魔盾安全分析报告

分析类型	开始时间	结束时间	持续时间	分析引擎版本
FILE	2019-04-23 01:11:03	2019-04-23 01:11:54	51 秒	1.4-Maldun

虚拟机机器名	标签	虚拟机管理	开机时间	关机时间
win7-sp1-x64-hpdapp01-1	win7-sp1-x64-hpdapp01-1	KVM	2019-04-23 01:11:16	2019-04-23 01:11:56

魔盾分数
8.15 恶意的

文件详细信息

文件名	V2Panda.exe
文件大小	6889472 字节
文件类型	PE32 executable (GUI) Intel 80386, for MS Windows
CRC32	56E4755A
MD5	b40d9644c071e182a08b82e2831d2376
SHA1	7cf32b2b7f4874a3e32254140d9af8f19ba279eb
SHA256	6f832148e354a5f65431614c9e2ed08a83871f110fd5df4c989516dd42ef5d9b
SHA512	444214a3f5bd032157b0af03a613598c4c256644068b9cb7f0767a3801af13a5a97464622e972b8a5936aef099636f6b1ae03fbb282b69f896c9c952d9d56a96
Ssdeep	98304:roXYIjSnL4Az7yINVy+AU8euOuNHDc74riuGVOEA009mz+SAp8oRrxaQHyBC4YoM:8UfLC+AjOuhEtuGX4tgQSglZ4k
PEiD	无匹配
Yara	IsPE32 (Detected 32bit PE signature) IsWindowsGUI () IsPacked (Detected Entropy signature) HasRichSignature (Detected Rich Signature) DebuggerTiming__PerformanceCounter () DebuggerTiming__Ticks () anti_dbg (Checks if being debugged) antisb_sandboxie (Anti-Sandbox checks for Sandboxie) create_process (Create a new process) network_http (Communications over HTTP) network_tcp_socket (Communications over RAW socket) screenshot (Detected take screenshot function) keylogger (Run a keylogger) spreading_file (Malware can spread east-west file) win_mutex (Create or check mutex) win_registry (Affect system registries) change_win_registry (Change registries to affect system) win_token (Affect system token) win_private_profile (Affect private profile) win_files_operation (Affect private profile) win_hook (Affect hook table) Maldun_Anomoly_Combined_Activities_2 (Detects abnormal behaviors and together with network communications) Maldun_Anomoly_Combined_Activities_5 (Detects mallicious behaviors) Maldun_Anomoly_Combined_Activities_7 (Detects malicious behaviors from a small size app) without_attachments (Detected no presence of any attachment) possible_includes_base64_packed_functions () maldoc_getEIP_method_1 () with_images (Detected the presence of an or several images) with_urls (Detected the presence of an or several urls) Big_Numbers1 (Looks for big numbers 32:sized) CRC32_poly_Constant (Look for CRC32 [poly]) CRC32_table (Look for CRC32 table) MD5_Constants (Look for MD5 constants) RIPEMD160_Constants (Look for RIPEMD-160 constants) SHA1_Constants (Look for SHA1 constants) BASE64_table (Look for Base64 table) Code_Random (Look for Random function) Maldun_Abnormal_Hash_alg (Detects program has the encryption or decription logic)
VirusTotal	无此文件扫描结果

特征

二进制文件可能包含加密或压缩数据

section: name: .rdata, entropy: 6.86, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ, raw_size: 0x0007e000, virtual_size: 0x0007d2d2

section: name: .GERDGBJ, entropy: 7.83, characteristics: IMAGE_SCN_CNT_CODE|IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ, raw_size: 0x00354000, virtual_size: 0x00353346

section: name: .GERDGBJ, entropy: 7.72, characteristics: IMAGE_SCN_CNT_CODE|IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ, raw_size: 0x001f2000, virtual_size: 0x001f1800

异常的二进制特征

anomaly: Found duplicated section names

魔盾安全Yara规则检测结果 - 高危

Informational: Detected Entropy signature

Informational: Detected Rich Signature

Warning: Create a new process

Warning: Communications over HTTP

Warning: Communications over RAW socket

Warning: Detected take screenshot function

Warning: Run a keylogger

Warning: Malware can spread east-west file

Warning: Affect system registries

Warning: Affect system token

Warning: Affect private profile

Warning: Affect hook table

Critical: Detects abnormal behaviors and together with network communications

Critical: Detects mallicious behaviors

Critical: Detects malicious behaviors from a small size app

Informational: Detected no presence of any attachment

Warning: possible_includes_base64_packed_functions

Critical: maldoc_getEIP_method_1

Informational: Detected the presence of an or several images

Informational: Detected the presence of an or several urls

Informational: Looks for big numbers 32:sized

Informational: Look for CRC32 [poly]

Informational: Look for CRC32 table

Informational: Look for MD5 constants

Informational: Look for RIPEMD-160 constants

Informational: Look for SHA1 constants

Informational: Look for Base64 table

Informational: Look for Random function

Warning: Detects program has the encryption or decription logic

运行截图

无运行截图

网络分析

无信息

静态分析

PE 信息

初始地址	0x00400000
入口地址	0x0099db95
声明校验值	0x00000000
实际校验值	0x00696094
最低操作系统版本要求	5.0
编译时间	2019-04-23 01:07:53
载入哈希	6ff280506440edf12bb262ad35d6e01f

PE数据组成

名称	虚拟地址	虚拟大小	原始数据大小	特征	熵(Entropy)
.text	0x00001000	0x000a9e9a	0x000aa000	IMAGE_SCN_CNT_CODE\|IMAGE_SCN_MEM_EXECUTE\|IMAGE_SCN_MEM_READ	6.59
.rdata	0x000ab000	0x0007d2d2	0x0007e000	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ	6.86
.data	0x00129000	0x0003712a	0x00012000	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ\|IMAGE_SCN_MEM_WRITE	5.06
.GERDGBJ	0x00161000	0x00353346	0x00354000	IMAGE_SCN_CNT_CODE\|IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_EXECUTE\|IMAGE_SCN_MEM_READ	7.83
.GERDGBJ	0x004b5000	0x001f1800	0x001f2000	IMAGE_SCN_CNT_CODE\|IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_EXECUTE\|IMAGE_SCN_MEM_READ	7.72
.rsrc	0x006a7000	0x00010028	0x00011000	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ	4.16

导入

库 SHLWAPI.dll:

• 0x8f7000 - SHDeleteKeyA

• 0x8f7004 - SHDeleteValueA

库 WINMM.dll:

• 0x8f700c - waveOutUnprepareHeader

• 0x8f7010 - waveOutPrepareHeader

• 0x8f7014 - waveOutWrite

• 0x8f7018 - waveOutPause

• 0x8f701c - waveOutReset

• 0x8f7020 - waveOutClose

• 0x8f7024 - waveOutGetNumDevs

• 0x8f7028 - waveOutOpen

• 0x8f702c - midiOutPrepareHeader

• 0x8f7030 - midiStreamOut

• 0x8f7034 - midiStreamStop

• 0x8f7038 - midiOutReset

• 0x8f703c - midiStreamClose

• 0x8f7040 - midiStreamRestart

• 0x8f7044 - midiOutUnprepareHeader

• 0x8f7048 - midiStreamOpen

• 0x8f704c - midiStreamProperty

库 WS2_32.dll:

• 0x8f7054 - WSACleanup

• 0x8f7058 - WSAStartup

• 0x8f705c - gethostbyname

• 0x8f7060 - closesocket

• 0x8f7064 - getpeername

• 0x8f7068 - WSAAsyncSelect

• 0x8f706c - recvfrom

• 0x8f7070 - ioctlsocket

• 0x8f7074 - inet_ntoa

• 0x8f7078 - recv

• 0x8f707c - accept

库 KERNEL32.dll:

• 0x8f7084 - SetFilePointer

• 0x8f7088 - GetFileSize

• 0x8f708c - TerminateProcess

• 0x8f7090 - SetLastError

• 0x8f7094 - GetTimeZoneInformation

• 0x8f7098 - GetACP

• 0x8f709c - HeapSize

• 0x8f70a0 - RaiseException

• 0x8f70a4 - GetLocalTime

• 0x8f70a8 - GetSystemTime

• 0x8f70ac - RtlUnwind

• 0x8f70b0 - GetStartupInfoA

• 0x8f70b4 - GetOEMCP

• 0x8f70b8 - GetCPInfo

• 0x8f70bc - GetProcessVersion

• 0x8f70c0 - SetErrorMode

• 0x8f70c4 - GlobalFlags

• 0x8f70c8 - GetCurrentThread

• 0x8f70cc - GetFileTime

• 0x8f70d0 - TlsGetValue

• 0x8f70d4 - LocalReAlloc

• 0x8f70d8 - TlsSetValue

• 0x8f70dc - TlsFree

• 0x8f70e0 - GlobalHandle

• 0x8f70e4 - TlsAlloc

• 0x8f70e8 - LocalAlloc

• 0x8f70ec - lstrcmpA

• 0x8f70f0 - GlobalGetAtomNameA

• 0x8f70f4 - GlobalAddAtomA

• 0x8f70f8 - GlobalFindAtomA

• 0x8f70fc - GlobalDeleteAtom

• 0x8f7100 - lstrcmpiA

• 0x8f7104 - SetEndOfFile

• 0x8f7108 - UnlockFile

• 0x8f710c - LockFile

• 0x8f7110 - FlushFileBuffers

• 0x8f7114 - DuplicateHandle

• 0x8f7118 - lstrcpynA

• 0x8f711c - FileTimeToLocalFileTime

• 0x8f7120 - FileTimeToSystemTime

• 0x8f7124 - LocalFree

• 0x8f7128 - InterlockedDecrement

• 0x8f712c - InterlockedIncrement

• 0x8f7130 - WideCharToMultiByte

• 0x8f7134 - MultiByteToWideChar

• 0x8f7138 - GetCurrentProcess

• 0x8f713c - GetWindowsDirectoryA

• 0x8f7140 - CreateSemaphoreA

• 0x8f7144 - ResumeThread

• 0x8f7148 - ReleaseSemaphore

• 0x8f714c - EnterCriticalSection

• 0x8f7150 - LeaveCriticalSection

• 0x8f7154 - GetProfileStringA

• 0x8f7158 - WriteFile

• 0x8f715c - ReadFile

• 0x8f7160 - WaitForMultipleObjects

• 0x8f7164 - CreateFileA

• 0x8f7168 - SetEvent

• 0x8f716c - FindResourceA

• 0x8f7170 - LoadResource

• 0x8f7174 - LockResource

• 0x8f7178 - lstrlenW

• 0x8f717c - RemoveDirectoryA

• 0x8f7180 - GetModuleFileNameA

• 0x8f7184 - GetCurrentThreadId

• 0x8f7188 - ExitProcess

• 0x8f718c - GlobalSize

• 0x8f7190 - GlobalFree

• 0x8f7194 - DeleteCriticalSection

• 0x8f7198 - InitializeCriticalSection

• 0x8f719c - lstrcatA

• 0x8f71a0 - lstrlenA

• 0x8f71a4 - WinExec

• 0x8f71a8 - lstrcpyA

• 0x8f71ac - FindNextFileA

• 0x8f71b0 - GetDriveTypeA

• 0x8f71b4 - GlobalReAlloc

• 0x8f71b8 - HeapFree

• 0x8f71bc - HeapReAlloc

• 0x8f71c0 - GetProcessHeap

• 0x8f71c4 - InterlockedExchange

• 0x8f71c8 - HeapAlloc

• 0x8f71cc - GetUserDefaultLCID

• 0x8f71d0 - GetFullPathNameA

• 0x8f71d4 - FreeLibrary

• 0x8f71d8 - LoadLibraryA

• 0x8f71dc - GetLastError

• 0x8f71e0 - GetVersionExA

• 0x8f71e4 - WritePrivateProfileStringA

• 0x8f71e8 - CreateThread

• 0x8f71ec - CreateEventA

• 0x8f71f0 - Sleep

• 0x8f71f4 - ExpandEnvironmentStringsA

• 0x8f71f8 - GlobalAlloc

• 0x8f71fc - GlobalLock

• 0x8f7200 - GlobalUnlock

• 0x8f7204 - GetTempPathA

• 0x8f7208 - FindFirstFileA

• 0x8f720c - FindClose

• 0x8f7210 - SetFileAttributesA

• 0x8f7214 - GetFileAttributesA

• 0x8f7218 - DeleteFileA

• 0x8f721c - GetCurrentDirectoryA

• 0x8f7220 - SetCurrentDirectoryA

• 0x8f7224 - GetVolumeInformationA

• 0x8f7228 - GetModuleHandleA

• 0x8f722c - GetProcAddress

• 0x8f7230 - MulDiv

• 0x8f7234 - GetCommandLineA

• 0x8f7238 - GetTickCount

• 0x8f723c - CreateProcessA

• 0x8f7240 - WaitForSingleObject

• 0x8f7244 - CloseHandle

• 0x8f7248 - UnhandledExceptionFilter

• 0x8f724c - FreeEnvironmentStringsA

• 0x8f7250 - FreeEnvironmentStringsW

• 0x8f7254 - GetEnvironmentStrings

• 0x8f7258 - GetEnvironmentStringsW

• 0x8f725c - SetHandleCount

• 0x8f7260 - GetStdHandle

• 0x8f7264 - GetFileType

• 0x8f7268 - GetEnvironmentVariableA

• 0x8f726c - HeapDestroy

• 0x8f7270 - HeapCreate

• 0x8f7274 - VirtualFree

• 0x8f7278 - SetEnvironmentVariableA

• 0x8f727c - LCMapStringA

• 0x8f7280 - LCMapStringW

• 0x8f7284 - VirtualAlloc

• 0x8f7288 - IsBadWritePtr

• 0x8f728c - SetUnhandledExceptionFilter

• 0x8f7290 - GetStringTypeA

• 0x8f7294 - GetStringTypeW

• 0x8f7298 - CompareStringA

• 0x8f729c - CompareStringW

• 0x8f72a0 - IsBadReadPtr

• 0x8f72a4 - IsBadCodePtr

• 0x8f72a8 - SetStdHandle

• 0x8f72ac - GetVersion

库 USER32.dll:

• 0x8f72b4 - SetWindowRgn

• 0x8f72b8 - DestroyAcceleratorTable

• 0x8f72bc - GetWindow

• 0x8f72c0 - GetActiveWindow

• 0x8f72c4 - SetFocus

• 0x8f72c8 - IsIconic

• 0x8f72cc - PeekMessageA

• 0x8f72d0 - SetMenu

• 0x8f72d4 - GetMenu

• 0x8f72d8 - GetMessagePos

• 0x8f72dc - ScreenToClient

• 0x8f72e0 - ChildWindowFromPointEx

• 0x8f72e4 - CopyRect

• 0x8f72e8 - LoadBitmapA

• 0x8f72ec - GetSysColorBrush

• 0x8f72f0 - GetKeyState

• 0x8f72f4 - DefWindowProcA

• 0x8f72f8 - GetClassInfoA

• 0x8f72fc - LoadImageA

• 0x8f7300 - EnumDisplaySettingsA

• 0x8f7304 - ClientToScreen

• 0x8f7308 - EnableMenuItem

• 0x8f730c - GetSubMenu

• 0x8f7310 - GetDlgCtrlID

• 0x8f7314 - IsZoomed

• 0x8f7318 - PostQuitMessage

• 0x8f731c - CopyAcceleratorTableA

• 0x8f7320 - TranslateAcceleratorA

• 0x8f7324 - IsWindowEnabled

• 0x8f7328 - ShowWindow

• 0x8f732c - SystemParametersInfoA

• 0x8f7330 - CreateAcceleratorTableA

• 0x8f7334 - CreateMenu

• 0x8f7338 - ModifyMenuA

• 0x8f733c - AppendMenuA

• 0x8f7340 - WinHelpA

• 0x8f7344 - KillTimer

• 0x8f7348 - SetTimer

• 0x8f734c - ReleaseCapture

• 0x8f7350 - GetCapture

• 0x8f7354 - SetCapture

• 0x8f7358 - GetScrollRange

• 0x8f735c - SetScrollRange

• 0x8f7360 - SetScrollPos

• 0x8f7364 - SetRect

• 0x8f7368 - InflateRect

• 0x8f736c - IntersectRect

• 0x8f7370 - LoadStringA

• 0x8f7374 - GetMenuCheckMarkDimensions

• 0x8f7378 - GetMenuState

• 0x8f737c - DestroyIcon

• 0x8f7380 - PtInRect

• 0x8f7384 - OffsetRect

• 0x8f7388 - IsWindowVisible

• 0x8f738c - EnableWindow

• 0x8f7390 - RedrawWindow

• 0x8f7394 - GetWindowLongA

• 0x8f7398 - SetWindowLongA

• 0x8f739c - GetSysColor

• 0x8f73a0 - SetActiveWindow

• 0x8f73a4 - SetCursorPos

• 0x8f73a8 - LoadCursorA

• 0x8f73ac - SetCursor

• 0x8f73b0 - GetDC

• 0x8f73b4 - FillRect

• 0x8f73b8 - IsRectEmpty

• 0x8f73bc - ReleaseDC

• 0x8f73c0 - IsChild

• 0x8f73c4 - DestroyMenu

• 0x8f73c8 - SetForegroundWindow

• 0x8f73cc - GetWindowRect

• 0x8f73d0 - EqualRect

• 0x8f73d4 - UpdateWindow

• 0x8f73d8 - ValidateRect

• 0x8f73dc - InvalidateRect

• 0x8f73e0 - GetClientRect

• 0x8f73e4 - GetFocus

• 0x8f73e8 - GetParent

• 0x8f73ec - GetTopWindow

• 0x8f73f0 - PostMessageA

• 0x8f73f4 - IsWindow

• 0x8f73f8 - SetParent

• 0x8f73fc - DestroyCursor

• 0x8f7400 - SendMessageA

• 0x8f7404 - SetWindowPos

• 0x8f7408 - MessageBoxA

• 0x8f740c - GetCursorPos

• 0x8f7410 - GetSystemMetrics

• 0x8f7414 - EmptyClipboard

• 0x8f7418 - SetClipboardData

• 0x8f741c - OpenClipboard

• 0x8f7420 - GetClipboardData

• 0x8f7424 - CloseClipboard

• 0x8f7428 - wsprintfA

• 0x8f742c - WaitForInputIdle

• 0x8f7430 - CreatePopupMenu

• 0x8f7434 - DrawIconEx

• 0x8f7438 - CreateIconFromResource

• 0x8f743c - RegisterClipboardFormatA

• 0x8f7440 - SetRectEmpty

• 0x8f7444 - DispatchMessageA

• 0x8f7448 - GetMessageA

• 0x8f744c - WindowFromPoint

• 0x8f7450 - DrawFocusRect

• 0x8f7454 - DrawEdge

• 0x8f7458 - DrawFrameControl

• 0x8f745c - LoadIconA

• 0x8f7460 - TranslateMessage

• 0x8f7464 - GetForegroundWindow

• 0x8f7468 - GetDesktopWindow

• 0x8f746c - GetClassNameA

• 0x8f7470 - GetDlgItem

• 0x8f7474 - GetWindowTextA

• 0x8f7478 - UnregisterClassA

• 0x8f747c - CreateIconFromResourceEx

• 0x8f7480 - GetWindowTextLengthA

• 0x8f7484 - CharUpperA

• 0x8f7488 - GetWindowDC

• 0x8f748c - BeginPaint

• 0x8f7490 - EndPaint

• 0x8f7494 - TabbedTextOutA

• 0x8f7498 - DrawTextA

• 0x8f749c - GrayStringA

• 0x8f74a0 - DestroyWindow

• 0x8f74a4 - CreateDialogIndirectParamA

• 0x8f74a8 - EndDialog

• 0x8f74ac - GetNextDlgTabItem

• 0x8f74b0 - GetWindowPlacement

• 0x8f74b4 - RegisterWindowMessageA

• 0x8f74b8 - GetLastActivePopup

• 0x8f74bc - GetMessageTime

• 0x8f74c0 - RemovePropA

• 0x8f74c4 - CallWindowProcA

• 0x8f74c8 - GetPropA

• 0x8f74cc - UnhookWindowsHookEx

• 0x8f74d0 - SetPropA

• 0x8f74d4 - GetClassLongA

• 0x8f74d8 - CallNextHookEx

• 0x8f74dc - SetWindowsHookExA

• 0x8f74e0 - CreateWindowExA

• 0x8f74e4 - GetMenuItemID

• 0x8f74e8 - GetMenuItemCount

• 0x8f74ec - RegisterClassA

• 0x8f74f0 - GetScrollPos

• 0x8f74f4 - AdjustWindowRectEx

• 0x8f74f8 - MapWindowPoints

• 0x8f74fc - SendDlgItemMessageA

• 0x8f7500 - ScrollWindowEx

• 0x8f7504 - IsDialogMessageA

• 0x8f7508 - SetWindowTextA

• 0x8f750c - MoveWindow

• 0x8f7510 - CheckMenuItem

• 0x8f7514 - SetMenuItemBitmaps

库 GDI32.dll:

• 0x8f751c - Escape

• 0x8f7520 - ExtTextOutA

• 0x8f7524 - TextOutA

• 0x8f7528 - RectVisible

• 0x8f752c - PtVisible

• 0x8f7530 - GetViewportExtEx

• 0x8f7534 - ExtSelectClipRgn

• 0x8f7538 - LineTo

• 0x8f753c - MoveToEx

• 0x8f7540 - BitBlt

• 0x8f7544 - CreateCompatibleDC

• 0x8f7548 - Ellipse

• 0x8f754c - Rectangle

• 0x8f7550 - LPtoDP

• 0x8f7554 - DPtoLP

• 0x8f7558 - GetCurrentObject

• 0x8f755c - RoundRect

• 0x8f7560 - GetTextMetricsA

• 0x8f7564 - GetTextExtentPoint32A

• 0x8f7568 - GetDeviceCaps

• 0x8f756c - CreatePalette

• 0x8f7570 - CreateDIBitmap

• 0x8f7574 - DeleteObject

• 0x8f7578 - SelectClipRgn

• 0x8f757c - CreatePolygonRgn

• 0x8f7580 - GetClipRgn

• 0x8f7584 - SetStretchBltMode

• 0x8f7588 - CreateRectRgnIndirect

• 0x8f758c - SetBkColor

• 0x8f7590 - ExcludeClipRect

• 0x8f7594 - GetClipBox

• 0x8f7598 - ScaleWindowExtEx

• 0x8f759c - SetWindowExtEx

• 0x8f75a0 - SetWindowOrgEx

• 0x8f75a4 - ScaleViewportExtEx

• 0x8f75a8 - SetViewportExtEx

• 0x8f75ac - OffsetViewportOrgEx

• 0x8f75b0 - SetViewportOrgEx

• 0x8f75b4 - SetMapMode

• 0x8f75b8 - SetTextColor

• 0x8f75bc - StartPage

• 0x8f75c0 - StartDocA

• 0x8f75c4 - DeleteDC

• 0x8f75c8 - EndDoc

• 0x8f75cc - EndPage

• 0x8f75d0 - GetObjectA

• 0x8f75d4 - GetStockObject

• 0x8f75d8 - CreateFontIndirectA

• 0x8f75dc - CreateSolidBrush

• 0x8f75e0 - FillRgn

• 0x8f75e4 - CreateRectRgn

• 0x8f75e8 - CombineRgn

• 0x8f75ec - PatBlt

• 0x8f75f0 - CreatePen

• 0x8f75f4 - SelectObject

• 0x8f75f8 - CreateBitmap

• 0x8f75fc - CreateDCA

• 0x8f7600 - CreateCompatibleBitmap

• 0x8f7604 - GetPolyFillMode

• 0x8f7608 - GetStretchBltMode

• 0x8f760c - GetROP2

• 0x8f7610 - GetBkColor

• 0x8f7614 - GetBkMode

• 0x8f7618 - GetTextColor

• 0x8f761c - GetWindowOrgEx

• 0x8f7620 - SetROP2

• 0x8f7624 - SetPolyFillMode

• 0x8f7628 - SetBkMode

• 0x8f762c - RestoreDC

• 0x8f7630 - SaveDC

• 0x8f7634 - GetViewportOrgEx

• 0x8f7638 - GetWindowExtEx

• 0x8f763c - CreateRoundRectRgn

• 0x8f7640 - CreateEllipticRgn

• 0x8f7644 - PathToRegion

• 0x8f7648 - EndPath

• 0x8f764c - BeginPath

• 0x8f7650 - GetDIBits

• 0x8f7654 - RealizePalette

• 0x8f7658 - SelectPalette

• 0x8f765c - GetSystemPaletteEntries

• 0x8f7660 - StretchBlt

库 WINSPOOL.DRV:

• 0x8f7668 - OpenPrinterA

• 0x8f766c - DocumentPropertiesA

• 0x8f7670 - ClosePrinter

库 ADVAPI32.dll:

• 0x8f7678 - FreeSid

• 0x8f767c - RegQueryValueExA

• 0x8f7680 - RegOpenKeyExA

• 0x8f7684 - RegSetValueExA

• 0x8f7688 - RegDeleteValueA

• 0x8f768c - RegDeleteKeyA

• 0x8f7690 - RegQueryValueA

• 0x8f7694 - RegCreateKeyExA

• 0x8f7698 - GetUserNameA

• 0x8f769c - RegGetKeySecurity

• 0x8f76a0 - AllocateAndInitializeSid

• 0x8f76a4 - InitializeAcl

• 0x8f76a8 - AddAce

• 0x8f76ac - InitializeSecurityDescriptor

• 0x8f76b0 - SetSecurityDescriptorDacl

• 0x8f76b4 - RegCloseKey

• 0x8f76b8 - GetSidIdentifierAuthority

• 0x8f76bc - GetSidSubAuthorityCount

• 0x8f76c0 - GetSidSubAuthority

• 0x8f76c4 - GetTokenInformation

• 0x8f76c8 - GetLengthSid

• 0x8f76cc - CopySid

• 0x8f76d0 - RegSetKeySecurity

• 0x8f76d4 - RegQueryInfoKeyA

• 0x8f76d8 - RegEnumKeyA

• 0x8f76dc - OpenProcessToken

库 SHELL32.dll:

• 0x8f76e4 - ShellExecuteA

• 0x8f76e8 - Shell_NotifyIconA

• 0x8f76ec - SHEmptyRecycleBinA

• 0x8f76f0 - SHGetSpecialFolderPathA

库 ole32.dll:

• 0x8f76f8 - CLSIDFromProgID

• 0x8f76fc - OleRun

• 0x8f7700 - CoCreateInstance

• 0x8f7704 - CLSIDFromString

• 0x8f7708 - OleUninitialize

• 0x8f770c - OleInitialize

库 OLEAUT32.dll:

• 0x8f7714 - VariantChangeType

• 0x8f7718 - VariantClear

• 0x8f771c - UnRegisterTypeLib

• 0x8f7720 - LoadTypeLib

• 0x8f7724 - LHashValOfNameSys

• 0x8f7728 - RegisterTypeLib

• 0x8f772c - SysAllocString

• 0x8f7730 - VariantInit

• 0x8f7734 - VariantCopyInd

库 COMCTL32.dll:

• 0x8f773c - None

• 0x8f7740 - ImageList_Destroy

库 WININET.dll:

• 0x8f7748 - DeleteUrlCacheEntry

• 0x8f774c - FindNextUrlCacheEntryA

• 0x8f7750 - FindFirstUrlCacheEntryA

库 comdlg32.dll:

• 0x8f7758 - ChooseColorA

• 0x8f775c - GetFileTitleA

• 0x8f7760 - GetSaveFileNameA

• 0x8f7764 - GetOpenFileNameA

库 WTSAPI32.dll:

• 0x8f776c - WTSSendMessageW

库 KERNEL32.dll:

• 0x8f7774 - VirtualQuery

• 0x8f7778 - GetSystemTimeAsFileTime

• 0x8f777c - GetModuleHandleA

• 0x8f7780 - CreateEventA

• 0x8f7784 - GetModuleFileNameW

• 0x8f7788 - LoadLibraryA

• 0x8f778c - TerminateProcess

• 0x8f7790 - GetCurrentProcess

• 0x8f7794 - CreateToolhelp32Snapshot

• 0x8f7798 - Thread32First

• 0x8f779c - GetCurrentProcessId

• 0x8f77a0 - GetCurrentThreadId

• 0x8f77a4 - OpenThread

• 0x8f77a8 - Thread32Next

• 0x8f77ac - CloseHandle

• 0x8f77b0 - SuspendThread

• 0x8f77b4 - ResumeThread

• 0x8f77b8 - WriteProcessMemory

• 0x8f77bc - GetSystemInfo

• 0x8f77c0 - VirtualAlloc

• 0x8f77c4 - VirtualProtect

• 0x8f77c8 - VirtualFree

• 0x8f77cc - GetProcessAffinityMask

• 0x8f77d0 - SetProcessAffinityMask

• 0x8f77d4 - GetCurrentThread

• 0x8f77d8 - SetThreadAffinityMask

• 0x8f77dc - Sleep

• 0x8f77e0 - FreeLibrary

• 0x8f77e4 - GetTickCount

• 0x8f77e8 - GlobalFree

• 0x8f77ec - GetProcAddress

• 0x8f77f0 - LocalAlloc

• 0x8f77f4 - LocalFree

• 0x8f77f8 - ExitProcess

• 0x8f77fc - EnterCriticalSection

• 0x8f7800 - LeaveCriticalSection

• 0x8f7804 - InitializeCriticalSection

• 0x8f7808 - DeleteCriticalSection

• 0x8f780c - GetModuleHandleW

• 0x8f7810 - LoadResource

• 0x8f7814 - MultiByteToWideChar

• 0x8f7818 - FindResourceExW

• 0x8f781c - FindResourceExA

• 0x8f7820 - WideCharToMultiByte

• 0x8f7824 - GetThreadLocale

• 0x8f7828 - GetUserDefaultLCID

• 0x8f782c - GetSystemDefaultLCID

• 0x8f7830 - EnumResourceNamesA

• 0x8f7834 - EnumResourceNamesW

• 0x8f7838 - EnumResourceLanguagesA

• 0x8f783c - EnumResourceLanguagesW

• 0x8f7840 - EnumResourceTypesA

• 0x8f7844 - EnumResourceTypesW

• 0x8f7848 - CreateFileW

• 0x8f784c - LoadLibraryW

• 0x8f7850 - GetLastError

• 0x8f7854 - FlushFileBuffers

• 0x8f7858 - CreateFileA

• 0x8f785c - WriteConsoleW

• 0x8f7860 - GetConsoleOutputCP

• 0x8f7864 - WriteConsoleA

• 0x8f7868 - GetCommandLineA

• 0x8f786c - RaiseException

• 0x8f7870 - RtlUnwind

• 0x8f7874 - HeapFree

• 0x8f7878 - GetCPInfo

• 0x8f787c - InterlockedIncrement

• 0x8f7880 - InterlockedDecrement

• 0x8f7884 - GetACP

• 0x8f7888 - GetOEMCP

• 0x8f788c - IsValidCodePage

• 0x8f7890 - TlsGetValue

• 0x8f7894 - TlsAlloc

• 0x8f7898 - TlsSetValue

• 0x8f789c - TlsFree

• 0x8f78a0 - SetLastError

• 0x8f78a4 - UnhandledExceptionFilter

• 0x8f78a8 - SetUnhandledExceptionFilter

• 0x8f78ac - IsDebuggerPresent

• 0x8f78b0 - HeapAlloc

• 0x8f78b4 - LCMapStringA

• 0x8f78b8 - LCMapStringW

• 0x8f78bc - SetHandleCount

• 0x8f78c0 - GetStdHandle

• 0x8f78c4 - GetFileType

• 0x8f78c8 - GetStartupInfoA

• 0x8f78cc - GetModuleFileNameA

• 0x8f78d0 - FreeEnvironmentStringsA

• 0x8f78d4 - GetEnvironmentStrings

• 0x8f78d8 - FreeEnvironmentStringsW

• 0x8f78dc - GetEnvironmentStringsW

• 0x8f78e0 - HeapCreate

• 0x8f78e4 - HeapDestroy

• 0x8f78e8 - QueryPerformanceCounter

• 0x8f78ec - HeapReAlloc

• 0x8f78f0 - GetStringTypeA

• 0x8f78f4 - GetStringTypeW

• 0x8f78f8 - GetLocaleInfoA

• 0x8f78fc - HeapSize

• 0x8f7900 - WriteFile

• 0x8f7904 - SetFilePointer

• 0x8f7908 - GetConsoleCP

• 0x8f790c - GetConsoleMode

• 0x8f7910 - InitializeCriticalSectionAndSpinCount

• 0x8f7914 - SetStdHandle

库 USER32.dll:

• 0x8f791c - GetUserObjectInformationW

• 0x8f7920 - CharUpperBuffW

• 0x8f7924 - MessageBoxW

• 0x8f7928 - GetProcessWindowStation

库 KERNEL32.dll:

• 0x8f7930 - LocalAlloc

• 0x8f7934 - LocalFree

• 0x8f7938 - GetModuleFileNameW

• 0x8f793c - GetProcessAffinityMask

• 0x8f7940 - SetProcessAffinityMask

• 0x8f7944 - SetThreadAffinityMask

• 0x8f7948 - Sleep

• 0x8f794c - ExitProcess

• 0x8f7950 - FreeLibrary

• 0x8f7954 - LoadLibraryA

• 0x8f7958 - GetModuleHandleA

• 0x8f795c - GetProcAddress

库 USER32.dll:

• 0x8f7964 - GetProcessWindowStation

• 0x8f7968 - GetUserObjectInformationW

投放文件

无信息

行为分析

互斥量(Mutexes)

Local\MSCTF.Asm.MutexDefault1

执行的命令 无信息

创建的服务 无信息

启动的服务 无信息

进程

V2Panda.exe PID: 2660, 上一级进程 PID: 2300

访问的文件

C:\Windows\Fonts\staticcache.dat
\Device\KsecDD
C:\Windows\Globalization\Sorting\sortdefault.nls

读取的文件

C:\Windows\Fonts\staticcache.dat
\Device\KsecDD
C:\Windows\Globalization\Sorting\sortdefault.nls

修改的文件 无信息

删除的文件 无信息

注册表键

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\WMR
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane16
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\V2Panda.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{03B5835F-F03C-411B-9CE2-AA23E1171E36}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{07EB03D6-B001-41DF-9192-BF9B841EE71F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3697C5FA-60DD-4B56-92D4-74A569205C16}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3FC47A08-E5C9-4BCA-A2C7-BC9A282AED14}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{531FDEBF-9B4C-4A43-A2AA-960E8FCDC732}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{78CB5B0E-26ED-4FCC-854C-77E8F3D1AA80}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{81D4E9C9-1D3B-41BC-9E6C-4B40BF79E35E}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{8613E14C-D0C0-4161-AC0F-1DD2563286BC}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{A028AE76-01B1-46C2-99C4-ACD9858AE02F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{AE6BE008-07FB-400D-8BEB-337A64F7051F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{C1EE01F2-B3B6-4A6A-9DDD-E988C088EC82}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{E429B25A-E5D3-4D1F-9BE3-0C608477E3A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F25E9F57-2FC8-4EB3-A41A-CCE5F08541E6}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F89E9E58-BD2F-4008-9AC2-0F816C09F4EE}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_CURRENT_USER
HKEY_CURRENT_USER\Keyboard Layout\Toggle
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
HKEY_CURRENT_USER\Software\Microsoft\CTF\DirectSwitchHotkeys
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
HKEY_CURRENT_USER\Software\Microsoft\CTF\LayoutIcon\0804\00000804
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\KnownClasses
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles

读取的注册表键

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane16
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles

修改的注册表键 无信息

删除的注册表键 无信息

API解析

gdi32.dll.GetLayout
gdi32.dll.GdiRealizationInfo
gdi32.dll.FontIsLinked
advapi32.dll.RegOpenKeyExW
advapi32.dll.RegQueryInfoKeyW
gdi32.dll.GetTextFaceAliasW
advapi32.dll.RegEnumValueW
advapi32.dll.RegCloseKey
advapi32.dll.RegQueryValueExW
advapi32.dll.RegQueryValueExA
advapi32.dll.RegEnumKeyExW
gdi32.dll.GetTextExtentExPointWPri
ole32.dll.CoInitializeEx
ole32.dll.CoUninitialize
cryptbase.dll.SystemFunction036
ole32.dll.CoRegisterInitializeSpy
ole32.dll.CoRevokeInitializeSpy
kernel32.dll.SortGetHandle
kernel32.dll.SortCloseHandle
oleaut32.dll.SysAllocString
oleaut32.dll.SysStringLen
oleaut32.dll.SysFreeString
oleaut32.dll.#500

魔盾安全分析报告

8.15

恶意的

文件详细信息

特征

运行截图

网络分析

静态分析

PE 信息

PE数据组成

导入

投放文件

行为分析

进程

V2Panda.exe PID: 2660, 上一级进程 PID: 2300