魔盾安全分析报告

分析类型	开始时间	结束时间	持续时间	分析引擎版本
FILE	2022-08-19 14:21:41	2022-08-19 14:22:30	49 秒	1.4-Maldun

虚拟机机器名	标签	虚拟机管理	开机时间	关机时间
win7-sp1-x64-shaapp02-2	win7-sp1-x64-shaapp02-2	KVM	2022-08-19 14:21:43	2022-08-19 14:22:31

魔盾分数
10.0 恶意的

文件详细信息

文件名	杏雨梨云启动维护系统.exe
文件大小	4386872 字节
文件类型	PE32 executable (GUI) Intel 80386, for MS Windows
CRC32	0C70510D
MD5	f887c1ce1e4b260d5a82e3e1e91b55e9
SHA1	81a9931e61b367a4550ef11bc5e514fa85f8f429
SHA256	70f557edd49712e17b2996547bd24df1a9e83ae142969d1cc1a554ed75a916a9
SHA512	077ee14963b9b53f29a441e09aa35294a674b82aa4bd2426dd64f87dbcc024585641842e74bb7d54c82da358ae68c08ad200225a0406374a789c13b0cfb1e57c
Ssdeep	98304:5TYbInQVB80dOZO9mVOeoKmR/AvpdwdLI9j:5cb2gOg9O6aB6
PEiD	无匹配
Yara	DebuggerTiming__PerformanceCounter () anti_dbg (Detected self protection if being debugged) inject_thread (Detected code injection function with CreateRemoteThread in a remote process) network_http (Detected communications function over HTTP) screenshot (Detected take screenshot function) create_process (Detection function for creating a new process) escalate_priv (Detected escalate priviledges function) keylogger (Detected keylogger function) win_registry (Detected system registries modification function) win_token (Affect system token) win_files_operation (Affect private profile) Maldun_Anomoly_Combined_Activities_Network_Logging (Spotted potential abnormal behaviors, like logging and network communications) Maldun_Anomoly_Combined_Activities_7 (Spotted potential malicious behaviors from a small size target, like process manipultion, privilege, token and files) IsPE32 (Detected a 32bit PE sample) IsWindowsGUI (Detected a Windows GUI sample) IsPacked (Detected Entropy signature) HasOverlay (Detected Overlay signature) HasDebugData (Detected Debug Data) HasRichSignature (Detected Rich Signature) AutoIt (Detected the compiler AutoIt) CRC32_poly_Constant (Look for CRC32 [poly]) CRC32_table (Look for CRC32 table) with_urls (Detected the presence of an or several urls)
VirusTotal	VirusTotal查询失败

特征

创建RWX内存

魔盾wping.org IP地址信誉系统

Greylist: 207.246.127.148

发起了一些HTTP请求

URL: http://cacerts.pki.jemmylovejenny.tk/EVRootCA.crt

二进制文件可能包含加密或压缩数据

section: name: .rsrc, entropy: 7.48, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ, raw_size: 0x00357200, virtual_size: 0x00357119

生成可疑网络流量，可能被用来进行恶意活动

signature: ET POLICY HTTP Request to a *.tk domain

检测到网络活动但没有显示在API日志中

country_name: United States

ip: 207.246.127.148

inaddrarpa:

hostname: cacerts.pki.jemmylovejenny.tk

score: 5

ip: 207.246.127.148

domain: cacerts.pki.jemmylovejenny.tk

可疑的样本异常终止

魔盾安全Yara规则检测结果 - 高危

Warning: Detected code injection function with CreateRemoteThread in a remote process

Critical: Spotted potential abnormal behaviors, like logging and network communications

Critical: Spotted potential malicious behaviors from a small size target, like process manipultion, privilege, token and files

Informational: Detected the compiler AutoIt

运行截图

无运行截图

网络分析

访问主机记录

直接访问	IP地址	国家名
否	207.246.127.148	United States

域名解析

域名	响应
cacerts.pki.jemmylovejenny.tk	A 207.246.127.148

TCP连接

IP地址	端口
207.246.127.148	80
23.202.50.136	80

UDP连接

IP地址	端口
192.168.122.1	53
192.168.122.1	53

HTTP请求

URL	HTTP数据
http://acroipm.adobe.com/11/rdr/CHS/win/nooem/none/message.zip	GET /11/rdr/CHS/win/nooem/none/message.zip HTTP/1.1 Accept: / If-Modified-Since: Mon, 08 Nov 2017 08:44:36 GMT User-Agent: IPM Host: acroipm.adobe.com Connection: Keep-Alive Cache-Control: no-cache
http://cacerts.pki.jemmylovejenny.tk/EVRootCA.crt	GET /EVRootCA.crt HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Microsoft-CryptoAPI/6.1 Host: cacerts.pki.jemmylovejenny.tk

URL

HTTP数据

http://acroipm.adobe.com/11/rdr/CHS/win/nooem/none/message.zip

GET /11/rdr/CHS/win/nooem/none/message.zip HTTP/1.1
Accept: */*
If-Modified-Since: Mon, 08 Nov 2017 08:44:36 GMT
User-Agent: IPM
Host: acroipm.adobe.com
Connection: Keep-Alive
Cache-Control: no-cache

http://cacerts.pki.jemmylovejenny.tk/EVRootCA.crt

GET /EVRootCA.crt HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: cacerts.pki.jemmylovejenny.tk

静态分析

PE 信息

初始地址	0x00400000
入口地址	0x004204f7
声明校验值	0x0043266a
实际校验值	0x0043266a
最低操作系统版本要求	5.1
编译时间	2022-05-25 08:14:23
载入哈希	0b768923437678ce375719e30b21693e

版本信息

LegalCopyright:	Free https://www.xyboot.com/
FileVersion:	20.22.05.28
CompanyName:	https://www.xyboot.com/
Comments:	Compiled 2022Q2
ProductName:	\u674f\u96e8\u68a8\u4e91\u542f\u52a8\u7ef4\u62a4\u7cfb\u7edf
ProductVersion:	20.22.05.28
FileDescription:	\u674f\u96e8\u68a8\u4e91\u542f\u52a8\u7ef4\u62a4\u7cfb\u7edf
Translation:	0x0804 0x04b0

PE数据组成

名称	虚拟地址	虚拟大小	原始数据大小	特征	熵(Entropy)
.text	0x00001000	0x0009aa37	0x0009ac00	IMAGE_SCN_CNT_CODE\|IMAGE_SCN_MEM_EXECUTE\|IMAGE_SCN_MEM_READ	6.67
.rdata	0x0009c000	0x0002fb92	0x0002fc00	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ	5.69
.data	0x000cc000	0x0000705c	0x00004800	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ\|IMAGE_SCN_MEM_WRITE	0.58
.rsrc	0x000d4000	0x00357119	0x00357200	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ	7.48
.reloc	0x0042c000	0x000075cc	0x00007600	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_DISCARDABLE\|IMAGE_SCN_MEM_READ	6.80

导入

库 WSOCK32.dll:

• 0x49c7d8 - gethostbyname

• 0x49c7dc - recv

• 0x49c7e0 - send

• 0x49c7e4 - socket

• 0x49c7e8 - inet_ntoa

• 0x49c7ec - setsockopt

• 0x49c7f0 - ntohs

• 0x49c7f4 - WSACleanup

• 0x49c7f8 - WSAStartup

• 0x49c7fc - sendto

• 0x49c800 - htons

• 0x49c804 - __WSAFDIsSet

• 0x49c808 - select

• 0x49c80c - accept

• 0x49c810 - listen

• 0x49c814 - bind

• 0x49c818 - inet_addr

• 0x49c81c - ioctlsocket

• 0x49c820 - recvfrom

• 0x49c824 - WSAGetLastError

• 0x49c828 - closesocket

• 0x49c82c - gethostname

• 0x49c830 - connect

库 VERSION.dll:

• 0x49c77c - GetFileVersionInfoW

• 0x49c780 - VerQueryValueW

• 0x49c784 - GetFileVersionInfoSizeW

库 WINMM.dll:

• 0x49c7c8 - timeGetTime

• 0x49c7cc - waveOutSetVolume

• 0x49c7d0 - mciSendStringW

库 COMCTL32.dll:

• 0x49c088 - ImageList_ReplaceIcon

• 0x49c08c - ImageList_Destroy

• 0x49c090 - ImageList_Remove

• 0x49c094 - ImageList_SetDragCursorImage

• 0x49c098 - ImageList_BeginDrag

• 0x49c09c - ImageList_DragEnter

• 0x49c0a0 - ImageList_DragLeave

• 0x49c0a4 - ImageList_EndDrag

• 0x49c0a8 - ImageList_DragMove

• 0x49c0ac - InitCommonControlsEx

• 0x49c0b0 - ImageList_Create

库 MPR.dll:

• 0x49c408 - WNetGetConnectionW

• 0x49c40c - WNetCancelConnection2W

• 0x49c410 - WNetUseConnectionW

• 0x49c414 - WNetAddConnection2W

库 WININET.dll:

• 0x49c78c - HttpOpenRequestW

• 0x49c790 - InternetCloseHandle

• 0x49c794 - InternetOpenW

• 0x49c798 - InternetSetOptionW

• 0x49c79c - InternetCrackUrlW

• 0x49c7a0 - HttpQueryInfoW

• 0x49c7a4 - InternetQueryOptionW

• 0x49c7a8 - InternetConnectW

• 0x49c7ac - HttpSendRequestW

• 0x49c7b0 - FtpOpenFileW

• 0x49c7b4 - FtpGetFileSize

• 0x49c7b8 - InternetOpenUrlW

• 0x49c7bc - InternetReadFile

• 0x49c7c0 - InternetQueryDataAvailable

库 PSAPI.DLL:

• 0x49c494 - GetProcessMemoryInfo

库 IPHLPAPI.DLL:

• 0x49c154 - IcmpSendEcho

• 0x49c158 - IcmpCloseHandle

• 0x49c15c - IcmpCreateFile

库 USERENV.dll:

• 0x49c760 - DestroyEnvironmentBlock

• 0x49c764 - LoadUserProfileW

• 0x49c768 - CreateEnvironmentBlock

• 0x49c76c - UnloadUserProfile

库 UxTheme.dll:

• 0x49c774 - IsThemeActive

库 KERNEL32.dll:

• 0x49c164 - DuplicateHandle

• 0x49c168 - CreateThread

• 0x49c16c - WaitForSingleObject

• 0x49c170 - HeapAlloc

• 0x49c174 - GetProcessHeap

• 0x49c178 - HeapFree

• 0x49c17c - Sleep

• 0x49c180 - GetCurrentThreadId

• 0x49c184 - MultiByteToWideChar

• 0x49c188 - MulDiv

• 0x49c18c - GetVersionExW

• 0x49c190 - IsWow64Process

• 0x49c194 - GetSystemInfo

• 0x49c198 - FreeLibrary

• 0x49c19c - LoadLibraryA

• 0x49c1a0 - GetProcAddress

• 0x49c1a4 - SetErrorMode

• 0x49c1a8 - GetModuleFileNameW

• 0x49c1ac - WideCharToMultiByte

• 0x49c1b0 - lstrcpyW

• 0x49c1b4 - lstrlenW

• 0x49c1b8 - GetModuleHandleW

• 0x49c1bc - QueryPerformanceCounter

• 0x49c1c0 - VirtualFreeEx

• 0x49c1c4 - OpenProcess

• 0x49c1c8 - VirtualAllocEx

• 0x49c1cc - WriteProcessMemory

• 0x49c1d0 - ReadProcessMemory

• 0x49c1d4 - CreateFileW

• 0x49c1d8 - SetFilePointerEx

• 0x49c1dc - SetEndOfFile

• 0x49c1e0 - ReadFile

• 0x49c1e4 - WriteFile

• 0x49c1e8 - FlushFileBuffers

• 0x49c1ec - TerminateProcess

• 0x49c1f0 - CreateToolhelp32Snapshot

• 0x49c1f4 - Process32FirstW

• 0x49c1f8 - Process32NextW

• 0x49c1fc - SetFileTime

• 0x49c200 - GetFileAttributesW

• 0x49c204 - FindFirstFileW

• 0x49c208 - FindClose

• 0x49c20c - GetLongPathNameW

• 0x49c210 - GetShortPathNameW

• 0x49c214 - DeleteFileW

• 0x49c218 - IsDebuggerPresent

• 0x49c21c - CopyFileExW

• 0x49c220 - MoveFileW

• 0x49c224 - CreateDirectoryW

• 0x49c228 - RemoveDirectoryW

• 0x49c22c - SetSystemPowerState

• 0x49c230 - QueryPerformanceFrequency

• 0x49c234 - LoadResource

• 0x49c238 - LockResource

• 0x49c23c - SizeofResource

• 0x49c240 - OutputDebugStringW

• 0x49c244 - GetTempPathW

• 0x49c248 - GetTempFileNameW

• 0x49c24c - DeviceIoControl

• 0x49c250 - GetLocalTime

• 0x49c254 - CompareStringW

• 0x49c258 - GetCurrentThread

• 0x49c25c - LeaveCriticalSection

• 0x49c260 - GetStdHandle

• 0x49c264 - CreatePipe

• 0x49c268 - InterlockedExchange

• 0x49c26c - TerminateThread

• 0x49c270 - LoadLibraryExW

• 0x49c274 - FindResourceExW

• 0x49c278 - CopyFileW

• 0x49c27c - VirtualFree

• 0x49c280 - FormatMessageW

• 0x49c284 - GetExitCodeProcess

• 0x49c288 - GetPrivateProfileStringW

• 0x49c28c - WritePrivateProfileStringW

• 0x49c290 - GetPrivateProfileSectionW

• 0x49c294 - WritePrivateProfileSectionW

• 0x49c298 - GetPrivateProfileSectionNamesW

• 0x49c29c - FileTimeToLocalFileTime

• 0x49c2a0 - FileTimeToSystemTime

• 0x49c2a4 - SystemTimeToFileTime

• 0x49c2a8 - LocalFileTimeToFileTime

• 0x49c2ac - GetDriveTypeW

• 0x49c2b0 - GetDiskFreeSpaceExW

• 0x49c2b4 - GetDiskFreeSpaceW

• 0x49c2b8 - GetVolumeInformationW

• 0x49c2bc - SetVolumeLabelW

• 0x49c2c0 - CreateHardLinkW

• 0x49c2c4 - SetFileAttributesW

• 0x49c2c8 - CreateEventW

• 0x49c2cc - SetEvent

• 0x49c2d0 - GetEnvironmentVariableW

• 0x49c2d4 - SetEnvironmentVariableW

• 0x49c2d8 - GlobalLock

• 0x49c2dc - GlobalUnlock

• 0x49c2e0 - GlobalAlloc

• 0x49c2e4 - GetFileSize

• 0x49c2e8 - GlobalFree

• 0x49c2ec - GlobalMemoryStatusEx

• 0x49c2f0 - Beep

• 0x49c2f4 - GetSystemDirectoryW

• 0x49c2f8 - HeapReAlloc

• 0x49c2fc - HeapSize

• 0x49c300 - GetComputerNameW

• 0x49c304 - GetWindowsDirectoryW

• 0x49c308 - GetCurrentProcessId

• 0x49c30c - GetProcessIoCounters

• 0x49c310 - CreateProcessW

• 0x49c314 - GetProcessId

• 0x49c318 - SetPriorityClass

• 0x49c31c - LoadLibraryW

• 0x49c320 - VirtualAlloc

• 0x49c324 - GetCurrentDirectoryW

• 0x49c328 - lstrcmpiW

• 0x49c32c - DecodePointer

• 0x49c330 - GetLastError

• 0x49c334 - RaiseException

• 0x49c338 - InitializeCriticalSectionAndSpinCount

• 0x49c33c - DeleteCriticalSection

• 0x49c340 - InterlockedDecrement

• 0x49c344 - InterlockedIncrement

• 0x49c348 - ResetEvent

• 0x49c34c - WaitForSingleObjectEx

• 0x49c350 - IsProcessorFeaturePresent

• 0x49c354 - UnhandledExceptionFilter

• 0x49c358 - SetUnhandledExceptionFilter

• 0x49c35c - GetCurrentProcess

• 0x49c360 - CloseHandle

• 0x49c364 - GetFullPathNameW

• 0x49c368 - EnterCriticalSection

• 0x49c36c - GetStartupInfoW

• 0x49c370 - GetSystemTimeAsFileTime

• 0x49c374 - InitializeSListHead

• 0x49c378 - RtlUnwind

• 0x49c37c - SetLastError

• 0x49c380 - TlsAlloc

• 0x49c384 - TlsGetValue

• 0x49c388 - TlsSetValue

• 0x49c38c - TlsFree

• 0x49c390 - EncodePointer

• 0x49c394 - ExitProcess

• 0x49c398 - GetModuleHandleExW

• 0x49c39c - ExitThread

• 0x49c3a0 - ResumeThread

• 0x49c3a4 - FreeLibraryAndExitThread

• 0x49c3a8 - GetACP

• 0x49c3ac - GetDateFormatW

• 0x49c3b0 - GetTimeFormatW

• 0x49c3b4 - LCMapStringW

• 0x49c3b8 - GetStringTypeW

• 0x49c3bc - GetFileType

• 0x49c3c0 - SetStdHandle

• 0x49c3c4 - GetConsoleCP

• 0x49c3c8 - GetConsoleMode

• 0x49c3cc - ReadConsoleW

• 0x49c3d0 - GetTimeZoneInformation

• 0x49c3d4 - FindFirstFileExW

• 0x49c3d8 - IsValidCodePage

• 0x49c3dc - GetOEMCP

• 0x49c3e0 - GetCPInfo

• 0x49c3e4 - GetCommandLineA

• 0x49c3e8 - GetCommandLineW

• 0x49c3ec - GetEnvironmentStringsW

• 0x49c3f0 - FreeEnvironmentStringsW

• 0x49c3f4 - SetEnvironmentVariableA

• 0x49c3f8 - SetCurrentDirectoryW

• 0x49c3fc - FindNextFileW

• 0x49c400 - WriteConsoleW

库 USER32.dll:

• 0x49c4dc - IsCharAlphaW

• 0x49c4e0 - IsCharAlphaNumericW

• 0x49c4e4 - IsCharLowerW

• 0x49c4e8 - IsCharUpperW

• 0x49c4ec - GetMenuStringW

• 0x49c4f0 - GetSubMenu

• 0x49c4f4 - GetCaretPos

• 0x49c4f8 - IsZoomed

• 0x49c4fc - MonitorFromPoint

• 0x49c500 - GetMonitorInfoW

• 0x49c504 - SetWindowLongW

• 0x49c508 - SetLayeredWindowAttributes

• 0x49c50c - FlashWindow

• 0x49c510 - GetClassLongW

• 0x49c514 - TranslateAcceleratorW

• 0x49c518 - IsDialogMessageW

• 0x49c51c - GetSysColor

• 0x49c520 - InflateRect

• 0x49c524 - DrawFocusRect

• 0x49c528 - DrawTextW

• 0x49c52c - FrameRect

• 0x49c530 - DrawFrameControl

• 0x49c534 - FillRect

• 0x49c538 - PtInRect

• 0x49c53c - DestroyAcceleratorTable

• 0x49c540 - CreateAcceleratorTableW

• 0x49c544 - SetCursor

• 0x49c548 - GetWindowDC

• 0x49c54c - GetSystemMetrics

• 0x49c550 - GetActiveWindow

• 0x49c554 - CharNextW

• 0x49c558 - wsprintfW

• 0x49c55c - RedrawWindow

• 0x49c560 - DrawMenuBar

• 0x49c564 - DestroyMenu

• 0x49c568 - SetMenu

• 0x49c56c - GetWindowTextLengthW

• 0x49c570 - CreateMenu

• 0x49c574 - IsDlgButtonChecked

• 0x49c578 - DefDlgProcW

• 0x49c57c - CallWindowProcW

• 0x49c580 - ReleaseCapture

• 0x49c584 - SetCapture

• 0x49c588 - TranslateMessage

• 0x49c58c - PeekMessageW

• 0x49c590 - GetInputState

• 0x49c594 - UnregisterHotKey

• 0x49c598 - CharLowerBuffW

• 0x49c59c - MonitorFromRect

• 0x49c5a0 - LoadImageW

• 0x49c5a4 - mouse_event

• 0x49c5a8 - ExitWindowsEx

• 0x49c5ac - SetActiveWindow

• 0x49c5b0 - FindWindowExW

• 0x49c5b4 - EnumThreadWindows

• 0x49c5b8 - SetMenuDefaultItem

• 0x49c5bc - InsertMenuItemW

• 0x49c5c0 - IsMenu

• 0x49c5c4 - GetKeyboardLayoutNameW

• 0x49c5c8 - GetCursorPos

• 0x49c5cc - DeleteMenu

• 0x49c5d0 - CheckMenuRadioItem

• 0x49c5d4 - GetMenuItemID

• 0x49c5d8 - GetMenuItemCount

• 0x49c5dc - SetMenuItemInfoW

• 0x49c5e0 - GetMenuItemInfoW

• 0x49c5e4 - SetForegroundWindow

• 0x49c5e8 - IsIconic

• 0x49c5ec - FindWindowW

• 0x49c5f0 - SystemParametersInfoW

• 0x49c5f4 - GetMessageW

• 0x49c5f8 - SendInput

• 0x49c5fc - GetAsyncKeyState

• 0x49c600 - SetKeyboardState

• 0x49c604 - GetKeyboardState

• 0x49c608 - GetKeyState

• 0x49c60c - VkKeyScanW

• 0x49c610 - LoadStringW

• 0x49c614 - DialogBoxParamW

• 0x49c618 - MessageBeep

• 0x49c61c - EndDialog

• 0x49c620 - SendDlgItemMessageW

• 0x49c624 - GetDlgItem

• 0x49c628 - SetWindowTextW

• 0x49c62c - CopyRect

• 0x49c630 - EndPaint

• 0x49c634 - BeginPaint

• 0x49c638 - GetClientRect

• 0x49c63c - GetMenu

• 0x49c640 - DestroyWindow

• 0x49c644 - EnumWindows

• 0x49c648 - GetDesktopWindow

• 0x49c64c - IsWindow

• 0x49c650 - IsWindowEnabled

• 0x49c654 - IsWindowVisible

• 0x49c658 - EnableWindow

• 0x49c65c - InvalidateRect

• 0x49c660 - GetWindowLongW

• 0x49c664 - ReleaseDC

• 0x49c668 - GetDC

• 0x49c66c - GetWindowThreadProcessId

• 0x49c670 - AttachThreadInput

• 0x49c674 - GetFocus

• 0x49c678 - GetWindowTextW

• 0x49c67c - SendMessageTimeoutW

• 0x49c680 - EnumChildWindows

• 0x49c684 - CharUpperBuffW

• 0x49c688 - GetClassNameW

• 0x49c68c - GetParent

• 0x49c690 - GetDlgCtrlID

• 0x49c694 - SendMessageW

• 0x49c698 - MapVirtualKeyW

• 0x49c69c - PostMessageW

• 0x49c6a0 - GetWindowRect

• 0x49c6a4 - SetUserObjectSecurity

• 0x49c6a8 - CloseDesktop

• 0x49c6ac - CloseWindowStation

• 0x49c6b0 - OpenDesktopW

• 0x49c6b4 - ClientToScreen

• 0x49c6b8 - RegisterHotKey

• 0x49c6bc - GetCursorInfo

• 0x49c6c0 - SetWindowPos

• 0x49c6c4 - CopyImage

• 0x49c6c8 - AdjustWindowRectEx

• 0x49c6cc - SetRect

• 0x49c6d0 - SetClipboardData

• 0x49c6d4 - EmptyClipboard

• 0x49c6d8 - CountClipboardFormats

• 0x49c6dc - CloseClipboard

• 0x49c6e0 - GetClipboardData

• 0x49c6e4 - IsClipboardFormatAvailable

• 0x49c6e8 - OpenClipboard

• 0x49c6ec - TrackPopupMenuEx

• 0x49c6f0 - BlockInput

• 0x49c6f4 - SetProcessWindowStation

• 0x49c6f8 - GetProcessWindowStation

• 0x49c6fc - OpenWindowStationW

• 0x49c700 - GetUserObjectSecurity

• 0x49c704 - MessageBoxW

• 0x49c708 - DefWindowProcW

• 0x49c70c - MoveWindow

• 0x49c710 - SetFocus

• 0x49c714 - PostQuitMessage

• 0x49c718 - KillTimer

• 0x49c71c - CreatePopupMenu

• 0x49c720 - RegisterWindowMessageW

• 0x49c724 - SetTimer

• 0x49c728 - ShowWindow

• 0x49c72c - CreateWindowExW

• 0x49c730 - RegisterClassExW

• 0x49c734 - LoadIconW

• 0x49c738 - LoadCursorW

• 0x49c73c - GetSysColorBrush

• 0x49c740 - GetForegroundWindow

• 0x49c744 - MessageBoxA

• 0x49c748 - DestroyIcon

• 0x49c74c - LockWindowUpdate

• 0x49c750 - keybd_event

• 0x49c754 - DispatchMessageW

• 0x49c758 - ScreenToClient

库 GDI32.dll:

• 0x49c0c4 - EndPath

• 0x49c0c8 - DeleteObject

• 0x49c0cc - GetTextExtentPoint32W

• 0x49c0d0 - ExtCreatePen

• 0x49c0d4 - StrokeAndFillPath

• 0x49c0d8 - GetDeviceCaps

• 0x49c0dc - SetPixel

• 0x49c0e0 - CloseFigure

• 0x49c0e4 - LineTo

• 0x49c0e8 - AngleArc

• 0x49c0ec - MoveToEx

• 0x49c0f0 - Ellipse

• 0x49c0f4 - CreateCompatibleBitmap

• 0x49c0f8 - CreateCompatibleDC

• 0x49c0fc - PolyDraw

• 0x49c100 - BeginPath

• 0x49c104 - Rectangle

• 0x49c108 - SetViewportOrgEx

• 0x49c10c - GetObjectW

• 0x49c110 - SetBkMode

• 0x49c114 - RoundRect

• 0x49c118 - SetBkColor

• 0x49c11c - CreatePen

• 0x49c120 - SelectObject

• 0x49c124 - StretchBlt

• 0x49c128 - CreateSolidBrush

• 0x49c12c - SetTextColor

• 0x49c130 - CreateFontW

• 0x49c134 - GetTextFaceW

• 0x49c138 - GetStockObject

• 0x49c13c - CreateDCW

• 0x49c140 - GetPixel

• 0x49c144 - DeleteDC

• 0x49c148 - GetDIBits

• 0x49c14c - StrokePath

库 COMDLG32.dll:

• 0x49c0b8 - GetSaveFileNameW

• 0x49c0bc - GetOpenFileNameW

库 ADVAPI32.dll:

• 0x49c000 - GetAce

• 0x49c004 - RegEnumValueW

• 0x49c008 - RegDeleteValueW

• 0x49c00c - RegDeleteKeyW

• 0x49c010 - RegEnumKeyExW

• 0x49c014 - RegSetValueExW

• 0x49c018 - RegOpenKeyExW

• 0x49c01c - RegCloseKey

• 0x49c020 - RegQueryValueExW

• 0x49c024 - RegConnectRegistryW

• 0x49c028 - InitializeSecurityDescriptor

• 0x49c02c - InitializeAcl

• 0x49c030 - AdjustTokenPrivileges

• 0x49c034 - OpenThreadToken

• 0x49c038 - OpenProcessToken

• 0x49c03c - LookupPrivilegeValueW

• 0x49c040 - DuplicateTokenEx

• 0x49c044 - CreateProcessAsUserW

• 0x49c048 - CreateProcessWithLogonW

• 0x49c04c - GetLengthSid

• 0x49c050 - CopySid

• 0x49c054 - LogonUserW

• 0x49c058 - AllocateAndInitializeSid

• 0x49c05c - CheckTokenMembership

• 0x49c060 - FreeSid

• 0x49c064 - GetTokenInformation

• 0x49c068 - RegCreateKeyExW

• 0x49c06c - GetSecurityDescriptorDacl

• 0x49c070 - GetAclInformation

• 0x49c074 - GetUserNameW

• 0x49c078 - AddAce

• 0x49c07c - SetSecurityDescriptorDacl

• 0x49c080 - InitiateSystemShutdownExW

库 SHELL32.dll:

• 0x49c49c - DragFinish

• 0x49c4a0 - DragQueryPoint

• 0x49c4a4 - ShellExecuteExW

• 0x49c4a8 - DragQueryFileW

• 0x49c4ac - SHEmptyRecycleBinW

• 0x49c4b0 - SHGetPathFromIDListW

• 0x49c4b4 - SHBrowseForFolderW

• 0x49c4b8 - SHCreateShellItem

• 0x49c4bc - SHGetDesktopFolder

• 0x49c4c0 - SHGetSpecialFolderLocation

• 0x49c4c4 - SHGetFolderPathW

• 0x49c4c8 - SHFileOperationW

• 0x49c4cc - ExtractIconExW

• 0x49c4d0 - Shell_NotifyIconW

• 0x49c4d4 - ShellExecuteW

库 ole32.dll:

• 0x49c838 - CoTaskMemAlloc

• 0x49c83c - CoTaskMemFree

• 0x49c840 - CLSIDFromString

• 0x49c844 - ProgIDFromCLSID

• 0x49c848 - CLSIDFromProgID

• 0x49c84c - OleSetMenuDescriptor

• 0x49c850 - MkParseDisplayName

• 0x49c854 - OleSetContainedObject

• 0x49c858 - CoCreateInstance

• 0x49c85c - IIDFromString

• 0x49c860 - StringFromGUID2

• 0x49c864 - CreateStreamOnHGlobal

• 0x49c868 - OleInitialize

• 0x49c86c - OleUninitialize

• 0x49c870 - CoInitialize

• 0x49c874 - CoUninitialize

• 0x49c878 - GetRunningObjectTable

• 0x49c87c - CoGetInstanceFromFile

• 0x49c880 - CoGetObject

• 0x49c884 - CoInitializeSecurity

• 0x49c888 - CoCreateInstanceEx

• 0x49c88c - CoSetProxyBlanket

库 OLEAUT32.dll:

• 0x49c41c - CreateStdDispatch

• 0x49c420 - CreateDispTypeInfo

• 0x49c424 - UnRegisterTypeLib

• 0x49c428 - UnRegisterTypeLibForUser

• 0x49c42c - RegisterTypeLibForUser

• 0x49c430 - RegisterTypeLib

• 0x49c434 - LoadTypeLibEx

• 0x49c438 - VariantCopyInd

• 0x49c43c - SysReAllocString

• 0x49c440 - SysFreeString

• 0x49c444 - VariantChangeType

• 0x49c448 - SafeArrayDestroyData

• 0x49c44c - SafeArrayUnaccessData

• 0x49c450 - SafeArrayAccessData

• 0x49c454 - SafeArrayAllocData

• 0x49c458 - SafeArrayAllocDescriptorEx

• 0x49c45c - SafeArrayCreateVector

• 0x49c460 - SysStringLen

• 0x49c464 - QueryPathOfRegTypeLib

• 0x49c468 - SysAllocString

• 0x49c46c - VariantInit

• 0x49c470 - VariantClear

• 0x49c474 - DispCallFunc

• 0x49c478 - VariantTimeToSystemTime

• 0x49c47c - VarR8FromDec

• 0x49c480 - SafeArrayGetVartype

• 0x49c484 - SafeArrayDestroyDescriptor

• 0x49c488 - VariantCopy

• 0x49c48c - OleLoadPicture

投放文件

无信息

行为分析

互斥量(Mutexes)

Local\MSCTF.Asm.MutexDefault1

执行的命令 无信息

创建的服务 无信息

启动的服务 无信息

进程

______________________________.exe PID: 2992, 上一级进程 PID: 2312

访问的文件

C:\Users\test\AppData\Local\Temp\api-ms-win-core-fibers-l1-1-1.DLL
C:\Windows\System32\api-ms-win-core-fibers-l1-1-1.DLL
C:\Windows\system\api-ms-win-core-fibers-l1-1-1.DLL
C:\Windows\api-ms-win-core-fibers-l1-1-1.DLL
C:\ProgramData\Oracle\Java\javapath\api-ms-win-core-fibers-l1-1-1.DLL
C:\Windows\System32\wbem\api-ms-win-core-fibers-l1-1-1.DLL
C:\Windows\System32\WindowsPowerShell\v1.0\api-ms-win-core-fibers-l1-1-1.DLL
C:\Program Files (x86)\WinRAR\api-ms-win-core-fibers-l1-1-1.DLL
\Device\KsecDD
C:\Users\test\AppData\Local\Temp\______________________________.exe
C:\Users\test\AppData\Local\Temp\api-ms-win-core-sysinfo-l1-2-1.DLL
C:\Windows\System32\api-ms-win-core-sysinfo-l1-2-1.DLL
C:\Windows\system\api-ms-win-core-sysinfo-l1-2-1.DLL
C:\Windows\api-ms-win-core-sysinfo-l1-2-1.DLL
C:\ProgramData\Oracle\Java\javapath\api-ms-win-core-sysinfo-l1-2-1.DLL
C:\Windows\System32\wbem\api-ms-win-core-sysinfo-l1-2-1.DLL
C:\Windows\System32\WindowsPowerShell\v1.0\api-ms-win-core-sysinfo-l1-2-1.DLL
C:\Program Files (x86)\WinRAR\api-ms-win-core-sysinfo-l1-2-1.DLL
C:\Users
C:\Users\test
C:\Users\test\AppData
C:\Users\test\AppData\Local
C:\Users\test\AppData\Local\Temp
C:\Windows\Globalization\Sorting\sortdefault.nls
C:\Windows\System32\tzres.dll
C:\Windows\Fonts\staticcache.dat
C:\Users\test\AppData\Local\Temp\imageres.dll
C:\Windows\System32\imageres.dll
C:\Windows\System32\zh-CN\imageres.dll.mui
C:\Windows\sysnative\zh-CN\imageres.dll.mui
C:\Windows\System32\zh-Hans\imageres.dll.mui
C:\Windows\System32\zh\imageres.dll.mui
C:\Windows\System32\en-US\imageres.dll.mui
C:\Users\test\AppData\Local\Temp\api-ms-win-appmodel-runtime-l1-1-1.DLL
C:\Windows\System32\api-ms-win-appmodel-runtime-l1-1-1.DLL
C:\Windows\system\api-ms-win-appmodel-runtime-l1-1-1.DLL
C:\Windows\api-ms-win-appmodel-runtime-l1-1-1.DLL
C:\ProgramData\Oracle\Java\javapath\api-ms-win-appmodel-runtime-l1-1-1.DLL
C:\Windows\System32\wbem\api-ms-win-appmodel-runtime-l1-1-1.DLL
C:\Windows\System32\WindowsPowerShell\v1.0\api-ms-win-appmodel-runtime-l1-1-1.DLL
C:\Program Files (x86)\WinRAR\api-ms-win-appmodel-runtime-l1-1-1.DLL
C:\Users\test\AppData\Local\Temp\ext-ms-win-kernel32-package-current-l1-1-0.DLL

读取的文件

C:\Users\test\AppData\Local\Temp\api-ms-win-core-fibers-l1-1-1.DLL
C:\Windows\System32\api-ms-win-core-fibers-l1-1-1.DLL
\Device\KsecDD
C:\Users\test\AppData\Local\Temp\______________________________.exe
C:\Windows\Globalization\Sorting\sortdefault.nls
C:\Windows\System32\tzres.dll
C:\Windows\Fonts\staticcache.dat
C:\Windows\System32\imageres.dll
C:\Windows\System32\zh-CN\imageres.dll.mui
C:\Windows\sysnative\zh-CN\imageres.dll.mui
C:\Windows\System32\zh-Hans\imageres.dll.mui
C:\Windows\System32\zh\imageres.dll.mui
C:\Windows\System32\en-US\imageres.dll.mui
C:\Users\test\AppData\Local\Temp\api-ms-win-appmodel-runtime-l1-1-1.DLL
C:\Users\test\AppData\Local\Temp\ext-ms-win-kernel32-package-current-l1-1-0.DLL

修改的文件 无信息

删除的文件 无信息

注册表键

HKEY_CURRENT_USER\Control Panel\Mouse
HKEY_CURRENT_USER\Control Panel\Mouse\SwapMouseButtons
HKEY_CURRENT_USER\Software\AutoIt v3\AutoIt
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\______________________________.exe
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\ExtendedLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\WMR
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane16
HKEY_LOCAL_MACHINE\Software\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{03B5835F-F03C-411B-9CE2-AA23E1171E36}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{07EB03D6-B001-41DF-9192-BF9B841EE71F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3697C5FA-60DD-4B56-92D4-74A569205C16}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3FC47A08-E5C9-4BCA-A2C7-BC9A282AED14}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{531FDEBF-9B4C-4A43-A2AA-960E8FCDC732}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{78CB5B0E-26ED-4FCC-854C-77E8F3D1AA80}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{81D4E9C9-1D3B-41BC-9E6C-4B40BF79E35E}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{8613E14C-D0C0-4161-AC0F-1DD2563286BC}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{A028AE76-01B1-46C2-99C4-ACD9858AE02F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{AE6BE008-07FB-400D-8BEB-337A64F7051F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{C1EE01F2-B3B6-4A6A-9DDD-E988C088EC82}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{E429B25A-E5D3-4D1F-9BE3-0C608477E3A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F25E9F57-2FC8-4EB3-A41A-CCE5F08541E6}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F89E9E58-BD2F-4008-9AC2-0F816C09F4EE}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_CURRENT_USER
HKEY_CURRENT_USER\Keyboard Layout\Toggle
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
HKEY_CURRENT_USER\Software\Microsoft\CTF\DirectSwitchHotkeys
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\KnownClasses
HKEY_CURRENT_USER\Software\Microsoft\CTF\LayoutIcon\0804\00000804
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles

读取的注册表键

HKEY_CURRENT_USER\Control Panel\Mouse\SwapMouseButtons
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane16
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles

修改的注册表键 无信息

删除的注册表键 无信息

API解析

kernel32.dll.InitializeCriticalSectionEx
kernel32.dll.FlsAlloc
kernel32.dll.FlsSetValue
kernel32.dll.FlsGetValue
api-ms-win-core-localization-l1-2-1.dll.LCMapStringEx
api-ms-win-core-synch-l1-2-0.dll.InitializeConditionVariable
api-ms-win-core-synch-l1-2-0.dll.SleepConditionVariableCS
api-ms-win-core-synch-l1-2-0.dll.WakeAllConditionVariable
kernel32.dll.GetNativeSystemInfo
cryptbase.dll.SystemFunction036
kernel32.dll.Wow64DisableWow64FsRedirection
kernel32.dll.Wow64RevertWow64FsRedirection
comctl32.dll.RegisterClassNameW
kernel32.dll.SortGetHandle
kernel32.dll.SortCloseHandle
uxtheme.dll.OpenThemeData
imm32.dll.ImmGetContext
imm32.dll.ImmReleaseContext
imm32.dll.ImmAssociateContext
imm32.dll.ImmIsIME
kernel32.dll.GetModuleHandleW
kernel32.dll.FindResourceW
kernel32.dll.SizeofResource
kernel32.dll.LoadResource
kernel32.dll.LockResource
kernel32.dll.VirtualAlloc
user32.dll.CallWindowProcA
kernel32.dll.VirtualFree
kernel32.dll.GetSystemWow64DirectoryW
gdi32.dll.GetLayout
gdi32.dll.GdiRealizationInfo
gdi32.dll.FontIsLinked
advapi32.dll.RegOpenKeyExW
advapi32.dll.RegQueryInfoKeyW
gdi32.dll.GetTextFaceAliasW
advapi32.dll.RegEnumValueW
advapi32.dll.RegCloseKey
advapi32.dll.RegQueryValueExW
advapi32.dll.RegQueryValueExA
advapi32.dll.RegEnumKeyExW
gdi32.dll.GetTextExtentExPointWPri
uxtheme.dll.EnableThemeDialogTexture
ole32.dll.CoInitializeEx
ole32.dll.CoUninitialize
ole32.dll.CoRegisterInitializeSpy
ole32.dll.CoRevokeInitializeSpy
gdi32.dll.GetFontAssocStatus
oleaut32.dll.SysAllocString
oleaut32.dll.SysStringLen
oleaut32.dll.SysFreeString
oleaut32.dll.#500
ext-ms-win-kernel32-package-current-l1-1-0.dll.GetCurrentPackageId