Maldun Security Analysis Report

Analysis type: FILE
Start time: 2019-01-22 03:04:54
End time: 2019-01-22 03:07:24
Duration: 150 seconds
Analysis engine version: 1.4-Maldun

VM name: win7-sp1-x64-hpdapp01-1
Label: win7-sp1-x64-hpdapp01-1
VM manager: KVM
Boot time: 2019-01-22 03:04:59
Shutdown time: 2019-01-22 03:07:26
Maldun score

3.4

Suspicious

File details

File name 暴风压力测试.exe
File size 1486848 bytes
File type PE32 executable (GUI) Intel 80386, for MS Windows
CRC32 214CE085
MD5 48c25d7bb26162ab8e70ca4ebf69ded7
SHA1 bafde001944470ad4d8898f688be78d4f9b20108
SHA256 0914208ae470394177520817ab085e3bba82f1d8f2e35108b95d867cfc83ba8a
SHA512 9fba16a82062f12093294391b2b59b9b52001998aa9c38b23221be59ca25e57dd6ff389564b31d39f1480c4a792c6c1afef1dbf298d84adf2a576e5fc1f48c34
Ssdeep 24576:HRPuJu19+9BN+8qQh9eEj9vv8tBMk8+sz:UU19ABE85h9eEjGMk
PEiD: No match
Yara
  • IsPE32 (Detected 32bit PE signature)
  • IsWindowsGUI ()
  • HasRichSignature (Detected Rich Signature)
  • create_process (Create a new process)
  • network_tcp_listen (Listen for incoming communication)
  • network_tcp_socket (Communications over RAW socket)
  • screenshot (Detected take screenshot function)
  • win_private_profile (Affect private profile)
  • Maldun_Anomoly_Combined_Activities_7 (Detects malicious behaviors from a small size app)
  • without_attachments (Detected no presence of any attachment)
  • without_images (Detected no presence of any image)
  • with_urls (Detected the presence of an or several urls)
VirusTotal: No scan results for this file

Signatures

Starts a system listener on 0.0.0.0:0
Maldun Security Yara rule detection results - security alerts
Informational: Detected Rich Signature
Informational: Create a new process
Warning: Listen for incoming communication
Warning: Communications over RAW socket
Warning: Detected take screenshot function
Critical: Detects malicious behaviors from a small size app
Informational: Detected no presence of any attachment
Informational: Detected no presence of any image
Informational: Detected the presence of an or several urls

Runtime screenshots

Network analysis

No information

Static analysis

PE information

Image base 0x00400000
Entry point 0x0040f6bf
Declared checksum 0x00000000
Actual checksum 0x00178f44
Minimum OS version required 4.0
Compile time 2015-01-28 17:43:42
Import hash c4ef31e92ea9020cc1b01ad1c92b3d88

Version information

LegalCopyright: 版权所有 (C) 2009 - 2012
InternalName: Storm DDOS Client
FileVersion: 6, 5, 4, 1
CompanyName:
PrivateBuild:
LegalTrademarks:
Comments:
ProductName: Storm DDOS Client
SpecialBuild:
ProductVersion: 6, 5, 4, 1
FileDescription: Storm DDOS Client
OriginalFilename: 客户端.EXE
Translation: 0x0804 0x04b0

PE sections

Name Virtual address Virtual size Raw data size Characteristics Entropy
.text 0x00001000 0x000103f2 0x00011000 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 5.87
.rdata 0x00012000 0x00004fb0 0x00005000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 4.62
.data 0x00017000 0x00001584 0x00002000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 3.90
.rsrc 0x00019000 0x001510e8 0x00152000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 5.50

Imports

Library MFC42.DLL:
Library MSVCRT.dll:
0x412418 - _except_handler3
0x41241c - __set_app_type
0x412420 - __p__fmode
0x412424 - __p__commode
0x412428 - _adjust_fdiv
0x41242c - __setusermatherr
0x412430 - _initterm
0x412434 - __getmainargs
0x412438 - _acmdln
0x41243c - _XcptFilter
0x412440 - _exit
0x412444 - _setmbcp
0x412448 - __CxxFrameHandler
0x41244c - rand
0x412450 - srand
0x412454 - time
0x412458 - free
0x41245c - malloc
0x412460 - atoi
0x412464 - _CxxThrowException
0x412468 - exit
0x41246c - _mbscmp
0x412470 - sscanf
0x412474 - strncpy
0x412478 - strcspn
0x41247c - strstr
0x412480 - sprintf
0x412484 - ??1type_info@@UAE@XZ
0x412488 - __dllonexit
0x41248c - _onexit
0x412490 - _controlfp
Library KERNEL32.dll:
0x412048 - FreeLibrary
0x41204c - GetProcAddress
0x412050 - LoadLibraryA
0x412054 - CreateThread
0x412058 - GetCurrentProcess
0x41205c - GetModuleHandleA
0x412060 - GetStartupInfoA
0x412064 - GetSystemInfo
0x412068 - GetCurrentDirectoryA
0x41206c - GetPrivateProfileIntA
0x412070 - GetPrivateProfileStringA
0x412074 - WritePrivateProfileStringA
0x412078 - LeaveCriticalSection
0x41207c - EnterCriticalSection
0x412080 - GlobalFree
0x412084 - GetQueuedCompletionStatus
0x412088 - CreateIoCompletionPort
0x41208c - GlobalAlloc
0x412090 - GetLastError
0x412094 - InitializeCriticalSection
0x412098 - DeleteCriticalSection
0x41209c - WaitForSingleObject
0x4120a0 - CloseHandle
0x4120a4 - SetPriorityClass
0x4120a8 - PostQueuedCompletionStatus
0x4120ac - TerminateThread
Library USER32.dll:
0x4124a0 - CopyRect
0x4124a4 - IsChild
0x4124a8 - LoadStringA
0x4124ac - GetDlgCtrlID
0x4124b0 - SystemParametersInfoA
0x4124b4 - GetSystemMetrics
0x4124b8 - OffsetRect
0x4124bc - ChildWindowFromPointEx
0x4124c0 - WindowFromPoint
0x4124c4 - ClientToScreen
0x4124c8 - DrawIconEx
0x4124cc - InflateRect
0x4124d0 - SetWindowRgn
0x4124d4 - ReleaseDC
0x4124d8 - GetDC
0x4124dc - GetCursorPos
0x4124e0 - GetIconInfo
0x4124e4 - AppendMenuA
0x4124e8 - GetSystemMenu
0x4124ec - GetWindowRect
0x4124f0 - IsIconic
0x4124f4 - GetWindow
0x4124f8 - ScreenToClient
0x4124fc - KillTimer
0x412500 - SetTimer
0x412504 - GetSysColor
0x412508 - FillRect
0x41250c - IsWindow
0x412510 - LoadIconA
0x412514 - GetParent
0x412518 - LoadCursorA
0x41251c - SetCursor
0x412520 - SetWindowLongA
0x412524 - GetClientRect
0x412528 - PtInRect
0x41252c - SetCapture
0x412530 - InvalidateRect
0x412534 - ReleaseCapture
0x412538 - DrawIcon
0x41253c - SetFocus
0x412540 - SendMessageA
0x412544 - EnableWindow
0x412548 - wsprintfA
0x41254c - RedrawWindow
Library GDI32.dll:
0x412008 - CreatePolygonRgn
0x41200c - CreateRectRgn
0x412010 - CombineRgn
0x412014 - FillRgn
0x412018 - FrameRgn
0x41201c - DeleteObject
0x412020 - CreateSolidBrush
0x412024 - Rectangle
0x412028 - GetTextMetricsA
0x41202c - GetTextExtentPoint32A
0x412030 - Polygon
0x412034 - GetObjectA
0x412038 - CreateFontIndirectA
0x41203c - GetStockObject
0x412040 - CreateRoundRectRgn
Library SHELL32.dll:
0x412498 - ShellExecuteA
Library COMCTL32.dll:
0x412000 - ImageList_ReplaceIcon
Library WS2_32.dll:
0x412554 - getpeername
0x412558 - WSAIoctl
0x41255c - setsockopt
0x412560 - WSAAccept
0x412564 - WSASend
0x412568 - shutdown
0x41256c - WSACleanup
0x412570 - listen
0x412574 - bind
0x412578 - htons
0x41257c - htonl
0x412580 - WSASocketA
0x412584 - inet_ntoa
0x412588 - gethostbyname
0x41258c - gethostname
0x412590 - WSAGetLastError
0x412594 - WSAStartup
0x412598 - closesocket
0x41259c - WSARecv

Dropped files

No information

Behavioral analysis

Mutexes: No information
Commands executed: No information
Services created: No information
Services started: No information

Processes

__________________.exe PID: 2452, parent process PID: 2300

Files accessed
  • C:\Windows\Globalization\Sorting\sortdefault.nls
  • C:\Windows\Fonts\staticcache.dat
  • C:\Users\test\AppData\Local\Temp\Setting.ini
Files read
  • C:\Windows\Globalization\Sorting\sortdefault.nls
  • C:\Windows\Fonts\staticcache.dat
  • C:\Users\test\AppData\Local\Temp\Setting.ini
Files modified: No information
Files deleted: No information
Registry keys
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane2
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane3
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane4
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane5
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane6
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane7
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane8
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane9
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane10
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane11
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane12
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane13
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane14
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane15
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane16
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\FontSubstitutes
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\宋体
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\__________________.exe
  • HKEY_CURRENT_USER
  • HKEY_CURRENT_USER\Control Panel\Desktop
  • HKEY_CURRENT_USER\Control Panel\Desktop\SmoothScroll
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\EnableBalloonTips
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ListviewAlphaSelect
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ListviewShadow
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\AccListViewV6
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\UseDoubleClickTimer
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\ExtendedLocale
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
Registry keys read
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane2
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane3
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane4
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane5
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane6
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane7
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane8
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane9
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane10
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane11
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane12
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane13
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane14
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane15
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane16
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\宋体
  • HKEY_CURRENT_USER\Control Panel\Desktop\SmoothScroll
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\EnableBalloonTips
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ListviewAlphaSelect
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ListviewShadow
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\AccListViewV6
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\UseDoubleClickTimer
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
Registry keys modified: No information
Registry keys deleted: No information
APIs resolved
  • comctl32.dll.InitCommonControlsEx
  • kernel32.dll.SortGetHandle
  • kernel32.dll.SortCloseHandle
  • gdi32.dll.GetLayout
  • gdi32.dll.GdiRealizationInfo
  • gdi32.dll.FontIsLinked
  • advapi32.dll.RegOpenKeyExW
  • advapi32.dll.RegQueryInfoKeyW
  • gdi32.dll.GetTextFaceAliasW
  • advapi32.dll.RegEnumValueW
  • advapi32.dll.RegCloseKey
  • advapi32.dll.RegQueryValueExW
  • advapi32.dll.RegQueryValueExA
  • advapi32.dll.RegEnumKeyExW
  • gdi32.dll.GetTextExtentExPointWPri
  • uxtheme.dll.OpenThemeData
  • imm32.dll.ImmAssociateContext
  • comctl32.dll.RegisterClassNameW
  • uxtheme.dll.EnableThemeDialogTexture
  • imm32.dll.ImmIsIME
  • comctl32.dll.ImageList_Create
  • user32.dll.GetSystemMetrics
  • user32.dll.MonitorFromWindow
  • user32.dll.MonitorFromRect
  • user32.dll.MonitorFromPoint
  • user32.dll.EnumDisplayMonitors
  • user32.dll.GetMonitorInfoA
  • user32.dll.EnumDisplayDevicesA