Maldun Security Analysis Report

Analysis type FILE
Start time 2023-01-27 00:52:01
End time 2023-01-27 00:52:47
Duration 46 seconds
Analysis engine version 1.4-Maldun
VM name win7-sp1-x64-shaapp02-1
Label win7-sp1-x64-shaapp02-1
VM manager KVM
Boot time 2023-01-27 00:52:04
Shutdown time 2023-01-27 00:52:47
Maldun score

2.825

Suspicious

File details

File name SogouComMgr.exe
File size 1580696 bytes
File type PE32 executable (GUI) Intel 80386, for MS Windows
CRC32 AB671F1B
MD5 a332b5b017a9cc154b430329cad0aabd
SHA1 987f58f7c54ec12ebe78941cb74b69b8d592ca8f
SHA256 17b533c1a29dc1f4a8e2d6f3a7156c46289b2b325caf39c81dfb93ea3e5c9d64
SHA512 1bc17bc7aef447c073111345923257259e2310cbe2f8ee43fb3592db211125ec4d41948d28bb459f6000c22ef61b5581211b5ded44a3a37181bff47434259a6a
Ssdeep 24576:Kx2yoD5Qi9TvbWzvdLLwXIelZnwmqvqTFoUI2N1ZSpTFPl/0B1j0f:RyEDkR89n5pTFoUsTF9/U1j0f
PEiD No match
Yara
  • DebuggerTiming__PerformanceCounter ()
  • DebuggerTiming__Ticks (Detected timing ticks function)
  • anti_dbg (Detected self protection if being debugged)
  • network_http (Detected communications function over HTTP)
  • win_mutex (Create or check mutex)
  • screenshot (Detected take screenshot function)
  • create_process (Detection function for creating a new process)
  • keylogger (Detected keylogger function)
  • win_registry (Detected system registries modification function)
  • win_token (Affect system token)
  • win_files_operation (Affect private profile)
  • Maldun_Anomoly_Combined_Activities_Network_Logging (Spotted potential abnormal behaviors, like logging and network communications)
  • Maldun_Anomoly_Combined_Activities_7 (Spotted potential malicious behaviors from a small size target, like process manipulation, privilege, token and files)
  • IsPE32 (Detected a 32bit PE sample)
  • IsWindowsGUI (Detected a Windows GUI sample)
  • HasOverlay (Detected Overlay signature)
  • HasDebugData (Detected Debug Data)
  • HasRichSignature (Detected Rich Signature)
  • CRC32_poly_Constant (Look for CRC32 [poly])
  • CRC32_table (Look for CRC32 table)
  • MD5_Constants (Look for MD5 constants)
  • RijnDael_AES (Look for RijnDael AES)
  • BASE64_table (Look for Base64 table)
  • with_urls (Detected the presence of one or several URLs)
VirusTotal VirusTotal query failed

Signatures

The sample's signing certificate is valid
Maldun Security Yara detection result - Normal
Critical: Spotted potential abnormal behaviors, like logging and network communications
Critical: Spotted potential malicious behaviors from a small size target, like process manipulation, privilege, token and files
Suspicious: the sample terminated abnormally

Runtime screenshots

Network analysis

TCP connections

IP address Port
23.215.102.154 80

UDP connections

IP address Port
192.168.122.1 53

HTTP requests

URL HTTP data
http://acroipm.adobe.com/11/rdr/CHS/win/nooem/none/message.zip
GET /11/rdr/CHS/win/nooem/none/message.zip HTTP/1.1
Accept: */*
If-Modified-Since: Mon, 08 Nov 2017 08:44:36 GMT
User-Agent: IPM
Host: acroipm.adobe.com
Connection: Keep-Alive
Cache-Control: no-cache

Static analysis

PE information

Image base 0x00400000
Entry point 0x004a8bc3
Declared checksum 0x0018a1ee
Actual checksum 0x0018a1ee
Minimum OS version required 6.0
PDB path E:\data\landun\workspace\p-8e18b00276fd470e835a1e79d9eeecd4\src\bin\sogoupdb\sogouinput\SogouComMgr.pdb
Compile time 2023-01-16 22:16:19
Import hash 233d466bc5c784385e6e4b1957d22ce9

Version information

LegalCopyright: © 2023 Sogou.com Inc. All rights reserved.
InternalName: SogouIME Component Manager
FileVersion: 13.2.0.6899
CompanyName: Sogou.com Inc.
ProductName: 搜狗输入法
ProductVersion: 13.2.0.6899
FileDescription: 搜狗输入法 扩展功能管理器
OriginalFilename: SogouComMgr.exe
Translation: 0x0804 0x04b0

PE sections

Name Virtual address Virtual size Raw data size Characteristics Entropy
.text 0x00001000 0x000fe0cf 0x000fe200 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 6.56
.rdata 0x00100000 0x0004289c 0x00042a00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 5.29
.data 0x00143000 0x0001c618 0x00006e00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 4.62
.rsrc 0x00160000 0x00029170 0x00029200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 4.49
.reloc 0x0018a000 0x0000e994 0x0000ea00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ 6.68

Imports

Library WININET.dll:
0x5004f8 - InternetCloseHandle
0x5004fc - HttpQueryInfoW
0x500500 - InternetOpenW
0x500504 - InternetSetOptionW
0x500508 - InternetReadFile
0x50050c - HttpAddRequestHeadersW
0x500510 - InternetConnectA
0x500514 - HttpSendRequestExW
0x500518 - HttpEndRequestW
0x50051c - InternetCrackUrlA
0x500520 - InternetWriteFile
0x500524 - HttpOpenRequestA
0x500528 - InternetOpenUrlW
Library KERNEL32.dll:
0x5000e0 - ReleaseSemaphore
0x5000e4 - EnterCriticalSection
0x5000e8 - GetExitCodeProcess
0x5000ec - GetTickCount
0x5000f0 - DebugBreak
0x5000f4 - GetCurrentProcessId
0x5000f8 - DeleteCriticalSection
0x5000fc - DecodePointer
0x500100 - RaiseException
0x500104 - CloseHandle
0x500108 - LeaveCriticalSection
0x50010c - Sleep
0x500110 - WaitForSingleObject
0x500114 - InitializeCriticalSectionEx
0x500118 - GetModuleFileNameW
0x50011c - FindNextFileW
0x500120 - FindFirstFileW
0x500124 - InitializeCriticalSection
0x500128 - TerminateThread
0x50012c - GlobalFree
0x500130 - GlobalAlloc
0x500134 - WideCharToMultiByte
0x500138 - MultiByteToWideChar
0x50013c - CreateSemaphoreW
0x500140 - FindClose
0x500144 - GetTempPathW
0x500148 - DeleteFileW
0x50014c - UnmapViewOfFile
0x500150 - GetTempFileNameW
0x500154 - MoveFileW
0x500158 - ReadFile
0x50015c - HeapFree
0x500160 - WriteFile
0x500164 - SetFilePointer
0x500168 - SetEndOfFile
0x50016c - GetProcessHeap
0x500170 - GetFileSize
0x500174 - HeapAlloc
0x500178 - SetFileAttributesW
0x50017c - GetLastError
0x500180 - CreateTimerQueue
0x500184 - UnregisterWaitEx
0x500188 - CreateFileW
0x50018c - QueryDepthSList
0x500190 - InterlockedPopEntrySList
0x500194 - VirtualProtect
0x500198 - GetModuleHandleA
0x50019c - GetThreadTimes
0x5001a0 - UnregisterWait
0x5001a4 - RegisterWaitForSingleObject
0x5001a8 - SetThreadAffinityMask
0x5001ac - GetProcessAffinityMask
0x5001b0 - GetNumaHighestNodeNumber
0x5001b4 - DeleteTimerQueueTimer
0x5001b8 - ChangeTimerQueueTimer
0x5001bc - CreateTimerQueueTimer
0x5001c0 - GetLogicalProcessorInformation
0x5001c4 - GetThreadPriority
0x5001c8 - SetThreadPriority
0x5001cc - SwitchToThread
0x5001d0 - SignalObjectAndWait
0x5001d4 - WriteConsoleW
0x5001d8 - HeapSize
0x5001dc - SetEnvironmentVariableA
0x5001e0 - FreeEnvironmentStringsW
0x5001e4 - GetEnvironmentStringsW
0x5001e8 - GetCommandLineA
0x5001ec - FindFirstFileExW
0x5001f0 - GetCurrentDirectoryW
0x5001f4 - GetOEMCP
0x5001f8 - IsValidCodePage
0x5001fc - SetStdHandle
0x500200 - ReadConsoleW
0x500204 - SetFilePointerEx
0x500208 - GetConsoleMode
0x50020c - GetConsoleCP
0x500210 - HeapReAlloc
0x500214 - GetACP
0x500218 - GetStdHandle
0x50021c - ExitProcess
0x500220 - GetFileAttributesW
0x500224 - OutputDebugStringW
0x500228 - QueryPerformanceFrequency
0x50022c - GlobalLock
0x500230 - QueryPerformanceCounter
0x500234 - GlobalUnlock
0x500238 - GetVersionExW
0x50023c - GlobalHandle
0x500240 - GetCommandLineW
0x500244 - InitializeCriticalSectionAndSpinCount
0x500248 - TlsSetValue
0x50024c - TlsGetValue
0x500250 - TlsAlloc
0x500254 - TlsFree
0x500258 - GetProcAddress
0x50025c - FreeLibrary
0x500260 - SetLastError
0x500264 - GetCurrentProcess
0x500268 - GetCurrentThreadId
0x50026c - DuplicateHandle
0x500270 - ExitThread
0x500274 - CreateEventW
0x500278 - FormatMessageW
0x50027c - CreateThread
0x500280 - LocalFree
0x500284 - GetSystemDirectoryW
0x500288 - LoadLibraryW
0x50028c - GetModuleHandleW
0x500290 - OpenMutexW
0x500294 - LoadLibraryExW
0x500298 - RemoveDirectoryW
0x50029c - FileTimeToSystemTime
0x5002a0 - MoveFileExW
0x5002a4 - CreateDirectoryW
0x5002a8 - GetProcessId
0x5002ac - CreateProcessW
0x5002b0 - CopyFileW
0x5002b4 - GetFileTime
0x5002b8 - OpenFileMappingW
0x5002bc - CreateFileMappingW
0x5002c0 - MapViewOfFile
0x5002c4 - OpenEventW
0x5002c8 - lstrlenW
0x5002cc - lstrlenA
0x5002d0 - LocalAlloc
0x5002d4 - lstrcpyW
0x5002d8 - CreateMutexW
0x5002dc - ReleaseMutex
0x5002e0 - FlushFileBuffers
0x5002e4 - VirtualFree
0x5002e8 - VirtualAlloc
0x5002ec - SetEvent
0x5002f0 - TerminateProcess
0x5002f4 - lstrcatW
0x5002f8 - GetLocalTime
0x5002fc - VirtualQuery
0x500300 - IsDebuggerPresent
0x500304 - SetUnhandledExceptionFilter
0x500308 - WaitForSingleObjectEx
0x50030c - GetQueuedCompletionStatus
0x500310 - TransactNamedPipe
0x500314 - CreateIoCompletionPort
0x500318 - SetNamedPipeHandleState
0x50031c - WaitNamedPipeW
0x500320 - ResetEvent
0x500324 - UnhandledExceptionFilter
0x500328 - IsProcessorFeaturePresent
0x50032c - GetStartupInfoW
0x500330 - GetSystemTimeAsFileTime
0x500334 - InitializeSListHead
0x500338 - TryEnterCriticalSection
0x50033c - EncodePointer
0x500340 - CompareStringW
0x500344 - LCMapStringW
0x500348 - GetStringTypeW
0x50034c - GetCPInfo
0x500350 - RtlUnwind
0x500354 - InterlockedPushEntrySList
0x500358 - InterlockedFlushSList
0x50035c - ResumeThread
0x500360 - FreeLibraryAndExitThread
0x500364 - GetModuleHandleExW
0x500368 - GetTimeZoneInformation
0x50036c - GetFileType
0x500370 - GetCurrentThread
0x500374 - GetFullPathNameW
0x500378 - GetDriveTypeW
Library USER32.dll:
0x5003c8 - SendMessageW
0x5003cc - MessageBoxW
0x5003d0 - IsWindowVisible
0x5003d4 - GetMessageW
0x5003d8 - DestroyWindow
0x5003dc - MoveWindow
0x5003e0 - GetWindowRect
0x5003e4 - LoadCursorW
0x5003e8 - RegisterClassExW
0x5003ec - CreateWindowExW
0x5003f0 - DefWindowProcW
0x5003f4 - EnableWindow
0x5003f8 - GetCursorPos
0x5003fc - SystemParametersInfoW
0x500400 - PostQuitMessage
0x500404 - IsWindow
0x500408 - DispatchMessageW
0x50040c - TranslateMessage
0x500410 - LoadIconW
0x500414 - ScreenToClient
0x500418 - FindWindowW
0x50041c - RegisterWindowMessageW
0x500420 - SetWindowPos
0x500424 - wsprintfW
0x500428 - EndPaint
0x50042c - BeginPaint
0x500430 - ReleaseDC
0x500434 - IsIconic
0x500438 - SetForegroundWindow
0x50043c - GetParent
0x500440 - KillTimer
0x500444 - AppendMenuW
0x500448 - SetCursor
0x50044c - SetCapture
0x500450 - SetPropW
0x500454 - DestroyMenu
0x500458 - IsWindowEnabled
0x50045c - TrackMouseEvent
0x500460 - SetMenuItemInfoW
0x500464 - ClientToScreen
0x500468 - TrackPopupMenu
0x50046c - GetWindowPlacement
0x500470 - NotifyWinEvent
0x500474 - CreatePopupMenu
0x500478 - GetSystemMetrics
0x50047c - GetPropW
0x500480 - GetDC
0x500484 - InsertMenuItemW
0x500488 - CallWindowProcW
0x50048c - GetKeyState
0x500490 - PtInRect
0x500494 - GetDesktopWindow
0x500498 - DrawTextW
0x50049c - UpdateLayeredWindow
0x5004a0 - GetFocus
0x5004a4 - IntersectRect
0x5004a8 - GetMonitorInfoW
0x5004ac - MonitorFromPoint
0x5004b0 - SubtractRect
0x5004b4 - SetRectEmpty
0x5004b8 - CharNextW
0x5004bc - wvsprintfW
0x5004c0 - LoadStringW
0x5004c4 - GetWindowTextW
0x5004c8 - GetWindowLongW
0x5004cc - PostMessageW
0x5004d0 - SetWindowLongW
0x5004d4 - GetClientRect
0x5004d8 - SetTimer
0x5004dc - ShowWindow
0x5004e0 - ReleaseCapture
Library ADVAPI32.dll:
0x500000 - CryptAcquireContextW
0x500004 - CryptDecrypt
0x500008 - CryptSetKeyParam
0x50000c - CryptDestroyKey
0x500010 - CryptEncrypt
0x500014 - CryptImportKey
0x500018 - CryptReleaseContext
0x50001c - RegDeleteValueW
0x500020 - GetSecurityDescriptorSacl
0x500024 - RegOpenKeyW
0x500028 - RegCloseKey
0x50002c - RegOpenKeyExW
0x500030 - RegQueryValueExW
0x500034 - GetTokenInformation
0x500038 - LookupAccountSidW
0x50003c - OpenProcessToken
0x500040 - RegDeleteKeyW
0x500044 - RegSetValueExW
0x500048 - RegCreateKeyExW
0x50004c - LookupAccountNameW
0x500050 - AddAccessAllowedAce
0x500054 - GetLengthSid
0x500058 - AddAccessAllowedAceEx
0x50005c - ConvertStringSecurityDescriptorToSecurityDescriptorW
0x500060 - SetSecurityInfo
0x500064 - InitializeAcl
0x500068 - InitializeSecurityDescriptor
0x50006c - GetFileSecurityW
0x500070 - AddAce
0x500074 - SetSecurityDescriptorSacl
0x500078 - GetNamedSecurityInfoW
0x50007c - SetNamedSecurityInfoW
0x500080 - SetEntriesInAclW
0x500084 - BuildExplicitAccessWithNameW
0x500088 - EqualSid
0x50008c - GetAce
0x500090 - GetAclInformation
0x500094 - SetFileSecurityW
0x500098 - GetSecurityDescriptorDacl
0x50009c - SetSecurityDescriptorDacl
Library ole32.dll:
0x500530 - OleSetContainedObject
0x500534 - OleCreate
0x500538 - CoInitialize
0x50053c - CoUninitialize
0x500540 - CoCreateInstance
Library OLEAUT32.dll:
0x500394 - SysAllocString
0x500398 - VariantClear
0x50039c - VariantInit
0x5003a0 - SysFreeString
Library IMM32.dll:
0x5000d8 - ImmDisableIME
Library VERSION.dll:
0x5004e8 - VerQueryValueW
0x5004ec - GetFileVersionInfoW
0x5004f0 - GetFileVersionInfoSizeW
Library PSAPI.DLL:
0x5003a8 - GetProcessMemoryInfo
Library MSIMG32.dll:
0x500380 - AlphaBlend
Library OLEACC.dll:
0x500388 - LresultFromObject
0x50038c - AccessibleObjectFromWindow
Library SHELL32.dll:
0x5003b0 - ShellExecuteW
0x5003b4 - SHGetFolderPathW
0x5003b8 - ShellExecuteExW
0x5003bc - SHFileOperationW
0x5003c0 - SHChangeNotify
Library GDI32.dll:
0x5000a4 - DeleteObject
0x5000a8 - GetObjectW
0x5000ac - CreateDIBSection
0x5000b0 - SetTextCharacterExtra
0x5000b4 - SetBkMode
0x5000b8 - SetTextColor
0x5000bc - CreateCompatibleDC
0x5000c0 - SelectObject
0x5000c4 - BitBlt
0x5000c8 - CreateFontIndirectW
0x5000cc - GetFontData
0x5000d0 - DeleteDC

Dropped files

None

Behavioral analysis

Mutexes
  • Local\filemap_mutex
  • Local\sgfmPyVRMutex
  • Local\sgime_user_lock
  • Local\mutex_file_0x00380035
  • Local\mutex_file_0x0062001D
  • Local\userenv.mutex.sogouime
  • Local\userenv.mutex.sogouime.filemap
  • Local\component_config_file_mutex
  • Local\Retrieve_Bundle_Share_Proc_Mutex
  • Local\Retrieve_Bundle_Share_Mutex
  • Local\mutex_file_0x003E0036
Executed commands None
Services created None
Services started None

Processes

SogouComMgr.exe PID: 2560, parent process PID: 2236

Files accessed
  • C:\Users\test\AppData\Local\Temp\api-ms-win-core-fibers-l1-1-1.DLL
  • C:\Windows\System32\api-ms-win-core-fibers-l1-1-1.DLL
  • C:\Windows\system\api-ms-win-core-fibers-l1-1-1.DLL
  • C:\Windows\api-ms-win-core-fibers-l1-1-1.DLL
  • C:\ProgramData\Oracle\Java\javapath\api-ms-win-core-fibers-l1-1-1.DLL
  • C:\Windows\System32\wbem\api-ms-win-core-fibers-l1-1-1.DLL
  • C:\Windows\System32\WindowsPowerShell\v1.0\api-ms-win-core-fibers-l1-1-1.DLL
  • C:\Program Files (x86)\WinRAR\api-ms-win-core-fibers-l1-1-1.DLL
  • C:\Users\test\AppData\Local\Temp\Data
  • \Device\KsecDD
  • C:\Windows\SysWOW64\zh-CN\KERNELBASE.dll.mui
  • C:\Users\test\AppData\LocalLow
  • C:\Users\test\AppData\Local\Temp\Data\runtime.ini
  • C:\Users\test\AppData\Local\Temp\Data\sgim_gl.bin
  • C:\Users\test\AppData\LocalLow\SogouPY.users
  • C:\Users\test\AppData\LocalLow\
  • C:\Users\test\AppData\LocalLow\SogouPY.users\acc.dat
  • C:\Users\test\AppData\Local\Temp\api-ms-win-core-sysinfo-l1-2-1.DLL
  • C:\Windows\System32\api-ms-win-core-sysinfo-l1-2-1.DLL
  • C:\Windows\system\api-ms-win-core-sysinfo-l1-2-1.DLL
  • C:\Windows\api-ms-win-core-sysinfo-l1-2-1.DLL
  • C:\ProgramData\Oracle\Java\javapath\api-ms-win-core-sysinfo-l1-2-1.DLL
  • C:\Windows\System32\wbem\api-ms-win-core-sysinfo-l1-2-1.DLL
  • C:\Windows\System32\WindowsPowerShell\v1.0\api-ms-win-core-sysinfo-l1-2-1.DLL
  • C:\Program Files (x86)\WinRAR\api-ms-win-core-sysinfo-l1-2-1.DLL
  • C:\Users\test\AppData\LocalLow\SogouPY.users\acc.dat.sgbak
  • C:\Users\test\AppData\LocalLow\SogouPY.users\
  • C:\Users\test\AppData\Local\Components\ComponentConfig.ini
  • C:\Windows\Fonts\staticcache.dat
  • C:\Users\test\AppData\Local\Temp\api-ms-win-appmodel-runtime-l1-1-1.DLL
  • C:\Windows\System32\api-ms-win-appmodel-runtime-l1-1-1.DLL
  • C:\Windows\system\api-ms-win-appmodel-runtime-l1-1-1.DLL
  • C:\Windows\api-ms-win-appmodel-runtime-l1-1-1.DLL
  • C:\ProgramData\Oracle\Java\javapath\api-ms-win-appmodel-runtime-l1-1-1.DLL
  • C:\Windows\System32\wbem\api-ms-win-appmodel-runtime-l1-1-1.DLL
  • C:\Windows\System32\WindowsPowerShell\v1.0\api-ms-win-appmodel-runtime-l1-1-1.DLL
  • C:\Program Files (x86)\WinRAR\api-ms-win-appmodel-runtime-l1-1-1.DLL
  • C:\Users\test\AppData\Local\Temp\ext-ms-win-kernel32-package-current-l1-1-0.DLL
Files read
  • C:\Users\test\AppData\Local\Temp\api-ms-win-core-fibers-l1-1-1.DLL
  • C:\Windows\System32\api-ms-win-core-fibers-l1-1-1.DLL
  • \Device\KsecDD
  • C:\Windows\SysWOW64\zh-CN\KERNELBASE.dll.mui
  • C:\Users\test\AppData\LocalLow\SogouPY.users
  • C:\Users\test\AppData\LocalLow\SogouPY.users\acc.dat
  • C:\Windows\Fonts\staticcache.dat
  • C:\Users\test\AppData\Local\Temp\api-ms-win-appmodel-runtime-l1-1-1.DLL
  • C:\Users\test\AppData\Local\Temp\ext-ms-win-kernel32-package-current-l1-1-0.DLL
Files modified
  • C:\Users\test\AppData\LocalLow\SogouPY.users\acc.dat.sgbak
  • C:\Users\test\AppData\LocalLow\SogouPY.users\acc.dat
  • C:\Users\test\AppData\Local\Components\ComponentConfig.ini
Files deleted
  • C:\Users\test\AppData\LocalLow\SogouPY.users\acc.dat.sgbak
Registry keys
  • HKEY_CURRENT_USER\SoftWare\SogouInput
  • HKEY_LOCAL_MACHINE\Software\SogouInput
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\WMR
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\AccessProviders
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\AccessProviders\MartaExtension
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane2
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane3
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane4
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane5
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane6
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane7
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane8
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane9
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane10
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane11
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane12
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane13
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane14
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane15
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane16
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
Registry keys read
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\AccessProviders\MartaExtension
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane2
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane3
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane4
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane5
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane6
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane7
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane8
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane9
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane10
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane11
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane12
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane13
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane14
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane15
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane16
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
Registry keys modified None
Registry keys deleted None
Resolved APIs
  • kernel32.dll.InitializeCriticalSectionEx
  • kernel32.dll.FlsAlloc
  • kernel32.dll.FlsSetValue
  • kernel32.dll.FlsGetValue
  • api-ms-win-core-localization-l1-2-1.dll.LCMapStringEx
  • api-ms-win-core-synch-l1-2-0.dll.InitializeConditionVariable
  • api-ms-win-core-synch-l1-2-0.dll.SleepConditionVariableCS
  • api-ms-win-core-synch-l1-2-0.dll.WakeAllConditionVariable
  • kernel32.dll.FlsFree
  • kernel32.dll.InitOnceExecuteOnce
  • kernel32.dll.CreateEventExW
  • kernel32.dll.CreateSemaphoreW
  • kernel32.dll.CreateSemaphoreExW
  • kernel32.dll.CreateThreadpoolTimer
  • kernel32.dll.SetThreadpoolTimer
  • kernel32.dll.WaitForThreadpoolTimerCallbacks
  • kernel32.dll.CloseThreadpoolTimer
  • kernel32.dll.CreateThreadpoolWait
  • kernel32.dll.SetThreadpoolWait
  • kernel32.dll.CloseThreadpoolWait
  • kernel32.dll.FlushProcessWriteBuffers
  • kernel32.dll.FreeLibraryWhenCallbackReturns
  • kernel32.dll.GetCurrentProcessorNumber
  • kernel32.dll.CreateSymbolicLinkW
  • kernel32.dll.GetTickCount64
  • kernel32.dll.GetFileInformationByHandleEx
  • kernel32.dll.SetFileInformationByHandle
  • kernel32.dll.InitializeConditionVariable
  • kernel32.dll.WakeConditionVariable
  • kernel32.dll.WakeAllConditionVariable
  • kernel32.dll.SleepConditionVariableCS
  • kernel32.dll.InitializeSRWLock
  • kernel32.dll.AcquireSRWLockExclusive
  • kernel32.dll.TryAcquireSRWLockExclusive
  • kernel32.dll.ReleaseSRWLockExclusive
  • kernel32.dll.SleepConditionVariableSRW
  • kernel32.dll.CreateThreadpoolWork
  • kernel32.dll.SubmitThreadpoolWork
  • kernel32.dll.CloseThreadpoolWork
  • kernel32.dll.CompareStringEx
  • kernel32.dll.GetLocaleInfoEx
  • kernel32.dll.LCMapStringEx
  • cryptbase.dll.SystemFunction036
  • advapi32.dll.AddMandatoryAce
  • ntmarta.dll.GetMartaExtensionInterface
  • sechost.dll.LookupAccountNameLocalW
  • user32.dll.ChangeWindowMessageFilter
  • gdi32.dll.GetLayout
  • gdi32.dll.GdiRealizationInfo
  • gdi32.dll.FontIsLinked
  • advapi32.dll.RegOpenKeyExW
  • advapi32.dll.RegQueryInfoKeyW
  • gdi32.dll.GetTextFaceAliasW
  • advapi32.dll.RegEnumValueW
  • advapi32.dll.RegCloseKey
  • advapi32.dll.RegQueryValueExW
  • advapi32.dll.RegQueryValueExA
  • advapi32.dll.RegEnumKeyExW
  • gdi32.dll.GetTextExtentExPointWPri
  • comctl32.dll.RegisterClassNameW
  • uxtheme.dll.EnableThemeDialogTexture
  • uxtheme.dll.OpenThemeData
  • gdi32.dll.GetFontAssocStatus
  • oleaut32.dll.#500
  • ext-ms-win-kernel32-package-current-l1-1-0.dll.GetCurrentPackageId