Maldun Security Analysis Report

Analysis type   Start time            End time              Duration   Engine version
FILE            2019-11-09 22:57:15   2019-11-09 22:59:35   140 s      1.4-Maldun
VM name                   Label                     Hypervisor   Boot time             Shutdown time
win7-sp1-x64-hpdapp01-1   win7-sp1-x64-hpdapp01-1   KVM          2019-11-09 22:57:25   2019-11-09 22:59:35
Maldun score

6.65

Malicious

File details

File name smzz.exe
File size 4313904 bytes
File type PE32 executable (GUI) Intel 80386, for MS Windows
CRC32 5CA3E97C
MD5 0d7b1fe28e1be419a7c42232b679795b
SHA1 59bf7c603e0b9af3045f7a8a790071b5bdfd64b4
SHA256 bec3266e76b7f9b208935f1934bc6f14c7b0cf61302a9e6eaaeb3ed3ab5ee5db
SHA512 80f8819ed7f5dfee0bb5b57c1a11e8807bc04d50b64675b90bf101ed2756cc4512b1fc661b2ea6ee93a969517c7fddc66d95c49f67aa9bf876ac312cd2c230cd
Ssdeep 98304:25ViW0WTWnxhxY0T769Zs9pX2o31ZC3hTvOU3kSqu:60D3mC71vX2o31Zsh6u7qu
PEiD No match
Yara
  • DebuggerTiming__Ticks (Detected timing ticks function)
  • screenshot (Detected take screenshot function)
  • keylogger (Detected keylogger function)
  • win_registry (Detected system registries modification function)
  • change_win_registry (Change registries to affect system)
  • win_files_operation (Affect private profile)
  • win_hook (Detected hook table access function)
  • win_private_profile (Detected private profile access function)
  • with_urls (Detected the presence of an or several urls)
  • IsPE32 (Detected a 32bit PE sample)
  • IsWindowsGUI (Detected a Windows GUI sample)
  • IsPacked (Detected Entropy signature)
  • HasOverlay (Detected Overlay signature)
  • HasDigitalSignature (Detected Digital Signature)
  • HasRichSignature (Detected Rich Signature)
VirusTotal No scan results for this file

Signatures

The binary may contain encrypted or compressed data
section: name: .vmp1, entropy: 7.80, characteristics: IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE, raw_size: 0x0041a000, virtual_size: 0x004197b1
Repeatedly searches for a process that cannot be found; you may want to run the sample with the startbrowser=1 option
Maldun Security Yara rule detection results - security alert
Informational: Detected Overlay signature
The executable may be packed with VMProtect
section: {'name': '.vmp0', 'characteristics': 'IMAGE_SCN_CNT_CODE|IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ', 'virtual_address': '0x003d8000', 'size_of_data': '0x00000000', 'entropy': '0.00', 'virtual_size': '0x00004060', 'characteristics_raw': '0x60000060'}
Expresses interest in specific running processes
process: smss.exe

Runtime screenshots

Network analysis

No information

Static analysis

PE information

Image base 0x00400000
Entry point 0x00be155c
Declared checksum 0x0042bd46
Actual checksum 0x0042bd46
Minimum OS version required 4.0
Compile time 2019-11-09 21:45:49
Import hash 91de9443c52b13d81c6c88f1fc933378

PE sections

Name Virtual address Virtual size Raw data size Characteristics Entropy
.text 0x00001000 0x00018d36 0x00000000 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 0.00
.rdata 0x0001a000 0x000040d6 0x00000000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 0.00
.data 0x0001f000 0x003b8f5e 0x00000000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 0.00
.vmp0 0x003d8000 0x00004060 0x00000000 IMAGE_SCN_CNT_CODE|IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 0.00
.vmp1 0x003dd000 0x004197b1 0x0041a000 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 7.80
.reloc 0x007f7000 0x00000088 0x00001000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ 0.28

Imports

Library WINMM.dll:
0x7dd000 - PlaySoundA
Library KERNEL32.dll:
0x7dd008 - LocalFree
0x7dd00c - FlushFileBuffers
0x7dd010 - lstrcpynA
0x7dd014 - LocalAlloc
0x7dd018 - InitializeCriticalSection
0x7dd01c - TlsAlloc
0x7dd020 - DeleteCriticalSection
0x7dd024 - GlobalHandle
0x7dd028 - TlsFree
0x7dd02c - LeaveCriticalSection
0x7dd030 - GlobalReAlloc
0x7dd034 - EnterCriticalSection
0x7dd038 - TlsSetValue
0x7dd03c - LocalReAlloc
0x7dd040 - TlsGetValue
0x7dd044 - GlobalFlags
0x7dd048 - WritePrivateProfileStringA
0x7dd04c - GlobalFindAtomA
0x7dd050 - GlobalAddAtomA
0x7dd054 - GlobalGetAtomNameA
0x7dd058 - GetProcessVersion
0x7dd05c - SetErrorMode
0x7dd060 - GetCPInfo
0x7dd064 - GetOEMCP
0x7dd068 - GetStartupInfoA
0x7dd06c - RtlUnwind
0x7dd070 - RaiseException
0x7dd074 - HeapSize
0x7dd078 - GetACP
0x7dd07c - UnhandledExceptionFilter
0x7dd080 - FreeEnvironmentStringsA
0x7dd084 - FreeEnvironmentStringsW
0x7dd088 - GetEnvironmentStrings
0x7dd08c - GetEnvironmentStringsW
0x7dd090 - SetHandleCount
0x7dd094 - GetStdHandle
0x7dd098 - GetFileType
0x7dd09c - GetEnvironmentVariableA
0x7dd0a0 - HeapDestroy
0x7dd0a4 - HeapCreate
0x7dd0a8 - VirtualFree
0x7dd0ac - VirtualAlloc
0x7dd0b0 - IsBadWritePtr
0x7dd0b4 - LCMapStringA
0x7dd0b8 - LCMapStringW
0x7dd0bc - SetUnhandledExceptionFilter
0x7dd0c0 - GetStringTypeA
0x7dd0c4 - GetStringTypeW
0x7dd0c8 - SetStdHandle
0x7dd0cc - IsBadCodePtr
0x7dd0d0 - InterlockedExchange
0x7dd0d4 - CreateEventA
0x7dd0d8 - CreateToolhelp32Snapshot
0x7dd0dc - Process32First
0x7dd0e0 - Process32Next
0x7dd0e4 - OpenProcess
0x7dd0e8 - CloseHandle
0x7dd0ec - lstrcpyn
0x7dd0f0 - RtlMoveMemory
0x7dd0f4 - QueryDosDeviceA
0x7dd0f8 - GetProcessHeap
0x7dd0fc - GetModuleHandleA
0x7dd100 - ExitProcess
0x7dd104 - HeapAlloc
0x7dd108 - HeapReAlloc
0x7dd10c - HeapFree
0x7dd110 - IsBadReadPtr
0x7dd114 - ReadFile
0x7dd118 - GetFileSize
0x7dd11c - CreateFileA
0x7dd120 - MoveFileA
0x7dd124 - WriteFile
0x7dd128 - CopyFileA
0x7dd12c - DeleteFileA
0x7dd130 - GetCommandLineA
0x7dd134 - GetModuleFileNameA
0x7dd138 - FreeLibrary
0x7dd13c - GetProcAddress
0x7dd140 - LoadLibraryA
0x7dd144 - GetTickCount
0x7dd148 - GlobalFree
0x7dd14c - GlobalUnlock
0x7dd150 - GlobalLock
0x7dd154 - SetFilePointer
0x7dd158 - GetLastError
0x7dd15c - GetCurrentProcess
0x7dd160 - GetVersionExA
0x7dd164 - TerminateProcess
0x7dd168 - Sleep
0x7dd16c - lstrcpyA
0x7dd170 - lstrlenA
0x7dd174 - MultiByteToWideChar
0x7dd178 - GlobalAlloc
0x7dd17c - SetLastError
0x7dd180 - lstrcatA
0x7dd184 - GetVersion
0x7dd188 - GetCurrentThreadId
0x7dd18c - GetCurrentThread
0x7dd190 - lstrcmpiA
0x7dd194 - lstrcmpA
0x7dd198 - GlobalDeleteAtom
0x7dd19c - InterlockedIncrement
0x7dd1a0 - InterlockedDecrement
0x7dd1a4 - WideCharToMultiByte
0x7dd1a8 - OpenEventA
Library USER32.dll:
0x7dd1b0 - GetMenuItemID
0x7dd1b4 - GetSubMenu
0x7dd1b8 - GetMenu
0x7dd1bc - RegisterClassA
0x7dd1c0 - GetClassInfoA
0x7dd1c4 - WinHelpA
0x7dd1c8 - GetCapture
0x7dd1cc - GetTopWindow
0x7dd1d0 - CopyRect
0x7dd1d4 - GetClientRect
0x7dd1d8 - AdjustWindowRectEx
0x7dd1dc - GetSysColor
0x7dd1e0 - MapWindowPoints
0x7dd1e4 - LoadIconA
0x7dd1e8 - LoadCursorA
0x7dd1ec - GetSysColorBrush
0x7dd1f0 - LoadStringA
0x7dd1f4 - DestroyMenu
0x7dd1f8 - CreateWindowExA
0x7dd1fc - GetMenuItemCount
0x7dd200 - SetWindowTextA
0x7dd204 - GetDlgCtrlID
0x7dd208 - RemovePropA
0x7dd20c - DestroyWindow
0x7dd210 - UnhookWindowsHookEx
0x7dd214 - GrayStringA
0x7dd218 - DrawTextA
0x7dd21c - TabbedTextOutA
0x7dd220 - ClientToScreen
0x7dd224 - DefWindowProcA
0x7dd228 - GetMessageTime
0x7dd22c - GetMessagePos
0x7dd230 - GetForegroundWindow
0x7dd234 - SetForegroundWindow
0x7dd238 - RegisterWindowMessageA
0x7dd23c - UnregisterClassA
0x7dd240 - GetClassLongA
0x7dd244 - SetPropA
0x7dd248 - GetPropA
0x7dd24c - CallWindowProcA
0x7dd250 - IsIconic
0x7dd254 - GetWindowPlacement
0x7dd258 - SetFocus
0x7dd25c - SetWindowPos
0x7dd260 - LoadBitmapA
0x7dd264 - GetMenuState
0x7dd268 - ModifyMenuA
0x7dd26c - SetMenuItemBitmaps
0x7dd270 - CheckMenuItem
0x7dd274 - EnableMenuItem
0x7dd278 - GetFocus
0x7dd27c - GetNextDlgTabItem
0x7dd280 - GetActiveWindow
0x7dd284 - GetKeyState
0x7dd288 - CallNextHookEx
0x7dd28c - ValidateRect
0x7dd290 - SetWindowsHookExA
0x7dd294 - GetLastActivePopup
0x7dd298 - IsWindowEnabled
0x7dd29c - EnableWindow
0x7dd2a0 - SetCursor
0x7dd2a4 - PostMessageA
0x7dd2a8 - PostQuitMessage
0x7dd2ac - GetParent
0x7dd2b0 - GetWindow
0x7dd2b4 - IsWindowVisible
0x7dd2b8 - GetWindowLongA
0x7dd2bc - GetWindowTextA
0x7dd2c0 - PeekMessageA
0x7dd2c4 - GetMessageA
0x7dd2c8 - TranslateMessage
0x7dd2cc - DispatchMessageA
0x7dd2d0 - wsprintfA
0x7dd2d4 - MessageBoxA
0x7dd2d8 - FindWindowA
0x7dd2dc - GetCursorPos
0x7dd2e0 - SetWindowLongA
0x7dd2e4 - GetDlgItem
0x7dd2e8 - ShowWindow
0x7dd2ec - SystemParametersInfoA
0x7dd2f0 - GetDC
0x7dd2f4 - ReleaseDC
0x7dd2f8 - GetClassNameA
0x7dd2fc - SendMessageA
0x7dd300 - GetWindowRect
0x7dd304 - GetSystemMetrics
0x7dd308 - PtInRect
0x7dd30c - GetMenuCheckMarkDimensions
Library GDI32.dll:
0x7dd314 - RestoreDC
0x7dd318 - SaveDC
0x7dd31c - CreateBitmap
0x7dd320 - SetBkColor
0x7dd324 - GetObjectA
0x7dd328 - GetStockObject
0x7dd32c - Escape
0x7dd330 - ExtTextOutA
0x7dd334 - TextOutA
0x7dd338 - SelectObject
0x7dd33c - DeleteDC
0x7dd340 - DeleteObject
0x7dd344 - PtVisible
0x7dd348 - RectVisible
0x7dd34c - SetTextColor
0x7dd350 - SetMapMode
0x7dd354 - SetViewportOrgEx
0x7dd358 - OffsetViewportOrgEx
0x7dd35c - SetViewportExtEx
0x7dd360 - ScaleViewportExtEx
0x7dd364 - SetWindowExtEx
0x7dd368 - ScaleWindowExtEx
0x7dd36c - GetClipBox
0x7dd370 - GetDeviceCaps
Library PSAPI.DLL:
0x7dd378 - GetProcessImageFileNameA
Library ADVAPI32.dll:
0x7dd380 - RegCloseKey
0x7dd384 - RegOpenKeyExA
0x7dd388 - RegSetValueExA
0x7dd38c - RegCreateKeyExA
Library WINSPOOL.DRV:
0x7dd394 - ClosePrinter
0x7dd398 - DocumentPropertiesA
0x7dd39c - OpenPrinterA
Library COMCTL32.dll:
0x7dd3a4 - None
Library KERNEL32.dll:
0x7dd3ac - VirtualProtect
0x7dd3b0 - GetModuleFileNameA
0x7dd3b4 - ExitProcess
Library USER32.dll:
0x7dd3bc - MessageBoxA

Dropped files

No information

Behavioral analysis

Mutexes
  • Local\MSCTF.Asm.MutexDefault1
Executed commands No information
Created services No information
Started services No information

Processes

smzz.exe PID: 2484, parent PID: 2332

Files accessed
  • C:\Windows\Fonts\staticcache.dat
  • C:\Windows\Globalization\Sorting\sortdefault.nls
Files read
  • C:\Windows\Fonts\staticcache.dat
  • C:\Windows\Globalization\Sorting\sortdefault.nls
Files modified No information
Files deleted No information
Registry keys
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\WMR
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane2
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane3
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane4
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane5
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane6
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane7
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane8
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane9
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane10
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane11
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane12
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane13
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane14
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane15
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane16
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\smzz.exe
  • HKEY_LOCAL_MACHINE\Software\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{03B5835F-F03C-411B-9CE2-AA23E1171E36}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{07EB03D6-B001-41DF-9192-BF9B841EE71F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3697C5FA-60DD-4B56-92D4-74A569205C16}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3FC47A08-E5C9-4BCA-A2C7-BC9A282AED14}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{531FDEBF-9B4C-4A43-A2AA-960E8FCDC732}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{78CB5B0E-26ED-4FCC-854C-77E8F3D1AA80}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{81D4E9C9-1D3B-41BC-9E6C-4B40BF79E35E}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{8613E14C-D0C0-4161-AC0F-1DD2563286BC}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{A028AE76-01B1-46C2-99C4-ACD9858AE02F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{AE6BE008-07FB-400D-8BEB-337A64F7051F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{C1EE01F2-B3B6-4A6A-9DDD-E988C088EC82}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{E429B25A-E5D3-4D1F-9BE3-0C608477E3A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F25E9F57-2FC8-4EB3-A41A-CCE5F08541E6}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F89E9E58-BD2F-4008-9AC2-0F816C09F4EE}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_CURRENT_USER
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
  • HKEY_CURRENT_USER\Software\Microsoft\CTF\DirectSwitchHotkeys
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
  • HKEY_CURRENT_USER\Software\Microsoft\CTF\LayoutIcon\0804\00000804
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\KnownClasses
Registry keys read
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane2
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane3
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane4
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane5
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane6
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane7
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane8
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane9
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane10
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane11
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane12
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane13
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane14
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane15
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane16
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
Registry keys modified No information
Registry keys deleted No information
Resolved APIs
  • kernel32.dll.IsProcessorFeaturePresent
  • gdi32.dll.GetLayout
  • gdi32.dll.GdiRealizationInfo
  • gdi32.dll.FontIsLinked
  • advapi32.dll.RegOpenKeyExW
  • advapi32.dll.RegQueryInfoKeyW
  • gdi32.dll.GetTextFaceAliasW
  • advapi32.dll.RegEnumValueW
  • advapi32.dll.RegCloseKey
  • advapi32.dll.RegQueryValueExW
  • advapi32.dll.RegQueryValueExA
  • advapi32.dll.RegEnumKeyExW
  • gdi32.dll.GetTextExtentExPointWPri
  • ole32.dll.CoInitializeEx
  • ole32.dll.CoUninitialize
  • cryptbase.dll.SystemFunction036
  • ole32.dll.CoRegisterInitializeSpy
  • ole32.dll.CoRevokeInitializeSpy
  • kernel32.dll.SortGetHandle
  • kernel32.dll.SortCloseHandle
  • gdi32.dll.GetFontAssocStatus
  • oleaut32.dll.SysAllocString
  • oleaut32.dll.SysStringLen
  • oleaut32.dll.SysFreeString
  • oleaut32.dll.#500