魔盾安全分析报告
| 分析类型 | 开始时间 | 结束时间 | 持续时间 | 分析引擎版本 |
|---|---|---|---|---|
| FILE | 2016-05-28 14:56:56 | 2016-05-28 14:59:30 | 154 秒 | 1.4-Maldun |
| 虚拟机机器名 | 标签 | 虚拟机管理 | 开机时间 | 关机时间 |
|---|---|---|---|---|
| win7-sp1-x64 | win7-sp1-x64 | KVM | 2016-05-28 14:56:56 | 2016-05-28 14:59:28 |
| 魔盾分数 |
|---|
2.8可疑的 |
文件详细信息
| 文件名 | atl71.dll |
|---|---|
| 文件大小 | 89600 字节 |
| 文件类型 | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows |
| CRC32 | 1387F05A |
| MD5 | 79cb6457c81ada9eb7f2087ce799aaa7 |
| SHA1 | 322ddde439d9254182f5945be8d97e9d897561ae |
| SHA256 | a68e1297fae2bcf854b47ffa444f490353028de1fa2ca713b6cf6cc5aa22b88a |
| SHA512 | eca4b91109d105b2ce8c40710b8e3309c4cc944194843b7930e06daf3d1df6ae85c1b7063036c7e5cd10276e5e5535b33e49930adbad88166228316283d011b8 |
| Ssdeep | 1536:kIlL9T5Xx1ogKMvw5Br7KLKLI+Xe+QnyH4Cc0tR6nGVp/VTbkE0DJ4ZwmroV:BtvBOI+FQny5R6nG//SdaZwms |
| PEiD | 无匹配 |
| Yara |
|
| VirusTotal |
VirusTotal链接 VirusTotal扫描时间: 2016-05-27 23:32:19 扫描结果: 0/56 |
特征
创建RWX内存
发起了一些HTTP请求
url: http://www.msftncsi.com/ncsi.txt
检测到网络活动但没有显示在API日志中
运行截图
网络分析
访问主机记录
| 直接访问 | IP地址 | 国家名 |
|---|---|---|
| 否 | 111.108.54.10 | Japan |
域名解析
| 域名 | 响应 |
|---|---|
| www.msftncsi.com |
A 111.108.54.11
CNAME www.msftncsi.com.edgesuite.net A 111.108.54.10 CNAME a1961.g2.akamai.net |
TCP连接
| IP地址 | 端口 |
|---|---|
| 111.108.54.10 | 80 |
UDP连接
| IP地址 | 端口 |
|---|---|
| 192.168.122.1 | 53 |
| 192.168.122.1 | 53 |
| 192.168.122.1 | 53 |
| 192.168.122.1 | 53 |
| 192.168.122.255 | 137 |
| 192.168.122.255 | 138 |
| 224.0.0.252 | 5355 |
| 224.0.0.252 | 5355 |
| 239.255.255.250 | 1900 |
| 52.169.179.91 | 123 |
| 192.168.122.69 | 53197 |
HTTP请求
| URL | HTTP数据 |
|---|---|
| http://www.msftncsi.com/ncsi.txt | GET /ncsi.txt HTTP/1.1 Connection: Close User-Agent: Microsoft NCSI Host: www.msftncsi.com |
静态分析
PE 信息
| 初始地址 | 0x7c120000 |
|---|---|
| 入口地址 | 0x7c12c872 |
| 声明校验值 | 0x00000000 |
| 实际校验值 | 0x00021ff1 |
| 最低操作系统版本要求 | 4.0 |
| PDB路径 | atl71.pdb |
| 编译时间 | 2006-07-12 09:07:28 |
| 导出DLL库名称 | ATL71.DLL |
版本信息
| LegalCopyright: | \xa9 Microsoft Corporation. All rights reserved. |
| InternalName: | ATL71.DLL |
| FileVersion: | 7.10.6030.0 |
| CompanyName: | Microsoft Corporation |
| ProductName: | Microsoft\xae Visual Studio .NET |
| ProductVersion: | 7.10.6030.0 |
| FileDescription: | ATL Module for Windows (Unicode) |
| OriginalFilename: | ATL71.DLL |
| Translation: | 0x0409 0x04b0 |
PE数据组成
| 名称 | 虚拟地址 | 虚拟大小 | 原始数据大小 | 特征 | 熵(Entropy) |
|---|---|---|---|---|---|
| .text | 0x00001000 | 0x0000cc34 | 0x0000ce00 | IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ | 6.49 |
| .rdata | 0x0000e000 | 0x0000374d | 0x00003800 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 5.64 |
| .data | 0x00012000 | 0x00001bc0 | 0x00001a00 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE | 4.92 |
| .rsrc | 0x00014000 | 0x00002330 | 0x00002400 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 4.60 |
| .reloc | 0x00017000 | 0x000014ca | 0x00001600 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ | 6.00 |
资源
| 名称 | 偏移量 | 大小 | 语言 | 子语言 | 熵(Entropy) | 文件类型 |
|---|---|---|---|---|---|---|
| TYPELIB | 0x00014130 | 0x00001e34 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 4.81 | data |
| RT_STRING | 0x00016308 | 0x00000026 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 0.70 | data |
| RT_STRING | 0x00016308 | 0x00000026 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 0.70 | data |
| RT_VERSION | 0x00015f68 | 0x00000358 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 3.52 | data |
导入
库 KERNEL32.dll:
• 0x7c12e000 - InterlockedExchange
• 0x7c12e004 - GetACP
• 0x7c12e008 - GetLocaleInfoA
• 0x7c12e00c - GetThreadLocale
• 0x7c12e010 - GetVersionExW
• 0x7c12e014 - RaiseException
• 0x7c12e018 - EnterCriticalSection
• 0x7c12e01c - LeaveCriticalSection
• 0x7c12e020 - InitializeCriticalSection
• 0x7c12e024 - DeleteCriticalSection
• 0x7c12e028 - GetCurrentThreadId
• 0x7c12e02c - lstrlenW
• 0x7c12e030 - lstrcpyW
• 0x7c12e034 - GetLastError
• 0x7c12e038 - DisableThreadLibraryCalls
• 0x7c12e03c - GetVersionExA
• 0x7c12e040 - InterlockedIncrement
• 0x7c12e044 - InterlockedDecrement
• 0x7c12e048 - FreeLibrary
• 0x7c12e04c - MultiByteToWideChar
• 0x7c12e050 - SizeofResource
• 0x7c12e054 - LoadResource
• 0x7c12e058 - FindResourceW
• 0x7c12e05c - LoadLibraryExW
• 0x7c12e060 - lstrcmpiW
• 0x7c12e064 - lstrcpynW
• 0x7c12e068 - CloseHandle
• 0x7c12e06c - ReadFile
• 0x7c12e070 - GetFileSize
• 0x7c12e074 - CreateFileW
• 0x7c12e078 - GetModuleHandleW
• 0x7c12e07c - GetModuleFileNameW
• 0x7c12e080 - WideCharToMultiByte
• 0x7c12e084 - WaitForSingleObject
• 0x7c12e088 - GlobalAlloc
• 0x7c12e08c - FindResourceA
• 0x7c12e090 - MulDiv
• 0x7c12e094 - lstrcatW
• 0x7c12e098 - FlushInstructionCache
• 0x7c12e09c - GetCurrentProcess
• 0x7c12e0a0 - GlobalUnlock
• 0x7c12e0a4 - GlobalLock
• 0x7c12e0a8 - lstrcmpW
• 0x7c12e0ac - SetLastError
• 0x7c12e0b0 - GlobalFree
• 0x7c12e0b4 - GlobalHandle
• 0x7c12e0b8 - LockResource
• 0x7c12e0bc - lstrcmpA
• 0x7c12e0c0 - GetModuleHandleA
• 0x7c12e0c4 - GetTickCount
• 0x7c12e0c8 - LocalAlloc
• 0x7c12e0cc - VirtualQuery
• 0x7c12e0d0 - HeapFree
• 0x7c12e0d4 - GetProcessHeap
• 0x7c12e0d8 - InterlockedCompareExchange
• 0x7c12e0dc - HeapAlloc
• 0x7c12e0e0 - GetProcAddress
• 0x7c12e0e4 - LoadLibraryA
• 0x7c12e0e8 - IsProcessorFeaturePresent
• 0x7c12e0ec - VirtualFree
• 0x7c12e0f0 - VirtualAlloc
• 0x7c12e0f4 - ExitProcess
• 0x7c12e0f8 - HeapSize
• 0x7c12e0fc - DebugBreak
• 0x7c12e100 - HeapReAlloc
• 0x7c12e104 - QueryPerformanceCounter
• 0x7c12e108 - GetCurrentProcessId
• 0x7c12e10c - GetSystemTimeAsFileTime
• 0x7c12e110 - lstrcatA
• 0x7c12e114 - lstrcpyA
• 0x7c12e118 - lstrlenA
• 0x7c12e11c - GetModuleFileNameA
• 0x7c12e120 - RtlUnwind
库 SHLWAPI.dll:
• 0x7c12e128 - PathFindExtensionW
导出
| 序列 | 地址 | 名称 |
|---|---|---|
| 10 | 0x7c124fe7 | AtlAdvise |
| 41 | 0x7c12a0d3 | AtlAxAttachControl |
| 39 | 0x7c129b97 | AtlAxCreateControl |
| 40 | 0x7c1297dd | AtlAxCreateControlEx |
| 59 | 0x7c129800 | AtlAxCreateControlLic |
| 60 | 0x7c12970d | AtlAxCreateControlLicEx |
| 38 | 0x7c12a0b5 | AtlAxCreateDialogA |
| 37 | 0x7c12a097 | AtlAxCreateDialogW |
| 36 | 0x7c12a079 | AtlAxDialogBoxA |
| 35 | 0x7c12a05b | AtlAxDialogBoxW |
| 47 | 0x7c1242cc | AtlAxGetControl |
| 48 | 0x7c124304 | AtlAxGetHost |
| 42 | 0x7c129bb9 | AtlAxWinInit |
| 64 | 0x7c12175d | AtlCallTermFunc |
| 15 | 0x7c1250d2 | AtlComModuleGetClassObject |
| 17 | 0x7c123de3 | AtlComModuleRegisterClassObjects |
| 18 | 0x7c12595f | AtlComModuleRegisterServer |
| 20 | 0x7c123e21 | AtlComModuleRevokeClassObjects |
| 22 | 0x7c1259e5 | AtlComModuleUnregisterServer |
| 30 | 0x7c121187 | AtlComPtrAssign |
| 31 | 0x7c12389a | AtlComQIPtrAssign |
| 61 | 0x7c1234ec | AtlCreateRegistrar |
| 26 | 0x7c124353 | AtlCreateTargetDC |
| 29 | 0x7c124481 | AtlDevModeW2A |
| 12 | 0x7c123d2a | AtlFreeMarshalStream |
| 54 | 0x7c1256a3 | AtlGetObjectSourceInterface |
| 34 | 0x7c123f08 | AtlGetVersion |
| 27 | 0x7c1243c1 | AtlHiMetricToPixel |
| 52 | 0x7c1246da | AtlIPersistPropertyBag_Load |
| 53 | 0x7c1248b6 | AtlIPersistPropertyBag_Save |
| 50 | 0x7c1253ba | AtlIPersistStreamInit_Load |
| 51 | 0x7c12553e | AtlIPersistStreamInit_Save |
| 32 | 0x7c1211e3 | AtlInternalQueryInterface |
| 56 | 0x7c124521 | AtlLoadTypeLib |
| 13 | 0x7c123d54 | AtlMarshalPtrInProc |
| 58 | 0x7c1251a9 | AtlModuleAddTermFunc |
| 28 | 0x7c124423 | AtlPixelToHiMetric |
| 49 | 0x7c124da0 | AtlRegisterClassCategoriesHelper |
| 19 | 0x7c124c8e | AtlRegisterTypeLib |
| 25 | 0x7c125234 | AtlSetErrorInfo |
| 55 | 0x7c124c0b | AtlUnRegisterTypeLib |
| 11 | 0x7c12505e | AtlUnadvise |
| 14 | 0x7c123da4 | AtlUnmarshalPtr |
| 23 | 0x7c12350e | AtlUpdateRegistryFromResourceD |
| 24 | 0x7c123e56 | AtlWaitWithMessageLoop |
| 43 | 0x7c121390 | AtlWinModuleAddCreateWndData |
| 44 | 0x7c1213f1 | AtlWinModuleExtractCreateWndData |
| 65 | 0x7c121284 | AtlWinModuleInit |
| 63 | 0x7c125b49 | AtlWinModuleRegisterClassExA |
| 62 | 0x7c1214dc | AtlWinModuleRegisterClassExW |
| 46 | 0x7c129009 | AtlWinModuleRegisterWndClassInfoA |
| 45 | 0x7c121656 | AtlWinModuleRegisterWndClassInfoW |
| 66 | 0x7c1212e5 | AtlWinModuleTerm |
投放文件
行为分析
互斥量(Mutexes)
- Local\MSCTF.Asm.MutexDefault1
执行的命令
无信息
创建的服务
无信息
启动的服务
无信息
进程
rundll32.exe PID: 2764, 上一级进程 PID: 1784
访问的文件
- C:\Users\test\AppData\Local\Temp\atl71.dll
- C:\Users\test\AppData\Local\Temp\atl71.dll.123.Manifest
- C:\Users\test\AppData\Local\Temp\atl71.dll.124.Manifest
- C:\Users\test\AppData\Local\Temp\atl71.dll.2.Manifest
- C:\Windows\SysWOW64\rundll32.exe
- C:\Windows\Fonts\staticcache.dat
- \Device\KsecDD
- C:\Windows\Globalization\Sorting\sortdefault.nls
读取的文件
- C:\Users\test\AppData\Local\Temp\atl71.dll
- C:\Users\test\AppData\Local\Temp\atl71.dll.123.Manifest
- C:\Users\test\AppData\Local\Temp\atl71.dll.124.Manifest
- C:\Users\test\AppData\Local\Temp\atl71.dll.2.Manifest
- C:\Windows\SysWOW64\rundll32.exe
- C:\Windows\Fonts\staticcache.dat
- \Device\KsecDD
- C:\Windows\Globalization\Sorting\sortdefault.nls
修改的文件
无信息
删除的文件
无信息
注册表键
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\UseFilter
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\atl71.dll
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\WMR
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\\xe5\xbe\xae\xe8\xbd\xaf\xe9\x9b\x85\xe9\xbb\x91
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\rundll32.exe
- HKEY_LOCAL_MACHINE\Software\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{03B5835F-F03C-411B-9CE2-AA23E1171E36}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{07EB03D6-B001-41DF-9192-BF9B841EE71F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3697C5FA-60DD-4B56-92D4-74A569205C16}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3FC47A08-E5C9-4BCA-A2C7-BC9A282AED14}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{531FDEBF-9B4C-4A43-A2AA-960E8FCDC732}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{78CB5B0E-26ED-4FCC-854C-77E8F3D1AA80}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{81D4E9C9-1D3B-41BC-9E6C-4B40BF79E35E}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{8613E14C-D0C0-4161-AC0F-1DD2563286BC}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{A028AE76-01B1-46C2-99C4-ACD9858AE02F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{AE6BE008-07FB-400D-8BEB-337A64F7051F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{C1EE01F2-B3B6-4A6A-9DDD-E988C088EC82}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{E429B25A-E5D3-4D1F-9BE3-0C608477E3A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F25E9F57-2FC8-4EB3-A41A-CCE5F08541E6}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F89E9E58-BD2F-4008-9AC2-0F816C09F4EE}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{FA445657-9379-11D6-B41A-00065B83EE53}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_CURRENT_USER
- HKEY_CURRENT_USER\Keyboard Layout\Toggle
- HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
- HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
- HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
- HKEY_CURRENT_USER\Software\Microsoft\CTF\DirectSwitchHotkeys
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
读取的注册表键
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\UseFilter
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\atl71.dll
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
- HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
- HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
- HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
修改的注册表键
无信息
删除的注册表键
无信息
API解析
- gdi32.dll.GetLayout
- gdi32.dll.GdiRealizationInfo
- gdi32.dll.FontIsLinked
- advapi32.dll.RegOpenKeyExW
- advapi32.dll.RegQueryInfoKeyW
- gdi32.dll.GetTextFaceAliasW
- advapi32.dll.RegEnumValueW
- advapi32.dll.RegCloseKey
- advapi32.dll.RegQueryValueExW
- advapi32.dll.RegQueryValueExA
- advapi32.dll.RegEnumKeyExW
- uxtheme.dll.ThemeInitApiHook
- user32.dll.IsProcessDPIAware
- dwmapi.dll.DwmIsCompositionEnabled
- gdi32.dll.GdiIsMetaPrintDC
- ole32.dll.CoInitializeEx
- ole32.dll.CoUninitialize
- cryptbase.dll.SystemFunction036
- ole32.dll.CoRegisterInitializeSpy
- ole32.dll.CoRevokeInitializeSpy
- kernel32.dll.SortGetHandle
- kernel32.dll.SortCloseHandle