Maldun (魔盾) Security Analysis Report

Analysis type | Start time | End time | Duration | Analysis engine version
FILE | 2024-04-26 09:00:34 | 2024-04-26 09:01:13 | 39 seconds | 1.4-Maldun
VM name | Label | Hypervisor | Boot time | Shutdown time
win7-sp1-x64-shaapp02-1 | win7-sp1-x64-shaapp02-1 | KVM | 2024-04-26 09:00:35 | 2024-04-26 09:01:15
Maldun score

9.875

Malicious

File details

File name ProcessGovernor.exe
File size 1291160 bytes
File type PE32+ executable (GUI) x86-64, for MS Windows
CRC32 227C2923
MD5 9f69590ea0c52f140406bcfb7106a4c0
SHA1 d03d36c9d42f8fcb404057a02bae2932ccb11f41
SHA256 b92fc4d600cb21ad91af944616e7a0bb2ce79a782c822303e6661db5353290a1
SHA512 8a9490c6034c6a5d970dc313840be8c856efd234345902cd8e5c2d0669130cea5d20a2884b250f1dd528780bc28fc760e4fb96846294ed985924d6683a6c1f88
Ssdeep 24576:y3MJYI4mj337UXuX6D2VUugC+1w4iBzo8ug:y3MJYIXD7BX6D2/gCU0t
PEiD No match
Yara
  • DebuggerCheck__QueryInfo ()
  • DebuggerTiming__PerformanceCounter ()
  • DebuggerTiming__Ticks (Detected timing ticks function)
  • anti_dbg (Detected self protection if being debugged)
  • antisb_threatExpert (Anti-Sandbox checks for ThreatExpert)
  • win_mutex (Create or check mutex)
  • create_process (Detection function for creating a new process)
  • escalate_priv (Detected escalate privileges function)
  • keylogger (Detected keylogger function)
  • win_registry (Detected system registries modification function)
  • win_token (Affect system token)
  • win_files_operation (Affect private profile)
  • Proprietary_Anomoly_Combined_Activities_7 (Spotted potential malicious behaviors from a small size target, like process manipulation, privilege, token and files)
  • IsPE64 (Detected a 64bit PE sample)
  • IsWindowsGUI (Detected a Windows GUI sample)
  • HasOverlay (Detected Overlay signature)
  • HasDebugData (Detected Debug Data)
  • HasRichSignature (Detected Rich Signature)
  • MD5_Constants (Look for MD5 constants)
  • with_urls (Detected the presence of one or several URLs)
VirusTotal VirusTotal query failed

Signatures

Suspicious: the sample terminated abnormally
Proprietary Yara rule detection result - high risk
Critical: Spotted potential malicious behaviors from a small size target, like process manipulation, privilege, token and files
Checks the CPU name in the registry, which may be used to implement anti-VM detection

Runtime screenshots

Network analysis

TCP connections

IP address Port
23.206.229.72 80

UDP connections

IP address Port
192.168.122.1 53

HTTP requests

URL HTTP data
http://acroipm.adobe.com/11/rdr/CHS/win/nooem/none/message.zip
GET /11/rdr/CHS/win/nooem/none/message.zip HTTP/1.1
Accept: */*
If-Modified-Since: Mon, 08 Nov 2017 08:44:36 GMT
User-Agent: IPM
Host: acroipm.adobe.com
Connection: Keep-Alive
Cache-Control: no-cache

Static analysis

PE information

Image base 0x140000000
Entry point 0x14009546c
Declared checksum 0x00144d42
Actual checksum 0x00144d42
Minimum OS version required 6.0
PDB path c:\pl\output\ProcessGovernor.pdb
Compile time 2024-04-17 22:23:40
Import hash f43d794eb38694fa05c8366f0853d4e2

Version information

LegalCopyright: (c)2024 Bitsum LLC
InternalName: processgovernor.exe
FileVersion: \x0e
CompanyName: Bitsum LLC
Comments: A component of Process Lasso.
ProductName: Process Lasso
ProductVersion: 14.0.2.12
FileDescription: Process Lasso Core Engine
OriginalFilename: processgovernor.exe
Translation: 0x0409 0x04b0

PE sections

Name Virtual address Virtual size Raw data size Characteristics Entropy
.text 0x00001000 0x000c7a9e 0x000c7c00 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 6.43
.rdata 0x000c9000 0x00029da2 0x00029e00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 5.09
.data 0x000f3000 0x000095ec 0x00005800 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 2.05
.pdata 0x000fd000 0x00007770 0x00007800 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 5.89
_RDATA 0x00105000 0x000001f4 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 4.21
.rsrc 0x00106000 0x000387d0 0x00038800 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 5.40
.reloc 0x0013f000 0x000010b8 0x00001200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ 5.32

Imports

Library KERNEL32.dll:
0x1400c9158 - GetDateFormatEx
0x1400c9160 - OpenEventW
0x1400c9168 - GetVersionExW
0x1400c9170 - ReleaseMutex
0x1400c9178 - OpenProcess
0x1400c9180 - CreateEventW
0x1400c9188 - Sleep
0x1400c9190 - GetTickCount64
0x1400c9198 - SetEvent
0x1400c91a0 - FileTimeToSystemTime
0x1400c91a8 - GetCurrentThread
0x1400c91b0 - TerminateThread
0x1400c91b8 - DeleteFileW
0x1400c91c0 - LoadLibraryW
0x1400c91c8 - CreateThread
0x1400c91d0 - ResetEvent
0x1400c91d8 - FileTimeToLocalFileTime
0x1400c91e0 - GetCurrentDirectoryW
0x1400c91e8 - SetThreadPriorityBoost
0x1400c91f0 - GetProcAddress
0x1400c91f8 - GetFileSize
0x1400c9200 - ExitProcess
0x1400c9208 - GetComputerNameW
0x1400c9210 - GetCurrentProcessId
0x1400c9218 - CreateProcessW
0x1400c9220 - SetThreadExecutionState
0x1400c9228 - GetModuleHandleW
0x1400c9230 - FreeLibrary
0x1400c9238 - GetSystemTime
0x1400c9240 - GetTickCount
0x1400c9248 - GetProcessTimes
0x1400c9250 - SetUnhandledExceptionFilter
0x1400c9258 - GlobalMemoryStatusEx
0x1400c9260 - FindFirstChangeNotificationW
0x1400c9268 - FindCloseChangeNotification
0x1400c9270 - FindNextChangeNotification
0x1400c9278 - SetEndOfFile
0x1400c9280 - SetFilePointer
0x1400c9288 - InitializeCriticalSection
0x1400c9290 - SetThreadPriority
0x1400c9298 - SetProcessShutdownParameters
0x1400c92a0 - WaitForMultipleObjects
0x1400c92a8 - GetProcessAffinityMask
0x1400c92b0 - GetTimeFormatEx
0x1400c92b8 - WriteFile
0x1400c92c0 - SetProcessAffinityMask
0x1400c92c8 - GetCurrentProcess
0x1400c92d0 - GetCommandLineW
0x1400c92d8 - SetPriorityClass
0x1400c92e0 - ReadFile
0x1400c92e8 - CreateDirectoryW
0x1400c92f0 - SetProcessPriorityBoost
0x1400c92f8 - LeaveCriticalSection
0x1400c9300 - EnterCriticalSection
0x1400c9308 - GetSystemInfo
0x1400c9310 - CloseHandle
0x1400c9318 - MultiByteToWideChar
0x1400c9320 - GetFileAttributesW
0x1400c9328 - InitializeCriticalSectionAndSpinCount
0x1400c9330 - GetFileTime
0x1400c9338 - GetSystemTimeAsFileTime
0x1400c9340 - GetProcessHeap
0x1400c9348 - DeleteCriticalSection
0x1400c9350 - HeapDestroy
0x1400c9358 - DecodePointer
0x1400c9360 - HeapAlloc
0x1400c9368 - FindResourceW
0x1400c9370 - LoadResource
0x1400c9378 - FindResourceExW
0x1400c9380 - CreateMutexW
0x1400c9388 - HeapReAlloc
0x1400c9390 - LockResource
0x1400c9398 - GetActiveProcessorGroupCount
0x1400c93a0 - GetActiveProcessorCount
0x1400c93a8 - CreateToolhelp32Snapshot
0x1400c93b0 - Thread32First
0x1400c93b8 - Thread32Next
0x1400c93c0 - OpenThread
0x1400c93c8 - SetThreadGroupAffinity
0x1400c93d0 - FormatMessageW
0x1400c93d8 - GetProcessGroupAffinity
0x1400c93e0 - LocalFree
0x1400c93e8 - WideCharToMultiByte
0x1400c93f0 - VerifyVersionInfoW
0x1400c93f8 - GetLastError
0x1400c9400 - GetPriorityClass
0x1400c9408 - SetProcessWorkingSetSize
0x1400c9410 - TerminateProcess
0x1400c9418 - GetLogicalProcessorInformationEx
0x1400c9420 - GetHandleInformation
0x1400c9428 - GetUserDefaultUILanguage
0x1400c9430 - GetModuleFileNameW
0x1400c9438 - GetStartupInfoW
0x1400c9440 - ProcessIdToSessionId
0x1400c9448 - SetLastError
0x1400c9450 - GetVolumeNameForVolumeMountPointW
0x1400c9458 - MoveFileW
0x1400c9460 - GetSystemDirectoryW
0x1400c9468 - GlobalAlloc
0x1400c9470 - GlobalLock
0x1400c9478 - GlobalUnlock
0x1400c9480 - GetProcessPriorityBoost
0x1400c9488 - ResumeThread
0x1400c9490 - GetLocalTime
0x1400c9498 - OpenMutexW
0x1400c94a0 - K32GetModuleBaseNameW
0x1400c94a8 - GetDateFormatW
0x1400c94b0 - GetTimeFormatW
0x1400c94b8 - GetCurrentThreadId
0x1400c94c0 - SuspendThread
0x1400c94c8 - GetExitCodeThread
0x1400c94d0 - MoveFileExW
0x1400c94d8 - FlushFileBuffers
0x1400c94e0 - FindNextFileW
0x1400c94e8 - LocalAlloc
0x1400c94f0 - MulDiv
0x1400c94f8 - LocalLock
0x1400c9500 - LocalUnlock
0x1400c9508 - ReleaseSRWLockExclusive
0x1400c9510 - AcquireSRWLockExclusive
0x1400c9518 - TryAcquireSRWLockExclusive
0x1400c9520 - WaitForSingleObjectEx
0x1400c9528 - LoadLibraryExW
0x1400c9530 - GetStringTypeW
0x1400c9538 - EncodePointer
0x1400c9540 - QueryPerformanceCounter
0x1400c9548 - WakeAllConditionVariable
0x1400c9550 - SleepConditionVariableSRW
0x1400c9558 - CompareStringEx
0x1400c9560 - GetCPInfo
0x1400c9568 - LCMapStringEx
0x1400c9570 - IsDebuggerPresent
0x1400c9578 - OutputDebugStringW
0x1400c9580 - RaiseException
0x1400c9588 - RtlCaptureContext
0x1400c9590 - RtlLookupFunctionEntry
0x1400c9598 - RtlVirtualUnwind
0x1400c95a0 - UnhandledExceptionFilter
0x1400c95a8 - IsProcessorFeaturePresent
0x1400c95b0 - InitializeSListHead
0x1400c95b8 - RtlUnwindEx
0x1400c95c0 - RtlPcToFileHeader
0x1400c95c8 - TlsAlloc
0x1400c95d0 - TlsGetValue
0x1400c95d8 - TlsSetValue
0x1400c95e0 - TlsFree
0x1400c95e8 - ExitThread
0x1400c95f0 - FreeLibraryAndExitThread
0x1400c95f8 - GetModuleHandleExW
0x1400c9600 - GetStdHandle
0x1400c9608 - GetCommandLineA
0x1400c9610 - GetFileType
0x1400c9618 - FlsAlloc
0x1400c9620 - FlsGetValue
0x1400c9628 - FlsSetValue
0x1400c9630 - FlsFree
0x1400c9638 - CompareStringW
0x1400c9640 - LCMapStringW
0x1400c9648 - GetLocaleInfoW
0x1400c9650 - IsValidLocale
0x1400c9658 - GetUserDefaultLCID
0x1400c9660 - EnumSystemLocalesW
0x1400c9668 - GetFileSizeEx
0x1400c9670 - SetFilePointerEx
0x1400c9678 - GetTimeZoneInformation
0x1400c9680 - FindClose
0x1400c9688 - FindFirstFileExW
0x1400c9690 - IsValidCodePage
0x1400c9698 - GetACP
0x1400c96a0 - GetOEMCP
0x1400c96a8 - GetEnvironmentStringsW
0x1400c96b0 - FreeEnvironmentStringsW
0x1400c96b8 - SetEnvironmentVariableW
0x1400c96c0 - SetStdHandle
0x1400c96c8 - GetConsoleOutputCP
0x1400c96d0 - GetConsoleMode
0x1400c96d8 - WriteConsoleW
0x1400c96e0 - HeapSize
0x1400c96e8 - CreateFileW
0x1400c96f0 - WaitForSingleObject
0x1400c96f8 - InitializeCriticalSectionEx
0x1400c9700 - HeapFree
0x1400c9708 - SizeofResource
0x1400c9710 - VerSetConditionMask
0x1400c9718 - GetLocaleInfoEx
Library USER32.dll:
0x1400c9790 - SetRect
0x1400c9798 - GetActiveWindow
0x1400c97a0 - GetLastActivePopup
0x1400c97a8 - MessageBeep
0x1400c97b0 - BeginPaint
0x1400c97b8 - DrawIcon
0x1400c97c0 - EndPaint
0x1400c97c8 - GetSysColor
0x1400c97d0 - GetDialogBaseUnits
0x1400c97d8 - SystemParametersInfoW
0x1400c97e0 - DrawTextW
0x1400c97e8 - LoadIconW
0x1400c97f0 - DestroyIcon
0x1400c97f8 - FillRect
0x1400c9800 - IsWindow
0x1400c9808 - GetClassNameW
0x1400c9810 - EnableMenuItem
0x1400c9818 - GetSystemMenu
0x1400c9820 - SetFocus
0x1400c9828 - SetWindowPos
0x1400c9830 - SetForegroundWindow
0x1400c9838 - GetWindowRect
0x1400c9840 - MoveWindow
0x1400c9848 - SetTimer
0x1400c9850 - KillTimer
0x1400c9858 - WinHelpW
0x1400c9860 - RedrawWindow
0x1400c9868 - GetAsyncKeyState
0x1400c9870 - PeekMessageW
0x1400c9878 - IsDialogMessageW
0x1400c9880 - TranslateMessage
0x1400c9888 - DispatchMessageW
0x1400c9890 - WaitMessage
0x1400c9898 - PostQuitMessage
0x1400c98a0 - DestroyWindow
0x1400c98a8 - EnumWindows
0x1400c98b0 - IsWindowVisible
0x1400c98b8 - GetWindow
0x1400c98c0 - SendMessageW
0x1400c98c8 - GetSystemMetrics
0x1400c98d0 - GetClientRect
0x1400c98d8 - LoadStringW
0x1400c98e0 - wvsprintfW
0x1400c98e8 - GetWindowLongPtrW
0x1400c98f0 - SetWindowLongPtrW
0x1400c98f8 - SetWindowTextW
0x1400c9900 - CloseClipboard
0x1400c9908 - SetClipboardData
0x1400c9910 - EmptyClipboard
0x1400c9918 - OpenClipboard
0x1400c9920 - EnableWindow
0x1400c9928 - GetWindowTextW
0x1400c9930 - CheckDlgButton
0x1400c9938 - CreateDialogIndirectParamW
0x1400c9940 - MessageBoxW
0x1400c9948 - GetDlgItem
0x1400c9950 - GetParent
0x1400c9958 - PostMessageW
0x1400c9960 - GetForegroundWindow
0x1400c9968 - GetWindowThreadProcessId
0x1400c9970 - GetLastInputInfo
Library ADVAPI32.dll:
0x1400c9000 - DuplicateTokenEx
0x1400c9008 - EnumServicesStatusExW
0x1400c9010 - StartServiceW
0x1400c9018 - QueryServiceStatus
0x1400c9020 - QueryServiceConfigW
0x1400c9028 - CloseServiceHandle
0x1400c9030 - OpenServiceW
0x1400c9038 - GetUserNameW
0x1400c9040 - InitializeSecurityDescriptor
0x1400c9048 - SetSecurityDescriptorDacl
0x1400c9050 - OpenProcessToken
0x1400c9058 - LookupPrivilegeValueW
0x1400c9060 - AdjustTokenPrivileges
0x1400c9068 - RegOpenKeyExW
0x1400c9070 - RegCreateKeyExW
0x1400c9078 - RegDeleteValueW
0x1400c9080 - RegCloseKey
0x1400c9088 - RegQueryValueExW
0x1400c9090 - RegSetValueExW
0x1400c9098 - GetTokenInformation
0x1400c90a0 - ControlService
0x1400c90a8 - ConvertStringSidToSidW
0x1400c90b0 - SetTokenInformation
0x1400c90b8 - GetLengthSid
0x1400c90c0 - CreateProcessAsUserW
0x1400c90c8 - LookupAccountSidW
0x1400c90d0 - GetSidSubAuthorityCount
0x1400c90d8 - GetSidSubAuthority
0x1400c90e0 - RegDeleteKeyW
0x1400c90e8 - RegQueryInfoKeyW
0x1400c90f0 - RegEnumKeyExW
0x1400c90f8 - OpenSCManagerW
Library SHELL32.dll:
0x1400c9758 - ShellExecuteExW
0x1400c9760 - SHGetSpecialFolderPathW
0x1400c9768 - ShellExecuteW
0x1400c9770 - SHCreateDirectoryExW
Library OLEAUT32.dll:
0x1400c9728 - SysFreeString
0x1400c9730 - VariantClear
Library WTSAPI32.dll:
0x1400c9980 - WTSFreeMemory
0x1400c9988 - WTSQuerySessionInformationW
Library SHLWAPI.dll:
0x1400c9780 - SHDeleteKeyW
Library pdh.dll:
0x1400c99c0 - PdhCloseQuery
0x1400c99c8 - PdhCollectQueryData
0x1400c99d0 - PdhAddEnglishCounterW
0x1400c99d8 - PdhGetFormattedCounterValue
0x1400c99e0 - PdhRemoveCounter
0x1400c99e8 - PdhOpenQueryW
Library dbghelp.dll:
0x1400c9998 - MiniDumpWriteDump
Library RPCRT4.dll:
0x1400c9740 - UuidCreate
0x1400c9748 - UuidFromStringW
Library GDI32.dll:
0x1400c9108 - SetTextColor
0x1400c9110 - SetBkColor
0x1400c9118 - SelectObject
0x1400c9120 - DeleteDC
0x1400c9128 - CreateFontIndirectW
0x1400c9130 - CreateDCW
0x1400c9138 - CreateSolidBrush
0x1400c9140 - DeleteObject
0x1400c9148 - GetTextExtentPoint32W
Library ole32.dll:
0x1400c99a8 - StringFromGUID2
0x1400c99b0 - IIDFromString

Dropped files

No information

Behavior analysis

Mutexes
  • Local\MSCTF.Asm.MutexDefault1
Commands executed: No information
Services created: No information
Services started: No information

Processes

ProcessGovernor.exe PID: 2604, Parent PID: 2244

Files accessed
  • C:\Users\test\AppData\Local\Temp\pl_rsrc_english.dll
  • C:\Windows\sysnative\pl_rsrc_english.dll
  • C:\Windows\system\pl_rsrc_english.dll
  • C:\Windows\pl_rsrc_english.dll
  • C:\ProgramData\Oracle\Java\javapath\pl_rsrc_english.dll
  • C:\Windows\sysnative\wbem\pl_rsrc_english.dll
  • C:\Windows\sysnative\WindowsPowerShell\v1.0\pl_rsrc_english.dll
  • C:\Program Files (x86)\WinRAR\pl_rsrc_english.dll
  • C:\Windows\Fonts\staticcache.dat
  • \Device\KsecDD
  • C:\Windows\Globalization\Sorting\sortdefault.nls
Files read
  • C:\Windows\Fonts\staticcache.dat
  • \Device\KsecDD
  • C:\Windows\Globalization\Sorting\sortdefault.nls
Files modified: No information
Files deleted: No information
Registry keys
  • HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
  • HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
  • HKEY_LOCAL_MACHINE\Software\ProcessLasso
  • HKEY_LOCAL_MACHINE\SOFTWARE\ProcessLasso\DateTimeFormat
  • HKEY_CURRENT_USER\Software\ProcessLasso
  • HKEY_LOCAL_MACHINE\SOFTWARE\ProcessLasso\InstallerLanguageDWORD
  • HKEY_LOCAL_MACHINE\SOFTWARE\ProcessLasso\InstallerLanguage
  • HKEY_LOCAL_MACHINE\SOFTWARE\ProcessLasso\Language
  • HKEY_CURRENT_USER\Software\ProcessLasso\Language
  • HKEY_CURRENT_USER\Software\ProcessLasso\InstallerLanguageDWORD
  • HKEY_LOCAL_MACHINE\SOFTWARE\ProcessLasso
  • HKEY_LOCAL_MACHINE\SOFTWARE\ProcessLasso\ProcessLasso
  • HKEY_CURRENT_USER\SOFTWARE\ProcessLasso
  • HKEY_CURRENT_USER\Software\ProcessLasso\ProcessLasso
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane2
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane3
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane4
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane5
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane6
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane7
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane8
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane9
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane10
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane11
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane12
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane13
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane14
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane15
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane16
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\ProcessGovernor.exe
  • HKEY_LOCAL_MACHINE\Software\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{03B5835F-F03C-411B-9CE2-AA23E1171E36}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{07EB03D6-B001-41DF-9192-BF9B841EE71F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3697C5FA-60DD-4B56-92D4-74A569205C16}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3FC47A08-E5C9-4BCA-A2C7-BC9A282AED14}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{531FDEBF-9B4C-4A43-A2AA-960E8FCDC732}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{78CB5B0E-26ED-4FCC-854C-77E8F3D1AA80}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{81D4E9C9-1D3B-41BC-9E6C-4B40BF79E35E}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{8613E14C-D0C0-4161-AC0F-1DD2563286BC}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{A028AE76-01B1-46C2-99C4-ACD9858AE02F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{AE6BE008-07FB-400D-8BEB-337A64F7051F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{C1EE01F2-B3B6-4A6A-9DDD-E988C088EC82}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{E429B25A-E5D3-4D1F-9BE3-0C608477E3A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F25E9F57-2FC8-4EB3-A41A-CCE5F08541E6}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F89E9E58-BD2F-4008-9AC2-0F816C09F4EE}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_CURRENT_USER
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
  • HKEY_CURRENT_USER\Software\Microsoft\CTF\DirectSwitchHotkeys
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\EnableAnchorContext
  • HKEY_CURRENT_USER\Software\Microsoft\CTF\LayoutIcon\0804\00000804
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\KnownClasses
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
Registry keys read
  • HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
  • HKEY_LOCAL_MACHINE\SOFTWARE\ProcessLasso\DateTimeFormat
  • HKEY_LOCAL_MACHINE\SOFTWARE\ProcessLasso\InstallerLanguageDWORD
  • HKEY_LOCAL_MACHINE\SOFTWARE\ProcessLasso\InstallerLanguage
  • HKEY_LOCAL_MACHINE\SOFTWARE\ProcessLasso\Language
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane2
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane3
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane4
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane5
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane6
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane7
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane8
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane9
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane10
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane11
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane12
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane13
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane14
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane15
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane16
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\EnableAnchorContext
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
Registry keys modified
  • HKEY_LOCAL_MACHINE\Software\ProcessLasso
  • HKEY_CURRENT_USER\Software\ProcessLasso
  • HKEY_CURRENT_USER\Software\ProcessLasso\Language
  • HKEY_LOCAL_MACHINE\SOFTWARE\ProcessLasso\Language
  • HKEY_CURRENT_USER\Software\ProcessLasso\InstallerLanguageDWORD
  • HKEY_LOCAL_MACHINE\SOFTWARE\ProcessLasso\InstallerLanguageDWORD
  • HKEY_LOCAL_MACHINE\SOFTWARE\ProcessLasso\ProcessLasso
  • HKEY_CURRENT_USER\Software\ProcessLasso\ProcessLasso
Registry keys deleted: No information
API resolution
  • kernel32.dll.InitializeCriticalSectionEx
  • kernel32.dll.FlsAlloc
  • kernel32.dll.FlsSetValue
  • kernel32.dll.LCMapStringEx
  • powrprof.dll.PowerSetActiveScheme
  • powrprof.dll.PowerGetActiveScheme
  • powrprof.dll.PowerEnumerate
  • powrprof.dll.PowerReadFriendlyName
  • powrprof.dll.PowerDuplicateScheme
  • powrprof.dll.PowerWriteFriendlyName
  • powrprof.dll.PowerWriteDescription
  • powrprof.dll.PowerDeleteScheme
  • powrprof.dll.PowerReadACValueIndex
  • powrprof.dll.PowerReadDCValueIndex
  • powrprof.dll.PowerWriteACValueIndex
  • powrprof.dll.PowerWriteDCValueIndex
  • powrprof.dll.PowerReadPossibleValue
  • powrprof.dll.PowerWriteSettingAttributes
  • gdi32.dll.GetLayout
  • gdi32.dll.GdiRealizationInfo
  • gdi32.dll.FontIsLinked
  • advapi32.dll.RegOpenKeyExW
  • advapi32.dll.RegQueryInfoKeyW
  • gdi32.dll.GetTextFaceAliasW
  • advapi32.dll.RegEnumValueW
  • advapi32.dll.RegCloseKey
  • advapi32.dll.RegQueryValueExW
  • advapi32.dll.RegQueryValueExA
  • advapi32.dll.RegEnumKeyExW
  • gdi32.dll.GetTextExtentExPointWPri
  • ole32.dll.CoInitializeEx
  • ole32.dll.CoUninitialize
  • cryptbase.dll.SystemFunction036
  • ole32.dll.CoRegisterInitializeSpy
  • ole32.dll.CoRevokeInitializeSpy
  • kernel32.dll.SortGetHandle
  • kernel32.dll.SortCloseHandle
  • oleaut32.dll.SysAllocString
  • oleaut32.dll.SysStringLen
  • oleaut32.dll.SysFreeString
  • oleaut32.dll.#500