sWZUnKvbRO5iJhat9GV793rVlAQUrb2YejS0Jvf6xCZU7wO94CTLVBoCECdm7lbrSfOOq9dwovyE3iI%3D
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBR8sWZUnKvbRO5iJhat9GV793rVlAQUrb2YejS0Jvf6xCZU7wO94CTLVBoCECdm7lbrSfOOq9dwovyE3iI%3D HTTP/1.1
Cache-Control: max-age = 311241
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Sat, 23 Jan 2016 23:57:39 GMT
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.usertrust.com

http://ocsp.msocsp.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBQmECJms4f7i5EbxtN7NbzQCBwAdAQUUa8kJpz0aCJXgCYrO0ZiFXsezKUCE1oAAN43VPPQBXGCMiwAAQAA3jc%3D
GET /MFQwUjBQME4wTDAJBgUrDgMCGgUABBQmECJms4f7i5EbxtN7NbzQCBwAdAQUUa8kJpz0aCJXgCYrO0ZiFXsezKUCE1oAAN43VPPQBXGCMiwAAQAA3jc%3D HTTP/1.1
Cache-Control: max-age = 10800
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Sun, 24 Jan 2016 06:30:15 GMT
If-None-Match: "77a3ed05d7337d023a726d1efae9caf1857cedc9"
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.msocsp.com

http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBReAhtobFzTvhaRmVeJ38QUchY9AwQUu69%2BAj36pvE8hI6t7jiY7NkyMtQCEDaCXn%2B1pIGTfvbRc2u5PKY%3D
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBReAhtobFzTvhaRmVeJ38QUchY9AwQUu69%2BAj36pvE8hI6t7jiY7NkyMtQCEDaCXn%2B1pIGTfvbRc2u5PKY%3D HTTP/1.1
Cache-Control: max-age = 311240
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Sat, 23 Jan 2016 23:57:39 GMT
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.comodoca.com

http://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X%2B%2BhEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECECUM6OAwYS6fK4n3BU18%2BP0%3D
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X%2B%2BhEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECECUM6OAwYS6fK4n3BU18%2BP0%3D HTTP/1.1
Cache-Control: max-age = 603676
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Sun, 24 Jan 2016 08:43:57 GMT
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com

http://ocsp.comodoca.com/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBQLqIKj6Gi5thHaqKC1ECU9aXsCRQQUmvMr2s%2BtT7YvuypISCoStxtCwSQCEQD0gtB5WgsdpjrFZePtaJt6
GET /MFIwUDBOMEwwSjAJBgUrDgMCGgUABBQLqIKj6Gi5thHaqKC1ECU9aXsCRQQUmvMr2s%2BtT7YvuypISCoStxtCwSQCEQD0gtB5WgsdpjrFZePtaJt6 HTTP/1.1
Cache-Control: max-age = 334227
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Sun, 24 Jan 2016 06:20:47 GMT
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.comodoca.com

http://sd.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQMgSk4dLKWKRB%2B2DViUmQEUw3ggwQUDURcFlNEwYJ%2BHSCrJfQBY9i%2BeaUCEFzeRE%2FrSZRDaFn%2BzErlAWw%3D
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBQMgSk4dLKWKRB%2B2DViUmQEUw3ggwQUDURcFlNEwYJ%2BHSCrJfQBY9i%2BeaUCEFzeRE%2FrSZRDaFn%2BzErlAWw%3D HTTP/1.1
Cache-Control: max-age = 533948
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Sat, 23 Jan 2016 13:34:51 GMT
User-Agent: Microsoft-CryptoAPI/6.1
Host: sd.symcd.com

http://ocsp2.globalsign.com/gsorganizationvalg2/MFMwUTBPME0wSzAJBgUrDgMCGgUABBReGXQV%2FtqUV3SNMRE%2Bs25eR%2FvhjwQUXUayjcRLdBy77fVztjq3OI91nn4CEhEhyNkSBZL0u2zY4jc9udsWFw%3D%3D
GET /gsorganizationvalg2/MFMwUTBPME0wSzAJBgUrDgMCGgUABBReGXQV%2FtqUV3SNMRE%2Bs25eR%2FvhjwQUXUayjcRLdBy77fVztjq3OI91nn4CEhEhyNkSBZL0u2zY4jc9udsWFw%3D%3D HTTP/1.1
Cache-Control: max-age = 180
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Sun, 24 Jan 2016 08:12:59 GMT
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp2.globalsign.com

http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRJ9L2KGL92BpjF3kAtaDtxauTmhgQUPdNQpdagre7zSmAKZdMh1Pj41g8CEAIwaX55BLru0bCAsau57vM%3D
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBRJ9L2KGL92BpjF3kAtaDtxauTmhgQUPdNQpdagre7zSmAKZdMh1Pj41g8CEAIwaX55BLru0bCAsau57vM%3D HTTP/1.1
Cache-Control: max-age = 513914
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Sun, 24 Jan 2016 04:05:14 GMT
If-None-Match: "56a44d7a-1d7"
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.digicert.com

http://ocsp.globalsign.com/rootr1/MEwwSjBIMEYwRDAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCCwQAAAAAAS9O4UUM
GET /rootr1/MEwwSjBIMEYwRDAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCCwQAAAAAAS9O4UUM HTTP/1.1
Cache-Control: max-age = 10800
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Sun, 24 Jan 2016 06:40:24 GMT
If-None-Match: "1be626cf99d21b40b0ac46e272f28ef043bd829a"
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.globalsign.com

http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEAx5qUSwjBGVIJJhX%2BJrHYM%3D
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEAx5qUSwjBGVIJJhX%2BJrHYM%3D HTTP/1.1
Cache-Control: max-age = 500863
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Sat, 23 Jan 2016 22:46:14 GMT
If-None-Match: "56a402b6-1d7"
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.digicert.com

http://sd.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQMgSk4dLKWKRB%2B2DViUmQEUw3ggwQUDURcFlNEwYJ%2BHSCrJfQBY9i%2BeaUCEFulHELau99g31whfW%2B6uJI%3D
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBQMgSk4dLKWKRB%2B2DViUmQEUw3ggwQUDURcFlNEwYJ%2BHSCrJfQBY9i%2BeaUCEFulHELau99g31whfW%2B6uJI%3D HTTP/1.1
Cache-Control: max-age = 582766
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Sun, 24 Jan 2016 03:09:24 GMT
User-Agent: Microsoft-CryptoAPI/6.1
Host: sd.symcd.com

http://s.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD%2BOyl%2B0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEBkaMst1nJe4z6wRjdUSf0k%3D
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD%2BOyl%2B0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEBkaMst1nJe4z6wRjdUSf0k%3D HTTP/1.1
Cache-Control: max-age = 584283
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Sun, 24 Jan 2016 03:35:04 GMT
User-Agent: Microsoft-CryptoAPI/6.1
Host: s.symcd.com

http://ocsp2.globalsign.com/gsorganizationvalsha2g2/MFMwUTBPME0wSzAJBgUrDgMCGgUABBQMnk2cPe3vhNiR6XLHz4QGvBl7BwQUlt5h8b0cFilTHMDMfTuDAEDmGnwCEhEhGuAGlWtDRHAtLRzCaILaCA%3D%3D
GET /gsorganizationvalsha2g2/MFMwUTBPME0wSzAJBgUrDgMCGgUABBQMnk2cPe3vhNiR6XLHz4QGvBl7BwQUlt5h8b0cFilTHMDMfTuDAEDmGnwCEhEhGuAGlWtDRHAtLRzCaILaCA%3D%3D HTTP/1.1
Cache-Control: max-age = 180
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Sun, 24 Jan 2016 03:25:57 GMT
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp2.globalsign.com

http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSnR4FoxLLkI7vkvsUIFlZt%2BlGH3gQUWsS5eyoKo6XqcQPAYPkt9mV1DlgCEAnmWtgHuEl7B0nUFWjWJtA%3D
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSnR4FoxLLkI7vkvsUIFlZt%2BlGH3gQUWsS5eyoKo6XqcQPAYPkt9mV1DlgCEAnmWtgHuEl7B0nUFWjWJtA%3D HTTP/1.1
Cache-Control: max-age = 510937
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Sun, 24 Jan 2016 01:36:05 GMT
If-None-Match: "56a42a85-1d7"
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.digicert.com

Static analysis

PE information

Image base:            0x10000000
Entry point:           0x10025c3d (RVA 0x25c3d, inside .text)
Declared checksum:     0x0035d926
Computed checksum:     0x0035d926 (match: no post-link modification without the checksum being recomputed)
Minimum OS version:    4.0
PDB path:              d:\MiniDownloadLib\branches\bin\Product Release\download_engine.pdb
Compile timestamp:     2014-07-16 10:43:20
Export DLL name:       download_engine.dll

Version information

LegalCopyright:   版权所有 (C) 2014 深圳市迅雷网络技术有限公司 (All rights reserved (C) 2014 Shenzhen Xunlei Network Technology Co., Ltd.)
InternalName:     Thunder
FileVersion:      5,0,2,288
CompanyName:      Thunder Networking Technologies,LTD
ProductName:      Thunder
ProductVersion:   5,0,2,288
FileDescription:  Thunder
OriginalFilename: download_interface.dll
Translation:      0x0804 0x04b0 (LANGID 0x0804 = Chinese (Simplified, PRC); code page 0x04b0 = 1200 = Unicode)

CompanyName agrees with the Authenticode signer CN (Thunder Networking Technologies, i.e. Xunlei) and with the RT_VERSION resource language. OriginalFilename (download_interface.dll) differs from the submitted file name, the export table name and the PDB name (download_engine); that is a mild inconsistency to record, not an indicator on its own.

PE sections

Name     Virtual address  Virtual size  Raw size    Characteristics                                                       Entropy
.text    0x00001000       0x0027491c    0x00275000  IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ           6.54
.rdata   0x00276000       0x0008744b    0x00088000  IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ                     5.05
.data    0x002fe000       0x0001be4c    0x00014000  IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 5.66
.rsrc    0x0031a000       0x00000360    0x00001000  IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ                     0.97
.reloc   0x0031b000       0x00044c94    0x00045000  IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ 5.91

No section is both writable and executable, the entropies stay well below the ~7.0 that packed or encrypted code shows, and the entry point lies inside .text. Together with PEiD reporting no match, nothing here suggests a packer.

Overlay

Offset: 0x00358000
Size:   0x000019c8

The overlay starts exactly where the raw section data ends (0x1000 of headers plus the raw sizes above sum to 0x00358000) and ends exactly at EOF (0x00358000 + 0x19c8 = 0x3599c8 = 3512776 bytes). That is where the Authenticode PKCS#7 blob normally sits; confirm it by reading the IMAGE_DIRECTORY_ENTRY_SECURITY entry rather than assuming the whole overlay is signature data.

Resources

Name        Offset      Size        Language      Sublanguage                 Entropy  File type
RT_VERSION  0x0031a060  0x000002fc  LANG_CHINESE  SUBLANG_CHINESE_SIMPLIFIED  3.67     data

Imports

Library WS2_32.dll (entries shown as None are imports by ordinal that the report did not resolve to names):
0x10276670 - None
0x10276674 - WSARecvFrom
0x10276678 - WSASendTo
0x1027667c - None
0x10276680 - None
0x10276684 - WSACloseEvent
0x10276688 - WSACreateEvent
0x1027668c - None
0x10276690 - WSAWaitForMultipleEvents
0x10276694 - None
0x10276698 - None
0x1027669c - None
0x102766a0 - None
0x102766a4 - WSAEnumNetworkEvents
0x102766a8 - WSAEventSelect
0x102766ac - None
0x102766b0 - None
0x102766b4 - None
0x102766b8 - WSASocketW
0x102766bc - None
0x102766c0 - None
0x102766c4 - None
0x102766c8 - None
0x102766cc - None
0x102766d0 - None
0x102766d4 - None
0x102766d8 - WSASocketA
0x102766dc - WSASend
0x102766e0 - WSARecv
0x102766e4 - None
0x102766e8 - None
0x102766ec - WSAGetOverlappedResult
0x102766f0 - None
0x102766f4 - None
0x102766f8 - WSAIoctl
Library WININET.dll:
0x10276664 - InternetGetCookieA
0x10276668 - InternetQueryOptionA
Library KERNEL32.dll:
0x1027605c - IsBadCodePtr
0x10276060 - CreateDirectoryA
0x10276064 - GetFileAttributesA
0x10276068 - CreateEventW
0x1027606c - GetFileType
0x10276070 - GetStdHandle
0x10276074 - VirtualQuery
0x10276078 - FreeLibrary
0x1027607c - CreateDirectoryW
0x10276080 - lstrlenW
0x10276084 - lstrcmpiA
0x10276088 - GetVersion
0x1027608c - FindResourceExA
0x10276090 - FindResourceA
0x10276094 - LoadResource
0x10276098 - LockResource
0x1027609c - SizeofResource
0x102760a0 - WideCharToMultiByte
0x102760a4 - MultiByteToWideChar
0x102760a8 - GlobalMemoryStatus
0x102760ac - GetModuleHandleA
0x102760b0 - GetModuleFileNameA
0x102760b4 - GetSystemDefaultUILanguage
0x102760b8 - GetLastError
0x102760bc - GetTickCount
0x102760c0 - GetCurrentThreadId
0x102760c4 - InterlockedIncrement
0x102760c8 - InterlockedDecrement
0x102760cc - RaiseException
0x102760d0 - GetVersionExA
0x102760d4 - GetThreadLocale
0x102760d8 - GetLocaleInfoA
0x102760dc - GetACP
0x102760e0 - InterlockedExchange
0x102760e4 - SetLastError
0x102760e8 - LocalFree
0x102760ec - GetLocalTime
0x102760f0 - CreateProcessA
0x102760f4 - DebugBreak
0x102760f8 - CreateMutexA
0x102760fc - CompareFileTime
0x10276100 - GetFileAttributesExA
0x10276104 - ReleaseMutex
0x10276108 - FormatMessageA
0x1027610c - GetPrivateProfileStringW
0x10276110 - GetWindowsDirectoryA
0x10276114 - CreateThread
0x10276118 - WritePrivateProfileStringA
0x1027611c - GetPrivateProfileStringA
0x10276120 - GetPrivateProfileIntA
0x10276124 - CreateWaitableTimerA
0x10276128 - SetWaitableTimer
0x1027612c - CancelWaitableTimer
0x10276130 - WaitForMultipleObjects
0x10276134 - GetVolumeInformationA
0x10276138 - Sleep
0x1027613c - LoadLibraryA
0x10276140 - WaitForMultipleObjectsEx
0x10276144 - WriteFileGather
0x10276148 - ReadFileScatter
0x1027614c - GetOverlappedResult
0x10276150 - CreateIoCompletionPort
0x10276154 - QueueUserAPC
0x10276158 - PostQueuedCompletionStatus
0x1027615c - GetQueuedCompletionStatus
0x10276160 - CancelIo
0x10276164 - GetSystemInfo
0x10276168 - VirtualFree
0x1027616c - VirtualAlloc
0x10276170 - ResetEvent
0x10276174 - FindNextFileA
0x10276178 - RemoveDirectoryA
0x1027617c - DeleteFileA
0x10276180 - MoveFileA
0x10276184 - FindFirstFileA
0x10276188 - FindClose
0x1027618c - FlushFileBuffers
0x10276190 - GetFileSize
0x10276194 - SetEndOfFile
0x10276198 - SetFilePointer
0x1027619c - ReadFile
0x102761a0 - WriteFile
0x102761a4 - CreateFileA
0x102761a8 - GetSystemTimeAsFileTime
0x102761ac - GetCurrentProcessId
0x102761b0 - QueryPerformanceCounter
0x102761b4 - ExitProcess
0x102761b8 - GetProcessHeap
0x102761bc - HeapSize
0x102761c0 - HeapReAlloc
0x102761c4 - HeapFree
0x102761c8 - HeapAlloc
0x102761cc - LeaveCriticalSection
0x102761d0 - LoadLibraryExA
0x102761d4 - IsDBCSLeadByte
0x102761d8 - lstrcpynA
0x102761dc - DisableThreadLibraryCalls
0x102761e0 - WaitForSingleObject
0x102761e4 - CreateEventA
0x102761e8 - SetEvent
0x102761ec - GetPrivateProfileSectionNamesA
0x102761f0 - GetPrivateProfileSectionA
0x102761f4 - GetSystemDirectoryA
0x102761f8 - EnterCriticalSection
0x102761fc - DeleteCriticalSection
0x10276200 - InitializeCriticalSection
0x10276204 - ResumeThread
0x10276208 - GetModuleHandleW
0x1027620c - LoadLibraryW
0x10276210 - GetProcAddress
0x10276214 - GetModuleFileNameW
0x10276218 - GetCurrentProcess
0x1027621c - CloseHandle
0x10276220 - GetFileSizeEx
0x10276224 - lstrlenA
0x10276228 - HeapDestroy
Library USER32.dll:
0x10276604 - UnregisterClassA
0x10276608 - DefWindowProcA
0x1027660c - FindWindowA
0x10276610 - KillTimer
0x10276614 - PostMessageA
0x10276618 - MessageBoxA
0x1027661c - DestroyWindow
0x10276620 - CharNextA
0x10276624 - GetDesktopWindow
0x10276628 - GetProcessWindowStation
0x1027662c - GetUserObjectInformationW
0x10276630 - GetWindowLongA
0x10276634 - ShowWindow
0x10276638 - SetWindowLongA
0x1027663c - CreateWindowExA
0x10276640 - RegisterClassExA
0x10276644 - SetTimer
Library ADVAPI32.dll (note the token-privilege trio OpenProcessToken/LookupPrivilegeValueA/AdjustTokenPrivileges and SetSecurityDescriptorDacl; both also occur in benign installers and updaters, and whether the DACL being set is NULL cannot be seen from imports alone):
0x10276000 - RegSetValueExA
0x10276004 - RegOpenKeyExA
0x10276008 - RegCreateKeyExA
0x1027600c - RegCloseKey
0x10276010 - RegDeleteValueA
0x10276014 - RegDeleteKeyA
0x10276018 - RegEnumKeyExA
0x1027601c - RegisterEventSourceA
0x10276020 - ReportEventA
0x10276024 - DeregisterEventSource
0x10276028 - RegQueryInfoKeyA
0x1027602c - AdjustTokenPrivileges
0x10276030 - LookupPrivilegeValueA
0x10276034 - OpenProcessToken
0x10276038 - InitializeSecurityDescriptor
0x1027603c - SetSecurityDescriptorDacl
Library SHELL32.dll:
0x102765ec - SHGetMalloc
0x102765f0 - SHGetSpecialFolderLocation
0x102765f4 - SHGetPathFromIDListW
Library ole32.dll:
0x1027670c - CoCreateGuid
0x10276710 - CoInitialize
0x10276714 - IIDFromString
0x10276718 - StringFromIID
0x1027671c - CoTaskMemFree
0x10276720 - CoTaskMemRealloc
0x10276724 - CoTaskMemAlloc
0x10276728 - CoInitializeEx
0x1027672c - CoCreateInstance
0x10276730 - CLSIDFromString
0x10276734 - CoUninitialize
Library OLEAUT32.dll:
0x102765dc - None (import by ordinal, not resolved by the report)
Library SHLWAPI.dll:
0x102765fc - PathFileExistsW
Library MSVCP71.dll (Visual C++ 7.1 / Visual Studio .NET 2003 C++ standard library; the decorated names below are std::basic_string, stream and locale members):
0x10276230 - ?begin@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE?AViterator@12@XZ
0x10276234 - ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z
0x10276238 - ??$?8DU?$char_traits@D@std@@V?$allocator@D@1@@std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@0@Z
0x1027623c - ?end@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE?AViterator@12@XZ
0x10276240 - ?rbegin@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE?AV?$reverse_iterator@Viterator@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@2@XZ
0x10276244 - ??_D?$basic_ifstream@DU?$char_traits@D@std@@@std@@QAEXXZ
0x10276248 - ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDI@Z
0x1027624c - ??$?9DU?$char_traits@D@std@@V?$allocator@D@1@@std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z
0x10276250 - ?open@?$basic_ifstream@DU?$char_traits@D@std@@@std@@QAEXPBDHH@Z
0x10276254 - ?close@?$basic_ifstream@DU?$char_traits@D@std@@@std@@QAEXXZ
0x10276258 - ??0?$basic_ifstream@DU?$char_traits@D@std@@@std@@QAE@XZ
0x1027625c - ?resize@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEXID@Z
0x10276260 - ??$?MDU?$char_traits@D@std@@V?$allocator@D@1@@std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@0@Z
0x10276264 - ?rfind@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDII@Z
0x10276268 - ?substr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBE?AV12@II@Z
0x1027626c - ?rfind@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIGI@Z
0x10276270 - ?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ABV12@II@Z
0x10276274 - ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIDI@Z
0x10276278 - ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z
0x1027627c - ??_D?$basic_ostringstream@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEXXZ
0x10276280 - ?str@?$basic_ostringstream@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@2@XZ
0x10276284 - ??0?$basic_ostringstream@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@H@Z
0x10276288 - ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z
0x1027628c - ?endl@std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@1@AAV21@@Z
0x10276290 - ?replace@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@IIABV12@@Z
0x10276294 - ?replace@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@IIPBD@Z
0x10276298 - ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@II@Z
0x1027629c - ??_D?$basic_istringstream@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEXXZ
0x102762a0 - ??0?$basic_istringstream@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@1@H@Z
0x102762a4 - ?_Nomemory@std@@YAXXZ
0x102762a8 - ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ
0x102762ac - ??0?$basic_stringstream@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@1@H@Z
0x102762b0 - ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@PBX@Z
0x102762b4 - ?rfind@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIDI@Z
0x102762b8 - ??$?5DU?$char_traits@D@std@@@std@@YAAAV?$basic_istream@DU?$char_traits@D@std@@@0@AAV10@AAD@Z
0x102762bc - ?unget@?$basic_istream@DU?$char_traits@D@std@@@std@@QAEAAV12@XZ
0x102762c0 - ??5?$basic_istream@DU?$char_traits@D@std@@@std@@QAEAAV01@AAH@Z
0x102762c4 - ?read@?$basic_istream@DU?$char_traits@D@std@@@std@@QAEAAV12@PADH@Z
0x102762c8 - ??5?$basic_istream@DU?$char_traits@D@std@@@std@@QAEAAV01@AA_J@Z
0x102762cc - ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@_J@Z
0x102762d0 - ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@I@Z
0x102762d4 - ?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@PBDH@Z
0x102762d8 - ?find_first_of@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDII@Z
0x102762dc - ?_Xran@_String_base@std@@QBEXXZ
0x102762e0 - ?find_last_not_of@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDII@Z
0x102762e4 - ?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ABV12@@Z
0x102762e8 - ?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBD@Z
0x102762ec - ?find_last_of@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDII@Z
0x102762f0 - ?find_first_not_of@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDII@Z
0x102762f4 - ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ
0x102762f8 - ?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@PBGI@Z
0x102762fc - ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@G@Z
0x10276300 - ??$?6U?$char_traits@D@std@@@std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@D@Z
0x10276304 - ?resize@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEXI@Z
0x10276308 - ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDII@Z
0x1027630c - ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ABV12@II@Z
0x10276310 - ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z
0x10276314 - ?find_first_not_of@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDI@Z
0x10276318 - ??0?$basic_stringstream@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@H@Z
0x1027631c - ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@J@Z
0x10276320 - ??$?6U?$char_traits@D@std@@@std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z
0x10276324 - ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@K@Z
0x10276328 - ?str@?$basic_stringstream@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@2@XZ
0x1027632c - ??_D?$basic_stringstream@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEXXZ
0x10276330 - ??$?9DU?$char_traits@D@std@@V?$allocator@D@1@@std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@0@Z
0x10276334 - ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z
0x10276338 - ??$?8DU?$char_traits@D@std@@V?$allocator@D@1@@std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z
0x1027633c - ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z
0x10276340 - ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDI@Z
0x10276344 - ?npos@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@2IB
0x10276348 - ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHD@Z
0x1027634c - ?getloc@ios_base@std@@QBE?AVlocale@2@XZ
0x10276350 - ??1locale@std@@QAE@XZ
0x10276354 - ?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB
0x10276358 - ?erase@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@II@Z
0x1027635c - ?max_size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ
0x10276360 - ?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHXZ
0x10276364 - ?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ID@Z
0x10276368 - ?snextc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHXZ
0x1027636c - ?clear@ios_base@std@@QAEXH_N@Z
0x10276370 - ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEXXZ
0x10276374 - ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@XZ
0x10276378 - ?_Ipfx@?$basic_istream@DU?$char_traits@D@std@@@std@@QAE_N_N@Z
0x1027637c - ?uncaught_exception@std@@YA_NXZ
0x10276380 - ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBG@Z
0x10276384 - ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z
0x10276388 - ??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z
0x1027638c - ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ
0x10276390 - ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@D@Z
0x10276394 - ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z
0x10276398 - ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ID@Z
0x1027639c - ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBD@Z
0x102763a0 - ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z
0x102763a4 - ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z
0x102763a8 - ??0_Lockit@std@@QAE@H@Z
0x102763ac - ?id@?$ctype@D@std@@2V0locale@2@A
0x102763b0 - ??Bid@locale@std@@QAEIXZ
0x102763b4 - ?_Getfacet@locale@std@@QBEPBVfacet@12@I@Z
0x102763b8 - ?_Getcat@?$ctype@D@std@@SAIPAPBVfacet@locale@2@@Z
0x102763bc - ?_Incref@facet@locale@std@@QAEXXZ
0x102763c0 - ?_Register@facet@locale@std@@QAEXXZ
0x102763c4 - ??1_Lockit@std@@QAE@XZ
0x102763c8 - ?_Lock@_Mutex@std@@QAEXXZ
0x102763cc - ?_Unlock@_Mutex@std@@QAEXXZ
0x102763d0 - ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ
0x102763d4 - ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ
0x102763d8 - ??$?8DU?$char_traits@D@std@@V?$allocator@D@1@@std@@YA_NPBDABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@@Z
0x102763dc - ?insert@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@IABV12@@Z
0x102763e0 - ?clear@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEXXZ
0x102763e4 - ??$?9DU?$char_traits@D@std@@V?$allocator@D@1@@std@@YA_NPBDABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@@Z
0x102763e8 - ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@H@Z
0x102763ec - ?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z
0x102763f0 - ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBD@Z
0x102763f4 - ?insert@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@IPBD@Z
0x102763f8 - ?swap@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEXAAV12@@Z
0x102763fc - ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@_N@Z
0x10276400 - ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBD0@Z
0x10276404 - ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBD0@Z
0x10276408 - ??0?$basic_ifstream@DU?$char_traits@D@std@@@std@@QAE@PBDHH@Z
0x1027640c - ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIABV12@I@Z
0x10276410 - ?find_first_of@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDI@Z
0x10276414 - ?erase@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE?AViterator@12@V312@@Z
0x10276418 - ?getline@?$basic_istream@DU?$char_traits@D@std@@@std@@QAEAAV12@PADH@Z
0x1027641c - ?find_last_of@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIDI@Z
0x10276420 - ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@_K@Z
0x10276424 - ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAVios_base@1@AAV21@@Z@Z
0x10276428 - ?setw@std@@YA?AU?$_Smanip@H@1@H@Z
0x1027642c - ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ
0x10276430 - ?rend@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE?AV?$reverse_iterator@Viterator@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@2@XZ
0x10276434 - ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ
Library MSVCR71.dll:
0x1027643c - __CppXcptFilter
0x10276440 - _adjust_fdiv
0x10276444 - _initterm
0x10276448 - _onexit
0x1027644c - __dllonexit
0x10276450 - ?terminate@@YAXXZ
0x10276454 - __security_error_handler
0x10276458 - ??1type_info@@UAE@XZ
0x1027645c - _callnewh
0x10276460 - srand
0x10276464 - _CRT_RTC_INIT
0x10276468 - _time64
0x1027646c - sqrt
0x10276470 - localtime
0x10276474 - realloc
0x10276478 - _putenv
0x1027647c - time
0x10276480 - _mbsrchr
0x10276484 - strlen
0x10276488 - _CIpow
0x1027648c - rand
0x10276490 - atof
0x10276494 - sscanf
0x10276498 - _strlwr
0x1027649c - wcscmp
0x102764a0 - wcslen
0x102764a4 - wcsrchr
0x102764a8 - wcscpy
0x102764ac - _resetstkoflw
0x102764b0 - malloc
0x102764b4 - strrchr
0x102764b8 - _snprintf
0x102764bc - ??0exception@@QAE@ABQBD@Z
0x102764c0 - _atoi64
0x102764c4 - atol
0x102764c8 - _ui64toa
0x102764cc - _ultoa
0x102764d0 - sprintf
0x102764d4 - __RTDynamicCast
0x102764d8 - strncpy
0x102764dc - memcmp
0x102764e0 - memcpy
0x102764e4 - _purecall
0x102764e8 - ??_V@YAXPAX@Z
0x102764ec - ??0exception@@QAE@XZ
0x102764f0 - ??1exception@@UAE@XZ
0x102764f4 - memmove
0x102764f8 - ??0bad_cast@@QAE@PBD@Z
0x102764fc - ??1bad_cast@@UAE@XZ
0x10276500 - ??0bad_cast@@QAE@ABV0@@Z
0x10276504 - ??0exception@@QAE@ABV0@@Z
0x10276508 - _except_handler3
0x1027650c - memset
0x10276510 - _CxxThrowException
0x10276514 - free
0x10276518 - __CxxFrameHandler
0x1027651c - ??3@YAXPAX@Z
0x10276520 - abort
0x10276524 - wcsstr
0x10276528 - _vsnprintf
0x1027652c - vfprintf
0x10276530 - _iob
0x10276534 - qsort
0x10276538 - memchr
0x1027653c - _setmode
0x10276540 - fgets
0x10276544 - fprintf
0x10276548 - _fileno
0x1027654c - _itoa
0x10276550 - strcpy
0x10276554 - isspace
0x10276558 - fclose
0x1027655c - fread
0x10276560 - _strdate
0x10276564 - _strtime
0x10276568 - fgetc
0x1027656c - fopen
0x10276570 - isdigit
0x10276574 - isalpha
0x10276578 - tolower
0x1027657c - strstr
0x10276580 - toupper
0x10276584 - strchr
0x10276588 - atoi
0x1027658c - ?what@exception@@UBEPBDXZ
0x10276590 - _strnicmp
0x10276594 - strncmp
0x10276598 - ceil
0x1027659c - ?name@type_info@@QBEPBDXZ
0x102765a0 - __RTtypeid
0x102765a4 - fflush
0x102765a8 - fwrite
0x102765ac - fseek
0x102765b0 - strtok
0x102765b4 - strcmp
0x102765b8 - _mbsstr
0x102765bc - _mbsicmp
0x102765c0 - _mbsnbicmp
0x102765c4 - printf
0x102765c8 - ftell
Library VERSION.dll:
0x1027664c - VerQueryValueA
0x10276650 - GetFileVersionInfoSizeA
0x10276654 - GetFileVersionInfoW
0x10276658 - GetFileVersionInfoSizeW
0x1027665c - GetFileVersionInfoA
Library ATL71.DLL:
0x10276044 - None
0x10276048 - None
0x1027604c - None
0x10276050 - None
0x10276054 - None
Library PSAPI.DLL:
0x102765e4 - GetProcessMemoryInfo
Library zlib1.dll:
0x1027673c - inflate
0x10276740 - inflateInit_
0x10276744 - inflateInit2_
0x10276748 - inflateEnd
0x1027674c - gzclose
0x10276750 - gzwrite
0x10276754 - gzopen
0x10276758 - gzread
0x1027675c - compress2
0x10276760 - compressBound
0x10276764 - uncompress
0x10276768 - gzflush
Library MSWSOCK.dll:
0x102765d0 - AcceptEx
0x102765d4 - GetAcceptExSockaddrs
Library iphlpapi.dll:
0x10276700 - GetAdaptersInfo
0x10276704 - GetNetworkParams

Exports

Ordinal Address Name
2 0x100060a6 accelerate_task
3 0x100064cc add_peer_resource
4 0x1000619b add_server_resource
5 0x10005a54 asyn_stop_task
6 0x1000610c can_accelerate_task
7 0x10003cfc cancel_speed_limit
8 0x10006e1e create_continued_task
9 0x10006c46 create_new_task
10 0x10006b09 create_predownload_task
11 0x10006708 delete_task
12 0x10007781 delete_tempfile
13 0x10006551 discard_peer_resource
14 0x10008dac enable_file_upload
15 0x1000839f fix_pre_download_parameter
16 0x10008426 fix_task_parameter
17 0x10005976 force_stop_task
18 0x100041ef get_connector_parameter
19 0x10004580 get_current_upload_speed
20 0x10003973 get_default_listen_port
21 0x10002d5b get_download_dl_status
22 0x10002d3a get_download_lib
23 0x10006369 get_downloaded_blocks
24 0x10008a7f get_dspider_ctrl_flag
25 0x10004662 get_enrollsp1_info
26 0x10005e17 get_external_info
27 0x100082a6 get_failure_detail
28 0x10008bd0 get_file_name
29 0x10008e1e get_file_upload_speed_by_type
30 0x10004ebe get_filter_domins
31 0x10007400 get_final_filename
32 0x10004afe get_flow_rate_info
33 0x10004351 get_global_connection_limit
34 0x100078ab get_http_request_header
35 0x10007ae9 get_http_request_method
36 0x100089d1 get_last_modified
37 0x100038a6 get_listen_port
38 0x10006476 get_origin_dl_bytes
39 0x100082f9 get_origin_readbytes
40 0x10008faf get_origin_res_connect_state
41 0x1000411c get_peer_id
42 0x10007d11 get_post_data
43 0x10006632 get_res_save_data_stat
44 0x10008ffc get_res_searcher_state
45 0x10006adc get_resource_statistic
46 0x100047aa get_seal_detect_result
47 0x100065bb get_task_channel_data_partner
48 0x10008ede get_task_ext_from_hub
49 0x100087fa get_task_gcid
50 0x1000874a get_task_url
51 0x10008e7e get_upload_credit
52 0x100074fa get_url_str
53 0x10005460 hz_init
54 0x10005417 init
55 0x100033c3 is_enable_run
56 0x1000461a is_nated
57 0x100040d6 is_registered
58 0x10005c79 is_support_dispatch_strategy
59 0x10006ff6 is_support_schema
60 0x10005f4e is_task_download_module_failed
61 0x1000705b is_tempfile_exist
62 0x100046ab notify_change_dir_for_ids
63 0x1000470e notify_del_uncomp_task
64 0x1000714e notify_hub_deleted
65 0x100070c0 notify_hub_moved
66 0x100071bb parse_filename
67 0x100072b7 parse_url
68 0x10005b01 query_new_connect_info
69 0x100086a6 query_part_cid
70 0x10005b48 query_resource_info
71 0x10008129 query_task_info
1 0x1000823b query_task_info_ex
72 0x10008cec query_upload_file_array
73 0x10002f42 read_ie_proxy
74 0x10003a45 register_client
75 0x10003548 release_blocks_info
76 0x10008d4f release_upload_file_array
77 0x10003d5a report_crack
78 0x10003dad report_crack_cancel
79 0x10004bef report_file_to_phub
80 0x1000860f set_added_resource_count
81 0x1000904c set_addition_info
82 0x10004cab set_channel_switch
83 0x10005cf0 set_complete_file_name
84 0x10004281 set_connector_parameter
85 0x1000889d set_cookie
86 0x10004009 set_cur_language
87 0x10005ca0 set_dispatch_strategy
88 0x10005dac set_external_info
89 0x10008b71 set_file_name
90 0x10004db8 set_filter_domins
91 0x1009ace5 set_forbid_p2p_service
92 0x10004b89 set_generate_peerid_strategy
93 0x100043d6 set_global_connection_limit
94 0x100077e9 set_http_request_header
95 0x10007a33 set_http_request_method
96 0x10003dfb set_hub_proxy
97 0x10005bee set_iobuffer_size
98 0x10008975 set_last_modified
99 0x100037fa set_listen_port
100 0x1000485f set_partner_id
101 0x10002d58 set_plugin_id
102 0x10007c5b set_post_data
103 0x1009b6ce set_product_flag
104 0x10003a40 set_product_identifier
105 0x10005c05 set_proxy_info
106 0x10008b30 set_ref_send_strategy
107 0x10005f04 set_reference_source
108 0x100084fa set_report_strategy
109 0x10008544 set_res_query_cid
110 0x100085a3 set_res_query_cid_and_file_size
111 0x10008484 set_res_use_strategy
112 0x10005c4e set_retry_strategy
113 0x10003be4 set_speed_limit
114 0x100047f9 set_speed_limit_mode
115 0x10008343 set_stat_ref_url
116 0x10007e7a set_task_download_speed_limit
117 0x10008ca1 set_task_hub_type
118 0x10005f9f set_task_product_info
119 0x1000603e set_task_product_info_ex
120 0x10005cc3 set_task_type
121 0x10003418 set_temp_file_suffix
122 0x10008659 set_thread_num
123 0x10004962 set_thunderS_pingInfo
124 0x100f14ec set_thunder_version
125 0x10007f04 set_under_global_task_speed_limit
126 0x100044a9 set_upload_speed_limit
127 0x10008ac1 set_user_agent
128 0x100049eb set_user_id
129 0x10003a8e set_xl_file_system_bufsize
130 0x10003b39 set_xl_file_system_flush_bufsize
131 0x100080ed start_predownload_task
132 0x10005825 start_task
133 0x100058c9 stop_task
134 0x100048e8 thunderS_register_client
135 0x1000553f uninit
136 0x100076d9 update_datafile
137 0x10007324 url_info_to_str
138 0x10003d06 verify_proxy

Dropped files

No information

Behavior analysis

Mutexes
  • Local\MSCTF.Asm.MutexDefault1
Executed commands: no information
Created services: no information
Started services: no information

Processes

rundll32.exe PID: 1676, parent process PID: 1572

Files accessed
  • C:\Users\test\AppData\Local\Temp\download_engine.dll
  • C:\Users\test\AppData\Local\Temp\download_engine.dll.123.Manifest
  • C:\Users\test\AppData\Local\Temp\download_engine.dll.124.Manifest
  • C:\Users\test\AppData\Local\Temp\download_engine.dll.2.Manifest
  • C:\Windows\SysWOW64\rundll32.exe
  • C:\Users\test\AppData\Local\Temp\MSVCP71.dll
  • C:\Windows\System32\MSVCP71.dll
  • C:\Windows\system\MSVCP71.dll
  • C:\Windows\MSVCP71.dll
  • C:\Windows\System32\wbem\MSVCP71.dll
  • C:\Windows\System32\WindowsPowerShell\v1.0\MSVCP71.dll
  • C:\Windows\SysWOW64\zh-CN\KERNELBASE.dll.mui
  • C:\Windows\Fonts\staticcache.dat
  • \Device\KsecDD
  • C:\Windows\Globalization\Sorting\sortdefault.nls
Files read
  • C:\Users\test\AppData\Local\Temp\download_engine.dll
  • C:\Users\test\AppData\Local\Temp\download_engine.dll.123.Manifest
  • C:\Users\test\AppData\Local\Temp\download_engine.dll.124.Manifest
  • C:\Users\test\AppData\Local\Temp\download_engine.dll.2.Manifest
  • C:\Windows\SysWOW64\rundll32.exe
  • C:\Windows\SysWOW64\zh-CN\KERNELBASE.dll.mui
  • C:\Windows\Fonts\staticcache.dat
  • \Device\KsecDD
  • C:\Windows\Globalization\Sorting\sortdefault.nls
Files modified: no information
Files deleted: no information
Registry keys
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\WMR
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\微软雅黑
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\rundll32.exe
  • HKEY_LOCAL_MACHINE\Software\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{03B5835F-F03C-411B-9CE2-AA23E1171E36}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{07EB03D6-B001-41DF-9192-BF9B841EE71F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3697C5FA-60DD-4B56-92D4-74A569205C16}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3FC47A08-E5C9-4BCA-A2C7-BC9A282AED14}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{531FDEBF-9B4C-4A43-A2AA-960E8FCDC732}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{78CB5B0E-26ED-4FCC-854C-77E8F3D1AA80}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{81D4E9C9-1D3B-41BC-9E6C-4B40BF79E35E}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{8613E14C-D0C0-4161-AC0F-1DD2563286BC}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{A028AE76-01B1-46C2-99C4-ACD9858AE02F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{AE6BE008-07FB-400D-8BEB-337A64F7051F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{C1EE01F2-B3B6-4A6A-9DDD-E988C088EC82}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{E429B25A-E5D3-4D1F-9BE3-0C608477E3A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F25E9F57-2FC8-4EB3-A41A-CCE5F08541E6}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F89E9E58-BD2F-4008-9AC2-0F816C09F4EE}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{FA445657-9379-11D6-B41A-00065B83EE53}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_CURRENT_USER
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
  • HKEY_CURRENT_USER\Software\Microsoft\CTF\DirectSwitchHotkeys
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
Registry keys read
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
Registry keys modified: no information
Registry keys deleted: no information
Resolved APIs
  • gdi32.dll.GetLayout
  • gdi32.dll.GdiRealizationInfo
  • gdi32.dll.FontIsLinked
  • advapi32.dll.RegOpenKeyExW
  • advapi32.dll.RegQueryInfoKeyW
  • gdi32.dll.GetTextFaceAliasW
  • advapi32.dll.RegEnumValueW
  • advapi32.dll.RegCloseKey
  • advapi32.dll.RegQueryValueExW
  • advapi32.dll.RegQueryValueExA
  • advapi32.dll.RegEnumKeyExW
  • uxtheme.dll.ThemeInitApiHook
  • user32.dll.IsProcessDPIAware
  • dwmapi.dll.DwmIsCompositionEnabled
  • gdi32.dll.GdiIsMetaPrintDC
  • ole32.dll.CoInitializeEx
  • ole32.dll.CoUninitialize
  • cryptbase.dll.SystemFunction036
  • ole32.dll.CoRegisterInitializeSpy
  • ole32.dll.CoRevokeInitializeSpy
  • kernel32.dll.SortGetHandle
  • kernel32.dll.SortCloseHandle