Views: 2352 | Replies: 9

[Suspicious file] QQ patch, flagged as malicious by BD (suspected file)
qqggffok
Posted 2017-11-22 16:29:13
Last edited by qqggffok on 2017-11-22 16:36

Infected. BD flags it outright.



VT https://www.virustotal.com/#/fil ... 8caa3c7f9/detection

[Attachment (login required to download)]
狐狸糊涂
Posted 2017-11-22 17:17:34
Kaspersky, ran it on a real machine,
QQ files were corrupted.

[Attachment (login required to download)]
zst470396853
Posted 2017-11-22 17:17:39
360

[Attachment (login required to download)]
大明湖畔的乾隆
Posted 2017-11-22 17:39:49
Kaspersky Free (domestic edition) and QQ antivirus report it as safe.
Jerry.Lin
Posted 2017-11-22 17:46:14
Huorong: miss.
bambooslip
Posted 2017-11-22 22:18:04
Antiy cloud detection classifies it as a hacking tool.


The Jingyun ZAV engine caught it.



[Attachment (login required to download)]
沧桑浪子
Posted 2017-11-22 22:27:09
You can tell from the file name alone that it ought to be flagged.
qqggffok
(OP) Posted 2017-11-23 00:53:32
Quoting 狐狸糊涂, posted 2017-11-22 17:17:
Kaspersky, ran it on a real machine,
QQ files were corrupted.

But on my side the QQ Show really did disappear and the files were not corrupted; it should be a false positive.
和泉纱雾
Posted 2017-11-23 09:55:44

[Attachment (login required to download)]
安全守护者
Posted 2017-11-24 22:50:20
Maldun security analysis report
Analysis type: FILE
Start time: 2017-11-24 22:36:37
End time: 2017-11-24 22:38:58
Duration: 141 seconds
Analysis engine version: 1.4-Maldun

VM name: win7-sp1-x64-hpdapp03-1
Label: win7-sp1-x64-hpdapp03-1
Hypervisor: KVM
Boot time: 2017-11-24 22:36:41
Shutdown time: 2017-11-24 22:38:57

Maldun score: 10.0 Malicious
File details
File name: 腾讯QQ 完美去所有QQ秀相关框架补丁v5.1.exe
File size: 69632 bytes
File type: PE32 executable (GUI) Intel 80386, for MS Windows
CRC32: C634AC2E
MD5: b29cdffbbf8eeceee313dc06ca9d4cf4
SHA1: 6a8aeebc5be71a4126f85eb77200248edc9f96ca
SHA256: e5e509b0f2f3225a379c61c9cf82dd05763e35aec7a5e3cf37214ba8caa3c7f9
SHA512: 0faeb28db49d015b2d3c20100db430188edb754ddef4035e52d8bf2f2048a8d66b7de0a5a441bf62186d7371a6821a978fd555552bc7d685c9c01432a036213f
Ssdeep: 1536:Okw4wMHnKvCA8uHNlkf/NvPC0NshfOxFQYMtG/7blHfu2DUaLA:O3+HlVy+3NHC0mA/3lHWZ
PEiD: no match
Yara
  • IsPE32 ()
  • IsWindowsGUI ()
  • IsPacked (Entropy Check)
  • HasRichSignature (Rich Signature Check)
  • without_images (Rule to detect the no presence of any image)
  • without_attachments (Rule to detect the no presence of any attachment)
  • win_files_operation (Affect private profile)
  • Safeguard_103_Simonzh ()
  • without_urls (Rule to detect the no presence of any url)
VirusTotal
VirusTotal scan time: 2017-11-23 00:36:11
Scan result: 42/66
Signatures
The binary may contain encrypted or compressed data
section: name: .rsrc, entropy: 7.98, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ, raw_size: 0x00010400, virtual_size: 0x00010238
Anomalous binary characteristics
anomaly: Actual checksum does not match that reported in PE header
The file is detected as malicious by at least ten antivirus engines on VirusTotal
MicroWorld-eScan: Trojan.Generic.22552545
CAT-QuickHeal: Riskware.Dupatcher.A4
McAfee: Artemis!B29CDFFBBF8E
Cylance: Unsafe
VIPRE: Trojan.Win32.Agent.wfn (v)
K7AntiVirus: Trojan ( 0040f3a51 )
K7GW: Trojan ( 0040f3a51 )
Invincea: heuristic
Baidu: Win32.Trojan.Generic.f
F-Prot: W32/Agent.KFY
ESET-NOD32: a variant of Win32/HackTool.Patcher.AD potentially unsafe
TrendMicro-HouseCall: TROJ_GEN.R002H0CJM17
Paloalto: generic.ml
GData: Trojan.Generic.22552545
BitDefender: Trojan.Generic.22552545
ViRobot: Trojan.Win32.Agent.754688.B
Avast: FileRepMalware
Ad-Aware: Trojan.Generic.22552545
Sophos: Generic Patcher (PUA)
Comodo: TrojWare.Win32.Agent.WFN
F-Secure: Trojan.Generic.22552545
McAfee-GW-Edition: BehavesLike.Win32.Downloader.kc
Emsisoft: Trojan.Generic.22552545 (B)
SentinelOne: static engine - malicious
Cyren: W32/Agent.EWQQ-1275
Webroot: W32.Hacktool.Gen
Antiy-AVL: RiskWare[RiskTool]/Win32.Patcher
Kingsoft: Win32.Troj.Undef.(kcloud)
Endgame: malicious (high confidence)
Arcabit: Trojan.Generic.D1581FE1
AegisLab: Ml.Attribute.Gen!c
ALYac: Trojan.Generic.22552545
AVware: Trojan.Win32.Agent.wfn (v)
MAX: malware (ai score=100)
Malwarebytes: HackTool.FilePatch
Yandex: Riskware.HackTool!LT2poWNG63M
eGambit: HackTool.Generic
Fortinet: Riskware/GamePatcher
AVG: FileRepMalware
Cybereason: malicious.1b8fb7
CrowdStrike: malicious_confidence_70% (W)
Qihoo-360: HEUR/QVM20.1.6636.Malware.Gen

Screenshots: [not included]
Network analysis: no information
Static analysis
PE information
Image base: 0x00400000
Entry point: 0x0040102b
Declared checksum: 0x0000ecdd
Actual checksum: 0x00018b96
Minimum OS version: 5.0
Compile time: 2012-12-22 04:59:46
Import hash (imphash): dc73a9bd8de0fd640549c85ac4089b87
Icon
Icon exact hash: fb5a60ee4609a14da6ecab6167895893
Icon similarity hash: 4a3fb500ae166239cd518c35d507e5e0



PE sections
Name    Virtual addr  Virtual size  Raw size    Entropy  Characteristics
.text   0x00001000    0x000001f6    0x00000200  5.06     IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ
.rdata  0x00002000    0x000001d8    0x00000200  4.27     IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ
.data   0x00003000    0x00000034    0x00000200  0.57     IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE
.rsrc   0x00004000    0x00010238    0x00010400  7.98     IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ
.reloc  0x00015000    0x00000052    0x00000200  0.74     IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ


Resources
Name           Offset      Size        Language      Sublanguage      Entropy  File type
RT_ICON        0x00004138  0x00000568  LANG_NEUTRAL  SUBLANG_NEUTRAL  3.51     GLS_BINARY_LSB_FIRST
RT_RCDATA      0x000046a0  0x0000f800  LANG_NEUTRAL  SUBLANG_NEUTRAL  8.00     data
RT_GROUP_ICON  0x00013ea0  0x00000014  LANG_NEUTRAL  SUBLANG_NEUTRAL  1.67     data
RT_MANIFEST    0x00013eb4  0x00000382  LANG_NEUTRAL  SUBLANG_NEUTRAL  4.86     XML 1.0 document, ASCII text, with CRLF line terminators


Imports from kernel32.dll:
0x402000 - DeleteFileA
0x402004 - ExitProcess
0x402008 - FindResourceA
0x40200c - FreeLibrary
0x402010 - GetModuleHandleA
0x402014 - GetProcAddress
0x402018 - GetTempPathA
0x40201c - LoadLibraryA
0x402020 - LoadResource
0x402024 - RtlMoveMemory
0x402028 - SizeofResource
0x40202c - VirtualAlloc
0x402030 - lstrcatA
0x402034 - CloseHandle
0x402038 - CreateFileA
0x40203c - FlushFileBuffers
0x402040 - WriteFile



Dropped files
dup2patcher.dll
File name: dup2patcher.dll
Related files:
  • C:\Users\test\AppData\Local\Temp\dup2patcher.dll
File size: 63488 bytes
File type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5: 762c970fa02bdbffea782cc523bf800d
SHA1: d68af9ad5504e13be6e14837d86274a7672c4165
SHA256: 05d7aeab16f208563eb72edda9e3e19355eea7d83e0fe89c5730477c48d6ee15
SHA512: 1f30c62194554c8085585918fb0241a8e2b10f7fc6d70a863e10b309f69cb41b986855659936c5b18ba079361b6b03c5889c2f3900f9e464d52d1f68b02c525e
Ssdeep: 768:hdqDhNM0fB5eI+X4BoePeye6eyeqeSeaege6Rsllp8ZaiuSYScSUEhkI:QNTilc2ldltF9j6RW8ZuSYSc9jI


9CE5948F6F706809AD1DF3709868DF94.dll
File name: 9CE5948F6F706809AD1DF3709868DF94.dll
Related files:
  • C:\Users\test\AppData\Local\Temp\9CE5948F6F706809AD1DF3709868DF94.dll
File size: 3072 bytes
File type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5: b89c8298e8cbdc72d9a0a9dabe0a9f2b
SHA1: 2b78a6af2f8df304fc6d26a0eac0f30f02944821
SHA256: 301efda3003a4a40c3ba5071a89ba88ed00a055f95a959a38a5a7eef88e9a82d
SHA512: 161954ce3648e056675ab301d4519bfa78e82fc736c1e607e6b50888bfab0f3a503d010b1d819ba3f2ce780ae86a028e66232ac75f1845c9948bdbefaa03256d
Ssdeep: 24:ev1GSnLRbXxdzrkLT0IAF8aUIAdxiIRf4LX:qRBpkjAeaUHw


Behaviour analysis
Mutexes
  • Local\MSCTF.Asm.MutexDefault1

Executed commands: no information
Created services: no information
Started services: no information
Processes
______QQ _______________QQ_____________________v5.1.exe PID: 1588, parent PID: 1144
Accessed files
  • C:\Users\test\AppData\Local\Temp\dup2patcher.dll
  • C:\Users\test\AppData\Local\Temp\______QQ _______________QQ_____________________v5.1.exe.Local\
  • C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2
  • C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
  • C:\Windows\WindowsShell.Manifest
  • C:\Windows\Globalization\Sorting\sortdefault.nls
  • C:\Windows\Fonts\staticcache.dat
  • C:\Users\test\AppData\Local\Temp\
  • C:\Users\test\AppData\Local\Temp\9CE5948F6F706809AD1DF3709868DF94.dll
  • \Device\KsecDD

Read files
  • C:\Users\test\AppData\Local\Temp\dup2patcher.dll
  • C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
  • C:\Windows\WindowsShell.Manifest
  • C:\Windows\Globalization\Sorting\sortdefault.nls
  • C:\Windows\Fonts\staticcache.dat
  • C:\Users\test\AppData\Local\Temp\9CE5948F6F706809AD1DF3709868DF94.dll
  • \Device\KsecDD

Modified files
  • C:\Users\test\AppData\Local\Temp\dup2patcher.dll
  • C:\Users\test\AppData\Local\Temp\9CE5948F6F706809AD1DF3709868DF94.dll

Deleted files: no information
Registry keys
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\______QQ _______________QQ_____________________v5.1.exe
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\ExtendedLocale
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\WMR
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\黑体
  • HKEY_LOCAL_MACHINE\Software\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{03B5835F-F03C-411B-9CE2-AA23E1171E36}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{07EB03D6-B001-41DF-9192-BF9B841EE71F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3697C5FA-60DD-4B56-92D4-74A569205C16}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3FC47A08-E5C9-4BCA-A2C7-BC9A282AED14}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{531FDEBF-9B4C-4A43-A2AA-960E8FCDC732}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{78CB5B0E-26ED-4FCC-854C-77E8F3D1AA80}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{81D4E9C9-1D3B-41BC-9E6C-4B40BF79E35E}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{8613E14C-D0C0-4161-AC0F-1DD2563286BC}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{A028AE76-01B1-46C2-99C4-ACD9858AE02F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{AE6BE008-07FB-400D-8BEB-337A64F7051F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{C1EE01F2-B3B6-4A6A-9DDD-E988C088EC82}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{E429B25A-E5D3-4D1F-9BE3-0C608477E3A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F25E9F57-2FC8-4EB3-A41A-CCE5F08541E6}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F89E9E58-BD2F-4008-9AC2-0F816C09F4EE}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_CURRENT_USER
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
  • HKEY_CURRENT_USER\Software\Microsoft\CTF\DirectSwitchHotkeys
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\KnownClasses
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane2
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane3
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane4
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane5
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane6
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane7
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane8
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane9
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane10
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane11
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane12
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane13
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane14
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane15
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane16
  • HKEY_CURRENT_USER\Software\Microsoft\CTF\LayoutIcon\0804\00000804

Read registry keys
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane2
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane3
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane4
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane5
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane6
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane7
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane8
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane9
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane10
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane11
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane12
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane13
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane14
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane15
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane16

Modified registry keys: no information
Deleted registry keys: no information
Resolved APIs
  • lpk.dll.LpkEditControl
  • dup2patcher.dll.load_patcher
  • kernel32.dll.AttachConsole
  • kernel32.dll.SortGetHandle
  • kernel32.dll.SortCloseHandle
  • comctl32.dll.RegisterClassNameW
  • uxtheme.dll.EnableThemeDialogTexture
  • uxtheme.dll.OpenThemeData
  • imm32.dll.ImmGetContext
  • imm32.dll.ImmReleaseContext
  • imm32.dll.ImmAssociateContext
  • imm32.dll.ImmIsIME
  • gdi32.dll.GetLayout
  • gdi32.dll.GdiRealizationInfo
  • gdi32.dll.FontIsLinked
  • advapi32.dll.RegOpenKeyExW
  • advapi32.dll.RegQueryValueExW
  • advapi32.dll.RegCloseKey
  • advapi32.dll.RegQueryValueExA
  • advapi32.dll.RegQueryInfoKeyW
  • advapi32.dll.RegEnumKeyExW
  • gdi32.dll.GetTextFaceAliasW
  • gdi32.dll.GetTextExtentExPointWPri
  • ole32.dll.CoInitializeEx
  • ole32.dll.CoUninitialize
  • cryptbase.dll.SystemFunction036
  • ole32.dll.CoRegisterInitializeSpy
  • ole32.dll.CoRevokeInitializeSpy
  • advapi32.dll.RegEnumValueW
  • gdi32.dll.GetFontAssocStatus
  • oleaut32.dll.SysAllocString
  • oleaut32.dll.SysStringLen
  • oleaut32.dll.SysFreeString
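
The report above shows the classic resource-dropper layout: a 0xf800-byte RT_RCDATA resource at entropy 8.00 inside a .rsrc section at 7.98, a kernel32 import set of FindResourceA/LoadResource/SizeofResource plus GetTempPathA/CreateFileA/WriteFile/LoadLibraryA/GetProcAddress, a dup2patcher.dll written to %TEMP% whose load_patcher export is then resolved (dup2patcher.dll is the runtime of the dUP2 universal patcher generator, which matches the Riskware.Dupatcher and HackTool.Patcher names in the VirusTotal list), and a PE CheckSum field (0x0000ecdd) that disagrees with the recomputed value (0x00018b96). The script below is an added example, not part of the thread or of the Maldun report, that reproduces the static half of that triage on a PE32 file: per-section entropy, the imagehlp checksum recomputation, and a match of the import names against that drop-and-load set. It parses a two-section image constructed in the block itself (hypothetical sizes and bytes, not the analysed sample), so it runs offline; to run it on a real file, pass the file bytes to triage() together with the import names from whatever PE parser you use.

```python
# Added triage script (not from the thread or the Maldun report): parse a PE32 image,
# compute per-section entropy, recompute the header checksum and match the import
# names against the "extract resource, write to %TEMP%, LoadLibrary it" pattern.
# build_sample_pe() constructs a hypothetical image; it is not the analysed sample.
import hashlib
import math
import struct

# kernel32 imports that together implement drop-and-load of an embedded payload
RESOURCE_DROP_APIS = {"FindResourceA", "LoadResource", "SizeofResource",  # locate the blob
                      "GetTempPathA", "CreateFileA", "WriteFile",         # write it to %TEMP%
                      "LoadLibraryA", "GetProcAddress"}                   # load it, call an export
HIGH_ENTROPY = 7.0  # bits per byte; compressed or encrypted data sits close to 8.0


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte, the measure behind the Yara IsPacked (Entropy Check) hit."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pe_checksum(data: bytes, checksum_offset: int) -> int:
    """The imagehlp CheckSumMappedFile algorithm: sum the file as 32-bit words with
    end-around carry, skipping the CheckSum field, fold to 16 bits, add the length."""
    total = 0
    for off in range(0, len(data), 4):
        if off == checksum_offset:
            continue
        total += struct.unpack("<I", data[off:off + 4].ljust(4, b"\0"))[0]
        total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total = (total + (total >> 16)) & 0xFFFF
    return total + len(data)


def parse_pe(data: bytes) -> dict:
    """Read the COFF header, the CheckSum field and the section table of a PE32 file."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    cs_off = opt + 64  # CheckSum sits at the same offset in PE32 and PE32+
    sections = []
    for i in range(nsections):
        hdr = opt + opt_size + i * 40
        name = data[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va, rsize, rptr = struct.unpack_from("<IIII", data, hdr + 8)
        sections.append({"name": name, "va": va, "virtual_size": vsize, "raw_size": rsize,
                         "entropy": round(shannon_entropy(data[rptr:rptr + rsize]), 2)})
    return {"checksum_offset": cs_off,
            "declared_checksum": struct.unpack_from("<I", data, cs_off)[0],
            "actual_checksum": pe_checksum(data, cs_off),
            "sections": sections}


def triage(data: bytes, imports: set) -> dict:
    """Combine the three static indicators the sandbox report surfaces."""
    info = parse_pe(data)
    return {"checksum_mismatch": info["declared_checksum"] != info["actual_checksum"],
            "high_entropy_sections": [s["name"] for s in info["sections"] if s["entropy"] >= HIGH_ENTROPY],
            "resource_drop_apis": sorted(RESOURCE_DROP_APIS & set(imports)),
            "info": info}


def fix_checksum(data: bytes) -> bytes:
    """Return a copy whose CheckSum field holds the value the algorithm actually yields."""
    info = parse_pe(data)
    buf = bytearray(data)
    struct.pack_into("<I", buf, info["checksum_offset"], info["actual_checksum"])
    return bytes(buf)


def build_sample_pe(declared_checksum: int = 0x1234) -> bytes:
    """Constructed two-section PE32 (hypothetical): a tiny .text stub plus a .rsrc
    section of pseudo-random bytes standing in for a compressed payload."""
    text = (b"\x55\x8b\xec\x33\xc0\x5d\xc3" + b"\0" * 0x200)[:0x200]        # near-zero entropy
    rsrc = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))  # 0x1000 bytes, ~7.9 bits/byte
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                         # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)               # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)             # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)           # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)     # SectionAlignment, FileAlignment
    struct.pack_into("<II", opt, 56, 0x3000, 0x200)     # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", opt, 64, declared_checksum)  # deliberately wrong, as in the report
    struct.pack_into("<H", opt, 68, 2)                  # Subsystem: Windows GUI
    sec = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    sec += struct.pack("<8sIIIIIIHHI", b".rsrc", 0x1000, 0x2000, 0x1000, 0x400, 0, 0, 0, 0, 0x40000040)
    return (dos + coff + bytes(opt) + sec).ljust(0x200, b"\0") + text + rsrc


if __name__ == "__main__":
    # Import names copied from the report's kernel32.dll table
    sample_imports = {"DeleteFileA", "ExitProcess", "FindResourceA", "FreeLibrary", "GetModuleHandleA",
                      "GetProcAddress", "GetTempPathA", "LoadLibraryA", "LoadResource", "RtlMoveMemory",
                      "SizeofResource", "VirtualAlloc", "lstrcatA", "CloseHandle", "CreateFileA",
                      "FlushFileBuffers", "WriteFile"}
    for key, value in triage(build_sample_pe(), sample_imports).items():
        print(key, value)
```

A checksum mismatch on its own is weak evidence, since many user-mode linkers leave the field at zero; a non-zero field that is wrong, as in this report, is the more useful signal because it usually means the image was modified after linking, which is exactly what a patch-builder appending its payload resource does. The entropy and import checks carry the weight; together with the %TEMP% write and the load_patcher resolution in the dynamic trace they describe a patcher, which is why the detections split between "Trojan.Generic" and the more precise "HackTool.Patcher" / "Riskware" names.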

KaFan Forum (卡饭论坛), KaFan.cn. Copyright © KaFan. All Rights Reserved.