Maldun Security Analysis Report

Analysis type FILE
Start time 2024-04-25 17:36:23
End time 2024-04-25 17:38:33
Duration 130 seconds
Analysis engine version 1.4-Maldun

VM name win7-sp1-x64-shaapp03-1
Label win7-sp1-x64-shaapp03-1
Hypervisor KVM
Boot time 2024-04-25 17:36:23
Shutdown time 2024-04-25 17:38:35
Maldun score

10.0

Malicious

File details

File name CheckUDisk_v5.4.exe
File size 165332 bytes
File type PE32 executable (GUI) Intel 80386, for MS Windows
CRC32 72BA4BDB
MD5 b53bf9643b148e52a0a3aaa1ed9022ec
SHA1 d48b317da71f6b704330b66518f8c9a93f015ceb
SHA256 a561e370309f4593dc14013ceeffdda085f9a97577902b240deacb0b319388bd
SHA512 a68045dc5da27cc6b4a1140abe80157b8b24b12da71ddeea6aabdf2d6a2604c14d63c41686feb3154c1a45edc8b20211eb743c26f91bf260579cb7725665e10b
Ssdeep 3072:df4CGQBXXNfL84H9uuTz16XMdofJI1AbUNt3P9pRMj6V:df4CVNXNf5v16XQawB
PEiD No match
Yara
  • with_urls (Detected the presence of one or several URLs)
  • IsPE32 (Detected a 32bit PE sample)
  • IsWindowsGUI (Detected a Windows GUI sample)
  • HasOverlay (Detected Overlay signature)
  • HasRichSignature (Detected Rich Signature)
  • screenshot (Detected take screenshot function)
  • create_process (Detection function for creating a new process)
  • keylogger (Detected keylogger function)
  • win_registry (Detected system registries modification function)
  • change_win_registry (Change registries to affect system)
  • win_files_operation (Affect private profile)
  • win_hook (Detected hook table access function)
  • win_private_profile (Detected private profile access function)
  • Proprietary_Anomoly_Combined_Activities_7 (Spotted potential malicious behaviors from a small size target, like process manipulation, privilege, token and files)
VirusTotal VirusTotal lookup failed

Signatures

Reads data from its own binary image
self_read: process: CheckUDisk_v5.4.exe, pid: 2604, offset: 0x00028000, length: 0x000005d4
Proprietary Yara rule match - High risk
Critical: Spotted potential malicious behaviors from a small size target, like process manipulation, privilege, token and files
Attempts to interact with an Alternate Data Stream (ADS)
file: \??\USB#VID_0409&PID_55AA#314159-0000:00:01.2-2#{f18a0e88-c30c-11d0-8815-00a0c906bed8}
file: \??\usb#vid_0409&pid_55aa#314159-0000:00:01.2-2#{f18a0e88-c30c-11d0-8815-00a0c906bed8}
Sample attempts to obfuscate or spoof its file type

Screenshots

Network analysis

TCP connections

IP address Port
104.114.76.144 80

UDP connections

IP address Port
192.168.122.1 53

HTTP requests

URL HTTP data
http://acroipm.adobe.com/11/rdr/CHS/win/nooem/none/message.zip
GET /11/rdr/CHS/win/nooem/none/message.zip HTTP/1.1
Accept: */*
If-Modified-Since: Mon, 08 Nov 2017 08:44:36 GMT
User-Agent: IPM
Host: acroipm.adobe.com
Connection: Keep-Alive
Cache-Control: no-cache

Static analysis

PE information

Image base 0x00400000
Entry point 0x00405240
Declared checksum 0x00000000
Actual checksum 0x00037885
Minimum OS version required 4.0
Compile time 2010-11-08 17:46:11
Import hash 433295c2d5090cdf8b929ed47bb35ebe
Icon
Icon exact hash 1950fe4a92a1450006ecf5b25649e727
Icon similarity hash c476c721d029b154a5104061f19fad3c

Version information

LegalCopyright: Copyright (C) 2004 WuBoJian.
InternalName: CheckUDisk
FileVersion: 5, 0, 0, 1
CompanyName: WuBoJian
PrivateBuild:
LegalTrademarks: WuBoJian
Comments: CheckUDisk. Write by WuBoJian 2004.7.29 www.wbj3000.com
ProductName: CheckUDisk Application
SpecialBuild:
ProductVersion: 5, 0, 0, 1
FileDescription: CheckUDisk MFC Application
OriginalFilename: CheckUDisk.EXE
Translation: 0x0409 0x04b0

PE sections

Name Virtual address Virtual size Raw data size Characteristics Entropy
.text 0x00001000 0x00019cee 0x0001a000 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 6.59
.rdata 0x0001b000 0x00004f3c 0x00005000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 4.89
.data 0x00020000 0x0001fe08 0x00004000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 2.38
.rsrc 0x00040000 0x00003550 0x00004000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 3.37

Overlay

Offset: 0x00028000
Size: 0x000005d4

Resources

Name Offset Size Language Sublanguage Entropy File type
RT_CURSOR 0x00041488 0x000000b4 LANG_ENGLISH SUBLANG_ENGLISH_US 2.74 data
RT_BITMAP 0x00041e60 0x00000144 LANG_ENGLISH SUBLANG_ENGLISH_US 2.88 data
RT_ICON 0x000408c8 0x00000128 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 2.77 GLS_BINARY_LSB_FIRST
RT_DIALOG 0x00041b50 0x000000e8 LANG_ENGLISH SUBLANG_ENGLISH_US 3.07 data
RT_STRING 0x00043520 0x0000002c LANG_ENGLISH SUBLANG_ENGLISH_US 1.08 data
RT_GROUP_CURSOR 0x00041540 0x00000022 LANG_ENGLISH SUBLANG_ENGLISH_US 2.25 MS Windows cursor resource - 2 icons, 32x256, hotspot @1x1
RT_GROUP_ICON 0x000409f0 0x00000022 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 2.37 MS Windows icon resource - 2 icons, 32x32, 16 colors
RT_VERSION 0x00040f38 0x00000418 LANG_ENGLISH SUBLANG_ENGLISH_US 3.48 data

Imports

Library KERNEL32.dll:
0x41b0b4 - GetFileSize
0x41b0b8 - RtlUnwind
0x41b0bc - GetStartupInfoA
0x41b0c0 - GetCommandLineA
0x41b0c4 - ExitProcess
0x41b0c8 - HeapFree
0x41b0cc - HeapAlloc
0x41b0d0 - TerminateProcess
0x41b0d4 - RaiseException
0x41b0d8 - HeapReAlloc
0x41b0dc - HeapSize
0x41b0e0 - GetACP
0x41b0e4 - UnhandledExceptionFilter
0x41b0e8 - FreeEnvironmentStringsA
0x41b0ec - FreeEnvironmentStringsW
0x41b0f0 - GetEnvironmentStrings
0x41b0f4 - GetEnvironmentStringsW
0x41b0f8 - GetStdHandle
0x41b0fc - GetFileType
0x41b100 - GetEnvironmentVariableA
0x41b104 - HeapDestroy
0x41b108 - HeapCreate
0x41b10c - VirtualFree
0x41b110 - VirtualAlloc
0x41b114 - IsBadWritePtr
0x41b118 - LCMapStringA
0x41b11c - LCMapStringW
0x41b120 - SetUnhandledExceptionFilter
0x41b124 - GetStringTypeA
0x41b128 - GetStringTypeW
0x41b12c - IsBadReadPtr
0x41b130 - IsBadCodePtr
0x41b134 - SetStdHandle
0x41b138 - GetProfileStringA
0x41b13c - GetSystemDefaultLangID
0x41b140 - FlushFileBuffers
0x41b144 - SetFilePointer
0x41b148 - WriteFile
0x41b14c - ReadFile
0x41b150 - GetCurrentProcess
0x41b154 - SetErrorMode
0x41b158 - GetOEMCP
0x41b15c - GetCPInfo
0x41b160 - SizeofResource
0x41b164 - GetProcessVersion
0x41b168 - WritePrivateProfileStringA
0x41b16c - GlobalFlags
0x41b170 - lstrcpynA
0x41b174 - TlsGetValue
0x41b178 - LocalReAlloc
0x41b17c - TlsSetValue
0x41b180 - EnterCriticalSection
0x41b184 - GlobalReAlloc
0x41b188 - LeaveCriticalSection
0x41b18c - TlsFree
0x41b190 - GlobalHandle
0x41b194 - DeleteCriticalSection
0x41b198 - TlsAlloc
0x41b19c - InitializeCriticalSection
0x41b1a0 - MulDiv
0x41b1a4 - SetLastError
0x41b1a8 - GetVersion
0x41b1ac - lstrcatA
0x41b1b0 - GlobalGetAtomNameA
0x41b1b4 - GlobalAddAtomA
0x41b1b8 - GlobalFindAtomA
0x41b1bc - lstrcpyA
0x41b1c0 - GetModuleHandleA
0x41b1c4 - MultiByteToWideChar
0x41b1c8 - lstrlenA
0x41b1cc - InterlockedDecrement
0x41b1d0 - InterlockedIncrement
0x41b1d4 - GlobalUnlock
0x41b1d8 - LockResource
0x41b1dc - FindResourceA
0x41b1e0 - LoadResource
0x41b1e4 - GetVersionExA
0x41b1e8 - GetModuleFileNameA
0x41b1ec - GlobalLock
0x41b1f0 - GlobalDeleteAtom
0x41b1f4 - lstrcmpA
0x41b1f8 - lstrcmpiA
0x41b1fc - GetCurrentThread
0x41b200 - GetCurrentThreadId
0x41b204 - GlobalAlloc
0x41b208 - GlobalFree
0x41b20c - Sleep
0x41b210 - GetLastError
0x41b214 - GetLogicalDrives
0x41b218 - DeviceIoControl
0x41b21c - LocalFree
0x41b220 - LocalAlloc
0x41b224 - GetDiskFreeSpaceA
0x41b228 - CreateFileA
0x41b22c - GetDriveTypeA
0x41b230 - CloseHandle
0x41b234 - WideCharToMultiByte
0x41b238 - LoadLibraryA
0x41b23c - GetProcAddress
0x41b240 - FreeLibrary
0x41b244 - SetHandleCount
Library USER32.dll:
0x41b254 - CopyRect
0x41b258 - ScreenToClient
0x41b25c - AdjustWindowRectEx
0x41b260 - SetFocus
0x41b264 - GetSysColor
0x41b268 - MapWindowPoints
0x41b26c - SendDlgItemMessageA
0x41b270 - IsDialogMessageA
0x41b274 - ShowWindow
0x41b278 - GetWindowDC
0x41b27c - BeginPaint
0x41b280 - EndPaint
0x41b284 - TabbedTextOutA
0x41b288 - GrayStringA
0x41b28c - GetClassNameA
0x41b290 - PtInRect
0x41b294 - GetSysColorBrush
0x41b298 - LoadStringA
0x41b29c - DestroyMenu
0x41b2a0 - InvalidateRect
0x41b2a4 - GetCapture
0x41b2a8 - WinHelpA
0x41b2ac - GetClassInfoA
0x41b2b0 - RegisterClassA
0x41b2b4 - GetMenu
0x41b2b8 - GetMenuItemCount
0x41b2bc - GetSubMenu
0x41b2c0 - GetMenuItemID
0x41b2c4 - GetWindowTextLengthA
0x41b2c8 - GetDlgCtrlID
0x41b2cc - DefWindowProcA
0x41b2d0 - GetClassLongA
0x41b2d4 - GetMessageTime
0x41b2d8 - GetMessagePos
0x41b2dc - GetForegroundWindow
0x41b2e0 - SetForegroundWindow
0x41b2e4 - GetWindow
0x41b2e8 - SetWindowPos
0x41b2ec - RegisterWindowMessageA
0x41b2f0 - IntersectRect
0x41b2f4 - SystemParametersInfoA
0x41b2f8 - GetWindowPlacement
0x41b2fc - EndDialog
0x41b300 - IsWindow
0x41b304 - CreateDialogIndirectParamA
0x41b308 - DestroyWindow
0x41b30c - GetMenuCheckMarkDimensions
0x41b310 - LoadBitmapA
0x41b314 - GetMenuState
0x41b318 - ModifyMenuA
0x41b31c - SetMenuItemBitmaps
0x41b320 - CheckMenuItem
0x41b324 - EnableMenuItem
0x41b328 - GetFocus
0x41b32c - GetNextDlgTabItem
0x41b330 - GetMessageA
0x41b334 - TranslateMessage
0x41b338 - DispatchMessageA
0x41b33c - GetActiveWindow
0x41b340 - GetKeyState
0x41b344 - CallNextHookEx
0x41b348 - ValidateRect
0x41b34c - IsWindowVisible
0x41b350 - PeekMessageA
0x41b354 - GetCursorPos
0x41b358 - SetWindowsHookExA
0x41b35c - GetParent
0x41b360 - GetLastActivePopup
0x41b364 - IsWindowEnabled
0x41b368 - MessageBoxA
0x41b36c - PostQuitMessage
0x41b370 - PostMessageA
0x41b374 - wsprintfA
0x41b378 - GetDlgItem
0x41b37c - CreateWindowExA
0x41b380 - SetWindowTextA
0x41b384 - SetPropA
0x41b388 - ClientToScreen
0x41b38c - GetWindowRect
0x41b390 - OffsetRect
0x41b394 - MoveWindow
0x41b398 - UpdateWindow
0x41b39c - GetPropA
0x41b3a0 - GetWindowLongA
0x41b3a4 - LoadIconA
0x41b3a8 - SendMessageA
0x41b3ac - DrawIcon
0x41b3b0 - GetClientRect
0x41b3b4 - UnregisterClassA
0x41b3b8 - HideCaret
0x41b3bc - LoadCursorA
0x41b3c0 - SetCursor
0x41b3c4 - RemovePropA
0x41b3c8 - SetWindowLongA
0x41b3cc - CallWindowProcA
0x41b3d0 - GetDC
0x41b3d4 - GetWindowTextA
0x41b3d8 - DrawTextA
0x41b3dc - ReleaseDC
0x41b3e0 - EnableWindow
0x41b3e4 - GetTopWindow
0x41b3e8 - UnhookWindowsHookEx
0x41b3ec - KillTimer
0x41b3f0 - SetTimer
0x41b3f4 - ShowCaret
0x41b3f8 - ExcludeUpdateRgn
0x41b3fc - DrawFocusRect
0x41b400 - IsIconic
0x41b404 - GetSystemMetrics
0x41b408 - SendMessageW
0x41b40c - SendDlgItemMessageW
0x41b410 - ModifyMenuW
0x41b414 - IsWindowUnicode
0x41b418 - CharNextA
0x41b41c - InflateRect
0x41b420 - DefDlgProcA
0x41b424 - SetActiveWindow
Library GDI32.dll:
0x41b024 - GetObjectA
0x41b028 - DeleteDC
0x41b02c - SaveDC
0x41b030 - RestoreDC
0x41b034 - SetMapMode
0x41b038 - SetViewportOrgEx
0x41b03c - OffsetViewportOrgEx
0x41b040 - SetViewportExtEx
0x41b044 - ScaleViewportExtEx
0x41b048 - SetWindowExtEx
0x41b04c - ScaleWindowExtEx
0x41b050 - IntersectClipRect
0x41b054 - SetBkColor
0x41b058 - GetDeviceCaps
0x41b05c - CreateSolidBrush
0x41b060 - PtVisible
0x41b064 - RectVisible
0x41b068 - TextOutA
0x41b06c - ExtTextOutA
0x41b070 - Escape
0x41b074 - GetClipBox
0x41b078 - CreateBitmap
0x41b07c - CreatePen
0x41b080 - SetTextColor
0x41b084 - SetBkMode
0x41b088 - MoveToEx
0x41b08c - LineTo
0x41b090 - GetStockObject
0x41b094 - SelectObject
0x41b098 - CreateDIBitmap
0x41b09c - PatBlt
0x41b0a0 - GetTextExtentPointA
0x41b0a4 - BitBlt
0x41b0a8 - CreateCompatibleDC
0x41b0ac - DeleteObject
Library WINSPOOL.DRV:
0x41b42c - ClosePrinter
0x41b430 - DocumentPropertiesA
0x41b434 - OpenPrinterA
Library ADVAPI32.dll:
0x41b000 - RegSetValueExA
0x41b004 - RegCloseKey
0x41b008 - RegCreateKeyExA
0x41b00c - RegEnumKeyExA
0x41b010 - RegOpenKeyExA
0x41b014 - RegQueryValueExA
Library SHELL32.dll:
0x41b24c - ShellExecuteA
Library COMCTL32.dll:
0x41b01c - None
Library ole32.dll:
0x41b43c - CoInitialize
0x41b440 - CoUninitialize

Dropped files

None

Behavioral analysis

Mutexes
  • Local\MSCTF.Asm.MutexDefault1
Commands executed: None
Services created: None
Services started: None

Processes

CheckUDisk_v5.4.exe PID: 2604, parent PID: 2252

Files accessed
  • C:\Users\test\AppData\Local\Temp\CheckUDisk_v5.4.exe
  • C:\Windows\Globalization\Sorting\sortdefault.nls
  • C:\Windows\Fonts\staticcache.dat
  • \??\usb#root_hub#4&192d568&0#{f18a0e88-c30c-11d0-8815-00a0c906bed8}
  • \??\USB#VID_0409&PID_55AA#314159-0000:00:01.2-2#{f18a0e88-c30c-11d0-8815-00a0c906bed8}
  • \??\usb#vid_0409&pid_55aa#314159-0000:00:01.2-2#{f18a0e88-c30c-11d0-8815-00a0c906bed8}
  • C:\Users\test\AppData\Local\Temp\MtpDisk.dll
  • C:\Windows\System32\MtpDisk.dll
  • C:\Windows\system\MtpDisk.dll
  • C:\Windows\MtpDisk.dll
  • C:\ProgramData\Oracle\Java\javapath\MtpDisk.dll
  • C:\Windows\System32\wbem\MtpDisk.dll
  • C:\Windows\System32\WindowsPowerShell\v1.0\MtpDisk.dll
  • C:\Program Files (x86)\WinRAR\MtpDisk.dll
Files read
  • C:\Users\test\AppData\Local\Temp\CheckUDisk_v5.4.exe
  • C:\Windows\Globalization\Sorting\sortdefault.nls
  • C:\Windows\Fonts\staticcache.dat
  • \??\usb#root_hub#4&192d568&0#{f18a0e88-c30c-11d0-8815-00a0c906bed8}
  • \??\usb#vid_0409&pid_55aa#314159-0000:00:01.2-2#{f18a0e88-c30c-11d0-8815-00a0c906bed8}
Files modified
  • \??\usb#root_hub#4&192d568&0#{f18a0e88-c30c-11d0-8815-00a0c906bed8}
  • \??\USB#VID_0409&PID_55AA#314159-0000:00:01.2-2#{f18a0e88-c30c-11d0-8815-00a0c906bed8}
  • \??\usb#vid_0409&pid_55aa#314159-0000:00:01.2-2#{f18a0e88-c30c-11d0-8815-00a0c906bed8}
Files deleted: None
Registry keys
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\CheckUDisk_v5.4.exe
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\ExtendedLocale
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane2
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane3
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane4
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane5
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane6
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane7
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane8
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane9
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane10
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane11
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane12
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane13
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane14
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane15
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane16
  • HKEY_LOCAL_MACHINE\Software\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{03B5835F-F03C-411B-9CE2-AA23E1171E36}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{07EB03D6-B001-41DF-9192-BF9B841EE71F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3697C5FA-60DD-4B56-92D4-74A569205C16}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3FC47A08-E5C9-4BCA-A2C7-BC9A282AED14}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{531FDEBF-9B4C-4A43-A2AA-960E8FCDC732}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{78CB5B0E-26ED-4FCC-854C-77E8F3D1AA80}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{81D4E9C9-1D3B-41BC-9E6C-4B40BF79E35E}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{8613E14C-D0C0-4161-AC0F-1DD2563286BC}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{A028AE76-01B1-46C2-99C4-ACD9858AE02F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{AE6BE008-07FB-400D-8BEB-337A64F7051F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{C1EE01F2-B3B6-4A6A-9DDD-E988C088EC82}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{E429B25A-E5D3-4D1F-9BE3-0C608477E3A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F25E9F57-2FC8-4EB3-A41A-CCE5F08541E6}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F89E9E58-BD2F-4008-9AC2-0F816C09F4EE}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_CURRENT_USER
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
  • HKEY_CURRENT_USER\Software\Microsoft\CTF\DirectSwitchHotkeys
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\KnownClasses
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Arial
Registry keys read
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane2
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane3
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane4
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane5
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane6
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane7
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane8
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane9
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane10
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane11
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane12
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane13
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane14
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane15
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane16
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
Registry keys modified: None
Registry keys deleted: None
Resolved APIs
  • kernel32.dll.IsProcessorFeaturePresent
  • cryptbase.dll.SystemFunction036
  • comctl32.dll.InitCommonControlsEx
  • kernel32.dll.SortGetHandle
  • kernel32.dll.SortCloseHandle
  • gdi32.dll.GetLayout
  • gdi32.dll.GdiRealizationInfo
  • gdi32.dll.FontIsLinked
  • advapi32.dll.RegOpenKeyExW
  • advapi32.dll.RegQueryInfoKeyW
  • gdi32.dll.GetTextFaceAliasW
  • advapi32.dll.RegEnumValueW
  • advapi32.dll.RegCloseKey
  • advapi32.dll.RegQueryValueExW
  • advapi32.dll.RegQueryValueExA
  • advapi32.dll.RegEnumKeyExW
  • gdi32.dll.GetTextExtentExPointWPri
  • setupapi.dll.SetupDiDestroyDeviceInfoList
  • setupapi.dll.SetupDiGetDeviceInterfaceDetailA
  • setupapi.dll.SetupDiEnumDeviceInterfaces
  • setupapi.dll.SetupDiGetClassDevsA
  • setupapi.dll.SetupDiEnumDeviceInfo
  • setupapi.dll.CM_Get_Child
  • setupapi.dll.CM_Get_Sibling
  • setupapi.dll.CM_Get_Device_IDA
  • setupapi.dll.CM_Get_DevNode_Status
  • setupapi.dll.CM_Request_Device_EjectA
  • setupapi.dll.SetupDiSetClassInstallParamsA
  • setupapi.dll.SetupDiCallClassInstaller
  • setupapi.dll.CM_Query_And_Remove_SubTreeA
  • wintrust.dll.WinVerifyTrust
  • user32.dll.GetSystemMetrics
  • user32.dll.MonitorFromWindow
  • user32.dll.MonitorFromRect
  • user32.dll.MonitorFromPoint
  • user32.dll.EnumDisplayMonitors
  • user32.dll.GetMonitorInfoA
  • ole32.dll.CoInitializeEx
  • ole32.dll.CoUninitialize
  • ole32.dll.CoRegisterInitializeSpy
  • ole32.dll.CoRevokeInitializeSpy
  • gdi32.dll.GetFontAssocStatus
  • gdi32.dll.GdiIsMetaPrintDC