魔盾安全分析报告
| 分析类型 | 开始时间 | 结束时间 | 持续时间 | 分析引擎版本 |
|---|---|---|---|---|
| FILE | 2022-09-24 15:10:15 | 2022-09-24 15:10:48 | 33 秒 | 1.4-Maldun |
| 虚拟机机器名 | 标签 | 虚拟机管理 | 开机时间 | 关机时间 |
|---|---|---|---|---|
| win7-sp1-x64-shaapp03-1 | win7-sp1-x64-shaapp03-1 | KVM | 2022-09-24 15:10:15 | 2022-09-24 15:10:49 |
| 魔盾分数 |
|---|
3.475可疑的 |
文件详细信息
| 文件名 | SecurityLaunchCLR.dll |
|---|---|
| 文件大小 | 309760 字节 |
| 文件类型 | PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows |
| CRC32 | AA4FEA21 |
| MD5 | 352f989b53cf3509d8c21f83e9900a84 |
| SHA1 | cf8d0cb3700f612e31f96db5fbafb12e4d5d3cd5 |
| SHA256 | 1a3998c65661e55c6b5290e7a59bfb6b4d2a59371e4eaa488ebd1cdd95f9e970 |
| SHA512 | 8e0b472125c573613472f1f3a9a8a3213f0052f08d312874765eef002ee5d87be5e6c53e940cb3fe1827d61b247cba4aed371e7a128363b43976ae13903eeab8 |
| Ssdeep | 6144:fj0ppLQ84fcM9xLbhNStBWy3ubxW2Gt7:7YyFrSFu |
| PEiD | 无匹配 |
| Yara |
|
| VirusTotal | VirusTotal查询失败 |
特征
魔盾安全Yara检测结果 - 普通
异常的二进制特征
anomaly: Found duplicated section names
可疑的样本异常终止
运行截图
网络分析
TCP连接
| IP地址 | 端口 |
|---|---|
| 104.88.193.211 | 80 |
UDP连接
| IP地址 | 端口 |
|---|---|
| 192.168.122.1 | 53 |
HTTP请求
| URL | HTTP数据 |
|---|---|
| http://acroipm.adobe.com/11/rdr/CHS/win/nooem/none/message.zip | GET /11/rdr/CHS/win/nooem/none/message.zip HTTP/1.1 Accept: */* If-Modified-Since: Mon, 08 Nov 2017 08:44:36 GMT User-Agent: IPM Host: acroipm.adobe.com Connection: Keep-Alive Cache-Control: no-cache |
静态分析
PE 信息
| 初始地址 | 0x10000000 |
|---|---|
| 入口地址 | 0x10019e83 |
| 声明校验值 | 0x0004c807 |
| 实际校验值 | 0x0004c807 |
| 最低操作系统版本要求 | 6.0 |
| 编译时间 | 2019-02-18 17:49:50 |
| 载入哈希 | ab6436867c08472060c8065f660ca43d |
| 图标 |  |
| 图标精确哈希值 | 9db58d4913256d2b52c5163864b9f7a7 |
| 图标相似性哈希值 | c3ca946d749a15ad18efd3e5d7b0d8f5 |
PE数据组成
| 名称 | 虚拟地址 | 虚拟大小 | 原始数据大小 | 特征 | 熵(Entropy) |
|---|---|---|---|---|---|
| .text | 0x00001000 | 0x000192a8 | 0x00019400 | IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ | 6.39 |
| .rdata | 0x0001b000 | 0x000259ec | 0x00025a00 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 6.12 |
| .data | 0x00041000 | 0x00005464 | 0x00000c00 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE | 4.09 |
| .rsrc | 0x00047000 | 0x0000a638 | 0x0000a800 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 3.36 |
| .reloc | 0x00052000 | 0x000010d4 | 0x00001200 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ | 6.51 |
| .text | 0x00054000 | 0x0000000e | 0x00000200 | IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ | 0.16 |
资源
| 名称 | 偏移量 | 大小 | 语言 | 子语言 | 熵(Entropy) | 文件类型 |
|---|---|---|---|---|---|---|
| RT_ICON | 0x00050f68 | 0x00000468 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 2.76 | GLS_BINARY_LSB_FIRST |
| RT_ICON | 0x00050f68 | 0x00000468 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 2.76 | GLS_BINARY_LSB_FIRST |
| RT_ICON | 0x00050f68 | 0x00000468 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 2.76 | GLS_BINARY_LSB_FIRST |
| RT_ICON | 0x00050f68 | 0x00000468 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 2.76 | GLS_BINARY_LSB_FIRST |
| RT_ICON | 0x00050f68 | 0x00000468 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 2.76 | GLS_BINARY_LSB_FIRST |
| RT_ICON | 0x00050f68 | 0x00000468 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 2.76 | GLS_BINARY_LSB_FIRST |
| RT_ICON | 0x00050f68 | 0x00000468 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 2.76 | GLS_BINARY_LSB_FIRST |
| RT_ICON | 0x00050f68 | 0x00000468 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 2.76 | GLS_BINARY_LSB_FIRST |
| RT_ICON | 0x00050f68 | 0x00000468 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 2.76 | GLS_BINARY_LSB_FIRST |
| RT_GROUP_ICON | 0x000513d0 | 0x00000084 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 2.79 | MS Windows icon resource - 9 icons, 256x256 |
| RT_VERSION | 0x00051454 | 0x0000005c | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 2.26 | data |
| RT_MANIFEST | 0x000514b0 | 0x0000017d | LANG_ENGLISH | SUBLANG_ENGLISH_US | 4.91 | XML 1.0 document text |
导入
库 VCRUNTIME140.dll:
• 0x1001b0e0 - memmove
• 0x1001b0e4 - _purecall
• 0x1001b0e8 - memcpy
• 0x1001b0ec - __std_terminate
• 0x1001b0f0 - memset
• 0x1001b0f4 - __std_type_info_destroy_list
• 0x1001b0f8 - _CxxThrowException
• 0x1001b0fc - __std_exception_destroy
• 0x1001b100 - _except_handler4_common
• 0x1001b104 - __FrameUnwindFilter
• 0x1001b108 - __std_exception_copy
• 0x1001b10c - __CxxFrameHandler3
库 api-ms-win-crt-runtime-l1-1-0.dll:
• 0x1001b144 - _invalid_parameter_noinfo_noreturn
• 0x1001b148 - _configure_narrow_argv
• 0x1001b14c - _initialize_narrow_environment
• 0x1001b150 - _initialize_onexit_table
• 0x1001b154 - _register_onexit_function
• 0x1001b158 - _execute_onexit_table
• 0x1001b15c - _crt_atexit
• 0x1001b160 - _initterm
• 0x1001b164 - perror
• 0x1001b168 - _initterm_e
• 0x1001b16c - abort
• 0x1001b170 - _crt_at_quick_exit
• 0x1001b174 - _cexit
• 0x1001b178 - terminate
• 0x1001b17c - _seh_filter_dll
库 api-ms-win-crt-heap-l1-1-0.dll:
• 0x1001b12c - free
• 0x1001b130 - malloc
• 0x1001b134 - calloc
• 0x1001b138 - realloc
• 0x1001b13c - _callnewh
库 KERNEL32.dll:
• 0x1001b018 - FindClose
• 0x1001b01c - FindNextFileW
• 0x1001b020 - CopyFileW
• 0x1001b024 - SetLastError
• 0x1001b028 - GetLastError
• 0x1001b02c - Process32FirstW
• 0x1001b030 - GetFileAttributesW
• 0x1001b034 - Sleep
• 0x1001b038 - GetModuleFileNameW
• 0x1001b03c - MultiByteToWideChar
• 0x1001b040 - GetProcAddress
• 0x1001b044 - CreateEventW
• 0x1001b048 - WaitForSingleObjectEx
• 0x1001b04c - CreateToolhelp32Snapshot
• 0x1001b050 - Process32NextW
• 0x1001b054 - OpenProcess
• 0x1001b058 - CreateDirectoryW
• 0x1001b05c - QueryPerformanceCounter
• 0x1001b060 - GetCurrentProcessId
• 0x1001b064 - GetCurrentThreadId
• 0x1001b068 - GetSystemTimeAsFileTime
• 0x1001b06c - DisableThreadLibraryCalls
• 0x1001b070 - InitializeSListHead
• 0x1001b074 - IsDebuggerPresent
• 0x1001b078 - UnhandledExceptionFilter
• 0x1001b07c - SetUnhandledExceptionFilter
• 0x1001b080 - GetStartupInfoW
• 0x1001b084 - IsProcessorFeaturePresent
• 0x1001b088 - GetModuleHandleW
• 0x1001b08c - GetCurrentProcess
• 0x1001b090 - TerminateProcess
• 0x1001b094 - ResetEvent
• 0x1001b098 - SetEvent
• 0x1001b09c - CloseHandle
• 0x1001b0a0 - EnterCriticalSection
• 0x1001b0a4 - LeaveCriticalSection
• 0x1001b0a8 - InitializeCriticalSectionAndSpinCount
• 0x1001b0ac - DeleteCriticalSection
• 0x1001b0b0 - FindFirstFileW
库 USER32.dll:
• 0x1001b0d8 - wsprintfW
库 ADVAPI32.dll:
• 0x1001b000 - OpenServiceW
• 0x1001b004 - OpenSCManagerW
• 0x1001b008 - QueryServiceStatus
• 0x1001b00c - StartServiceW
• 0x1001b010 - CloseServiceHandle
库 MSVCP140.dll:
• 0x1001b0b8 - ?__ExceptionPtrCopy@@YAXPAXPBX@Z
• 0x1001b0bc - ?_Xout_of_range@std@@YAXPBD@Z
• 0x1001b0c0 - ?_Xlength_error@std@@YAXPBD@Z
• 0x1001b0c4 - ?_Xbad_alloc@std@@YAXXZ
• 0x1001b0c8 - ?__ExceptionPtrDestroy@@YAXPAX@Z
库 api-ms-win-crt-stdio-l1-1-0.dll:
• 0x1001b184 - fseek
• 0x1001b188 - __stdio_common_vsprintf_s
• 0x1001b18c - fread
• 0x1001b190 - feof
• 0x1001b194 - fclose
• 0x1001b198 - ferror
• 0x1001b19c - _wfopen_s
库 api-ms-win-crt-string-l1-1-0.dll:
• 0x1001b1a4 - towlower
• 0x1001b1a8 - strtok_s
库 api-ms-win-crt-filesystem-l1-1-0.dll:
• 0x1001b124 - _wstat64
库 SHLWAPI.dll:
• 0x1001b0d0 - PathFileExistsW
库 VERSION.dll:
• 0x1001b114 - VerQueryValueW
• 0x1001b118 - GetFileVersionInfoW
• 0x1001b11c - GetFileVersionInfoSizeW
库 mscoree.dll:
• 0x1001b1b0 - _CorDllMain
投放文件
行为分析
互斥量(Mutexes)
- Local\MSCTF.Asm.MutexDefault1
执行的命令
无信息
创建的服务
无信息
启动的服务
无信息
进程
rundll32.exe PID: 2512, 上一级进程 PID: 2196
访问的文件
- C:\Users\test\AppData\Local\Temp\SecurityLaunchCLR.dll
- C:\Users\test\AppData\Local\Temp\SecurityLaunchCLR.dll.123.Manifest
- C:\Users\test\AppData\Local\Temp\SecurityLaunchCLR.dll.124.Manifest
- C:\Users\test\AppData\Local\Temp\VCRUNTIME140.dll
- C:\Windows\System32\VCRUNTIME140.dll
- C:\Windows\system\VCRUNTIME140.dll
- C:\Windows\VCRUNTIME140.dll
- C:\ProgramData\Oracle\Java\javapath\VCRUNTIME140.dll
- C:\Windows\System32\wbem\VCRUNTIME140.dll
- C:\Windows\System32\WindowsPowerShell\v1.0\VCRUNTIME140.dll
- C:\Program Files (x86)\WinRAR\VCRUNTIME140.dll
- C:\Windows\SysWOW64\zh-CN\KERNELBASE.dll.mui
- C:\Windows\Fonts\staticcache.dat
- \Device\KsecDD
- C:\Windows\Globalization\Sorting\sortdefault.nls
读取的文件
- C:\Users\test\AppData\Local\Temp\SecurityLaunchCLR.dll
- C:\Users\test\AppData\Local\Temp\SecurityLaunchCLR.dll.123.Manifest
- C:\Users\test\AppData\Local\Temp\SecurityLaunchCLR.dll.124.Manifest
- C:\Windows\SysWOW64\zh-CN\KERNELBASE.dll.mui
- C:\Windows\Fonts\staticcache.dat
- \Device\KsecDD
- C:\Windows\Globalization\Sorting\sortdefault.nls
修改的文件
无信息
删除的文件
无信息
注册表键
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\WMR
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane1
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane2
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane3
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane4
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane5
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane6
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane7
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane8
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane9
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane10
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane11
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane12
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane13
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane14
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane15
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane16
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\rundll32.exe
- HKEY_LOCAL_MACHINE\Software\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{03B5835F-F03C-411B-9CE2-AA23E1171E36}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{07EB03D6-B001-41DF-9192-BF9B841EE71F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3697C5FA-60DD-4B56-92D4-74A569205C16}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3FC47A08-E5C9-4BCA-A2C7-BC9A282AED14}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{531FDEBF-9B4C-4A43-A2AA-960E8FCDC732}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{78CB5B0E-26ED-4FCC-854C-77E8F3D1AA80}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{81D4E9C9-1D3B-41BC-9E6C-4B40BF79E35E}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{8613E14C-D0C0-4161-AC0F-1DD2563286BC}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{A028AE76-01B1-46C2-99C4-ACD9858AE02F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{AE6BE008-07FB-400D-8BEB-337A64F7051F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{C1EE01F2-B3B6-4A6A-9DDD-E988C088EC82}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{E429B25A-E5D3-4D1F-9BE3-0C608477E3A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F25E9F57-2FC8-4EB3-A41A-CCE5F08541E6}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F89E9E58-BD2F-4008-9AC2-0F816C09F4EE}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_CURRENT_USER
- HKEY_CURRENT_USER\Keyboard Layout\Toggle
- HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
- HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
- HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
- HKEY_CURRENT_USER\Software\Microsoft\CTF\DirectSwitchHotkeys
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
- HKEY_CURRENT_USER\Software\Microsoft\CTF\LayoutIcon\0804\00000804
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\KnownClasses
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
读取的注册表键
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane1
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane2
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane3
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane4
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane5
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane6
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane7
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane8
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane9
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane10
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane11
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane12
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane13
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane14
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane15
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane16
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
- HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
- HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
- HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
修改的注册表键
无信息
删除的注册表键
无信息
API解析
- mscoree.dll._CorExeMain
- mscoree.dll._CorImageUnloading
- mscoree.dll._CorValidateImage
- gdi32.dll.GetLayout
- gdi32.dll.GdiRealizationInfo
- gdi32.dll.FontIsLinked
- advapi32.dll.RegOpenKeyExW
- advapi32.dll.RegQueryInfoKeyW
- gdi32.dll.GetTextFaceAliasW
- advapi32.dll.RegEnumValueW
- advapi32.dll.RegCloseKey
- advapi32.dll.RegQueryValueExW
- advapi32.dll.RegQueryValueExA
- advapi32.dll.RegEnumKeyExW
- gdi32.dll.GetTextExtentExPointWPri
- ole32.dll.CoInitializeEx
- ole32.dll.CoUninitialize
- cryptbase.dll.SystemFunction036
- ole32.dll.CoRegisterInitializeSpy
- ole32.dll.CoRevokeInitializeSpy
- kernel32.dll.SortGetHandle
- kernel32.dll.SortCloseHandle
- oleaut32.dll.SysAllocString
- oleaut32.dll.SysStringLen
- oleaut32.dll.SysFreeString
- oleaut32.dll.#500