魔盾安全分析报告
| 分析类型 | 开始时间 | 结束时间 | 持续时间 | 分析引擎版本 |
|---|---|---|---|---|
| FILE | 2016-11-12 22:56:37 | 2016-11-12 22:58:52 | 135 秒 | 1.4-Maldun |
| 虚拟机机器名 | 标签 | 虚拟机管理 | 开机时间 | 关机时间 |
|---|---|---|---|---|
| win7-sp1-x64 | win7-sp1-x64 | KVM | 2016-11-12 22:56:37 | 2016-11-12 22:58:52 |
| 魔盾分数 |
|---|
1.5正常的 |
文件详细信息
| 文件名 | _shfoldr.dll |
|---|---|
| 文件大小 | 23312 字节 |
| 文件类型 | PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows |
| CRC32 | AE2C3EC2 |
| MD5 | 92dc6ef532fbb4a5c3201469a5b5eb63 |
| SHA1 | 3e89ff837147c16b4e41c30d6c796374e0b8e62c |
| SHA256 | 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87 |
| SHA512 | 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3 |
| Ssdeep | 384:+Vm08QoKkiWZ76UJuP71W55iWHHoSHigH2euwsHTGHVb+VHHmnH+aHjHqLHxmoq1:2m08QotiCjJuPGw4 |
| PEiD | 无匹配 |
| Yara | 无Yara规则匹配 |
| VirusTotal |
VirusTotal链接 VirusTotal扫描时间: 2016-11-08 22:05:29 扫描结果: 0/57 |
特征
创建RWX内存
二进制源中出现非常规语言: Spanish (Modern)
运行截图
网络分析
静态分析
PE 信息
| 初始地址 | 0x71950000 |
|---|---|
| 入口地址 | 0x719527f6 |
| 声明校验值 | 0x00008df0 |
| 实际校验值 | 0x00008df0 |
| 最低操作系统版本要求 | 5.0 |
| 编译时间 | 2001-07-24 10:12:21 |
| 导出DLL库名称 | SHFOLDER.dll |
版本信息
| LegalCopyright: | Copyright (C) Microsoft Corp. 1981-2001 |
| InternalName: | shfolder |
| FileVersion: | 5.50.4807.2300 |
| CompanyName: | Microsoft Corporation |
| ProductName: | Microsoft(R) Windows (R) 2000 Operating System |
| OleSelfRegister: | |
| ProductVersion: | 5.50.4807.2300 |
| FileDescription: | Shell Folder Service |
| OriginalFilename: | shfolder.dll |
| Translation: | 0x0409 0x04b0 |
PE数据组成
| 名称 | 虚拟地址 | 虚拟大小 | 原始数据大小 | 特征 | 熵(Entropy) |
|---|---|---|---|---|---|
| .text | 0x00001000 | 0x00001e7b | 0x00002000 | IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ | 5.93 |
| .data | 0x00003000 | 0x0000005c | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE | 0.44 |
| .rsrc | 0x00004000 | 0x00002f10 | 0x00003000 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 3.58 |
| .reloc | 0x00007000 | 0x000001dc | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ | 4.80 |
覆盖
| 偏移量: | 0x00005a00 |
| 大小: | 0x00000110 |
资源
| 名称 | 偏移量 | 大小 | 语言 | 子语言 | 熵(Entropy) | 文件类型 |
|---|---|---|---|---|---|---|
| RT_STRING | 0x00005228 | 0x00000196 | LANG_SPANISH | SUBLANG_SPANISH_MODERN | 3.24 | data |
| RT_STRING | 0x00005228 | 0x00000196 | LANG_SPANISH | SUBLANG_SPANISH_MODERN | 3.24 | data |
| RT_STRING | 0x00005228 | 0x00000196 | LANG_SPANISH | SUBLANG_SPANISH_MODERN | 3.24 | data |
| RT_STRING | 0x00005228 | 0x00000196 | LANG_SPANISH | SUBLANG_SPANISH_MODERN | 3.24 | data |
| RT_STRING | 0x00005228 | 0x00000196 | LANG_SPANISH | SUBLANG_SPANISH_MODERN | 3.24 | data |
| RT_STRING | 0x00005228 | 0x00000196 | LANG_SPANISH | SUBLANG_SPANISH_MODERN | 3.24 | data |
| RT_STRING | 0x00005228 | 0x00000196 | LANG_SPANISH | SUBLANG_SPANISH_MODERN | 3.24 | data |
| RT_STRING | 0x00005228 | 0x00000196 | LANG_SPANISH | SUBLANG_SPANISH_MODERN | 3.24 | data |
| RT_STRING | 0x00005228 | 0x00000196 | LANG_SPANISH | SUBLANG_SPANISH_MODERN | 3.24 | data |
| RT_STRING | 0x00005228 | 0x00000196 | LANG_SPANISH | SUBLANG_SPANISH_MODERN | 3.24 | data |
| RT_STRING | 0x00005228 | 0x00000196 | LANG_SPANISH | SUBLANG_SPANISH_MODERN | 3.24 | data |
| RT_STRING | 0x00005228 | 0x00000196 | LANG_SPANISH | SUBLANG_SPANISH_MODERN | 3.24 | data |
| RT_STRING | 0x00005228 | 0x00000196 | LANG_SPANISH | SUBLANG_SPANISH_MODERN | 3.24 | data |
| RT_STRING | 0x00005228 | 0x00000196 | LANG_SPANISH | SUBLANG_SPANISH_MODERN | 3.24 | data |
| RT_STRING | 0x00005228 | 0x00000196 | LANG_SPANISH | SUBLANG_SPANISH_MODERN | 3.24 | data |
| RT_STRING | 0x00005228 | 0x00000196 | LANG_SPANISH | SUBLANG_SPANISH_MODERN | 3.24 | data |
| RT_STRING | 0x00005228 | 0x00000196 | LANG_SPANISH | SUBLANG_SPANISH_MODERN | 3.24 | data |
| RT_STRING | 0x00005228 | 0x00000196 | LANG_SPANISH | SUBLANG_SPANISH_MODERN | 3.24 | data |
| RT_STRING | 0x00005228 | 0x00000196 | LANG_SPANISH | SUBLANG_SPANISH_MODERN | 3.24 | data |
| RT_STRING | 0x00005228 | 0x00000196 | LANG_SPANISH | SUBLANG_SPANISH_MODERN | 3.24 | data |
| RT_STRING | 0x00005228 | 0x00000196 | LANG_SPANISH | SUBLANG_SPANISH_MODERN | 3.24 | data |
| RT_STRING | 0x00005228 | 0x00000196 | LANG_SPANISH | SUBLANG_SPANISH_MODERN | 3.24 | data |
| RT_STRING | 0x00005228 | 0x00000196 | LANG_SPANISH | SUBLANG_SPANISH_MODERN | 3.24 | data |
| RT_STRING | 0x00005228 | 0x00000196 | LANG_SPANISH | SUBLANG_SPANISH_MODERN | 3.24 | data |
| RT_STRING | 0x00005228 | 0x00000196 | LANG_SPANISH | SUBLANG_SPANISH_MODERN | 3.24 | data |
| RT_STRING | 0x00005228 | 0x00000196 | LANG_SPANISH | SUBLANG_SPANISH_MODERN | 3.24 | data |
| RT_STRING | 0x00005228 | 0x00000196 | LANG_SPANISH | SUBLANG_SPANISH_MODERN | 3.24 | data |
| RT_STRING | 0x00005228 | 0x00000196 | LANG_SPANISH | SUBLANG_SPANISH_MODERN | 3.24 | data |
| RT_VERSION | 0x00004330 | 0x00000394 | LANG_NEUTRAL | SUBLANG_NEUTRAL | 3.52 | data |
导入
库 KERNEL32.dll:
• 0x7195103c - EnumResourceLanguagesW
• 0x71951040 - EnumResourceNamesW
• 0x71951044 - lstrcatA
• 0x71951048 - lstrcpyA
• 0x7195104c - CompareStringW
• 0x71951050 - CreateDirectoryA
• 0x71951054 - CreateDirectoryW
• 0x71951058 - GetLastError
• 0x7195105c - FindResourceExW
• 0x71951060 - GetSystemDefaultLangID
• 0x71951064 - GetFileAttributesA
• 0x71951068 - GetFileAttributesW
• 0x7195106c - GetSystemDirectoryA
• 0x71951070 - GetSystemDirectoryW
• 0x71951074 - IsBadWritePtr
• 0x71951078 - DisableThreadLibraryCalls
• 0x7195107c - GlobalAlloc
• 0x71951080 - GlobalFree
• 0x71951084 - GetWindowsDirectoryW
• 0x71951088 - LoadResource
• 0x7195108c - LockResource
• 0x71951090 - lstrlenA
• 0x71951094 - GetWindowsDirectoryA
• 0x71951098 - ExpandEnvironmentStringsW
• 0x7195109c - GetVersionExA
• 0x719510a0 - lstrlenW
• 0x719510a4 - MultiByteToWideChar
• 0x719510a8 - GetProcAddress
• 0x719510ac - LoadLibraryA
• 0x719510b0 - FreeLibrary
• 0x719510b4 - ExpandEnvironmentStringsA
• 0x719510b8 - WideCharToMultiByte
• 0x719510bc - lstrcpynW
库 ADVAPI32.dll:
• 0x71951000 - InitializeSecurityDescriptor
• 0x71951004 - SetSecurityDescriptorDacl
• 0x71951008 - InitializeAcl
• 0x7195100c - GetAce
• 0x71951010 - SetFileSecurityW
• 0x71951014 - AddAccessAllowedAce
• 0x71951018 - RegSetValueExA
• 0x7195101c - LookupAccountSidW
• 0x71951020 - RegCreateKeyExA
• 0x71951024 - RegOpenKeyA
• 0x71951028 - RegSetValueExW
• 0x7195102c - RegQueryValueExA
• 0x71951030 - RegCloseKey
• 0x71951034 - RegQueryValueExW
导出
| 序列 | 地址 | 名称 |
|---|---|---|
| 1 | 0x7195278e | SHGetFolderPathA |
| 2 | 0x71952705 | SHGetFolderPathW |
投放文件
行为分析
互斥量(Mutexes)
- Local\MSCTF.Asm.MutexDefault1
执行的命令
无信息
创建的服务
无信息
启动的服务
无信息
进程
rundll32.exe PID: 2520, 上一级进程 PID: 2556
访问的文件
- C:\Users\test\AppData\Local\Temp\_shfoldr.dll
- C:\Users\test\AppData\Local\Temp\_shfoldr.dll.123.Manifest
- C:\Users\test\AppData\Local\Temp\_shfoldr.dll.124.Manifest
- C:\Users\test\AppData\Local\Temp\_shfoldr.dll.2.Manifest
- C:\Windows\SysWOW64\rundll32.exe
- C:\Windows\Fonts\staticcache.dat
- \Device\KsecDD
- C:\Windows\Globalization\Sorting\sortdefault.nls
读取的文件
- C:\Users\test\AppData\Local\Temp\_shfoldr.dll
- C:\Users\test\AppData\Local\Temp\_shfoldr.dll.123.Manifest
- C:\Users\test\AppData\Local\Temp\_shfoldr.dll.124.Manifest
- C:\Users\test\AppData\Local\Temp\_shfoldr.dll.2.Manifest
- C:\Windows\SysWOW64\rundll32.exe
- C:\Windows\Fonts\staticcache.dat
- \Device\KsecDD
- C:\Windows\Globalization\Sorting\sortdefault.nls
修改的文件
无信息
删除的文件
无信息
注册表键
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\UseFilter
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\_shfoldr.dll
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\WMR
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\\xe5\xbe\xae\xe8\xbd\xaf\xe9\x9b\x85\xe9\xbb\x91
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\rundll32.exe
- HKEY_LOCAL_MACHINE\Software\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{03B5835F-F03C-411B-9CE2-AA23E1171E36}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{07EB03D6-B001-41DF-9192-BF9B841EE71F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3697C5FA-60DD-4B56-92D4-74A569205C16}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3FC47A08-E5C9-4BCA-A2C7-BC9A282AED14}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{531FDEBF-9B4C-4A43-A2AA-960E8FCDC732}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{78CB5B0E-26ED-4FCC-854C-77E8F3D1AA80}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{81D4E9C9-1D3B-41BC-9E6C-4B40BF79E35E}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{8613E14C-D0C0-4161-AC0F-1DD2563286BC}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{A028AE76-01B1-46C2-99C4-ACD9858AE02F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{AE6BE008-07FB-400D-8BEB-337A64F7051F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{C1EE01F2-B3B6-4A6A-9DDD-E988C088EC82}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{E429B25A-E5D3-4D1F-9BE3-0C608477E3A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F25E9F57-2FC8-4EB3-A41A-CCE5F08541E6}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F89E9E58-BD2F-4008-9AC2-0F816C09F4EE}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{FA445657-9379-11D6-B41A-00065B83EE53}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_CURRENT_USER
- HKEY_CURRENT_USER\Keyboard Layout\Toggle
- HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
- HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
- HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
- HKEY_CURRENT_USER\Software\Microsoft\CTF\DirectSwitchHotkeys
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
- HKEY_CURRENT_USER\Software\Microsoft\CTF\LayoutIcon\0804\00000804
读取的注册表键
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\UseFilter
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\_shfoldr.dll
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
- HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
- HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
- HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
修改的注册表键
无信息
删除的注册表键
无信息
API解析
- gdi32.dll.GetLayout
- gdi32.dll.GdiRealizationInfo
- gdi32.dll.FontIsLinked
- advapi32.dll.RegOpenKeyExW
- advapi32.dll.RegQueryInfoKeyW
- gdi32.dll.GetTextFaceAliasW
- advapi32.dll.RegEnumValueW
- advapi32.dll.RegCloseKey
- advapi32.dll.RegQueryValueExW
- advapi32.dll.RegQueryValueExA
- advapi32.dll.RegEnumKeyExW
- uxtheme.dll.ThemeInitApiHook
- user32.dll.IsProcessDPIAware
- dwmapi.dll.DwmIsCompositionEnabled
- gdi32.dll.GdiIsMetaPrintDC
- ole32.dll.CoInitializeEx
- ole32.dll.CoUninitialize
- cryptbase.dll.SystemFunction036
- ole32.dll.CoRegisterInitializeSpy
- ole32.dll.CoRevokeInitializeSpy
- kernel32.dll.SortGetHandle
- kernel32.dll.SortCloseHandle
- ole32.dll.CoCreateInstance
- oleaut32.dll.SysAllocString
- oleaut32.dll.SysStringLen
- oleaut32.dll.SysFreeString