Maldun Security Analysis Report

Analysis type: FILE
Start time: 2019-08-17 16:10:39
End time: 2019-08-17 16:13:17
Duration: 158 seconds
Analysis engine version: 1.4-Maldun
VM name: win7-sp1-x64-hpdapp01-1
Label: win7-sp1-x64-hpdapp01-1
Hypervisor: KVM
Boot time: 2019-08-17 16:10:45
Shutdown time: None

Maldun score

8.0

Malicious

File details

File name csrss.exe
File size 1208320 bytes
File type PE32 executable (GUI) Intel 80386, for MS Windows
CRC32 98F5D0C9
MD5 8d7c5f11f9d6138b1a45c934b7afc8fd
SHA1 73dcb56b60dfbbb1d464e3112f5019bc83f435ca
SHA256 23df0b07f9a0d363f669b039085f5b8cb5be308fa5281800d37a09a1a02a2ff7
SHA512 d0cadaddcd191c40c241efa11d77fb0a3d5d11359b99780b53bfb3dccfec88bab6ee5e7beabde78f3756bed64140c3e8e0acd15efa2ad91c83f9b369ce9226d9
Ssdeep 12288:4NnES0tOcWKuo9luALfGSy9i+I/JEnjt3qDyb4hZUyqnuY0gUFols:4NnESIO1KtlxLuSRlQjRqphZUy+u/Gi
PEiD No match
Yara
  • IsPE32 (Detected 32bit PE signature)
  • IsWindowsGUI ()
  • HasRichSignature (Detected Rich Signature)
  • DebuggerTiming__PerformanceCounter ()
  • DebuggerTiming__Ticks ()
  • ThreadControl__Context ()
  • anti_dbg (Checks if being debugged)
  • create_process (Create a new process)
  • screenshot (Detected take screenshot function)
  • keylogger (Run a keylogger)
  • migrate_apc (APC queue tasks migration)
  • win_registry (Affect system registries)
  • change_win_registry (Change registries to affect system)
  • win_token (Affect system token)
  • win_private_profile (Affect private profile)
  • win_files_operation (Affect private profile)
  • win_hook (Affect hook table)
  • Maldun_Anomoly_Combined_Activities_7 (Detects malicious behaviors from a small size app)
  • without_attachments (Detected no presence of any attachment)
  • maldoc_find_kernel32_base_method_1 ()
  • with_images (Detected the presence of an or several images)
  • with_urls (Detected the presence of an or several urls)
  • Big_Numbers1 (Looks for big numbers 32:sized)
  • CRC32_poly_Constant (Look for CRC32 [poly])
  • CRC32_table (Look for CRC32 table)
  • MD5_Constants (Look for MD5 constants)
  • RIPEMD160_Constants (Look for RIPEMD-160 constants)
  • SHA1_Constants (Look for SHA1 constants)
  • RijnDael_AES_CHAR (Look for RijnDael AES (check2) [char])
  • RijnDael_AES_LONG (Look for RijnDael AES)
  • Code_Random (Look for Random function)
  • Maldun_Abnormal_Hash_alg (Detects program has the encryption or decription logic)
VirusTotal No scan result for this file

Signatures

Possibly performs a time-validity check: exits early after checking the local time
Creates a hidden or system file
file: C:\Users\test\AppData\Local\Temp\\xe9\x84\x99\xe7\xbd\xae\xe5\x8c\x86\xe5\xa3\xae\xe7\x9b\x8e\xe9\x80\x9e
file: C:\Users\test\AppData\Local\Temp\\xe9\x84\x99\xe7\xbd\xae\xe5\x8c\x86\xe5\xa3\xae\xe7\x9b\x8e\xe9\x80\x9e\\xe8\xb5\xa3\xe7\xa7\xa9\xe5\x9d\x8a\xe5\x92\xb8\xe7\x96\xbe.lnk
Forces a created process to be loaded as a child of another, unrelated process
process: C:\Windows\sysnative\cmd.exe, PID 2836
Attempts to stall analysis by calling the same API repeatedly
Spam: csrss.exe (2660) called API FindWindowA 2439466 times
Maldun Security Yara rule detection results - High risk
Informational: Detected Rich Signature
Warning: Create a new process
Warning: Detected take screenshot function
Warning: Run a keylogger
Warning: Affect system registries
Warning: Affect system token
Warning: Affect private profile
Warning: Affect hook table
Critical: Detects malicious behaviors from a small size app
Informational: Detected no presence of any attachment
Critical: maldoc_find_kernel32_base_method_1
Informational: Detected the presence of an or several images
Informational: Detected the presence of an or several urls
Informational: Looks for big numbers 32:sized
Informational: Look for CRC32 [poly]
Informational: Look for CRC32 table
Informational: Look for MD5 constants
Informational: Look for RIPEMD-160 constants
Informational: Look for SHA1 constants
Informational: Look for RijnDael AES (check2) [char]
Warning: Look for RijnDael AES
Informational: Look for Random function
Warning: Detects program has the encryption or decription logic

Runtime screenshots

Network analysis

No information

Static analysis

PE information

Image base 0x00400000
Entry point 0x00467538
Declared checksum 0x00000000
Actual checksum 0x0012d021
Minimum OS version required 4.0
Compile time 2019-08-14 15:45:26
Import hash 20c2efba35b346b27e1c8659124336e6

Version information

LegalCopyright: 谷歌浏览器
FileVersion: 1.0.0.0
Comments: 本程序使用易语言编写(http://www.eyuyan.com)
ProductName: 易语言程序
ProductVersion: 1.0.0.0
FileDescription: 易语言程序
Translation: 0x0804 0x04b0

PE sections

Name Virtual address Virtual size Raw data size Characteristics Entropy
.text 0x00001000 0x0008561e 0x00086000 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 6.55
.rdata 0x00087000 0x000873c2 0x00088000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 6.40
.data 0x0010f000 0x000371ca 0x00012000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 5.05
.rsrc 0x00147000 0x00005944 0x00006000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 4.82

Imports

Library WINMM.dll:
0x48764c - midiStreamOut
0x487650 - midiOutPrepareHeader
0x487654 - waveOutUnprepareHeader
0x487658 - waveOutPrepareHeader
0x48765c - waveOutWrite
0x487660 - waveOutPause
0x487664 - waveOutReset
0x487668 - waveOutClose
0x48766c - waveOutGetNumDevs
0x487670 - waveOutOpen
0x487674 - midiStreamStop
0x487678 - midiOutReset
0x48767c - midiStreamClose
0x487680 - midiStreamRestart
0x487684 - midiOutUnprepareHeader
0x487688 - midiStreamOpen
0x48768c - midiStreamProperty
Library WS2_32.dll:
0x4876a4 - WSACleanup
0x4876a8 - closesocket
0x4876ac - getpeername
0x4876b0 - accept
0x4876b4 - WSAAsyncSelect
0x4876b8 - recvfrom
0x4876bc - ioctlsocket
0x4876c0 - inet_ntoa
0x4876c4 - recv
Library KERNEL32.dll:
0x487174 - GetWindowsDirectoryA
0x487178 - GetSystemDirectoryA
0x48717c - MultiByteToWideChar
0x487180 - SetLastError
0x487184 - GetTimeZoneInformation
0x487188 - GetVersion
0x48718c - WideCharToMultiByte
0x487190 - GetACP
0x487194 - HeapSize
0x487198 - RaiseException
0x48719c - GetLocalTime
0x4871a0 - GetSystemTime
0x4871a4 - RtlUnwind
0x4871a8 - GetStartupInfoA
0x4871ac - GetOEMCP
0x4871b0 - GetCPInfo
0x4871b4 - GetProcessVersion
0x4871b8 - SetErrorMode
0x4871bc - GlobalFlags
0x4871c0 - GetCurrentThread
0x4871c4 - GetFileTime
0x4871c8 - TlsGetValue
0x4871cc - LocalReAlloc
0x4871d0 - TlsSetValue
0x4871d4 - TlsFree
0x4871d8 - GlobalHandle
0x4871dc - TlsAlloc
0x4871e0 - LocalAlloc
0x4871e4 - lstrcmpA
0x4871e8 - GlobalGetAtomNameA
0x4871ec - GlobalAddAtomA
0x4871f0 - GlobalFindAtomA
0x4871f4 - GlobalDeleteAtom
0x4871f8 - lstrcmpiA
0x4871fc - SetEndOfFile
0x487200 - UnlockFile
0x487204 - LockFile
0x487208 - FlushFileBuffers
0x48720c - DuplicateHandle
0x487210 - lstrcpynA
0x487214 - FileTimeToLocalFileTime
0x487218 - FileTimeToSystemTime
0x48721c - LocalFree
0x487220 - InterlockedDecrement
0x487224 - InterlockedIncrement
0x487228 - OpenProcess
0x48722c - TerminateProcess
0x487230 - GetCurrentProcess
0x487234 - GetFileSize
0x487238 - SetFilePointer
0x48723c - CreateToolhelp32Snapshot
0x487240 - Process32First
0x487244 - Process32Next
0x487248 - CreateSemaphoreA
0x48724c - ResumeThread
0x487250 - ReleaseSemaphore
0x487254 - EnterCriticalSection
0x487258 - LeaveCriticalSection
0x48725c - GetProfileStringA
0x487260 - WriteFile
0x487264 - WaitForMultipleObjects
0x487268 - CreateFileA
0x48726c - SetEvent
0x487270 - FindResourceA
0x487274 - LoadResource
0x487278 - LockResource
0x48727c - ReadFile
0x487280 - RemoveDirectoryA
0x487284 - GetModuleFileNameA
0x487288 - GetCurrentThreadId
0x48728c - ExitProcess
0x487290 - GlobalSize
0x487294 - GlobalFree
0x487298 - DeleteCriticalSection
0x48729c - InitializeCriticalSection
0x4872a0 - lstrcatA
0x4872a4 - lstrlenA
0x4872a8 - WinExec
0x4872ac - lstrcpyA
0x4872b0 - FindNextFileA
0x4872b4 - InterlockedExchange
0x4872b8 - GlobalReAlloc
0x4872bc - HeapFree
0x4872c0 - HeapReAlloc
0x4872c4 - GetProcessHeap
0x4872c8 - HeapAlloc
0x4872cc - GetFullPathNameA
0x4872d0 - FreeLibrary
0x4872d4 - LoadLibraryA
0x4872d8 - GetLastError
0x4872dc - GetVersionExA
0x4872e0 - WritePrivateProfileStringA
0x4872e4 - CreateThread
0x4872e8 - CreateEventA
0x4872ec - Sleep
0x4872f0 - ExpandEnvironmentStringsA
0x4872f4 - GlobalAlloc
0x4872f8 - GlobalLock
0x4872fc - GlobalUnlock
0x487300 - GetTempPathA
0x487304 - FindFirstFileA
0x487308 - FindClose
0x48730c - SetFileAttributesA
0x487310 - GetFileAttributesA
0x487314 - MoveFileA
0x487318 - DeleteFileA
0x48731c - CopyFileA
0x487320 - CreateDirectoryA
0x487324 - SetCurrentDirectoryA
0x487328 - GetVolumeInformationA
0x48732c - GetModuleHandleA
0x487330 - GetProcAddress
0x487334 - MulDiv
0x487338 - GetCommandLineA
0x48733c - GetTickCount
0x487340 - CreateProcessA
0x487344 - WaitForSingleObject
0x487348 - CloseHandle
0x48734c - UnhandledExceptionFilter
0x487350 - FreeEnvironmentStringsA
0x487354 - FreeEnvironmentStringsW
0x487358 - GetEnvironmentStrings
0x48735c - GetEnvironmentStringsW
0x487360 - SetHandleCount
0x487364 - GetStdHandle
0x487368 - GetFileType
0x48736c - GetEnvironmentVariableA
0x487370 - HeapDestroy
0x487374 - HeapCreate
0x487378 - VirtualFree
0x48737c - SetEnvironmentVariableA
0x487380 - LCMapStringA
0x487384 - LCMapStringW
0x487388 - VirtualAlloc
0x48738c - IsBadWritePtr
0x487390 - SetUnhandledExceptionFilter
0x487394 - GetStringTypeA
0x487398 - GetStringTypeW
0x48739c - CompareStringA
0x4873a0 - CompareStringW
0x4873a4 - IsBadReadPtr
0x4873a8 - IsBadCodePtr
0x4873ac - SetStdHandle
Library USER32.dll:
0x4873d4 - PeekMessageA
0x4873d8 - SetMenu
0x4873dc - GetMenu
0x4873e0 - IsIconic
0x4873e4 - SetFocus
0x4873e8 - GetActiveWindow
0x4873ec - GetWindow
0x4873f0 - DestroyAcceleratorTable
0x4873f4 - SetWindowRgn
0x4873f8 - GetMessagePos
0x4873fc - ScreenToClient
0x487400 - DeleteMenu
0x487404 - GetSystemMenu
0x487408 - DefWindowProcA
0x48740c - GetClassInfoA
0x487410 - IsZoomed
0x487414 - PostQuitMessage
0x487418 - CopyAcceleratorTableA
0x48741c - GetKeyState
0x487420 - TranslateAcceleratorA
0x487424 - IsWindowEnabled
0x487428 - ShowWindow
0x48742c - SystemParametersInfoA
0x487430 - LoadImageA
0x487434 - EnumDisplaySettingsA
0x487438 - ClientToScreen
0x48743c - EnableMenuItem
0x487440 - GetSubMenu
0x487444 - GetDlgCtrlID
0x487448 - CreateAcceleratorTableA
0x48744c - CreateMenu
0x487450 - ModifyMenuA
0x487454 - AppendMenuA
0x487458 - CreatePopupMenu
0x48745c - CopyRect
0x487460 - LoadBitmapA
0x487464 - WinHelpA
0x487468 - KillTimer
0x48746c - SetTimer
0x487470 - ReleaseCapture
0x487474 - GetCapture
0x487478 - SetCapture
0x48747c - GetScrollRange
0x487480 - SetScrollRange
0x487484 - SetScrollPos
0x487488 - SetRect
0x48748c - InflateRect
0x487490 - IntersectRect
0x487494 - GetSysColorBrush
0x487498 - DestroyIcon
0x48749c - PtInRect
0x4874a0 - OffsetRect
0x4874a4 - IsWindowVisible
0x4874a8 - EnableWindow
0x4874ac - RedrawWindow
0x4874b0 - GetWindowLongA
0x4874b4 - SetWindowLongA
0x4874b8 - GetSysColor
0x4874bc - SetActiveWindow
0x4874c0 - SetCursorPos
0x4874c4 - LoadCursorA
0x4874c8 - SetCursor
0x4874cc - GetDC
0x4874d0 - FillRect
0x4874d4 - IsRectEmpty
0x4874d8 - ReleaseDC
0x4874dc - IsChild
0x4874e0 - DestroyMenu
0x4874e4 - SetForegroundWindow
0x4874e8 - GetWindowRect
0x4874ec - EqualRect
0x4874f0 - UpdateWindow
0x4874f4 - ValidateRect
0x4874f8 - InvalidateRect
0x4874fc - GetClientRect
0x487500 - GetFocus
0x487504 - GetParent
0x487508 - GetTopWindow
0x48750c - PostMessageA
0x487510 - IsWindow
0x487514 - SetParent
0x487518 - DestroyCursor
0x48751c - SendMessageA
0x487520 - SetWindowPos
0x487524 - MessageBoxA
0x487528 - GetCursorPos
0x48752c - GetSystemMetrics
0x487530 - EmptyClipboard
0x487534 - SetClipboardData
0x487538 - OpenClipboard
0x48753c - GetClipboardData
0x487540 - CloseClipboard
0x487544 - wsprintfA
0x487548 - WaitForInputIdle
0x48754c - DrawIconEx
0x487550 - CreateIconFromResource
0x487554 - CreateIconFromResourceEx
0x487558 - RegisterClipboardFormatA
0x48755c - DispatchMessageA
0x487560 - GetMessageA
0x487564 - WindowFromPoint
0x487568 - DrawFocusRect
0x48756c - DrawEdge
0x487570 - DrawFrameControl
0x487574 - TranslateMessage
0x487578 - LoadIconA
0x48757c - GetDesktopWindow
0x487580 - GetClassNameA
0x487584 - GetWindowThreadProcessId
0x487588 - FindWindowA
0x48758c - GetDlgItem
0x487590 - GetWindowTextA
0x487594 - GetForegroundWindow
0x487598 - ChildWindowFromPointEx
0x48759c - UnregisterClassA
0x4875a0 - SetRectEmpty
0x4875a4 - GetWindowTextLengthA
0x4875a8 - CharUpperA
0x4875ac - GetWindowDC
0x4875b0 - BeginPaint
0x4875b4 - EndPaint
0x4875b8 - TabbedTextOutA
0x4875bc - DrawTextA
0x4875c0 - GrayStringA
0x4875c4 - DestroyWindow
0x4875c8 - CreateDialogIndirectParamA
0x4875cc - EndDialog
0x4875d0 - GetNextDlgTabItem
0x4875d4 - GetWindowPlacement
0x4875d8 - RegisterWindowMessageA
0x4875dc - GetLastActivePopup
0x4875e0 - GetMessageTime
0x4875e4 - RemovePropA
0x4875e8 - CallWindowProcA
0x4875ec - GetPropA
0x4875f0 - UnhookWindowsHookEx
0x4875f4 - SetPropA
0x4875f8 - GetClassLongA
0x4875fc - CallNextHookEx
0x487600 - SetWindowsHookExA
0x487604 - CreateWindowExA
0x487608 - GetMenuItemID
0x48760c - GetMenuItemCount
0x487610 - RegisterClassA
0x487614 - GetScrollPos
0x487618 - AdjustWindowRectEx
0x48761c - MapWindowPoints
0x487620 - SendDlgItemMessageA
0x487624 - ScrollWindowEx
0x487628 - IsDialogMessageA
0x48762c - SetWindowTextA
0x487630 - MoveWindow
0x487634 - CheckMenuItem
0x487638 - SetMenuItemBitmaps
0x48763c - GetMenuState
0x487640 - GetMenuCheckMarkDimensions
0x487644 - LoadStringA
Library GDI32.dll:
0x487028 - Escape
0x48702c - ExtTextOutA
0x487030 - TextOutA
0x487034 - RectVisible
0x487038 - PtVisible
0x48703c - GetViewportExtEx
0x487040 - ExtSelectClipRgn
0x487044 - CreateFontIndirectA
0x487048 - EndPage
0x48704c - EndDoc
0x487050 - DeleteDC
0x487054 - StartDocA
0x487058 - StartPage
0x48705c - BitBlt
0x487060 - CreateCompatibleDC
0x487064 - Ellipse
0x487068 - Rectangle
0x48706c - LPtoDP
0x487070 - DPtoLP
0x487074 - GetCurrentObject
0x487078 - GetTextMetricsA
0x48707c - GetTextExtentPoint32A
0x487080 - GetDeviceCaps
0x487084 - SetStretchBltMode
0x487088 - CreateRectRgnIndirect
0x48708c - SetBkColor
0x487090 - LineTo
0x487094 - MoveToEx
0x487098 - ExcludeClipRect
0x48709c - GetClipBox
0x4870a0 - ScaleWindowExtEx
0x4870a4 - SetWindowExtEx
0x4870a8 - SetWindowOrgEx
0x4870ac - GetStockObject
0x4870b0 - CreateSolidBrush
0x4870b4 - FillRgn
0x4870b8 - CreateRectRgn
0x4870bc - CombineRgn
0x4870c0 - PatBlt
0x4870c4 - CreatePen
0x4870c8 - GetObjectA
0x4870cc - SelectObject
0x4870d0 - CreateBitmap
0x4870d4 - CreateDCA
0x4870d8 - CreateCompatibleBitmap
0x4870dc - GetPolyFillMode
0x4870e0 - GetStretchBltMode
0x4870e4 - GetROP2
0x4870e8 - GetBkColor
0x4870ec - GetBkMode
0x4870f0 - GetTextColor
0x4870f4 - CreateRoundRectRgn
0x4870f8 - CreateEllipticRgn
0x4870fc - PathToRegion
0x487100 - EndPath
0x487104 - BeginPath
0x487108 - GetWindowOrgEx
0x48710c - GetViewportOrgEx
0x487110 - ScaleViewportExtEx
0x487114 - SetViewportExtEx
0x487118 - OffsetViewportOrgEx
0x48711c - SetViewportOrgEx
0x487120 - SetMapMode
0x487124 - SetTextColor
0x487128 - SetROP2
0x48712c - SetPolyFillMode
0x487130 - GetWindowExtEx
0x487134 - GetDIBits
0x487138 - RealizePalette
0x48713c - SelectPalette
0x487140 - StretchBlt
0x487144 - CreatePalette
0x487148 - GetSystemPaletteEntries
0x48714c - CreateDIBitmap
0x487150 - GetClipRgn
0x487154 - SelectClipRgn
0x487158 - RoundRect
0x48715c - DeleteObject
0x487160 - SetBkMode
0x487164 - RestoreDC
0x487168 - SaveDC
0x48716c - CreatePolygonRgn
Library WINSPOOL.DRV:
0x487694 - OpenPrinterA
0x487698 - DocumentPropertiesA
0x48769c - ClosePrinter
Library ADVAPI32.dll:
0x487000 - RegQueryValueExA
0x487004 - RegOpenKeyExA
0x487008 - RegSetValueExA
0x48700c - RegQueryValueA
0x487010 - RegCreateKeyExA
0x487014 - RegCloseKey
Library SHELL32.dll:
0x4873c4 - ShellExecuteA
0x4873c8 - Shell_NotifyIconA
0x4873cc - SHGetSpecialFolderPathA
Library ole32.dll:
0x4876e0 - CLSIDFromString
0x4876e4 - OleUninitialize
0x4876e8 - OleInitialize
Library OLEAUT32.dll:
0x4873b4 - LoadTypeLib
0x4873b8 - RegisterTypeLib
0x4873bc - UnRegisterTypeLib
Library COMCTL32.dll:
0x48701c - None
0x487020 - ImageList_Destroy
Library comdlg32.dll:
0x4876cc - ChooseColorA
0x4876d0 - GetFileTitleA
0x4876d4 - GetSaveFileNameA
0x4876d8 - GetOpenFileNameA

Dropped files

No information

Behavioral analysis

Mutexes
  • Local\MSCTF.Asm.MutexDefault1
Executed commands
  • cmd /c cacls.exe C:\Windows\System32\ntdll.DLL /e /t /p everyone:F
  • cmd /c takeown /f C:\Windows\Sysnative\ntdll.dll
  • cmd /c cacls.exe C:\Windows\Sysnative\csrss.exe /e /t /p test:F
  • cmd /c cacls.exe C:\Windows\Sysnative\ntdll.dll /e /t /p test:F
Services created No information
Services started No information

Processes

csrss.exe PID: 2660, parent PID: 2316
cmd.exe PID: 2836, parent PID: 2660
cmd.exe PID: 2916, parent PID: 2660
cmd.exe PID: 2944, parent PID: 2660
cacls.exe PID: 3064, parent PID: 2836
cacls.exe PID: 2172, parent PID: 2944
takeown.exe PID: 1640, parent PID: 2916
cmd.exe PID: 2540, parent PID: 2660
cacls.exe PID: 2748, parent PID: 2540
cmd.exe PID: 3052, parent PID: 2660
cmd.exe PID: 2340, parent PID: 2660
cacls.exe PID: 2416, parent PID: 3052
cmd.exe PID: 2460, parent PID: 2660
takeown.exe PID: 2840, parent PID: 2340
cacls.exe PID: 2604, parent PID: 2460
cmd.exe PID: 2828, parent PID: 2660
cacls.exe PID: 1188, parent PID: 2828
cmd.exe PID: 3028, parent PID: 2660
cmd.exe PID: 2300, parent PID: 2660
cmd.exe PID: 712, parent PID: 2660
cacls.exe PID: 2896, parent PID: 3028
takeown.exe PID: 3016, parent PID: 2300
cacls.exe PID: 2708, parent PID: 712
cmd.exe PID: 1672, parent PID: 2660
cacls.exe PID: 3040, parent PID: 1672

Files accessed
  • C:\Windows\Globalization\Sorting\sortdefault.nls
  • C:\Windows\Fonts\staticcache.dat
  • C:\TCJ.dll
  • C:\
  • C:\Users\test\AppData\Local\Temp\\xe9\x84\x99\xe7\xbd\xae\xe5\x8c\x86\xe5\xa3\xae\xe7\x9b\x8e\xe9\x80\x9e
  • C:\Users\test\AppData\Local\Temp\csrss.exe
  • C:\Users\test\AppData\Local\Temp\\xe9\x84\x99\xe7\xbd\xae\xe5\x8c\x86\xe5\xa3\xae\xe7\x9b\x8e\xe9\x80\x9e\\xe8\xb5\xa3\xe7\xa7\xa9\xe5\x9d\x8a\xe5\x92\xb8\xe7\x96\xbe.ink
  • C:\Users\test\AppData\Local\Temp\\xef\xbe\xb1\xef\xbf\x89\xef\xbf\x96\xef\xbf\x83\xef\xbe\xb4\xef\xbf\x92\xef\xbf\x97\xef\xbe\xb3\xef\xbe\xb0\xef\xbe\xbb\xef\xbe\xb3\xef\xbf\x91\\xef\xbe\xb8\xef\xbf\x93\xef\xbf\x96\xef\xbf\x88\xef\xbe\xb7\xef\xbe\xbb\xef\xbf\x8f\xef\xbf\x8c\xef\xbe\xbc\xef\xbe\xb2.ink
  • C:\Users\test\AppData\Local\Temp\\xe9\x84\x99\xe7\xbd\xae\xe5\x8c\x86\xe5\xa3\xae\xe7\x9b\x8e\xe9\x80\x9e\\xe8\xb5\xa3\xe7\xa7\xa9\xe5\x9d\x8a\xe5\x92\xb8\xe7\x96\xbe.lnk
  • C:\Users\test\AppData\Local\Temp\kernel32.dll
  • C:\Users\test\AppData\Local\Temp\12095925
  • C:\Users\test\AppData\Local\Temp\12095925\....\
  • C:\Users\test\AppData\Local\Temp\12095925\....\TemporaryFile
  • C:\Users\test\AppData\Local\Temp\12095925\TemporaryFile
  • C:\Users\test\AppData\Local\Temp\12095925\*.*
  • C:\Users\test\AppData\Local\Temp\12095925\TemporaryFile\*.*
  • C:\Users\test\AppData\Local\Temp\12095925\TemporaryFile\TemporaryFile
  • C:\Users\test\AppData\Local\Temp\Kernel32.dll
  • C:\Windows\sysnative\ntdll.dll
  • C:\Users\test\AppData\Local\Temp\Advapi32.dll
  • C:\Windows\Sysnative\ntdll.dll
  • C:\Windows\Sysnative\ntdll.dll.bak
  • C:\Users\test\AppData\Local\Temp
  • C:\Users
  • C:\Users\test
  • C:\Users\test\AppData
  • C:\Users\test\AppData\Local
  • C:\Users\test\AppData\Local\Temp\cacls.exe
  • C:\Users\test\AppData\Local\Temp\cacls.exe.*
  • C:\ProgramData\Oracle\Java\javapath\cacls.exe
  • C:\ProgramData\Oracle\Java\javapath\cacls.exe.*
  • C:\Windows\sysnative\cacls.exe
  • C:\Users\test\AppData\Local\Temp\takeown.*
  • C:\Users\test\AppData\Local\Temp\takeown
  • C:\ProgramData\Oracle\Java\javapath\takeown.*
  • C:\ProgramData\Oracle\Java\javapath\takeown
  • C:\Windows\sysnative\takeown.*
  • C:\Windows\sysnative\takeown.COM
  • C:\Windows\sysnative\takeown.exe
  • C:\Windows\sysnative\ntdll.dll\
  • C:\Windows\sysnative
  • C:\Windows\sysnative\
  • C:\Windows
  • C:\Windows\
  • C:
  • \??\MountPointManager
  • C:\Windows\sysnative\zh-CN\KERNELBASE.dll.mui
  • C:\Windows\Sysnative\csrss.exe
  • C:\Windows\Sysnative\csrss.exe\
  • C:\Windows\Sysnative
  • C:\Windows\Sysnative\
  • C:\Windows\Sysnative\ntdll.dll\
Files read
  • C:\Windows\Globalization\Sorting\sortdefault.nls
  • C:\Windows\Fonts\staticcache.dat
  • C:\Users\test\AppData\Local\Temp\csrss.exe
  • C:\Users\test\AppData\Local\Temp\\xe9\x84\x99\xe7\xbd\xae\xe5\x8c\x86\xe5\xa3\xae\xe7\x9b\x8e\xe9\x80\x9e\\xe8\xb5\xa3\xe7\xa7\xa9\xe5\x9d\x8a\xe5\x92\xb8\xe7\x96\xbe.ink
  • C:\Users\test\AppData\Local\Temp\12095925\....\
  • C:\Windows\sysnative\ntdll.dll
  • C:\Windows\Sysnative\ntdll.dll
  • C:\Windows\sysnative\zh-CN\KERNELBASE.dll.mui
Files modified
  • C:\TCJ.dll
  • C:\Users\test\AppData\Local\Temp\\xe9\x84\x99\xe7\xbd\xae\xe5\x8c\x86\xe5\xa3\xae\xe7\x9b\x8e\xe9\x80\x9e\\xe8\xb5\xa3\xe7\xa7\xa9\xe5\x9d\x8a\xe5\x92\xb8\xe7\x96\xbe.ink
  • C:\Users\test\AppData\Local\Temp\\xef\xbe\xb1\xef\xbf\x89\xef\xbf\x96\xef\xbf\x83\xef\xbe\xb4\xef\xbf\x92\xef\xbf\x97\xef\xbe\xb3\xef\xbe\xb0\xef\xbe\xbb\xef\xbe\xb3\xef\xbf\x91\\xef\xbe\xb8\xef\xbf\x93\xef\xbf\x96\xef\xbf\x88\xef\xbe\xb7\xef\xbe\xbb\xef\xbf\x8f\xef\xbf\x8c\xef\xbe\xbc\xef\xbe\xb2.ink
  • C:\Users\test\AppData\Local\Temp\\xe9\x84\x99\xe7\xbd\xae\xe5\x8c\x86\xe5\xa3\xae\xe7\x9b\x8e\xe9\x80\x9e\\xe8\xb5\xa3\xe7\xa7\xa9\xe5\x9d\x8a\xe5\x92\xb8\xe7\x96\xbe.lnk
  • C:\Users\test\AppData\Local\Temp\12095925\....\TemporaryFile
  • C:\Users\test\AppData\Local\Temp\12095925\TemporaryFile
  • C:\Windows\Sysnative\ntdll.dll.bak
  • C:\Windows\sysnative\ntdll.dll
Files deleted
  • C:\TCJ.dll
  • C:\Users\test\AppData\Local\Temp\12095925\TemporaryFile\TemporaryFile
  • C:\Users\test\AppData\Local\Temp\12095925\TemporaryFile
  • C:\Users\test\AppData\Local\Temp\12095925
Registry keys
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\WMR
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane2
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane3
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane4
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane5
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane6
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane7
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane8
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane9
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane10
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane11
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane12
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane13
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane14
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane15
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane16
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\csrss.exe
  • HKEY_LOCAL_MACHINE\Software\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{03B5835F-F03C-411B-9CE2-AA23E1171E36}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{07EB03D6-B001-41DF-9192-BF9B841EE71F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3697C5FA-60DD-4B56-92D4-74A569205C16}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3FC47A08-E5C9-4BCA-A2C7-BC9A282AED14}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{531FDEBF-9B4C-4A43-A2AA-960E8FCDC732}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{78CB5B0E-26ED-4FCC-854C-77E8F3D1AA80}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{81D4E9C9-1D3B-41BC-9E6C-4B40BF79E35E}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{8613E14C-D0C0-4161-AC0F-1DD2563286BC}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{A028AE76-01B1-46C2-99C4-ACD9858AE02F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{AE6BE008-07FB-400D-8BEB-337A64F7051F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{C1EE01F2-B3B6-4A6A-9DDD-E988C088EC82}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{E429B25A-E5D3-4D1F-9BE3-0C608477E3A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F25E9F57-2FC8-4EB3-A41A-CCE5F08541E6}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F89E9E58-BD2F-4008-9AC2-0F816C09F4EE}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_CURRENT_USER
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
  • HKEY_CURRENT_USER\Software\Microsoft\CTF\DirectSwitchHotkeys
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
  • HKEY_CURRENT_USER\Software\Microsoft\CTF\LayoutIcon\0804\00000804
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\KnownClasses
  • HKEY_CURRENT_USER\Software\Tencent\CrossFire
  • HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\DisableUNCCheck
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\EnableExtensions
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\DelayedExpansion
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\DefaultColor
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\CompletionChar
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\PathCompletionChar
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\AutoRun
  • HKEY_CURRENT_USER\Software\Microsoft\Command Processor
  • HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DisableUNCCheck
  • HKEY_CURRENT_USER\Software\Microsoft\Command Processor\EnableExtensions
  • HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DelayedExpansion
  • HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DefaultColor
  • HKEY_CURRENT_USER\Software\Microsoft\Command Processor\CompletionChar
  • HKEY_CURRENT_USER\Software\Microsoft\Command Processor\PathCompletionChar
  • HKEY_CURRENT_USER\Software\Microsoft\Command Processor\AutoRun
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\WMR\Disable
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
Registry keys read
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane2
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane3
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane4
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane5
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane6
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane7
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane8
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane9
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane10
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane11
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane12
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane13
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane14
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane15
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane16
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\DisableUNCCheck
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\EnableExtensions
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\DelayedExpansion
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\DefaultColor
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\CompletionChar
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\PathCompletionChar
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\AutoRun
  • HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DisableUNCCheck
  • HKEY_CURRENT_USER\Software\Microsoft\Command Processor\EnableExtensions
  • HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DelayedExpansion
  • HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DefaultColor
  • HKEY_CURRENT_USER\Software\Microsoft\Command Processor\CompletionChar
  • HKEY_CURRENT_USER\Software\Microsoft\Command Processor\PathCompletionChar
  • HKEY_CURRENT_USER\Software\Microsoft\Command Processor\AutoRun
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\WMR\Disable
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
Registry keys modified: no information
Registry keys deleted: no information
API resolution
  • kernel32.dll.IsProcessorFeaturePresent
  • cryptbase.dll.SystemFunction036
  • kernel32.dll.SortGetHandle
  • kernel32.dll.SortCloseHandle
  • comctl32.dll.RegisterClassNameW
  • uxtheme.dll.EnableThemeDialogTexture
  • uxtheme.dll.OpenThemeData
  • gdi32.dll.GetLayout
  • gdi32.dll.GdiRealizationInfo
  • gdi32.dll.FontIsLinked
  • advapi32.dll.RegOpenKeyExW
  • advapi32.dll.RegQueryInfoKeyW
  • gdi32.dll.GetTextFaceAliasW
  • advapi32.dll.RegEnumValueW
  • advapi32.dll.RegCloseKey
  • advapi32.dll.RegQueryValueExW
  • advapi32.dll.RegQueryValueExA
  • advapi32.dll.RegEnumKeyExW
  • gdi32.dll.GetTextExtentExPointWPri
  • ole32.dll.CoInitializeEx
  • ole32.dll.CoUninitialize
  • ole32.dll.CoRegisterInitializeSpy
  • ole32.dll.CoRevokeInitializeSpy
  • user32.dll.GetSystemMetrics
  • user32.dll.MonitorFromWindow
  • user32.dll.MonitorFromRect
  • user32.dll.MonitorFromPoint
  • user32.dll.EnumDisplayMonitors
  • user32.dll.GetMonitorInfoA
  • gdi32.dll.GetFontAssocStatus
  • oleaut32.dll.SysAllocString
  • oleaut32.dll.SysStringLen
  • oleaut32.dll.SysFreeString
  • kernel32.dll.CreateDirectoryA
  • kernel32.dll.MoveFileA
  • kernel32.dll.Wow64DisableWow64FsRedirection
  • kernel32.dll.lstrcpyn
  • kernel32.dll.LoadLibraryA
  • kernel32.dll.GetProcAddress
  • shlwapi.dll.StrToIntExA
  • user32.dll.CallWindowProcA
  • kernel32.dll.GetCurrentProcessId
  • kernel32.dll.OpenProcess
  • advapi32.dll.OpenProcessToken
  • kernel32.dll.CloseHandle
  • advapi32.dll.GetTokenInformation
  • advapi32.dll.LookupAccountSidA
  • sechost.dll.LookupAccountSidLocalA
  • advapi32.dll.GetUserNameA
  • kernel32.dll.SetThreadUILanguage
  • kernel32.dll.CopyFileExW
  • kernel32.dll.IsDebuggerPresent
  • kernel32.dll.SetConsoleInputExeNameW
  • sechost.dll.LookupAccountNameLocalW