魔盾安全分析报告
| 分析类型 | 开始时间 | 结束时间 | 持续时间 | 分析引擎版本 |
|---|---|---|---|---|
| FILE | 2016-09-06 14:59:02 | 2016-09-06 15:01:16 | 134 秒 | 1.4-Maldun |
| 虚拟机机器名 | 标签 | 虚拟机管理 | 开机时间 | 关机时间 |
|---|---|---|---|---|
| win7-sp1-x64 | win7-sp1-x64 | KVM | 2016-09-06 14:59:02 | 2016-09-06 15:01:16 |
| 魔盾分数 |
|---|
2.8可疑的 |
文件详细信息
| 文件名 | IMSCPROP.EXE |
|---|---|
| 文件大小 | 237976 字节 |
| 文件类型 | PE32+ executable (GUI) x86-64, for MS Windows |
| CRC32 | EB1062D5 |
| MD5 | 585e46c7d4e45b59926fecf27fe5dd55 |
| SHA1 | 4546da12f3466f58b8e34d082c6aa9ee745b2232 |
| SHA256 | da79cdf5a2dc462abe3ce56381ca0f60f657089e95ba712f0050276e8c28c41b |
| SHA512 | 942b0629e1c3e1e4813b24c64084297ce1cd7bf29a5f804b70f763c52194536ee744e7849c811081f25c5c85443973a97418e12de3188027be09b09c20563154 |
| Ssdeep | 6144:a0fjkJR/b951RHnpzOdFiQsOemlhxXriZz:a0fu/B51RHNnOemlhxOZz |
| PEiD | 无匹配 |
| Yara |
|
| VirusTotal |
VirusTotal链接 VirusTotal扫描时间: 2016-03-10 10:18:57 扫描结果: 0/56 |
特征
创建RWX内存
发起了一些HTTP请求
url: http://ss.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTRsWSLjJ8N0Wujis0rUBfV%2Bc%2FAZAQUX2DPYZBV34RDFIpgKrL1evRDGO8CEFYsTGl7at%2BFjHRU%2BpXehLM%3D
url: http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBR8sWZUnKvbRO5iJhat9GV793rVlAQUrb2YejS0Jvf6xCZU7wO94CTLVBoCECdm7lbrSfOOq9dwovyE3iI%3D
url: http://ocsp.msocsp.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBQmECJms4f7i5EbxtN7NbzQCBwAdAQUUa8kJpz0aCJXgCYrO0ZiFXsezKUCE1oAAN43VPPQBXGCMiwAAQAA3jc%3D
url: http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBReAhtobFzTvhaRmVeJ38QUchY9AwQUu69%2BAj36pvE8hI6t7jiY7NkyMtQCEDaCXn%2B1pIGTfvbRc2u5PKY%3D
url: http://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X%2B%2BhEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECECUM6OAwYS6fK4n3BU18%2BP0%3D
url: http://ocsp.comodoca.com/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBQLqIKj6Gi5thHaqKC1ECU9aXsCRQQUmvMr2s%2BtT7YvuypISCoStxtCwSQCEQD0gtB5WgsdpjrFZePtaJt6
url: http://sd.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQMgSk4dLKWKRB%2B2DViUmQEUw3ggwQUDURcFlNEwYJ%2BHSCrJfQBY9i%2BeaUCEFzeRE%2FrSZRDaFn%2BzErlAWw%3D
url: http://ocsp2.globalsign.com/gsorganizationvalg2/MFMwUTBPME0wSzAJBgUrDgMCGgUABBReGXQV%2FtqUV3SNMRE%2Bs25eR%2FvhjwQUXUayjcRLdBy77fVztjq3OI91nn4CEhEhyNkSBZL0u2zY4jc9udsWFw%3D%3D
url: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRJ9L2KGL92BpjF3kAtaDtxauTmhgQUPdNQpdagre7zSmAKZdMh1Pj41g8CEAIwaX55BLru0bCAsau57vM%3D
url: http://ocsp.globalsign.com/rootr1/MEwwSjBIMEYwRDAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCCwQAAAAAAS9O4UUM
url: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEAx5qUSwjBGVIJJhX%2BJrHYM%3D
url: http://sd.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQMgSk4dLKWKRB%2B2DViUmQEUw3ggwQUDURcFlNEwYJ%2BHSCrJfQBY9i%2BeaUCEFulHELau99g31whfW%2B6uJI%3D
url: http://s.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD%2BOyl%2B0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEBkaMst1nJe4z6wRjdUSf0k%3D
url: http://ocsp2.globalsign.com/gsorganizationvalsha2g2/MFMwUTBPME0wSzAJBgUrDgMCGgUABBQMnk2cPe3vhNiR6XLHz4QGvBl7BwQUlt5h8b0cFilTHMDMfTuDAEDmGnwCEhEhGuAGlWtDRHAtLRzCaILaCA%3D%3D
url: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSnR4FoxLLkI7vkvsUIFlZt%2BlGH3gQUWsS5eyoKo6XqcQPAYPkt9mV1DlgCEAnmWtgHuEl7B0nUFWjWJtA%3D
检测到网络活动但没有显示在API日志中
运行截图
网络分析
访问主机记录
| 直接访问 | IP地址 | 国家名 |
|---|---|---|
| 否 | 58.211.137.192 | China |
| 否 | 23.44.155.27 | United States |
| 否 | 198.41.215.183 | United States |
| 否 | 117.18.237.29 | Asia/Pacific Region |
域名解析
| 域名 | 响应 |
|---|---|
| ss.symcd.com |
CNAME ocsp-ds.ws.symantec.com.edgekey.net
CNAME e8218.dscb1.akamaiedge.net A 23.44.155.27 |
| ocsp.msocsp.com |
A 198.41.214.185
CNAME hostedocsp.globalsign.com A 198.41.214.186 A 198.41.214.187 A 198.41.215.183 A 198.41.215.182 A 198.41.215.185 A 198.41.214.183 A 198.41.215.184 A 198.41.215.186 A 198.41.214.184 |
| ocsp.verisign.com | |
| sd.symcd.com | |
| ocsp2.globalsign.com |
CNAME cdn.globalsigncdn.com
A 58.211.137.192 |
| ocsp.digicert.com |
CNAME cs9.wac.phicdn.net
A 117.18.237.29 |
| ocsp.globalsign.com | |
| s.symcd.com |
TCP连接
| IP地址 | 端口 |
|---|---|
| 117.18.237.29 | 80 |
| 117.18.237.29 | 80 |
| 178.255.83.1 | 80 |
| 178.255.83.1 | 80 |
| 178.255.83.1 | 80 |
| 198.41.215.183 | 80 |
| 23.32.241.24 | 80 |
| 23.44.155.27 | 80 |
| 23.44.155.27 | 80 |
| 23.44.155.27 | 80 |
| 23.44.155.27 | 80 |
| 58.211.137.192 | 80 |
| 58.211.137.192 | 80 |
UDP连接
| IP地址 | 端口 |
|---|---|
| 192.168.122.1 | 53 |
| 192.168.122.1 | 53 |
| 192.168.122.1 | 53 |
| 192.168.122.1 | 53 |
| 192.168.122.1 | 53 |
| 192.168.122.1 | 53 |
| 192.168.122.1 | 53 |
| 192.168.122.1 | 53 |
| 192.168.122.1 | 53 |
| 192.168.122.1 | 53 |
| 192.168.122.1 | 53 |
| 192.168.122.1 | 53 |
| 192.168.122.1 | 53 |
| 192.168.122.1 | 53 |
| 192.168.122.1 | 53 |
| 192.168.122.1 | 53 |
| 192.168.122.255 | 137 |
| 192.168.122.255 | 138 |
| 192.168.122.70 | 51435 |
| 224.0.0.252 | 5355 |
| 224.0.0.252 | 5355 |
| 224.0.0.252 | 5355 |
| 224.0.0.252 | 5355 |
| 224.0.0.252 | 5355 |
| 224.0.0.252 | 5355 |
| 224.0.0.252 | 5355 |
| 224.0.0.252 | 5355 |
| 224.0.0.252 | 5355 |
| 224.0.0.252 | 5355 |
| 224.0.0.252 | 5355 |
| 224.0.0.252 | 5355 |
| 224.0.0.252 | 5355 |
| 224.0.0.252 | 5355 |
| 224.0.0.252 | 5355 |
| 224.0.0.252 | 5355 |
| 224.0.0.252 | 5355 |
| 224.0.0.252 | 5355 |
| 224.0.0.252 | 5355 |
| 224.0.0.252 | 5355 |
| 224.0.0.252 | 5355 |
| 224.0.0.252 | 5355 |
| 224.0.0.252 | 5355 |
| 224.0.0.252 | 5355 |
| 224.0.0.252 | 5355 |
| 224.0.0.252 | 5355 |
| 224.0.0.252 | 5355 |
| 224.0.0.252 | 5355 |
| 224.0.0.252 | 5355 |
| 224.0.0.252 | 5355 |
| 224.0.0.252 | 5355 |
| 224.0.0.252 | 5355 |
| 224.0.0.252 | 5355 |
| 224.0.0.252 | 5355 |
| 224.0.0.252 | 5355 |
| 239.255.255.250 | 1900 |
| 52.169.179.91 | 123 |
HTTP请求
| URL | HTTP数据 |
|---|---|
| http://www.msftncsi.com/ncsi.txt | GET /ncsi.txt HTTP/1.1 Connection: Close User-Agent: Microsoft NCSI Host: www.msftncsi.com |
| http://ss.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTRsWSLjJ8N0Wujis0rUBfV%2Bc%2FAZAQUX2DPYZBV34RDFIpgKrL1evRDGO8CEFYsTGl7at%2BFjHRU%2BpXehLM%3D | GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTRsWSLjJ8N0Wujis0rUBfV%2Bc%2FAZAQUX2DPYZBV34RDFIpgKrL1evRDGO8CEFYsTGl7at%2BFjHRU%2BpXehLM%3D HTTP/1.1 Cache-Control: max-age = 386960 Connection: Keep-Alive Accept: */* If-Modified-Since: Thu, 21 Jan 2016 20:44:27 GMT User-Agent: Microsoft-CryptoAPI/6.1 Host: ss.symcd.com |
| http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBR8sWZUnKvbRO5iJhat9GV793rVlAQUrb2YejS0Jvf6xCZU7wO94CTLVBoCECdm7lbrSfOOq9dwovyE3iI%3D | GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBR8sWZUnKvbRO5iJhat9GV793rVlAQUrb2YejS0Jvf6xCZU7wO94CTLVBoCECdm7lbrSfOOq9dwovyE3iI%3D HTTP/1.1 Cache-Control: max-age = 311241 Connection: Keep-Alive Accept: */* If-Modified-Since: Sat, 23 Jan 2016 23:57:39 GMT User-Agent: Microsoft-CryptoAPI/6.1 Host: ocsp.usertrust.com |
| http://ocsp.msocsp.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBQmECJms4f7i5EbxtN7NbzQCBwAdAQUUa8kJpz0aCJXgCYrO0ZiFXsezKUCE1oAAN43VPPQBXGCMiwAAQAA3jc%3D | GET /MFQwUjBQME4wTDAJBgUrDgMCGgUABBQmECJms4f7i5EbxtN7NbzQCBwAdAQUUa8kJpz0aCJXgCYrO0ZiFXsezKUCE1oAAN43VPPQBXGCMiwAAQAA3jc%3D HTTP/1.1 Cache-Control: max-age = 10800 Connection: Keep-Alive Accept: */* If-Modified-Since: Sun, 24 Jan 2016 06:30:15 GMT If-None-Match: "77a3ed05d7337d023a726d1efae9caf1857cedc9" User-Agent: Microsoft-CryptoAPI/6.1 Host: ocsp.msocsp.com |
| http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBReAhtobFzTvhaRmVeJ38QUchY9AwQUu69%2BAj36pvE8hI6t7jiY7NkyMtQCEDaCXn%2B1pIGTfvbRc2u5PKY%3D | GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBReAhtobFzTvhaRmVeJ38QUchY9AwQUu69%2BAj36pvE8hI6t7jiY7NkyMtQCEDaCXn%2B1pIGTfvbRc2u5PKY%3D HTTP/1.1 Cache-Control: max-age = 311240 Connection: Keep-Alive Accept: */* If-Modified-Since: Sat, 23 Jan 2016 23:57:39 GMT User-Agent: Microsoft-CryptoAPI/6.1 Host: ocsp.comodoca.com |
| http://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X%2B%2BhEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECECUM6OAwYS6fK4n3BU18%2BP0%3D | GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X%2B%2BhEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECECUM6OAwYS6fK4n3BU18%2BP0%3D HTTP/1.1 Cache-Control: max-age = 603676 Connection: Keep-Alive Accept: */* If-Modified-Since: Sun, 24 Jan 2016 08:43:57 GMT User-Agent: Microsoft-CryptoAPI/6.1 Host: ocsp.verisign.com |
| http://ocsp.comodoca.com/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBQLqIKj6Gi5thHaqKC1ECU9aXsCRQQUmvMr2s%2BtT7YvuypISCoStxtCwSQCEQD0gtB5WgsdpjrFZePtaJt6 | GET /MFIwUDBOMEwwSjAJBgUrDgMCGgUABBQLqIKj6Gi5thHaqKC1ECU9aXsCRQQUmvMr2s%2BtT7YvuypISCoStxtCwSQCEQD0gtB5WgsdpjrFZePtaJt6 HTTP/1.1 Cache-Control: max-age = 334227 Connection: Keep-Alive Accept: */* If-Modified-Since: Sun, 24 Jan 2016 06:20:47 GMT User-Agent: Microsoft-CryptoAPI/6.1 Host: ocsp.comodoca.com |
| http://sd.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQMgSk4dLKWKRB%2B2DViUmQEUw3ggwQUDURcFlNEwYJ%2BHSCrJfQBY9i%2BeaUCEFzeRE%2FrSZRDaFn%2BzErlAWw%3D | GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBQMgSk4dLKWKRB%2B2DViUmQEUw3ggwQUDURcFlNEwYJ%2BHSCrJfQBY9i%2BeaUCEFzeRE%2FrSZRDaFn%2BzErlAWw%3D HTTP/1.1 Cache-Control: max-age = 533948 Connection: Keep-Alive Accept: */* If-Modified-Since: Sat, 23 Jan 2016 13:34:51 GMT User-Agent: Microsoft-CryptoAPI/6.1 Host: sd.symcd.com |
| http://ocsp2.globalsign.com/gsorganizationvalg2/MFMwUTBPME0wSzAJBgUrDgMCGgUABBReGXQV%2FtqUV3SNMRE%2Bs25eR%2FvhjwQUXUayjcRLdBy77fVztjq3OI91nn4CEhEhyNkSBZL0u2zY4jc9udsWFw%3D%3D | GET /gsorganizationvalg2/MFMwUTBPME0wSzAJBgUrDgMCGgUABBReGXQV%2FtqUV3SNMRE%2Bs25eR%2FvhjwQUXUayjcRLdBy77fVztjq3OI91nn4CEhEhyNkSBZL0u2zY4jc9udsWFw%3D%3D HTTP/1.1 Cache-Control: max-age = 180 Connection: Keep-Alive Accept: */* If-Modified-Since: Sun, 24 Jan 2016 08:12:59 GMT User-Agent: Microsoft-CryptoAPI/6.1 Host: ocsp2.globalsign.com |
| http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRJ9L2KGL92BpjF3kAtaDtxauTmhgQUPdNQpdagre7zSmAKZdMh1Pj41g8CEAIwaX55BLru0bCAsau57vM%3D | GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBRJ9L2KGL92BpjF3kAtaDtxauTmhgQUPdNQpdagre7zSmAKZdMh1Pj41g8CEAIwaX55BLru0bCAsau57vM%3D HTTP/1.1 Cache-Control: max-age = 513914 Connection: Keep-Alive Accept: */* If-Modified-Since: Sun, 24 Jan 2016 04:05:14 GMT If-None-Match: "56a44d7a-1d7" User-Agent: Microsoft-CryptoAPI/6.1 Host: ocsp.digicert.com |
| http://ocsp.globalsign.com/rootr1/MEwwSjBIMEYwRDAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCCwQAAAAAAS9O4UUM | GET /rootr1/MEwwSjBIMEYwRDAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCCwQAAAAAAS9O4UUM HTTP/1.1 Cache-Control: max-age = 10800 Connection: Keep-Alive Accept: */* If-Modified-Since: Sun, 24 Jan 2016 06:40:24 GMT If-None-Match: "1be626cf99d21b40b0ac46e272f28ef043bd829a" User-Agent: Microsoft-CryptoAPI/6.1 Host: ocsp.globalsign.com |
| http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEAx5qUSwjBGVIJJhX%2BJrHYM%3D | GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEAx5qUSwjBGVIJJhX%2BJrHYM%3D HTTP/1.1 Cache-Control: max-age = 500863 Connection: Keep-Alive Accept: */* If-Modified-Since: Sat, 23 Jan 2016 22:46:14 GMT If-None-Match: "56a402b6-1d7" User-Agent: Microsoft-CryptoAPI/6.1 Host: ocsp.digicert.com |
| http://sd.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQMgSk4dLKWKRB%2B2DViUmQEUw3ggwQUDURcFlNEwYJ%2BHSCrJfQBY9i%2BeaUCEFulHELau99g31whfW%2B6uJI%3D | GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBQMgSk4dLKWKRB%2B2DViUmQEUw3ggwQUDURcFlNEwYJ%2BHSCrJfQBY9i%2BeaUCEFulHELau99g31whfW%2B6uJI%3D HTTP/1.1 Cache-Control: max-age = 582766 Connection: Keep-Alive Accept: */* If-Modified-Since: Sun, 24 Jan 2016 03:09:24 GMT User-Agent: Microsoft-CryptoAPI/6.1 Host: sd.symcd.com |
| http://s.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD%2BOyl%2B0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEBkaMst1nJe4z6wRjdUSf0k%3D | GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD%2BOyl%2B0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEBkaMst1nJe4z6wRjdUSf0k%3D HTTP/1.1 Cache-Control: max-age = 584283 Connection: Keep-Alive Accept: */* If-Modified-Since: Sun, 24 Jan 2016 03:35:04 GMT User-Agent: Microsoft-CryptoAPI/6.1 Host: s.symcd.com |
| http://ocsp2.globalsign.com/gsorganizationvalsha2g2/MFMwUTBPME0wSzAJBgUrDgMCGgUABBQMnk2cPe3vhNiR6XLHz4QGvBl7BwQUlt5h8b0cFilTHMDMfTuDAEDmGnwCEhEhGuAGlWtDRHAtLRzCaILaCA%3D%3D | GET /gsorganizationvalsha2g2/MFMwUTBPME0wSzAJBgUrDgMCGgUABBQMnk2cPe3vhNiR6XLHz4QGvBl7BwQUlt5h8b0cFilTHMDMfTuDAEDmGnwCEhEhGuAGlWtDRHAtLRzCaILaCA%3D%3D HTTP/1.1 Cache-Control: max-age = 180 Connection: Keep-Alive Accept: */* If-Modified-Since: Sun, 24 Jan 2016 03:25:57 GMT User-Agent: Microsoft-CryptoAPI/6.1 Host: ocsp2.globalsign.com |
| http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSnR4FoxLLkI7vkvsUIFlZt%2BlGH3gQUWsS5eyoKo6XqcQPAYPkt9mV1DlgCEAnmWtgHuEl7B0nUFWjWJtA%3D | GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSnR4FoxLLkI7vkvsUIFlZt%2BlGH3gQUWsS5eyoKo6XqcQPAYPkt9mV1DlgCEAnmWtgHuEl7B0nUFWjWJtA%3D HTTP/1.1 Cache-Control: max-age = 510937 Connection: Keep-Alive Accept: */* If-Modified-Since: Sun, 24 Jan 2016 01:36:05 GMT If-None-Match: "56a42a85-1d7" User-Agent: Microsoft-CryptoAPI/6.1 Host: ocsp.digicert.com |
静态分析
PE 信息
| 初始地址 | 0x140000000 |
|---|---|
| 入口地址 | 0x140011860 |
| 声明校验值 | 0x0003bde0 |
| 实际校验值 | 0x0003bde0 |
| 最低操作系统版本要求 | 5.2 |
| PDB路径 | t:\ime\x64\ship\0\imscprop.pdb\x00\ship\0\imscprop.exe\bbtopt\imscpropO.pdb |
| 编译时间 | 2010-01-21 16:22:08 |
| 图标 |  |
| 图标精确哈希值 | 68b8d3cad94c2bf59d5de7523e98491e |
| 图标相似性哈希值 | e7a241e75fa02822c9e97888a199d797 |
版本信息
| LegalCopyright: | \xa9 2010 Microsoft Corporation. All rights reserved. |
| InternalName: | IMSCPROP |
| FileVersion: | 14.0.4734.1000 |
| CompanyName: | Microsoft Corporation |
| LegalTrademarks: | Microsoft(R) is a registered trademark of Microsoft Corporation. Windows(R) is a registered trademark of Microsoft Corporation. |
| ProductName: | Microsoft Office IME 2010 |
| ProductVersion: | 14.0.4734.1000 |
| FileDescription: | Microsoft Office Pinyin IME Property Setting |
| OriginalFilename: | IMSCPROP.EXE |
| Translation: | 0x0000 0x04e4 |
PE数据组成
| 名称 | 虚拟地址 | 虚拟大小 | 原始数据大小 | 特征 | 熵(Entropy) |
|---|---|---|---|---|---|
| .text | 0x00001000 | 0x00016bfd | 0x00016c00 | IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ | 6.18 |
| .rdata | 0x00018000 | 0x00008a48 | 0x00008c00 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 4.54 |
| .data | 0x00021000 | 0x00000f80 | 0x00000800 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE | 3.37 |
| .pdata | 0x00022000 | 0x00001aa0 | 0x00001c00 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 4.87 |
| .rsrc | 0x00024000 | 0x0001666c | 0x00016800 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 5.40 |
| .reloc | 0x0003b000 | 0x000000d0 | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ | 2.80 |
覆盖
| 偏移量: | 0x00038a00 |
| 大小: | 0x00001798 |
资源
| 名称 | 偏移量 | 大小 | 语言 | 子语言 | 熵(Entropy) | 文件类型 |
|---|---|---|---|---|---|---|
| RT_ICON | 0x00033690 | 0x00000128 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 2.98 | GLS_BINARY_LSB_FIRST |
| RT_ICON | 0x00033690 | 0x00000128 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 2.98 | GLS_BINARY_LSB_FIRST |
| RT_ICON | 0x00033690 | 0x00000128 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 2.98 | GLS_BINARY_LSB_FIRST |
| RT_ICON | 0x00033690 | 0x00000128 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 2.98 | GLS_BINARY_LSB_FIRST |
| RT_ICON | 0x00033690 | 0x00000128 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 2.98 | GLS_BINARY_LSB_FIRST |
| RT_ICON | 0x00033690 | 0x00000128 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 2.98 | GLS_BINARY_LSB_FIRST |
| RT_ICON | 0x00033690 | 0x00000128 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 2.98 | GLS_BINARY_LSB_FIRST |
| RT_ICON | 0x00033690 | 0x00000128 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 2.98 | GLS_BINARY_LSB_FIRST |
| RT_ICON | 0x00033690 | 0x00000128 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 2.98 | GLS_BINARY_LSB_FIRST |
| RT_ICON | 0x00033690 | 0x00000128 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 2.98 | GLS_BINARY_LSB_FIRST |
| RT_ICON | 0x00033690 | 0x00000128 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 2.98 | GLS_BINARY_LSB_FIRST |
| RT_ICON | 0x00033690 | 0x00000128 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 2.98 | GLS_BINARY_LSB_FIRST |
| RT_ICON | 0x00033690 | 0x00000128 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 2.98 | GLS_BINARY_LSB_FIRST |
| RT_ICON | 0x00033690 | 0x00000128 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 2.98 | GLS_BINARY_LSB_FIRST |
| RT_ICON | 0x00033690 | 0x00000128 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 2.98 | GLS_BINARY_LSB_FIRST |
| RT_ICON | 0x00033690 | 0x00000128 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 2.98 | GLS_BINARY_LSB_FIRST |
| RT_ICON | 0x00033690 | 0x00000128 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 2.98 | GLS_BINARY_LSB_FIRST |
| RT_ICON | 0x00033690 | 0x00000128 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 2.98 | GLS_BINARY_LSB_FIRST |
| RT_ICON | 0x00033690 | 0x00000128 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 2.98 | GLS_BINARY_LSB_FIRST |
| RT_ICON | 0x00033690 | 0x00000128 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 2.98 | GLS_BINARY_LSB_FIRST |
| RT_ICON | 0x00033690 | 0x00000128 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 2.98 | GLS_BINARY_LSB_FIRST |
| RT_ICON | 0x00033690 | 0x00000128 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 2.98 | GLS_BINARY_LSB_FIRST |
| RT_ICON | 0x00033690 | 0x00000128 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 2.98 | GLS_BINARY_LSB_FIRST |
| RT_ICON | 0x00033690 | 0x00000128 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 2.98 | GLS_BINARY_LSB_FIRST |
| RT_ICON | 0x00033690 | 0x00000128 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 2.98 | GLS_BINARY_LSB_FIRST |
| RT_DIALOG | 0x000378bc | 0x00000116 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 4.73 | dBase III DBT |
| RT_DIALOG | 0x000378bc | 0x00000116 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 4.73 | dBase III DBT |
| RT_DIALOG | 0x000378bc | 0x00000116 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 4.73 | dBase III DBT |
| RT_DIALOG | 0x000378bc | 0x00000116 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 4.73 | dBase III DBT |
| RT_DIALOG | 0x000378bc | 0x00000116 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 4.73 | dBase III DBT |
| RT_DIALOG | 0x000378bc | 0x00000116 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 4.73 | dBase III DBT |
| RT_DIALOG | 0x000378bc | 0x00000116 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 4.73 | dBase III DBT |
| RT_DIALOG | 0x000378bc | 0x00000116 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 4.73 | dBase III DBT |
| RT_DIALOG | 0x000378bc | 0x00000116 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 4.73 | dBase III DBT |
| RT_DIALOG | 0x000378bc | 0x00000116 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 4.73 | dBase III DBT |
| RT_DIALOG | 0x000378bc | 0x00000116 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 4.73 | dBase III DBT |
| RT_DIALOG | 0x000378bc | 0x00000116 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 4.73 | dBase III DBT |
| RT_DIALOG | 0x000378bc | 0x00000116 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 4.73 | dBase III DBT |
| RT_DIALOG | 0x000378bc | 0x00000116 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 4.73 | dBase III DBT |
| RT_DIALOG | 0x000378bc | 0x00000116 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 4.73 | dBase III DBT |
| RT_DIALOG | 0x000378bc | 0x00000116 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 4.73 | dBase III DBT |
| RT_DIALOG | 0x000378bc | 0x00000116 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 4.73 | dBase III DBT |
| RT_DIALOG | 0x000378bc | 0x00000116 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 4.73 | dBase III DBT |
| RT_DIALOG | 0x000378bc | 0x00000116 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 4.73 | dBase III DBT |
| RT_DIALOG | 0x000378bc | 0x00000116 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 4.73 | dBase III DBT |
| RT_DIALOG | 0x000378bc | 0x00000116 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 4.73 | dBase III DBT |
| RT_DIALOG | 0x000378bc | 0x00000116 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 4.73 | dBase III DBT |
| RT_DIALOG | 0x000378bc | 0x00000116 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 4.73 | dBase III DBT |
| RT_DIALOG | 0x000378bc | 0x00000116 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 4.73 | dBase III DBT |
| RT_DIALOG | 0x000378bc | 0x00000116 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 4.73 | dBase III DBT |
| RT_DIALOG | 0x000378bc | 0x00000116 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 4.73 | dBase III DBT |
| RT_STRING | 0x000398c4 | 0x0000006e | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 4.51 | data |
| RT_STRING | 0x000398c4 | 0x0000006e | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 4.51 | data |
| RT_STRING | 0x000398c4 | 0x0000006e | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 4.51 | data |
| RT_STRING | 0x000398c4 | 0x0000006e | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 4.51 | data |
| RT_STRING | 0x000398c4 | 0x0000006e | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 4.51 | data |
| RT_STRING | 0x000398c4 | 0x0000006e | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 4.51 | data |
| RT_STRING | 0x000398c4 | 0x0000006e | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 4.51 | data |
| RT_STRING | 0x000398c4 | 0x0000006e | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 4.51 | data |
| RT_STRING | 0x000398c4 | 0x0000006e | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 4.51 | data |
| RT_STRING | 0x000398c4 | 0x0000006e | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 4.51 | data |
| RT_STRING | 0x000398c4 | 0x0000006e | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 4.51 | data |
| RT_STRING | 0x000398c4 | 0x0000006e | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 4.51 | data |
| RT_STRING | 0x000398c4 | 0x0000006e | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 4.51 | data |
| RT_STRING | 0x000398c4 | 0x0000006e | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 4.51 | data |
| RT_STRING | 0x000398c4 | 0x0000006e | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 4.51 | data |
| RT_STRING | 0x000398c4 | 0x0000006e | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 4.51 | data |
| RT_STRING | 0x000398c4 | 0x0000006e | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 4.51 | data |
| RT_STRING | 0x000398c4 | 0x0000006e | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 4.51 | data |
| RT_STRING | 0x000398c4 | 0x0000006e | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 4.51 | data |
| RT_STRING | 0x000398c4 | 0x0000006e | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 4.51 | data |
| RT_STRING | 0x000398c4 | 0x0000006e | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 4.51 | data |
| RT_STRING | 0x000398c4 | 0x0000006e | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 4.51 | data |
| RT_STRING | 0x000398c4 | 0x0000006e | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 4.51 | data |
| RT_STRING | 0x000398c4 | 0x0000006e | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 4.51 | data |
| RT_RCDATA | 0x00039cc0 | 0x00000084 | LANG_NEUTRAL | SUBLANG_NEUTRAL | 3.66 | data |
| RT_RCDATA | 0x00039cc0 | 0x00000084 | LANG_NEUTRAL | SUBLANG_NEUTRAL | 3.66 | data |
| RT_RCDATA | 0x00039cc0 | 0x00000084 | LANG_NEUTRAL | SUBLANG_NEUTRAL | 3.66 | data |
| RT_RCDATA | 0x00039cc0 | 0x00000084 | LANG_NEUTRAL | SUBLANG_NEUTRAL | 3.66 | data |
| RT_RCDATA | 0x00039cc0 | 0x00000084 | LANG_NEUTRAL | SUBLANG_NEUTRAL | 3.66 | data |
| RT_GROUP_ICON | 0x00039ea4 | 0x00000014 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 2.02 | MS Windows icon resource - 1 icon |
| RT_GROUP_ICON | 0x00039ea4 | 0x00000014 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 2.02 | MS Windows icon resource - 1 icon |
| RT_GROUP_ICON | 0x00039ea4 | 0x00000014 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 2.02 | MS Windows icon resource - 1 icon |
| RT_VERSION | 0x00039eb8 | 0x000004b0 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 3.46 | data |
| RT_MANIFEST | 0x0003a368 | 0x00000302 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 5.06 | ASCII text, with very long lines, with no line terminators |
导入
库 ADVAPI32.dll:
• 0x140018000 - ConvertStringSecurityDescriptorToSecurityDescriptorW
• 0x140018008 - RegOpenKeyExW
• 0x140018010 - RegQueryValueExW
• 0x140018018 - RegCloseKey
• 0x140018020 - DeregisterEventSource
• 0x140018028 - ReportEventW
• 0x140018030 - RegisterEventSourceW
• 0x140018038 - RegEnumKeyExW
• 0x140018040 - GetTokenInformation
• 0x140018048 - OpenProcessToken
• 0x140018050 - ConvertSidToStringSidW
• 0x140018058 - IsValidSid
• 0x140018060 - GetSidSubAuthority
• 0x140018068 - GetSidSubAuthorityCount
• 0x140018070 - RegSetValueExW
• 0x140018078 - RegCreateKeyExW
库 COMCTL32.dll:
• 0x140018088 - PropertySheetW
库 GDI32.dll:
• 0x140018098 - GetTextExtentPoint32W
• 0x1400180a0 - DeleteObject
• 0x1400180a8 - SetBkMode
• 0x1400180b0 - CreateSolidBrush
• 0x1400180b8 - CreateFontIndirectW
• 0x1400180c0 - DeleteDC
• 0x1400180c8 - SetTextColor
• 0x1400180d0 - BitBlt
• 0x1400180d8 - SelectObject
• 0x1400180e0 - CreateCompatibleBitmap
• 0x1400180e8 - CreateCompatibleDC
• 0x1400180f0 - GetObjectW
• 0x1400180f8 - GetDeviceCaps
库 IMM32.dll:
• 0x140018108 - ImmAssociateContext
库 KERNEL32.dll:
• 0x140018118 - SystemTimeToFileTime
• 0x140018120 - UnmapViewOfFile
• 0x140018128 - MapViewOfFile
• 0x140018130 - CreateFileMappingW
• 0x140018138 - CreateThread
• 0x140018140 - DeleteFileW
• 0x140018148 - FreeLibrary
• 0x140018150 - DeleteCriticalSection
• 0x140018158 - InitializeCriticalSection
• 0x140018160 - WaitForSingleObject
• 0x140018168 - GetVersionExW
• 0x140018170 - GetFileAttributesW
• 0x140018178 - RtlCaptureContext
• 0x140018180 - RtlLookupFunctionEntry
• 0x140018188 - GetDateFormatW
• 0x140018190 - IsDebuggerPresent
• 0x140018198 - SetUnhandledExceptionFilter
• 0x1400181a0 - UnhandledExceptionFilter
• 0x1400181a8 - GetCurrentProcess
• 0x1400181b0 - TerminateProcess
• 0x1400181b8 - GetStartupInfoA
• 0x1400181c0 - Sleep
• 0x1400181c8 - GetModuleFileNameW
• 0x1400181d0 - HeapAlloc
• 0x1400181d8 - HeapFree
• 0x1400181e0 - GetModuleHandleW
• 0x1400181e8 - GetProcessHeap
• 0x1400181f0 - GetSystemTimeAsFileTime
• 0x1400181f8 - GetCurrentProcessId
• 0x140018200 - GetCurrentThreadId
• 0x140018208 - GetTickCount
• 0x140018210 - QueryPerformanceCounter
• 0x140018218 - VirtualProtect
• 0x140018220 - GetSystemDefaultLCID
• 0x140018228 - GetCommandLineW
• 0x140018230 - CreateMutexW
• 0x140018238 - GetLastError
• 0x140018240 - CloseHandle
• 0x140018248 - LocalFree
• 0x140018250 - lstrlenW
• 0x140018258 - FindResourceExW
• 0x140018260 - FindResourceW
• 0x140018268 - SizeofResource
• 0x140018270 - LoadResource
• 0x140018278 - LoadLibraryW
• 0x140018280 - LockResource
• 0x140018288 - RtlVirtualUnwind
• 0x140018290 - GetProcAddress
库 ole32.dll:
• 0x1400182a0 - CoCreateInstance
• 0x1400182a8 - CoInitialize
• 0x1400182b0 - CoUninitialize
库 USER32.dll:
• 0x1400182c0 - FindWindowW
• 0x1400182c8 - GetLastActivePopup
• 0x1400182d0 - SetForegroundWindow
• 0x1400182d8 - LoadImageW
• 0x1400182e0 - ShowWindow
• 0x1400182e8 - DialogBoxIndirectParamW
• 0x1400182f0 - IsWindowEnabled
• 0x1400182f8 - SetWindowTextW
• 0x140018300 - CheckDlgButton
• 0x140018308 - CheckRadioButton
• 0x140018310 - DestroyIcon
• 0x140018318 - GetClientRect
• 0x140018320 - GetSystemMetrics
• 0x140018328 - GetWindowLongW
• 0x140018330 - IsWindow
• 0x140018338 - DrawFocusRect
• 0x140018340 - RemovePropW
• 0x140018348 - SetPropW
• 0x140018350 - SetWindowLongPtrW
• 0x140018358 - GetPropW
• 0x140018360 - CallWindowProcW
• 0x140018368 - IsDlgButtonChecked
• 0x140018370 - GetDlgItemTextW
• 0x140018378 - TrackMouseEvent
• 0x140018380 - InvalidateRect
• 0x140018388 - FrameRect
• 0x140018390 - InflateRect
• 0x140018398 - GetSysColor
• 0x1400183a0 - FillRect
• 0x1400183a8 - DrawFrameControl
• 0x1400183b0 - GetParent
• 0x1400183b8 - ScreenToClient
• 0x1400183c0 - SetWindowPos
• 0x1400183c8 - DestroyWindow
• 0x1400183d0 - GetDC
• 0x1400183d8 - ReleaseDC
• 0x1400183e0 - LoadIconW
• 0x1400183e8 - DrawIconEx
• 0x1400183f0 - OffsetRect
• 0x1400183f8 - DrawTextW
• 0x140018400 - GetWindowRect
• 0x140018408 - CreateWindowExW
• 0x140018410 - GetDlgItem
• 0x140018418 - EndDialog
• 0x140018420 - EnableWindow
• 0x140018428 - MessageBoxW
• 0x140018430 - GetWindowTextW
• 0x140018438 - DialogBoxParamW
• 0x140018440 - MoveWindow
• 0x140018448 - EndPaint
• 0x140018450 - DrawTextExW
• 0x140018458 - BeginPaint
• 0x140018460 - ReleaseCapture
• 0x140018468 - UpdateWindow
• 0x140018470 - SetCapture
• 0x140018478 - PtInRect
• 0x140018480 - GetCursorPos
• 0x140018488 - SetCursor
• 0x140018490 - LoadCursorW
• 0x140018498 - GetWindowLongPtrW
• 0x1400184a0 - SetFocus
• 0x1400184a8 - PostMessageW
• 0x1400184b0 - SendMessageW
库 SHELL32.dll:
• 0x1400184c0 - None
• 0x1400184c8 - ShellExecuteW
• 0x1400184d0 - ShellExecuteExW
库 MSVCR90.dll:
• 0x1400184e0 - memmove_s
• 0x1400184e8 - ?_type_info_dtor_internal_method@type_info@@QEAAXXZ
• 0x1400184f0 - __crt_debugger_hook
• 0x1400184f8 - _decode_pointer
• 0x140018500 - ??3@YAXPEAX@Z
• 0x140018508 - memset
• 0x140018510 - memcpy
• 0x140018518 - memcmp
• 0x140018520 - wcsncpy_s
• 0x140018528 - __CxxFrameHandler3
• 0x140018530 - ??_V@YAXPEAX@Z
• 0x140018538 - ??_U@YAPEAX_K@Z
• 0x140018540 - iswalpha
• 0x140018548 - wcsncat_s
• 0x140018550 - ??2@YAPEAX_K@Z
• 0x140018558 - _vsnwprintf_s
• 0x140018560 - wcsstr
• 0x140018568 - _wtoi64
• 0x140018570 - strstr
• 0x140018578 - ??0exception@std@@QEAA@AEBQEBD@Z
• 0x140018580 - ?what@exception@std@@UEBAPEBDXZ
• 0x140018588 - ??1exception@std@@UEAA@XZ
• 0x140018590 - ??0exception@std@@QEAA@XZ
• 0x140018598 - swprintf_s
• 0x1400185a0 - _invalid_parameter_noinfo
• 0x1400185a8 - _CxxThrowException
• 0x1400185b0 - ??0exception@std@@QEAA@AEBV01@@Z
• 0x1400185b8 - _itow_s
• 0x1400185c0 - rand
• 0x1400185c8 - fclose
• 0x1400185d0 - _wfopen_s
• 0x1400185d8 - wcscpy_s
• 0x1400185e0 - wcscat_s
• 0x1400185e8 - vswprintf_s
• 0x1400185f0 - _amsg_exit
• 0x1400185f8 - __getmainargs
• 0x140018600 - __C_specific_handler
• 0x140018608 - _XcptFilter
• 0x140018610 - _exit
• 0x140018618 - _ismbblead
• 0x140018620 - _cexit
• 0x140018628 - exit
• 0x140018630 - _acmdln
• 0x140018638 - _initterm
• 0x140018640 - _initterm_e
• 0x140018648 - _configthreadlocale
• 0x140018650 - __setusermatherr
• 0x140018658 - _commode
• 0x140018660 - _fmode
• 0x140018668 - _encode_pointer
• 0x140018670 - __set_app_type
• 0x140018678 - ?terminate@@YAXXZ
• 0x140018680 - _unlock
• 0x140018688 - __dllonexit
• 0x140018690 - _lock
• 0x140018698 - _onexit
库 MSVCP90.dll:
• 0x1400186a8 - ??4?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QEAAAEAV01@AEBV01@@Z
• 0x1400186b0 - ??1?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QEAA@XZ
• 0x1400186b8 - ?swap@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QEAAXAEAV12@@Z
• 0x1400186c0 - ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QEAA@PEBD@Z
• 0x1400186c8 - ??0?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QEAA@AEBV01@@Z
• 0x1400186d0 - ??$?H_WU?$char_traits@_W@std@@V?$allocator@_W@1@@std@@YA?AV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@0@AEBV10@PEB_W@Z
• 0x1400186d8 - ??$?O_WU?$char_traits@_W@std@@V?$allocator@_W@1@@std@@YA_NAEBV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@0@0@Z
• 0x1400186e0 - ?c_str@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QEBAPEB_WXZ
• 0x1400186e8 - ??0?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QEAA@XZ
• 0x1400186f0 - ??4?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QEAAAEAV01@PEB_W@Z
• 0x1400186f8 - ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QEBAPEBDXZ
• 0x140018700 - ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QEAA@XZ
• 0x140018708 - ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QEAA@AEBV01@@Z
• 0x140018710 - ??0?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QEAA@PEB_W@Z
• 0x140018718 - ??$?M_WU?$char_traits@_W@std@@V?$allocator@_W@1@@std@@YA_NAEBV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@0@0@Z
库 SHLWAPI.dll:
• 0x140018728 - SHDeleteKeyW
库 OLEAUT32.dll:
• 0x140018738 - None
• 0x140018740 - None
• 0x140018748 - None
• 0x140018750 - None
• 0x140018758 - None
投放文件
行为分析
互斥量(Mutexes)
- _IMSC14_PROP_MUTEX_{E622D225-4643-4628-873D-50535C085C14}
- Skd5yAppImeSCMutextCfgPersist_M_S-1-5-21-2280033686-3172497658-3481507381-1000
- Local\MSCTF.Asm.MutexDefault1
执行的命令
无信息
创建的服务
无信息
启动的服务
无信息
进程
IMSCPROP.EXE PID: 1388, 上一级进程 PID: 2816
访问的文件
- \Device\KsecDD
- C:\Users\test\AppData\Local\Temp\IMSCPROP.EXE.Local\
- C:\Windows\winsxs\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.7600.16385_zh-cn_6ff606562acb8ef5
- C:\Windows\winsxs\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.7600.16385_zh-cn_6ff606562acb8ef5\COMCTL32.dll.mui
- C:\Windows\Globalization\Sorting\sortdefault.nls
- C:\Windows\Fonts\staticcache.dat
读取的文件
- \Device\KsecDD
- C:\Windows\winsxs\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.7600.16385_zh-cn_6ff606562acb8ef5\COMCTL32.dll.mui
- C:\Windows\Globalization\Sorting\sortdefault.nls
- C:\Windows\Fonts\staticcache.dat
修改的文件
无信息
删除的文件
无信息
注册表键
- HKEY_CURRENT_USER\Software\Policies\Microsoft\Security
- HKEY_CURRENT_USER\Software\Microsoft\Security
- HKEY_CLASSES_ROOT\CLSID
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{cef3834f-115f-4ee3-ae19-fc85983ab1d4}
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CEF3834F-115F-4EE3-AE19-FC85983AB1D4}\InsecureQI
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
- HKEY_CURRENT_USER\SOFTWARE\Microsoft\IMESC14
- HKEY_CURRENT_USER\Software\Microsoft\IMESC14\Trigram
- HKEY_CURRENT_USER\Software\Microsoft\IMESC14\SelfLearning
- HKEY_CURRENT_USER\Software\Microsoft\IMESC14\NewPhraseLearning
- HKEY_CURRENT_USER\Software\Microsoft\IMESC14\WordFreqencyAdjustment
- HKEY_CURRENT_USER\Software\Microsoft\IMESC14\Eudp
- HKEY_CURRENT_USER\Software\Microsoft\IMESC14\Fuzzy
- HKEY_CURRENT_USER\SOFTWARE\Microsoft\IMESC14WR
- HKEY_CURRENT_USER\SOFTWARE\Microsoft\IMESC12
- HKEY_CURRENT_USER\SOFTWARE\Microsoft\IMESC12LITE
- HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\ime\imsc5
- HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\MSSCIPY\
- HKEY_CURRENT_USER\Software\Microsoft\IMESC14\Modeless
- HKEY_CURRENT_USER\Software\Microsoft\IMESC14\Domain
- HKEY_CURRENT_USER\Software\Microsoft\IMESC14\Classic_PromptForcast
- HKEY_CURRENT_USER\Software\Microsoft\IMESC14\Natural_PromptForcast
- HKEY_CURRENT_USER\Software\Microsoft\IMESC14\Express_PromptForcast
- HKEY_CURRENT_USER\Software\Microsoft\IMESC14\MultipleSyllable
- HKEY_CURRENT_USER\Software\Microsoft\IMESC14\ReadingTip
- HKEY_CURRENT_USER\Software\Microsoft\IMESC14\Natural_ReadingOnCandidate
- HKEY_CURRENT_USER\Software\Microsoft\IMESC14\PinyinWithTone
- HKEY_CURRENT_USER\Software\Microsoft\IMESC14\Classic_Prompt
- HKEY_CURRENT_USER\Software\Microsoft\IMESC14\Natural_Prompt
- HKEY_CURRENT_USER\Software\Microsoft\IMESC14\Express_Prompt
- HKEY_CURRENT_USER\Software\Microsoft\IMESC14\Natural_Incomplete
- HKEY_CURRENT_USER\Software\Microsoft\IMESC14\Express_Incomplete
- HKEY_CURRENT_USER\Software\Microsoft\IMESC14\ManualConversion
- HKEY_CURRENT_USER\Software\Microsoft\IMESC14\Natural_IncompleteFuzzy
- HKEY_CURRENT_USER\Software\Microsoft\IMESC14\Express_IncompleteFuzzy
- HKEY_CURRENT_USER\Software\Microsoft\IMESC14\Natural_DoublePinyin
- HKEY_CURRENT_USER\Software\Microsoft\IMESC14\Express_DoublePinyin
- HKEY_CURRENT_USER\Software\Microsoft\IMESC14\Natural_GBKCandidate
- HKEY_CURRENT_USER\Software\Microsoft\IMESC14\Express_GBKCandidate
- HKEY_CURRENT_USER\Software\Microsoft\IMESC14\Natural_DefaultLanguage
- HKEY_CURRENT_USER\Software\Microsoft\IMESC14\Express_DefaultLanguage
- HKEY_CURRENT_USER\Software\Microsoft\IMESC14\VerticalCand
- HKEY_CURRENT_USER\Software\Microsoft\IMESC14\CandidateLargeFont
- HKEY_CURRENT_USER\Software\Microsoft\IMESC14\EudpDialogExpanded
- HKEY_CURRENT_USER\Software\Microsoft\IMESC14\CharacterSet
- HKEY_CURRENT_USER\Software\Microsoft\IMESC14\ReadLayout
- HKEY_CURRENT_USER\Software\Microsoft\IMESC14\ReconvertLength
- HKEY_CURRENT_USER\Software\Microsoft\IMESC14\Natural_EnglishSwitch
- HKEY_CURRENT_USER\Software\Microsoft\IMESC14\Express_EnglishSwitch
- HKEY_CURRENT_USER\Software\Microsoft\IMESC14\Natural_EnterConvert
- HKEY_CURRENT_USER\Software\Microsoft\IMESC14\Express_EnterConvert
- HKEY_CURRENT_USER\Software\Microsoft\IMESC14\ConfigMigrated
- HKEY_CURRENT_USER\Software\Microsoft\IMESC14\CandidatePageSize
- HKEY_CURRENT_USER\Software\Microsoft\IMESC14\EUDCFilename
- HKEY_CURRENT_USER\SOFTWARE\Microsoft\IMESC14\FuzzyScheme
- HKEY_CURRENT_USER\SOFTWARE\Microsoft\IMESC14WR\FuzzyScheme
- HKEY_CURRENT_USER\SOFTWARE\Microsoft\IMESC12\FuzzyScheme
- HKEY_CURRENT_USER\SOFTWARE\Microsoft\IMESC12LITE\FuzzyScheme
- HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\ime\imsc5\FuzzyScheme
- HKEY_CURRENT_USER\SOFTWARE\Microsoft\IMESC14\DoublePinyinScheme
- HKEY_CURRENT_USER\SOFTWARE\Microsoft\IMESC14WR\DoublePinyinScheme
- HKEY_CURRENT_USER\SOFTWARE\Microsoft\IMESC12\DoublePinyinScheme
- HKEY_CURRENT_USER\SOFTWARE\Microsoft\IMESC12LITE\DoublePinyinScheme
- HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\ime\imsc5\DoublePinyinScheme
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IMESC14\DomainList
- HKEY_CURRENT_USER\Software\Microsoft\IMESC14\AutoDicUpdate
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\IMSCPROP.EXE
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\FontSubstitutes
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\\xe5\xae\x8b\xe4\xbd\x93
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\\xe5\xbe\xae\xe8\xbd\xaf\xe9\x9b\x85\xe9\xbb\x91
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane1
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane2
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane3
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane4
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane5
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane6
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane7
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane8
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane9
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane10
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane11
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane12
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane13
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane14
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane15
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane16
- HKEY_LOCAL_MACHINE\Software\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{03B5835F-F03C-411B-9CE2-AA23E1171E36}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{07EB03D6-B001-41DF-9192-BF9B841EE71F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3697C5FA-60DD-4B56-92D4-74A569205C16}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3FC47A08-E5C9-4BCA-A2C7-BC9A282AED14}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{531FDEBF-9B4C-4A43-A2AA-960E8FCDC732}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{78CB5B0E-26ED-4FCC-854C-77E8F3D1AA80}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{81D4E9C9-1D3B-41BC-9E6C-4B40BF79E35E}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{8613E14C-D0C0-4161-AC0F-1DD2563286BC}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{A028AE76-01B1-46C2-99C4-ACD9858AE02F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{AE6BE008-07FB-400D-8BEB-337A64F7051F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{C1EE01F2-B3B6-4A6A-9DDD-E988C088EC82}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{E429B25A-E5D3-4D1F-9BE3-0C608477E3A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F25E9F57-2FC8-4EB3-A41A-CCE5F08541E6}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F89E9E58-BD2F-4008-9AC2-0F816C09F4EE}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{FA445657-9379-11D6-B41A-00065B83EE53}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_CURRENT_USER
- HKEY_CURRENT_USER\Keyboard Layout\Toggle
- HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
- HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
- HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\WMR
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\WMR\Disable
- HKEY_CURRENT_USER\Software\Microsoft\CTF\DirectSwitchHotkeys
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\EnableAnchorContext
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\KnownClasses
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\TurnOffSPIAnimations
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\System
读取的注册表键
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CEF3834F-115F-4EE3-AE19-FC85983AB1D4}\InsecureQI
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
- HKEY_CURRENT_USER\Software\Microsoft\IMESC14\Trigram
- HKEY_CURRENT_USER\Software\Microsoft\IMESC14\SelfLearning
- HKEY_CURRENT_USER\Software\Microsoft\IMESC14\NewPhraseLearning
- HKEY_CURRENT_USER\Software\Microsoft\IMESC14\WordFreqencyAdjustment
- HKEY_CURRENT_USER\Software\Microsoft\IMESC14\Eudp
- HKEY_CURRENT_USER\Software\Microsoft\IMESC14\Fuzzy
- HKEY_CURRENT_USER\Software\Microsoft\IMESC14\Modeless
- HKEY_CURRENT_USER\Software\Microsoft\IMESC14\Domain
- HKEY_CURRENT_USER\Software\Microsoft\IMESC14\Classic_PromptForcast
- HKEY_CURRENT_USER\Software\Microsoft\IMESC14\Natural_PromptForcast
- HKEY_CURRENT_USER\Software\Microsoft\IMESC14\Express_PromptForcast
- HKEY_CURRENT_USER\Software\Microsoft\IMESC14\MultipleSyllable
- HKEY_CURRENT_USER\Software\Microsoft\IMESC14\ReadingTip
- HKEY_CURRENT_USER\Software\Microsoft\IMESC14\Natural_ReadingOnCandidate
- HKEY_CURRENT_USER\Software\Microsoft\IMESC14\PinyinWithTone
- HKEY_CURRENT_USER\Software\Microsoft\IMESC14\Classic_Prompt
- HKEY_CURRENT_USER\Software\Microsoft\IMESC14\Natural_Prompt
- HKEY_CURRENT_USER\Software\Microsoft\IMESC14\Express_Prompt
- HKEY_CURRENT_USER\Software\Microsoft\IMESC14\Natural_Incomplete
- HKEY_CURRENT_USER\Software\Microsoft\IMESC14\Express_Incomplete
- HKEY_CURRENT_USER\Software\Microsoft\IMESC14\ManualConversion
- HKEY_CURRENT_USER\Software\Microsoft\IMESC14\Natural_IncompleteFuzzy
- HKEY_CURRENT_USER\Software\Microsoft\IMESC14\Express_IncompleteFuzzy
- HKEY_CURRENT_USER\Software\Microsoft\IMESC14\Natural_DoublePinyin
- HKEY_CURRENT_USER\Software\Microsoft\IMESC14\Express_DoublePinyin
- HKEY_CURRENT_USER\Software\Microsoft\IMESC14\Natural_GBKCandidate
- HKEY_CURRENT_USER\Software\Microsoft\IMESC14\Express_GBKCandidate
- HKEY_CURRENT_USER\Software\Microsoft\IMESC14\Natural_DefaultLanguage
- HKEY_CURRENT_USER\Software\Microsoft\IMESC14\Express_DefaultLanguage
- HKEY_CURRENT_USER\Software\Microsoft\IMESC14\VerticalCand
- HKEY_CURRENT_USER\Software\Microsoft\IMESC14\CandidateLargeFont
- HKEY_CURRENT_USER\Software\Microsoft\IMESC14\EudpDialogExpanded
- HKEY_CURRENT_USER\Software\Microsoft\IMESC14\CharacterSet
- HKEY_CURRENT_USER\Software\Microsoft\IMESC14\ReadLayout
- HKEY_CURRENT_USER\Software\Microsoft\IMESC14\ReconvertLength
- HKEY_CURRENT_USER\Software\Microsoft\IMESC14\Natural_EnglishSwitch
- HKEY_CURRENT_USER\Software\Microsoft\IMESC14\Express_EnglishSwitch
- HKEY_CURRENT_USER\Software\Microsoft\IMESC14\Natural_EnterConvert
- HKEY_CURRENT_USER\Software\Microsoft\IMESC14\Express_EnterConvert
- HKEY_CURRENT_USER\Software\Microsoft\IMESC14\ConfigMigrated
- HKEY_CURRENT_USER\Software\Microsoft\IMESC14\CandidatePageSize
- HKEY_CURRENT_USER\Software\Microsoft\IMESC14\EUDCFilename
- HKEY_CURRENT_USER\Software\Microsoft\IMESC14\AutoDicUpdate
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\\xe5\xae\x8b\xe4\xbd\x93
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane1
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane2
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane3
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane4
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane5
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane6
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane7
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane8
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane9
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane10
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane11
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane12
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane13
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane14
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane15
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane16
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
- HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
- HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
- HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\WMR\Disable
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\EnableAnchorContext
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\TurnOffSPIAnimations
修改的注册表键
无信息
删除的注册表键
无信息
API解析
- kernel32.dll.HeapSetInformation
- cryptbase.dll.SystemFunction036
- uxtheme.dll.ThemeInitApiHook
- user32.dll.IsProcessDPIAware
- kernel32.dll.GetUserDefaultUILanguage
- dwmapi.dll.DwmIsCompositionEnabled
- comctl32.dll.RegisterClassNameW
- kernel32.dll.SortGetHandle
- kernel32.dll.SortCloseHandle
- uxtheme.dll.EnableThemeDialogTexture
- uxtheme.dll.OpenThemeData
- uxtheme.dll.GetThemeBool
- imm32.dll.ImmAssociateContext
- gdi32.dll.GetLayout
- gdi32.dll.GdiRealizationInfo
- gdi32.dll.FontIsLinked
- advapi32.dll.RegOpenKeyExW
- advapi32.dll.RegQueryInfoKeyW
- gdi32.dll.GetTextFaceAliasW
- advapi32.dll.RegEnumValueW
- advapi32.dll.RegCloseKey
- advapi32.dll.RegQueryValueExW
- advapi32.dll.RegQueryValueExA
- advapi32.dll.RegEnumKeyExW
- gdi32.dll.GdiIsMetaPrintDC
- uxtheme.dll.GetThemeTextMetrics
- uxtheme.dll.GetThemeTextExtent
- gdi32.dll.GetTextExtentExPointWPri
- uxtheme.dll.GetThemeBackgroundExtent
- ole32.dll.CoInitializeEx
- ole32.dll.CoUninitialize
- ole32.dll.CoRegisterInitializeSpy
- ole32.dll.CoRevokeInitializeSpy
- uxtheme.dll.IsThemeActive
- uxtheme.dll.CloseThemeData
- uxtheme.dll.DrawThemeBackground
- uxtheme.dll.DrawThemeIcon
- uxtheme.dll.DrawThemeText
- uxtheme.dll.BufferedPaintInit
- uxtheme.dll.BufferedPaintRenderAnimation
- uxtheme.dll.BeginBufferedAnimation
- uxtheme.dll.IsThemeBackgroundPartiallyTransparent
- uxtheme.dll.DrawThemeParentBackground
- uxtheme.dll.GetThemePartSize
- uxtheme.dll.GetThemeBackgroundContentRect
- uxtheme.dll.EndBufferedAnimation
- uxtheme.dll.GetThemeTransitionDuration