魔盾安全分析报告
| 分析类型 | 开始时间 | 结束时间 | 持续时间 | 分析引擎版本 |
|---|---|---|---|---|
| FILE | 2024-04-25 15:18:03 | 2024-04-25 15:18:44 | 41 秒 | 1.4-Maldun |
| 虚拟机机器名 | 标签 | 虚拟机管理 | 开机时间 | 关机时间 |
|---|---|---|---|---|
| win7-sp1-x64-shaapp02-1 | win7-sp1-x64-shaapp02-1 | KVM | 2024-04-25 15:18:04 | 2024-04-25 15:18:46 |
| 魔盾分数 |
|---|
7.875恶意的 |
文件详细信息
| 文件名 | wism.dll |
|---|---|
| 文件大小 | 45568 字节 |
| 文件类型 | PE32+ executable (DLL) (GUI) x86-64, for MS Windows |
| CRC32 | 033459BD |
| MD5 | cc87ea9fe511d671d586b29de944f473 |
| SHA1 | 70f606b509fe9ba598a5c80fbe66933c5c1ad264 |
| SHA256 | a1498b45c07bd5827a9ebce1a2e39ac5a97685001227680781ee1daddf72718b |
| SHA512 | 16642aab87c54f738c0462f705819c4f364e063a46cb2047acc025b2bf3df87b1944326744455bcf68c35df3369052abb4f3e3ce1daca94debba7c07dc4fa8e7 |
| Ssdeep | 768:tcf/awVNVLue+bKaP9FoR/RbpWuKwjmqX/gKspGxfjnokfEsAV7AO:tnqIoR5V7KwjmlnGrnSs07A |
| PEiD | 无匹配 |
| Yara |
|
| VirusTotal | VirusTotal查询失败 |
特征
可疑的样本异常终止
专有的Yara规则检测结果 - 高危
Critical: Spotted potential malicious behaviors from a small size target, like process manipultion, privilege, token and files
运行截图
网络分析
TCP连接
| IP地址 | 端口 |
|---|---|
| 23.214.95.221 | 80 |
UDP连接
| IP地址 | 端口 |
|---|---|
| 192.168.122.1 | 53 |
HTTP请求
| URL | HTTP数据 |
|---|---|
| http://acroipm.adobe.com/11/rdr/CHS/win/nooem/none/message.zip | GET /11/rdr/CHS/win/nooem/none/message.zip HTTP/1.1 Accept: */* If-Modified-Since: Mon, 08 Nov 2017 08:44:36 GMT User-Agent: IPM Host: acroipm.adobe.com Connection: Keep-Alive Cache-Control: no-cache |
静态分析
PE 信息
| 初始地址 | 0x180000000 |
|---|---|
| 入口地址 | 0x180006bc8 |
| 声明校验值 | 0x00000000 |
| 实际校验值 | 0x0000d35f |
| 最低操作系统版本要求 | 6.0 |
| PDB路径 | C:\Users\xxxta\VisualStudioRepos\windows_input_method_manager\x64\Release\windows_input_method_manager.pdb |
| 编译时间 | 2024-04-13 22:38:30 |
| 载入哈希 | ee8b2c9cac78f19ed9b3325e6c821dd7 |
| 导出DLL库名称 | \x31\x31\x31\x31\x31\x31\x31\x39\x31\x31\x31\x31\x31\x39\x31\x31\x31\x31\x31\x31\x39\x31\x39\x31\x39\x31\x31\x31\x34\x31\x31\x31 |
PE数据组成
| 名称 | 虚拟地址 | 虚拟大小 | 原始数据大小 | 特征 | 熵(Entropy) |
|---|---|---|---|---|---|
| .text | 0x00001000 | 0x00006a94 | 0x00006c00 | IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ | 6.16 |
| .rdata | 0x00008000 | 0x0000333e | 0x00003400 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 5.33 |
| .data | 0x0000c000 | 0x00000818 | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE | 2.06 |
| .pdata | 0x0000d000 | 0x00000690 | 0x00000800 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 3.72 |
| .rsrc | 0x0000e000 | 0x000000f8 | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 2.51 |
| .reloc | 0x0000f000 | 0x00000070 | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ | 1.42 |
导入
库 libcrypto-1_1-x64.dll:
• 0x180008288 - EVP_MD_CTX_new
• 0x180008290 - BIO_write
• 0x180008298 - EVP_PKEY_new
• 0x1800082a0 - PEM_read_bio_RSAPrivateKey
• 0x1800082a8 - EVP_sha256
• 0x1800082b0 - EVP_DigestUpdate
• 0x1800082b8 - EVP_DigestSignFinal
• 0x1800082c0 - EVP_PKEY_assign
• 0x1800082c8 - EVP_MD_CTX_free
• 0x1800082d0 - PEM_read_bio_RSA_PUBKEY
• 0x1800082d8 - EVP_DigestVerifyFinal
• 0x1800082e0 - EVP_DigestSignInit
• 0x1800082e8 - EVP_DigestVerifyInit
• 0x1800082f0 - EVP_CIPHER_CTX_new
• 0x1800082f8 - EVP_aes_256_cbc
• 0x180008300 - EVP_DecryptUpdate
• 0x180008308 - EVP_DecryptFinal_ex
• 0x180008310 - EVP_DecryptInit_ex
• 0x180008318 - EVP_CIPHER_CTX_reset
• 0x180008320 - EVP_CIPHER_CTX_free
• 0x180008328 - BIO_new
• 0x180008330 - BIO_ctrl
• 0x180008338 - BIO_push
• 0x180008340 - BIO_f_base64
• 0x180008348 - BIO_read
• 0x180008350 - BIO_set_flags
• 0x180008358 - BIO_s_mem
• 0x180008360 - BIO_free_all
• 0x180008368 - BIO_new_mem_buf
库 IMM32.dll:
• 0x180008000 - ImmGetDefaultIMEWnd
库 KERNEL32.dll:
• 0x180008010 - CloseHandle
• 0x180008018 - GetLastError
• 0x180008020 - WaitForSingleObject
• 0x180008028 - CreatePipe
• 0x180008030 - ReadFile
• 0x180008038 - InitializeSListHead
• 0x180008040 - GetSystemTimeAsFileTime
• 0x180008048 - GetCurrentThreadId
• 0x180008050 - GetCurrentProcessId
• 0x180008058 - QueryPerformanceCounter
• 0x180008060 - CreateProcessW
• 0x180008068 - IsProcessorFeaturePresent
• 0x180008070 - TerminateProcess
• 0x180008078 - GetCurrentProcess
• 0x180008080 - SetUnhandledExceptionFilter
• 0x180008088 - UnhandledExceptionFilter
• 0x180008090 - RtlVirtualUnwind
• 0x180008098 - RtlLookupFunctionEntry
• 0x1800080a0 - RtlCaptureContext
• 0x1800080a8 - SleepConditionVariableSRW
• 0x1800080b0 - WakeAllConditionVariable
• 0x1800080b8 - AcquireSRWLockExclusive
• 0x1800080c0 - ReleaseSRWLockExclusive
• 0x1800080c8 - IsDebuggerPresent
• 0x1800080d0 - MultiByteToWideChar
库 USER32.dll:
• 0x1800080f8 - VkKeyScanW
• 0x180008100 - SendMessageW
• 0x180008108 - GetForegroundWindow
• 0x180008110 - GetKeyState
• 0x180008118 - keybd_event
• 0x180008120 - SendInput
库 MSVCP140.dll:
• 0x1800080e0 - ?_Xlength_error@std@@YAXPEBD@Z
• 0x1800080e8 - ?_Xout_of_range@std@@YAXPEBD@Z
库 VCRUNTIME140_1.dll:
• 0x180008188 - __CxxFrameHandler4
库 VCRUNTIME140.dll:
• 0x180008130 - memchr
• 0x180008138 - memmove
• 0x180008140 - memcpy
• 0x180008148 - memcmp
• 0x180008150 - memset
• 0x180008158 - __std_type_info_destroy_list
• 0x180008160 - _CxxThrowException
• 0x180008168 - __C_specific_handler
• 0x180008170 - __std_exception_destroy
• 0x180008178 - __std_exception_copy
库 api-ms-win-crt-runtime-l1-1-0.dll:
• 0x1800081e0 - _execute_onexit_table
• 0x1800081e8 - _invalid_parameter_noinfo_noreturn
• 0x1800081f0 - _crt_atexit
• 0x1800081f8 - exit
• 0x180008200 - _initterm_e
• 0x180008208 - _initterm
• 0x180008210 - _seh_filter_dll
• 0x180008218 - _configure_narrow_argv
• 0x180008220 - _initialize_narrow_environment
• 0x180008228 - _initialize_onexit_table
• 0x180008230 - _register_onexit_function
• 0x180008238 - _cexit
库 api-ms-win-crt-stdio-l1-1-0.dll:
• 0x180008248 - __acrt_iob_func
• 0x180008250 - __stdio_common_vfprintf
库 api-ms-win-crt-heap-l1-1-0.dll:
• 0x1800081a8 - malloc
• 0x1800081b0 - free
• 0x1800081b8 - _callnewh
库 api-ms-win-crt-time-l1-1-0.dll:
• 0x180008278 - _time64
库 api-ms-win-crt-convert-l1-1-0.dll:
• 0x180008198 - atoi
库 api-ms-win-crt-string-l1-1-0.dll:
• 0x180008260 - isspace
• 0x180008268 - strcpy_s
库 api-ms-win-crt-math-l1-1-0.dll:
• 0x1800081c8 - ceil
• 0x1800081d0 - pow
导出
| 序列 | 地址 | 名称 |
|---|---|---|
| 1 | 0x180002370 | Java_com_xxxtai_smartinputintellij_os_WindowsInputMethodManagerJni_changeLanguage |
| 2 | 0x180002530 | Java_com_xxxtai_smartinputintellij_os_WindowsInputMethodManagerJni_getCapsLockState |
| 3 | 0x180002400 | Java_com_xxxtai_smartinputintellij_os_WindowsInputMethodManagerJni_getCurrentLanguage |
| 4 | 0x180002490 | Java_com_xxxtai_smartinputintellij_os_WindowsInputMethodManagerJni_getUuid |
| 5 | 0x180002720 | Java_com_xxxtai_smartinputintellij_os_WindowsInputMethodManagerJni_setCapsLockState |
| 6 | 0x1800020c0 | Java_com_xxxtai_smartinputintellij_os_WindowsInputMethodManagerJni_sign |
| 7 | 0x1800024b0 | Java_com_xxxtai_smartinputintellij_os_WindowsInputMethodManagerJni_systemInput |
| 8 | 0x180006110 | changeLanguage |
| 9 | 0x1800061a0 | getCurrentLanguage |
| 10 | 0x180006220 | getUuid |
| 11 | 0x180006060 | swapShortSecretCode |
| 12 | 0x180006250 | systemInput |
投放文件
行为分析
互斥量(Mutexes)
- Local\MSCTF.Asm.MutexDefault1
执行的命令
无信息
创建的服务
无信息
启动的服务
无信息
进程
rundll32.exe PID: 2568, 上一级进程 PID: 2240
访问的文件
- C:\Users\test\AppData\Local\Temp\wism.dll
- C:\Users\test\AppData\Local\Temp\wism.dll.123.Manifest
- C:\Users\test\AppData\Local\Temp\wism.dll.124.Manifest
- C:\Users\test\AppData\Local\Temp\libcrypto-1_1-x64.dll
- C:\Windows\sysnative\libcrypto-1_1-x64.dll
- C:\Windows\system\libcrypto-1_1-x64.dll
- C:\Windows\libcrypto-1_1-x64.dll
- C:\ProgramData\Oracle\Java\javapath\libcrypto-1_1-x64.dll
- C:\Windows\sysnative\wbem\libcrypto-1_1-x64.dll
- C:\Windows\sysnative\WindowsPowerShell\v1.0\libcrypto-1_1-x64.dll
- C:\Program Files (x86)\WinRAR\libcrypto-1_1-x64.dll
- C:\Windows\sysnative\zh-CN\KERNELBASE.dll.mui
- C:\Windows\Fonts\staticcache.dat
- \Device\KsecDD
- C:\Windows\Globalization\Sorting\sortdefault.nls
读取的文件
- C:\Users\test\AppData\Local\Temp\wism.dll
- C:\Users\test\AppData\Local\Temp\wism.dll.123.Manifest
- C:\Users\test\AppData\Local\Temp\wism.dll.124.Manifest
- C:\Windows\sysnative\zh-CN\KERNELBASE.dll.mui
- C:\Windows\Fonts\staticcache.dat
- \Device\KsecDD
- C:\Windows\Globalization\Sorting\sortdefault.nls
修改的文件
无信息
删除的文件
无信息
注册表键
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\WMR
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\WMR\Disable
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane1
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane2
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane3
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane4
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane5
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane6
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane7
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane8
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane9
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane10
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane11
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane12
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane13
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane14
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane15
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane16
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\rundll32.exe
- HKEY_LOCAL_MACHINE\Software\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{03B5835F-F03C-411B-9CE2-AA23E1171E36}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{07EB03D6-B001-41DF-9192-BF9B841EE71F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3697C5FA-60DD-4B56-92D4-74A569205C16}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3FC47A08-E5C9-4BCA-A2C7-BC9A282AED14}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{531FDEBF-9B4C-4A43-A2AA-960E8FCDC732}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{78CB5B0E-26ED-4FCC-854C-77E8F3D1AA80}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{81D4E9C9-1D3B-41BC-9E6C-4B40BF79E35E}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{8613E14C-D0C0-4161-AC0F-1DD2563286BC}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{A028AE76-01B1-46C2-99C4-ACD9858AE02F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{AE6BE008-07FB-400D-8BEB-337A64F7051F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{C1EE01F2-B3B6-4A6A-9DDD-E988C088EC82}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{E429B25A-E5D3-4D1F-9BE3-0C608477E3A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F25E9F57-2FC8-4EB3-A41A-CCE5F08541E6}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F89E9E58-BD2F-4008-9AC2-0F816C09F4EE}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_CURRENT_USER
- HKEY_CURRENT_USER\Keyboard Layout\Toggle
- HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
- HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
- HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
- HKEY_CURRENT_USER\Software\Microsoft\CTF\DirectSwitchHotkeys
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\EnableAnchorContext
- HKEY_CURRENT_USER\Software\Microsoft\CTF\LayoutIcon\0804\00000804
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\KnownClasses
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
读取的注册表键
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\WMR\Disable
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane1
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane2
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane3
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane4
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane5
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane6
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane7
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane8
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane9
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane10
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane11
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane12
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane13
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane14
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane15
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane16
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
- HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
- HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
- HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\EnableAnchorContext
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
修改的注册表键
无信息
删除的注册表键
无信息
API解析
- gdi32.dll.GetLayout
- gdi32.dll.GdiRealizationInfo
- gdi32.dll.FontIsLinked
- advapi32.dll.RegOpenKeyExW
- advapi32.dll.RegQueryInfoKeyW
- gdi32.dll.GetTextFaceAliasW
- advapi32.dll.RegEnumValueW
- advapi32.dll.RegCloseKey
- advapi32.dll.RegQueryValueExW
- advapi32.dll.RegQueryValueExA
- advapi32.dll.RegEnumKeyExW
- gdi32.dll.GetTextExtentExPointWPri
- ole32.dll.CoInitializeEx
- ole32.dll.CoUninitialize
- cryptbase.dll.SystemFunction036
- ole32.dll.CoRegisterInitializeSpy
- ole32.dll.CoRevokeInitializeSpy
- kernel32.dll.SortGetHandle
- kernel32.dll.SortCloseHandle
- oleaut32.dll.SysAllocString
- oleaut32.dll.SysStringLen
- oleaut32.dll.SysFreeString
- oleaut32.dll.#500