Maldun (魔盾) Security Analysis Report

Analysis type FILE
Start time 2020-01-18 14:33:51
End time 2020-01-18 14:36:10
Duration 139 seconds
Analysis engine version 1.4-Maldun

VM name win7-sp1-x64-hpdapp01-1
Label win7-sp1-x64-hpdapp01-1
Hypervisor KVM
Boot time 2020-01-18 14:33:59
Shutdown time 2020-01-18 14:36:11
Maldun score

10.0

Malicious

File details

File name 神秘人REZ隔离检测v1.0.exe (roughly "Mystery Man REZ Isolation Detection v1.0.exe"; in the process, path and registry entries further down the sandbox renders the non-ASCII characters of this name as underscores)
File size 1257472 bytes
文件类型 PE32 executable (GUI) Intel 80386, for MS Windows
CRC32 B6E326DC
MD5 1d37e4b7f1e2d189a4f83959de5f8a32
SHA1 8d0bb5a53c1736b1d508a63ef4f4e1df6e0366a5
SHA256 e55b3f322d23014ba5250b563654f452800ce2ac9544971c4c7769d361696df8
SHA512 84c79274a88c1bd624e3165803d132f66857a2336d558404ac67c5ba7f31c05a307e899833bdbf70fd2572102e2d0426ac2afbe721dff0ace20c6916ce29ce60
Ssdeep 24576:KlEBJsB1XwWpstjRckW7GOgvlUUTVzyQ0y2mL92fE6P9D:KSJJWpuY7slUcV+Q0y2VZd
PEiD No match
Yara
  • DebuggerTiming__Ticks (Detected timing ticks function)
  • screenshot (Detected take screenshot function)
  • create_process (Detection function for creating a new process)
  • keylogger (Detected keylogger function)
  • win_registry (Detected system registries modification function)
  • change_win_registry (Change registries to affect system)
  • win_files_operation (Affect private profile)
  • win_hook (Detected hook table access function)
  • win_private_profile (Detected private profile access function)
  • Maldun_Anomoly_Combined_Activities_7 (Spotted potential malicious behaviors from a small size target, like process manipulation, privilege, token and files)
  • with_images (Detected the presence of one or several images)
  • CRC32_poly_Constant (Look for CRC32 [poly])
  • CRC32_table (Look for CRC32 table)
  • MD5_Constants (Look for MD5 constants)
  • IsPE32 (Detected a 32bit PE sample)
  • IsWindowsGUI (Detected a Windows GUI sample)
  • IsPacked (Detected Entropy signature)
  • HasRichSignature (Detected Rich Signature)
VirusTotal No scan result for this file

Signatures

Binary may contain encrypted or compressed data
section: name: .rdata, entropy: 7.15, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ, raw_size: 0x0009c000, virtual_size: 0x0009bf44
Maldun Yara rule results - security alert
Critical: Spotted potential malicious behaviors from a small size target, like process manipulation, privilege, token and files
Sample attempts to obfuscate or spoof its file type

How much weight these carry: the version information below identifies the program as built with Easy Language (易语言). Programs from that toolchain carry a statically linked runtime, and the import set seen below (WinHelpA, GrayStringA, GlobalAddAtomA, the SetWindowsHookExA/CallNextHookEx pair, clipboard, registry and process-creation calls) is consistent with such a runtime rather than with code the author wrote; the generic Yara hits that key on those imports therefore also fire on benign Easy Language programs. They bound what the sample could do, not what it did. The one observation specific to this sample is in the behavioral section: it opens HKEY_CURRENT_USER\SOFTWARE\Tencent\CrossFire, the registry key of Tencent's CrossFire game client, which matches the "detection" wording in the file name.

Runtime screenshots (images not preserved on this page)

Network analysis

No information (no network activity recorded during the run)

Static analysis

PE information

Image base 0x00400000
Entry point 0x0045ff75
Declared checksum 0x00000000
Computed checksum 0x0013dd28
Minimum OS version 4.0
Compile timestamp 2020-01-18 13:36:24
Import hash (imphash) 3e38c2d4addb5ac9ba080e333ef852a1

Reading these values: the entry point (RVA 0x5ff75) lies inside .text, as expected for an image that is not packed at the entry point. A declared checksum of zero is common for user-mode executables (the linker fills the field in only when asked to) and Windows verifies it only for drivers and other kernel-loaded images, so the mismatch with the computed value is not suspicious on its own. The compile timestamp is about an hour before the analysis start, so the file was submitted shortly after being built; the field is written by the linker and can be set to anything, so treat it as a hint rather than a fact.

Version information

LegalCopyright: 作者版权所有 请尊重并使用正版 ("Copyright held by the author; please respect it and use the genuine version")
FileVersion: 1.0.0.0
Comments: 本程序使用易语言编写(http://www.eyuyan.com) ("This program was written in Easy Language", http://www.eyuyan.com)
ProductName: 易语言程序 ("Easy Language program")
ProductVersion: 1.0.0.0
FileDescription: 易语言程序 ("Easy Language program")
Translation: 0x0804 0x04b0 (language 0x0804 = Chinese, Simplified, PRC; code page 0x04b0 = Unicode)

The strings above were stored in the report as \u escapes and are decoded here. They are the default version-resource strings the Easy Language compiler writes when the author supplies none, so they identify the toolchain, not the program; they are also stable enough to hunt on (they sit in the VS_VERSION_INFO resource as UTF-16).

PE sections

Name Virtual address Virtual size Raw data size Characteristics Entropy
.text 0x00001000 0x0007ddaa 0x0007e000 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 6.58
.rdata 0x0007f000 0x0009bf44 0x0009c000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 7.15
.data 0x0011b000 0x000219e8 0x00012000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 5.04
.rsrc 0x0013d000 0x00005958 0x00006000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 4.82
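The two numbers the report reasons from above, the .rdata entropy of 7.15 behind the "encrypted or compressed data" signature and the zero declared checksum against the computed 0x0013dd28, are cheap to recompute and to sanity-check. The following is an added example, not Maldun's code: it implements Shannon entropy, the PE header checksum algorithm (the one imagehlp's CheckSumMappedFile uses) and the three section checks an analyst applies first, and runs the section checks over the table transcribed from this report. The byte strings used to exercise the checksum are constructed.

```python
"""Static-triage helpers for the PE information and section tables above.

Added example, not Maldun's code. REPORT_SECTIONS is transcribed from the
report's section table; the byte strings fed to the checksum are constructed.
"""
import math
from collections import Counter
from typing import NamedTuple


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant block, 8.0 for uniformly random bytes.
    Compressed or encrypted data sits near 8; plain x86 code is usually 6-6.8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def pe_checksum(image: bytes, checksum_field_offset: int) -> int:
    """Recompute OptionalHeader.CheckSum the way CheckSumMappedFile does:
    16-bit one's-complement sum over the whole file, skipping the 4-byte
    CheckSum field itself, folded to 16 bits, plus the file length.
    A declared value of 0 (as in this report) means the linker never filled
    the field; the loader enforces it only for kernel-loaded images."""
    total = 0
    n = len(image)
    for off in range(0, n - 1, 2):
        if off in (checksum_field_offset, checksum_field_offset + 2):
            continue
        total += image[off] | (image[off + 1] << 8)
        total = (total & 0xFFFF) + (total >> 16)
    if n & 1:                                   # odd trailing byte
        total += image[-1]
        total = (total & 0xFFFF) + (total >> 16)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + n


class Section(NamedTuple):
    name: str
    virtual_size: int
    raw_size: int
    characteristics: str
    entropy: float


# Transcribed from the "PE sections" table of the report.
REPORT_SECTIONS = [
    Section(".text", 0x0007DDAA, 0x0007E000,
            "IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ", 6.58),
    Section(".rdata", 0x0009BF44, 0x0009C000,
            "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ", 7.15),
    # .data: virtual size > raw size is normal (uninitialised data), not flagged.
    Section(".data", 0x000219E8, 0x00012000,
            "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE", 5.04),
    Section(".rsrc", 0x00005958, 0x00006000,
            "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ", 4.82),
]


def section_findings(sections, entropy_threshold: float = 7.0) -> dict:
    """{section name: [finding, ...]} for the first-pass checks: high entropy
    (compressed/encrypted payload), writable+executable (self-modifying or
    unpacking code) and executable with no raw data (code written at run time)."""
    findings = {}
    for s in sections:
        notes = []
        if s.entropy >= entropy_threshold:
            notes.append(f"entropy {s.entropy:.2f} >= {entropy_threshold}")
        if "IMAGE_SCN_MEM_EXECUTE" in s.characteristics and "IMAGE_SCN_MEM_WRITE" in s.characteristics:
            notes.append("writable and executable")
        if "IMAGE_SCN_MEM_EXECUTE" in s.characteristics and s.raw_size == 0:
            notes.append("executable section with no raw data")
        if notes:
            findings[s.name] = notes
    return findings


if __name__ == "__main__":
    print(section_findings(REPORT_SECTIONS))   # only .rdata trips the entropy check
```

On this sample only .rdata trips a check. A 7.15-entropy read-only section of 0x9c000 bytes in an otherwise unpacked image is where embedded compressed resources or a statically linked runtime's data usually live; the next step is to dump that section and look for a recognisable container header rather than to accept "packed" from the entropy number alone.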

Imports

Library KERNEL32.dll:
0x47f174 - SetEndOfFile
0x47f178 - UnlockFile
0x47f17c - LockFile
0x47f180 - FlushFileBuffers
0x47f184 - SetFilePointer
0x47f188 - GetCurrentProcess
0x47f18c - DuplicateHandle
0x47f190 - lstrcpynA
0x47f194 - SetLastError
0x47f198 - FileTimeToLocalFileTime
0x47f19c - FileTimeToSystemTime
0x47f1a0 - LocalFree
0x47f1a4 - InterlockedDecrement
0x47f1a8 - CreateSemaphoreA
0x47f1ac - ResumeThread
0x47f1b0 - ReleaseSemaphore
0x47f1b4 - EnterCriticalSection
0x47f1b8 - LeaveCriticalSection
0x47f1bc - GetProfileStringA
0x47f1c0 - SetStdHandle
0x47f1c4 - IsBadCodePtr
0x47f1c8 - IsBadReadPtr
0x47f1cc - CompareStringW
0x47f1d0 - CompareStringA
0x47f1d4 - SetUnhandledExceptionFilter
0x47f1d8 - GetStringTypeW
0x47f1dc - GetStringTypeA
0x47f1e0 - IsBadWritePtr
0x47f1e4 - VirtualAlloc
0x47f1e8 - LCMapStringW
0x47f1ec - LCMapStringA
0x47f1f0 - SetEnvironmentVariableA
0x47f1f4 - VirtualFree
0x47f1f8 - HeapCreate
0x47f1fc - HeapDestroy
0x47f200 - GetEnvironmentVariableA
0x47f204 - GetFileType
0x47f208 - GetStdHandle
0x47f20c - SetHandleCount
0x47f210 - GetEnvironmentStringsW
0x47f214 - GetEnvironmentStrings
0x47f218 - FreeEnvironmentStringsW
0x47f21c - FreeEnvironmentStringsA
0x47f220 - UnhandledExceptionFilter
0x47f224 - GetACP
0x47f228 - HeapSize
0x47f22c - TerminateProcess
0x47f230 - GetLocalTime
0x47f234 - GetSystemTime
0x47f238 - GetTimeZoneInformation
0x47f23c - WriteFile
0x47f240 - WaitForMultipleObjects
0x47f244 - CreateFileA
0x47f248 - SetEvent
0x47f24c - FindResourceA
0x47f250 - LoadResource
0x47f254 - LockResource
0x47f258 - ReadFile
0x47f25c - GetModuleFileNameA
0x47f260 - WideCharToMultiByte
0x47f264 - MultiByteToWideChar
0x47f268 - GetCurrentThreadId
0x47f26c - ExitProcess
0x47f270 - GlobalSize
0x47f274 - GlobalFree
0x47f278 - DeleteCriticalSection
0x47f27c - InitializeCriticalSection
0x47f280 - lstrcatA
0x47f284 - lstrlenA
0x47f288 - WinExec
0x47f28c - lstrcpyA
0x47f290 - FindNextFileA
0x47f294 - GlobalReAlloc
0x47f298 - HeapFree
0x47f29c - HeapReAlloc
0x47f2a0 - GetProcessHeap
0x47f2a4 - HeapAlloc
0x47f2a8 - GetFullPathNameA
0x47f2ac - FreeLibrary
0x47f2b0 - LoadLibraryA
0x47f2b4 - GetLastError
0x47f2b8 - GetVersionExA
0x47f2bc - WritePrivateProfileStringA
0x47f2c0 - CreateThread
0x47f2c4 - CreateEventA
0x47f2c8 - Sleep
0x47f2cc - ExpandEnvironmentStringsA
0x47f2d0 - GlobalAlloc
0x47f2d4 - GlobalLock
0x47f2d8 - GlobalUnlock
0x47f2dc - FindFirstFileA
0x47f2e0 - FindClose
0x47f2e4 - GetFileAttributesA
0x47f2e8 - RaiseException
0x47f2ec - RtlUnwind
0x47f2f0 - GetStartupInfoA
0x47f2f4 - GetOEMCP
0x47f2f8 - GetCPInfo
0x47f2fc - GetProcessVersion
0x47f300 - SetErrorMode
0x47f304 - GlobalFlags
0x47f308 - GetCurrentThread
0x47f30c - GetFileTime
0x47f310 - GetFileSize
0x47f314 - TlsGetValue
0x47f318 - LocalReAlloc
0x47f31c - TlsSetValue
0x47f320 - TlsFree
0x47f324 - GlobalHandle
0x47f328 - SetCurrentDirectoryA
0x47f32c - GetVolumeInformationA
0x47f330 - GetModuleHandleA
0x47f334 - GetProcAddress
0x47f338 - TlsAlloc
0x47f33c - LocalAlloc
0x47f340 - lstrcmpA
0x47f344 - GetVersion
0x47f348 - GlobalGetAtomNameA
0x47f34c - GlobalAddAtomA
0x47f350 - GlobalFindAtomA
0x47f354 - GlobalDeleteAtom
0x47f358 - lstrcmpiA
0x47f35c - MulDiv
0x47f360 - GetCommandLineA
0x47f364 - GetTickCount
0x47f368 - CreateProcessA
0x47f36c - WaitForSingleObject
0x47f370 - CloseHandle
0x47f374 - InterlockedIncrement
Library USER32.dll:
0x47f398 - OpenClipboard
0x47f39c - SetClipboardData
0x47f3a0 - EmptyClipboard
0x47f3a4 - GetSystemMetrics
0x47f3a8 - GetCursorPos
0x47f3ac - MessageBoxA
0x47f3b0 - SetWindowPos
0x47f3b4 - SendMessageA
0x47f3b8 - DestroyCursor
0x47f3bc - SetParent
0x47f3c0 - GetClipboardData
0x47f3c4 - PostMessageA
0x47f3c8 - GetTopWindow
0x47f3cc - GetParent
0x47f3d0 - CloseClipboard
0x47f3d4 - wsprintfA
0x47f3d8 - GetFocus
0x47f3dc - GetClientRect
0x47f3e0 - InvalidateRect
0x47f3e4 - ValidateRect
0x47f3e8 - UpdateWindow
0x47f3ec - EqualRect
0x47f3f0 - GetWindowRect
0x47f3f4 - SetForegroundWindow
0x47f3f8 - WaitForInputIdle
0x47f3fc - IsWindow
0x47f400 - RegisterClassA
0x47f404 - DestroyMenu
0x47f408 - IsChild
0x47f40c - ReleaseDC
0x47f410 - IsRectEmpty
0x47f414 - FillRect
0x47f418 - GetDC
0x47f41c - SetCursor
0x47f420 - LoadCursorA
0x47f424 - SetCursorPos
0x47f428 - SetActiveWindow
0x47f42c - GetSysColor
0x47f430 - SetWindowLongA
0x47f434 - GetWindowLongA
0x47f438 - RedrawWindow
0x47f43c - EnableWindow
0x47f440 - IsWindowVisible
0x47f444 - OffsetRect
0x47f448 - PtInRect
0x47f44c - DestroyIcon
0x47f450 - IntersectRect
0x47f454 - InflateRect
0x47f458 - SetRect
0x47f45c - SetScrollPos
0x47f460 - SetScrollRange
0x47f464 - GetScrollRange
0x47f468 - SetCapture
0x47f46c - LoadIconA
0x47f470 - TranslateMessage
0x47f474 - DrawFrameControl
0x47f478 - DrawEdge
0x47f47c - DrawFocusRect
0x47f480 - WindowFromPoint
0x47f484 - GetMessageA
0x47f488 - DispatchMessageA
0x47f48c - SetRectEmpty
0x47f490 - RegisterClipboardFormatA
0x47f494 - CreateIconFromResourceEx
0x47f498 - CreateIconFromResource
0x47f49c - DrawIconEx
0x47f4a0 - CreatePopupMenu
0x47f4a4 - AppendMenuA
0x47f4a8 - ModifyMenuA
0x47f4ac - CreateMenu
0x47f4b0 - CreateAcceleratorTableA
0x47f4b4 - GetDlgCtrlID
0x47f4b8 - GetSubMenu
0x47f4bc - EnableMenuItem
0x47f4c0 - ClientToScreen
0x47f4c4 - EnumDisplaySettingsA
0x47f4c8 - LoadImageA
0x47f4cc - SystemParametersInfoA
0x47f4d0 - ShowWindow
0x47f4d4 - IsWindowEnabled
0x47f4d8 - TranslateAcceleratorA
0x47f4dc - GetKeyState
0x47f4e0 - CopyAcceleratorTableA
0x47f4e4 - PostQuitMessage
0x47f4e8 - IsZoomed
0x47f4ec - GetClassInfoA
0x47f4f0 - DefWindowProcA
0x47f4f4 - GetSystemMenu
0x47f4f8 - DeleteMenu
0x47f4fc - GetMenu
0x47f500 - SetMenu
0x47f504 - PeekMessageA
0x47f508 - GetWindowTextA
0x47f50c - GetWindowTextLengthA
0x47f510 - CharUpperA
0x47f514 - GetWindowDC
0x47f518 - BeginPaint
0x47f51c - EndPaint
0x47f520 - TabbedTextOutA
0x47f524 - DrawTextA
0x47f528 - GrayStringA
0x47f52c - GetDlgItem
0x47f530 - DestroyWindow
0x47f534 - CreateDialogIndirectParamA
0x47f538 - EndDialog
0x47f53c - GetNextDlgTabItem
0x47f540 - GetWindowPlacement
0x47f544 - RegisterWindowMessageA
0x47f548 - GetForegroundWindow
0x47f54c - GetLastActivePopup
0x47f550 - GetMessageTime
0x47f554 - RemovePropA
0x47f558 - CallWindowProcA
0x47f55c - GetPropA
0x47f560 - UnhookWindowsHookEx
0x47f564 - SetPropA
0x47f568 - GetClassLongA
0x47f56c - CallNextHookEx
0x47f570 - SetWindowsHookExA
0x47f574 - CreateWindowExA
0x47f578 - GetMenuItemID
0x47f57c - GetMenuItemCount
0x47f580 - UnregisterClassA
0x47f584 - GetScrollPos
0x47f588 - AdjustWindowRectEx
0x47f58c - MapWindowPoints
0x47f590 - SendDlgItemMessageA
0x47f594 - ScrollWindowEx
0x47f598 - IsDialogMessageA
0x47f59c - SetWindowTextA
0x47f5a0 - MoveWindow
0x47f5a4 - CheckMenuItem
0x47f5a8 - SetMenuItemBitmaps
0x47f5ac - GetMenuState
0x47f5b0 - GetMenuCheckMarkDimensions
0x47f5b4 - GetClassNameA
0x47f5b8 - GetDesktopWindow
0x47f5bc - LoadStringA
0x47f5c0 - GetSysColorBrush
0x47f5c4 - IsIconic
0x47f5c8 - SetFocus
0x47f5cc - GetActiveWindow
0x47f5d0 - GetWindow
0x47f5d4 - DestroyAcceleratorTable
0x47f5d8 - SetWindowRgn
0x47f5dc - GetMessagePos
0x47f5e0 - ScreenToClient
0x47f5e4 - ChildWindowFromPointEx
0x47f5e8 - CopyRect
0x47f5ec - LoadBitmapA
0x47f5f0 - WinHelpA
0x47f5f4 - KillTimer
0x47f5f8 - SetTimer
0x47f5fc - ReleaseCapture
0x47f600 - GetCapture
Library GDI32.dll:
0x47f028 - GetClipRgn
0x47f02c - CreatePolygonRgn
0x47f030 - SelectClipRgn
0x47f034 - DeleteObject
0x47f038 - CreateDIBitmap
0x47f03c - GetSystemPaletteEntries
0x47f040 - CreatePalette
0x47f044 - StretchBlt
0x47f048 - SelectPalette
0x47f04c - RealizePalette
0x47f050 - GetDIBits
0x47f054 - GetWindowExtEx
0x47f058 - GetViewportOrgEx
0x47f05c - GetWindowOrgEx
0x47f060 - BeginPath
0x47f064 - EndPath
0x47f068 - PathToRegion
0x47f06c - CreateEllipticRgn
0x47f070 - CreateRoundRectRgn
0x47f074 - GetTextColor
0x47f078 - GetBkMode
0x47f07c - GetBkColor
0x47f080 - GetROP2
0x47f084 - GetStretchBltMode
0x47f088 - GetPolyFillMode
0x47f08c - CreateCompatibleBitmap
0x47f090 - CreateDCA
0x47f094 - CreateBitmap
0x47f098 - SelectObject
0x47f09c - GetObjectA
0x47f0a0 - CreatePen
0x47f0a4 - PatBlt
0x47f0a8 - SetStretchBltMode
0x47f0ac - CreateRectRgn
0x47f0b0 - FillRgn
0x47f0b4 - CreateSolidBrush
0x47f0b8 - GetStockObject
0x47f0bc - CreateFontIndirectA
0x47f0c0 - EndPage
0x47f0c4 - EndDoc
0x47f0c8 - DeleteDC
0x47f0cc - StartDocA
0x47f0d0 - StartPage
0x47f0d4 - BitBlt
0x47f0d8 - CreateCompatibleDC
0x47f0dc - Ellipse
0x47f0e0 - Rectangle
0x47f0e4 - LPtoDP
0x47f0e8 - DPtoLP
0x47f0ec - GetCurrentObject
0x47f0f0 - RoundRect
0x47f0f4 - GetTextExtentPoint32A
0x47f0f8 - GetDeviceCaps
0x47f0fc - SaveDC
0x47f100 - RestoreDC
0x47f104 - SetBkMode
0x47f108 - SetPolyFillMode
0x47f10c - SetROP2
0x47f110 - SetTextColor
0x47f114 - SetMapMode
0x47f118 - SetViewportOrgEx
0x47f11c - OffsetViewportOrgEx
0x47f120 - SetViewportExtEx
0x47f124 - ScaleViewportExtEx
0x47f128 - SetWindowOrgEx
0x47f12c - SetWindowExtEx
0x47f130 - ScaleWindowExtEx
0x47f134 - GetClipBox
0x47f138 - ExcludeClipRect
0x47f13c - MoveToEx
0x47f140 - LineTo
0x47f144 - CreateRectRgnIndirect
0x47f148 - SetBkColor
0x47f14c - CombineRgn
0x47f150 - GetTextMetricsA
0x47f154 - Escape
0x47f158 - ExtTextOutA
0x47f15c - TextOutA
0x47f160 - RectVisible
0x47f164 - PtVisible
0x47f168 - GetViewportExtEx
0x47f16c - ExtSelectClipRgn
Library WINMM.dll:
0x47f608 - midiStreamRestart
0x47f60c - midiStreamClose
0x47f610 - midiOutReset
0x47f614 - midiStreamStop
0x47f618 - midiStreamOut
0x47f61c - midiOutPrepareHeader
0x47f620 - midiStreamProperty
0x47f624 - midiStreamOpen
0x47f628 - midiOutUnprepareHeader
0x47f62c - waveOutOpen
0x47f630 - waveOutGetNumDevs
0x47f634 - waveOutClose
0x47f638 - waveOutReset
0x47f63c - waveOutPause
0x47f640 - waveOutWrite
0x47f644 - waveOutPrepareHeader
0x47f648 - waveOutUnprepareHeader
Library WINSPOOL.DRV:
0x47f650 - ClosePrinter
0x47f654 - DocumentPropertiesA
0x47f658 - OpenPrinterA
Library ADVAPI32.dll:
0x47f000 - RegCloseKey
0x47f004 - RegQueryValueExA
0x47f008 - RegOpenKeyExA
0x47f00c - RegSetValueExA
0x47f010 - RegQueryValueA
0x47f014 - RegCreateKeyExA
Library SHELL32.dll:
0x47f38c - ShellExecuteA
0x47f390 - Shell_NotifyIconA
Library ole32.dll:
0x47f69c - OleInitialize
0x47f6a0 - OleUninitialize
0x47f6a4 - CLSIDFromString
Library OLEAUT32.dll:
0x47f37c - UnRegisterTypeLib
0x47f380 - RegisterTypeLib
0x47f384 - LoadTypeLib
Library COMCTL32.dll:
0x47f01c - ImageList_Destroy
0x47f020 - (unnamed entry: an import by ordinal whose name the report did not resolve)
Library WS2_32.dll:
0x47f660 - ioctlsocket
0x47f664 - recv
0x47f668 - getpeername
0x47f66c - accept
0x47f670 - recvfrom
0x47f674 - WSAAsyncSelect
0x47f678 - closesocket
0x47f67c - inet_ntoa
0x47f680 - WSACleanup
Library comdlg32.dll:
0x47f688 - ChooseColorA
0x47f68c - GetSaveFileNameA
0x47f690 - GetOpenFileNameA
0x47f694 - GetFileTitleA
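The import list above is long, but the analyst's questions about it are few: which capability groups are present, whether the WS2_32 set can actually originate a connection (on this page it lists ioctlsocket, recv, getpeername, accept, recvfrom, WSAAsyncSelect, closesocket, inet_ntoa and WSACleanup, but no socket, connect, send or WSAStartup), and whether the report's import hash can be reproduced. The following is an added example, not Maldun's code. It parses the report's own "Library X.dll:" / "0xADDR - Name" line format (the Chinese "库" prefix is accepted as well), tags capabilities from the names, and computes a pefile-style imphash; IMPORT_LISTING is a constructed excerpt of the table above, kept in the same format and including the unnamed COMCTL32 entry. Reproducing the page's imphash exactly is not attempted: it needs the import-directory order and the ordinal behind the unnamed entry, neither of which the page gives (the DLLs are listed here in an order that differs from their IAT addresses). The ordinal 17 used in the test is a placeholder assumption.

```python
"""Import-table triage over the report's listing format.

Added example, not Maldun's code. IMPORT_LISTING is a constructed excerpt of
the report's import table (same line format, a subset of the entries, with the
unnamed COMCTL32 entry kept).
"""
from __future__ import annotations

import hashlib
import re

IMPORT_LISTING = """\
Library KERNEL32.dll:
0x47f288 - WinExec
0x47f2bc - WritePrivateProfileStringA
0x47f368 - CreateProcessA
Library USER32.dll:
0x47f398 - OpenClipboard
0x47f4dc - GetKeyState
0x47f570 - SetWindowsHookExA
Library ADVAPI32.dll:
0x47f00c - RegSetValueExA
0x47f014 - RegCreateKeyExA
Library SHELL32.dll:
0x47f38c - ShellExecuteA
Library COMCTL32.dll:
0x47f01c - ImageList_Destroy
0x47f020 - None
Library WS2_32.dll:
0x47f660 - ioctlsocket
0x47f664 - recv
0x47f66c - accept
0x47f674 - WSAAsyncSelect
0x47f67c - inet_ntoa
"""

LIB_RE = re.compile(r"^(?:Library|库)\s+(\S+):$")
ENTRY_RE = re.compile(r"^0x[0-9a-fA-F]+\s+-\s+(\S+)$")


def parse_imports(listing: str) -> dict[str, list[str | None]]:
    """DLL name -> imported names in listing order. An entry the report shows
    as 'None' (imported by ordinal, name unresolved) becomes Python None."""
    imports: dict[str, list[str | None]] = {}
    current = None
    for raw in listing.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := LIB_RE.match(line):
            current = m.group(1)
            imports.setdefault(current, [])
        elif (m := ENTRY_RE.match(line)) and current is not None:
            name = m.group(1)
            imports[current].append(None if name == "None" else name)
    return imports


def imphash(imports: dict[str, list[str | None]],
            ordinals: dict[tuple[str, int], int] | None = None) -> str | None:
    """pefile-style imphash: MD5 over 'dll.func' (lower-cased, .dll/.ocx/.sys
    stripped) joined with ',' in import-directory order. Ordinal imports are
    written 'ordN'; if one is unknown the hash cannot be reproduced and None
    is returned. (pefile also maps ws2_32/oleaut32 ordinals back to names,
    which this minimal version omits.)"""
    ordinals = ordinals or {}
    parts = []
    for dll, funcs in imports.items():
        lib = re.sub(r"\.(dll|ocx|sys)$", "", dll.lower())
        for idx, func in enumerate(funcs):
            if func is None:
                if (dll, idx) not in ordinals:
                    return None
                func = f"ord{ordinals[(dll, idx)]}"
            parts.append(f"{lib}.{func.lower()}")
    return hashlib.md5(",".join(parts).encode()).hexdigest()


CAPABILITIES = {
    "process execution": {"createprocessa", "winexec", "shellexecutea"},
    "message hook (keystroke/window capture)": {"setwindowshookexa", "callnexthookex",
                                                 "unhookwindowshookex", "getkeystate"},
    "clipboard access": {"openclipboard", "getclipboarddata", "setclipboarddata"},
    "registry write": {"regsetvalueexa", "regcreatekeyexa"},
    "ini-file write": {"writeprivateprofilestringa"},
    "socket receive": {"recv", "recvfrom", "accept", "wsaasyncselect"},
    "socket originate": {"socket", "connect", "send", "sendto", "wsastartup"},
}


def capabilities(imports: dict[str, list[str | None]]) -> dict[str, list[str]]:
    """Capability tags derivable from the static import names alone."""
    seen = {f.lower() for funcs in imports.values() for f in funcs if f}
    return {tag: sorted(seen & names) for tag, names in CAPABILITIES.items() if seen & names}


def receive_only_sockets(imports: dict[str, list[str | None]]) -> bool:
    """True when the WS2_32 imports can accept/receive but not create or
    connect a socket. The sample then either never talks out through its
    import table, or resolves the missing calls at run time (it does import
    LoadLibraryA and GetProcAddress), which the API-resolution log would show."""
    caps = capabilities(imports)
    return bool(caps.get("socket receive")) and not caps.get("socket originate")


if __name__ == "__main__":
    imp = parse_imports(IMPORT_LISTING)
    print(capabilities(imp))
    print("receive-only socket imports:", receive_only_sockets(imp))
    print("imphash reproducible:", imphash(imp) is not None)
```

The "receive-only" finding is consistent with the rest of the page: no network activity was recorded, and the API-resolution list at the end contains no WS2_32 lookups, so nothing on the page shows the sample creating a socket. Whether the receive-side calls belong to the program or to its runtime cannot be decided from names alone.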

Dropped files

No information

Behavioral analysis

Mutexes
  • Local\MSCTF.Asm.MutexDefault1
Commands executed: none recorded
Services created: none recorded
Services started: none recorded

Processes

_________REZ____________v1.0.exe PID: 2628, parent PID: 2332

Files accessed
  • C:\Windows\Globalization\Sorting\sortdefault.nls
  • C:\Users\test\AppData\Local\Temp\_________REZ____________v1.0.exe.Local\
  • C:\Windows\winsxs\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.7600.16385_zh-cn_b7a33d2d3f47b7fb
  • C:\Windows\winsxs\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.7600.16385_zh-cn_b7a33d2d3f47b7fb\COMCTL32.dll.mui
  • C:\Windows\Fonts\staticcache.dat
Files read
  • C:\Windows\Globalization\Sorting\sortdefault.nls
  • C:\Windows\winsxs\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.7600.16385_zh-cn_b7a33d2d3f47b7fb\COMCTL32.dll.mui
  • C:\Windows\Fonts\staticcache.dat
Files modified: none recorded
Files deleted: none recorded
Registry keys accessed
  • HKEY_CURRENT_USER\SOFTWARE\Tencent\CrossFire
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\ExtendedLocale
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\WMR
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane2
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane3
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane4
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane5
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane6
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane7
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane8
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane9
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane10
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane11
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane12
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane13
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane14
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane15
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane16
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\_________REZ____________v1.0.exe
  • HKEY_LOCAL_MACHINE\Software\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{03B5835F-F03C-411B-9CE2-AA23E1171E36}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{07EB03D6-B001-41DF-9192-BF9B841EE71F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3697C5FA-60DD-4B56-92D4-74A569205C16}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3FC47A08-E5C9-4BCA-A2C7-BC9A282AED14}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{531FDEBF-9B4C-4A43-A2AA-960E8FCDC732}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{78CB5B0E-26ED-4FCC-854C-77E8F3D1AA80}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{81D4E9C9-1D3B-41BC-9E6C-4B40BF79E35E}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{8613E14C-D0C0-4161-AC0F-1DD2563286BC}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{A028AE76-01B1-46C2-99C4-ACD9858AE02F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{AE6BE008-07FB-400D-8BEB-337A64F7051F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{C1EE01F2-B3B6-4A6A-9DDD-E988C088EC82}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{E429B25A-E5D3-4D1F-9BE3-0C608477E3A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F25E9F57-2FC8-4EB3-A41A-CCE5F08541E6}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F89E9E58-BD2F-4008-9AC2-0F816C09F4EE}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_CURRENT_USER
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
  • HKEY_CURRENT_USER\Software\Microsoft\CTF\DirectSwitchHotkeys
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
Registry keys read
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane2
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane3
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane4
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane5
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane6
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane7
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane8
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane9
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane10
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane11
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane12
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane13
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane14
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane15
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane16
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
Registry keys modified: none recorded
Registry keys deleted: none recorded
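Almost everything in the behavioral section is what any Win32 GUI process does on Windows 7 at start-up: NLS locale lookups, Text Services Framework (CTF) keys, font-fallback and LanguagePack keys, Side-by-Side resolution of the COMCTL32 resource assembly, a Windows Error Reporting check, the MSCTF mutex, and the loader's probe for a "<exe>.Local" DLL-redirection directory. Filtering that background out is the first step of reading such a report, and once it is done the only key left is HKEY_CURRENT_USER\SOFTWARE\Tencent\CrossFire. The following is an added example, not Maldun's code, that applies such a filter; REPORT_KEYS, REPORT_FILES and REPORT_MUTEXES are constructed excerpts of the lists above (same strings, fewer of them), and the noise prefixes are an assumption about which families a Windows 7 GUI process touches on its own. Two caveats before reading the result: the sample is a GUI tool, and an unattended 139-second run exercises little beyond start-up, so the absence of child processes, network traffic and file writes is not evidence that the program cannot do those things; and the CrossFire key appears only in the accessed list, not in the read list, so the page shows an open, not a value read.

```python
"""Strip operating-system background noise from a sandbox behavioural section
so that what remains is attributable to the sample.

Added example, not Maldun's code. REPORT_KEYS, REPORT_FILES and REPORT_MUTEXES
are constructed excerpts of the report's lists. The noise families (assumed):
NLS locale tables, Text Services Framework (CTF), font fallback/LanguagePack,
Side-by-Side, Windows Error Reporting, and the loader's '<exe>.Local' probe.
"""
import re

REPORT_KEYS = [
    r"HKEY_CURRENT_USER\SOFTWARE\Tencent\CrossFire",
    r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale",
    r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane1",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable",
    r"HKEY_CURRENT_USER",
    r"HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey",
    r"HKEY_CURRENT_USER\Software\Microsoft\CTF\DirectSwitchHotkeys",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext",
]
REPORT_FILES = [
    r"C:\Windows\Globalization\Sorting\sortdefault.nls",
    "C:\\Users\\test\\AppData\\Local\\Temp\\_________REZ____________v1.0.exe.Local\\",
    r"C:\Windows\winsxs\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.7600.16385_zh-cn_b7a33d2d3f47b7fb\COMCTL32.dll.mui",
    r"C:\Windows\Fonts\staticcache.dat",
]
REPORT_MUTEXES = [r"Local\MSCTF.Asm.MutexDefault1"]

NOISE_KEY_PREFIXES = (
    r"HKLM\SYSTEM\CurrentControlSet\Control\Nls",
    r"HKLM\SOFTWARE\Microsoft\CTF",
    r"HKCU\Software\Microsoft\CTF",
    r"HKCU\Keyboard Layout",
    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack",
    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide",
    r"HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting",
)
NOISE_FILE_PATTERNS = (
    re.compile(r"^C:\\Windows\\(Globalization|winsxs|Fonts)\\", re.I),
    re.compile(r"\.exe\.Local\\?$", re.I),      # loader's DotLocal redirection probe
)
NOISE_MUTEXES = {r"Local\MSCTF.Asm.MutexDefault1"}   # Text Services Framework, any GUI process


def normalize_key(key: str) -> str:
    """Canonical spelling so hive aliases, ControlSet001 vs CurrentControlSet
    and Wow6432Node reflection do not defeat prefix matching."""
    k = key.strip()
    k = re.sub(r"^HKEY_LOCAL_MACHINE", "HKLM", k, flags=re.I)
    k = re.sub(r"^HKEY_CURRENT_USER", "HKCU", k, flags=re.I)
    k = re.sub(r"\\ControlSet\d{3}\\", r"\\CurrentControlSet\\", k, flags=re.I)
    k = re.sub(r"\\Wow6432Node\\", r"\\", k, flags=re.I)
    return k


def is_noise_key(key: str) -> bool:
    k = normalize_key(key).lower()
    if k in ("hklm", "hkcu"):                   # bare hive open
        return True
    return any(k == p.lower() or k.startswith(p.lower() + "\\") for p in NOISE_KEY_PREFIXES)


def is_noise_file(path: str) -> bool:
    return any(p.search(path) for p in NOISE_FILE_PATTERNS)


def triage(keys, files, mutexes) -> dict:
    """Return only the artefacts not explained by OS background activity."""
    return {
        "keys": [k for k in keys if not is_noise_key(k)],
        "files": [f for f in files if not is_noise_file(f)],
        "mutexes": [m for m in mutexes if m not in NOISE_MUTEXES],
    }


if __name__ == "__main__":
    print(triage(REPORT_KEYS, REPORT_FILES, REPORT_MUTEXES))
```

Keep the prefix list conservative: it should name subsystems, not individual keys, and anything under Run, Services, Policies or a third-party vendor path must never be swallowed by it, which is what the last assertion in the test guards.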
API resolution (procedure-address lookups observed in the process; most of these are made by system DLLs initialising themselves rather than by the sample's own code)
  • kernel32.dll.IsProcessorFeaturePresent
  • cryptbase.dll.SystemFunction036 (RtlGenRandom)
  • kernel32.dll.SortGetHandle
  • kernel32.dll.SortCloseHandle
  • comctl32.dll.RegisterClassNameW
  • uxtheme.dll.EnableThemeDialogTexture
  • uxtheme.dll.OpenThemeData
  • comctl32.dll.InitCommonControlsEx
  • imm32.dll.ImmIsIME
  • gdi32.dll.GetLayout
  • gdi32.dll.GdiRealizationInfo
  • gdi32.dll.FontIsLinked
  • advapi32.dll.RegOpenKeyExW
  • advapi32.dll.RegQueryInfoKeyW
  • gdi32.dll.GetTextFaceAliasW
  • advapi32.dll.RegEnumValueW
  • advapi32.dll.RegCloseKey
  • advapi32.dll.RegQueryValueExW
  • advapi32.dll.RegQueryValueExA
  • advapi32.dll.RegEnumKeyExW
  • gdi32.dll.GetTextExtentExPointWPri
  • imm32.dll.ImmGetContext
  • imm32.dll.ImmReleaseContext
  • imm32.dll.ImmAssociateContext
  • ole32.dll.CoInitializeEx
  • ole32.dll.CoUninitialize
  • ole32.dll.CoRegisterInitializeSpy
  • ole32.dll.CoRevokeInitializeSpy
  • imm32.dll.ImmLockIMC
  • imm32.dll.ImmUnlockIMC
  • imm32.dll.ImmSetCompositionFontW
  • imm32.dll.ImmGetCompositionWindow
  • imm32.dll.ImmSetCompositionWindow
  • gdi32.dll.GetFontAssocStatus
  • uxtheme.dll.BufferedPaintInit
  • uxtheme.dll.BeginBufferedPaint
  • gdi32.dll.GdiIsMetaPrintDC