Maldun Security Analysis Report

Analysis type FILE
Start time 2022-07-04 18:21:32
End time 2022-07-04 18:23:41
Duration 129 seconds
Analysis engine version 1.4-Maldun
VM name win7-sp1-x64-shaapp02-1
Label win7-sp1-x64-shaapp02-1
Hypervisor KVM
Boot time 2022-07-04 18:21:34
Shutdown time 2022-07-04 18:23:41
Maldun score

2.25

Suspicious

File details

File name 8.exe
File size 1007616 bytes
File type PE32 executable (GUI) Intel 80386, for MS Windows
CRC32 234DB6F0
MD5 4d737de82c3c15df0d8eda3c88d11639
SHA1 6c33e493ed3e4b7238aea46ec5ed99635c660d46
SHA256 bf83dc91a4b356331aa8adbcb602ecf3196db6ef9f7a0cb5c8ea78f2f5f89d0a
SHA512 c57b0e8d4a101142f3a321c0063792afdb75bde6b38a02499c20cf584209342b7714c06081270c39cecacb9fc9249b44d4ab278d49c2250781c8858ebc2b419b
Ssdeep 24576:rmUO0Lx6dBImxUuVxzj9blj6/LQNELPvcsEbDP:rmUOHImWeNjJlWM2DU5
PEiD No match
Yara
  • DebuggerTiming__Ticks (Detected timing ticks function)
  • screenshot (Detected take screenshot function)
  • create_process (Detection function for creating a new process)
  • keylogger (Detected keylogger function)
  • win_registry (Detected system registries modification function)
  • change_win_registry (Change registries to affect system)
  • win_files_operation (Affect private profile)
  • win_hook (Detected hook table access function)
  • win_private_profile (Detected private profile access function)
  • Maldun_Anomoly_Combined_Activities_7 (Spotted potential malicious behaviors from a small size target, like process manipulation, privilege, token and files)
  • IsPE32 (Detected a 32bit PE sample)
  • IsWindowsGUI (Detected a Windows GUI sample)
  • IsPacked (Detected Entropy signature)
  • HasRichSignature (Detected Rich Signature)
  • CRC32_poly_Constant (Look for CRC32 [poly])
  • CRC32_table (Look for CRC32 table)
  • MD5_Constants (Look for MD5 constants)
  • with_images (Detected the presence of an or several images)
  • nSpackV2xLiuXingPing ()
VirusTotal VirusTotal lookup failed

Signatures

The binary may contain encrypted or compressed data
section: name: .rdata, entropy: 7.49, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ, raw_size: 0x0005d000, virtual_size: 0x0005c61a
Maldun Yara rule detection results - security alert
Critical: Spotted potential malicious behaviors from a small size target, like process manipulation, privilege, token and files
Creates a hidden file or system file
file: C:\Users\test\AppData\Local\Temp\shark.dll

Runtime screenshots

Network analysis

TCP connections

IP address Port
23.192.228.89 80

UDP connections

IP address Port
192.168.122.1 53

HTTP requests

URL HTTP data
http://acroipm.adobe.com/11/rdr/CHS/win/nooem/none/message.zip
GET /11/rdr/CHS/win/nooem/none/message.zip HTTP/1.1
Accept: */*
If-Modified-Since: Mon, 08 Nov 2017 08:44:36 GMT
User-Agent: IPM
Host: acroipm.adobe.com
Connection: Keep-Alive
Cache-Control: no-cache

Static analysis

PE information

Image base 0x00400000
Entry point 0x00461ce1
Claimed checksum 0x00000000
Actual checksum 0x00102a97
Minimum OS version required 4.0
Compile time 2022-07-04 18:18:26
Import hash fdb6d5e6e0b1a9344cf8a2df770de1e4

PE sections

Name Virtual address Virtual size Raw data size Characteristics Entropy
.text 0x00001000 0x0007fdba 0x00080000 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 6.58
.rdata 0x00081000 0x0005c61a 0x0005d000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 7.49
.data 0x000de000 0x0002ab48 0x00012000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 5.08
.rsrc 0x00109000 0x00005758 0x00006000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 4.26

Imports

Library KERNEL32.dll:
0x481170 - SetEndOfFile
0x481174 - UnlockFile
0x481178 - LockFile
0x48117c - FlushFileBuffers
0x481180 - SetFilePointer
0x481184 - DuplicateHandle
0x481188 - lstrcpynA
0x48118c - SetLastError
0x481190 - FileTimeToLocalFileTime
0x481194 - FileTimeToSystemTime
0x481198 - LocalFree
0x48119c - InterlockedDecrement
0x4811a0 - GetCurrentProcess
0x4811a4 - CreateSemaphoreA
0x4811a8 - ResumeThread
0x4811ac - ReleaseSemaphore
0x4811b0 - EnterCriticalSection
0x4811b4 - LeaveCriticalSection
0x4811b8 - GetProfileStringA
0x4811bc - SetStdHandle
0x4811c0 - IsBadCodePtr
0x4811c4 - IsBadReadPtr
0x4811c8 - CompareStringW
0x4811cc - CompareStringA
0x4811d0 - SetUnhandledExceptionFilter
0x4811d4 - GetStringTypeW
0x4811d8 - GetStringTypeA
0x4811dc - IsBadWritePtr
0x4811e0 - VirtualAlloc
0x4811e4 - LCMapStringW
0x4811e8 - LCMapStringA
0x4811ec - SetEnvironmentVariableA
0x4811f0 - VirtualFree
0x4811f4 - HeapCreate
0x4811f8 - HeapDestroy
0x4811fc - GetEnvironmentVariableA
0x481200 - GetFileType
0x481204 - GetStdHandle
0x481208 - SetHandleCount
0x48120c - GetEnvironmentStringsW
0x481210 - GetEnvironmentStrings
0x481214 - FreeEnvironmentStringsW
0x481218 - FreeEnvironmentStringsA
0x48121c - UnhandledExceptionFilter
0x481220 - GetACP
0x481224 - HeapSize
0x481228 - TerminateProcess
0x48122c - GetLocalTime
0x481230 - GetSystemTime
0x481234 - GetTimeZoneInformation
0x481238 - RaiseException
0x48123c - WriteFile
0x481240 - WaitForMultipleObjects
0x481244 - CreateFileA
0x481248 - SetEvent
0x48124c - FindResourceA
0x481250 - LoadResource
0x481254 - LockResource
0x481258 - ReadFile
0x48125c - GetModuleFileNameA
0x481260 - WideCharToMultiByte
0x481264 - MultiByteToWideChar
0x481268 - GetCurrentThreadId
0x48126c - ExitProcess
0x481270 - GlobalSize
0x481274 - GlobalFree
0x481278 - DeleteCriticalSection
0x48127c - InitializeCriticalSection
0x481280 - lstrcatA
0x481284 - lstrlenA
0x481288 - WinExec
0x48128c - lstrcpyA
0x481290 - FindNextFileA
0x481294 - GlobalReAlloc
0x481298 - HeapFree
0x48129c - HeapReAlloc
0x4812a0 - GetProcessHeap
0x4812a4 - HeapAlloc
0x4812a8 - GetFullPathNameA
0x4812ac - FreeLibrary
0x4812b0 - LoadLibraryA
0x4812b4 - GetLastError
0x4812b8 - GetVersionExA
0x4812bc - WritePrivateProfileStringA
0x4812c0 - CreateThread
0x4812c4 - CreateEventA
0x4812c8 - Sleep
0x4812cc - GlobalAlloc
0x4812d0 - GlobalLock
0x4812d4 - GlobalUnlock
0x4812d8 - FindFirstFileA
0x4812dc - FindClose
0x4812e0 - SetFileAttributesA
0x4812e4 - GetFileAttributesA
0x4812e8 - RtlUnwind
0x4812ec - GetStartupInfoA
0x4812f0 - GetOEMCP
0x4812f4 - GetCPInfo
0x4812f8 - GetProcessVersion
0x4812fc - SetErrorMode
0x481300 - GlobalFlags
0x481304 - GetCurrentThread
0x481308 - GetFileTime
0x48130c - GetFileSize
0x481310 - TlsGetValue
0x481314 - LocalReAlloc
0x481318 - TlsSetValue
0x48131c - TlsFree
0x481320 - GlobalHandle
0x481324 - TlsAlloc
0x481328 - LocalAlloc
0x48132c - lstrcmpA
0x481330 - DeleteFileA
0x481334 - SetCurrentDirectoryA
0x481338 - GetVolumeInformationA
0x48133c - GetModuleHandleA
0x481340 - GetProcAddress
0x481344 - MulDiv
0x481348 - GetCommandLineA
0x48134c - GetTickCount
0x481350 - WaitForSingleObject
0x481354 - CloseHandle
0x481358 - lstrcmpiA
0x48135c - GlobalDeleteAtom
0x481360 - GetVersion
0x481364 - GlobalGetAtomNameA
0x481368 - GlobalAddAtomA
0x48136c - GlobalFindAtomA
0x481370 - InterlockedIncrement
Library USER32.dll:
0x481394 - RegisterClassA
0x481398 - wsprintfA
0x48139c - CloseClipboard
0x4813a0 - GetClipboardData
0x4813a4 - OpenClipboard
0x4813a8 - SetClipboardData
0x4813ac - EmptyClipboard
0x4813b0 - GetSystemMetrics
0x4813b4 - GetCursorPos
0x4813b8 - MessageBoxA
0x4813bc - SetWindowPos
0x4813c0 - SendMessageA
0x4813c4 - DestroyCursor
0x4813c8 - SetParent
0x4813cc - IsWindow
0x4813d0 - PostMessageA
0x4813d4 - GetTopWindow
0x4813d8 - GetParent
0x4813dc - GetFocus
0x4813e0 - GetClientRect
0x4813e4 - InvalidateRect
0x4813e8 - ValidateRect
0x4813ec - UpdateWindow
0x4813f0 - EqualRect
0x4813f4 - GetWindowRect
0x4813f8 - SetForegroundWindow
0x4813fc - DestroyMenu
0x481400 - IsChild
0x481404 - ReleaseDC
0x481408 - IsRectEmpty
0x48140c - FillRect
0x481410 - GetDC
0x481414 - SetCursor
0x481418 - LoadCursorA
0x48141c - SetCursorPos
0x481420 - SetActiveWindow
0x481424 - GetSysColor
0x481428 - SetWindowLongA
0x48142c - GetWindowLongA
0x481430 - RedrawWindow
0x481434 - EnableWindow
0x481438 - IsWindowVisible
0x48143c - OffsetRect
0x481440 - PtInRect
0x481444 - DestroyIcon
0x481448 - IntersectRect
0x48144c - InflateRect
0x481450 - SetRect
0x481454 - SetScrollPos
0x481458 - SetScrollRange
0x48145c - GetScrollRange
0x481460 - SetCapture
0x481464 - GetCapture
0x481468 - ReleaseCapture
0x48146c - SetTimer
0x481470 - KillTimer
0x481474 - GetForegroundWindow
0x481478 - LoadIconA
0x48147c - TranslateMessage
0x481480 - DrawFrameControl
0x481484 - DrawEdge
0x481488 - DrawFocusRect
0x48148c - WindowFromPoint
0x481490 - GetMessageA
0x481494 - DispatchMessageA
0x481498 - SetRectEmpty
0x48149c - RegisterClipboardFormatA
0x4814a0 - CreateIconFromResourceEx
0x4814a4 - CreateIconFromResource
0x4814a8 - DrawIconEx
0x4814ac - CreatePopupMenu
0x4814b0 - AppendMenuA
0x4814b4 - ModifyMenuA
0x4814b8 - CreateMenu
0x4814bc - CreateAcceleratorTableA
0x4814c0 - GetDlgCtrlID
0x4814c4 - GetSubMenu
0x4814c8 - EnableMenuItem
0x4814cc - ClientToScreen
0x4814d0 - EnumDisplaySettingsA
0x4814d4 - LoadImageA
0x4814d8 - SystemParametersInfoA
0x4814dc - ShowWindow
0x4814e0 - IsWindowEnabled
0x4814e4 - TranslateAcceleratorA
0x4814e8 - GetKeyState
0x4814ec - CopyAcceleratorTableA
0x4814f0 - PostQuitMessage
0x4814f4 - IsZoomed
0x4814f8 - GetClassInfoA
0x4814fc - DefWindowProcA
0x481500 - GetSystemMenu
0x481504 - DeleteMenu
0x481508 - GetMenu
0x48150c - SetMenu
0x481510 - GetWindowTextA
0x481514 - GetWindowTextLengthA
0x481518 - CharUpperA
0x48151c - GetWindowDC
0x481520 - BeginPaint
0x481524 - EndPaint
0x481528 - TabbedTextOutA
0x48152c - DrawTextA
0x481530 - GrayStringA
0x481534 - GetDlgItem
0x481538 - DestroyWindow
0x48153c - CreateDialogIndirectParamA
0x481540 - EndDialog
0x481544 - GetNextDlgTabItem
0x481548 - GetWindowPlacement
0x48154c - RegisterWindowMessageA
0x481550 - GetLastActivePopup
0x481554 - GetMessageTime
0x481558 - RemovePropA
0x48155c - CallWindowProcA
0x481560 - GetPropA
0x481564 - UnhookWindowsHookEx
0x481568 - SetPropA
0x48156c - GetClassLongA
0x481570 - CallNextHookEx
0x481574 - SetWindowsHookExA
0x481578 - CreateWindowExA
0x48157c - GetMenuItemID
0x481580 - GetMenuItemCount
0x481584 - UnregisterClassA
0x481588 - GetScrollPos
0x48158c - AdjustWindowRectEx
0x481590 - MapWindowPoints
0x481594 - SendDlgItemMessageA
0x481598 - ScrollWindowEx
0x48159c - IsDialogMessageA
0x4815a0 - SetWindowTextA
0x4815a4 - MoveWindow
0x4815a8 - CheckMenuItem
0x4815ac - SetMenuItemBitmaps
0x4815b0 - GetMenuState
0x4815b4 - GetMenuCheckMarkDimensions
0x4815b8 - GetClassNameA
0x4815bc - GetDesktopWindow
0x4815c0 - LoadStringA
0x4815c4 - GetSysColorBrush
0x4815c8 - PeekMessageA
0x4815cc - IsIconic
0x4815d0 - SetFocus
0x4815d4 - GetActiveWindow
0x4815d8 - GetWindow
0x4815dc - DestroyAcceleratorTable
0x4815e0 - SetWindowRgn
0x4815e4 - GetMessagePos
0x4815e8 - ScreenToClient
0x4815ec - ChildWindowFromPointEx
0x4815f0 - CopyRect
0x4815f4 - LoadBitmapA
0x4815f8 - WinHelpA
Library GDI32.dll:
0x481024 - SelectClipRgn
0x481028 - DeleteObject
0x48102c - CreateDIBitmap
0x481030 - GetSystemPaletteEntries
0x481034 - CreatePalette
0x481038 - StretchBlt
0x48103c - SelectPalette
0x481040 - RealizePalette
0x481044 - GetDIBits
0x481048 - GetWindowExtEx
0x48104c - GetViewportOrgEx
0x481050 - GetWindowOrgEx
0x481054 - BeginPath
0x481058 - EndPath
0x48105c - PathToRegion
0x481060 - CreateEllipticRgn
0x481064 - CreateRoundRectRgn
0x481068 - GetTextColor
0x48106c - GetBkMode
0x481070 - GetBkColor
0x481074 - GetROP2
0x481078 - GetStretchBltMode
0x48107c - GetPolyFillMode
0x481080 - CreateCompatibleBitmap
0x481084 - CreateDCA
0x481088 - CreateBitmap
0x48108c - SelectObject
0x481090 - GetObjectA
0x481094 - CreatePen
0x481098 - PatBlt
0x48109c - CombineRgn
0x4810a0 - CreatePolygonRgn
0x4810a4 - FillRgn
0x4810a8 - CreateSolidBrush
0x4810ac - GetStockObject
0x4810b0 - CreateFontIndirectA
0x4810b4 - EndPage
0x4810b8 - EndDoc
0x4810bc - DeleteDC
0x4810c0 - StartDocA
0x4810c4 - StartPage
0x4810c8 - BitBlt
0x4810cc - CreateCompatibleDC
0x4810d0 - Ellipse
0x4810d4 - Rectangle
0x4810d8 - LPtoDP
0x4810dc - DPtoLP
0x4810e0 - GetCurrentObject
0x4810e4 - RoundRect
0x4810e8 - GetTextExtentPoint32A
0x4810ec - GetDeviceCaps
0x4810f0 - SaveDC
0x4810f4 - RestoreDC
0x4810f8 - SetBkMode
0x4810fc - SetPolyFillMode
0x481100 - SetROP2
0x481104 - SetTextColor
0x481108 - SetMapMode
0x48110c - SetViewportOrgEx
0x481110 - OffsetViewportOrgEx
0x481114 - SetViewportExtEx
0x481118 - ScaleViewportExtEx
0x48111c - SetWindowOrgEx
0x481120 - SetWindowExtEx
0x481124 - ScaleWindowExtEx
0x481128 - GetClipBox
0x48112c - ExcludeClipRect
0x481130 - MoveToEx
0x481134 - LineTo
0x481138 - GetClipRgn
0x48113c - SetStretchBltMode
0x481140 - CreateRectRgnIndirect
0x481144 - SetBkColor
0x481148 - CreateRectRgn
0x48114c - GetTextMetricsA
0x481150 - Escape
0x481154 - ExtTextOutA
0x481158 - TextOutA
0x48115c - RectVisible
0x481160 - PtVisible
0x481164 - GetViewportExtEx
0x481168 - ExtSelectClipRgn
Library WINMM.dll:
0x481600 - midiStreamRestart
0x481604 - midiStreamClose
0x481608 - midiOutReset
0x48160c - midiStreamStop
0x481610 - midiStreamOut
0x481614 - midiOutPrepareHeader
0x481618 - midiStreamProperty
0x48161c - midiStreamOpen
0x481620 - midiOutUnprepareHeader
0x481624 - waveOutOpen
0x481628 - waveOutGetNumDevs
0x48162c - waveOutClose
0x481630 - waveOutReset
0x481634 - waveOutPause
0x481638 - waveOutWrite
0x48163c - waveOutPrepareHeader
0x481640 - waveOutUnprepareHeader
Library WINSPOOL.DRV:
0x481648 - ClosePrinter
0x48164c - DocumentPropertiesA
0x481650 - OpenPrinterA
Library ADVAPI32.dll:
0x481000 - RegCloseKey
0x481004 - RegOpenKeyExA
0x481008 - RegSetValueExA
0x48100c - RegQueryValueA
0x481010 - RegCreateKeyExA
Library SHELL32.dll:
0x481388 - ShellExecuteA
0x48138c - Shell_NotifyIconA
Library ole32.dll:
0x481694 - OleInitialize
0x481698 - OleUninitialize
0x48169c - CLSIDFromString
Library OLEAUT32.dll:
0x481378 - UnRegisterTypeLib
0x48137c - RegisterTypeLib
0x481380 - LoadTypeLib
Library COMCTL32.dll:
0x481018 - ImageList_Destroy
0x48101c - None
Library WS2_32.dll:
0x481658 - recvfrom
0x48165c - ioctlsocket
0x481660 - recv
0x481664 - getpeername
0x481668 - accept
0x48166c - WSAAsyncSelect
0x481670 - closesocket
0x481674 - inet_ntoa
0x481678 - WSACleanup
Library comdlg32.dll:
0x481680 - GetFileTitleA
0x481684 - GetSaveFileNameA
0x481688 - GetOpenFileNameA
0x48168c - ChooseColorA

Dropped files

No information

Behavioral analysis

Mutexes
  • Local\MSCTF.Asm.MutexDefault1
Commands executed No information
Services created No information
Services started No information

Processes

8.exe PID: 2484, parent PID: 2172

Files accessed
  • C:\Windows\Globalization\Sorting\sortdefault.nls
  • C:\Windows\Fonts\staticcache.dat
  • C:\Users\test\AppData\Local\Temp\shark.dll
  • C:\
  • C:\Users\test\AppData\Local\Temp\Sandy.dll
Files read
  • C:\Windows\Globalization\Sorting\sortdefault.nls
  • C:\Windows\Fonts\staticcache.dat
Files modified
  • C:\Users\test\AppData\Local\Temp\shark.dll
Files deleted No information
Registry keys
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\ExtendedLocale
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane2
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane3
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane4
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane5
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane6
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane7
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane8
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane9
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane10
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane11
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane12
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane13
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane14
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane15
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane16
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\WMR
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\8.exe
  • HKEY_LOCAL_MACHINE\Software\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{03B5835F-F03C-411B-9CE2-AA23E1171E36}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{07EB03D6-B001-41DF-9192-BF9B841EE71F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3697C5FA-60DD-4B56-92D4-74A569205C16}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3FC47A08-E5C9-4BCA-A2C7-BC9A282AED14}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{531FDEBF-9B4C-4A43-A2AA-960E8FCDC732}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{78CB5B0E-26ED-4FCC-854C-77E8F3D1AA80}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{81D4E9C9-1D3B-41BC-9E6C-4B40BF79E35E}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{8613E14C-D0C0-4161-AC0F-1DD2563286BC}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{A028AE76-01B1-46C2-99C4-ACD9858AE02F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{AE6BE008-07FB-400D-8BEB-337A64F7051F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{C1EE01F2-B3B6-4A6A-9DDD-E988C088EC82}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{E429B25A-E5D3-4D1F-9BE3-0C608477E3A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F25E9F57-2FC8-4EB3-A41A-CCE5F08541E6}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F89E9E58-BD2F-4008-9AC2-0F816C09F4EE}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_CURRENT_USER
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
  • HKEY_CURRENT_USER\Software\Microsoft\CTF\DirectSwitchHotkeys
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
  • HKEY_CURRENT_USER\Software\Microsoft\CTF\LayoutIcon\0804\00000804
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\KnownClasses
Registry keys read
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane2
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane3
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane4
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane5
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane6
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane7
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane8
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane9
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane10
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane11
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane12
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane13
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane14
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane15
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane16
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
Registry keys modified No information
Registry keys deleted No information
API resolutions
  • kernel32.dll.IsProcessorFeaturePresent
  • cryptbase.dll.SystemFunction036
  • kernel32.dll.SortGetHandle
  • kernel32.dll.SortCloseHandle
  • comctl32.dll.RegisterClassNameW
  • uxtheme.dll.EnableThemeDialogTexture
  • uxtheme.dll.OpenThemeData
  • imm32.dll.ImmIsIME
  • gdi32.dll.GetLayout
  • gdi32.dll.GdiRealizationInfo
  • gdi32.dll.FontIsLinked
  • advapi32.dll.RegOpenKeyExW
  • advapi32.dll.RegQueryInfoKeyW
  • gdi32.dll.GetTextFaceAliasW
  • advapi32.dll.RegEnumValueW
  • advapi32.dll.RegCloseKey
  • advapi32.dll.RegQueryValueExW
  • advapi32.dll.RegQueryValueExA
  • advapi32.dll.RegEnumKeyExW
  • gdi32.dll.GetTextExtentExPointWPri
  • ole32.dll.CoInitializeEx
  • ole32.dll.CoUninitialize
  • ole32.dll.CoRegisterInitializeSpy
  • ole32.dll.CoRevokeInitializeSpy
  • user32.dll.GetSystemMetrics
  • user32.dll.MonitorFromWindow
  • user32.dll.MonitorFromRect
  • user32.dll.MonitorFromPoint
  • user32.dll.EnumDisplayMonitors
  • user32.dll.GetMonitorInfoA
  • gdi32.dll.GetFontAssocStatus
  • oleaut32.dll.SysAllocString
  • oleaut32.dll.SysStringLen
  • oleaut32.dll.SysFreeString