Maldun Security Analysis Report

Analysis type FILE
Start time 2019-12-29 22:48:00
End time 2019-12-29 22:50:21
Duration 141 seconds
Analysis engine version 1.4-Maldun
VM machine name win7-sp1-x64-hpdapp01-1
Label win7-sp1-x64-hpdapp01-1
VM manager KVM
Boot time 2019-12-29 22:48:10
Shutdown time 2019-12-29 22:50:22
Maldun score

3.5

Suspicious

File details

File name 逐鹿人.exe
File size 4560896 bytes
File type PE32 executable (GUI) Intel 80386, for MS Windows
CRC32 2E0052C0
MD5 2c4d390afe6232c37b1e30cf1ec52927
SHA1 aeb3d9b9ad665024a5c03b2f3068f8070fbb9f15
SHA256 a6f444713e100d821e3b2595e880e0813b1358a4164b8b323752018a9e1f6fc7
SHA512 7bad821106ecdd71536d241d5969ac0df17ea6552017f34a470ecab0b66536620d137927f4edd201aae85ea1205225396314dea24e21ec8aa9aa5651f82829e1
Ssdeep 49152:pmQKGYM3kP45R4ZCR/jSuQaNjQJCUXQuzRfV0kfw+QujY22RNi6x:UBP47k41NjiC18po+Bj6Pi6
PEiD No match
Yara
  • DebuggerTiming__PerformanceCounter ()
  • DebuggerTiming__Ticks (Detected timing ticks function)
  • anti_dbg (Detected self protection if being debugged)
  • screenshot (Detected take screenshot function)
  • create_process (Detection function for creating a new process)
  • keylogger (Detected keylogger function)
  • win_registry (Detected system registries modification function)
  • win_files_operation (Affect private profile)
  • win_private_profile (Detected private profile access function)
  • Maldun_Anomoly_Combined_Activities_7 (Spotted potential malicious behaviors from a small size target, like process manipulation, privilege, token and files)
  • with_urls (Detected the presence of an or several urls)
  • UPX (Detected UPX. Commonly used by RAT!)
  • CRC32_poly_Constant (Look for CRC32 [poly])
  • CRC32_table (Look for CRC32 table)
  • MD5_Constants (Look for MD5 constants)
  • RijnDael_AES (Look for RijnDael AES)
  • IsPE32 (Detected a 32bit PE sample)
  • IsWindowsGUI (Detected a Windows GUI sample)
  • IsPacked (Detected Entropy signature)
  • HasTaggantSignature (Detected Taggant Signature)
  • HasRichSignature (Detected Rich Signature)
VirusTotal No scan result for this file

Signatures

Creates RWX memory
The binary likely contains encrypted or compressed data
section: name: .data, entropy: 7.26, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE, raw_size: 0x0038ce00, virtual_size: 0x003a4560
Maldun Security Yara rule detection results - security alerts
Critical: Spotted potential malicious behaviors from a small size target, like process manipulation, privilege, token and files
Warning: Detected UPX. Commonly used by RAT!
Informational: Detected Taggant Signature

Runtime screenshots

Network analysis

No information

Static analysis

PE information

Image base 0x00400000
Entry point 0x00401000
Declared checksum 0x00000000
Actual checksum 0x004634aa
Minimum OS version required 4.0
Compile time 2019-12-29 22:42:15
Import hash e9f45238b186fd000263a217191b6ef2

PE sections

Name Virtual address Virtual size Raw data size Characteristics Entropy
.text 0x00001000 0x000ad6cc 0x000ad800 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 6.05
.rdata 0x000af000 0x0000e146 0x0000e200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 4.88
.data 0x000be000 0x003a4560 0x0038ce00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 7.26
.rsrc 0x00463000 0x00010b40 0x00010c00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 2.63

Imports

Library KERNEL32.dll:
0x4af060 - LoadResource
0x4af064 - LockResource
0x4af068 - SizeofResource
0x4af06c - FreeResource
0x4af070 - lstrlenW
0x4af074 - GlobalSize
0x4af078 - LocalSize
0x4af07c - DeviceIoControl
0x4af080 - CreateFileA
0x4af084 - GetLastError
0x4af088 - ExitProcess
0x4af08c - HeapAlloc
0x4af090 - HeapReAlloc
0x4af094 - IsBadReadPtr
0x4af098 - GetPrivateProfileStringA
0x4af09c - GetModuleFileNameA
0x4af0a0 - WriteFile
0x4af0a4 - SetFileAttributesA
0x4af0a8 - FindResourceA
0x4af0ac - CreateProcessA
0x4af0b0 - GetStartupInfoA
0x4af0b4 - GetTickCount
0x4af0b8 - Sleep
0x4af0bc - FindClose
0x4af0c0 - FindNextFileA
0x4af0c4 - DeleteFileA
0x4af0c8 - RemoveDirectoryA
0x4af0cc - FindFirstFileA
0x4af0d0 - RtlMoveMemory
0x4af0d4 - ReadFile
0x4af0d8 - GetFileSize
0x4af0dc - GetUserDefaultLCID
0x4af0e0 - FormatMessageA
0x4af0e4 - GetCommandLineA
0x4af0e8 - FreeLibrary
0x4af0ec - LoadLibraryA
0x4af0f0 - GetNativeSystemInfo
0x4af0f4 - WaitForSingleObject
0x4af0f8 - GetProcessHeap
0x4af0fc - GetTempPathA
0x4af100 - GetSystemDirectoryA
0x4af104 - GetWindowsDirectoryA
0x4af108 - GetSystemInfo
0x4af10c - IsProcessorFeaturePresent
0x4af110 - CloseHandle
0x4af114 - SetWaitableTimer
0x4af118 - MapViewOfFile
0x4af11c - OpenFileMappingA
0x4af120 - CreateThread
0x4af124 - GetModuleHandleA
0x4af128 - Module32First
0x4af12c - MoveFileA
0x4af130 - CreateDirectoryA
0x4af134 - IsWow64Process
0x4af138 - Process32Next
0x4af13c - Process32First
0x4af140 - GetModuleHandleW
0x4af144 - CreateToolhelp32Snapshot
0x4af148 - CreateWaitableTimerW
0x4af14c - HeapFree
0x4af150 - GlobalFree
0x4af154 - GlobalUnlock
0x4af158 - GlobalLock
0x4af15c - GlobalAlloc
0x4af160 - VirtualAlloc
0x4af164 - MultiByteToWideChar
0x4af168 - WideCharToMultiByte
0x4af16c - GetProcAddress
0x4af170 - VirtualFree
0x4af174 - LCMapStringA
Library USER32.dll:
0x4af22c - LoadCursorW
0x4af230 - LookupIconIdFromDirectoryEx
0x4af234 - RegisterClassExW
0x4af238 - DefWindowProcW
0x4af23c - SetCursor
0x4af240 - BringWindowToTop
0x4af244 - KillTimer
0x4af248 - GetAsyncKeyState
0x4af24c - IntersectRect
0x4af250 - InvalidateRect
0x4af254 - UpdateLayeredWindow
0x4af258 - SendMessageA
0x4af25c - UpdateWindow
0x4af260 - ReleaseCapture
0x4af264 - CreateWindowExW
0x4af268 - SendMessageW
0x4af26c - SystemParametersInfoA
0x4af270 - GetClassNameW
0x4af274 - MoveWindow
0x4af278 - GetMessageW
0x4af27c - TranslateMessage
0x4af280 - DispatchMessageW
0x4af284 - GetSystemMetrics
0x4af288 - PostMessageW
0x4af28c - IsZoomed
0x4af290 - IsIconic
0x4af294 - GetPropA
0x4af298 - LoadCursorFromFileW
0x4af29c - SetTimer
0x4af2a0 - PtInRect
0x4af2a4 - ReleaseDC
0x4af2a8 - SetCaretPos
0x4af2ac - GetCursorPos
0x4af2b0 - CallWindowProcW
0x4af2b4 - PeekMessageA
0x4af2b8 - GetMessageA
0x4af2bc - DispatchMessageA
0x4af2c0 - wsprintfA
0x4af2c4 - MessageBoxA
0x4af2c8 - SetForegroundWindow
0x4af2cc - RemovePropA
0x4af2d0 - SetWindowRgn
0x4af2d4 - GetWindowTextW
0x4af2d8 - GetClassLongW
0x4af2dc - SetPropA
0x4af2e0 - SetWindowPos
0x4af2e4 - SetWindowLongW
0x4af2e8 - SetFocus
0x4af2ec - FindWindowExA
0x4af2f0 - GetDesktopWindow
0x4af2f4 - GetWindow
0x4af2f8 - IsWindowVisible
0x4af2fc - GetWindowTextA
0x4af300 - GetClassNameA
0x4af304 - GetWindowThreadProcessId
0x4af308 - ClientToScreen
0x4af30c - GetWindowRect
0x4af310 - GetParent
0x4af314 - MsgWaitForMultipleObjects
0x4af318 - CopyImage
0x4af31c - CreateIconFromResourceEx
0x4af320 - GetFocus
0x4af324 - SetCapture
0x4af328 - EndPaint
0x4af32c - BeginPaint
0x4af330 - ShowWindow
0x4af334 - IsWindow
0x4af338 - TrackMouseEvent
Library ADVAPI32.dll:
0x4af000 - ControlService
0x4af004 - CreateServiceA
0x4af008 - CloseServiceHandle
0x4af00c - OpenServiceA
0x4af010 - StartServiceA
0x4af014 - DeleteService
0x4af018 - RegCloseKey
0x4af01c - RegQueryValueExA
0x4af020 - RegOpenKeyA
0x4af024 - OpenSCManagerA
Library SHELL32.dll:
0x4af214 - ShellExecuteA
0x4af218 - Shell_NotifyIconW
0x4af21c - SHGetSpecialFolderPathA
Library ole32.dll:
0x4af47c - CLSIDFromProgID
0x4af480 - CoCreateInstance
0x4af484 - OleRun
0x4af488 - CoUninitialize
0x4af48c - CoInitialize
0x4af490 - StringFromGUID2
0x4af494 - CLSIDFromString
0x4af498 - CreateStreamOnHGlobal
Library SHLWAPI.dll:
0x4af224 - PathFileExistsA
Library GDI32.dll:
0x4af02c - BitBlt
0x4af030 - CreateDIBSection
0x4af034 - SelectObject
0x4af038 - DeleteObject
0x4af03c - DeleteDC
0x4af040 - CreateRoundRectRgn
0x4af044 - CreateRectRgn
0x4af048 - GetDIBits
0x4af04c - CreateCompatibleDC
Library gdiplus.dll:
0x4af340 - GdipCreateHBITMAPFromBitmap
0x4af344 - GdipGetCompositingQuality
0x4af348 - GdipCreatePathGradientFromPath
0x4af34c - GdipDrawPolygon
0x4af350 - GdipFillPolygon
0x4af354 - GdipCreatePen2
0x4af358 - GdipCreateLineBrush
0x4af35c - GdipFillPath
0x4af360 - GdipClosePathFigure
0x4af364 - GdipAddPathArc
0x4af368 - GdipCreatePath
0x4af36c - GdipDeletePath
0x4af370 - GdipDrawPath
0x4af374 - GdipCreateRegionHrgn
0x4af378 - GdipDeleteRegion
0x4af37c - GdipGetRegionBounds
0x4af380 - GdipMeasureCharacterRanges
0x4af384 - GdipCreateRegion
0x4af388 - GdipSetStringFormatMeasurableCharacterRanges
0x4af38c - GdipGetImageEncoders
0x4af390 - GdipGetImageEncodersSize
0x4af394 - GdipSaveImageToStream
0x4af398 - GdipLoadImageFromStream
0x4af39c - GdipGetPropertyItem
0x4af3a0 - GdipGetPropertyItemSize
0x4af3a4 - GdipImageGetFrameCount
0x4af3a8 - GdipImageSelectActiveFrame
0x4af3ac - GdipGetStringFormatFlags
0x4af3b0 - GdipGetStringFormatTrimming
0x4af3b4 - GdipGetStringFormatAlign
0x4af3b8 - GdipSetStringFormatFlags
0x4af3bc - GdipSetStringFormatTrimming
0x4af3c0 - GdipSetStringFormatAlign
0x4af3c4 - GdipSetInterpolationMode
0x4af3c8 - GdipSetCompositingQuality
0x4af3cc - GdipGetImageGraphicsContext
0x4af3d0 - GdipCreateBitmapFromScan0
0x4af3d4 - GdipDrawString
0x4af3d8 - GdipCreateSolidFill
0x4af3dc - GdipGetFontHeight
0x4af3e0 - GdipMeasureString
0x4af3e4 - GdipDeleteBrush
0x4af3e8 - GdipFillRectangle
0x4af3ec - GdipCreateLineBrushFromRect
0x4af3f0 - GdipDeleteStringFormat
0x4af3f4 - GdipSetStringFormatHotkeyPrefix
0x4af3f8 - GdipCreateStringFormat
0x4af3fc - GdipDrawImageRect
0x4af400 - GdipBitmapUnlockBits
0x4af404 - GdipBitmapLockBits
0x4af408 - GdipDisposeImage
0x4af40c - GdipGetImageHeight
0x4af410 - GdipGetImageWidth
0x4af414 - GdipCloneBitmapArea
0x4af418 - GdipGetImagePixelFormat
0x4af41c - GdipDrawImageRectRect
0x4af420 - GdipGraphicsClear
0x4af424 - GdipSetSmoothingMode
0x4af428 - GdipGetSmoothingMode
0x4af42c - GdipCreateFromHDC
0x4af430 - GdipDeleteGraphics
0x4af434 - GdipResetClip
0x4af438 - GdipSetClipRect
0x4af43c - GdipSetClipRegion
0x4af440 - GdipCreateImageAttributes
0x4af444 - GdipSetPenDashStyle
0x4af448 - GdipDeletePen
0x4af44c - GdipDrawRectangle
0x4af450 - GdipSetTextRenderingHint
0x4af454 - GdipGetTextRenderingHint
0x4af458 - GdipDeleteFont
0x4af45c - GdipDeleteFontFamily
0x4af460 - GdipCreateFontFamilyFromName
0x4af464 - GdipCreateFont
0x4af468 - GdipGetFontStyle
0x4af46c - GdipGetFontSize
0x4af470 - GdipGetFamilyName
0x4af474 - GdiplusStartup
Library OLEAUT32.dll:
0x4af1e0 - VarR8FromCy
0x4af1e4 - VarR8FromBool
0x4af1e8 - VariantChangeType
0x4af1ec - LoadTypeLib
0x4af1f0 - LHashValOfNameSys
0x4af1f4 - RegisterTypeLib
0x4af1f8 - VariantCopy
0x4af1fc - SafeArrayCreate
0x4af200 - SysAllocString
0x4af204 - VariantClear
0x4af208 - SafeArrayDestroy
0x4af20c - OleLoadPicture
Library IMM32.dll:
0x4af054 - ImmGetContext
0x4af058 - ImmAssociateContext
Library MSVCRT.dll:
0x4af17c - rand
0x4af180 - _ftol
0x4af184 - floor
0x4af188 - modf
0x4af18c - ??2@YAPAXI@Z
0x4af190 - ??3@YAXPAX@Z
0x4af194 - srand
0x4af198 - _CIfmod
0x4af19c - strtod
0x4af1a0 - free
0x4af1a4 - malloc
0x4af1a8 - strncpy
0x4af1ac - strncmp
0x4af1b0 - __CxxFrameHandler
0x4af1b4 - strchr
0x4af1b8 - realloc
0x4af1bc - memmove
0x4af1c0 - _CIacos
0x4af1c4 - _finite
0x4af1c8 - strrchr
0x4af1cc - _CIpow
0x4af1d0 - _stricmp
0x4af1d4 - sprintf
0x4af1d8 - atoi

Dropped files

No information

Behavior analysis

Mutexes
  • Local\MSCTF.Asm.MutexDefault1
Commands executed No information
Services created No information
Services started No information

Processes

_________.exe PID: 2492, parent PID: 2332

Files accessed
  • \Device\KsecDD
  • C:\Windows\Globalization\Sorting\sortdefault.nls
  • C:\Users\test\AppData\Local\GDIPFONTCACHEV1.DAT
  • C:\Windows\Fonts\AGENCYR.TTF
  • C:\Windows\Fonts\simsun.ttc
  • C:\Windows\System32\msxml3.dll\1
  • C:\Windows\System32\msxml3.dll
  • C:\Windows\SysWOW64\stdole2.tlb
  • C:\Windows\Fonts\msyh.ttf
  • C:\Windows\Fonts\msyhbd.ttf
  • C:\yiyou.ini
  • C:\Windows\win.ini
Files read
  • \Device\KsecDD
  • C:\Windows\Globalization\Sorting\sortdefault.nls
  • C:\Users\test\AppData\Local\GDIPFONTCACHEV1.DAT
  • C:\Windows\Fonts\simsun.ttc
  • C:\Windows\System32\msxml3.dll\1
  • C:\Windows\System32\msxml3.dll
  • C:\Windows\SysWOW64\stdole2.tlb
  • C:\Windows\Fonts\msyh.ttf
  • C:\Windows\Fonts\msyhbd.ttf
  • C:\yiyou.ini
  • C:\Windows\win.ini
Files modified
  • C:\Users\test\AppData\Local\GDIPFONTCACHEV1.DAT
Files deleted No information
Registry keys
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Fonts
  • HKEY_CURRENT_USER\Software\Microsoft\GDIPlus
  • HKEY_CURRENT_USER\Software\Microsoft\GDIPlus\FontCachePath
  • HKEY_CURRENT_USER\Software\Classes
  • HKEY_CURRENT_USER\Software\Classes\TypeLib
  • HKEY_CURRENT_USER\Software\Classes\TypeLib\{00020430-0000-0000-C000-000000000046}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0\win32
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0\win32\(Default)
  • HKEY_CLASSES_ROOT\CLSID\{FAE3D380-FEA4-4623-8C75-C6B61110B681}\Instance
  • HKEY_CLASSES_ROOT\CLSID\{FAE3D380-FEA4-4623-8C75-C6B61110B681}\Instance\Disabled
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\FontSubstitutes
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\宋体
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\_________.exe
  • HKEY_LOCAL_MACHINE\Software\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{03B5835F-F03C-411B-9CE2-AA23E1171E36}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{07EB03D6-B001-41DF-9192-BF9B841EE71F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3697C5FA-60DD-4B56-92D4-74A569205C16}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3FC47A08-E5C9-4BCA-A2C7-BC9A282AED14}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{531FDEBF-9B4C-4A43-A2AA-960E8FCDC732}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{78CB5B0E-26ED-4FCC-854C-77E8F3D1AA80}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{81D4E9C9-1D3B-41BC-9E6C-4B40BF79E35E}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{8613E14C-D0C0-4161-AC0F-1DD2563286BC}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{A028AE76-01B1-46C2-99C4-ACD9858AE02F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{AE6BE008-07FB-400D-8BEB-337A64F7051F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{C1EE01F2-B3B6-4A6A-9DDD-E988C088EC82}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{E429B25A-E5D3-4D1F-9BE3-0C608477E3A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F25E9F57-2FC8-4EB3-A41A-CCE5F08541E6}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F89E9E58-BD2F-4008-9AC2-0F816C09F4EE}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_CURRENT_USER
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
  • HKEY_CURRENT_USER\Software\Microsoft\CTF\DirectSwitchHotkeys
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\KnownClasses
  • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
  • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\ScrollInset
  • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\DragDelay
  • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\DragMinDist
  • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\ScrollDelay
  • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\ScrollInterval
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
  • HKEY_CURRENT_USER\Software\Microsoft\CTF\LayoutIcon\0804\00000804
Registry keys read
  • HKEY_CURRENT_USER\Software\Microsoft\GDIPlus\FontCachePath
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0\win32\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\宋体
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
  • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\ScrollInset
  • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\DragDelay
  • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\DragMinDist
  • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\ScrollDelay
  • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\ScrollInterval
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
Registry keys modified No information
Registry keys deleted No information
API resolution
  • cryptbase.dll.SystemFunction036
  • d3d9.dll.Direct3DCreate9
  • kernel32.dll.IsProcessorFeaturePresent
  • user32.dll.GetWindowInfo
  • user32.dll.GetAncestor
  • user32.dll.GetMonitorInfoA
  • user32.dll.EnumDisplayMonitors
  • user32.dll.EnumDisplayDevicesA
  • kernel32.dll.SortGetHandle
  • kernel32.dll.SortCloseHandle
  • gdi32.dll.ExtTextOutW
  • gdi32.dll.GdiIsMetaPrintDC
  • ntdll.dll.RtlGetNtVersionNumbers
  • ntdll.dll.RtlGetNtProductType
  • kernel32.dll.IsBadWritePtr
  • kernel32.dll.RegOpenKeyExW
  • kernel32.dll.RegQueryInfoKeyA
  • kernel32.dll.RegCloseKey
  • kernel32.dll.RegCreateKeyExW
  • kernel32.dll.RegQueryValueExW
  • kernel32.dll.InitAtomTable
  • kernel32.dll.IsBadReadPtr
  • kernel32.dll.LoadLibraryA
  • kernel32.dll.GetProcAddress
  • advapi32.dll.CryptHashData
  • atl.dll.#10
  • gdi32.dll.GetDIBits
  • gdiplus.dll.GdipDrawString
  • msvcrt.dll.atoi
  • ole32.dll.OleRun
  • oleaut32.dll.#9
  • shell32.dll.DragFinish
  • shlwapi.dll.PathFileExistsA
  • user32.dll.wsprintfA
  • kernel32.dll.IsBadCodePtr
  • kernel32.dll.MultiByteToWideChar
  • kernel32.dll.GetUserDefaultLCID
  • kernel32.dll.CloseHandle
  • kernel32.dll.HeapReAlloc
  • kernel32.dll.GetFileSize
  • kernel32.dll.CreateFileA
  • kernel32.dll.FreeLibrary
  • kernel32.dll.LCMapStringA
  • kernel32.dll.HeapAlloc
  • kernel32.dll.ExitProcess
  • kernel32.dll.EnterCriticalSection
  • kernel32.dll.GetModuleHandleA
  • kernel32.dll.GetProcessHeap
  • kernel32.dll.WideCharToMultiByte
  • kernel32.dll.VirtualProtect
  • kernel32.dll.VirtualAlloc
  • kernel32.dll.InitializeCriticalSection
  • kernel32.dll.VirtualFree
  • kernel32.dll.CreateThread
  • kernel32.dll.RtlMoveMemory
  • kernel32.dll.HeapFree
  • kernel32.dll.LeaveCriticalSection
  • kernel32.dll.ReadFile
  • advapi32.dll.CryptDestroyHash
  • advapi32.dll.CryptCreateHash
  • advapi32.dll.CryptReleaseContext
  • advapi32.dll.CryptAcquireContextA
  • advapi32.dll.CryptGetHashParam
  • atl.dll.#11
  • gdi32.dll.CreateDIBSection
  • gdi32.dll.CreateRectRgn
  • gdiplus.dll.GdipBitmapLockBits
  • gdiplus.dll.GdipGetImageWidth
  • gdiplus.dll.GdipGetImagePixelFormat
  • gdiplus.dll.GdipCreateBitmapFromHBITMAP
  • gdiplus.dll.GdipCreateBitmapFromScan0
  • gdiplus.dll.GdipBitmapUnlockBits
  • gdiplus.dll.GdipDrawImageRect
  • gdiplus.dll.GdipGetImageGraphicsContext
  • gdiplus.dll.GdipSetInterpolationMode
  • gdiplus.dll.GdipSetTextRenderingHint
  • gdiplus.dll.GdipCreateSolidFill
  • gdiplus.dll.GdipDeleteBrush
  • gdiplus.dll.GdipDeleteGraphics
  • gdiplus.dll.GdipDisposeImage
  • gdiplus.dll.GdipGetImageHeight
  • gdiplus.dll.GdipCreateBitmapFromHICON
  • gdiplus.dll.GdipCreateFromHDC
  • gdiplus.dll.GdipGraphicsClear
  • gdiplus.dll.GdipLoadImageFromStream
  • msvcrt.dll.toupper
  • msvcrt.dll.sprintf
  • msvcrt.dll.strchr
  • msvcrt.dll.??3@YAXPAX@Z
  • msvcrt.dll.??2@YAPAXI@Z
  • msvcrt.dll._ftol
  • msvcrt.dll.tolower
  • msvcrt.dll.qsort
  • msvcrt.dll._CIfmod
  • msvcrt.dll.__CxxFrameHandler
  • msvcrt.dll.atof
  • msvcrt.dll._atoi64
  • msvcrt.dll.strtod
  • msvcrt.dll.strncmp
  • msvcrt.dll.modf
  • msvcrt.dll.memmove
  • msvcrt.dll.free
  • msvcrt.dll._stricmp
  • msvcrt.dll.malloc
  • msvcrt.dll._strnicmp
  • ole32.dll.StringFromCLSID
  • ole32.dll.OleInitialize
  • ole32.dll.RegisterDragDrop
  • ole32.dll.RevokeDragDrop
  • ole32.dll.OleUninitialize
  • ole32.dll.ReleaseStgMedium
  • ole32.dll.CoUninitialize
  • ole32.dll.CoCreateInstance
  • ole32.dll.CLSIDFromString
  • ole32.dll.CLSIDFromProgID
  • ole32.dll.CoInitialize
  • ole32.dll.CreateStreamOnHGlobal
  • oleaut32.dll.#2
  • oleaut32.dll.#16
  • oleaut32.dll.#15
  • oleaut32.dll.#163
  • oleaut32.dll.#165
  • oleaut32.dll.#161
  • oleaut32.dll.#86
  • oleaut32.dll.#82
  • shell32.dll.DragQueryFileA
  • user32.dll.MessageBoxA
  • user32.dll.UpdateLayeredWindow
  • user32.dll.GetWindowRect
  • user32.dll.GetWindow
  • kernel32.dll.FindAtomA
  • kernel32.dll.AddAtomA
  • cryptsp.dll.CryptAcquireContextA
  • cryptsp.dll.CryptHashData
  • cryptsp.dll.CryptCreateHash
  • cryptsp.dll.CryptGetHashParam
  • cryptsp.dll.CryptDestroyHash
  • cryptsp.dll.CryptReleaseContext
  • msvcrt.dll.strerror
  • msvcrt.dll.fflush
  • msvcrt.dll._errno
  • msvcrt.dll.fopen
  • msvcrt.dll.fread
  • msvcrt.dll.fprintf
  • msvcrt.dll._vsnprintf
  • msvcrt.dll.ftell
  • msvcrt.dll.fseek
  • msvcrt.dll.fclose
  • msvcrt.dll.clearerr
  • msvcrt.dll._fdopen
  • msvcrt.dll._initterm
  • msvcrt.dll._adjust_fdiv
  • msvcrt.dll.fwrite
  • msvcrt.dll.fputc
  • kernel32.dll.DisableThreadLibraryCalls
  • sxs.dll.SxsOleAut32MapConfiguredClsidToReferenceClsid
  • sxs.dll.SxsOleAut32RedirectTypeLibrary
  • advapi32.dll.RegOpenKeyW
  • advapi32.dll.RegQueryValueW
  • ntdll.dll.RtlComputeCrc32
  • kernel32.dll.lstrlenA
  • shell32.dll.StrCmpNA
  • kernel32.dll.GlobalAlloc
  • kernel32.dll.GlobalLock
  • kernel32.dll.GlobalUnlock
  • windowscodecs.dll.DllGetClassObject
  • kernel32.dll.WerRegisterMemoryBlock
  • user32.dll.GetWindowLongW
  • kernel32.dll.GetCurrentProcess
  • kernel32.dll.FlushInstructionCache
  • user32.dll.SetWindowLongW
  • comctl32.dll.RegisterClassNameW
  • uxtheme.dll.OpenThemeData
  • ole32.dll.CoInitializeEx
  • ole32.dll.CoRegisterInitializeSpy
  • ole32.dll.CoRevokeInitializeSpy
  • gdiplus.dll.GdipCreatePen1
  • gdiplus.dll.GdipDrawLine
  • kernel32.dll.lstrlenW
  • gdiplus.dll.GdipDrawImage
  • gdiplus.dll.GdipGetFamily
  • gdi32.dll.GetDeviceCaps
  • kernel32.dll.MulDiv
  • riched20.dll.CreateTextServices
  • gdi32.dll.SelectClipRgn
  • user32.dll.UnionRect
  • gdi32.dll.GdiAlphaBlend
  • gdi32.dll.CreateCompatibleDC
  • gdi32.dll.SelectObject
  • gdi32.dll.DeleteObject
  • user32.dll.SendMessageW
  • dwmapi.dll.DwmIsCompositionEnabled
  • user32.dll.ShowWindow
  • user32.dll.IsWindow
  • oleaut32.dll.SysAllocString
  • oleaut32.dll.SysStringLen
  • oleaut32.dll.SysFreeString
  • user32.dll.WindowFromPoint
  • user32.dll.RedrawWindow
  • gdi32.dll.DeleteDC