Maldun Security Analysis Report

Analysis type: FILE
Start time: 2020-04-08 19:38:32
End time: 2020-04-08 19:40:34
Duration: 122 seconds
Analysis engine version: 1.4-Maldun

VM name: win7-sp1-x64-shaapp01-1
Label: win7-sp1-x64-shaapp01-1
Hypervisor: KVM
Boot time: 2020-04-08 19:38:32
Shutdown time: 2020-04-08 19:40:36
Maldun Score

10.0

Malicious

File Details

File name: Faronics Products Keymaker.exe
File size: 161280 bytes
File type: PE32 executable (GUI) Intel 80386, for MS Windows
CRC32: 31B43E3D
MD5: 14bf3bd3defb3bfa6163e736d1c51b8c
SHA1: 65fec4b152678de74fafbe579a27d29b27c22087
SHA256: a8561d40c92849f0cb4b346c255c630f7917182505eecc3819eb0e4aa8639a3d
SHA512: 4ed9c49998aa7c3631eb56299c2bbabcec213a0eb9e547b6477823aa44c36ac958c784a3b76ec53e7b190b92b79a7aae0a1e2c1b13de2d6c6966dbf68416071f
Ssdeep: 3072:SdO6xhdIcOjK9FyZNPo2ng1I2dY0/INhZnH:d6hVO+2ZNPVg1IWY0wNz
PEiD: No match
Yara
  • DebuggerTiming__PerformanceCounter ()
  • DebuggerTiming__Ticks (Detected timing ticks function)
  • anti_dbg (Detected self protection if being debugged)
  • BLOWFISH_Constants (Look for Blowfish constants)
  • IsPE32 (Detected a 32bit PE sample)
  • IsWindowsGUI (Detected a Windows GUI sample)
  • HasRichSignature (Detected Rich Signature)
VirusTotal: VirusTotal link
VirusTotal scan time: 2020-02-02 23:49:01
Detection result: 30/71

Signatures

Maldun Security Yara detection result - Normal
The binary may contain encrypted or compressed data
section: name: .rsrc, entropy: 6.95, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ, raw_size: 0x00019400, virtual_size: 0x00019310
The file was detected as malicious by at least one antivirus engine on VirusTotal
MicroWorld-eScan: Gen:Variant.Graftor.497454
CAT-QuickHeal: Trojan.GenericPMF.S3117420
McAfee: Artemis!14BF3BD3DEFB
Cylance: Unsafe
VIPRE: Trojan.Win32.Generic!BT
Sangfor: Malware
BitDefender: Gen:Variant.Graftor.497454
Symantec: ML.Attribute.HighConfidence
ESET-NOD32: a variant of Win32/Keygen.TJ potentially unsafe
APEX: Malicious
Alibaba: RiskWare:Win32/Generic.ee631259
SUPERAntiSpyware: Hack.Tool/Gen-KeyGen
Ad-Aware: Gen:Variant.Graftor.497454
Emsisoft: Gen:Variant.Graftor.497454 (B)
McAfee-GW-Edition: BehavesLike.Win32.Generic.ch
Trapmine: malicious.moderate.ml.score
FireEye: Generic.mg.14bf3bd3defb3bfa
Sophos: Generic PUA GF (PUA)
Jiangmin: Trojan.Generic.fosr
Webroot: W32.Malware.Gen
MAX: malware (ai score=88)
Microsoft: Trojan:Win32/Detplock
Arcabit: Trojan.Graftor.D7972E
GData: Gen:Variant.Graftor.497454
Acronis: suspicious
ALYac: Gen:Variant.Graftor.497454
Panda: Trj/Genetic.gen
Rising: Malware.Generic.5!tfe (CLOUD)
BitDefenderTheta: Gen:NN.ZexaCO.34084.jq0@a8zxqIgb
CrowdStrike: win/malicious_confidence_60% (W)

Screenshots

Network Analysis

No information

Static Analysis

PE Information

Image base: 0x00400000
Entry point: 0x00401ef5
Declared checksum: 0x00036baa
Actual checksum: 0x00036baa
Minimum OS version required: 5.0
Compile time: 2015-01-10 22:02:42
Import hash: d6cc89e4096e578c23e5f7e60715901e
Icon
Icon exact hash: c4246f36827f9d427eaa70d80c88fbf2
Icon similarity hash: 0b3f0091790a26c67b6154f16043cef6

Version Information

LegalCopyright: Copyright (C) 2015 TEAM ZWT All Rights Reserved.
FileVersion: 2015, 1, 7, 3
CompanyName: TEAM ZWT
Comments: Modified by an unpaid evaluation copy of Resource Tuner 2 (www.heaventools.com)
ProductVersion: 2015, 1, 7, 3
FileDescription: Faronics Products Keymaker
Translation: 0x0409 0x04b0

PE Sections

Name VirtualAddress VirtualSize SizeOfRawData Characteristics Entropy
.text 0x00001000 0x00009282 0x00009400 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 6.56
.rdata 0x0000b000 0x00003904 0x00003a00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 6.31
.data 0x0000f000 0x00001a40 0x00001000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 2.41
.rsrc 0x00011000 0x00019310 0x00019400 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 6.95

Resources

Name Offset Size Language Sublanguage Entropy FileType
RT_BITMAP 0x00011220 0x0000dc00 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 6.25 data
RT_ICON 0x00028a28 0x000010a8 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 6.17 data
RT_ICON 0x00028a28 0x000010a8 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 6.17 data
RT_ICON 0x00028a28 0x000010a8 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 6.17 data
RT_DIALOG 0x00029ad0 0x00000284 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 3.22 data
RT_GROUP_ICON 0x00029d54 0x00000030 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 2.30 MS Windows icon resource - 3 icons, 256x256
RT_VERSION 0x00029d84 0x0000032c LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 3.55 data
RT_MANIFEST 0x0002a0b0 0x00000253 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 5.13 XML 1.0 document, ASCII text, with CRLF line terminators

Imports

Library KERNEL32.DLL:
0x40b008 - LCMapStringW
0x40b00c - GetTickCount
0x40b010 - GetStringTypeW
0x40b014 - MultiByteToWideChar
0x40b018 - GetStringTypeA
0x40b01c - GetLocaleInfoA
0x40b020 - LCMapStringA
0x40b024 - lstrlenA
0x40b028 - GetSystemTimeAsFileTime
0x40b02c - GetCommandLineA
0x40b030 - GetStartupInfoA
0x40b034 - TerminateProcess
0x40b038 - GetCurrentProcess
0x40b03c - UnhandledExceptionFilter
0x40b040 - SetUnhandledExceptionFilter
0x40b044 - IsDebuggerPresent
0x40b048 - GetLastError
0x40b04c - HeapFree
0x40b050 - HeapAlloc
0x40b054 - RaiseException
0x40b058 - GetModuleHandleW
0x40b05c - GetProcAddress
0x40b060 - TlsGetValue
0x40b064 - TlsAlloc
0x40b068 - TlsSetValue
0x40b06c - TlsFree
0x40b070 - InterlockedIncrement
0x40b074 - SetLastError
0x40b078 - GetCurrentThreadId
0x40b07c - InterlockedDecrement
0x40b080 - Sleep
0x40b084 - ExitProcess
0x40b088 - WriteFile
0x40b08c - GetStdHandle
0x40b090 - GetModuleFileNameA
0x40b094 - FreeEnvironmentStringsA
0x40b098 - GetEnvironmentStrings
0x40b09c - FreeEnvironmentStringsW
0x40b0a0 - WideCharToMultiByte
0x40b0a4 - GetEnvironmentStringsW
0x40b0a8 - SetHandleCount
0x40b0ac - GetFileType
0x40b0b0 - DeleteCriticalSection
0x40b0b4 - HeapCreate
0x40b0b8 - VirtualFree
0x40b0bc - QueryPerformanceCounter
0x40b0c0 - GetCurrentProcessId
0x40b0c4 - LeaveCriticalSection
0x40b0c8 - EnterCriticalSection
0x40b0cc - VirtualAlloc
0x40b0d0 - HeapReAlloc
0x40b0d4 - RtlUnwind
0x40b0d8 - HeapSize
0x40b0dc - GetCPInfo
0x40b0e0 - GetACP
0x40b0e4 - GetOEMCP
0x40b0e8 - IsValidCodePage
0x40b0ec - LoadLibraryA
0x40b0f0 - InitializeCriticalSectionAndSpinCount
Library COMCTL32.dll:
0x40b000 - InitCommonControlsEx
Library USER32.dll:
0x40b0f8 - RegisterClassA
0x40b0fc - LoadIconA
0x40b100 - SendMessageA
0x40b104 - MessageBoxA
0x40b108 - GetDlgItem
0x40b10c - EndDialog
0x40b110 - DefDlgProcA
0x40b114 - SetWindowTextA
0x40b118 - LoadCursorA
0x40b11c - DialogBoxParamA
Library WS2_32.dll:
0x40b124 - htonl

Dropped Files

No information

Behavior Analysis

Mutexes
  • Local\MSCTF.Asm.MutexDefault1
Executed commands: No information
Created services: No information
Started services: No information

Processes

Faronics Products Keymaker.exe PID: 2648, parent PID: 2320

Files accessed
  • C:\Windows\Globalization\Sorting\sortdefault.nls
  • C:\Windows\Fonts\staticcache.dat
  • \Device\KsecDD
Files read
  • C:\Windows\Globalization\Sorting\sortdefault.nls
  • C:\Windows\Fonts\staticcache.dat
  • \Device\KsecDD
Files modified: No information
Files deleted: No information
Registry keys
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\Faronics Products Keymaker.exe
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\ExtendedLocale
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\MS Shell Dlg 2
  • HKEY_LOCAL_MACHINE\Software\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{03B5835F-F03C-411B-9CE2-AA23E1171E36}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{07EB03D6-B001-41DF-9192-BF9B841EE71F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3697C5FA-60DD-4B56-92D4-74A569205C16}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3FC47A08-E5C9-4BCA-A2C7-BC9A282AED14}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{531FDEBF-9B4C-4A43-A2AA-960E8FCDC732}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{78CB5B0E-26ED-4FCC-854C-77E8F3D1AA80}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{81D4E9C9-1D3B-41BC-9E6C-4B40BF79E35E}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{8613E14C-D0C0-4161-AC0F-1DD2563286BC}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{A028AE76-01B1-46C2-99C4-ACD9858AE02F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{AE6BE008-07FB-400D-8BEB-337A64F7051F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{C1EE01F2-B3B6-4A6A-9DDD-E988C088EC82}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{E429B25A-E5D3-4D1F-9BE3-0C608477E3A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F25E9F57-2FC8-4EB3-A41A-CCE5F08541E6}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F89E9E58-BD2F-4008-9AC2-0F816C09F4EE}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_CURRENT_USER
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\WMR
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
  • HKEY_CURRENT_USER\Software\Microsoft\CTF\DirectSwitchHotkeys
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
Registry keys read
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
Registry keys modified: No information
Registry keys deleted: No information
Resolved APIs
  • kernel32.dll.FlsAlloc
  • kernel32.dll.FlsGetValue
  • kernel32.dll.FlsSetValue
  • kernel32.dll.FlsFree
  • comctl32.dll.RegisterClassNameW
  • kernel32.dll.SortGetHandle
  • kernel32.dll.SortCloseHandle
  • uxtheme.dll.OpenThemeData
  • imm32.dll.ImmGetContext
  • imm32.dll.ImmReleaseContext
  • imm32.dll.ImmAssociateContext
  • imm32.dll.ImmIsIME
  • uxtheme.dll.EnableThemeDialogTexture
  • uxtheme.dll.SetWindowTheme
  • gdi32.dll.GetLayout
  • gdi32.dll.GdiRealizationInfo
  • gdi32.dll.FontIsLinked
  • advapi32.dll.RegOpenKeyExW
  • advapi32.dll.RegQueryInfoKeyW
  • gdi32.dll.GetTextFaceAliasW
  • advapi32.dll.RegEnumValueW
  • advapi32.dll.RegCloseKey
  • advapi32.dll.RegQueryValueExW
  • advapi32.dll.RegQueryValueExA
  • advapi32.dll.RegEnumKeyExW
  • gdi32.dll.GdiIsMetaPrintDC
  • ole32.dll.CoInitializeEx
  • ole32.dll.CoUninitialize
  • cryptbase.dll.SystemFunction036
  • ole32.dll.CoRegisterInitializeSpy
  • ole32.dll.CoRevokeInitializeSpy
  • imm32.dll.ImmLockIMC
  • uxtheme.dll.BufferedPaintInit
  • uxtheme.dll.BeginBufferedPaint
  • uxtheme.dll.BufferedPaintRenderAnimation
  • uxtheme.dll.BeginBufferedAnimation
  • uxtheme.dll.EndBufferedAnimation