Maldun Security Analysis Report

Analysis type: FILE
Start time: 2018-05-22 11:38:48
End time: 2018-05-22 11:41:05
Duration: 137 seconds
Analysis engine version: 1.4-Maldun

VM name: win7-sp1-x64-shaapp01-1
Label: win7-sp1-x64-shaapp01-1
VM manager: KVM
Boot time: 2018-05-22 11:38:48
Shutdown time: 2018-05-22 11:41:05
Maldun score

0.35

Normal

File details

File name winspool.drv
File size 150016 bytes
File type PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
CRC32 15777F51
MD5 9f5eee5fb93bd84e50c34b052641772d
SHA1 286160bc2db9448fa7adf9c1b0638cfc024a9141
SHA256 246730b6019d9bde8dfa9f5592cc9499838a321fa68afcbdefcbfe8251252fa7
SHA512 03d690cf1bcb9a26475a858b815ac5f6572b62c8f4ee2297e76c69646313e3de658f9499d661f3e40d6e6ce2c78fb2adb2125f84965b71d980f7d20e804b2260
Ssdeep 3072:J92N8kNEd1C4SdplwNGsI0n3wcskhMDgA8FfYuAbkiN:JMbQ1CRp2p3wcsO4gAWYuq1
PEiD No match
Yara
  • IsPE32 ()
  • IsDLL ()
  • IsWindowsGUI ()
  • HasDebugData (DebugData Check)
  • HasRichSignature (Rich Signature Check)
  • DebuggerCheck__QueryInfo ()
  • win_mutex (Create or check mutex)
  • win_registry (Affect system registries)
  • win_files_operation (Affect private profile)
  • without_urls (Rule to detect the no presence of any url)
  • without_attachments (Rule to detect the no presence of any attachment)
  • MSVisualCv8DLLhsmallsig2 ()
  • without_images (Rule to detect the no presence of any image)
  • MS_Visual_Cpp_v8_DLL_h_small_sig2_additional ()
  • MS_Visual_Cpp_v8_DLL_h_small_sig2 ()
  • Visual_Cpp_2003_DLL_Microsoft ()
VirusTotal VirusTotal link
VirusTotal scan time: 2017-09-28 17:18:45
Scan result: 0/65

Signatures

Creates RWX memory

Runtime screenshots

Network analysis

No information

Static analysis

PE information

Image base 0x72f40000
Entry point 0x72f41445
Declared checksum 0x00028886
Actual checksum 0x00028886
Minimum OS version required 5.2
PDB path winspool.pdb
Compile time 2007-02-17 23:32:05
Import hash 1bb98a0d72f46be3503f55ba5bc72e82
Exported DLL name WINSPOOL.DRV

Version information

LegalCopyright: (C) Microsoft Corporation. All rights reserved.
InternalName: winspool.drv
FileVersion: 5.2.3790.3959 (srv03_sp2_rtm.070216-1710)
CompanyName: Microsoft Corporation
ProductName: Microsoft(R) Windows(R) Operating System
ProductVersion: 5.2.3790.3959
FileDescription: Windows Spooler Driver
OriginalFilename: winspool.drv
Translation: 0x0804 0x04b0

PE sections

Name Virtual address Virtual size Raw data size Characteristics Entropy
.text 0x00001000 0x00020f79 0x00021000 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 6.37
.data 0x00022000 0x000019e4 0x00001800 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 1.59
.rsrc 0x00024000 0x000007a4 0x00000800 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 4.38
.reloc 0x00025000 0x000015a0 0x00001600 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ 6.72

Resources

Name Offset Size Language Sublanguage Entropy File type
RT_DIALOG 0x00024160 0x000000d4 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 3.46 data
RT_STRING 0x0002429c 0x00000088 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 4.80 data
RT_STRING 0x0002429c 0x00000088 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 4.80 data
RT_MESSAGETABLE 0x00024324 0x000000d0 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 4.98 data
RT_VERSION 0x000243f4 0x000003b0 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 3.55 data

Imports

Library msvcrt.dll:
0x72f41000 - wcslen
0x72f41004 - _except_handler3
0x72f41008 - wcschr
0x72f4100c - _vsnwprintf
0x72f41010 - _wcsnicmp
0x72f41014 - wcsncmp
0x72f41018 - wcsncpy
0x72f4101c - wcsrchr
0x72f41020 - wcspbrk
0x72f41024 - wcscmp
0x72f41028 - ??3@YAXPAX@Z
0x72f4102c - ??2@YAPAXI@Z
0x72f41030 - free
0x72f41034 - _initterm
0x72f41038 - _adjust_fdiv
0x72f4103c - malloc
0x72f41040 - memmove
0x72f41044 - _wcsicmp
Library ntdll.dll:
0x72f4104c - NtQueryInformationProcess
0x72f41050 - NtFsControlFile
Library GDI32.dll:
0x72f41058 - CreateDCW
0x72f4105c - DeleteDC
0x72f41060 - GetDeviceCaps
Library KERNEL32.dll:
0x72f41068 - GetProcAddress
0x72f4106c - LoadLibraryW
0x72f41070 - SetLastError
0x72f41074 - GetModuleFileNameW
0x72f41078 - GetSystemDirectoryW
0x72f4107c - DeleteCriticalSection
0x72f41080 - InitializeCriticalSectionAndSpinCount
0x72f41084 - DisableThreadLibraryCalls
0x72f41088 - LocalFree
0x72f4108c - WriteFile
0x72f41090 - LeaveCriticalSection
0x72f41094 - EnterCriticalSection
0x72f41098 - GetCurrentProcessId
0x72f4109c - CloseHandle
0x72f410a0 - DeactivateActCtx
0x72f410a4 - LoadLibraryExW
0x72f410a8 - ActivateActCtx
0x72f410ac - SetEvent
0x72f410b0 - CreateThread
0x72f410b4 - CreateEventW
0x72f410b8 - ReleaseActCtx
0x72f410bc - GetFileAttributesW
0x72f410c0 - GetFullPathNameW
0x72f410c4 - InterlockedIncrement
0x72f410c8 - InterlockedDecrement
0x72f410cc - LocalAlloc
0x72f410d0 - GetFileType
0x72f410d4 - GetLastError
0x72f410d8 - lstrcmpiW
0x72f410dc - VirtualFree
0x72f410e0 - VirtualAlloc
0x72f410e4 - GetNativeSystemInfo
0x72f410e8 - LoadLibraryA
0x72f410ec - GetVersionExW
0x72f410f0 - lstrcmpW
0x72f410f4 - GetTickCount
0x72f410f8 - CreateActCtxW
0x72f410fc - WaitForSingleObject
0x72f41100 - InterlockedCompareExchange
0x72f41104 - Sleep
0x72f41108 - ReleaseMutex
0x72f4110c - FreeLibrary
0x72f41110 - GetSystemWindowsDirectoryW
0x72f41114 - CreateMutexW
0x72f41118 - ProcessIdToSessionId
0x72f4111c - OpenEventW
0x72f41120 - lstrlenW
0x72f41124 - MultiByteToWideChar
0x72f41128 - WideCharToMultiByte
0x72f4112c - GetModuleHandleW
0x72f41130 - FormatMessageW
0x72f41134 - SearchPathW
0x72f41138 - GetCurrentDirectoryW
0x72f4113c - FindClose
0x72f41140 - FindFirstFileW
0x72f41144 - ResetEvent
0x72f41148 - GlobalFree
0x72f4114c - GlobalAlloc
0x72f41150 - DnsHostnameToComputerNameW
0x72f41154 - GetTempFileNameW
0x72f41158 - GetTempPathW
0x72f4115c - GetFileSize
0x72f41160 - SetEndOfFile
0x72f41164 - DelayLoadFailureHook
0x72f41168 - SetFilePointer
0x72f4116c - DeleteFileW
0x72f41170 - HeapDestroy
0x72f41174 - HeapAlloc
0x72f41178 - HeapCreate
0x72f4117c - HeapFree
0x72f41180 - QueryPerformanceCounter
0x72f41184 - GetCurrentThreadId
0x72f41188 - GetSystemTimeAsFileTime
0x72f4118c - TerminateProcess
0x72f41190 - GetCurrentProcess
0x72f41194 - UnhandledExceptionFilter
0x72f41198 - SetUnhandledExceptionFilter
0x72f4119c - HeapSetInformation
0x72f411a0 - MapViewOfFile
0x72f411a4 - UnmapViewOfFile
0x72f411a8 - CreateFileMappingW
0x72f411ac - CreateDirectoryW
0x72f411b0 - GetSystemInfo
0x72f411b4 - CopyFileW
0x72f411b8 - CreateProcessW
0x72f411bc - CreateFileW
0x72f411c0 - ReadFile
Library RPCRT4.dll:
0x72f411c8 - RpcMgmtIsServerListening
0x72f411cc - RpcStringFreeW
0x72f411d0 - RpcBindingSetAuthInfoExW
0x72f411d4 - RpcBindingFromStringBindingW
0x72f411d8 - RpcStringBindingComposeW
0x72f411dc - RpcSmDestroyClientContext
0x72f411e0 - RpcBindingFree
0x72f411e4 - I_RpcExceptionFilter
0x72f411e8 - NdrClientCall2
Library ADVAPI32.dll:
0x72f411f0 - RegCloseKey
0x72f411f4 - DeregisterEventSource
0x72f411f8 - ReportEventW
0x72f411fc - RegisterEventSourceW
0x72f41200 - OpenSCManagerW
0x72f41204 - OpenServiceW
0x72f41208 - QueryServiceConfigW
0x72f4120c - CloseServiceHandle
0x72f41210 - RegOpenCurrentUser
0x72f41214 - RegEnumValueW
0x72f41218 - RegEnumKeyExW
0x72f4121c - RegDeleteKeyW
0x72f41220 - RegOpenKeyExW
0x72f41224 - IsValidSecurityDescriptor
0x72f41228 - InitializeSecurityDescriptor
0x72f4122c - GetSecurityDescriptorOwner
0x72f41230 - SetSecurityDescriptorOwner
0x72f41234 - GetSecurityDescriptorGroup
0x72f41238 - SetSecurityDescriptorGroup
0x72f4123c - GetSecurityDescriptorDacl
0x72f41240 - SetSecurityDescriptorDacl
0x72f41244 - GetSecurityDescriptorSacl
0x72f41248 - SetSecurityDescriptorSacl
0x72f4124c - GetSecurityDescriptorLength
0x72f41250 - MakeSelfRelativeSD
0x72f41254 - RegQueryValueExW
0x72f41258 - RegDeleteValueW
0x72f4125c - RegCreateKeyExW
0x72f41260 - RegSetValueExW
Library USER32.dll:
0x72f41268 - GetDesktopWindow
0x72f4126c - GetWindowLongW
0x72f41270 - EndDialog
0x72f41274 - BringWindowToTop
0x72f41278 - SetWindowLongW
0x72f4127c - SendDlgItemMessageW
0x72f41280 - GetDlgItemTextW
0x72f41284 - MessageBoxW
0x72f41288 - GetForegroundWindow
0x72f4128c - SendNotifyMessageW
0x72f41290 - AllowSetForegroundWindow
0x72f41294 - IsWindow
0x72f41298 - GetFocus
0x72f4129c - GetMessageW
0x72f412a0 - LoadStringW
0x72f412a4 - GetProcessWindowStation
0x72f412a8 - GetUserObjectInformationW
0x72f412ac - FindWindowW
0x72f412b0 - DialogBoxParamW
0x72f412b4 - PostMessageW
0x72f412b8 - GetGUIThreadInfo
0x72f412bc - GetParent
0x72f412c0 - WinHelpW
0x72f412c4 - GetWindow
0x72f412c8 - GetLastActivePopup
0x72f412cc - EnableWindow
0x72f412d0 - SetFocus
0x72f412d4 - SetForegroundWindow
0x72f412d8 - PeekMessageW
0x72f412dc - DispatchMessageW
0x72f412e0 - TranslateMessage
0x72f412e4 - MsgWaitForMultipleObjects

Exports

Ordinal Address Name
107 0x72f57794 ADVANCEDSETUPDIALOG
108 0x72f52709 AbortPrinter
109 0x72f55f83 AddFormA
110 0x72f4e711 AddFormW
111 0x72f56e9c AddJobA
112 0x72f48dd5 AddJobW
113 0x72f561d4 AddMonitorA
114 0x72f51301 AddMonitorW
115 0x72f5606b AddPortA
116 0x72f56497 AddPortExA
117 0x72f4f69c AddPortExW
118 0x72f53c39 AddPortW
119 0x72f55750 AddPrintProcessorA
120 0x72f50bc1 AddPrintProcessorW
121 0x72f56351 AddPrintProvidorA
122 0x72f4f35e AddPrintProvidorW
123 0x72f5509e AddPrinterA
124 0x72f5515f AddPrinterConnectionA
125 0x72f53060 AddPrinterConnectionW
126 0x72f5554f AddPrinterDriverA
127 0x72f55415 AddPrinterDriverExA
128 0x72f50596 AddPrinterDriverExW
129 0x72f50a3d AddPrinterDriverW
130 0x72f52d13 AddPrinterW
131 0x72f576a3 AdvancedDocumentPropertiesA
132 0x72f53829 AdvancedDocumentPropertiesW
133 0x72f57794 AdvancedSetupDialog
134 0x72f4525d ClosePrinter
135 0x72f4df11 CloseSpoolFileHandle
136 0x72f4de21 CommitSpoolData
137 0x72f560c3 ConfigurePortA
138 0x72f53ed9 ConfigurePortW
139 0x72f4fc0b ConnectToPrinterDlg
140 0x72f54e44 ConvertAnsiDevModeToUnicodeDevmode
141 0x72f569fe ConvertUnicodeDevModeToAnsiDevmode
142 0x72f4f0a6 CreatePrinterIC
143 0x72f46d79 DEVICECAPABILITIES
144 0x72f55e27 DEVICEMODE
145 0x72f55fcb DeleteFormA
146 0x72f4e811 DeleteFormW
147 0x72f56251 DeleteMonitorA
148 0x72f513d1 DeleteMonitorW
149 0x72f5611b DeletePortA
150 0x72f54131 DeletePortW
151 0x72f562c8 DeletePrintProcessorA
152 0x72f51481 DeletePrintProcessorW
153 0x72f56420 DeletePrintProvidorA
154 0x72f51531 DeletePrintProvidorW
155 0x72f503c9 DeletePrinter
156 0x72f55195 DeletePrinterConnectionA
157 0x72f53119 DeletePrinterConnectionW
158 0x72f5586b DeletePrinterDataA
159 0x72f558a5 DeletePrinterDataExA
160 0x72f4e371 DeletePrinterDataExW
161 0x72f4e2c1 DeletePrinterDataW
162 0x72f555ea DeletePrinterDriverA
163 0x72f5556d DeletePrinterDriverExA
164 0x72f50a5b DeletePrinterDriverExW
165 0x72f50b11 DeletePrinterDriverW
166 0x72f4f249 DeletePrinterIC
167 0x72f558fd DeletePrinterKeyA
168 0x72f4e429 DeletePrinterKeyW
169 0x72f51869 DevQueryPrint
170 0x72f51901 DevQueryPrintEx
171 0x72f46d79 DeviceCapabilities
172 0x72f46d79 DeviceCapabilitiesA
173 0x72f46e56 DeviceCapabilitiesW
174 0x72f55e27 DeviceMode
175 0x72f4c8da DevicePropertySheets
176 0x72f42cc9 DocumentEvent
177 0x72f46c78 DocumentPropertiesA
178 0x72f46509 DocumentPropertiesW
179 0x72f465dd DocumentPropertySheets
180 0x72f4c301 EXTDEVICEMODE
181 0x72f4875c EndDocPrinter
182 0x72f49217 EndPagePrinter
183 0x72f57847 EnumFormsA
184 0x72f468b1 EnumFormsW
185 0x72f56b2a EnumJobsA
186 0x72f5025d EnumJobsW
187 0x72f5794e EnumMonitorsA
188 0x72f4ec19 EnumMonitorsW
189 0x72f578aa EnumPortsA
190 0x72f4eb29 EnumPortsW
191 0x72f56df9 EnumPrintProcessorDatatypesA
192 0x72f4db21 EnumPrintProcessorDatatypesW
193 0x72f56cdd EnumPrintProcessorsA
194 0x72f50c81 EnumPrintProcessorsW
195 0x72f57479 EnumPrinterDataA
196 0x72f57573 EnumPrinterDataExA
197 0x72f4e0d1 EnumPrinterDataExW
198 0x72f4dfc9 EnumPrinterDataW
199 0x72f4c632 EnumPrinterDriversA
200 0x72f4984d EnumPrinterDriversW
225 0x72f56888 EnumPrinterKeyA
233 0x72f4e1e9 EnumPrinterKeyW
234 0x72f4c536 EnumPrintersA
235 0x72f4822f EnumPrintersW
236 0x72f4c301 ExtDeviceMode
237 0x72f47958 FindClosePrinterChangeNotification
238 0x72f47ee4 FindFirstPrinterChangeNotification
239 0x72f47ba8 FindNextPrinterChangeNotification
240 0x72f4dbe9 FlushPrinter
241 0x72f47e56 FreePrinterNotifyInfo
201 0x72f57aef GetDefaultPrinterA
203 0x72f48399 GetDefaultPrinterW
242 0x72f577da GetFormA
243 0x72f4e8f1 GetFormW
244 0x72f56a9c GetJobA
245 0x72f48a5a GetJobW
246 0x72f56d80 GetPrintProcessorDirectoryA
247 0x72f50d61 GetPrintProcessorDirectoryW
248 0x72f47737 GetPrinterA
249 0x72f56eed GetPrinterDataA
250 0x72f57181 GetPrinterDataExA
251 0x72f49739 GetPrinterDataExW
252 0x72f453c7 GetPrinterDataW
253 0x72f47616 GetPrinterDriverA
254 0x72f56be7 GetPrinterDriverDirectoryA
255 0x72f467e9 GetPrinterDriverDirectoryW
256 0x72f46206 GetPrinterDriverW
257 0x72f45d7c GetPrinterW
258 0x72f4dd51 GetSpoolFileHandle
259 0x72f56661 IsValidDevmodeA
260 0x72f495cc IsValidDevmodeW
261 0x72f4741a OpenPrinterA
262 0x72f45862 OpenPrinterW
104 0x72f5f1d0 PerfClose
105 0x72f5f0c7 PerfCollect
106 0x72f5efb0 PerfOpen
263 0x72f4f1b9 PlayGdiScriptOnPrinterIC
264 0x72f56173 PrinterMessageBoxA
265 0x72f4f353 PrinterMessageBoxW
266 0x72f534d9 PrinterProperties
267 0x72f49667 QueryColorProfile
268 0x72f4f2d1 QueryRemoteFonts
269 0x72f4f86b QuerySpoolMode
270 0x72f49413 ReadPrinter
271 0x72f54f05 ResetPrinterA
272 0x72f47a5f ResetPrinterW
273 0x72f4888c ScheduleJob
274 0x72f4896b SeekPrinter
275 0x72f4f771 SetAllocFailCount
202 0x72f56680 SetDefaultPrinterA
204 0x72f58d83 SetDefaultPrinterW
276 0x72f56004 SetFormA
277 0x72f4ea29 SetFormW
278 0x72f54fb4 SetJobA
279 0x72f49129 SetJobW
280 0x72f565c7 SetPortA
281 0x72f4f961 SetPortW
282 0x72f551cb SetPrinterA
283 0x72f55937 SetPrinterDataA
284 0x72f559be SetPrinterDataExA
285 0x72f4e591 SetPrinterDataExW
286 0x72f4e4d9 SetPrinterDataW
287 0x72f4d51d SetPrinterW
288 0x72f4e661 SplDriverUnloadComplete
289 0x72f52ac1 SpoolerDevQueryPrintW
290 0x72f49add SpoolerInit
291 0x72f53041 SpoolerPrinterEvent
292 0x72f579f2 StartDocDlgA
293 0x72f515c9 StartDocDlgW
294 0x72f55807 StartDocPrinterA
295 0x72f48bd0 StartDocPrinterW
296 0x72f49368 StartPagePrinter
297 0x72f58690 WaitForPrinterChange
298 0x72f48514 WritePrinter
299 0x72f4fa31 XcvDataW
100 0x72f4f859
101 0x72f587e1
102 0x72f588fd
103 0x72f58999
205 0x72f492cb
206 0x72f55661
207 0x72f4d919
208 0x72f556fb
209 0x72f4d9d1
210 0x72f56c71
211 0x72f4da69
212 0x72f4646f
213 0x72f463a6
214 0x72f46336
215 0x72f50f9a
216 0x72f57b62
217 0x72f5ba49
218 0x72f50182
219 0x72f54211
220 0x72f54309
221 0x72f54401
222 0x72f4fc69
223 0x72f57d96
224 0x72f52c95
226 0x72f5e471
227 0x72f5e495
228 0x72f5e5d2
229 0x72f54759
230 0x72f544f9
231 0x72f54661
232 0x72f4d7c9

Dropped files

No information

Behavior analysis

Mutexes
  • Local\MSCTF.Asm.MutexDefault1
Commands executed No information
Services created No information
Services started No information

Processes

rundll32.exe PID: 1808, parent process PID: 1872

Files accessed
  • C:\Users\test\AppData\Local\Temp\winspool.drv.dll
  • C:\Users\test\AppData\Local\Temp\winspool.drv.dll.123.Manifest
  • C:\Users\test\AppData\Local\Temp\winspool.drv.dll.124.Manifest
  • C:\Users\test\AppData\Local\Temp\winspool.drv.dll.2.Manifest
  • C:\Windows\SysWOW64\rundll32.exe
  • C:\Windows\Fonts\staticcache.dat
  • \Device\KsecDD
  • C:\Windows\Globalization\Sorting\sortdefault.nls
Files read
  • C:\Users\test\AppData\Local\Temp\winspool.drv.dll
  • C:\Users\test\AppData\Local\Temp\winspool.drv.dll.123.Manifest
  • C:\Users\test\AppData\Local\Temp\winspool.drv.dll.124.Manifest
  • C:\Users\test\AppData\Local\Temp\winspool.drv.dll.2.Manifest
  • C:\Windows\SysWOW64\rundll32.exe
  • C:\Windows\Fonts\staticcache.dat
  • \Device\KsecDD
  • C:\Windows\Globalization\Sorting\sortdefault.nls
Files modified No information
Files deleted No information
Registry keys
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\UseFilter
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\winspool.drv.dll
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\WMR
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane2
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane3
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane4
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane5
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane6
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane7
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane8
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane9
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane10
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane11
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane12
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane13
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane14
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane15
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane16
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\rundll32.exe
  • HKEY_LOCAL_MACHINE\Software\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{03B5835F-F03C-411B-9CE2-AA23E1171E36}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{07EB03D6-B001-41DF-9192-BF9B841EE71F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3697C5FA-60DD-4B56-92D4-74A569205C16}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3FC47A08-E5C9-4BCA-A2C7-BC9A282AED14}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{531FDEBF-9B4C-4A43-A2AA-960E8FCDC732}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{78CB5B0E-26ED-4FCC-854C-77E8F3D1AA80}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{81D4E9C9-1D3B-41BC-9E6C-4B40BF79E35E}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{8613E14C-D0C0-4161-AC0F-1DD2563286BC}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{A028AE76-01B1-46C2-99C4-ACD9858AE02F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{AE6BE008-07FB-400D-8BEB-337A64F7051F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{C1EE01F2-B3B6-4A6A-9DDD-E988C088EC82}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{E429B25A-E5D3-4D1F-9BE3-0C608477E3A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F25E9F57-2FC8-4EB3-A41A-CCE5F08541E6}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F89E9E58-BD2F-4008-9AC2-0F816C09F4EE}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_CURRENT_USER
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
  • HKEY_CURRENT_USER\Software\Microsoft\CTF\DirectSwitchHotkeys
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
  • HKEY_CURRENT_USER\Software\Microsoft\CTF\LayoutIcon\0804\00000804
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\KnownClasses
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
Registry keys read
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\UseFilter
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\winspool.drv.dll
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane2
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane3
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane4
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane5
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane6
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane7
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane8
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane9
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane10
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane11
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane12
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane13
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane14
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane15
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane16
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
Registry keys modified No information
Registry keys deleted No information
API resolution
  • gdi32.dll.GetLayout
  • gdi32.dll.GdiRealizationInfo
  • gdi32.dll.FontIsLinked
  • advapi32.dll.RegOpenKeyExW
  • advapi32.dll.RegQueryInfoKeyW
  • gdi32.dll.GetTextFaceAliasW
  • advapi32.dll.RegEnumValueW
  • advapi32.dll.RegCloseKey
  • advapi32.dll.RegQueryValueExW
  • advapi32.dll.RegQueryValueExA
  • advapi32.dll.RegEnumKeyExW
  • gdi32.dll.GetTextExtentExPointWPri
  • ole32.dll.CoInitializeEx
  • ole32.dll.CoUninitialize
  • cryptbase.dll.SystemFunction036
  • ole32.dll.CoRegisterInitializeSpy
  • ole32.dll.CoRevokeInitializeSpy
  • kernel32.dll.SortGetHandle
  • kernel32.dll.SortCloseHandle
  • oleaut32.dll.SysAllocString
  • oleaut32.dll.SysStringLen
  • oleaut32.dll.SysFreeString
  • oleaut32.dll.#500