魔盾安全分析报告

分析类型	开始时间	结束时间	持续时间	分析引擎版本
FILE	2024-03-27 17:38:54	2024-03-27 17:39:41	47 秒	1.4-Maldun

虚拟机机器名	标签	虚拟机管理	开机时间	关机时间
win7-sp1-x64-shaapp02-1	win7-sp1-x64-shaapp02-1	KVM	2024-03-27 17:38:58	2024-03-27 17:39:43

魔盾分数
10.0 恶意的

文件详细信息

文件名	1232209.dll
文件大小	10158780 字节
文件类型	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
CRC32	874FA670
MD5	cee9b10ccf6b20b8fc48cd1e00a3a666
SHA1	facad777bceb069cb48291ea93255c847bd7ee73
SHA256	3f5ae82a065c7babad772cfdfc40432a8471e82d8d7a0fd250c62f746f623a92
SHA512	25797b6ec6ccb9d0d567b76d97a4def1b1435323334060ac421d72593e97c120af4d7455fbbbfa0432fb259226d3ab71960562a3f55f8e65c0408b3197bfa643
Ssdeep	196608:y8amVc9T8/XVlEv58ktRyPZifZGYAhu2VeUu5TdHm9unqbi:Pc9T8/XVOrfkH8DQYnqW
PEiD	无匹配
Yara	GenerateTLSClientHelloPacket_Test (Detected TLS Client Hello Module from an known APT sample) DebuggerTiming__PerformanceCounter () DebuggerTiming__Ticks (Detected timing ticks function) ThreadControl__Context () anti_dbg (Detected self protection if being debugged) win_mutex (Create or check mutex) screenshot (Detected take screenshot function) create_process (Detection function for creating a new process) escalate_priv (Detected escalate priviledges function) keylogger (Detected keylogger function) win_registry (Detected system registries modification function) change_win_registry (Change registries to affect system) win_token (Affect system token) win_files_operation (Affect private profile) win_hook (Detected hook table access function) win_private_profile (Detected private profile access function) Maldun_Anomoly_Combined_Activities_7 (Spotted potential malicious behaviors from a small size target, like process manipultion, privilege, token and files) IsPE32 (Detected a 32bit PE sample) IsDLL (Detect a DLL sample) IsWindowsGUI (Detected a Windows GUI sample) IsPacked (Detected Entropy signature) HasOverlay (Detected Overlay signature) HasRichSignature (Detected Rich Signature) CRC32_poly_Constant (Look for CRC32 [poly]) CRC32_table (Look for CRC32 table) MD5_Constants (Look for MD5 constants) RIPEMD160_Constants (Look for RIPEMD-160 constants) SHA1_Constants (Look for SHA1 constants) with_images (Detected the presence of an or several images)
VirusTotal	VirusTotal查询失败

特征

创建RWX内存

从文件自身的二进制镜像中读取数据

self_read: process: rundll32.exe, pid: 2668, offset: 0x00000000, length: 0x0000ae00

可疑的样本异常终止

专有的Yara规则检测结果 - 高危

Critical: Detected TLS Client Hello Module from an known APT sample

Critical: Spotted potential malicious behaviors from a small size target, like process manipultion, privilege, token and files

运行截图

网络分析

TCP连接

IP地址	端口
23.214.95.215	80

UDP连接

IP地址	端口
192.168.122.1	53

HTTP请求

URL	HTTP数据
http://acroipm.adobe.com/11/rdr/CHS/win/nooem/none/message.zip	GET /11/rdr/CHS/win/nooem/none/message.zip HTTP/1.1 Accept: / If-Modified-Since: Mon, 08 Nov 2017 08:44:36 GMT User-Agent: IPM Host: acroipm.adobe.com Connection: Keep-Alive Cache-Control: no-cache

静态分析

PE 信息

初始地址	0x10000000
入口地址	0x10127942
声明校验值	0x00000000
实际校验值	0x009b2f37
最低操作系统版本要求	4.0
编译时间	2024-03-09 15:27:34
载入哈希	c4483d4ffe796a6bbb4c8f2c1a9a103a

PE数据组成

名称	虚拟地址	虚拟大小	原始数据大小	特征	熵(Entropy)
.text	0x00001000	0x00188b80	0x00189000	IMAGE_SCN_CNT_CODE\|IMAGE_SCN_MEM_EXECUTE\|IMAGE_SCN_MEM_READ\|IMAGE_SCN_MEM_WRITE	6.04
.rdata	0x0018a000	0x000384a6	0x00039000	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_EXECUTE\|IMAGE_SCN_MEM_READ\|IMAGE_SCN_MEM_WRITE	5.60
.data	0x001c3000	0x00130d40	0x00017000	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_EXECUTE\|IMAGE_SCN_MEM_READ\|IMAGE_SCN_MEM_WRITE	3.48
.reloc	0x002f4000	0x0031a000	0x0031a000	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_EXECUTE\|IMAGE_SCN_MEM_READ\|IMAGE_SCN_MEM_WRITE	6.74

覆盖

偏移量:	0x004f4000
大小:	0x004bc2bc

导入

库 KERNEL32.dll:

• 0x1018a110 - FileTimeToSystemTime

• 0x1018a114 - GetProcessTimes

• 0x1018a118 - GetThreadTimes

• 0x1018a11c - GetSystemTimeAsFileTime

• 0x1018a120 - GlobalReAlloc

• 0x1018a124 - InterlockedIncrement

• 0x1018a128 - UnmapViewOfFile

• 0x1018a12c - MapViewOfFile

• 0x1018a130 - GetHandleInformation

• 0x1018a134 - GetLogicalDriveStringsA

• 0x1018a138 - OpenFileMappingA

• 0x1018a13c - ReleaseMutex

• 0x1018a140 - OpenMutexA

• 0x1018a144 - LoadLibraryExW

• 0x1018a148 - GetDiskFreeSpaceExA

• 0x1018a14c - CreateMutexA

• 0x1018a150 - ExitThread

• 0x1018a154 - SetProcessAffinityMask

• 0x1018a158 - GetProcessAffinityMask

• 0x1018a15c - GetPrivateProfileStringA

• 0x1018a160 - WritePrivateProfileStringA

• 0x1018a164 - GetPrivateProfileSectionNamesA

• 0x1018a168 - GetPrivateProfileSectionA

• 0x1018a16c - DeleteCriticalSection

• 0x1018a170 - SuspendThread

• 0x1018a174 - lstrcmpA

• 0x1018a178 - EnumResourceLanguagesA

• 0x1018a17c - ConvertDefaultLocale

• 0x1018a180 - GlobalDeleteAtom

• 0x1018a184 - GlobalAddAtomA

• 0x1018a188 - GetModuleFileNameW

• 0x1018a18c - FileTimeToLocalFileTime

• 0x1018a190 - LocalAlloc

• 0x1018a194 - FindClose

• 0x1018a198 - FindFirstFileA

• 0x1018a19c - GetSystemTime

• 0x1018a1a0 - GetFileTime

• 0x1018a1a4 - FindNextFileA

• 0x1018a1a8 - GetVersionExA

• 0x1018a1ac - TlsGetValue

• 0x1018a1b0 - GlobalHandle

• 0x1018a1b4 - TlsAlloc

• 0x1018a1b8 - TlsSetValue

• 0x1018a1bc - LocalReAlloc

• 0x1018a1c0 - TlsFree

• 0x1018a1c4 - GlobalFlags

• 0x1018a1c8 - lstrcmpW

• 0x1018a1cc - GlobalFindAtomA

• 0x1018a1d0 - GlobalGetAtomNameA

• 0x1018a1d4 - FreeResource

• 0x1018a1d8 - GetThreadLocale

• 0x1018a1dc - FlushFileBuffers

• 0x1018a1e0 - LockFile

• 0x1018a1e4 - UnlockFile

• 0x1018a1e8 - SetEndOfFile

• 0x1018a1ec - GetLocalTime

• 0x1018a1f0 - GetCurrentDirectoryA

• 0x1018a1f4 - GetWindowsDirectoryA

• 0x1018a1f8 - GetTempPathA

• 0x1018a1fc - RemoveDirectoryA

• 0x1018a200 - SetFileAttributesA

• 0x1018a204 - CreateDirectoryA

• 0x1018a208 - GetProcessId

• 0x1018a20c - GetFileAttributesA

• 0x1018a210 - VirtualFreeEx

• 0x1018a214 - GlobalMemoryStatusEx

• 0x1018a218 - GetSystemTimes

• 0x1018a21c - GetLocaleInfoA

• 0x1018a220 - InterlockedExchange

• 0x1018a224 - SetThreadExecutionState

• 0x1018a228 - MoveFileA

• 0x1018a22c - CopyFileA

• 0x1018a230 - InterlockedCompareExchange

• 0x1018a234 - Beep

• 0x1018a238 - MulDiv

• 0x1018a23c - SetLastError

• 0x1018a240 - GlobalAlloc

• 0x1018a244 - GlobalLock

• 0x1018a248 - GlobalUnlock

• 0x1018a24c - GlobalFree

• 0x1018a250 - FormatMessageA

• 0x1018a254 - LocalFree

• 0x1018a258 - VirtualProtect

• 0x1018a25c - GetSystemInfo

• 0x1018a260 - EnterCriticalSection

• 0x1018a264 - LeaveCriticalSection

• 0x1018a268 - InitializeCriticalSection

• 0x1018a26c - IsBadReadPtr

• 0x1018a270 - SetProcessWorkingSetSize

• 0x1018a274 - InterlockedDecrement

• 0x1018a278 - FindResourceA

• 0x1018a27c - LoadResource

• 0x1018a280 - LockResource

• 0x1018a284 - SizeofResource

• 0x1018a288 - WriteFile

• 0x1018a28c - GetModuleHandleW

• 0x1018a290 - GetSystemDirectoryW

• 0x1018a294 - SetFilePointer

• 0x1018a298 - GetFileSize

• 0x1018a29c - VirtualProtectEx

• 0x1018a2a0 - SetThreadContext

• 0x1018a2a4 - GetThreadContext

• 0x1018a2a8 - ReadProcessMemory

• 0x1018a2ac - VirtualQueryEx

• 0x1018a2b0 - GetCurrentThread

• 0x1018a2b4 - GetFileType

• 0x1018a2b8 - CreateFileW

• 0x1018a2bc - DeviceIoControl

• 0x1018a2c0 - CreatePipe

• 0x1018a2c4 - CreateProcessA

• 0x1018a2c8 - ReadFile

• 0x1018a2cc - QueryDosDeviceW

• 0x1018a2d0 - FindFirstVolumeW

• 0x1018a2d4 - FindNextVolumeW

• 0x1018a2d8 - FindVolumeClose

• 0x1018a2dc - Process32First

• 0x1018a2e0 - Process32Next

• 0x1018a2e4 - DeleteFileA

• 0x1018a2e8 - CreateFileA

• 0x1018a2ec - SetEnvironmentVariableA

• 0x1018a2f0 - GetLocaleInfoW

• 0x1018a2f4 - WriteConsoleW

• 0x1018a2f8 - GetConsoleOutputCP

• 0x1018a2fc - WriteConsoleA

• 0x1018a300 - GetDriveTypeA

• 0x1018a304 - GetEnvironmentStringsW

• 0x1018a308 - FreeEnvironmentStringsW

• 0x1018a30c - GetEnvironmentStrings

• 0x1018a310 - FreeEnvironmentStringsA

• 0x1018a314 - IsValidLocale

• 0x1018a318 - EnumSystemLocalesA

• 0x1018a31c - GetUserDefaultLCID

• 0x1018a320 - GetTimeZoneInformation

• 0x1018a324 - GetConsoleMode

• 0x1018a328 - GetConsoleCP

• 0x1018a32c - GetStringTypeW

• 0x1018a330 - GetStringTypeA

• 0x1018a334 - LCMapStringW

• 0x1018a338 - LCMapStringA

• 0x1018a33c - IsValidCodePage

• 0x1018a340 - GetACP

• 0x1018a344 - GetStartupInfoA

• 0x1018a348 - SetHandleCount

• 0x1018a34c - GetSystemDirectoryA

• 0x1018a350 - WaitForMultipleObjects

• 0x1018a354 - ResumeThread

• 0x1018a358 - GetCurrentThreadId

• 0x1018a35c - TerminateProcess

• 0x1018a360 - QueryPerformanceFrequency

• 0x1018a364 - QueryPerformanceCounter

• 0x1018a368 - lstrcpyA

• 0x1018a36c - lstrcatA

• 0x1018a370 - CreateThread

• 0x1018a374 - WaitForSingleObjectEx

• 0x1018a378 - SetEvent

• 0x1018a37c - TerminateThread

• 0x1018a380 - FreeLibrary

• 0x1018a384 - CreateEventA

• 0x1018a388 - LoadLibraryA

• 0x1018a38c - CreateFileMappingA

• 0x1018a390 - Sleep

• 0x1018a394 - VirtualAlloc

• 0x1018a398 - VirtualFree

• 0x1018a39c - FlushInstructionCache

• 0x1018a3a0 - WaitForSingleObject

• 0x1018a3a4 - GetExitCodeThread

• 0x1018a3a8 - GetCurrentProcess

• 0x1018a3ac - GetModuleHandleA

• 0x1018a3b0 - GetProcAddress

• 0x1018a3b4 - OpenEventA

• 0x1018a3b8 - GetModuleFileNameA

• 0x1018a3bc - VirtualQuery

• 0x1018a3c0 - GetCurrentProcessId

• 0x1018a3c4 - CreateToolhelp32Snapshot

• 0x1018a3c8 - Module32First

• 0x1018a3cc - Module32Next

• 0x1018a3d0 - CloseHandle

• 0x1018a3d4 - GetTickCount

• 0x1018a3d8 - lstrlenA

• 0x1018a3dc - CompareStringW

• 0x1018a3e0 - CompareStringA

• 0x1018a3e4 - lstrlenW

• 0x1018a3e8 - GetVersion

• 0x1018a3ec - GetLastError

• 0x1018a3f0 - WideCharToMultiByte

• 0x1018a3f4 - MultiByteToWideChar

• 0x1018a3f8 - GetStdHandle

• 0x1018a3fc - HeapCreate

• 0x1018a400 - HeapDestroy

• 0x1018a404 - SetStdHandle

• 0x1018a408 - HeapSize

• 0x1018a40c - DuplicateHandle

• 0x1018a410 - GetVolumeInformationA

• 0x1018a414 - GetFullPathNameA

• 0x1018a418 - SetErrorMode

• 0x1018a41c - GetCPInfo

• 0x1018a420 - ExitProcess

• 0x1018a424 - GetProcessHeap

• 0x1018a428 - GetCommandLineA

• 0x1018a42c - RaiseException

• 0x1018a430 - IsDebuggerPresent

• 0x1018a434 - SetUnhandledExceptionFilter

• 0x1018a438 - UnhandledExceptionFilter

• 0x1018a43c - HeapReAlloc

• 0x1018a440 - RtlUnwind

• 0x1018a444 - HeapFree

• 0x1018a448 - HeapAlloc

• 0x1018a44c - GetOEMCP

库 USER32.dll:

• 0x1018a498 - GetDesktopWindow

• 0x1018a49c - GetParent

• 0x1018a4a0 - DrawIcon

• 0x1018a4a4 - GetIconInfo

• 0x1018a4a8 - GetSystemMetrics

• 0x1018a4ac - DrawTextW

• 0x1018a4b0 - GetCaretPos

• 0x1018a4b4 - GetAsyncKeyState

• 0x1018a4b8 - SystemParametersInfoA

• 0x1018a4bc - ChangeDisplaySettingsA

• 0x1018a4c0 - ExitWindowsEx

• 0x1018a4c4 - ClipCursor

• 0x1018a4c8 - PeekMessageA

• 0x1018a4cc - MsgWaitForMultipleObjects

• 0x1018a4d0 - CloseClipboard

• 0x1018a4d4 - SetClipboardData

• 0x1018a4d8 - EmptyClipboard

• 0x1018a4dc - OpenClipboard

• 0x1018a4e0 - GetWindowTextA

• 0x1018a4e4 - FindWindowA

• 0x1018a4e8 - MoveWindow

• 0x1018a4ec - ShowWindow

• 0x1018a4f0 - SetWindowPos

• 0x1018a4f4 - WindowFromPoint

• 0x1018a4f8 - GetWindow

• 0x1018a4fc - EnumWindows

• 0x1018a500 - GetDC

• 0x1018a504 - EnumDisplaySettingsA

• 0x1018a508 - GetMonitorInfoA

• 0x1018a50c - GetWindowDC

• 0x1018a510 - CharUpperA

• 0x1018a514 - MessageBoxA

• 0x1018a518 - CloseDesktop

• 0x1018a51c - SetThreadDesktop

• 0x1018a520 - OpenInputDesktop

• 0x1018a524 - InvalidateRect

• 0x1018a528 - SetWindowRgn

• 0x1018a52c - GetWindowRect

• 0x1018a530 - ClientToScreen

• 0x1018a534 - GetClientRect

• 0x1018a538 - GetWindowLongA

• 0x1018a53c - IsWindow

• 0x1018a540 - GetForegroundWindow

• 0x1018a544 - IsWindowVisible

• 0x1018a548 - SetWindowTextA

• 0x1018a54c - PtInRect

• 0x1018a550 - PostQuitMessage

• 0x1018a554 - SetWindowLongA

• 0x1018a558 - KillTimer

• 0x1018a55c - IsIconic

• 0x1018a560 - DefWindowProcA

• 0x1018a564 - RegisterClassExA

• 0x1018a568 - LoadCursorA

• 0x1018a56c - UnregisterClassA

• 0x1018a570 - DispatchMessageA

• 0x1018a574 - TranslateMessage

• 0x1018a578 - SendInput

• 0x1018a57c - GetMessageExtraInfo

• 0x1018a580 - MapVirtualKeyA

• 0x1018a584 - SetForegroundWindow

• 0x1018a588 - ReleaseDC

• 0x1018a58c - MessageBoxW

• 0x1018a590 - IsWindowUnicode

• 0x1018a594 - CreateWindowExA

• 0x1018a598 - AdjustWindowRectEx

• 0x1018a59c - MonitorFromWindow

• 0x1018a5a0 - GetMessageA

• 0x1018a5a4 - SetTimer

• 0x1018a5a8 - UpdateWindow

• 0x1018a5ac - SetClassLongA

• 0x1018a5b0 - GetClassLongA

• 0x1018a5b4 - GetClassLongW

• 0x1018a5b8 - SetWindowsHookExW

• 0x1018a5bc - PostMessageA

• 0x1018a5c0 - GetMessageW

• 0x1018a5c4 - DestroyWindow

• 0x1018a5c8 - TranslateAcceleratorA

• 0x1018a5cc - GetWindowThreadProcessId

• 0x1018a5d0 - CopyIcon

• 0x1018a5d4 - GetWindowPlacement

• 0x1018a5d8 - GetKeyState

• 0x1018a5dc - GetActiveWindow

• 0x1018a5e0 - CallNextHookEx

• 0x1018a5e4 - SetWindowLongW

• 0x1018a5e8 - DestroyCursor

• 0x1018a5ec - CallWindowProcA

• 0x1018a5f0 - GetMessageTime

• 0x1018a5f4 - SetWindowsHookExA

• 0x1018a5f8 - UnhookWindowsHookEx

• 0x1018a5fc - UnloadKeyboardLayout

• 0x1018a600 - BeginPaint

• 0x1018a604 - EndPaint

• 0x1018a608 - FillRect

• 0x1018a60c - DrawTextA

• 0x1018a610 - GetFocus

• 0x1018a614 - GetClassNameW

• 0x1018a618 - DrawTextExA

• 0x1018a61c - SendMessageA

• 0x1018a620 - GetSubMenu

• 0x1018a624 - GetMenuItemCount

• 0x1018a628 - GetMenuItemID

• 0x1018a62c - GetMenuState

• 0x1018a630 - CheckMenuItem

• 0x1018a634 - EnableMenuItem

• 0x1018a638 - ModifyMenuA

• 0x1018a63c - LoadBitmapA

• 0x1018a640 - GetMenuCheckMarkDimensions

• 0x1018a644 - SetMenuItemBitmaps

• 0x1018a648 - ValidateRect

• 0x1018a64c - SetCursor

• 0x1018a650 - GetLastActivePopup

• 0x1018a654 - RegisterClipboardFormatA

• 0x1018a658 - CopyRect

• 0x1018a65c - TabbedTextOutA

• 0x1018a660 - GrayStringA

• 0x1018a664 - GetSysColor

• 0x1018a668 - GetSysColorBrush

• 0x1018a66c - RegisterClassA

• 0x1018a670 - GetClassInfoA

• 0x1018a674 - GetClassInfoExA

• 0x1018a678 - MapWindowPoints

• 0x1018a67c - GetTopWindow

• 0x1018a680 - GetDlgItem

• 0x1018a684 - SetActiveWindow

• 0x1018a688 - ReleaseCapture

• 0x1018a68c - GetCapture

• 0x1018a690 - WinHelpA

• 0x1018a694 - SendDlgItemMessageA

• 0x1018a698 - LoadIconA

• 0x1018a69c - RegisterWindowMessageA

• 0x1018a6a0 - IsDialogMessageA

• 0x1018a6a4 - PostThreadMessageA

• 0x1018a6a8 - EndDialog

• 0x1018a6ac - GetNextDlgTabItem

• 0x1018a6b0 - CreateDialogIndirectParamA

• 0x1018a6b4 - DestroyMenu

• 0x1018a6b8 - SetRect

• 0x1018a6bc - AttachThreadInput

• 0x1018a6c0 - EnableWindow

• 0x1018a6c4 - SetFocus

• 0x1018a6c8 - SetPropA

• 0x1018a6cc - GetClipboardData

• 0x1018a6d0 - GetDoubleClickTime

• 0x1018a6d4 - GetClassNameA

• 0x1018a6d8 - IsWindowEnabled

• 0x1018a6dc - GetWindowLongW

• 0x1018a6e0 - ScreenToClient

• 0x1018a6e4 - FindWindowW

• 0x1018a6e8 - FindWindowExA

• 0x1018a6ec - SetWindowTextW

• 0x1018a6f0 - GetDlgCtrlID

• 0x1018a6f4 - GetKeyboardLayout

• 0x1018a6f8 - RedrawWindow

• 0x1018a6fc - RemovePropA

• 0x1018a700 - GetMenu

• 0x1018a704 - GetPropA

• 0x1018a708 - GetMessagePos

• 0x1018a70c - GetCursorPos

• 0x1018a710 - SetCursorPos

• 0x1018a714 - IsZoomed

库 GDI32.dll:

• 0x1018a040 - CreateEllipticRgn

• 0x1018a044 - CreateSolidBrush

• 0x1018a048 - CreatePen

• 0x1018a04c - MoveToEx

• 0x1018a050 - LineTo

• 0x1018a054 - SetBkMode

• 0x1018a058 - DPtoLP

• 0x1018a05c - CreateBitmap

• 0x1018a060 - GetMapMode

• 0x1018a064 - SetMapMode

• 0x1018a068 - SetBkColor

• 0x1018a06c - CreateDIBSection

• 0x1018a070 - ExtCreateRegion

• 0x1018a074 - GetPixel

• 0x1018a078 - SetDIBits

• 0x1018a07c - EnumFontFamiliesExA

• 0x1018a080 - CreateFontIndirectA

• 0x1018a084 - SetTextColor

• 0x1018a088 - BitBlt

• 0x1018a08c - CreateCompatibleDC

• 0x1018a090 - CreateCompatibleBitmap

• 0x1018a094 - SelectObject

• 0x1018a098 - DeleteDC

• 0x1018a09c - GetObjectA

• 0x1018a0a0 - GetStockObject

• 0x1018a0a4 - SelectPalette

• 0x1018a0a8 - RealizePalette

• 0x1018a0ac - GetDIBits

• 0x1018a0b0 - GetDeviceCaps

• 0x1018a0b4 - CreateRectRgn

• 0x1018a0b8 - CombineRgn

• 0x1018a0bc - DeleteObject

• 0x1018a0c0 - ExtTextOutA

• 0x1018a0c4 - CreateRectRgnIndirect

• 0x1018a0c8 - CreateRoundRectRgn

• 0x1018a0cc - RestoreDC

• 0x1018a0d0 - SetStretchBltMode

• 0x1018a0d4 - PtVisible

• 0x1018a0d8 - RectVisible

• 0x1018a0dc - TextOutA

• 0x1018a0e0 - Escape

• 0x1018a0e4 - SetViewportOrgEx

• 0x1018a0e8 - OffsetViewportOrgEx

• 0x1018a0ec - SetViewportExtEx

• 0x1018a0f0 - ScaleViewportExtEx

• 0x1018a0f4 - SetWindowExtEx

• 0x1018a0f8 - ScaleWindowExtEx

• 0x1018a0fc - ExtSelectClipRgn

• 0x1018a100 - SetDIBitsToDevice

• 0x1018a104 - GetClipBox

• 0x1018a108 - SaveDC

库 ADVAPI32.dll:

• 0x1018a000 - RegDeleteValueA

• 0x1018a004 - RegEnumValueA

• 0x1018a008 - RegEnumKeyA

• 0x1018a00c - RegOpenKeyExA

• 0x1018a010 - RegOpenKeyA

• 0x1018a014 - RegQueryValueExA

• 0x1018a018 - GetTokenInformation

• 0x1018a01c - RegDeleteKeyA

• 0x1018a020 - RegSetValueExA

• 0x1018a024 - RegCloseKey

• 0x1018a028 - OpenProcessToken

• 0x1018a02c - LookupPrivilegeValueA

• 0x1018a030 - AdjustTokenPrivileges

• 0x1018a034 - RegCreateKeyExA

• 0x1018a038 - RegQueryValueA

库 ole32.dll:

• 0x1018a7d4 - CoCreateInstance

• 0x1018a7d8 - CoInitialize

• 0x1018a7dc - CoSetProxyBlanket

• 0x1018a7e0 - CoInitializeSecurity

• 0x1018a7e4 - CoRegisterMessageFilter

• 0x1018a7e8 - OleFlushClipboard

• 0x1018a7ec - OleIsCurrentClipboard

• 0x1018a7f0 - CoRevokeClassObject

• 0x1018a7f4 - OleInitialize

• 0x1018a7f8 - CoFreeUnusedLibraries

• 0x1018a7fc - OleUninitialize

• 0x1018a800 - CoUninitialize

库 OLEAUT32.dll:

• 0x1018a460 - SysAllocStringLen

• 0x1018a464 - SysAllocString

• 0x1018a468 - SysFreeString

• 0x1018a46c - VariantChangeType

• 0x1018a470 - VariantClear

• 0x1018a474 - VariantInit

• 0x1018a478 - SystemTimeToVariantTime

库 SHLWAPI.dll:

• 0x1018a480 - PathStripToRootA

• 0x1018a484 - UrlUnescapeA

• 0x1018a488 - PathFindFileNameA

• 0x1018a48c - PathFindExtensionA

• 0x1018a490 - PathIsUNCA

库 oledlg.dll:

• 0x1018a808 - None

库 WS2_32.dll:

• 0x1018a778 - inet_addr

• 0x1018a77c - WSAStartup

• 0x1018a780 - getsockopt

• 0x1018a784 - ioctlsocket

• 0x1018a788 - select

• 0x1018a78c - __WSAFDIsSet

• 0x1018a790 - recv

• 0x1018a794 - send

• 0x1018a798 - htonl

• 0x1018a79c - setsockopt

• 0x1018a7a0 - sendto

• 0x1018a7a4 - recvfrom

• 0x1018a7a8 - ntohl

• 0x1018a7ac - WSACleanup

• 0x1018a7b0 - closesocket

• 0x1018a7b4 - socket

• 0x1018a7b8 - htons

• 0x1018a7bc - connect

• 0x1018a7c0 - WSAGetLastError

• 0x1018a7c4 - gethostbyname

库 WININET.dll:

• 0x1018a72c - InternetCrackUrlA

• 0x1018a730 - InternetCanonicalizeUrlA

• 0x1018a734 - InternetQueryOptionA

• 0x1018a738 - InternetSetOptionExA

• 0x1018a73c - InternetQueryDataAvailable

• 0x1018a740 - HttpQueryInfoA

• 0x1018a744 - InternetOpenUrlA

• 0x1018a748 - InternetReadFile

• 0x1018a74c - InternetWriteFile

• 0x1018a750 - InternetSetFilePointer

• 0x1018a754 - InternetSetStatusCallback

• 0x1018a758 - InternetOpenA

• 0x1018a75c - InternetGetLastResponseInfoA

• 0x1018a760 - InternetCloseHandle

库 OLEACC.dll:

• 0x1018a454 - CreateStdAccessibleObject

• 0x1018a458 - LresultFromObject

库 WINSPOOL.DRV:

• 0x1018a768 - DocumentPropertiesA

• 0x1018a76c - OpenPrinterA

• 0x1018a770 - ClosePrinter

库 comdlg32.dll:

• 0x1018a7cc - GetFileTitleA

投放文件

无信息

行为分析

互斥量(Mutexes)

Local\MSCTF.Asm.MutexDefault1

执行的命令 无信息

创建的服务 无信息

启动的服务 无信息

进程

rundll32.exe PID: 2668, 上一级进程 PID: 2324

访问的文件

C:\Users\test\AppData\Local\Temp\1232209.dll
C:\Users\test\AppData\Local\Temp\1232209.dll.123.Manifest
C:\Users\test\AppData\Local\Temp\1232209.dll.124.Manifest
C:\Users\test\AppData\Local\Temp\1232209.dll.2.Manifest
C:\Windows\SysWOW64\rundll32.exe
C:\Users\test\AppData\Local\Temp\oledlg.dll
C:\Windows\System32\oledlg.dll
C:\Users\test\AppData\Local\Temp\OLEACC.dll
C:\Windows\System32\oleacc.dll
C:\Windows\SysWOW64\rundll32.exe.Local\
C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af
C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
C:\Windows\SysWOW64\oleaccrc.dll
C:\Users\test\AppData\Local\Temp\1232209.dll.3.Manifest
C:\Users\test\AppData\Local\Temp\1232209.dll.Manifest
C:\*.log
C:\Windows\System32\ntdll.dll
C:\Windows\Fonts\staticcache.dat
C:\Windows\Globalization\Sorting\sortdefault.nls

读取的文件

C:\Users\test\AppData\Local\Temp\1232209.dll
C:\Users\test\AppData\Local\Temp\1232209.dll.123.Manifest
C:\Users\test\AppData\Local\Temp\1232209.dll.124.Manifest
C:\Users\test\AppData\Local\Temp\1232209.dll.2.Manifest
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\System32\oledlg.dll
C:\Windows\System32\oleacc.dll
C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
C:\Windows\SysWOW64\oleaccrc.dll
C:\Users\test\AppData\Local\Temp\1232209.dll.3.Manifest
C:\Users\test\AppData\Local\Temp\1232209.dll.Manifest
C:\Windows\System32\ntdll.dll
C:\Windows\Fonts\staticcache.dat
C:\Windows\Globalization\Sorting\sortdefault.nls

修改的文件 无信息

删除的文件 无信息

注册表键

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\crypt32
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\crypt32\DebugHeapFlags
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\DisableImprovedZoneCheck
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Security_HKLM_only
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\UseFilter
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\1232209.dll
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\WMR
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane16
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\rundll32.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{03B5835F-F03C-411B-9CE2-AA23E1171E36}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{07EB03D6-B001-41DF-9192-BF9B841EE71F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3697C5FA-60DD-4B56-92D4-74A569205C16}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3FC47A08-E5C9-4BCA-A2C7-BC9A282AED14}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{531FDEBF-9B4C-4A43-A2AA-960E8FCDC732}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{78CB5B0E-26ED-4FCC-854C-77E8F3D1AA80}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{81D4E9C9-1D3B-41BC-9E6C-4B40BF79E35E}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{8613E14C-D0C0-4161-AC0F-1DD2563286BC}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{A028AE76-01B1-46C2-99C4-ACD9858AE02F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{AE6BE008-07FB-400D-8BEB-337A64F7051F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{C1EE01F2-B3B6-4A6A-9DDD-E988C088EC82}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{E429B25A-E5D3-4D1F-9BE3-0C608477E3A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F25E9F57-2FC8-4EB3-A41A-CCE5F08541E6}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F89E9E58-BD2F-4008-9AC2-0F816C09F4EE}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_CURRENT_USER\Keyboard Layout\Toggle
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
HKEY_CURRENT_USER\Software\Microsoft\CTF\DirectSwitchHotkeys
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
HKEY_CURRENT_USER\Software\Microsoft\CTF\LayoutIcon\0804\00000804
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\KnownClasses
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles

读取的注册表键

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\crypt32\DebugHeapFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\DisableImprovedZoneCheck
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Security_HKLM_only
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\UseFilter
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\1232209.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane16
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles

修改的注册表键 无信息

删除的注册表键 无信息

API解析

advapi32.dll.EventWrite
advapi32.dll.EventRegister
advapi32.dll.EventUnregister
kernel32.dll.FlsAlloc
kernel32.dll.FlsGetValue
kernel32.dll.FlsSetValue
kernel32.dll.FlsFree
kernelbase.dll.InitializeCriticalSectionAndSpinCount
kernel32.dll.ProcessIdToSessionId
imm32.dll.ImmCreateContext
imm32.dll.ImmDestroyContext
imm32.dll.ImmNotifyIME
imm32.dll.ImmAssociateContext
imm32.dll.ImmReleaseContext
imm32.dll.ImmGetContext
imm32.dll.ImmGetCompositionStringA
imm32.dll.ImmSetCompositionStringA
imm32.dll.ImmGetCompositionStringW
imm32.dll.ImmSetCompositionStringW
imm32.dll.ImmSetCandidateWindow
kernel32.dll.InitializeCriticalSectionAndSpinCount
kernel32.dll.CreateActCtxW
kernel32.dll.ReleaseActCtx
kernel32.dll.ActivateActCtx
kernel32.dll.DeactivateActCtx
user32.dll.NotifyWinEvent
kernel32.dll.GetSystemTime
kernel32.dll.OpenProcess
kernel32.dll.TerminateProcess
kernel32.dll.ReadProcessMemory
user32.dll.GetWindowThreadProcessId
user32.dll.SendMessageA
user32.dll.PostMessageA
kernel32.dll.MapViewOfFile
user32.dll.GetCursorPos
user32.dll.SendMessageTimeoutA
user32.dll.SendNotifyMessageA
user32.dll.PostThreadMessageA
msvcrt.dll.sprintf
msvcrt.dll.sscanf
ntdll.dll.NtProtectVirtualMemory
kernel32.dll.IsWow64Process
ntdll.dll.NtAllocateVirtualMemory
gdi32.dll.GetLayout
gdi32.dll.GdiRealizationInfo
gdi32.dll.FontIsLinked
advapi32.dll.RegOpenKeyExW
advapi32.dll.RegQueryInfoKeyW
gdi32.dll.GetTextFaceAliasW
advapi32.dll.RegEnumValueW
advapi32.dll.RegCloseKey
advapi32.dll.RegQueryValueExW
advapi32.dll.RegQueryValueExA
advapi32.dll.RegEnumKeyExW
gdi32.dll.GetTextExtentExPointWPri
ole32.dll.CoInitializeEx
ole32.dll.CoUninitialize
cryptbase.dll.SystemFunction036
ole32.dll.CoRegisterInitializeSpy
ole32.dll.CoRevokeInitializeSpy
kernel32.dll.SortGetHandle
kernel32.dll.SortCloseHandle
oleaut32.dll.SysAllocString
oleaut32.dll.SysStringLen
oleaut32.dll.SysFreeString
oleaut32.dll.#500