Maldun Security Analysis Report

Analysis type   Start time            End time              Duration   Analysis engine version
FILE            2021-04-21 23:31:13   2021-04-21 23:31:58   45 s       1.4-Maldun
VM name                   Label                     Hypervisor   Boot time             Shutdown time
win7-sp1-x64-shaapp03-1   win7-sp1-x64-shaapp03-1   KVM          2021-04-21 23:31:13   2021-04-21 23:31:59
Maldun score

2.95

Suspicious

File details

File name   Kay.exe
File size   13352960 bytes
File type   PE32 executable (GUI) Intel 80386, for MS Windows
CRC32 63E261B2
MD5 33ae554c503afed5ee01e55261ee96dc
SHA1 611ca7d4da6b9214e31d16e4be3a9422d6153676
SHA256 2791fc769e1f8e423483b172ee1fc7774328f6f6b65e122b4ea7084ea6b3c13b
SHA512 034f8361585df4ad921820a37079b2756b74a90ec42d62cdcf8b54469cbe3728f6bb082b50ef5535c6e419a0151dd13ea5270cd9fb4befef2a3b1a688a983736
Ssdeep 196608:kpRO6OHDIcmxXZz3Kzk+VZjRezWpRkK/BJfJDt63B0Z3+oe7ihvO3B8kOdok9qTO:kbhOjeZ2JrpyKtDeE5O3HTcqY2o
PEiD   No match
Yara
  • IsPE32 (Detected a 32bit PE sample)
  • IsWindowsGUI (Detected a Windows GUI sample)
  • IsPacked (Detected Entropy signature)
  • HasRichSignature (Detected Rich Signature)
  • DebuggerTiming__Ticks (Detected timing ticks function)
  • screenshot (Detected take screenshot function)
  • create_process (Detection function for creating a new process)
  • keylogger (Detected keylogger function)
  • win_registry (Detected system registries modification function)
  • change_win_registry (Change registries to affect system)
  • win_files_operation (Affect private profile)
  • win_hook (Detected hook table access function)
  • win_private_profile (Detected private profile access function)
  • Maldun_Anomoly_Combined_Activities_7 (Spotted potential malicious behaviors from a small size target, like process manipulation, privilege, token and files)
VirusTotal   VirusTotal query failed

Signatures

Binary may contain encrypted or compressed data
section: name: .data, entropy: 7.99, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE, raw_size: 0x00c9e000, virtual_size: 0x00cb31be
Maldun Yara rule detection result - security alert
Critical: Spotted potential malicious behaviors from a small size target, like process manipulation, privilege, token and files
Network activity detected that does not appear in the API log
ip: 23.74.15.56
domain: acroipm.adobe.com
Note: the only request to this host (see HTTP requests below) carries the User-Agent "IPM" and fetches /11/rdr/CHS/win/nooem/none/message.zip, which is the update check made by Adobe Reader's in-product messaging component, and the sandbox could not attribute it to any API call made by the sample. Treat it as probable background traffic from the analysis VM rather than command-and-control unless it can be correlated with the sample's own process.

Screenshots

Network analysis

DNS resolution

Domain              Response
acroipm.adobe.com   A 23.74.15.65
                    CNAME acroipm.adobe.com.edgesuite.net
                    CNAME a1983.dscd.akamai.net
                    A 23.74.15.56

TCP connections

IP address     Port
23.74.15.65 80

UDP connections

IP address      Port
192.168.122.1 53

HTTP requests

URL / HTTP data
http://acroipm.adobe.com/11/rdr/CHS/win/nooem/none/message.zip
GET /11/rdr/CHS/win/nooem/none/message.zip HTTP/1.1
Accept: */*
If-Modified-Since: Mon, 08 Nov 2017 08:44:36 GMT
User-Agent: IPM
Host: acroipm.adobe.com
Connection: Keep-Alive
Cache-Control: no-cache

Static analysis

PE information

Image base                 0x00400000
Entry point                0x00405148
Declared checksum          0x00000000 (a zero CheckSum field is normal for user-mode executables; Windows only verifies it for drivers and certain system DLLs, so the mismatch below is not by itself a sign of tampering)
Computed checksum          0x00cbc620
Minimum OS version         4.0
Compile timestamp          2021-04-08 12:40:54
Import hash (imphash)      d335f46f3af407f7f25e559cd6800c58

Version information

LegalCopyright: Kay
FileVersion: 1.0.0.0
CompanyName: Kay
Comments: Kay
ProductName: \xe6\xe8\xe8\xe7\xe5
ProductVersion: 1.0.0.0
FileDescription: Kay
Translation: 0x0804 0x04b0

PE sections

Name    Virtual address   Virtual size   Raw data size   Characteristics   Entropy
.text 0x00001000 0x000160ba 0x00017000 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 6.50
.rdata 0x00018000 0x000041d8 0x00005000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 4.27
.data 0x0001d000 0x00cb31be 0x00c9e000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 7.99
.rsrc 0x00cd1000 0x00000268 0x00001000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 3.39
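The entropy finding in the signatures section can be reproduced from the section table above. The block below is an added example written for this page, not Maldun's signature code: it parses the PE section table with the standard library (no pefile dependency), computes Shannon entropy over each section's raw bytes and flags anything at or above 7.0 bits per byte together with its writability. The file it scans is a synthetic PE built in build_synthetic_pe() (a NOP/RET .text section and a pseudo-random, writable .data section) rather than Kay.exe; the threshold and that layout are assumptions. For comparison, the report puts Kay.exe's .data section at 7.99 with a raw size of 0x00c9e000 (13,230,080 bytes, roughly 99% of the 13,352,960-byte file).

```python
"""Per-section entropy check, as behind the sandbox's "binary may contain
encrypted or compressed data" signature.  Added example, not Maldun's code.
The PE it scans is constructed below (build_synthetic_pe), not Kay.exe."""
import math
import random
import struct

# Section characteristic flags from winnt.h
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

ENTROPY_THRESHOLD = 7.0  # bits/byte (assumed); compressed/encrypted data sits near 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for empty or constant input."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes):
    """Walk DOS header -> PE signature -> COFF header -> section table and yield
    (name, virtual_size, virtual_address, raw_size, raw_offset, characteristics)."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + opt_size  # section headers follow the optional header
    for i in range(num_sections):
        off = table + i * 40
        name = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr, rsize, roff = struct.unpack_from("<IIII", pe, off + 8)
        chars = struct.unpack_from("<I", pe, off + 36)[0]
        yield name, vsize, vaddr, rsize, roff, chars


def flag_packed_sections(pe: bytes, threshold: float = ENTROPY_THRESHOLD):
    """Return [(name, entropy, characteristics)] for sections whose raw bytes
    reach the threshold; the caller decides what writable+high-entropy means."""
    hits = []
    for name, _vsize, _vaddr, rsize, roff, chars in parse_sections(pe):
        ent = shannon_entropy(pe[roff:roff + rsize])
        if ent >= threshold:
            hits.append((name, round(ent, 2), chars))
    return hits


def build_synthetic_pe(seed: int = 7) -> bytes:
    """Constructed sample (not Kay.exe): minimal PE32 with a low-entropy .text
    section and a writable, high-entropy .data section of seeded random bytes."""
    rng = random.Random(seed)
    text = bytes([0x90, 0xC3]) * 2048                       # NOP/RET filler, entropy 1.0
    data = bytes(rng.getrandbits(8) for _ in range(8192))   # looks encrypted
    e_lfanew, opt_size = 0x40, 224                          # PE32 optional header size
    headers_end = e_lfanew + 4 + 20 + opt_size + 2 * 40
    text_off = (headers_end + 0x1FF) & ~0x1FF               # 512-byte file alignment
    data_off = text_off + len(text)
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)  # magic only; rest zeroed

    def section(name, size, vaddr, roff, chars):
        return struct.pack("<8sIIIIIIHHI", name, size, vaddr, size, roff, 0, 0, 0, 0, chars)

    table = section(b".text", len(text), 0x1000, text_off,
                    IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ)
    table += section(b".data", len(data), 0x3000, data_off,
                     IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)
    image = (dos + b"PE\0\0" + coff + opt + table).ljust(text_off, b"\0")
    return image + text + data


if __name__ == "__main__":
    for name, ent, chars in flag_packed_sections(build_synthetic_pe()):
        prot = "RW" if chars & IMAGE_SCN_MEM_WRITE else "R"
        print(f"section {name}: entropy {ent:.2f} ({prot})")
```

A single high-entropy section is only a triage signal: installers and binaries with embedded compressed media or media produce the same profile. What makes the Kay.exe layout worth following up is the combination the table shows: almost the whole file sits in one readable and writable .data section, .text is small (0x17000 raw bytes), and the import table is a plain runtime set plus CreateProcessA and file-write APIs, which is the shape of a loader that unpacks a payload from .data at run time.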

Resources

Name         Offset       Size         Language       Sublanguage                 Entropy   File type
RT_VERSION 0x00cd1058 0x00000210 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 3.24 data

Imports

Library SHLWAPI.dll:
0x41823c - PathFileExistsA
Library KERNEL32.dll:
0x418080 - GetVersion
0x418084 - WideCharToMultiByte
0x418088 - GetCurrentThreadId
0x41808c - GetCurrentThread
0x418090 - lstrcmpiA
0x418094 - lstrcmpA
0x418098 - GlobalDeleteAtom
0x41809c - InterlockedIncrement
0x4180a0 - InterlockedDecrement
0x4180a4 - LocalFree
0x4180a8 - FlushFileBuffers
0x4180ac - lstrcpynA
0x4180b0 - LocalAlloc
0x4180b4 - InitializeCriticalSection
0x4180b8 - DeleteCriticalSection
0x4180bc - GlobalHandle
0x4180c0 - TlsFree
0x4180c4 - LeaveCriticalSection
0x4180c8 - GlobalReAlloc
0x4180cc - EnterCriticalSection
0x4180d0 - TlsSetValue
0x4180d4 - LocalReAlloc
0x4180d8 - TlsGetValue
0x4180dc - GlobalFlags
0x4180e0 - GlobalFindAtomA
0x4180e4 - GlobalAddAtomA
0x4180e8 - GlobalGetAtomNameA
0x4180ec - GetProcessVersion
0x4180f0 - SetErrorMode
0x4180f4 - GetCPInfo
0x4180f8 - GetOEMCP
0x4180fc - RtlUnwind
0x418100 - RaiseException
0x418104 - HeapSize
0x418108 - GetACP
0x41810c - UnhandledExceptionFilter
0x418110 - FreeEnvironmentStringsA
0x418114 - FreeEnvironmentStringsW
0x418118 - GetEnvironmentStrings
0x41811c - GetEnvironmentStringsW
0x418120 - SetHandleCount
0x418124 - GetStdHandle
0x418128 - GetFileType
0x41812c - GetEnvironmentVariableA
0x418130 - HeapDestroy
0x418134 - HeapCreate
0x418138 - VirtualFree
0x41813c - VirtualAlloc
0x418140 - IsBadWritePtr
0x418144 - LCMapStringA
0x418148 - LCMapStringW
0x41814c - SetUnhandledExceptionFilter
0x418150 - GetStringTypeA
0x418154 - GetStringTypeW
0x418158 - IsBadCodePtr
0x41815c - SetStdHandle
0x418160 - InterlockedExchange
0x418164 - lstrcatA
0x418168 - SetLastError
0x41816c - GlobalAlloc
0x418170 - MultiByteToWideChar
0x418174 - lstrlenA
0x418178 - LoadLibraryA
0x41817c - GetSystemDirectoryA
0x418180 - lstrcpyA
0x418184 - CreateToolhelp32Snapshot
0x418188 - FreeLibrary
0x41818c - Sleep
0x418190 - GetWindowsDirectoryA
0x418194 - GetTempPathA
0x418198 - GetProcAddress
0x41819c - OpenProcess
0x4181a0 - TerminateProcess
0x4181a4 - GetVersionExA
0x4181a8 - GetCurrentProcess
0x4181ac - GetLastError
0x4181b0 - SetFilePointer
0x4181b4 - GlobalLock
0x4181b8 - GlobalUnlock
0x4181bc - GlobalFree
0x4181c0 - Process32First
0x4181c4 - CloseHandle
0x4181c8 - Process32Next
0x4181cc - CreateDirectoryA
0x4181d0 - MoveFileA
0x4181d4 - GetProcessHeap
0x4181d8 - GetModuleHandleA
0x4181dc - ExitProcess
0x4181e0 - HeapAlloc
0x4181e4 - HeapReAlloc
0x4181e8 - HeapFree
0x4181ec - IsBadReadPtr
0x4181f0 - GetPrivateProfileStringA
0x4181f4 - WritePrivateProfileStringA
0x4181f8 - WriteFile
0x4181fc - CreateFileA
0x418200 - WaitForSingleObject
0x418204 - CreateProcessA
0x418208 - GetStartupInfoA
0x41820c - GetTickCount
0x418210 - FindClose
0x418214 - GetModuleFileNameA
0x418218 - GetCommandLineA
0x41821c - FindFirstFileA
0x418220 - RemoveDirectoryA
0x418224 - DeleteFileA
0x418228 - FindNextFileA
0x41822c - TlsAlloc
Library USER32.dll:
0x418244 - SetWindowPos
0x418248 - SetFocus
0x41824c - GetWindowPlacement
0x418250 - IsIconic
0x418254 - RegisterWindowMessageA
0x418258 - GetMessagePos
0x41825c - GetMessageTime
0x418260 - DefWindowProcA
0x418264 - RemovePropA
0x418268 - CallWindowProcA
0x41826c - GetPropA
0x418270 - SetPropA
0x418274 - GetClassLongA
0x418278 - CreateWindowExA
0x41827c - GetMenuItemID
0x418280 - GetSubMenu
0x418284 - GetMenu
0x418288 - RegisterClassA
0x41828c - GetClassInfoA
0x418290 - WinHelpA
0x418294 - GetCapture
0x418298 - GetTopWindow
0x41829c - CopyRect
0x4182a0 - GetClientRect
0x4182a4 - AdjustWindowRectEx
0x4182a8 - GetSysColor
0x4182ac - MapWindowPoints
0x4182b0 - LoadIconA
0x4182b4 - LoadCursorA
0x4182b8 - GetSysColorBrush
0x4182bc - LoadStringA
0x4182c0 - DestroyMenu
0x4182c4 - GetMenuItemCount
0x4182c8 - SetWindowTextA
0x4182cc - GetDlgCtrlID
0x4182d0 - DestroyWindow
0x4182d4 - UnhookWindowsHookEx
0x4182d8 - GrayStringA
0x4182dc - DrawTextA
0x4182e0 - TabbedTextOutA
0x4182e4 - ClientToScreen
0x4182e8 - GetMenuCheckMarkDimensions
0x4182ec - LoadBitmapA
0x4182f0 - GetMenuState
0x4182f4 - ModifyMenuA
0x4182f8 - SetMenuItemBitmaps
0x4182fc - CheckMenuItem
0x418300 - EnableMenuItem
0x418304 - GetFocus
0x418308 - GetNextDlgTabItem
0x41830c - GetKeyState
0x418310 - CallNextHookEx
0x418314 - ValidateRect
0x418318 - SetWindowsHookExA
0x41831c - GetLastActivePopup
0x418320 - SetCursor
0x418324 - PostMessageA
0x418328 - PostQuitMessage
0x41832c - SetForegroundWindow
0x418330 - GetActiveWindow
0x418334 - GetForegroundWindow
0x418338 - IsWindowEnabled
0x41833c - EnableWindow
0x418340 - GetParent
0x418344 - GetWindow
0x418348 - PtInRect
0x41834c - IsWindowVisible
0x418350 - GetWindowLongA
0x418354 - GetWindowTextA
0x418358 - GetCursorPos
0x41835c - SetWindowLongA
0x418360 - GetDlgItem
0x418364 - ShowWindow
0x418368 - SystemParametersInfoA
0x41836c - GetDC
0x418370 - FindWindowA
0x418374 - GetWindowThreadProcessId
0x418378 - GetClassNameA
0x41837c - SendMessageA
0x418380 - GetWindowRect
0x418384 - GetSystemMetrics
0x418388 - PeekMessageA
0x41838c - GetMessageA
0x418390 - TranslateMessage
0x418394 - DispatchMessageA
0x418398 - wsprintfA
0x41839c - MessageBoxA
0x4183a0 - ReleaseDC
0x4183a4 - UnregisterClassA
Library GDI32.dll:
0x41801c - SetBkColor
0x418020 - RestoreDC
0x418024 - GetObjectA
0x418028 - GetStockObject
0x41802c - SaveDC
0x418030 - SetTextColor
0x418034 - SetMapMode
0x418038 - SetViewportOrgEx
0x41803c - OffsetViewportOrgEx
0x418040 - SetViewportExtEx
0x418044 - ScaleViewportExtEx
0x418048 - SetWindowExtEx
0x41804c - ScaleWindowExtEx
0x418050 - GetClipBox
0x418054 - CreateBitmap
0x418058 - PtVisible
0x41805c - RectVisible
0x418060 - TextOutA
0x418064 - ExtTextOutA
0x418068 - Escape
0x41806c - GetDeviceCaps
0x418070 - SelectObject
0x418074 - DeleteDC
0x418078 - DeleteObject
Library WINSPOOL.DRV:
0x4183ac - DocumentPropertiesA
0x4183b0 - ClosePrinter
0x4183b4 - OpenPrinterA
Library ADVAPI32.dll:
0x418000 - RegSetValueExA
0x418004 - RegCreateKeyExA
0x418008 - RegCloseKey
0x41800c - RegOpenKeyExA
Library SHELL32.dll:
0x418234 - SHGetSpecialFolderPathA
Library COMCTL32.dll:
0x418014 - None (unnamed import, resolved by ordinal)

Dropped files

No information

Behavior analysis

Mutexes
  • Local\MSCTF.Asm.MutexDefault1
Commands executed
  • C:\PHHYGHFIRBZKFYC.dll
Services created   No information
Services started   No information

Processes

Kay.exe PID: 2556, parent PID: 2176

PHHYGHFIRBZKFYC.dll PID: 2656, parent PID: 2556

Files accessed
  • C:\Windows\AWMMark.ini
  • C:\PHHYGHFIRBZKFYC.dll
  • C:\Windows\Fonts\staticcache.dat
  • C:\Windows\Globalization\Sorting\sortdefault.nls
  • C:\imageres.dll
  • C:\Windows\System32\imageres.dll
  • C:\Windows\System32\zh-CN\imageres.dll.mui
  • C:\Windows\sysnative\zh-CN\imageres.dll.mui
  • C:\Windows\System32\zh-Hans\imageres.dll.mui
  • C:\Windows\System32\zh\imageres.dll.mui
  • C:\Windows\System32\en-US\imageres.dll.mui
  • \Device\KsecDD
Files read
  • C:\Windows\AWMMark.ini
  • C:\Windows\Fonts\staticcache.dat
  • C:\Windows\Globalization\Sorting\sortdefault.nls
  • C:\Windows\System32\imageres.dll
  • C:\Windows\System32\zh-CN\imageres.dll.mui
  • C:\Windows\sysnative\zh-CN\imageres.dll.mui
  • C:\Windows\System32\zh-Hans\imageres.dll.mui
  • C:\Windows\System32\zh\imageres.dll.mui
  • C:\Windows\System32\en-US\imageres.dll.mui
  • \Device\KsecDD
Files modified
  • C:\Windows\AWMMark.ini
  • C:\PHHYGHFIRBZKFYC.dll
Files deleted   No information
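The process tree and file lists above record the sample's core behaviour: Kay.exe (PID 2556) wrote C:\Windows\AWMMark.ini and C:\PHHYGHFIRBZKFYC.dll, then started the .dll file as a new process (PID 2656), consistent with the imported CreateProcessA, WriteFile and WritePrivateProfileStringA. Two points matter for triage. The .dll extension is cosmetic: CreateProcess does not check file extensions, so the existence of PID 2656 means the file is an EXE-format PE under a misleading name. And the dropped-files section reports nothing even though the file was written and executed, so this run did not collect the payload and it has to be retrieved from the VM separately. The block below is an added example, not Maldun's code: detection logic that correlates file-write and process-create events from the same parent and stacks the weaker name and location heuristics this sample exhibits. The events are constructed from the report; the event schema, the timestamps and the benign notepad.exe control event are assumptions.

```python
"""Drop-and-execute detection over sandbox events.  Added example, not
Maldun's code.  The events are constructed from this report's process tree
(Kay.exe PID 2556 -> PHHYGHFIRBZKFYC.dll PID 2656) and file list; the event
schema, timestamps and the benign control event are assumptions."""
from dataclasses import dataclass
import ntpath
import re


@dataclass(frozen=True)
class Event:
    ts: float
    kind: str           # "file_write" or "process_create"
    pid: int            # the process performing the action
    path: str           # file written, or image path of the new process
    child_pid: int = 0  # set for process_create


EXEC_EXTENSIONS = {".exe", ".com", ".scr"}
RANDOM_NAME = re.compile(r"^[A-Z]{12,}$")  # heuristic for names like PHHYGHFIRBZKFYC


def in_drive_root(path: str) -> bool:
    """True for C:\\foo.dll, False for C:\\Windows\\foo.dll (ntpath works off-Windows)."""
    drive, rest = ntpath.splitdrive(ntpath.dirname(path))
    return bool(drive) and rest in ("\\", "")


def drop_and_execute(events):
    """Return (parent_pid, child_pid, image, reasons) for every process start
    that looks like a dropper executing its own payload.  The strongest reason
    is a file_write of the same path by the same pid earlier in the timeline;
    the others are weaker name/location heuristics that stack on top."""
    written = {}  # (pid, lowercased path) -> ts of first write
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        key = (ev.pid, ev.path.lower())
        if ev.kind == "file_write":
            written.setdefault(key, ev.ts)
            continue
        if ev.kind != "process_create":
            continue
        reasons = []
        if key in written:
            reasons.append("image written by parent before execution")
        stem, ext = ntpath.splitext(ntpath.basename(ev.path))
        if ext.lower() not in EXEC_EXTENSIONS:
            # CreateProcess ignores the extension; a running ".dll" is an
            # EXE-format PE wearing a misleading name.
            reasons.append(f"process image has non-executable extension {ext!r}")
        if RANDOM_NAME.match(stem):
            reasons.append("random-looking uppercase image name")
        if in_drive_root(ev.path):
            reasons.append("image located in drive root")
        if reasons:
            alerts.append((ev.pid, ev.child_pid, ev.path, reasons))
    return alerts


SAMPLE_EVENTS = [  # constructed from the report; timestamps are assumed
    Event(1.0, "file_write", 2556, r"C:\Windows\AWMMark.ini"),
    Event(2.0, "file_write", 2556, r"C:\PHHYGHFIRBZKFYC.dll"),
    Event(3.0, "process_create", 2556, r"C:\PHHYGHFIRBZKFYC.dll", child_pid=2656),
    # benign control: a process start with no prior write by the same pid
    Event(4.0, "process_create", 2176, r"C:\Windows\System32\notepad.exe", child_pid=2700),
]


if __name__ == "__main__":
    for parent, child, image, reasons in drop_and_execute(SAMPLE_EVENTS):
        print(f"PID {parent} -> PID {child} {image}")
        for r in reasons:
            print(f"  - {r}")
```

The write-then-execute correlation keyed on (pid, path) is the signal worth alerting on; the extension, name-pattern and drive-root checks are heuristics that a careless installer can also trip, so weight them as supporting evidence. On a real endpoint the path correlation should also follow renames, since this sample imports MoveFileA and could write the payload under one name and execute it under another.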
Registry keys
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\WMR
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane2
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane3
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane4
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane5
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane6
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane7
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane8
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane9
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane10
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane11
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane12
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane13
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane14
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane15
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane16
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\PHHYGHFIRBZKFYC.dll
  • HKEY_LOCAL_MACHINE\Software\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{03B5835F-F03C-411B-9CE2-AA23E1171E36}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{07EB03D6-B001-41DF-9192-BF9B841EE71F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3697C5FA-60DD-4B56-92D4-74A569205C16}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3FC47A08-E5C9-4BCA-A2C7-BC9A282AED14}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{531FDEBF-9B4C-4A43-A2AA-960E8FCDC732}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{78CB5B0E-26ED-4FCC-854C-77E8F3D1AA80}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{81D4E9C9-1D3B-41BC-9E6C-4B40BF79E35E}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{8613E14C-D0C0-4161-AC0F-1DD2563286BC}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{A028AE76-01B1-46C2-99C4-ACD9858AE02F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{AE6BE008-07FB-400D-8BEB-337A64F7051F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{C1EE01F2-B3B6-4A6A-9DDD-E988C088EC82}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{E429B25A-E5D3-4D1F-9BE3-0C608477E3A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F25E9F57-2FC8-4EB3-A41A-CCE5F08541E6}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F89E9E58-BD2F-4008-9AC2-0F816C09F4EE}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_CURRENT_USER
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
  • HKEY_CURRENT_USER\Software\Microsoft\CTF\DirectSwitchHotkeys
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
  • HKEY_CURRENT_USER\Software\Microsoft\CTF\LayoutIcon\0804\00000804
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\KnownClasses
Registry keys read
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane2
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane3
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane4
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane5
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane6
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane7
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane8
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane9
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane10
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane11
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane12
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane13
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane14
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane15
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane16
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
Registry keys modified   No information
Registry keys deleted    No information
APIs resolved at run time
  • kernel32.dll.IsProcessorFeaturePresent
  • gdi32.dll.GetLayout
  • gdi32.dll.GdiRealizationInfo
  • gdi32.dll.FontIsLinked
  • advapi32.dll.RegOpenKeyExW
  • advapi32.dll.RegQueryInfoKeyW
  • gdi32.dll.GetTextFaceAliasW
  • advapi32.dll.RegEnumValueW
  • advapi32.dll.RegCloseKey
  • advapi32.dll.RegQueryValueExW
  • advapi32.dll.RegQueryValueExA
  • advapi32.dll.RegEnumKeyExW
  • gdi32.dll.GetTextExtentExPointWPri
  • comctl32.dll.RegisterClassNameW
  • kernel32.dll.SortGetHandle
  • kernel32.dll.SortCloseHandle
  • uxtheme.dll.EnableThemeDialogTexture
  • uxtheme.dll.OpenThemeData
  • ole32.dll.CoInitializeEx
  • ole32.dll.CoUninitialize
  • cryptbase.dll.SystemFunction036
  • ole32.dll.CoRegisterInitializeSpy
  • ole32.dll.CoRevokeInitializeSpy
  • oleaut32.dll.SysAllocString
  • oleaut32.dll.SysStringLen
  • oleaut32.dll.SysFreeString
  • oleaut32.dll.#500