魔盾安全分析报告
| 分析类型 | 开始时间 | 结束时间 | 持续时间 | 分析引擎版本 |
|---|---|---|---|---|
| FILE | 2018-02-20 12:05:00 | 2018-02-20 12:07:27 | 147 秒 | 1.4-Maldun |
| 虚拟机机器名 | 标签 | 虚拟机管理 | 开机时间 | 关机时间 |
|---|---|---|---|---|
| win7-sp1-x64-hpdapp01-1 | win7-sp1-x64-hpdapp01-1 | KVM | 2018-02-20 12:05:04 | 2018-02-20 12:07:26 |
| 魔盾分数 |
|---|
0.55正常的 |
文件详细信息
| 文件名 | MusicDownMan.exe |
|---|---|
| 文件大小 | 字节 |
| 文件类型 | |
| CRC32 | |
| MD5 | |
| SHA1 | |
| SHA256 | |
| SHA512 | |
| Ssdeep | |
| PEiD | 无匹配 |
| Yara | 无Yara规则匹配 |
| VirusTotal | VirusTotal查询失败 |
特征
投放了一个或多个文件
file: c:\users\test\appdata\local\gdipfontcachev1.dat
创建RWX内存
运行截图
网络分析
静态分析
投放文件
GDIPFONTCACHEV1.DAT
| 文件名 | GDIPFONTCACHEV1.DAT |
|---|---|
| 相关文件 |
|
| 文件大小 | 114272 bytes |
| 文件类型 | data |
| MD5 | 2262103813c49a07c65813bb58143c21 |
| SHA1 | a1e4a613f51e8e57592464c61cc271f2fecec4f2 |
| SHA256 | ac3bd52d544a061ee8c90fa787f07af9d01a0c5a72981ed8172617b210798d31 |
| SHA512 | 56e78d1556d3240f80d9168c035ac2a2db9b3d60f5e9865c9eeeb072c33c93785b3f8addb7b11c1e4f142f4d56946ab7b68e1ce0058f5892eef7696623e453f2 |
| Ssdeep | 1536:mLKAaE8z5wHgTlyhAQcDnBlC+X886UMMDbEDuezh:moiuzBzXGMDezh |
| VirusTotal | 搜索相关分析 |
行为分析
互斥量(Mutexes)
- Local\MSCTF.Asm.MutexDefault1
执行的命令
无信息
创建的服务
无信息
启动的服务
无信息
进程
MusicDownMan.exe PID: 1548, 上一级进程 PID: 1236
访问的文件
- C:\Windows\Globalization\Sorting\sortdefault.nls
- C:\Users\test\AppData\Local\GDIPFONTCACHEV1.DAT
- C:\Windows\Fonts\AGENCYR.TTF
- C:\Windows\Fonts\simsun.ttc
- C:\Windows\System32\msxml3.dll\1
- C:\Windows\System32\msxml3.dll
- C:\Windows\SysWOW64\stdole2.tlb
- C:\Users\test\AppData\Local\Temp\downsongs
- C:\Users\test\AppData\Local\Temp\data
- C:\Users\test\AppData\Local\Temp\data\settings.ini
- C:\Users\test\AppData\Local\Temp\Plugin\xldown\xldl.dll
- C:\Windows\System32\Plugin\xldown\xldl.dll
- C:\Windows\system\Plugin\xldown\xldl.dll
- C:\Windows\Plugin\xldown\xldl.dll
- C:\ProgramData\Oracle\Java\javapath\Plugin\xldown\xldl.dll
- C:\Windows\System32\wbem\Plugin\xldown\xldl.dll
- C:\Windows\System32\WindowsPowerShell\v1.0\Plugin\xldown\xldl.dll
- C:\Program Files (x86)\WinRAR\Plugin\xldown\xldl.dll
- C:\Windows\Fonts\staticcache.dat
读取的文件
- C:\Windows\Globalization\Sorting\sortdefault.nls
- C:\Users\test\AppData\Local\GDIPFONTCACHEV1.DAT
- C:\Windows\Fonts\simsun.ttc
- C:\Windows\System32\msxml3.dll\1
- C:\Windows\System32\msxml3.dll
- C:\Windows\SysWOW64\stdole2.tlb
- C:\Users\test\AppData\Local\Temp\data\settings.ini
- C:\Windows\Fonts\staticcache.dat
修改的文件
- C:\Users\test\AppData\Local\GDIPFONTCACHEV1.DAT
删除的文件
无信息
注册表键
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Fonts
- HKEY_CURRENT_USER\Software\Microsoft\GDIPlus
- HKEY_CURRENT_USER\Software\Microsoft\GDIPlus\FontCachePath
- HKEY_CURRENT_USER\Software\Classes
- HKEY_CURRENT_USER\Software\Classes\TypeLib
- HKEY_CURRENT_USER\Software\Classes\TypeLib\{00020430-0000-0000-C000-000000000046}
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0\win32
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0\win32\(Default)
- HKEY_CLASSES_ROOT\CLSID\{FAE3D380-FEA4-4623-8C75-C6B61110B681}\Instance
- HKEY_CLASSES_ROOT\CLSID\{FAE3D380-FEA4-4623-8C75-C6B61110B681}\Instance\Disabled
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane1
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane2
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane3
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane4
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane5
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane6
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane7
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane8
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane9
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane10
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane11
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane12
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane13
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane14
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane15
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane16
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\MusicDownMan.exe
- HKEY_LOCAL_MACHINE\Software\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{03B5835F-F03C-411B-9CE2-AA23E1171E36}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{07EB03D6-B001-41DF-9192-BF9B841EE71F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3697C5FA-60DD-4B56-92D4-74A569205C16}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3FC47A08-E5C9-4BCA-A2C7-BC9A282AED14}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{531FDEBF-9B4C-4A43-A2AA-960E8FCDC732}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{78CB5B0E-26ED-4FCC-854C-77E8F3D1AA80}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{81D4E9C9-1D3B-41BC-9E6C-4B40BF79E35E}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{8613E14C-D0C0-4161-AC0F-1DD2563286BC}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{A028AE76-01B1-46C2-99C4-ACD9858AE02F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{AE6BE008-07FB-400D-8BEB-337A64F7051F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{C1EE01F2-B3B6-4A6A-9DDD-E988C088EC82}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{E429B25A-E5D3-4D1F-9BE3-0C608477E3A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F25E9F57-2FC8-4EB3-A41A-CCE5F08541E6}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F89E9E58-BD2F-4008-9AC2-0F816C09F4EE}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_CURRENT_USER
- HKEY_CURRENT_USER\Keyboard Layout\Toggle
- HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
- HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
- HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
- HKEY_CURRENT_USER\Software\Microsoft\CTF\DirectSwitchHotkeys
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
- HKEY_CURRENT_USER\Software\Microsoft\CTF\LayoutIcon\0804\00000804
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\KnownClasses
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
读取的注册表键
- HKEY_CURRENT_USER\Software\Microsoft\GDIPlus\FontCachePath
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0\win32\(Default)
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane1
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane2
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane3
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane4
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane5
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane6
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane7
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane8
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane9
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane10
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane11
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane12
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane13
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane14
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane15
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane16
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
- HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
- HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
- HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
修改的注册表键
无信息
删除的注册表键
无信息
API解析
- kernel32.dll.LCMapStringA
- kernel32.dll.LoadLibraryA
- kernel32.dll.FreeLibrary
- kernel32.dll.GetCommandLineA
- kernel32.dll.GetLocalTime
- kernel32.dll.FormatMessageA
- kernel32.dll.GetUserDefaultLCID
- kernel32.dll.CreateFileA
- kernel32.dll.GetFileSize
- kernel32.dll.ReadFile
- kernel32.dll.FindClose
- kernel32.dll.FindFirstFileA
- kernel32.dll.FindNextFileA
- kernel32.dll.WritePrivateProfileStringA
- kernel32.dll.GetPrivateProfileStringA
- kernel32.dll.CreateDirectoryA
- kernel32.dll.GetModuleFileNameA
- kernel32.dll.IsBadReadPtr
- kernel32.dll.HeapReAlloc
- kernel32.dll.ExitProcess
- kernel32.dll.GetModuleHandleA
- kernel32.dll.lstrcmpW
- kernel32.dll.HeapCreate
- kernel32.dll.HeapDestroy
- kernel32.dll.RtlZeroMemory
- kernel32.dll.InterlockedDecrement
- kernel32.dll.InterlockedIncrement
- kernel32.dll.HeapAlloc
- kernel32.dll.LocalSize
- kernel32.dll.GlobalSize
- kernel32.dll.RtlMoveMemory
- kernel32.dll.FreeResource
- kernel32.dll.SizeofResource
- kernel32.dll.LockResource
- kernel32.dll.LoadResource
- kernel32.dll.FindResourceA
- kernel32.dll.GetNativeSystemInfo
- kernel32.dll.GetProcessHeap
- kernel32.dll.MoveFileW
- kernel32.dll.lstrlenW
- kernel32.dll.GetModuleHandleW
- kernel32.dll.CreateThread
- kernel32.dll.CloseHandle
- kernel32.dll.SetWaitableTimer
- kernel32.dll.CreateWaitableTimerW
- kernel32.dll.HeapFree
- kernel32.dll.GlobalFree
- kernel32.dll.GlobalUnlock
- kernel32.dll.GlobalLock
- kernel32.dll.GlobalAlloc
- kernel32.dll.MultiByteToWideChar
- kernel32.dll.WideCharToMultiByte
- kernel32.dll.SetStdHandle
- kernel32.dll.IsBadCodePtr
- kernel32.dll.GetStringTypeW
- kernel32.dll.GetStringTypeA
- kernel32.dll.SetUnhandledExceptionFilter
- kernel32.dll.IsBadWritePtr
- kernel32.dll.LCMapStringW
- kernel32.dll.GetEnvironmentVariableA
- kernel32.dll.GetFileType
- kernel32.dll.GetStdHandle
- kernel32.dll.SetHandleCount
- kernel32.dll.GetEnvironmentStringsW
- kernel32.dll.GetEnvironmentStrings
- kernel32.dll.FreeEnvironmentStringsW
- kernel32.dll.FreeEnvironmentStringsA
- kernel32.dll.UnhandledExceptionFilter
- kernel32.dll.GetACP
- kernel32.dll.HeapSize
- kernel32.dll.RaiseException
- kernel32.dll.TerminateProcess
- kernel32.dll.RtlUnwind
- kernel32.dll.GetStartupInfoA
- kernel32.dll.GetOEMCP
- kernel32.dll.GetCPInfo
- kernel32.dll.FlushFileBuffers
- kernel32.dll.SetFilePointer
- kernel32.dll.WriteFile
- kernel32.dll.SetErrorMode
- kernel32.dll.GetProcessVersion
- kernel32.dll.GetVersion
- kernel32.dll.GlobalGetAtomNameA
- kernel32.dll.GlobalAddAtomA
- kernel32.dll.GlobalFindAtomA
- kernel32.dll.SetLastError
- kernel32.dll.lstrcpyA
- kernel32.dll.lstrcatA
- kernel32.dll.GlobalFlags
- kernel32.dll.MulDiv
- kernel32.dll.lstrcpynA
- kernel32.dll.TlsGetValue
- kernel32.dll.LocalReAlloc
- kernel32.dll.TlsSetValue
- kernel32.dll.EnterCriticalSection
- kernel32.dll.GlobalReAlloc
- kernel32.dll.LeaveCriticalSection
- kernel32.dll.TlsFree
- kernel32.dll.GlobalHandle
- kernel32.dll.DeleteCriticalSection
- kernel32.dll.TlsAlloc
- kernel32.dll.InitializeCriticalSection
- kernel32.dll.LocalFree
- kernel32.dll.LocalAlloc
- kernel32.dll.GetTickCount
- kernel32.dll.GlobalDeleteAtom
- kernel32.dll.lstrcmpA
- kernel32.dll.lstrcmpiA
- kernel32.dll.GetCurrentThread
- kernel32.dll.GetCurrentThreadId
- kernel32.dll.GetCurrentProcess
- kernel32.dll.GetLastError
- kernel32.dll.GetVersionExA
- kernel32.dll.lstrlenA
- kernel32.dll.GetProcAddress
- kernel32.dll.VirtualFree
- kernel32.dll.VirtualAlloc
- advapi32.dll.RegCloseKey
- advapi32.dll.RegCreateKeyExA
- advapi32.dll.RegOpenKeyExA
- advapi32.dll.RegSetValueExA
- comctl32.dll.#17
- gdi32.dll.ScaleViewportExtEx
- gdi32.dll.SetWindowExtEx
- gdi32.dll.TextOutA
- gdi32.dll.GetClipBox
- gdi32.dll.SetViewportExtEx
- gdi32.dll.GetDeviceCaps
- gdi32.dll.BitBlt
- gdi32.dll.CreateCompatibleDC
- gdi32.dll.CreateDIBSection
- gdi32.dll.SelectObject
- gdi32.dll.DeleteObject
- gdi32.dll.DeleteDC
- gdi32.dll.CreateRoundRectRgn
- gdi32.dll.CreateRectRgn
- gdi32.dll.GetDIBits
- gdi32.dll.GetObjectA
- gdi32.dll.GetStockObject
- gdi32.dll.SetViewportOrgEx
- gdi32.dll.OffsetViewportOrgEx
- gdi32.dll.SetMapMode
- gdi32.dll.SetTextColor
- gdi32.dll.SetBkColor
- gdi32.dll.RestoreDC
- gdi32.dll.SaveDC
- gdi32.dll.CreateBitmap
- gdi32.dll.RectVisible
- gdi32.dll.PtVisible
- gdi32.dll.ScaleWindowExtEx
- gdi32.dll.Escape
- gdi32.dll.ExtTextOutA
- gdiplus.dll.GdipDrawPolygon
- gdiplus.dll.GdipFillPolygon
- gdiplus.dll.GdipCreatePen2
- gdiplus.dll.GdipCreateLineBrush
- gdiplus.dll.GdipFillPath
- gdiplus.dll.GdipGetFamilyName
- gdiplus.dll.GdipGetFontSize
- gdiplus.dll.GdipGetFontStyle
- gdiplus.dll.GdipCreateFont
- gdiplus.dll.GdipCreateFontFamilyFromName
- gdiplus.dll.GdipDeleteFontFamily
- gdiplus.dll.GdipDeleteFont
- gdiplus.dll.GdipMeasureString
- gdiplus.dll.GdipGetImagePixelFormat
- gdiplus.dll.GdipCloneBitmapArea
- gdiplus.dll.GdipGetImageWidth
- gdiplus.dll.GdipGetImageHeight
- gdiplus.dll.GdipDrawImageRectRect
- gdiplus.dll.GdipDisposeImage
- gdiplus.dll.GdipFillRectangle
- gdiplus.dll.GdipDeleteBrush
- gdiplus.dll.GdipCreateSolidFill
- gdiplus.dll.GdipDeletePen
- gdiplus.dll.GdipGetPropertyItemSize
- gdiplus.dll.GdipCreateImageAttributes
- gdiplus.dll.GdipSetClipRegion
- gdiplus.dll.GdipSetClipRect
- gdiplus.dll.GdipCreatePathGradientFromPath
- gdiplus.dll.GdipSetPenDashStyle
- gdiplus.dll.GdipResetClip
- gdiplus.dll.GdipGetTextRenderingHint
- gdiplus.dll.GdipSetTextRenderingHint
- gdiplus.dll.GdipDeleteGraphics
- gdiplus.dll.GdipCreateFromHDC
- gdiplus.dll.GdipGetSmoothingMode
- gdiplus.dll.GdipSetSmoothingMode
- gdiplus.dll.GdipGraphicsClear
- gdiplus.dll.GdipBitmapLockBits
- gdiplus.dll.GdipBitmapUnlockBits
- gdiplus.dll.GdipDrawImageRect
- gdiplus.dll.GdipCreateStringFormat
- gdiplus.dll.GdipSetStringFormatHotkeyPrefix
- gdiplus.dll.GdipDeleteStringFormat
- gdiplus.dll.GdipCreateLineBrushFromRect
- gdiplus.dll.GdipGetFontHeight
- gdiplus.dll.GdipDrawString
- gdiplus.dll.GdipCreateBitmapFromScan0
- gdiplus.dll.GdipGetImageGraphicsContext
- gdiplus.dll.GdipSetCompositingQuality
- gdiplus.dll.GdipSetInterpolationMode
- gdiplus.dll.GdipSetStringFormatAlign
- gdiplus.dll.GdipSetStringFormatTrimming
- gdiplus.dll.GdipSetStringFormatFlags
- gdiplus.dll.GdipGetStringFormatAlign
- gdiplus.dll.GdipGetStringFormatTrimming
- gdiplus.dll.GdipGetCompositingQuality
- gdiplus.dll.GdipCreateHBITMAPFromBitmap
- gdiplus.dll.GdipDrawRectangle
- gdiplus.dll.GdipGetPropertyItem
- gdiplus.dll.GdipLoadImageFromStream
- gdiplus.dll.GdiplusStartup
- gdiplus.dll.GdipSaveImageToStream
- gdiplus.dll.GdipGetStringFormatFlags
- gdiplus.dll.GdipImageSelectActiveFrame
- gdiplus.dll.GdipGetImageEncodersSize
- gdiplus.dll.GdipGetImageEncoders
- gdiplus.dll.GdipSetStringFormatMeasurableCharacterRanges
- gdiplus.dll.GdipCreateRegion
- gdiplus.dll.GdipMeasureCharacterRanges
- gdiplus.dll.GdipGetRegionBounds
- gdiplus.dll.GdipDeleteRegion
- gdiplus.dll.GdipCreateRegionHrgn
- gdiplus.dll.GdipClosePathFigure
- gdiplus.dll.GdipAddPathArc
- gdiplus.dll.GdipCreatePath
- gdiplus.dll.GdipDeletePath
- gdiplus.dll.GdipDrawPath
- gdiplus.dll.GdipImageGetFrameCount
- imm32.dll.ImmAssociateContext
- imm32.dll.ImmGetContext
- ole32.dll.CoRevokeClassObject
- ole32.dll.OleFlushClipboard
- ole32.dll.OleIsCurrentClipboard
- ole32.dll.CoRegisterMessageFilter
- ole32.dll.CoFreeUnusedLibraries
- ole32.dll.OleUninitialize
- ole32.dll.OleInitialize
- ole32.dll.CLSIDFromProgID
- ole32.dll.CoCreateInstance
- ole32.dll.OleRun
- ole32.dll.CoUninitialize
- ole32.dll.CoInitialize
- ole32.dll.StringFromGUID2
- ole32.dll.CLSIDFromString
- ole32.dll.CreateStreamOnHGlobal
- oleaut32.dll.#12
- oleaut32.dll.#8
- oleaut32.dll.#36
- oleaut32.dll.#37
- oleaut32.dll.#10
- oleaut32.dll.#17
- oleaut32.dll.#20
- oleaut32.dll.#19
- oleaut32.dll.#23
- oleaut32.dll.#24
- oleaut32.dll.#18
- oleaut32.dll.#6
- oleaut32.dll.#82
- oleaut32.dll.#86
- oleaut32.dll.#161
- oleaut32.dll.#165
- oleaut32.dll.#163
- oleaut32.dll.#15
- oleaut32.dll.#2
- oleaut32.dll.#9
- oleaut32.dll.#16
- oleaut32.dll.#418
- oledlg.dll.#8
- shell32.dll.Shell_NotifyIconW
- shell32.dll.ShellExecuteA
- shell32.dll.SHGetMalloc
- shell32.dll.SHBrowseForFolderA
- shell32.dll.SHGetPathFromIDListA
- shlwapi.dll.StrToIntW
- shlwapi.dll.PathFileExistsA
- shlwapi.dll.StrToIntExW
- shlwapi.dll.PathFindFileNameA
- shlwapi.dll.PathFindExtensionA
- user32.dll.EnableMenuItem
- user32.dll.CreateIconFromResourceEx
- user32.dll.CopyImage
- user32.dll.EndDialog
- user32.dll.CreateDialogIndirectParamA
- user32.dll.DestroyMenu
- user32.dll.PostThreadMessageA
- user32.dll.UnregisterClassA
- user32.dll.LoadStringA
- user32.dll.GetSysColorBrush
- user32.dll.LoadCursorA
- user32.dll.LoadIconA
- user32.dll.UpdateWindow
- user32.dll.MapWindowPoints
- user32.dll.GetSysColor
- user32.dll.AdjustWindowRectEx
- user32.dll.GetClientRect
- user32.dll.CopyRect
- user32.dll.GetTopWindow
- user32.dll.GetCapture
- user32.dll.WinHelpA
- user32.dll.GetClassInfoA
- user32.dll.RegisterClassA
- user32.dll.GetMenu
- user32.dll.GetSubMenu
- user32.dll.GetMenuItemID
- user32.dll.CreateWindowExA
- user32.dll.GetClassLongA
- user32.dll.CallWindowProcA
- user32.dll.DefWindowProcA
- user32.dll.GetMessageTime
- user32.dll.GetMessagePos
- user32.dll.RegisterWindowMessageA
- user32.dll.GetWindowPlacement
- user32.dll.SetWindowLongA
- user32.dll.IsDialogMessageA
- user32.dll.SendDlgItemMessageA
- user32.dll.GetDlgItem
- user32.dll.GrayStringA
- user32.dll.DrawTextA
- user32.dll.TabbedTextOutA
- user32.dll.PeekMessageA
- user32.dll.GetMessageA
- user32.dll.wsprintfA
- user32.dll.MessageBoxA
- user32.dll.GetWindowTextW
- user32.dll.SetWindowRgn
- user32.dll.GetParent
- user32.dll.GetWindowTextA
- user32.dll.GetClassLongW
- user32.dll.SetPropA
- user32.dll.SetWindowPos
- user32.dll.SetWindowLongW
- user32.dll.SetFocus
- user32.dll.GetFocus
- user32.dll.PostMessageA
- user32.dll.GetSystemMetrics
- user32.dll.OpenIcon
- user32.dll.SetCapture
- user32.dll.EndPaint
- user32.dll.BeginPaint
- user32.dll.ShowWindow
- user32.dll.TrackMouseEvent
- user32.dll.CallWindowProcW
- user32.dll.GetCursorPos
- user32.dll.SetCaretPos
- user32.dll.ReleaseDC
- user32.dll.PtInRect
- user32.dll.SetTimer
- user32.dll.LoadCursorFromFileW
- user32.dll.IsIconic
- user32.dll.IsZoomed
- user32.dll.ReleaseCapture
- user32.dll.UpdateLayeredWindow
- user32.dll.InvalidateRect
- user32.dll.IntersectRect
- user32.dll.GetAsyncKeyState
- user32.dll.KillTimer
- user32.dll.SendMessageA
- user32.dll.SetCursor
- user32.dll.DefWindowProcW
- user32.dll.RegisterClassExW
- user32.dll.LookupIconIdFromDirectoryEx
- user32.dll.LoadCursorW
- user32.dll.DestroyWindow
- user32.dll.DispatchMessageA
- user32.dll.PostMessageW
- user32.dll.RemovePropA
- user32.dll.GetDC
- user32.dll.TranslateMessage
- user32.dll.SetForegroundWindow
- user32.dll.GetMessageW
- user32.dll.GetPropA
- user32.dll.GetClassNameW
- user32.dll.SendMessageW
- user32.dll.CreateWindowExW
- user32.dll.SystemParametersInfoA
- user32.dll.MessageBeep
- user32.dll.SetActiveWindow
- user32.dll.MoveWindow
- user32.dll.GetWindowRect
- user32.dll.IsWindow
- user32.dll.MsgWaitForMultipleObjects
- user32.dll.EnableWindow
- user32.dll.IsWindowEnabled
- user32.dll.GetForegroundWindow
- user32.dll.GetActiveWindow
- user32.dll.PostQuitMessage
- user32.dll.GetWindowLongA
- user32.dll.GetLastActivePopup
- user32.dll.SetWindowsHookExA
- user32.dll.IsWindowVisible
- user32.dll.ValidateRect
- user32.dll.CallNextHookEx
- user32.dll.GetKeyState
- user32.dll.GetNextDlgTabItem
- user32.dll.DispatchMessageW
- user32.dll.CheckMenuItem
- user32.dll.SetMenuItemBitmaps
- user32.dll.ModifyMenuA
- user32.dll.GetMenuState
- user32.dll.LoadBitmapA
- user32.dll.GetMenuCheckMarkDimensions
- user32.dll.RegisterClipboardFormatA
- user32.dll.GetClassNameA
- user32.dll.GetDlgCtrlID
- user32.dll.GetWindow
- user32.dll.ClientToScreen
- user32.dll.SetWindowTextA
- user32.dll.UnhookWindowsHookEx
- user32.dll.GetMenuItemCount
- wininet.dll.HttpOpenRequestA
- wininet.dll.InternetOpenA
- wininet.dll.InternetCloseHandle
- wininet.dll.InternetConnectA
- wininet.dll.HttpSendRequestA
- wininet.dll.InternetReadFile
- wininet.dll.HttpQueryInfoA
- winspool.drv.DocumentPropertiesA
- winspool.drv.ClosePrinter
- winspool.drv.OpenPrinterA
- kernel32.dll.IsProcessorFeaturePresent
- cryptbase.dll.SystemFunction036
- user32.dll.GetWindowInfo
- user32.dll.GetAncestor
- user32.dll.GetMonitorInfoA
- user32.dll.EnumDisplayMonitors
- user32.dll.EnumDisplayDevicesA
- kernel32.dll.SortGetHandle
- kernel32.dll.SortCloseHandle
- gdi32.dll.ExtTextOutW
- gdi32.dll.GdiIsMetaPrintDC
- ntdll.dll.RtlGetNtVersionNumbers
- ntdll.dll.RtlGetNtProductType
- kernel32.dll.RegOpenKeyExW
- kernel32.dll.RegQueryInfoKeyA
- kernel32.dll.RegCloseKey
- kernel32.dll.RegCreateKeyExW
- kernel32.dll.RegQueryValueExW
- kernel32.dll.InitAtomTable
- advapi32.dll.CryptHashData
- atl.dll.#10
- msvcrt.dll.atoi
- shell32.dll.DragFinish
- kernel32.dll.VirtualProtect
- advapi32.dll.CryptDestroyHash
- advapi32.dll.CryptCreateHash
- advapi32.dll.CryptReleaseContext
- advapi32.dll.CryptAcquireContextA
- advapi32.dll.CryptGetHashParam
- atl.dll.#11
- gdiplus.dll.GdipCreateBitmapFromHBITMAP
- gdiplus.dll.GdipCreateBitmapFromHICON
- msvcrt.dll.toupper
- msvcrt.dll.sprintf
- msvcrt.dll.strchr
- msvcrt.dll.??3@YAXPAX@Z
- msvcrt.dll.??2@YAPAXI@Z
- msvcrt.dll._ftol
- msvcrt.dll.tolower
- msvcrt.dll.qsort
- msvcrt.dll._CIfmod
- msvcrt.dll.__CxxFrameHandler
- msvcrt.dll.atof
- msvcrt.dll._atoi64
- msvcrt.dll.strtod
- msvcrt.dll.strncmp
- msvcrt.dll.modf
- msvcrt.dll.memmove
- msvcrt.dll.free
- msvcrt.dll._stricmp
- msvcrt.dll.malloc
- msvcrt.dll._strnicmp
- ole32.dll.StringFromCLSID
- ole32.dll.RegisterDragDrop
- ole32.dll.RevokeDragDrop
- ole32.dll.ReleaseStgMedium
- shell32.dll.DragQueryFileA
- kernel32.dll.FindAtomA
- kernel32.dll.AddAtomA
- cryptsp.dll.CryptAcquireContextA
- cryptsp.dll.CryptHashData
- cryptsp.dll.CryptCreateHash
- cryptsp.dll.CryptGetHashParam
- cryptsp.dll.CryptDestroyHash
- cryptsp.dll.CryptReleaseContext
- msvcrt.dll.strerror
- msvcrt.dll.fflush
- msvcrt.dll._errno
- msvcrt.dll.fopen
- msvcrt.dll.fread
- msvcrt.dll.fprintf
- msvcrt.dll._vsnprintf
- msvcrt.dll.ftell
- msvcrt.dll.fseek
- msvcrt.dll.fclose
- msvcrt.dll.clearerr
- msvcrt.dll._fdopen
- msvcrt.dll._initterm
- msvcrt.dll._adjust_fdiv
- msvcrt.dll.fwrite
- msvcrt.dll.fputc
- kernel32.dll.DisableThreadLibraryCalls
- sxs.dll.SxsOleAut32MapConfiguredClsidToReferenceClsid
- sxs.dll.SxsOleAut32RedirectTypeLibrary
- advapi32.dll.RegOpenKeyW
- advapi32.dll.RegQueryValueW
- ntdll.dll.RtlComputeCrc32
- shell32.dll.StrCmpNA
- windowscodecs.dll.DllGetClassObject
- kernel32.dll.WerRegisterMemoryBlock
- rasapi32.dll.RasConnectionNotificationW
- sechost.dll.NotifyServiceStatusChangeA
- gdi32.dll.GetLayout
- gdi32.dll.GdiRealizationInfo
- gdi32.dll.FontIsLinked
- advapi32.dll.RegOpenKeyExW
- advapi32.dll.RegQueryInfoKeyW
- gdi32.dll.GetTextFaceAliasW
- advapi32.dll.RegEnumValueW
- advapi32.dll.RegQueryValueExW
- advapi32.dll.RegQueryValueExA
- advapi32.dll.RegEnumKeyExW
- gdi32.dll.GetTextExtentExPointWPri
- ole32.dll.CoInitializeEx
- ole32.dll.CoRegisterInitializeSpy
- ole32.dll.CoRevokeInitializeSpy
- oleaut32.dll.SysAllocString
- oleaut32.dll.SysStringLen
- oleaut32.dll.SysFreeString
- rpcrt4.dll.RpcBindingFree