魔盾安全分析报告

分析类型	开始时间	结束时间	持续时间	分析引擎版本
FILE	2020-01-18 16:30:19	2020-01-18 16:32:47	148 秒	1.4-Maldun

虚拟机机器名	标签	虚拟机管理	开机时间	关机时间
win7-sp1-x64-hpdapp01-1	win7-sp1-x64-hpdapp01-1	KVM	2020-01-18 16:30:30	2020-01-18 16:32:47

魔盾分数
0.0 正常的

文件详细信息

文件名	360se.exe
文件大小	1592640 字节
文件类型	PE32 executable (GUI) Intel 80386, for MS Windows
CRC32	830F7355
MD5	20a542f734d3eccd3e1653b91491497f
SHA1	b19f02d98b57050fe28fe938c584322fe8c2950e
SHA256	c57ac156558695bab745c12ee9748ccff4ef5925c90e7800709e7cf48c85ad77
SHA512	6f90d1059d0585174b365fa753911901bbc5e9e9fb0f18d647220b5a3247bda5ee7a483f7ae05c897bbf7bfd59f45892581ae2b20a4b3fdccc0fe742f6f30a35
Ssdeep	24576:z1oelUFZ/Il87lQLcE2L/Un9R4z9lSPIa/YXP/PfaRUreF4PSJsjWdrUnKBEbO1O:z/lUD887+4E2LWj8gZllHr422rLH
PEiD	无匹配
Yara	DebuggerCheck__QueryInfo () DebuggerHiding__Thread () DebuggerTiming__PerformanceCounter () DebuggerTiming__Ticks (Detected timing ticks function) ThreadControl__Context () anti_dbg (Detected self protection if being debugged) disable_dep (Bypass DEP) inject_thread (Detected code injection function with CreateRemoteThread in a remote process) win_mutex (Create or check mutex) create_process (Detection function for creating a new process) escalate_priv (Detected escalate priviledges function) win_registry (Detected system registries modification function) win_token (Affect system token) win_files_operation (Affect private profile) Maldun_Anomoly_Combined_Activities_7 (Spotted potential malicious behaviors from a small size target, like process manipultion, privilege, token and files) with_urls (Detected the presence of an or several urls) MD5_Constants (Look for MD5 constants) RIPEMD160_Constants (Look for RIPEMD-160 constants) SHA1_Constants (Look for SHA1 constants) IsPE32 (Detected a 32bit PE sample) IsWindowsGUI (Detected a Windows GUI sample) HasOverlay (Detected Overlay signature) HasDigitalSignature (Detected Digital Signature) HasDebugData (Detected Debug Data) HasRichSignature (Detected Rich Signature)
VirusTotal	VirusTotal链接 VirusTotal扫描时间: 2020-01-13 02:19:39 扫描结果: 0/72

特征

样本的签名证书合法

魔盾安全Yara检测结果 - 普通

Warning: Bypass DEP

Warning: Detected code injection function with CreateRemoteThread in a remote process

Critical: Spotted potential malicious behaviors from a small size target, like process manipultion, privilege, token and files

二进制文件可能包含加密或压缩数据

section: name: .rsrc, entropy: 7.41, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ, raw_size: 0x00061000, virtual_size: 0x00060ea8

运行截图

网络分析

无信息

静态分析

PE 信息

初始地址	0x00400000
入口地址	0x0048bb00
声明校验值	0x0018c385
实际校验值	0x0018c385
最低操作系统版本要求	5.1
PDB路径	E:\se10\src\out\Release\initialexe\360se.exe.pdb
编译时间	2020-01-03 17:31:32
载入哈希	7de57d0d8feaf4d897a7494fe0bbbe96
导出DLL库名称	\x35\x35\x34\x31\x31\x34\x31\x31\x31

版本信息

LegalCopyright:	(C) 360.cn All Rights Reserved.
InternalName:	360se_exe
CompanyShortName:	360.cn
FileVersion:	10.0.2364.0
CompanyName:	360.cn
ProductShortName:	360\u5b89\u5168\u6d4f\u89c8\u5668
ProductName:	360\u5b89\u5168\u6d4f\u89c8\u5668
LastChange:	f07cfba5373416595ec2cce0cef6facca9866fe6
ProductVersion:	10.0.2364.0
FileDescription:	360\u5b89\u5168\u6d4f\u89c8\u5668
OriginalFilename:	360se.exe
Official Build:	1
Translation:	0x0409 0x04b0

PE数据组成

名称	虚拟地址	虚拟大小	原始数据大小	特征	熵(Entropy)
.text	0x00001000	0x000b17da	0x000b1800	IMAGE_SCN_CNT_CODE\|IMAGE_SCN_MEM_EXECUTE\|IMAGE_SCN_MEM_READ	6.68
.rdata	0x000b3000	0x0005d8fc	0x0005da00	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ	5.17
.data	0x00111000	0x0000d554	0x00008e00	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ\|IMAGE_SCN_MEM_WRITE	0.91
.didat	0x0011f000	0x0000011c	0x00000200	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ\|IMAGE_SCN_MEM_WRITE	2.52
.rsrc	0x00120000	0x00060ea8	0x00061000	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ	7.41
.reloc	0x00181000	0x00007004	0x00007200	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_DISCARDABLE\|IMAGE_SCN_MEM_READ	6.63

导入

库 ADVAPI32.dll:

• 0x4b3000 - RegQueryValueExW

• 0x4b3004 - DuplicateTokenEx

• 0x4b3008 - RegOpenKeyExW

• 0x4b300c - CheckTokenMembership

• 0x4b3010 - FreeSid

• 0x4b3014 - OpenProcessToken

• 0x4b3018 - AllocateAndInitializeSid

• 0x4b301c - RegCloseKey

• 0x4b3020 - CreateProcessAsUserW

• 0x4b3024 - RegDeleteValueW

• 0x4b3028 - RegSetValueExW

• 0x4b302c - RegEnumKeyExW

• 0x4b3030 - RegCreateKeyExW

• 0x4b3034 - RegDeleteKeyW

• 0x4b3038 - GetTokenInformation

• 0x4b303c - ConvertSidToStringSidW

• 0x4b3040 - AdjustTokenPrivileges

• 0x4b3044 - LookupPrivilegeValueW

• 0x4b3048 - SystemFunction036

• 0x4b304c - InitializeSecurityDescriptor

• 0x4b3050 - SetSecurityDescriptorDacl

• 0x4b3054 - RegQueryValueExA

• 0x4b3058 - RegDisablePredefinedCache

• 0x4b305c - RevertToSelf

• 0x4b3060 - GetLengthSid

• 0x4b3064 - SetKernelObjectSecurity

• 0x4b3068 - ConvertStringSecurityDescriptorToSecurityDescriptorW

• 0x4b306c - GetKernelObjectSecurity

• 0x4b3070 - SetSecurityInfo

• 0x4b3074 - ConvertStringSidToSidW

• 0x4b3078 - SetTokenInformation

• 0x4b307c - GetAce

• 0x4b3080 - GetSecurityDescriptorSacl

• 0x4b3084 - SetThreadToken

• 0x4b3088 - DuplicateToken

• 0x4b308c - CreateRestrictedToken

• 0x4b3090 - EqualSid

• 0x4b3094 - CopySid

• 0x4b3098 - CreateWellKnownSid

• 0x4b309c - GetSecurityInfo

• 0x4b30a0 - SetEntriesInAclW

库 KERNEL32.dll:

• 0x4b30a8 - ReadFile

• 0x4b30ac - VirtualProtect

• 0x4b30b0 - GetModuleFileNameW

• 0x4b30b4 - CreateFileW

• 0x4b30b8 - GetLastError

• 0x4b30bc - CloseHandle

• 0x4b30c0 - GetFileSize

• 0x4b30c4 - GetModuleHandleW

• 0x4b30c8 - GetCurrentProcess

• 0x4b30cc - GetVersionExW

• 0x4b30d0 - GetCurrentThread

• 0x4b30d4 - LoadLibraryW

• 0x4b30d8 - VirtualQuery

• 0x4b30dc - TerminateProcess

• 0x4b30e0 - WaitForSingleObject

• 0x4b30e4 - GetSystemDirectoryW

• 0x4b30e8 - OpenProcess

• 0x4b30ec - CreateEventW

• 0x4b30f0 - Sleep

• 0x4b30f4 - GetUserDefaultLCID

• 0x4b30f8 - SetEvent

• 0x4b30fc - CreateThread

• 0x4b3100 - HeapSetInformation

• 0x4b3104 - ReplaceFileW

• 0x4b3108 - GetCurrentProcessId

• 0x4b310c - FreeLibrary

• 0x4b3110 - WritePrivateProfileStringW

• 0x4b3114 - SetLastError

• 0x4b3118 - GetPrivateProfileIntW

• 0x4b311c - ProcessIdToSessionId

• 0x4b3120 - DeleteFileW

• 0x4b3124 - SetCurrentDirectoryW

• 0x4b3128 - WTSGetActiveConsoleSessionId

• 0x4b312c - CreateProcessW

• 0x4b3130 - LoadLibraryExW

• 0x4b3134 - VirtualFree

• 0x4b3138 - VirtualAlloc

• 0x4b313c - SetFilePointer

• 0x4b3140 - GetSystemInfo

• 0x4b3144 - GetFileAttributesW

• 0x4b3148 - GetSystemTime

• 0x4b314c - MultiByteToWideChar

• 0x4b3150 - WideCharToMultiByte

• 0x4b3154 - GetModuleHandleExW

• 0x4b3158 - lstrcmpiW

• 0x4b315c - DuplicateHandle

• 0x4b3160 - GetExitCodeProcess

• 0x4b3164 - SetEnvironmentVariableW

• 0x4b3168 - SetInformationJobObject

• 0x4b316c - SetHandleInformation

• 0x4b3170 - GetStdHandle

• 0x4b3174 - AssignProcessToJobObject

• 0x4b3178 - GetProcessId

• 0x4b317c - ResumeThread

• 0x4b3180 - GetCommandLineW

• 0x4b3184 - LocalFree

• 0x4b3188 - GetModuleHandleA

• 0x4b318c - GetNativeSystemInfo

• 0x4b3190 - ExpandEnvironmentStringsW

• 0x4b3194 - GetUserDefaultLangID

• 0x4b3198 - WriteFile

• 0x4b319c - GetLocalTime

• 0x4b31a0 - GetCurrentDirectoryW

• 0x4b31a4 - CreateDirectoryW

• 0x4b31a8 - QueryDosDeviceW

• 0x4b31ac - GetLongPathNameW

• 0x4b31b0 - RemoveDirectoryW

• 0x4b31b4 - GetTempPathW

• 0x4b31b8 - UnmapViewOfFile

• 0x4b31bc - SetFileAttributesW

• 0x4b31c0 - GetFileAttributesExW

• 0x4b31c4 - CopyFileW

• 0x4b31c8 - CreateFileMappingW

• 0x4b31cc - MapViewOfFile

• 0x4b31d0 - GetProcAddress

• 0x4b31d4 - SetThreadPriority

• 0x4b31d8 - QueryPerformanceFrequency

• 0x4b31dc - GetThreadPriority

• 0x4b31e0 - SystemTimeToFileTime

• 0x4b31e4 - GetSystemTimeAsFileTime

• 0x4b31e8 - QueryPerformanceCounter

• 0x4b31ec - HeapCreate

• 0x4b31f0 - HeapDestroy

• 0x4b31f4 - FormatMessageA

• 0x4b31f8 - GetTickCount

• 0x4b31fc - InitializeCriticalSectionAndSpinCount

• 0x4b3200 - RaiseException

• 0x4b3204 - DecodePointer

• 0x4b3208 - DeleteCriticalSection

• 0x4b320c - ReadProcessMemory

• 0x4b3210 - EnterCriticalSection

• 0x4b3214 - LeaveCriticalSection

• 0x4b3218 - GetFileSizeEx

• 0x4b321c - SetFilePointerEx

• 0x4b3220 - FlushFileBuffers

• 0x4b3224 - FindFirstFileW

• 0x4b3228 - FindFirstFileExW

• 0x4b322c - FindNextFileW

• 0x4b3230 - FindClose

• 0x4b3234 - CreateToolhelp32Snapshot

• 0x4b3238 - Process32NextW

• 0x4b323c - Process32FirstW

• 0x4b3240 - GetCurrentThreadId

• 0x4b3244 - GetProcessTimes

• 0x4b3248 - HeapFree

• 0x4b324c - InitializeCriticalSection

• 0x4b3250 - HeapSize

• 0x4b3254 - WritePrivateProfileStructW

• 0x4b3258 - HeapReAlloc

• 0x4b325c - HeapAlloc

• 0x4b3260 - GetProcessHeap

• 0x4b3264 - GlobalMemoryStatusEx

• 0x4b3268 - DebugBreak

• 0x4b326c - SetUnhandledExceptionFilter

• 0x4b3270 - GetWindowsDirectoryW

• 0x4b3274 - RegisterWaitForSingleObject

• 0x4b3278 - UnregisterWaitEx

• 0x4b327c - SizeofResource

• 0x4b3280 - LockResource

• 0x4b3284 - LoadResource

• 0x4b3288 - FindResourceW

• 0x4b328c - IsDebuggerPresent

• 0x4b3290 - DeviceIoControl

• 0x4b3294 - TlsGetValue

• 0x4b3298 - lstrcmpA

• 0x4b329c - lstrcmpiA

• 0x4b32a0 - TlsSetValue

• 0x4b32a4 - TlsAlloc

• 0x4b32a8 - ResetEvent

• 0x4b32ac - TlsFree

• 0x4b32b0 - TryEnterCriticalSection

• 0x4b32b4 - RtlCaptureStackBackTrace

• 0x4b32b8 - VirtualQueryEx

• 0x4b32bc - HeapLock

• 0x4b32c0 - HeapWalk

• 0x4b32c4 - HeapUnlock

• 0x4b32c8 - GetQueuedCompletionStatus

• 0x4b32cc - PostQueuedCompletionStatus

• 0x4b32d0 - CreateIoCompletionPort

• 0x4b32d4 - CreateRemoteThread

• 0x4b32d8 - GetLocaleInfoW

• 0x4b32dc - SuspendThread

• 0x4b32e0 - GetThreadContext

• 0x4b32e4 - FlushInstructionCache

• 0x4b32e8 - SetThreadContext

• 0x4b32ec - CreateFileA

• 0x4b32f0 - GetTimeZoneInformation

• 0x4b32f4 - OutputDebugStringW

• 0x4b32f8 - VirtualAllocEx

• 0x4b32fc - TerminateJobObject

• 0x4b3300 - WriteProcessMemory

• 0x4b3304 - VirtualProtectEx

• 0x4b3308 - GetProcessHeaps

• 0x4b330c - GetProcessHandleCount

• 0x4b3310 - SignalObjectAndWait

• 0x4b3314 - GetFileType

• 0x4b3318 - VirtualFreeEx

• 0x4b331c - CreateJobObjectW

• 0x4b3320 - CreateNamedPipeW

• 0x4b3324 - CreateMutexW

• 0x4b3328 - SearchPathW

• 0x4b332c - LoadLibraryExA

• 0x4b3330 - WriteConsoleW

• 0x4b3334 - SetEnvironmentVariableA

• 0x4b3338 - FreeEnvironmentStringsW

• 0x4b333c - GetEnvironmentStringsW

• 0x4b3340 - GetCommandLineA

• 0x4b3344 - GetOEMCP

• 0x4b3348 - IsValidCodePage

• 0x4b334c - EnumSystemLocalesW

• 0x4b3350 - IsValidLocale

• 0x4b3354 - ReadConsoleW

• 0x4b3358 - GetACP

• 0x4b335c - GetEnvironmentVariableW

• 0x4b3360 - lstrlenW

• 0x4b3364 - GetConsoleMode

• 0x4b3368 - GetConsoleCP

• 0x4b336c - GetFullPathNameW

• 0x4b3370 - FormatMessageW

• 0x4b3374 - GetStringTypeW

• 0x4b3378 - EncodePointer

• 0x4b337c - GetCPInfo

• 0x4b3380 - CompareStringW

• 0x4b3384 - LCMapStringW

• 0x4b3388 - UnhandledExceptionFilter

• 0x4b338c - IsProcessorFeaturePresent

• 0x4b3390 - GetStartupInfoW

• 0x4b3394 - InitializeSListHead

• 0x4b3398 - LocalFileTimeToFileTime

• 0x4b339c - ReleaseMutex

• 0x4b33a0 - OpenThread

• 0x4b33a4 - RtlUnwind

• 0x4b33a8 - ExitProcess

• 0x4b33ac - GetDriveTypeW

• 0x4b33b0 - SetStdHandle

库 PSAPI.DLL:

• 0x4b33c0 - QueryWorkingSet

• 0x4b33c4 - GetModuleInformation

• 0x4b33c8 - GetProcessMemoryInfo

• 0x4b33cc - GetProcessImageFileNameW

库 VERSION.dll:

• 0x4b33d4 - GetFileVersionInfoW

• 0x4b33d8 - VerQueryValueW

• 0x4b33dc - GetFileVersionInfoSizeW

库 NETAPI32.dll:

• 0x4b33b8 - Netbios

导出

序列	地址	名称
1	0x40dfd0	??0ShellResourceRequestDetails@@QAE@XZ
2	0x401a20	??1ShellResourceRequestDetails@@QAE@XZ
3	0x40e040	??4ShellResourceRequestDetails@@QAEAAU0@ABU0@@Z
4	0x42c090	GetHandleVerifier
5	0x403c60	GetUploadedReportsImpl
6	0x46d9d0	IsSandboxedProcess
7	0x403b20	get_launch_failed

投放文件

无信息

行为分析

互斥量(Mutexes)

1830B7BD-F7A3-4c4d-989B-C004DE465EDE 2648
Local\MSCTF.Asm.MutexDefault1

执行的命令 无信息

创建的服务 无信息

启动的服务 无信息

进程

360se.exe PID: 2648, 上一级进程 PID: 2352

访问的文件

C:\Users\test\AppData\Local\Temp\10.0.2364.0\chrome_elf.dll
C:\Users\test\AppData\Local\Temp\chrome_elf.dll
C:\Windows\SysWOW64\zh-CN\KERNELBASE.dll.mui
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\Fonts\staticcache.dat
C:\Windows\Globalization\Sorting\sortdefault.nls
C:\Users\test\AppData\Local\Temp\imageres.dll
C:\Windows\System32\imageres.dll
C:\Windows\System32\zh-CN\imageres.dll.mui
C:\Windows\sysnative\zh-CN\imageres.dll.mui
C:\Windows\System32\zh-Hans\imageres.dll.mui
C:\Windows\System32\zh\imageres.dll.mui
C:\Windows\System32\en-US\imageres.dll.mui
\Device\KsecDD

读取的文件

C:\Users\test\AppData\Local\Temp\chrome_elf.dll
C:\Windows\SysWOW64\zh-CN\KERNELBASE.dll.mui
C:\Windows\Fonts\staticcache.dat
C:\Windows\Globalization\Sorting\sortdefault.nls
C:\Windows\System32\imageres.dll
C:\Windows\System32\zh-CN\imageres.dll.mui
C:\Windows\sysnative\zh-CN\imageres.dll.mui
C:\Windows\System32\zh-Hans\imageres.dll.mui
C:\Windows\System32\zh\imageres.dll.mui
C:\Windows\System32\en-US\imageres.dll.mui
\Device\KsecDD

修改的文件 无信息

删除的文件 无信息

注册表键

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\WMR
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane16
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\360se.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{03B5835F-F03C-411B-9CE2-AA23E1171E36}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{07EB03D6-B001-41DF-9192-BF9B841EE71F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3697C5FA-60DD-4B56-92D4-74A569205C16}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3FC47A08-E5C9-4BCA-A2C7-BC9A282AED14}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{531FDEBF-9B4C-4A43-A2AA-960E8FCDC732}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{78CB5B0E-26ED-4FCC-854C-77E8F3D1AA80}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{81D4E9C9-1D3B-41BC-9E6C-4B40BF79E35E}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{8613E14C-D0C0-4161-AC0F-1DD2563286BC}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{A028AE76-01B1-46C2-99C4-ACD9858AE02F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{AE6BE008-07FB-400D-8BEB-337A64F7051F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{C1EE01F2-B3B6-4A6A-9DDD-E988C088EC82}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{E429B25A-E5D3-4D1F-9BE3-0C608477E3A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F25E9F57-2FC8-4EB3-A41A-CCE5F08541E6}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F89E9E58-BD2F-4008-9AC2-0F816C09F4EE}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_CURRENT_USER
HKEY_CURRENT_USER\Keyboard Layout\Toggle
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
HKEY_CURRENT_USER\Software\Microsoft\CTF\DirectSwitchHotkeys
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext

读取的注册表键

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane16
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext

修改的注册表键 无信息

删除的注册表键 无信息

API解析

kernel32.dll.InitializeCriticalSectionEx
kernel32.dll.FlsAlloc
kernel32.dll.FlsSetValue
kernel32.dll.FlsGetValue
kernel32.dll.LCMapStringEx
kernel32.dll.FlsFree
kernel32.dll.InitOnceExecuteOnce
kernel32.dll.CreateEventExW
kernel32.dll.CreateSemaphoreW
kernel32.dll.CreateSemaphoreExW
kernel32.dll.CreateThreadpoolTimer
kernel32.dll.SetThreadpoolTimer
kernel32.dll.WaitForThreadpoolTimerCallbacks
kernel32.dll.CloseThreadpoolTimer
kernel32.dll.CreateThreadpoolWait
kernel32.dll.SetThreadpoolWait
kernel32.dll.CloseThreadpoolWait
kernel32.dll.FlushProcessWriteBuffers
kernel32.dll.FreeLibraryWhenCallbackReturns
kernel32.dll.GetCurrentProcessorNumber
kernel32.dll.CreateSymbolicLinkW
kernel32.dll.GetTickCount64
kernel32.dll.GetFileInformationByHandleEx
kernel32.dll.SetFileInformationByHandle
kernel32.dll.InitializeConditionVariable
kernel32.dll.WakeConditionVariable
kernel32.dll.WakeAllConditionVariable
kernel32.dll.SleepConditionVariableCS
kernel32.dll.InitializeSRWLock
kernel32.dll.AcquireSRWLockExclusive
kernel32.dll.TryAcquireSRWLockExclusive
kernel32.dll.ReleaseSRWLockExclusive
kernel32.dll.SleepConditionVariableSRW
kernel32.dll.CreateThreadpoolWork
kernel32.dll.SubmitThreadpoolWork
kernel32.dll.CloseThreadpoolWork
kernel32.dll.CompareStringEx
kernel32.dll.GetLocaleInfoEx
kernel32.dll.AreFileApisANSI
kernel32.dll.EnumSystemLocalesEx
kernel32.dll.GetDateFormatEx
kernel32.dll.GetTimeFormatEx
kernel32.dll.GetUserDefaultLocaleName
kernel32.dll.IsValidLocaleName
kernel32.dll.LCIDToLocaleName
kernel32.dll.LocaleNameToLCID
kernel32.dll.AcquireSRWLockShared
kernel32.dll.ReleaseSRWLockShared
shell32.dll.SHGetSpecialFolderPathW
user32.dll.wsprintfW
shlwapi.dll.PathFileExistsW
user32.dll.MessageBoxW
gdi32.dll.GetLayout
gdi32.dll.GdiRealizationInfo
gdi32.dll.FontIsLinked
advapi32.dll.RegOpenKeyExW
advapi32.dll.RegQueryInfoKeyW
gdi32.dll.GetTextFaceAliasW
advapi32.dll.RegEnumValueW
advapi32.dll.RegCloseKey
advapi32.dll.RegQueryValueExW
advapi32.dll.RegQueryValueExA
advapi32.dll.RegEnumKeyExW
gdi32.dll.GetTextExtentExPointWPri
comctl32.dll.RegisterClassNameW
kernel32.dll.SortGetHandle
kernel32.dll.SortCloseHandle
uxtheme.dll.EnableThemeDialogTexture
uxtheme.dll.OpenThemeData
ole32.dll.CoInitializeEx
ole32.dll.CoUninitialize
cryptbase.dll.SystemFunction036
ole32.dll.CoRegisterInitializeSpy
ole32.dll.CoRevokeInitializeSpy
gdi32.dll.GetFontAssocStatus
gdi32.dll.GdiIsMetaPrintDC