魔盾安全分析报告

分析类型	开始时间	结束时间	持续时间	分析引擎版本
FILE	2020-11-30 12:19:55	2020-11-30 12:21:16	81 秒	1.4-Maldun

虚拟机机器名	标签	虚拟机管理	开机时间	关机时间
win7-sp1-x64-shaapp03-1	win7-sp1-x64-shaapp03-1	KVM	2020-11-30 12:19:56	2020-11-30 12:21:17

魔盾分数
10.0 Malicious

文件详细信息

文件名	授权文件解压到桌面看教程.zip
文件大小	901120 字节
文件类型	PE32 executable (GUI) Intel 80386, for MS Windows
CRC32	A8FA06A0
MD5	e07f5616dd0a367d7fa2a25213a50e38
SHA1	f11296f15350587363d012343f139fa0d18b6688
SHA256	73a226d69404704c52ed802d5c1ad6f47639a3a1faf4143860d9ba1b0c5e91be
SHA512	63c5107d63266469a3ffd202ee88a1a9862cda31bf9df58537d1cfc745554247cb7a0c627a8fa97ee0f72e334dbcedd794a9cf19527efdf4710e32fb56ed4bd7
Ssdeep	12288:wc2zmx2sg8HpkFZpQQBZgqPsJ9Xl5ak5uGD1OUMdzmQK4Z/eMXRCHAk:wrzmBg8JkvpQKZgSsJB6dyQKI/eIW
PEiD	无匹配
Yara	CRC32_poly_Constant (Look for CRC32 [poly]) CRC32_table (Look for CRC32 table) MD5_Constants (Look for MD5 constants) with_images (Detected the presence of an or several images) IsPE32 (Detected a 32bit PE sample) IsWindowsGUI (Detected a Windows GUI sample) HasRichSignature (Detected Rich Signature) DebuggerCheck__QueryInfo () DebuggerTiming__Ticks (Detected timing ticks function) win_mutex (Create or check mutex) screenshot (Detected take screenshot function) create_process (Detection function for creating a new process) keylogger (Detected keylogger function) win_registry (Detected system registries modification function) change_win_registry (Change registries to affect system) win_files_operation (Affect private profile) win_hook (Detected hook table access function) win_private_profile (Detected private profile access function) Maldun_Anomoly_Combined_Activities_7 (Spotted potential malicious behaviors from a small size target, like process manipultion, privilege, token and files)
VirusTotal	VirusTotal链接 VirusTotal扫描时间: 2020-04-25 15:41:16 扫描结果: 34/73

特征

魔盾安全Yara规则检测结果 - 安全告警

Critical: Spotted potential malicious behaviors from a small size target, like process manipultion, privilege, token and files

检测到样本尝试模糊或欺骗文件类型

文件已被至少一个VirusTotal上的反病毒引擎检测为病毒

Bkav: W32.AIDetectVM.malware

FireEye: Generic.mg.e07f5616dd0a367d

CAT-QuickHeal: Risktool.Flystudio.16885

Cylance: Unsafe

SUPERAntiSpyware: Trojan.Agent/Gen-OnlineGames

K7AntiVirus: Trojan ( 005246d51 )

Alibaba: Ransom:Win32/Wannaren.a63749a2

K7GW: Trojan ( 005246d51 )

Cybereason: malicious.153505

Invincea: heuristic

F-Prot: W32/Agent.EW.gen!Eldorado

Symantec: ML.Attribute.HighConfidence

TotalDefense: Win32/Oflwr.A!crypt

APEX: Malicious

ClamAV: Win.Malware.Zusy-6840460-0

GData: Win32.Application.PUPStudio.A

Rising: Malware.Heuristic!ET#98% (RDMK:cmRtazqiM759+vcVU04hUdbH+baS)

Comodo: Worm.Win32.Dropper.RA@1qraug

McAfee-GW-Edition: BehavesLike.Win32.Generic.ch

Trapmine: malicious.high.ml.score

Ikarus: PUA.Virbox

Cyren: W32/Agent.EW.gen!Eldorado

Antiy-AVL: GrayWare/Win32.FlyStudio.a

Microsoft: Trojan:Win32/Wacatac.D!ml

Endgame: malicious (high confidence)

Acronis: suspicious

BitDefenderTheta: Gen:NN.ZexaF.34106.3q0@aiNUNgdb

ESET-NOD32: a variant of Win32/Packed.FlyStudio.AA potentially unwanted

SentinelOne: DFI - Malicious PE

eGambit: Unsafe.AI_Score_99%

Fortinet: W32/QQWare.A!tr

MaxSecure: Trojan.Malware.300983.susgen

CrowdStrike: win/malicious_confidence_100% (D)

Qihoo-360: Generic/HEUR/QVM07.1.AD05.Malware.Gen

运行截图

网络分析

域名解析

域名	响应
acroipm.adobe.com	CNAME acroipm.adobe.com.edgesuite.net A 23.218.94.163 CNAME a1983.dscd.akamai.net A 23.218.94.155
watson.microsoft.com	CNAME blobcollector.events.data.trafficmanager.net A 52.147.198.201 CNAME skypedataprdcoleus16.cloudapp.net

TCP连接

IP地址	端口
23.218.94.155	80

UDP连接

IP地址	端口
192.168.122.1	53
192.168.122.1	53

HTTP请求

URL	HTTP数据
http://acroipm.adobe.com/11/rdr/CHS/win/nooem/none/message.zip	GET /11/rdr/CHS/win/nooem/none/message.zip HTTP/1.1 Accept: / If-Modified-Since: Mon, 08 Nov 2017 08:44:36 GMT User-Agent: IPM Host: acroipm.adobe.com Connection: Keep-Alive Cache-Control: no-cache

静态分析

投放文件

Steam\xd2\xbb\xbc\xfc\xca\xda\xc8\xa8\xb9\xa4\xbe\xdf.exe

文件名	Steam\xd2\xbb\xbc\xfc\xca\xda\xc8\xa8\xb9\xa4\xbe\xdf.exe
相关文件	C:\Users\test\AppData\Local\Temp\zip-tmp\\xe6\x8e\x88\xe6\x9d\x83\xe6\x96\x87\xe4\xbb\xb6 \xe8\xa7\xa3\xe5\x8e\x8b\xe5\x88\xb0\xe6\xa1\x8c\xe9\x9d\xa2 \xe7\x9c\x8b\xe6\x95\x99\xe7\xa8\x8b\Steam\xe4\xb8\x80\xe9\x94\xae\xe6\x8e\x88\xe6\x9d\x83\xe5\xb7\xa5\xe5\x85\xb7.exe
文件大小	901120 bytes
文件类型	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	e07f5616dd0a367d7fa2a25213a50e38
SHA1	f11296f15350587363d012343f139fa0d18b6688
SHA256	73a226d69404704c52ed802d5c1ad6f47639a3a1faf4143860d9ba1b0c5e91be
SHA512	63c5107d63266469a3ffd202ee88a1a9862cda31bf9df58537d1cfc745554247cb7a0c627a8fa97ee0f72e334dbcedd794a9cf19527efdf4710e32fb56ed4bd7
Ssdeep	12288:wc2zmx2sg8HpkFZpQQBZgqPsJ9Xl5ak5uGD1OUMdzmQK4Z/eMXRCHAk:wrzmBg8JkvpQKZgSsJB6dyQKI/eIW
VirusTotal	搜索相关分析

行为分析

互斥量(Mutexes)

Local\MSCTF.Asm.MutexDefault1

执行的命令 无信息

创建的服务 无信息

启动的服务 无信息

进程

cmd.exe PID: 2600, 上一级进程 PID: 2196

Steam一键授权工具.exe PID: 2664, 上一级进程 PID: 2600

访问的文件

C:\Users\test\AppData\Local\Temp\zip-tmp\\xe6\x8e\x88\xe6\x9d\x83\xe6\x96\x87\xe4\xbb\xb6 \xe8\xa7\xa3\xe5\x8e\x8b\xe5\x88\xb0\xe6\xa1\x8c\xe9\x9d\xa2 \xe7\x9c\x8b\xe6\x95\x99\xe7\xa8\x8b
C:\Windows\Globalization\Sorting\sortdefault.nls
C:\Windows\Fonts\staticcache.dat
C:\Users\test\AppData\Local\Temp\zip-tmp\\xe6\x8e\x88\xe6\x9d\x83\xe6\x96\x87\xe4\xbb\xb6 \xe8\xa7\xa3\xe5\x8e\x8b\xe5\x88\xb0\xe6\xa1\x8c\xe9\x9d\xa2 \xe7\x9c\x8b\xe6\x95\x99\xe7\xa8\x8b\shlwapi.dll
C:\Users\test\AppData\Local\Temp\zip-tmp\\xe6\x8e\x88\xe6\x9d\x83\xe6\x96\x87\xe4\xbb\xb6 \xe8\xa7\xa3\xe5\x8e\x8b\xe5\x88\xb0\xe6\xa1\x8c\xe9\x9d\xa2 \xe7\x9c\x8b\xe6\x95\x99\xe7\xa8\x8b\ssfn\xe6\x96\x87\xe4\xbb\xb6
C:\Users\test\AppData\Local\Temp\zip-tmp\\xe6\x8e\x88\xe6\x9d\x83\xe6\x96\x87\xe4\xbb\xb6 \xe8\xa7\xa3\xe5\x8e\x8b\xe5\x88\xb0\xe6\xa1\x8c\xe9\x9d\xa2 \xe7\x9c\x8b\xe6\x95\x99\xe7\xa8\x8b\kernel32.DLL
C:\Users\test\AppData\Local\Temp\zip-tmp\\xe6\x8e\x88\xe6\x9d\x83\xe6\x96\x87\xe4\xbb\xb6 \xe8\xa7\xa3\xe5\x8e\x8b\xe5\x88\xb0\xe6\xa1\x8c\xe9\x9d\xa2 \xe7\x9c\x8b\xe6\x95\x99\xe7\xa8\x8b\ntdll.dll
C:\Users\test\AppData\Roaming\Battlestate Games\BsgLauncher\settings
C:\Users\test\AppData\Local\Temp\zip-tmp\\xe6\x8e\x88\xe6\x9d\x83\xe6\x96\x87\xe4\xbb\xb6 \xe8\xa7\xa3\xe5\x8e\x8b\xe5\x88\xb0\xe6\xa1\x8c\xe9\x9d\xa2 \xe7\x9c\x8b\xe6\x95\x99\xe7\xa8\x8b\psapi.dll
C:\Users\test\AppData\Local\Temp\zip-tmp\\xe6\x8e\x88\xe6\x9d\x83\xe6\x96\x87\xe4\xbb\xb6 \xe8\xa7\xa3\xe5\x8e\x8b\xe5\x88\xb0\xe6\xa1\x8c\xe9\x9d\xa2 \xe7\x9c\x8b\xe6\x95\x99\xe7\xa8\x8b\imageres.dll
C:\Windows\System32\imageres.dll
C:\Windows\System32\zh-CN\imageres.dll.mui
C:\Windows\sysnative\zh-CN\imageres.dll.mui
C:\Windows\System32\zh-Hans\imageres.dll.mui
C:\Windows\System32\zh\imageres.dll.mui
C:\Windows\System32\en-US\imageres.dll.mui
C:\BsgLauncher.exe
C:\Users\test\AppData\Local\Temp\zip-tmp\\xe6\x8e\x88\xe6\x9d\x83\xe6\x96\x87\xe4\xbb\xb6 \xe8\xa7\xa3\xe5\x8e\x8b\xe5\x88\xb0\xe6\xa1\x8c\xe9\x9d\xa2 \xe7\x9c\x8b\xe6\x95\x99\xe7\xa8\x8b\kernel32.dll
C:\Users\test\AppData\Local\Temp\zip-tmp\\xe6\x8e\x88\xe6\x9d\x83\xe6\x96\x87\xe4\xbb\xb6 \xe8\xa7\xa3\xe5\x8e\x8b\xe5\x88\xb0\xe6\xa1\x8c\xe9\x9d\xa2 \xe7\x9c\x8b\xe6\x95\x99\xe7\xa8\x8b\ssfn\xe6\x96\x87\xe4\xbb\xb6\ssfn8544172921137988491
C:\Users\test\AppData\Local\Temp\zip-tmp\\xef\xbf\x8a\xef\xbf\x9a\xef\xbf\x88\xef\xbe\xa8\xef\xbf\x8e\xef\xbf\x84\xef\xbe\xbc\xef\xbf\xbe \xef\xbe\xbd\xef\xbf\xa2\xef\xbf\x91\xef\xbe\xb9\xef\xbe\xb5\xef\xbe\xbd\xef\xbf\x97\xef\xbf\x80\xef\xbf\x83\xef\xbf\xa6 \xef\xbe\xbf\xef\xbe\xb4\xef\xbe\xbd\xef\xbf\x8c\xef\xbe\xb3\xef\xbf\x8c\ssfn\xef\xbf\x8e\xef\xbf\x84\xef\xbe\xbc\xef\xbf\xbe\ssfn8544172921137988491

读取的文件

C:\Windows\Globalization\Sorting\sortdefault.nls
C:\Windows\Fonts\staticcache.dat
C:\Windows\System32\imageres.dll
C:\Windows\System32\zh-CN\imageres.dll.mui
C:\Windows\sysnative\zh-CN\imageres.dll.mui
C:\Windows\System32\zh-Hans\imageres.dll.mui
C:\Windows\System32\zh\imageres.dll.mui
C:\Windows\System32\en-US\imageres.dll.mui
C:\Users\test\AppData\Local\Temp\zip-tmp\\xe6\x8e\x88\xe6\x9d\x83\xe6\x96\x87\xe4\xbb\xb6 \xe8\xa7\xa3\xe5\x8e\x8b\xe5\x88\xb0\xe6\xa1\x8c\xe9\x9d\xa2 \xe7\x9c\x8b\xe6\x95\x99\xe7\xa8\x8b\ssfn\xe6\x96\x87\xe4\xbb\xb6\ssfn8544172921137988491
C:\Users\test\AppData\Local\Temp\zip-tmp\\xef\xbf\x8a\xef\xbf\x9a\xef\xbf\x88\xef\xbe\xa8\xef\xbf\x8e\xef\xbf\x84\xef\xbe\xbc\xef\xbf\xbe \xef\xbe\xbd\xef\xbf\xa2\xef\xbf\x91\xef\xbe\xb9\xef\xbe\xb5\xef\xbe\xbd\xef\xbf\x97\xef\xbf\x80\xef\xbf\x83\xef\xbf\xa6 \xef\xbe\xbf\xef\xbe\xb4\xef\xbe\xbd\xef\xbf\x8c\xef\xbe\xb3\xef\xbf\x8c\ssfn\xef\xbf\x8e\xef\xbf\x84\xef\xbe\xbc\xef\xbf\xbe\ssfn8544172921137988491

修改的文件

C:\BsgLauncher.exe

删除的文件

C:\Users\test\AppData\Roaming\Battlestate Games\BsgLauncher\settings
C:\BsgLauncher.exe

注册表键

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\ExtendedLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane16
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Valve\Steam
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{B0FDA062-7581-4D67-B085-C4E7C358037F}_is1
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\WMR
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\Steam\xe4\xb8\x80\xe9\x94\xae\xe6\x8e\x88\xe6\x9d\x83\xe5\xb7\xa5\xe5\x85\xb7.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{03B5835F-F03C-411B-9CE2-AA23E1171E36}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{07EB03D6-B001-41DF-9192-BF9B841EE71F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3697C5FA-60DD-4B56-92D4-74A569205C16}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3FC47A08-E5C9-4BCA-A2C7-BC9A282AED14}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{531FDEBF-9B4C-4A43-A2AA-960E8FCDC732}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{78CB5B0E-26ED-4FCC-854C-77E8F3D1AA80}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{81D4E9C9-1D3B-41BC-9E6C-4B40BF79E35E}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{8613E14C-D0C0-4161-AC0F-1DD2563286BC}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{A028AE76-01B1-46C2-99C4-ACD9858AE02F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{AE6BE008-07FB-400D-8BEB-337A64F7051F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{C1EE01F2-B3B6-4A6A-9DDD-E988C088EC82}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{E429B25A-E5D3-4D1F-9BE3-0C608477E3A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F25E9F57-2FC8-4EB3-A41A-CCE5F08541E6}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F89E9E58-BD2F-4008-9AC2-0F816C09F4EE}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_CURRENT_USER
HKEY_CURRENT_USER\Keyboard Layout\Toggle
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
HKEY_CURRENT_USER\Software\Microsoft\CTF\DirectSwitchHotkeys
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
HKEY_CURRENT_USER\Software\Microsoft\CTF\LayoutIcon\0804\00000804
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\KnownClasses
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles

读取的注册表键

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane16
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles

修改的注册表键 无信息

删除的注册表键 无信息

API解析

kernel32.dll.IsProcessorFeaturePresent
cryptbase.dll.SystemFunction036
kernel32.dll.SortGetHandle
kernel32.dll.SortCloseHandle
comctl32.dll.RegisterClassNameW
uxtheme.dll.OpenThemeData
imm32.dll.ImmIsIME
gdi32.dll.GetLayout
gdi32.dll.GdiRealizationInfo
gdi32.dll.FontIsLinked
advapi32.dll.RegOpenKeyExW
advapi32.dll.RegQueryInfoKeyW
gdi32.dll.GetTextFaceAliasW
advapi32.dll.RegEnumValueW
advapi32.dll.RegCloseKey
advapi32.dll.RegQueryValueExW
advapi32.dll.RegQueryValueExA
advapi32.dll.RegEnumKeyExW
gdi32.dll.GetTextExtentExPointWPri
uxtheme.dll.EnableThemeDialogTexture
shlwapi.dll.PathFileExistsA
kernel32.dll.CreateToolhelp32Snapshot
kernel32.dll.Process32First
kernel32.dll.Process32Next
kernel32.dll.CloseHandle
kernel32.dll.OpenProcess
ntdll.dll.ZwOpenProcess
ntdll.dll.ZwQuerySystemInformation
kernel32.dll.TerminateProcess
kernel32.dll.lstrcpyn
kernel32.dll.RtlMoveMemory
ntdll.dll.ZwClose
ntdll.dll.ZwDuplicateObject
psapi.dll.GetProcessImageFileNameA
ole32.dll.CoInitializeEx
ole32.dll.CoUninitialize
ole32.dll.CoRegisterInitializeSpy
ole32.dll.CoRevokeInitializeSpy
user32.dll.GetSystemMetrics
user32.dll.MonitorFromWindow
user32.dll.MonitorFromRect
user32.dll.MonitorFromPoint
user32.dll.EnumDisplayMonitors
user32.dll.GetMonitorInfoA
gdi32.dll.GetFontAssocStatus
oleaut32.dll.SysAllocString
oleaut32.dll.SysStringLen
oleaut32.dll.SysFreeString
kernel32.dll.CopyFileA
oleaut32.dll.#500