Maldun Security Analysis Report

Analysis type: FILE
Start time: 2024-04-19 13:51:39
End time: 2024-04-19 13:53:48
Duration: 129 seconds
Analysis engine version: 1.4-Maldun

VM name: win7-sp1-x64-shaapp03-1
Tag: win7-sp1-x64-shaapp03-1
Hypervisor: KVM
Boot time: 2024-04-19 13:51:39
Shutdown time: 2024-04-19 13:53:49
Maldun Score

5.95

Suspicious

File Details

File name 自动准备挂机.exe
File size 1187840 bytes
File type PE32 executable (GUI) Intel 80386, for MS Windows
CRC32 CD423F40
MD5 ca6682337b4b31d92dcc3780f680ff6f
SHA1 95cf1da5ee2b2b9abcbc915e4b655e3a22276753
SHA256 8ac7ef2adca33efe2910222c54bf0cb3313069a8aa27d3dd41cd9197a0d53e37
SHA512 3b0ff637225bb3ed0818a398abaf7154f79ed430761dc13eaab4f23e71f055a41bb1d93b0eb4c35678acecfcbaedbf27df4c21309ac06279695391727d3b3b5b
Ssdeep 24576:DlE8u23m1pR7RAQHU4lGIOCHBIZZ40Q58vnt:DX38Rx+ChCQe
PEiD No match
Yara
  • CRC32_poly_Constant (Look for CRC32 [poly])
  • CRC32_table (Look for CRC32 table)
  • MD5_Constants (Look for MD5 constants)
  • IsPE32 (Detected a 32bit PE sample)
  • IsWindowsGUI (Detected a Windows GUI sample)
  • HasRichSignature (Detected Rich Signature)
  • DebuggerCheck__QueryInfo ()
  • DebuggerTiming__Ticks (Detected timing ticks function)
  • win_mutex (Create or check mutex)
  • screenshot (Detected take screenshot function)
  • create_process (Detection function for creating a new process)
  • keylogger (Detected keylogger function)
  • win_registry (Detected system registries modification function)
  • change_win_registry (Change registries to affect system)
  • win_files_operation (Affect private profile)
  • win_hook (Detected hook table access function)
  • win_private_profile (Detected private profile access function)
  • Maldun_Anomoly_Combined_Activities_7 (Spotted potential malicious behaviors from a small size target, like process manipulation, privilege, token and files)
VirusTotal VirusTotal lookup failed

Signatures

Creates RWX memory
Binary may contain encrypted or compressed data
section: name: .data, entropy: 6.88, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE, raw_size: 0x00081000, virtual_size: 0x0009c23e
Proprietary Yara rule detection result - High risk
Critical: Spotted potential malicious behaviors from a small size target, like process manipulation, privilege, token and files

Screenshots

Network Analysis

TCP connections

IP address Port
104.114.76.144 80

UDP connections

IP address Port
192.168.122.1 53

HTTP requests

URL HTTP data
http://acroipm.adobe.com/11/rdr/CHS/win/nooem/none/message.zip
GET /11/rdr/CHS/win/nooem/none/message.zip HTTP/1.1
Accept: */*
If-Modified-Since: Mon, 08 Nov 2017 08:44:36 GMT
User-Agent: IPM
Host: acroipm.adobe.com
Connection: Keep-Alive
Cache-Control: no-cache

Static Analysis

PE Info

Image base 0x00400000
Entry point 0x004859f0
Declared checksum 0x00000000
Actual checksum 0x001285a2
Minimum OS version required 4.0
Compile time 2024-04-18 17:11:49
Import hash a6d76d9d5d8488a907b5ed0e17a34239

Version Info

LegalCopyright: \xe4\xe8\xe7\xe6\xe6\xe6 \xe8\xe5\xe9\xe5\xe4\xe7\xe6\xe7
FileVersion: 1.0.0.0
Comments: \xe6\xe7\xe5\xe4\xe7\xe6\xe8\xe8\xe7\xe5(http://www.eyuyan.com)
ProductName: \xe6\xe8\xe8\xe7\xe5
ProductVersion: 1.0.0.0
FileDescription: \xe6\xe8\xe8\xe7\xe5
Translation: 0x0804 0x04b0

PE Sections

Name Virtual address Virtual size Raw data size Characteristics Entropy
.text 0x00001000 0x00098fde 0x00099000 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 6.18
.rdata 0x0009a000 0x00005836 0x00006000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 4.78
.data 0x000a0000 0x0009c23e 0x00081000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 6.88
.rsrc 0x0013d000 0x00000298 0x00001000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 3.51

Resources

Name Offset Size Language Sublanguage Entropy File type
RT_VERSION 0x0013d058 0x00000240 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 3.83 data

Imports

Library SHLWAPI.dll:
0x49a28c - PathFileExistsA
0x49a290 - PathIsDirectoryA
Library WS2_32.dll:
0x49a4a0 - WSACleanup
Library KERNEL32.dll:
0x49a0b0 - LoadLibraryA
0x49a0b4 - GetProcAddress
0x49a0b8 - FreeLibrary
0x49a0bc - GetCommandLineA
0x49a0c0 - LCMapStringA
0x49a0c4 - GetEnvironmentVariableA
0x49a0c8 - DeleteFileA
0x49a0cc - WriteFile
0x49a0d0 - CreateFileA
0x49a0d4 - GetFileSize
0x49a0d8 - ReadFile
0x49a0dc - CloseHandle
0x49a0e0 - GlobalAlloc
0x49a0e4 - GlobalLock
0x49a0e8 - GlobalFree
0x49a0ec - MultiByteToWideChar
0x49a0f0 - Sleep
0x49a0f4 - GetTickCount
0x49a0f8 - GetModuleFileNameA
0x49a0fc - IsBadReadPtr
0x49a100 - HeapReAlloc
0x49a104 - ExitProcess
0x49a108 - InterlockedExchange
0x49a10c - SetStdHandle
0x49a110 - IsBadCodePtr
0x49a114 - GetStringTypeW
0x49a118 - GetStringTypeA
0x49a11c - SetUnhandledExceptionFilter
0x49a120 - LCMapStringW
0x49a124 - IsBadWritePtr
0x49a128 - VirtualAlloc
0x49a12c - VirtualFree
0x49a130 - GetFileType
0x49a134 - GetStdHandle
0x49a138 - SetHandleCount
0x49a13c - GetEnvironmentStringsW
0x49a140 - GetEnvironmentStrings
0x49a144 - FreeEnvironmentStringsW
0x49a148 - FreeEnvironmentStringsA
0x49a14c - UnhandledExceptionFilter
0x49a150 - GetACP
0x49a154 - HeapSize
0x49a158 - RaiseException
0x49a15c - RtlUnwind
0x49a160 - GetStartupInfoA
0x49a164 - GetOEMCP
0x49a168 - GetCPInfo
0x49a16c - SetErrorMode
0x49a170 - GetProcessVersion
0x49a174 - GlobalGetAtomNameA
0x49a178 - GetModuleHandleA
0x49a17c - GetSystemInfo
0x49a180 - CreateMutexA
0x49a184 - GlobalAddAtomA
0x49a188 - GlobalFindAtomA
0x49a18c - WritePrivateProfileStringA
0x49a190 - GlobalFlags
0x49a194 - TlsGetValue
0x49a198 - LocalReAlloc
0x49a19c - CreateEventA
0x49a1a0 - GlobalSize
0x49a1a4 - lstrcpyn
0x49a1a8 - GlobalUnlock
0x49a1ac - GetSystemDirectoryA
0x49a1b0 - GetTempPathA
0x49a1b4 - HeapCreate
0x49a1b8 - RtlZeroMemory
0x49a1bc - HeapDestroy
0x49a1c0 - HeapFree
0x49a1c4 - HeapAlloc
0x49a1c8 - GetProcessHeap
0x49a1cc - ReleaseMutex
0x49a1d0 - RtlMoveMemory
0x49a1d4 - WideCharToMultiByte
0x49a1d8 - QueryDosDeviceA
0x49a1dc - GetLogicalDriveStringsA
0x49a1e0 - TerminateProcess
0x49a1e4 - Process32Next
0x49a1e8 - Process32First
0x49a1ec - CreateToolhelp32Snapshot
0x49a1f0 - SetFilePointer
0x49a1f4 - GetLastError
0x49a1f8 - GetCurrentProcess
0x49a1fc - GetVersionExA
0x49a200 - OpenProcess
0x49a204 - lstrcpyA
0x49a208 - lstrlenA
0x49a20c - SetLastError
0x49a210 - lstrcatA
0x49a214 - LockResource
0x49a218 - LoadResource
0x49a21c - FindResourceA
0x49a220 - GetVersion
0x49a224 - GetCurrentThreadId
0x49a228 - GetCurrentThread
0x49a22c - lstrcmpiA
0x49a230 - lstrcmpA
0x49a234 - GlobalDeleteAtom
0x49a238 - InterlockedIncrement
0x49a23c - InterlockedDecrement
0x49a240 - MulDiv
0x49a244 - LocalFree
0x49a248 - FlushFileBuffers
0x49a24c - lstrcpynA
0x49a250 - LocalAlloc
0x49a254 - InitializeCriticalSection
0x49a258 - TlsAlloc
0x49a25c - DeleteCriticalSection
0x49a260 - GlobalHandle
0x49a264 - TlsFree
0x49a268 - LeaveCriticalSection
0x49a26c - GlobalReAlloc
0x49a270 - EnterCriticalSection
0x49a274 - TlsSetValue
Library USER32.dll:
0x49a298 - GetWindowThreadProcessId
0x49a29c - FindWindowA
0x49a2a0 - SystemParametersInfoA
0x49a2a4 - UpdateWindow
0x49a2a8 - SetWindowLongA
0x49a2ac - GetWindowTextA
0x49a2b0 - GetWindowLongA
0x49a2b4 - IsWindowVisible
0x49a2b8 - PtInRect
0x49a2bc - GetWindow
0x49a2c0 - GetParent
0x49a2c4 - PostQuitMessage
0x49a2c8 - PostMessageA
0x49a2cc - SetCursor
0x49a2d0 - SetWindowsHookExA
0x49a2d4 - ValidateRect
0x49a2d8 - CallNextHookEx
0x49a2dc - GetKeyState
0x49a2e0 - GetActiveWindow
0x49a2e4 - GetNextDlgTabItem
0x49a2e8 - GetFocus
0x49a2ec - CheckMenuItem
0x49a2f0 - SetMenuItemBitmaps
0x49a2f4 - ModifyMenuA
0x49a2f8 - GetMenuState
0x49a2fc - LoadBitmapA
0x49a300 - GetMenuCheckMarkDimensions
0x49a304 - RegisterClipboardFormatA
0x49a308 - ClientToScreen
0x49a30c - TabbedTextOutA
0x49a310 - DrawTextA
0x49a314 - GrayStringA
0x49a318 - UnhookWindowsHookEx
0x49a31c - DestroyWindow
0x49a320 - CreateDialogIndirectParamA
0x49a324 - EndDialog
0x49a328 - GetDlgCtrlID
0x49a32c - SetWindowTextA
0x49a330 - GetMenuItemCount
0x49a334 - SendDlgItemMessageA
0x49a338 - IsDialogMessageA
0x49a33c - SetFocus
0x49a340 - GetWindowPlacement
0x49a344 - RegisterWindowMessageA
0x49a348 - SetForegroundWindow
0x49a34c - GetForegroundWindow
0x49a350 - GetMessagePos
0x49a354 - GetMessageTime
0x49a358 - DefWindowProcA
0x49a35c - RemovePropA
0x49a360 - CallWindowProcA
0x49a364 - GetPropA
0x49a368 - SetPropA
0x49a36c - GetClassLongA
0x49a370 - CreateWindowExA
0x49a374 - RegisterClassA
0x49a378 - GetClassInfoA
0x49a37c - WinHelpA
0x49a380 - GetCapture
0x49a384 - GetTopWindow
0x49a388 - CopyRect
0x49a38c - GetClientRect
0x49a390 - AdjustWindowRectEx
0x49a394 - GetSysColor
0x49a398 - MapWindowPoints
0x49a39c - LoadIconA
0x49a3a0 - LoadCursorA
0x49a3a4 - GetSysColorBrush
0x49a3a8 - LoadStringA
0x49a3ac - UnregisterClassA
0x49a3b0 - PostThreadMessageA
0x49a3b4 - DestroyMenu
0x49a3b8 - GetClassNameA
0x49a3bc - IsWindow
0x49a3c0 - SendMessageA
0x49a3c4 - SetKeyboardState
0x49a3c8 - GetWindowInfo
0x49a3cc - SendInput
0x49a3d0 - SetWinEventHook
0x49a3d4 - UnhookWinEvent
0x49a3d8 - DrawIcon
0x49a3dc - EnumDisplaySettingsA
0x49a3e0 - WindowFromDC
0x49a3e4 - MessageBoxA
0x49a3e8 - wsprintfA
0x49a3ec - DispatchMessageA
0x49a3f0 - TranslateMessage
0x49a3f4 - GetAsyncKeyState
0x49a3f8 - IsIconic
0x49a3fc - ShowWindow
0x49a400 - IsWindowEnabled
0x49a404 - EnableMenuItem
0x49a408 - RedrawWindow
0x49a40c - GetWindowRect
0x49a410 - GetAncestor
0x49a414 - GetMenuBarInfo
0x49a418 - WindowFromPoint
0x49a41c - SetActiveWindow
0x49a420 - SwitchToThisWindow
0x49a424 - SetWindowPos
0x49a428 - FindWindowExA
0x49a42c - IsZoomed
0x49a430 - GetWindowDC
0x49a434 - ReleaseDC
0x49a438 - GetDlgItem
0x49a43c - GetCursorInfo
0x49a440 - ChildWindowFromPointEx
0x49a444 - GetDC
0x49a448 - FillRect
0x49a44c - DrawIconEx
0x49a450 - EnableWindow
0x49a454 - GetLastActivePopup
0x49a458 - GetScrollInfo
0x49a45c - GetMenu
0x49a460 - GetSubMenu
0x49a464 - GetMenuItemID
0x49a468 - GetMenuStringA
0x49a46c - MoveWindow
0x49a470 - MessageBoxTimeoutW
0x49a474 - MapVirtualKeyA
0x49a478 - GetSystemMetrics
0x49a47c - GetCursorPos
0x49a480 - PeekMessageA
0x49a484 - GetMessageA
0x49a488 - AttachThreadInput
Library GDI32.dll:
0x49a024 - DeleteDC
0x49a028 - GetDeviceCaps
0x49a02c - GetClipBox
0x49a030 - ScaleWindowExtEx
0x49a034 - SetWindowExtEx
0x49a038 - ScaleViewportExtEx
0x49a03c - SetViewportExtEx
0x49a040 - OffsetViewportOrgEx
0x49a044 - SetViewportOrgEx
0x49a048 - SetMapMode
0x49a04c - SetTextColor
0x49a050 - SetBkColor
0x49a054 - RestoreDC
0x49a058 - SaveDC
0x49a05c - Escape
0x49a060 - ExtTextOutA
0x49a064 - TextOutA
0x49a068 - RectVisible
0x49a06c - PtVisible
0x49a070 - SelectObject
0x49a074 - Rectangle
0x49a078 - CreateCompatibleDC
0x49a07c - CreateSolidBrush
0x49a080 - CreateDIBSection
0x49a084 - BitBlt
0x49a088 - GetDIBits
0x49a08c - GetStockObject
0x49a090 - CreateDIBitmap
0x49a094 - GetTextExtentPoint32A
0x49a098 - CreateBitmap
0x49a09c - GetCurrentObject
0x49a0a0 - StretchBlt
0x49a0a4 - GetObjectA
0x49a0a8 - DeleteObject
Library ADVAPI32.dll:
0x49a000 - RegCreateKeyExA
0x49a004 - RegOpenKeyA
0x49a008 - RegQueryValueExA
0x49a00c - RegCloseKey
0x49a010 - RegOpenKeyExA
0x49a014 - RegSetValueExA
Library SHELL32.dll:
0x49a284 - SHAppBarMessage
Library ole32.dll:
0x49a4e4 - OleInitialize
0x49a4e8 - OleUninitialize
0x49a4ec - CoFreeUnusedLibraries
0x49a4f0 - CoRevokeClassObject
0x49a4f4 - OleFlushClipboard
0x49a4f8 - OleIsCurrentClipboard
0x49a4fc - CreateStreamOnHGlobal
0x49a500 - CoRegisterMessageFilter
Library gdiplus.dll:
0x49a4a8 - GdipDisposeImage
0x49a4ac - GdipDeleteGraphics
0x49a4b0 - GdiplusShutdown
0x49a4b4 - GdipDrawImageRectRect
0x49a4b8 - GdipFillRectangle
0x49a4bc - GdipGetImageGraphicsContext
0x49a4c0 - GdipCreateBitmapFromScan0
0x49a4c4 - GdipSaveImageToStream
0x49a4c8 - GdipGetImageWidth
0x49a4cc - GdipCreateSolidFill
0x49a4d0 - GdipDeleteBrush
0x49a4d4 - GdipCreateBitmapFromStream
0x49a4d8 - GdiplusStartup
0x49a4dc - GdipGetImageHeight
Library oledlg.dll:
0x49a508 - None
Library OLEAUT32.dll:
0x49a27c - VariantTimeToSystemTime
Library WINSPOOL.DRV:
0x49a490 - DocumentPropertiesA
0x49a494 - ClosePrinter
0x49a498 - OpenPrinterA
Library COMCTL32.dll:
0x49a01c - None

Dropped Files

No information

Behavioral Analysis

Mutexes
  • Local\MSCTF.Asm.MutexDefault1
Executed commands No information
Created services No information
Started services No information

Processes

__________________.exe PID: 2628, parent PID: 2248

Files accessed
  • C:\Users\test\AppData\Local\Temp\1b861b7.tmp
  • C:\Windows\System32\ntdll.dll
  • C:\Users\test\AppData\Local\Temp\1b861f6.tmp
  • C:\Windows\System32\user32.dll
  • C:\Windows\Fonts\staticcache.dat
  • C:\Windows\Globalization\Sorting\sortdefault.nls
Files read
  • C:\Windows\System32\ntdll.dll
  • C:\Users\test\AppData\Local\Temp\1b861b7.tmp
  • C:\Windows\System32\user32.dll
  • C:\Users\test\AppData\Local\Temp\1b861f6.tmp
  • C:\Windows\Fonts\staticcache.dat
  • C:\Windows\Globalization\Sorting\sortdefault.nls
Files modified
  • C:\Users\test\AppData\Local\Temp\1b861b7.tmp
  • C:\Users\test\AppData\Local\Temp\1b861f6.tmp
Files deleted
  • C:\Users\test\AppData\Local\Temp\1b861b7.tmp
  • C:\Users\test\AppData\Local\Temp\1b861f6.tmp
Registry keys
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane2
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane3
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane4
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane5
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane6
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane7
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane8
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane9
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane10
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane11
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane12
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane13
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane14
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane15
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane16
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\__________________.exe
  • HKEY_LOCAL_MACHINE\Software\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{03B5835F-F03C-411B-9CE2-AA23E1171E36}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{07EB03D6-B001-41DF-9192-BF9B841EE71F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3697C5FA-60DD-4B56-92D4-74A569205C16}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3FC47A08-E5C9-4BCA-A2C7-BC9A282AED14}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{531FDEBF-9B4C-4A43-A2AA-960E8FCDC732}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{78CB5B0E-26ED-4FCC-854C-77E8F3D1AA80}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{81D4E9C9-1D3B-41BC-9E6C-4B40BF79E35E}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{8613E14C-D0C0-4161-AC0F-1DD2563286BC}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{A028AE76-01B1-46C2-99C4-ACD9858AE02F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{AE6BE008-07FB-400D-8BEB-337A64F7051F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{C1EE01F2-B3B6-4A6A-9DDD-E988C088EC82}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{E429B25A-E5D3-4D1F-9BE3-0C608477E3A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F25E9F57-2FC8-4EB3-A41A-CCE5F08541E6}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F89E9E58-BD2F-4008-9AC2-0F816C09F4EE}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_CURRENT_USER
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
  • HKEY_CURRENT_USER\Software\Microsoft\CTF\DirectSwitchHotkeys
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
  • HKEY_CURRENT_USER\Software\Microsoft\CTF\LayoutIcon\0804\00000804
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\KnownClasses
Registry keys read
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane2
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane3
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane4
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane5
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane6
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane7
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane8
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane9
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane10
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane11
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane12
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane13
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane14
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane15
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane16
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
Registry keys modified No information
Registry keys deleted No information
Resolved APIs
  • kernel32.dll.IsProcessorFeaturePresent
  • cryptbase.dll.SystemFunction036
  • kernel32.dll.GetModuleHandleA
  • ntdll.dll.LdrGetProcedureAddress
  • kernel32.dll.ExitProcess
  • kernel32.dll.HeapAlloc
  • kernel32.dll.HeapReAlloc
  • kernel32.dll.HeapFree
  • kernel32.dll.IsBadReadPtr
  • kernel32.dll.Sleep
  • kernel32.dll.CloseHandle
  • kernel32.dll.ReadFile
  • kernel32.dll.GetFileSize
  • kernel32.dll.MapViewOfFile
  • kernel32.dll.WriteFile
  • kernel32.dll.DeleteFileA
  • kernel32.dll.GetTickCount
  • kernel32.dll.GetProcessHeap
  • kernel32.dll.FreeLibrary
  • kernel32.dll.GetProcAddress
  • kernel32.dll.LoadLibraryA
  • kernel32.dll.LCMapStringA
  • kernel32.dll.ReleaseMutex
  • kernel32.dll.LoadLibraryExA
  • kernel32.dll.CopyFileA
  • kernel32.dll.HeapCreate
  • kernel32.dll.GetSystemDirectoryA
  • kernel32.dll.ExpandEnvironmentStringsA
  • kernel32.dll.UpdateResourceA
  • kernel32.dll.EndUpdateResourceA
  • kernel32.dll.BeginUpdateResourceA
  • kernel32.dll.CreateMutexA
  • kernel32.dll.GetTempPathA
  • kernel32.dll.UnmapViewOfFile
  • kernel32.dll.WideCharToMultiByte
  • kernel32.dll.GetSystemInfo
  • kernel32.dll.CreateFileA
  • user32.dll.DispatchMessageA
  • user32.dll.IsWindow
  • user32.dll.GetWindowThreadProcessId
  • user32.dll.GetDCEx
  • user32.dll.wsprintfA
  • user32.dll.MessageBoxA
  • user32.dll.WindowFromDC
  • user32.dll.GetAncestor
  • user32.dll.PrintWindow
  • user32.dll.GetWindowInfo
  • user32.dll.GetWindowRect
  • user32.dll.IsIconic
  • user32.dll.ReleaseDC
  • user32.dll.GetDC
  • user32.dll.IsWindowVisible
  • user32.dll.GetWindow
  • user32.dll.GetKeyboardLayoutList
  • user32.dll.UnloadKeyboardLayout
  • user32.dll.SystemParametersInfoA
  • user32.dll.CallWindowProcA
  • shlwapi.dll.PathFileExistsA
  • shlwapi.dll.PathFindFileNameA
  • version.dll.GetFileVersionInfoA
  • version.dll.VerQueryValueA
  • version.dll.GetFileVersionInfoSizeA
  • imm32.dll.ImmInstallIMEA
  • gdi32.dll.SelectObject
  • gdi32.dll.CreateDIBSection
  • gdi32.dll.BitBlt
  • gdi32.dll.GetObjectA
  • gdi32.dll.GetCurrentObject
  • gdi32.dll.CreateCompatibleDC
  • gdi32.dll.GetStockObject
  • gdi32.dll.GetDIBits
  • msvcrt.dll.strrchr
  • msvcrt.dll.??3@YAXPAX@Z
  • msvcrt.dll.rand
  • msvcrt.dll._atoi64
  • msvcrt.dll.strncpy
  • msvcrt.dll.strncmp
  • msvcrt.dll._ftol
  • msvcrt.dll.atoi
  • msvcrt.dll.sprintf
  • msvcrt.dll._CIfmod
  • msvcrt.dll._stricmp
  • msvcrt.dll.??2@YAPAXI@Z
  • msvcrt.dll.__CxxFrameHandler
  • msvcrt.dll.floor
  • msvcrt.dll.strchr
  • msvcrt.dll.memmove
  • msvcrt.dll.modf
  • msvcrt.dll.free
  • msvcrt.dll.malloc
  • msvcrt.dll._strnicmp
  • advapi32.dll.RegQueryValueExA
  • advapi32.dll.RegCloseKey
  • advapi32.dll.RegOpenKeyA
  • kernel32.dll.MultiByteToWideChar
  • ntdll.dll.LdrGetDllHandleEx
  • kernel32.dll.GetVersionExA
  • ntdll.dll.RtlGetNtVersionNumbers
  • kernel32.dll.GetSystemWow64DirectoryA
  • kernel32.dll.IsBadCodePtr
  • ntdll.dll.RtlMoveMemory
  • ntdll.dll.RtlAllocateHeap
  • kernel32.dll.lstrlenA
  • ntdll.dll.RtlComputeCrc32
  • kernel32.dll.InterlockedExchange
  • ntdll.dll.ZwClose
  • kernel32.dll.GetLastError
  • advpack.dll.IsNTAdmin
  • advapi32.dll.CheckTokenMembership
  • user32.dll.GetDesktopWindow
  • user32.dll.GetActiveWindow
  • gdi32.dll.GetLayout
  • gdi32.dll.GdiRealizationInfo
  • gdi32.dll.FontIsLinked
  • advapi32.dll.RegOpenKeyExW
  • advapi32.dll.RegQueryInfoKeyW
  • gdi32.dll.GetTextFaceAliasW
  • advapi32.dll.RegEnumValueW
  • advapi32.dll.RegQueryValueExW
  • advapi32.dll.RegEnumKeyExW
  • gdi32.dll.GetTextExtentExPointWPri
  • ole32.dll.CoInitializeEx
  • ole32.dll.CoUninitialize
  • ole32.dll.CoRegisterInitializeSpy
  • ole32.dll.CoRevokeInitializeSpy
  • kernel32.dll.SortGetHandle
  • kernel32.dll.SortCloseHandle
  • oleaut32.dll.SysAllocString
  • oleaut32.dll.SysStringLen
  • oleaut32.dll.SysFreeString
  • kernel32.dll.InterlockedDecrement
  • gdi32.dll.GetFontAssocStatus