魔盾安全分析报告

分析类型	开始时间	结束时间	持续时间	分析引擎版本
FILE	2020-11-30 12:59:53	2020-11-30 13:00:23	30 秒	1.4-Maldun

虚拟机机器名	标签	虚拟机管理	开机时间	关机时间
win7-sp1-x64-shaapp03-1	win7-sp1-x64-shaapp03-1	KVM	2020-11-30 12:59:53	2020-11-30 13:00:25

魔盾分数
10.0 恶意的

文件详细信息

文件名	2.exe
文件大小	1032192 字节
文件类型	PE32 executable (GUI) Intel 80386, for MS Windows
CRC32	A964F61A
MD5	cd8f2d41c2e53af5d21d6f749877eb48
SHA1	056a4114593cfca49fd71936ad1764b7375d9a24
SHA256	ef26d2ac30ad2092683ad461159961c99e8fd6746f2c0eb59d4d99c43d06941d
SHA512	0f037994f513c23cfc078d123cdb6e23d666e79d9abf309169ecf65464968b7f4a10fbe54c003bb6172ac27b6dcf12a99eb2998d172f26acff8c058dda9362cf
Ssdeep	24576:NAI0+MMleATy9YPbkCx/XT6AA3O8ZVjYIBpDds+oBq:NAIBko/OFJrBp++H
PEiD	无匹配
Yara	MD5_Constants (Look for MD5 constants) DES_sbox (Look for DES [sbox]) with_images (Detected the presence of an or several images) IsPE32 (Detected a 32bit PE sample) IsWindowsGUI (Detected a Windows GUI sample) HasRichSignature (Detected Rich Signature) DebuggerTiming__Ticks (Detected timing ticks function) network_udp_sock (Communications over UDP socket) network_tcp_socket (Detected network communications over RAW socket) screenshot (Detected take screenshot function) create_process (Detection function for creating a new process) keylogger (Detected keylogger function) win_registry (Detected system registries modification function) change_win_registry (Change registries to affect system) win_files_operation (Affect private profile) win_hook (Detected hook table access function) win_private_profile (Detected private profile access function) Maldun_Anomoly_Combined_Activities_5 (Spotted potential mallicious behaviors like logging and network communication) Maldun_Anomoly_Combined_Activities_7 (Spotted potential malicious behaviors from a small size target, like process manipultion, privilege, token and files)
VirusTotal	VirusTotal链接 VirusTotal扫描时间: 2020-11-30 04:55:23 扫描结果: 29/70

特征

魔盾安全Yara规则检测结果 - 高危

Critical: Spotted potential mallicious behaviors like logging and network communication

Critical: Spotted potential malicious behaviors from a small size target, like process manipultion, privilege, token and files

文件已被至少一个VirusTotal上的反病毒引擎检测为病毒

Bkav: W32.AIDetectVM.malware1

Elastic: malicious (high confidence)

CAT-QuickHeal: Risktool.Flystudio.16885

Cylance: Unsafe

K7AntiVirus: Trojan ( 005246d51 )

K7GW: Trojan ( 005246d51 )

Cybereason: malicious.4593cf

Cyren: W32/Agent.EW.gen!Eldorado

Symantec: ML.Attribute.HighConfidence

APEX: Malicious

ClamAV: Win.Malware.Zusy-6840460-0

Sophos: Generic ML PUA (PUA)

Comodo: Worm.Win32.Dropper.RA@1qraug

F-Secure: Trojan:W32/DelfInject.R

McAfee-GW-Edition: BehavesLike.Win32.Generic.fh

FireEye: Generic.mg.cd8f2d41c2e53af5

SentinelOne: Static AI - Malicious PE

Antiy-AVL: GrayWare/Win32.FlyStudio.a

Microsoft: Program:Win32/Wacapew.C!ml

Cynet: Malicious (score: 100)

Acronis: suspicious

VBA32: BScope.Trojan.Downloader

Malwarebytes: Trojan.MalPack.FlyStudio

ESET-NOD32: a variant of Win32/Packed.FlyStudio.AA potentially unwanted

Rising: Trojan.Generic@ML.90 (RDML:2EU7iMQZB01ZvJM6YJipnw)

Ikarus: Trojan-Dropper.Agent

eGambit: Unsafe.AI_Score_99%

BitDefenderTheta: Gen:NN.ZexaF.34658.@q0@a0nvajhH

CrowdStrike: win/malicious_confidence_100% (D)

运行截图

网络分析

域名解析

域名	响应
acroipm.adobe.com	CNAME acroipm.adobe.com.edgesuite.net CNAME a1983.dscd.akamai.net A 23.63.75.34 A 23.63.75.9

TCP连接

IP地址	端口
23.63.75.34	80

UDP连接

IP地址	端口
192.168.122.1	53

HTTP请求

URL	HTTP数据
http://acroipm.adobe.com/11/rdr/CHS/win/nooem/none/message.zip	GET /11/rdr/CHS/win/nooem/none/message.zip HTTP/1.1 Accept: / If-Modified-Since: Mon, 08 Nov 2017 08:44:36 GMT User-Agent: IPM Host: acroipm.adobe.com Connection: Keep-Alive Cache-Control: no-cache

静态分析

PE 信息

初始地址	0x00400000
入口地址	0x004883c8
声明校验值	0x00000000
实际校验值	0x00105ff4
最低操作系统版本要求	4.0
编译时间	2020-07-05 23:54:11
载入哈希	8ba0f071fd62f26bb6319ad85c51a746
图标
图标精确哈希值	30aa988a4602603bb4b92b24d422bf3b
图标相似性哈希值	3a53e744bf59e0be645925b543465196

版本信息

LegalCopyright:	MuDi
FileVersion:	1.0.0.0
CompanyName:	MuDi
Comments:	I264instX\xe5\xe8\xe5
ProductName:	I264instX\xe5\xe8\xe5
ProductVersion:	1.0.0.0
FileDescription:	I264instX\xe5\xe8\xe5
Translation:	0x0804 0x04b0

PE数据组成

名称	虚拟地址	虚拟大小	原始数据大小	特征	熵(Entropy)
.text	0x00001000	0x000a9656	0x000aa000	IMAGE_SCN_CNT_CODE\|IMAGE_SCN_MEM_EXECUTE\|IMAGE_SCN_MEM_READ	6.52
.rdata	0x000ab000	0x000360c4	0x00037000	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ	5.97
.data	0x000e2000	0x0004ecaa	0x00011000	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ\|IMAGE_SCN_MEM_WRITE	5.03
.rsrc	0x00131000	0x00008be4	0x00009000	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ	5.63

资源

名称	偏移量	大小	语言	子语言	熵(Entropy)	文件类型
TEXTINCLUDE	0x00131e08	0x00000151	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	5.25	C source, ASCII text, with CRLF line terminators
TEXTINCLUDE	0x00131e08	0x00000151	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	5.25	C source, ASCII text, with CRLF line terminators
TEXTINCLUDE	0x00131e08	0x00000151	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	5.25	C source, ASCII text, with CRLF line terminators
RT_CURSOR	0x00132614	0x00000134	LANG_ITALIAN	SUBLANG_ITALIAN	3.07	data
RT_CURSOR	0x00132614	0x00000134	LANG_ITALIAN	SUBLANG_ITALIAN	3.07	data
RT_CURSOR	0x00132614	0x00000134	LANG_ITALIAN	SUBLANG_ITALIAN	3.07	data
RT_CURSOR	0x00132614	0x00000134	LANG_ITALIAN	SUBLANG_ITALIAN	3.07	data
RT_CURSOR	0x00132614	0x00000134	LANG_ITALIAN	SUBLANG_ITALIAN	3.07	data
RT_CURSOR	0x00132614	0x00000134	LANG_ITALIAN	SUBLANG_ITALIAN	3.07	data
RT_CURSOR	0x00132614	0x00000134	LANG_ITALIAN	SUBLANG_ITALIAN	3.07	data
RT_BITMAP	0x00134f0c	0x00000144	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	2.88	data
RT_BITMAP	0x00134f0c	0x00000144	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	2.88	data
RT_BITMAP	0x00134f0c	0x00000144	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	2.88	data
RT_BITMAP	0x00134f0c	0x00000144	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	2.88	data
RT_BITMAP	0x00134f0c	0x00000144	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	2.88	data
RT_BITMAP	0x00134f0c	0x00000144	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	2.88	data
RT_BITMAP	0x00134f0c	0x00000144	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	2.88	data
RT_BITMAP	0x00134f0c	0x00000144	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	2.88	data
RT_BITMAP	0x00134f0c	0x00000144	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	2.88	data
RT_BITMAP	0x00134f0c	0x00000144	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	2.88	data
RT_BITMAP	0x00134f0c	0x00000144	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	2.88	data
RT_BITMAP	0x00134f0c	0x00000144	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	2.88	data
RT_BITMAP	0x00134f0c	0x00000144	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	2.88	data
RT_BITMAP	0x00134f0c	0x00000144	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	2.88	data
RT_BITMAP	0x00134f0c	0x00000144	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	2.88	data
RT_BITMAP	0x00134f0c	0x00000144	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	2.88	data
RT_ICON	0x00135460	0x000025a8	LANG_NEUTRAL	SUBLANG_NEUTRAL	5.40	dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 0, next used block 0
RT_ICON	0x00135460	0x000025a8	LANG_NEUTRAL	SUBLANG_NEUTRAL	5.40	dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 0, next used block 0
RT_ICON	0x00135460	0x000025a8	LANG_NEUTRAL	SUBLANG_NEUTRAL	5.40	dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 0, next used block 0
RT_MENU	0x00137a14	0x00000284	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	4.28	data
RT_MENU	0x00137a14	0x00000284	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	4.28	data
RT_DIALOG	0x00138c5c	0x0000018c	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	3.74	data
RT_DIALOG	0x00138c5c	0x0000018c	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	3.74	data
RT_DIALOG	0x00138c5c	0x0000018c	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	3.74	data
RT_DIALOG	0x00138c5c	0x0000018c	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	3.74	data
RT_DIALOG	0x00138c5c	0x0000018c	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	3.74	data
RT_DIALOG	0x00138c5c	0x0000018c	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	3.74	data
RT_DIALOG	0x00138c5c	0x0000018c	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	3.74	data
RT_DIALOG	0x00138c5c	0x0000018c	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	3.74	data
RT_DIALOG	0x00138c5c	0x0000018c	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	3.74	data
RT_DIALOG	0x00138c5c	0x0000018c	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	3.74	data
RT_STRING	0x001396a4	0x00000024	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	0.90	data
RT_STRING	0x001396a4	0x00000024	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	0.90	data
RT_STRING	0x001396a4	0x00000024	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	0.90	data
RT_STRING	0x001396a4	0x00000024	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	0.90	data
RT_STRING	0x001396a4	0x00000024	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	0.90	data
RT_STRING	0x001396a4	0x00000024	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	0.90	data
RT_STRING	0x001396a4	0x00000024	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	0.90	data
RT_STRING	0x001396a4	0x00000024	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	0.90	data
RT_STRING	0x001396a4	0x00000024	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	0.90	data
RT_STRING	0x001396a4	0x00000024	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	0.90	data
RT_STRING	0x001396a4	0x00000024	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	0.90	data
RT_GROUP_CURSOR	0x0013972c	0x00000022	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	2.25	MS Windows cursor resource - 2 icons, 32x256, hotspot @1x1
RT_GROUP_CURSOR	0x0013972c	0x00000022	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	2.25	MS Windows cursor resource - 2 icons, 32x256, hotspot @1x1
RT_GROUP_CURSOR	0x0013972c	0x00000022	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	2.25	MS Windows cursor resource - 2 icons, 32x256, hotspot @1x1
RT_GROUP_CURSOR	0x0013972c	0x00000022	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	2.25	MS Windows cursor resource - 2 icons, 32x256, hotspot @1x1
RT_GROUP_CURSOR	0x0013972c	0x00000022	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	2.25	MS Windows cursor resource - 2 icons, 32x256, hotspot @1x1
RT_GROUP_CURSOR	0x0013972c	0x00000022	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	2.25	MS Windows cursor resource - 2 icons, 32x256, hotspot @1x1
RT_GROUP_ICON	0x00139778	0x00000014	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	2.02	MS Windows icon resource - 1 icon, 16x16, 16 colors
RT_GROUP_ICON	0x00139778	0x00000014	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	2.02	MS Windows icon resource - 1 icon, 16x16, 16 colors
RT_GROUP_ICON	0x00139778	0x00000014	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	2.02	MS Windows icon resource - 1 icon, 16x16, 16 colors
RT_VERSION	0x0013978c	0x00000250	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	3.32	data
RT_MANIFEST	0x001399dc	0x00000206	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	5.05	XML 1.0 document, ASCII text, with CRLF line terminators

导入

库 WINMM.dll:

• 0x4ab6bc - midiStreamOut

• 0x4ab6c0 - midiOutPrepareHeader

• 0x4ab6c4 - waveOutUnprepareHeader

• 0x4ab6c8 - waveOutPrepareHeader

• 0x4ab6cc - waveOutWrite

• 0x4ab6d0 - waveOutPause

• 0x4ab6d4 - waveOutReset

• 0x4ab6d8 - waveOutClose

• 0x4ab6dc - waveOutGetNumDevs

• 0x4ab6e0 - waveOutOpen

• 0x4ab6e4 - midiOutUnprepareHeader

• 0x4ab6e8 - midiStreamOpen

• 0x4ab6ec - midiStreamStop

• 0x4ab6f0 - midiOutReset

• 0x4ab6f4 - midiStreamClose

• 0x4ab6f8 - midiStreamRestart

• 0x4ab6fc - midiStreamProperty

库 WS2_32.dll:

• 0x4ab714 - htonl

• 0x4ab718 - bind

• 0x4ab71c - htons

• 0x4ab720 - WSAAsyncSelect

• 0x4ab724 - closesocket

• 0x4ab728 - send

• 0x4ab72c - socket

• 0x4ab730 - WSACleanup

• 0x4ab734 - WSAStartup

• 0x4ab738 - gethostbyname

• 0x4ab73c - sendto

• 0x4ab740 - recvfrom

• 0x4ab744 - ioctlsocket

• 0x4ab748 - connect

• 0x4ab74c - recv

• 0x4ab750 - listen

• 0x4ab754 - getpeername

• 0x4ab758 - inet_ntoa

• 0x4ab75c - inet_addr

• 0x4ab760 - accept

• 0x4ab764 - getsockname

• 0x4ab768 - select

• 0x4ab76c - ntohs

• 0x4ab770 - __WSAFDIsSet

• 0x4ab774 - gethostname

库 KERNEL32.dll:

• 0x4ab1b0 - GetTimeZoneInformation

• 0x4ab1b4 - GetVersion

• 0x4ab1b8 - GetACP

• 0x4ab1bc - HeapSize

• 0x4ab1c0 - RaiseException

• 0x4ab1c4 - GetLocalTime

• 0x4ab1c8 - GetSystemTime

• 0x4ab1cc - RtlUnwind

• 0x4ab1d0 - GetOEMCP

• 0x4ab1d4 - GetCPInfo

• 0x4ab1d8 - GetProcessVersion

• 0x4ab1dc - SetErrorMode

• 0x4ab1e0 - GlobalFlags

• 0x4ab1e4 - GetCurrentThread

• 0x4ab1e8 - GetFileTime

• 0x4ab1ec - TlsGetValue

• 0x4ab1f0 - LocalReAlloc

• 0x4ab1f4 - TlsSetValue

• 0x4ab1f8 - TlsFree

• 0x4ab1fc - GlobalHandle

• 0x4ab200 - TlsAlloc

• 0x4ab204 - LocalAlloc

• 0x4ab208 - lstrcmpA

• 0x4ab20c - GlobalGetAtomNameA

• 0x4ab210 - GlobalAddAtomA

• 0x4ab214 - GlobalFindAtomA

• 0x4ab218 - GlobalDeleteAtom

• 0x4ab21c - lstrcmpiA

• 0x4ab220 - SetEndOfFile

• 0x4ab224 - UnlockFile

• 0x4ab228 - LockFile

• 0x4ab22c - FlushFileBuffers

• 0x4ab230 - DuplicateHandle

• 0x4ab234 - lstrcpynA

• 0x4ab238 - FileTimeToLocalFileTime

• 0x4ab23c - FileTimeToSystemTime

• 0x4ab240 - LocalFree

• 0x4ab244 - InterlockedDecrement

• 0x4ab248 - InterlockedIncrement

• 0x4ab24c - SetLastError

• 0x4ab250 - OpenProcess

• 0x4ab254 - TerminateProcess

• 0x4ab258 - GetFileSize

• 0x4ab25c - SetFilePointer

• 0x4ab260 - CreateToolhelp32Snapshot

• 0x4ab264 - Process32First

• 0x4ab268 - Process32Next

• 0x4ab26c - WideCharToMultiByte

• 0x4ab270 - MultiByteToWideChar

• 0x4ab274 - GetCurrentProcess

• 0x4ab278 - GetWindowsDirectoryA

• 0x4ab27c - GetSystemDirectoryA

• 0x4ab280 - CreateSemaphoreA

• 0x4ab284 - ResumeThread

• 0x4ab288 - ReleaseSemaphore

• 0x4ab28c - EnterCriticalSection

• 0x4ab290 - LeaveCriticalSection

• 0x4ab294 - GetProfileStringA

• 0x4ab298 - WriteFile

• 0x4ab29c - ReadFile

• 0x4ab2a0 - GetLastError

• 0x4ab2a4 - WaitForMultipleObjects

• 0x4ab2a8 - CreateFileA

• 0x4ab2ac - SetEvent

• 0x4ab2b0 - FindResourceA

• 0x4ab2b4 - LoadResource

• 0x4ab2b8 - LockResource

• 0x4ab2bc - RemoveDirectoryA

• 0x4ab2c0 - GetModuleFileNameA

• 0x4ab2c4 - GetCurrentThreadId

• 0x4ab2c8 - ExitProcess

• 0x4ab2cc - GlobalSize

• 0x4ab2d0 - GlobalFree

• 0x4ab2d4 - DeleteCriticalSection

• 0x4ab2d8 - InitializeCriticalSection

• 0x4ab2dc - lstrcatA

• 0x4ab2e0 - WinExec

• 0x4ab2e4 - lstrcpyA

• 0x4ab2e8 - FindNextFileA

• 0x4ab2ec - GetDriveTypeA

• 0x4ab2f0 - GlobalReAlloc

• 0x4ab2f4 - HeapFree

• 0x4ab2f8 - HeapReAlloc

• 0x4ab2fc - GetProcessHeap

• 0x4ab300 - HeapAlloc

• 0x4ab304 - GetFullPathNameA

• 0x4ab308 - FreeLibrary

• 0x4ab30c - LoadLibraryA

• 0x4ab310 - lstrlenA

• 0x4ab314 - GetVersionExA

• 0x4ab318 - GetPrivateProfileSectionNamesA

• 0x4ab31c - WritePrivateProfileStringA

• 0x4ab320 - GetPrivateProfileStringA

• 0x4ab324 - InterlockedExchange

• 0x4ab328 - CreateThread

• 0x4ab32c - CreateEventA

• 0x4ab330 - Sleep

• 0x4ab334 - GlobalAlloc

• 0x4ab338 - GlobalLock

• 0x4ab33c - GlobalUnlock

• 0x4ab340 - GetTempPathA

• 0x4ab344 - FindFirstFileA

• 0x4ab348 - FindClose

• 0x4ab34c - SetFileAttributesA

• 0x4ab350 - GetFileAttributesA

• 0x4ab354 - MoveFileA

• 0x4ab358 - DeleteFileA

• 0x4ab35c - CopyFileA

• 0x4ab360 - CreateDirectoryA

• 0x4ab364 - SetCurrentDirectoryA

• 0x4ab368 - GetVolumeInformationA

• 0x4ab36c - GetModuleHandleA

• 0x4ab370 - GetProcAddress

• 0x4ab374 - MulDiv

• 0x4ab378 - GetCommandLineA

• 0x4ab37c - GetTickCount

• 0x4ab380 - WaitForSingleObject

• 0x4ab384 - CloseHandle

• 0x4ab388 - UnhandledExceptionFilter

• 0x4ab38c - FreeEnvironmentStringsA

• 0x4ab390 - FreeEnvironmentStringsW

• 0x4ab394 - GetEnvironmentStrings

• 0x4ab398 - GetEnvironmentStringsW

• 0x4ab39c - SetHandleCount

• 0x4ab3a0 - GetStdHandle

• 0x4ab3a4 - GetFileType

• 0x4ab3a8 - GetEnvironmentVariableA

• 0x4ab3ac - HeapDestroy

• 0x4ab3b0 - HeapCreate

• 0x4ab3b4 - VirtualFree

• 0x4ab3b8 - SetEnvironmentVariableA

• 0x4ab3bc - LCMapStringA

• 0x4ab3c0 - LCMapStringW

• 0x4ab3c4 - VirtualAlloc

• 0x4ab3c8 - IsBadWritePtr

• 0x4ab3cc - SetUnhandledExceptionFilter

• 0x4ab3d0 - GetStringTypeA

• 0x4ab3d4 - GetStringTypeW

• 0x4ab3d8 - CompareStringA

• 0x4ab3dc - CompareStringW

• 0x4ab3e0 - IsBadReadPtr

• 0x4ab3e4 - IsBadCodePtr

• 0x4ab3e8 - SetStdHandle

• 0x4ab3ec - GetStartupInfoA

库 USER32.dll:

• 0x4ab428 - IsWindowEnabled

• 0x4ab42c - TranslateAcceleratorA

• 0x4ab430 - GetKeyState

• 0x4ab434 - CopyAcceleratorTableA

• 0x4ab438 - PostQuitMessage

• 0x4ab43c - IsZoomed

• 0x4ab440 - GetSystemMenu

• 0x4ab444 - DeleteMenu

• 0x4ab448 - GetClassInfoA

• 0x4ab44c - DefWindowProcA

• 0x4ab450 - GetMenu

• 0x4ab454 - SetMenu

• 0x4ab458 - PeekMessageA

• 0x4ab45c - IsIconic

• 0x4ab460 - SetFocus

• 0x4ab464 - GetActiveWindow

• 0x4ab468 - ShowWindow

• 0x4ab46c - LoadImageA

• 0x4ab470 - EnumDisplaySettingsA

• 0x4ab474 - ClientToScreen

• 0x4ab478 - EnableMenuItem

• 0x4ab47c - GetSubMenu

• 0x4ab480 - GetDlgCtrlID

• 0x4ab484 - CreateAcceleratorTableA

• 0x4ab488 - CreateMenu

• 0x4ab48c - ModifyMenuA

• 0x4ab490 - AppendMenuA

• 0x4ab494 - GetSysColorBrush

• 0x4ab498 - LoadStringA

• 0x4ab49c - DispatchMessageA

• 0x4ab4a0 - GetMessageA

• 0x4ab4a4 - WindowFromPoint

• 0x4ab4a8 - DrawFocusRect

• 0x4ab4ac - DrawEdge

• 0x4ab4b0 - DrawFrameControl

• 0x4ab4b4 - LoadIconA

• 0x4ab4b8 - TranslateMessage

• 0x4ab4bc - SystemParametersInfoA

• 0x4ab4c0 - GetForegroundWindow

• 0x4ab4c4 - GetDesktopWindow

• 0x4ab4c8 - GetClassNameA

• 0x4ab4cc - UnregisterClassA

• 0x4ab4d0 - GetWindowThreadProcessId

• 0x4ab4d4 - FindWindowA

• 0x4ab4d8 - GetDlgItem

• 0x4ab4dc - GetWindow

• 0x4ab4e0 - DestroyAcceleratorTable

• 0x4ab4e4 - SetWindowRgn

• 0x4ab4e8 - GetMessagePos

• 0x4ab4ec - ScreenToClient

• 0x4ab4f0 - ChildWindowFromPointEx

• 0x4ab4f4 - CopyRect

• 0x4ab4f8 - LoadBitmapA

• 0x4ab4fc - WinHelpA

• 0x4ab500 - KillTimer

• 0x4ab504 - SetTimer

• 0x4ab508 - ReleaseCapture

• 0x4ab50c - GetCapture

• 0x4ab510 - SetCapture

• 0x4ab514 - GetScrollRange

• 0x4ab518 - SetScrollRange

• 0x4ab51c - CreatePopupMenu

• 0x4ab520 - InflateRect

• 0x4ab524 - SetRect

• 0x4ab528 - IntersectRect

• 0x4ab52c - GetMenuCheckMarkDimensions

• 0x4ab530 - SetMenuItemBitmaps

• 0x4ab534 - CheckMenuItem

• 0x4ab538 - IsDialogMessageA

• 0x4ab53c - ScrollWindowEx

• 0x4ab540 - DestroyIcon

• 0x4ab544 - PtInRect

• 0x4ab548 - OffsetRect

• 0x4ab54c - IsWindowVisible

• 0x4ab550 - EnableWindow

• 0x4ab554 - RedrawWindow

• 0x4ab558 - GetWindowLongA

• 0x4ab55c - SetWindowLongA

• 0x4ab560 - GetSysColor

• 0x4ab564 - SetActiveWindow

• 0x4ab568 - SetCursorPos

• 0x4ab56c - LoadCursorA

• 0x4ab570 - SetCursor

• 0x4ab574 - GetDC

• 0x4ab578 - FillRect

• 0x4ab57c - IsRectEmpty

• 0x4ab580 - ReleaseDC

• 0x4ab584 - IsChild

• 0x4ab588 - TrackPopupMenu

• 0x4ab58c - DestroyMenu

• 0x4ab590 - SetForegroundWindow

• 0x4ab594 - GetWindowRect

• 0x4ab598 - EqualRect

• 0x4ab59c - UpdateWindow

• 0x4ab5a0 - ValidateRect

• 0x4ab5a4 - InvalidateRect

• 0x4ab5a8 - GetClientRect

• 0x4ab5ac - GetFocus

• 0x4ab5b0 - GetParent

• 0x4ab5b4 - GetTopWindow

• 0x4ab5b8 - PostMessageA

• 0x4ab5bc - IsWindow

• 0x4ab5c0 - SetParent

• 0x4ab5c4 - DestroyCursor

• 0x4ab5c8 - SendMessageA

• 0x4ab5cc - SetWindowPos

• 0x4ab5d0 - MessageBoxA

• 0x4ab5d4 - GetCursorPos

• 0x4ab5d8 - GetSystemMetrics

• 0x4ab5dc - EmptyClipboard

• 0x4ab5e0 - SetClipboardData

• 0x4ab5e4 - OpenClipboard

• 0x4ab5e8 - GetClipboardData

• 0x4ab5ec - CloseClipboard

• 0x4ab5f0 - wsprintfA

• 0x4ab5f4 - DrawIconEx

• 0x4ab5f8 - GetWindowTextA

• 0x4ab5fc - GetCursor

• 0x4ab600 - DrawTextA

• 0x4ab604 - SetPropA

• 0x4ab608 - CallWindowProcA

• 0x4ab60c - MoveWindow

• 0x4ab610 - GetPropA

• 0x4ab614 - FrameRect

• 0x4ab618 - SetWindowsHookExA

• 0x4ab61c - CallNextHookEx

• 0x4ab620 - UnhookWindowsHookEx

• 0x4ab624 - GetWindowDC

• 0x4ab628 - EnumChildWindows

• 0x4ab62c - WindowFromDC

• 0x4ab630 - TabbedTextOutA

• 0x4ab634 - GrayStringA

• 0x4ab638 - DrawStateA

• 0x4ab63c - GetTabbedTextExtentA

• 0x4ab640 - GetMenuState

• 0x4ab644 - GetMenuStringA

• 0x4ab648 - GetMenuItemID

• 0x4ab64c - GetMenuItemCount

• 0x4ab650 - SetWindowTextA

• 0x4ab654 - CreateIconFromResource

• 0x4ab658 - CreateIconFromResourceEx

• 0x4ab65c - RegisterClipboardFormatA

• 0x4ab660 - SetScrollPos

• 0x4ab664 - SetRectEmpty

• 0x4ab668 - GetWindowTextLengthA

• 0x4ab66c - CharUpperA

• 0x4ab670 - BeginPaint

• 0x4ab674 - EndPaint

• 0x4ab678 - DestroyWindow

• 0x4ab67c - CreateDialogIndirectParamA

• 0x4ab680 - EndDialog

• 0x4ab684 - GetNextDlgTabItem

• 0x4ab688 - GetWindowPlacement

• 0x4ab68c - RegisterWindowMessageA

• 0x4ab690 - GetLastActivePopup

• 0x4ab694 - GetMessageTime

• 0x4ab698 - RemovePropA

• 0x4ab69c - GetClassLongA

• 0x4ab6a0 - CreateWindowExA

• 0x4ab6a4 - RegisterClassA

• 0x4ab6a8 - GetScrollPos

• 0x4ab6ac - AdjustWindowRectEx

• 0x4ab6b0 - MapWindowPoints

• 0x4ab6b4 - SendDlgItemMessageA

库 GDI32.dll:

• 0x4ab050 - ExtSelectClipRgn

• 0x4ab054 - LineTo

• 0x4ab058 - MoveToEx

• 0x4ab05c - GetCurrentObject

• 0x4ab060 - RoundRect

• 0x4ab064 - GetTextExtentPoint32A

• 0x4ab068 - GetDeviceCaps

• 0x4ab06c - GetWindowOrgEx

• 0x4ab070 - GetViewportOrgEx

• 0x4ab074 - GetWindowExtEx

• 0x4ab078 - GetDIBits

• 0x4ab07c - RealizePalette

• 0x4ab080 - SelectPalette

• 0x4ab084 - StretchBlt

• 0x4ab088 - CreatePalette

• 0x4ab08c - GetSystemPaletteEntries

• 0x4ab090 - CreateDIBitmap

• 0x4ab094 - DeleteObject

• 0x4ab098 - SelectClipRgn

• 0x4ab09c - GetClipRgn

• 0x4ab0a0 - SetStretchBltMode

• 0x4ab0a4 - SetPixel

• 0x4ab0a8 - CreateRectRgnIndirect

• 0x4ab0ac - SetBkColor

• 0x4ab0b0 - SetBkMode

• 0x4ab0b4 - SetTextColor

• 0x4ab0b8 - SetWindowOrgEx

• 0x4ab0bc - SaveDC

• 0x4ab0c0 - RestoreDC

• 0x4ab0c4 - CreatePenIndirect

• 0x4ab0c8 - PtVisible

• 0x4ab0cc - RectVisible

• 0x4ab0d0 - TextOutA

• 0x4ab0d4 - ExtTextOutA

• 0x4ab0d8 - Escape

• 0x4ab0dc - ExcludeClipRect

• 0x4ab0e0 - GetClipBox

• 0x4ab0e4 - ScaleWindowExtEx

• 0x4ab0e8 - SetWindowExtEx

• 0x4ab0ec - ScaleViewportExtEx

• 0x4ab0f0 - SetViewportExtEx

• 0x4ab0f4 - OffsetViewportOrgEx

• 0x4ab0f8 - SetViewportOrgEx

• 0x4ab0fc - SetMapMode

• 0x4ab100 - SetROP2

• 0x4ab104 - SetPolyFillMode

• 0x4ab108 - GetViewportExtEx

• 0x4ab10c - GetTextMetricsA

• 0x4ab110 - DPtoLP

• 0x4ab114 - LPtoDP

• 0x4ab118 - Rectangle

• 0x4ab11c - Ellipse

• 0x4ab120 - SetPixelV

• 0x4ab124 - CreateCompatibleDC

• 0x4ab128 - GetPixel

• 0x4ab12c - BitBlt

• 0x4ab130 - StartPage

• 0x4ab134 - StartDocA

• 0x4ab138 - DeleteDC

• 0x4ab13c - EndDoc

• 0x4ab140 - EndPage

• 0x4ab144 - CreateFontIndirectA

• 0x4ab148 - GetStockObject

• 0x4ab14c - CreateSolidBrush

• 0x4ab150 - CombineRgn

• 0x4ab154 - CreateRectRgn

• 0x4ab158 - FillRgn

• 0x4ab15c - PatBlt

• 0x4ab160 - CreatePen

• 0x4ab164 - GetObjectA

• 0x4ab168 - SelectObject

• 0x4ab16c - CreateBitmap

• 0x4ab170 - CreateBrushIndirect

• 0x4ab174 - CreateDCA

• 0x4ab178 - CreateCompatibleBitmap

• 0x4ab17c - GetPolyFillMode

• 0x4ab180 - GetStretchBltMode

• 0x4ab184 - GetROP2

• 0x4ab188 - GetBkColor

• 0x4ab18c - GetBkMode

• 0x4ab190 - GetTextColor

• 0x4ab194 - CreateRoundRectRgn

• 0x4ab198 - CreateEllipticRgn

• 0x4ab19c - BeginPath

• 0x4ab1a0 - CreatePolygonRgn

• 0x4ab1a4 - PathToRegion

• 0x4ab1a8 - EndPath

库 MSIMG32.dll:

• 0x4ab3f4 - GradientFill

库 WINSPOOL.DRV:

• 0x4ab704 - OpenPrinterA

• 0x4ab708 - DocumentPropertiesA

• 0x4ab70c - ClosePrinter

库 ADVAPI32.dll:

• 0x4ab000 - RegOpenKeyExA

• 0x4ab004 - RegSetValueExA

• 0x4ab008 - RegQueryValueA

• 0x4ab00c - RegCreateKeyExA

• 0x4ab010 - RegCloseKey

库 SHELL32.dll:

• 0x4ab40c - Shell_NotifyIconA

• 0x4ab410 - SHGetMalloc

• 0x4ab414 - SHGetPathFromIDListA

• 0x4ab418 - ShellExecuteA

• 0x4ab41c - SHGetSpecialFolderPathA

• 0x4ab420 - SHBrowseForFolderA

库 ole32.dll:

• 0x4ab790 - CLSIDFromString

• 0x4ab794 - OleUninitialize

• 0x4ab798 - CoCreateInstance

• 0x4ab79c - OleInitialize

库 OLEAUT32.dll:

• 0x4ab3fc - LoadTypeLib

• 0x4ab400 - RegisterTypeLib

• 0x4ab404 - UnRegisterTypeLib

库 COMCTL32.dll:

• 0x4ab018 - ImageList_Draw

• 0x4ab01c - ImageList_GetImageInfo

• 0x4ab020 - _TrackMouseEvent

• 0x4ab024 - ImageList_GetImageCount

• 0x4ab028 - ImageList_AddMasked

• 0x4ab02c - ImageList_GetIcon

• 0x4ab030 - ImageList_SetBkColor

• 0x4ab034 - None

• 0x4ab038 - ImageList_Destroy

• 0x4ab03c - ImageList_Create

• 0x4ab040 - ImageList_Read

• 0x4ab044 - ImageList_DrawIndirect

• 0x4ab048 - ImageList_Duplicate

库 comdlg32.dll:

• 0x4ab77c - ChooseColorA

• 0x4ab780 - GetFileTitleA

• 0x4ab784 - GetSaveFileNameA

• 0x4ab788 - GetOpenFileNameA

投放文件

无信息

行为分析

互斥量(Mutexes)

Local\MSCTF.Asm.MutexDefault1

执行的命令 无信息

创建的服务 无信息

启动的服务 无信息

进程

2.exe PID: 2324, 上一级进程 PID: 2152

访问的文件

C:\Windows\Fonts\staticcache.dat
C:\Users\test\AppData\Local\Temp\winmm.dll
C:\Users\test\AppData\Local\Temp\ws2_32.dll

读取的文件

C:\Windows\Fonts\staticcache.dat

修改的文件 无信息

删除的文件 无信息

注册表键

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\2.exe
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\ExtendedLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\System
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\\xe5\xbe\xae\xe8\xbd\xaf\xe9\x9b\x85\xe9\xbb\x91
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Arial
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\FontSubstitutes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\SimSun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane16
HKEY_LOCAL_MACHINE\Software\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{03B5835F-F03C-411B-9CE2-AA23E1171E36}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{07EB03D6-B001-41DF-9192-BF9B841EE71F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3697C5FA-60DD-4B56-92D4-74A569205C16}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3FC47A08-E5C9-4BCA-A2C7-BC9A282AED14}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{531FDEBF-9B4C-4A43-A2AA-960E8FCDC732}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{78CB5B0E-26ED-4FCC-854C-77E8F3D1AA80}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{81D4E9C9-1D3B-41BC-9E6C-4B40BF79E35E}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{8613E14C-D0C0-4161-AC0F-1DD2563286BC}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{A028AE76-01B1-46C2-99C4-ACD9858AE02F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{AE6BE008-07FB-400D-8BEB-337A64F7051F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{C1EE01F2-B3B6-4A6A-9DDD-E988C088EC82}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{E429B25A-E5D3-4D1F-9BE3-0C608477E3A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F25E9F57-2FC8-4EB3-A41A-CCE5F08541E6}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F89E9E58-BD2F-4008-9AC2-0F816C09F4EE}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_CURRENT_USER\Keyboard Layout\Toggle
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\WMR
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_CURRENT_USER\Software\Microsoft\CTF\DirectSwitchHotkeys
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\KnownClasses
HKEY_CURRENT_USER\Software\Microsoft\CTF\LayoutIcon\0804\00000804
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles

读取的注册表键

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\SimSun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane16
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles

修改的注册表键 无信息

删除的注册表键 无信息

API解析

kernel32.dll.IsProcessorFeaturePresent
cryptbase.dll.SystemFunction036
gdi32.dll.GetLayout
gdi32.dll.GdiRealizationInfo
gdi32.dll.FontIsLinked
advapi32.dll.RegOpenKeyExW
advapi32.dll.RegQueryInfoKeyW
gdi32.dll.GetTextFaceAliasW
advapi32.dll.RegEnumValueW
advapi32.dll.RegCloseKey
advapi32.dll.RegQueryValueExW
advapi32.dll.RegQueryValueExA
advapi32.dll.RegEnumKeyExW
gdi32.dll.GetTextExtentExPointWPri
gdi32.dll.GetFontAssocStatus
comctl32.dll.InitCommonControlsEx
user32.dll.NotifyWinEvent
ole32.dll.CoInitializeEx
ole32.dll.CoUninitialize
ole32.dll.CoRegisterInitializeSpy
ole32.dll.CoRevokeInitializeSpy
gdi32.dll.GdiIsMetaPrintDC
oleaut32.dll.SysAllocString
oleaut32.dll.SysStringLen
oleaut32.dll.SysFreeString
winmm.dll.timeEndPeriod
ws2_32.dll.closesocket
ws2_32.dll.WSACleanup