魔盾安全分析报告

分析类型 开始时间 结束时间 持续时间 分析引擎版本
FILE 2020-11-30 08:47:46 2020-11-30 08:50:01 135 秒 1.4-Maldun
虚拟机机器名 标签 虚拟机管理 开机时间 关机时间
win7-sp1-x64-shaapp03-1 win7-sp1-x64-shaapp03-1 KVM 2020-11-30 08:47:48 2020-11-30 08:50:03
魔盾分数

10.0

恶意的

文件详细信息

文件名 Louisa Bypass VIP.sp.exe
文件大小 23920640 字节
文件类型 PE32 executable (GUI) Intel 80386, for MS Windows
CRC32 509DB0D8
MD5 40a7c8b3e686bbb4a2d1087745339f4b
SHA1 b1de478dba5d553303ebd2db1eaaad9edd7ed610
SHA256 b3f2aeef652dce7da02353373084bd2cee249b866092e795f30bdf508b532b51
SHA512 4463b7241ef5718855e9959cb9b136ccda2da2fa3ffb495e0ed269fadfe96d1ea7577c024dd9eec3c6d41fe446c717054d6a477902bff0ff4870fc6308b2d16a
Ssdeep 393216:q9XUKjn0uoErRp1xw2RMAUdETkSHqjEsu2zpLN7aa2a5/oAROiBEPFgBZkGWjKv:mX5YSrb1x/RMAUAkSHQEsuoGmaWoKv
PEiD 无匹配
Yara
  • CRC32_poly_Constant (Look for CRC32 [poly])
  • CRC32_table (Look for CRC32 table)
  • BASE64_table (Look for Base64 table)
  • with_urls (Detected the presence of an or several urls)
  • IsPE32 (Detected a 32bit PE sample)
  • IsWindowsGUI (Detected a Windows GUI sample)
  • IsPacked (Detected Entropy signature)
  • HasRichSignature (Detected Rich Signature)
  • DebuggerTiming__PerformanceCounter ()
  • DebuggerTiming__Ticks (Detected timing ticks function)
  • anti_dbg (Detected self protection if being debugged)
  • antisb_threatExpert (Anti-Sandbox checks for ThreatExpert)
  • network_tcp_socket (Detected network communications over RAW socket)
  • maldoc_OLE_file_magic_number (Detected OLE in the file)
  • create_process (Detection function for creating a new process)
  • win_registry (Detected system registries modification function)
  • win_files_operation (Affect private profile)
  • Maldun_Anomoly_Combined_Activities_7 (Spotted potential malicious behaviors from a small size target, like process manipultion, privilege, token and files)
VirusTotal 无此文件扫描结果

特征

二进制文件可能包含加密或压缩数据
section: name: .svmp2, entropy: 8.00, characteristics: IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE, raw_size: 0x005e5000, virtual_size: 0x005e4403
section: name: .svmp3, entropy: 7.84, characteristics: IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE, raw_size: 0x000cd000, virtual_size: 0x000cc87e
section: name: .svmp4, entropy: 7.72, characteristics: IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE, raw_size: 0x00fa7000, virtual_size: 0x00fa6e0f
section: name: .svmp6, entropy: 7.02, characteristics: IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE, raw_size: 0x00065000, virtual_size: 0x000646dc
检测到样本尝试模糊或欺骗文件类型
魔盾安全Yara规则检测结果 - 高危
Critical: Detected OLE in the file
Critical: Spotted potential malicious behaviors from a small size target, like process manipultion, privilege, token and files

运行截图

网络分析

域名解析

域名 响应
acroipm.adobe.com CNAME acroipm.adobe.com.edgesuite.net
A 23.218.94.163
CNAME a1983.dscd.akamai.net
A 23.218.94.155

TCP连接

IP地址 端口
23.218.94.163 80

UDP连接

IP地址 端口
192.168.122.1 53

HTTP请求

URL HTTP数据
http://acroipm.adobe.com/11/rdr/CHS/win/nooem/none/message.zip 
GET /11/rdr/CHS/win/nooem/none/message.zip HTTP/1.1
Accept: */*
If-Modified-Since: Mon, 08 Nov 2017 08:44:36 GMT
User-Agent: IPM
Host: acroipm.adobe.com
Connection: Keep-Alive
Cache-Control: no-cache

静态分析

PE 信息

初始地址 0x00400000
入口地址 0x0230f419
声明校验值 0x016d9298
实际校验值 0x016d9298
最低操作系统版本要求 4.0
编译时间 2020-11-29 23:40:57
载入哈希 0c599dcff3934042a71fe7e3b144f099
图标
图标精确哈希值 b3f9d91c0941b7b3185414551cf17cec
图标相似性哈希值 c060329b2871a54ebb8ab456effdd111

版本信息

LegalCopyright: Louisa Bypass \xe7\xe6\xe6\xe6
FileVersion: 1.0.0.0
CompanyName: Louisa Bypass
Comments: \xe6\xe7\xe5\xe4\xe7\xe6\xe8\xe8\xe7\xe5(http://www.eyuyan.com)
ProductName: Louisa Bypass
ProductVersion: 1.0.0.0
FileDescription: \xe6\xe8\xe8\xe7\xe5
Translation: 0x0804 0x04b0

PE数据组成

名称 虚拟地址 虚拟大小 原始数据大小 特征 熵(Entropy)
.text 0x00001000 0x000c208a 0x00000000 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 0.00
.rdata 0x000c4000 0x00122078 0x00000000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 0.00
.data 0x001e7000 0x00051d0a 0x00000000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 0.00
.rsrc 0x00239000 0x0000d918 0x0000e000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 6.63
.svmp1 0x00247000 0x0066caa5 0x00000000 IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 0.00
.svmp2 0x008b4000 0x005e4403 0x005e5000 IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 8.00
.svmp3 0x00e99000 0x000cc87e 0x000cd000 IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 7.84
.svmp4 0x00f66000 0x00fa6e0f 0x00fa7000 IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 7.72
.svmp5 0x01f0d000 0x00002982 0x00003000 IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 6.32
.svmp6 0x01f10000 0x000646dc 0x00065000 IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 7.02

资源

名称 偏移量 大小 语言 子语言 熵(Entropy) 文件类型
TEXTINCLUDE 0x00239c80 0x00000151 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 5.25 C source, ASCII text, with CRLF line terminators
TEXTINCLUDE 0x00239c80 0x00000151 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 5.25 C source, ASCII text, with CRLF line terminators
TEXTINCLUDE 0x00239c80 0x00000151 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 5.25 C source, ASCII text, with CRLF line terminators
RT_CURSOR 0x0023a170 0x000000b4 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 2.74 data
RT_CURSOR 0x0023a170 0x000000b4 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 2.74 data
RT_CURSOR 0x0023a170 0x000000b4 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 2.74 data
RT_CURSOR 0x0023a170 0x000000b4 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 2.74 data
RT_BITMAP 0x0023b878 0x00000144 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 2.88 data
RT_BITMAP 0x0023b878 0x00000144 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 2.88 data
RT_BITMAP 0x0023b878 0x00000144 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 2.88 data
RT_BITMAP 0x0023b878 0x00000144 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 2.88 data
RT_BITMAP 0x0023b878 0x00000144 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 2.88 data
RT_BITMAP 0x0023b878 0x00000144 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 2.88 data
RT_BITMAP 0x0023b878 0x00000144 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 2.88 data
RT_BITMAP 0x0023b878 0x00000144 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 2.88 data
RT_BITMAP 0x0023b878 0x00000144 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 2.88 data
RT_BITMAP 0x0023b878 0x00000144 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 2.88 data
RT_BITMAP 0x0023b878 0x00000144 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 2.88 data
RT_BITMAP 0x0023b878 0x00000144 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 2.88 data
RT_BITMAP 0x0023b878 0x00000144 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 2.88 data
RT_BITMAP 0x0023b878 0x00000144 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 2.88 data
RT_ICON 0x002442cc 0x00000468 LANG_NEUTRAL SUBLANG_NEUTRAL 4.86 GLS_BINARY_LSB_FIRST
RT_ICON 0x002442cc 0x00000468 LANG_NEUTRAL SUBLANG_NEUTRAL 4.86 GLS_BINARY_LSB_FIRST
RT_ICON 0x002442cc 0x00000468 LANG_NEUTRAL SUBLANG_NEUTRAL 4.86 GLS_BINARY_LSB_FIRST
RT_ICON 0x002442cc 0x00000468 LANG_NEUTRAL SUBLANG_NEUTRAL 4.86 GLS_BINARY_LSB_FIRST
RT_ICON 0x002442cc 0x00000468 LANG_NEUTRAL SUBLANG_NEUTRAL 4.86 GLS_BINARY_LSB_FIRST
RT_ICON 0x002442cc 0x00000468 LANG_NEUTRAL SUBLANG_NEUTRAL 4.86 GLS_BINARY_LSB_FIRST
RT_ICON 0x002442cc 0x00000468 LANG_NEUTRAL SUBLANG_NEUTRAL 4.86 GLS_BINARY_LSB_FIRST
RT_MENU 0x00244740 0x00000284 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 4.28 data
RT_MENU 0x00244740 0x00000284 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 4.28 data
RT_DIALOG 0x00245988 0x0000018c LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 3.74 data
RT_DIALOG 0x00245988 0x0000018c LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 3.74 data
RT_DIALOG 0x00245988 0x0000018c LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 3.74 data
RT_DIALOG 0x00245988 0x0000018c LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 3.74 data
RT_DIALOG 0x00245988 0x0000018c LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 3.74 data
RT_DIALOG 0x00245988 0x0000018c LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 3.74 data
RT_DIALOG 0x00245988 0x0000018c LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 3.74 data
RT_DIALOG 0x00245988 0x0000018c LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 3.74 data
RT_DIALOG 0x00245988 0x0000018c LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 3.74 data
RT_DIALOG 0x00245988 0x0000018c LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 3.74 data
RT_STRING 0x002463d0 0x00000024 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 0.90 data
RT_STRING 0x002463d0 0x00000024 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 0.90 data
RT_STRING 0x002463d0 0x00000024 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 0.90 data
RT_STRING 0x002463d0 0x00000024 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 0.90 data
RT_STRING 0x002463d0 0x00000024 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 0.90 data
RT_STRING 0x002463d0 0x00000024 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 0.90 data
RT_STRING 0x002463d0 0x00000024 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 0.90 data
RT_STRING 0x002463d0 0x00000024 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 0.90 data
RT_STRING 0x002463d0 0x00000024 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 0.90 data
RT_STRING 0x002463d0 0x00000024 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 0.90 data
RT_STRING 0x002463d0 0x00000024 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 0.90 data
RT_GROUP_CURSOR 0x0024641c 0x00000022 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 2.25 MS Windows cursor resource - 2 icons, 32x256, hotspot @1x1
RT_GROUP_CURSOR 0x0024641c 0x00000022 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 2.25 MS Windows cursor resource - 2 icons, 32x256, hotspot @1x1
RT_GROUP_CURSOR 0x0024641c 0x00000022 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 2.25 MS Windows cursor resource - 2 icons, 32x256, hotspot @1x1
RT_GROUP_ICON 0x002464a0 0x00000014 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 2.02 MS Windows icon resource - 1 icon, 16x16, 16 colors
RT_GROUP_ICON 0x002464a0 0x00000014 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 2.02 MS Windows icon resource - 1 icon, 16x16, 16 colors
RT_GROUP_ICON 0x002464a0 0x00000014 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 2.02 MS Windows icon resource - 1 icon, 16x16, 16 colors
RT_VERSION 0x002464b4 0x00000294 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 3.59 data
RT_MANIFEST 0x00246748 0x000001cd LANG_NEUTRAL SUBLANG_NEUTRAL 5.08 XML 1.0 document, ASCII text, with very long lines, with no line terminators

导入

库 WINMM.dll:
0x129823f - midiStreamOut
库 WS2_32.dll:
0x1298247 - WSACleanup
库 KERNEL32.dll:
0x129824f - Process32Next
库 USER32.dll:
0x1298257 - SetFocus
库 GDI32.dll:
0x129825f - TextOutA
库 WINSPOOL.DRV:
0x1298267 - OpenPrinterA
库 ADVAPI32.dll:
0x129826f - RegQueryValueExA
库 SHELL32.dll:
0x1298277 - Shell_NotifyIconA
库 ole32.dll:
0x129827f - CLSIDFromProgID
库 OLEAUT32.dll:
0x1298287 - UnRegisterTypeLib
库 COMCTL32.dll:
0x129828f - None
库 comdlg32.dll:
0x1298297 - ChooseColorA

投放文件

无信息

行为分析

互斥量(Mutexes)
  • Local\MSCTF.Asm.MutexDefault1
执行的命令 无信息
创建的服务 无信息
启动的服务 无信息

进程

Louisa Bypass VIP.sp.exe PID: 2412, 上一级进程 PID: 2268

访问的文件
  • C:\Users\test\AppData\Local\Temp\Louisa Bypass VIP.sp.exe.lic
  • \Device\KsecDD
  • C:\Windows\Fonts\staticcache.dat
读取的文件
  • C:\Users\test\AppData\Local\Temp\Louisa Bypass VIP.sp.exe.lic
  • \Device\KsecDD
  • C:\Windows\Fonts\staticcache.dat
修改的文件 无信息
删除的文件 无信息
注册表键
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\ExtendedLocale
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\Louisa Bypass VIP.sp.exe
  • HKEY_LOCAL_MACHINE\Software\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{03B5835F-F03C-411B-9CE2-AA23E1171E36}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{07EB03D6-B001-41DF-9192-BF9B841EE71F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3697C5FA-60DD-4B56-92D4-74A569205C16}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3FC47A08-E5C9-4BCA-A2C7-BC9A282AED14}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{531FDEBF-9B4C-4A43-A2AA-960E8FCDC732}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{78CB5B0E-26ED-4FCC-854C-77E8F3D1AA80}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{81D4E9C9-1D3B-41BC-9E6C-4B40BF79E35E}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{8613E14C-D0C0-4161-AC0F-1DD2563286BC}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{A028AE76-01B1-46C2-99C4-ACD9858AE02F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{AE6BE008-07FB-400D-8BEB-337A64F7051F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{C1EE01F2-B3B6-4A6A-9DDD-E988C088EC82}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{E429B25A-E5D3-4D1F-9BE3-0C608477E3A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F25E9F57-2FC8-4EB3-A41A-CCE5F08541E6}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F89E9E58-BD2F-4008-9AC2-0F816C09F4EE}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_CURRENT_USER
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\WMR
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
  • HKEY_CURRENT_USER\Software\Microsoft\CTF\DirectSwitchHotkeys
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\KnownClasses
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\\xe5\xbe\xae\xe8\xbd\xaf\xe9\x9b\x85\xe9\xbb\x91
读取的注册表键
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
修改的注册表键 无信息
删除的注册表键 无信息
API解析
  • kernel32.dll.VirtualAlloc
  • kernel32.dll.LoadLibraryA
  • gdi32.dll.BitBlt
  • gdi32.dll.CreateCompatibleDC
  • gdi32.dll.CreateCompatibleBitmap
  • gdi32.dll.SetBitmapBits
  • gdi32.dll.SelectObject
  • gdi32.dll.SetTextColor
  • gdi32.dll.SetBkMode
  • gdi32.dll.DeleteObject
  • gdi32.dll.DeleteDC
  • gdi32.dll.CreateFontA
  • gdi32.dll.CreateSolidBrush
  • gdi32.dll.CreatePen
  • gdi32.dll.GetDeviceCaps
  • gdi32.dll.MoveToEx
  • gdi32.dll.LineTo
  • gdi32.dll.GetTextExtentPoint32A
  • gdi32.dll.GetStockObject
  • gdi32.dll.CreateDIBSection
  • kernel32.dll.GetModuleFileNameA
  • kernel32.dll.GetModuleHandleA
  • kernel32.dll.CreateFileA
  • kernel32.dll.CreateFileW
  • kernel32.dll.DeleteFileW
  • kernel32.dll.GetFileSize
  • kernel32.dll.VirtualFree
  • kernel32.dll.ReadFile
  • kernel32.dll.WriteFile
  • kernel32.dll.TerminateProcess
  • kernel32.dll.VirtualProtect
  • kernel32.dll.Sleep
  • kernel32.dll.GetTickCount
  • kernel32.dll.CreateThread
  • kernel32.dll.CloseHandle
  • kernel32.dll.MulDiv
  • kernel32.dll.OutputDebugStringA
  • kernel32.dll.GetTempPathA
  • kernel32.dll.CreateProcessA
  • kernel32.dll.InitializeCriticalSection
  • kernel32.dll.EnterCriticalSection
  • kernel32.dll.LeaveCriticalSection
  • kernel32.dll.FileTimeToSystemTime
  • shell32.dll.ShellExecuteA
  • kernel32.dll.GetTempFileNameA
  • ws2_32.dll.WSAStartup
  • ws2_32.dll.socket
  • ws2_32.dll.inet_addr
  • ws2_32.dll.inet_ntoa
  • ws2_32.dll.htons
  • ws2_32.dll.connect
  • ws2_32.dll.send
  • ws2_32.dll.recv
  • ws2_32.dll.gethostbyname
  • ws2_32.dll.closesocket
  • ws2_32.dll.WSACleanup
  • ws2_32.dll.setsockopt
  • user32.dll.LoadIconA
  • user32.dll.DrawTextA
  • user32.dll.LoadCursorA
  • user32.dll.RegisterClassExA
  • user32.dll.CreateWindowExA
  • user32.dll.SetWindowLongA
  • user32.dll.SetPropA
  • user32.dll.GetSystemMetrics
  • user32.dll.GetWindowRect
  • user32.dll.SetWindowPos
  • user32.dll.UpdateWindow
  • user32.dll.GetMessageA
  • user32.dll.TranslateMessage
  • user32.dll.DispatchMessageA
  • user32.dll.CallWindowProcA
  • user32.dll.GetPropA
  • user32.dll.PostMessageA
  • user32.dll.TrackMouseEvent
  • user32.dll.InvalidateRect
  • user32.dll.SetFocus
  • user32.dll.BeginPaint
  • user32.dll.EndPaint
  • user32.dll.SendMessageA
  • user32.dll.DestroyWindow
  • user32.dll.PostQuitMessage
  • user32.dll.GetDC
  • user32.dll.ReleaseDC
  • user32.dll.MessageBoxA
  • user32.dll.DefWindowProcA
  • user32.dll.EnableWindow
  • user32.dll.FillRect
  • user32.dll.MoveWindow
  • advapi32.dll.CryptAcquireContextA
  • advapi32.dll.CryptCreateHash
  • advapi32.dll.CryptHashData
  • advapi32.dll.CryptGetHashParam
  • advapi32.dll.CryptDestroyHash
  • advapi32.dll.CryptReleaseContext
  • ntdll.dll.sprintf
  • ntdll.dll._allmul
  • advapi32.dll.GetUserNameA
  • advapi32.dll.LookupAccountNameA
  • advapi32.dll.GetSidIdentifierAuthority
  • advapi32.dll.GetSidSubAuthorityCount
  • advapi32.dll.GetSidSubAuthority
  • sechost.dll.LookupAccountNameLocalA
  • comctl32.dll.RegisterClassNameW
  • uxtheme.dll.OpenThemeData
  • imm32.dll.ImmIsIME
  • uxtheme.dll.EnableThemeDialogTexture
  • ole32.dll.CoInitializeEx
  • ole32.dll.CoUninitialize
  • cryptbase.dll.SystemFunction036
  • ole32.dll.CoRegisterInitializeSpy
  • ole32.dll.CoRevokeInitializeSpy
  • imm32.dll.ImmGetContext
  • imm32.dll.ImmLockIMC
  • imm32.dll.ImmUnlockIMC
  • imm32.dll.ImmReleaseContext
  • imm32.dll.ImmSetCompositionFontW
  • imm32.dll.ImmGetCompositionWindow
  • imm32.dll.ImmSetCompositionWindow
  • gdi32.dll.GetLayout
  • gdi32.dll.GdiRealizationInfo
  • gdi32.dll.FontIsLinked
  • advapi32.dll.RegOpenKeyExW
  • advapi32.dll.RegQueryInfoKeyW
  • gdi32.dll.GetTextFaceAliasW
  • advapi32.dll.RegEnumValueW
  • advapi32.dll.RegCloseKey
  • advapi32.dll.RegQueryValueExW
  • advapi32.dll.RegQueryValueExA
  • advapi32.dll.RegEnumKeyExW
  • gdi32.dll.GdiIsMetaPrintDC
  • uxtheme.dll.BufferedPaintInit
  • uxtheme.dll.BeginBufferedPaint
  • uxtheme.dll.EndBufferedPaint