魔盾安全分析报告
| 分析类型 | 开始时间 | 结束时间 | 持续时间 | 分析引擎版本 |
|---|---|---|---|---|
| FILE | 2018-07-20 21:01:35 | 2018-07-20 21:04:03 | 148 秒 | 1.4-Maldun |
| 虚拟机机器名 | 标签 | 虚拟机管理 | 开机时间 | 关机时间 |
|---|---|---|---|---|
| win7-sp1-x64-hpdapp03-1 | win7-sp1-x64-hpdapp03-1 | KVM | 2018-07-20 21:01:42 | 2018-07-20 21:04:02 |
| 魔盾分数 |
|---|
6.4恶意的 |
文件详细信息
| 文件名 | 吾爱破解.vmp.exe |
|---|---|
| 文件大小 | 1679360 字节 |
| 文件类型 | PE32 executable (GUI) Intel 80386, for MS Windows |
| CRC32 | 9A9D71E0 |
| MD5 | 1603cc6410587bc1b5c6d8fd7bc64ace |
| SHA1 | 11326106d8127dff22a624017a37d3642da1ca8e |
| SHA256 | 592e4f3f6144e8e196c7a0d677260a40c20d5867dce4425d5b96f2f9ebb7c928 |
| SHA512 | d0d2b354dc52429383b1dca1006a3fea9408def3dbc77bb1653f8ffd2a18742a30292663aa256453b177ac6902c04cfc9ea36a5e70eb5bcc8c18a8550198cd0d |
| Ssdeep | 24576:RdEH4C3koGuw5cPVfyC0aGjCMRWnnyd+oe2gZOxJr5adq78u3Ytv23jRt59UDMNs:LEYC0oGuwLO90WncVgwPf78nK/59UD |
| PEiD | 无匹配 |
| Yara | 无Yara规则匹配 |
| VirusTotal | 无此文件扫描结果 |
特征
创建RWX内存
二进制文件可能包含加密或压缩数据
section: name: .vmp1, entropy: 7.93, characteristics: IMAGE_SCN_CNT_CODE|IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE, raw_size: 0x00194000, virtual_size: 0x00193dd0
从文件自身的二进制镜像中读取数据
self_read: process: ____________.vmp.exe, pid: 1780, offset: 0x00000000, length: 0x00000040
self_read: process: ____________.vmp.exe, pid: 1780, offset: 0x00000120, length: 0x00000020
self_read: process: ____________.vmp.exe, pid: 1780, offset: 0x000001a3, length: 0x00080000
投放了一个或多个可疑文件
suspicious: c:\users\test\appdata\local\temp\rr.bat
suspicious: c:\users\test\appdata\local\temp\rr.bat
可执行文件可能使用VMProtect打包
section: {'name': '.vmp0', 'characteristics': 'IMAGE_SCN_CNT_CODE|IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE', 'virtual_address': '0x0015b000', 'size_of_data': '0x00000000', 'entropy': '0.00', 'virtual_size': '0x000e9db7', 'characteristics_raw': '0xe0000060'}
尝试阻止Cuckoo线程以防止恶意行为被记录
尝试断开连接或更改Cuckoo监控的Windows功能
unhook: function_name: SetWindowLongA, type: modification
unhook: function_name: SetWindowLongW, type: modification
运行截图
网络分析
静态分析
PE 信息
| 初始地址 | 0x00400000 |
|---|---|
| 入口地址 | 0x0068eb6a |
| 声明校验值 | 0x00000000 |
| 实际校验值 | 0x001a7023 |
| 最低操作系统版本要求 | 5.0 |
| 编译时间 | 2018-07-20 20:09:15 |
| 载入哈希 | 67ee596a6f7fee31d7f01217bfc36337 |
| 图标 |  |
| 图标精确哈希值 | a55a8999e37cd63594151b381b4c903f |
| 图标相似性哈希值 | 236d0920251f5d4a64fc6f516392f3ce |
版本信息
| LegalCopyright: | \x4f5c\x8005\x7248\x6743\x6240\x6709 \x8bf7\x5c0a\x91cd\x5e76\x4f7f\x7528\x6b63\x7248 |
| FileVersion: | 1.0.0.0 |
| Comments: | \x672c\x7a0b\x5e8f\x4f7f\x7528\x6613\x8bed\x8a00\x7f16\x5199(http://www.eyuyan.com) |
| ProductName: | Dev. |
| ProductVersion: | 1.0.0.0 |
| FileDescription: | \x6613\x8bed\x8a00\x7a0b\x5e8f |
| Translation: | 0x0804 0x04b0 |
PE数据组成
| 名称 | 虚拟地址 | 虚拟大小 | 原始数据大小 | 特征 | 熵(Entropy) |
|---|---|---|---|---|---|
| .text | 0x00001000 | 0x000b1c26 | 0x00000000 | IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ | 0.00 |
| .rdata | 0x000b3000 | 0x0005755e | 0x00000000 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 0.00 |
| .data | 0x0010b000 | 0x0004f72a | 0x00000000 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE | 0.00 |
| .vmp0 | 0x0015b000 | 0x000e9db7 | 0x00000000 | IMAGE_SCN_CNT_CODE|IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE | 0.00 |
| .vmp1 | 0x00245000 | 0x00193dd0 | 0x00194000 | IMAGE_SCN_CNT_CODE|IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE | 7.93 |
| .rsrc | 0x003d9000 | 0x000040f5 | 0x00005000 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 5.44 |
资源
| 名称 | 偏移量 | 大小 | 语言 | 子语言 | 熵(Entropy) | 文件类型 |
|---|---|---|---|---|---|---|
| RT_ICON | 0x003dbbf4 | 0x000010a8 | LANG_NEUTRAL | SUBLANG_NEUTRAL | 6.72 | data |
| RT_ICON | 0x003dbbf4 | 0x000010a8 | LANG_NEUTRAL | SUBLANG_NEUTRAL | 6.72 | data |
| RT_ICON | 0x003dbbf4 | 0x000010a8 | LANG_NEUTRAL | SUBLANG_NEUTRAL | 6.72 | data |
| RT_ICON | 0x003dbbf4 | 0x000010a8 | LANG_NEUTRAL | SUBLANG_NEUTRAL | 6.72 | data |
| RT_GROUP_ICON | 0x003dccd4 | 0x00000014 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 2.02 | MS Windows icon resource - 1 icon, 16x16, 16 colors |
| RT_GROUP_ICON | 0x003dccd4 | 0x00000014 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 2.02 | MS Windows icon resource - 1 icon, 16x16, 16 colors |
| RT_GROUP_ICON | 0x003dccd4 | 0x00000014 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 2.02 | MS Windows icon resource - 1 icon, 16x16, 16 colors |
| RT_VERSION | 0x003dcce8 | 0x00000240 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 3.77 | data |
| RT_MANIFEST | 0x003dcf28 | 0x000001cd | LANG_NEUTRAL | SUBLANG_NEUTRAL | 5.08 | XML 1.0 document, ASCII text, with very long lines, with no line terminators |
导入
库 WINMM.dll:
• 0x694000 - midiStreamClose
库 WS2_32.dll:
• 0x694008 - WSACleanup
库 KERNEL32.dll:
• 0x694010 - GetVersionExA
• 0x694014 - GetVersion
• 0x694018 - GlobalFindAtomA
库 USER32.dll:
• 0x694020 - IntersectRect
库 GDI32.dll:
• 0x694028 - GetStretchBltMode
库 WINSPOOL.DRV:
• 0x694030 - DocumentPropertiesA
库 ADVAPI32.dll:
• 0x694038 - RegCloseKey
库 SHELL32.dll:
• 0x694040 - SHGetSpecialFolderPathA
库 ole32.dll:
• 0x694048 - OleUninitialize
库 OLEAUT32.dll:
• 0x694050 - UnRegisterTypeLib
库 COMCTL32.dll:
• 0x694058 - None
库 comdlg32.dll:
• 0x694060 - GetFileTitleA
库 KERNEL32.dll:
• 0x694068 - GetModuleFileNameW
库 KERNEL32.dll:
• 0x694070 - GetModuleHandleA
• 0x694074 - LoadLibraryA
• 0x694078 - LocalAlloc
• 0x69407c - LocalFree
• 0x694080 - GetModuleFileNameA
• 0x694084 - ExitProcess
投放文件
rr.bat
| 文件名 | rr.bat |
|---|---|
| 相关文件 |
|
| 文件大小 | 12144 bytes |
| 文件类型 | PE32+ executable (native) x86-64, for MS Windows |
| MD5 | dad20e4603919391341db0d925c901db |
| SHA1 | 7bc9eb4e384860955415b95c1e1c18ad099e7b96 |
| SHA256 | e0d319c43a12f927d0630056aeef89d654d550bd1f2a9d096c30565f72fcefa8 |
| SHA512 | 380af0b3ec63f41aec4c94f1030a584a8a73bc0f5f9bc70849211012e0a254ac3478b52ab92a1be3e4cefb2809695d345d48e33194e7242e5b3bc57b8498f00c |
| Ssdeep | 192:qUW6VaGwODiSl9TYhhKG53+ebCfjpQpkqs1I5ZgjlNc:RW6VarOTlXG5JbCN1M6j0 |
| VirusTotal | 搜索相关分析 |
行为分析
互斥量(Mutexes)
- Local\MSCTF.Asm.MutexDefault1
执行的命令
无信息
创建的服务
无信息
启动的服务
无信息
进程
____________.vmp.exe PID: 1780, 上一级进程 PID: 1896
访问的文件
- C:\Users\test\AppData\Local\Temp\____________.vmp.exe
- C:\Windows\Globalization\Sorting\sortdefault.nls
- C:\Users\test\AppData\Local\Temp\?\xe7\xb5\xaf
- C:\Users\test\AppData\Local\Temp\kernel32.dll
- C:\Users\test\AppData\Local\Temp\shlwapi.dll
- C:\Users\test\AppData\Local\Temp\ntdll.dll
- C:\
- C:\Users\test\AppData\Local\Temp\rr.bat
- C:\Windows\Fonts\staticcache.dat
读取的文件
- C:\Users\test\AppData\Local\Temp\____________.vmp.exe
- C:\Windows\Globalization\Sorting\sortdefault.nls
- C:\Users\test\AppData\Local\Temp\?\xe7\xb5\xaf
- C:\Windows\Fonts\staticcache.dat
修改的文件
- C:\Users\test\AppData\Local\Temp\rr.bat
删除的文件
无信息
注册表键
- HKEY_CURRENT_USER\Software\Microsoft\Multimedia\DrawDib
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane1
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane2
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane3
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane4
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane5
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane6
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane7
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane8
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane9
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane10
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane11
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane12
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane13
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane14
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane15
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane16
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\____________.vmp.exe
- HKEY_LOCAL_MACHINE\Software\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{03B5835F-F03C-411B-9CE2-AA23E1171E36}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{07EB03D6-B001-41DF-9192-BF9B841EE71F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3697C5FA-60DD-4B56-92D4-74A569205C16}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3FC47A08-E5C9-4BCA-A2C7-BC9A282AED14}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{531FDEBF-9B4C-4A43-A2AA-960E8FCDC732}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{78CB5B0E-26ED-4FCC-854C-77E8F3D1AA80}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{81D4E9C9-1D3B-41BC-9E6C-4B40BF79E35E}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{8613E14C-D0C0-4161-AC0F-1DD2563286BC}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{A028AE76-01B1-46C2-99C4-ACD9858AE02F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{AE6BE008-07FB-400D-8BEB-337A64F7051F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{C1EE01F2-B3B6-4A6A-9DDD-E988C088EC82}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{E429B25A-E5D3-4D1F-9BE3-0C608477E3A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F25E9F57-2FC8-4EB3-A41A-CCE5F08541E6}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F89E9E58-BD2F-4008-9AC2-0F816C09F4EE}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_CURRENT_USER
- HKEY_CURRENT_USER\Keyboard Layout\Toggle
- HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
- HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
- HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
- HKEY_CURRENT_USER\Software\Microsoft\CTF\DirectSwitchHotkeys
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
- HKEY_CURRENT_USER\Software\Microsoft\CTF\LayoutIcon\0804\00000804
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\KnownClasses
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\\xe5\xbe\xae\xe8\xbd\xaf\xe9\x9b\x85\xe9\xbb\x91
读取的注册表键
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane1
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane2
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane3
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane4
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane5
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane6
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane7
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane8
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane9
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane10
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane11
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane12
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane13
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane14
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane15
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane16
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
- HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
- HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
- HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
修改的注册表键
无信息
删除的注册表键
无信息
API解析
- kernel32.dll.FlsAlloc
- kernel32.dll.FlsGetValue
- kernel32.dll.FlsSetValue
- kernel32.dll.FlsFree
- kernel32.dll.IsProcessorFeaturePresent
- cryptbase.dll.SystemFunction036
- kernel32.dll.SortGetHandle
- kernel32.dll.SortCloseHandle
- d3d9.dll.Direct3DCreate9
- kernel32.dll.lstrcpynA
- kernel32.dll.RtlMoveMemory
- kernel32.dll.VirtualAlloc
- kernel32.dll.LoadLibraryA
- kernel32.dll.GetProcAddress
- kernel32.dll.VirtualProtect
- kernel32.dll.VirtualFree
- comctl32.dll.ImageList_Draw
- gdi32.dll.BitBlt
- msimg32.dll.TransparentBlt
- msvcrt.dll.free
- msvfw32.dll.DrawDibOpen
- user32.dll.GetDC
- kernel32.dll.MulDiv
- kernel32.dll.FlushInstructionCache
- kernel32.dll.GetCurrentProcess
- kernel32.dll.GetTickCount
- kernel32.dll.VirtualQuery
- kernel32.dll.SetFilePointer
- kernel32.dll.GlobalAlloc
- kernel32.dll.GlobalLock
- kernel32.dll.GlobalUnlock
- kernel32.dll.GlobalReAlloc
- kernel32.dll.GlobalFree
- kernel32.dll.FindResourceA
- kernel32.dll.LoadResource
- kernel32.dll.LockResource
- kernel32.dll.SizeofResource
- kernel32.dll.FreeLibrary
- kernel32.dll.GetModuleFileNameA
- kernel32.dll.GetModuleHandleA
- kernel32.dll.GetVersion
- kernel32.dll.GetCurrentThreadId
- kernel32.dll.CreateFileA
- kernel32.dll.GetFileSize
- kernel32.dll.CloseHandle
- kernel32.dll.ReadFile
- kernel32.dll.SetLastError
- comctl32.dll.ImageList_GetIcon
- comctl32.dll.ImageList_GetImageInfo
- comctl32.dll.ImageList_GetIconSize
- gdi32.dll.SetWindowExtEx
- gdi32.dll.SetWindowOrgEx
- gdi32.dll.SetMapMode
- gdi32.dll.SelectClipPath
- gdi32.dll.EndPath
- gdi32.dll.BeginPath
- gdi32.dll.TextOutA
- gdi32.dll.GetClipRgn
- gdi32.dll.GetPixel
- gdi32.dll.CreatePatternBrush
- gdi32.dll.CreateFontIndirectA
- gdi32.dll.SetViewportOrgEx
- gdi32.dll.GetStockObject
- gdi32.dll.GetTextExtentPoint32A
- gdi32.dll.CreateRoundRectRgn
- gdi32.dll.CreateFontA
- gdi32.dll.SetViewportExtEx
- gdi32.dll.SelectClipRgn
- gdi32.dll.SelectObject
- gdi32.dll.CreateCompatibleDC
- gdi32.dll.DeleteDC
- gdi32.dll.OffsetRgn
- gdi32.dll.CombineRgn
- gdi32.dll.CreateRectRgn
- gdi32.dll.CreatePen
- gdi32.dll.ExtCreateRegion
- gdi32.dll.DeleteObject
- gdi32.dll.Rectangle
- gdi32.dll.SetPixel
- gdi32.dll.PtInRegion
- gdi32.dll.SetTextColor
- gdi32.dll.SetBkMode
- gdi32.dll.PatBlt
- gdi32.dll.CreateDIBSection
- gdi32.dll.GetObjectA
- gdi32.dll.CreateCompatibleBitmap
- gdi32.dll.GetTextExtentPointA
- gdi32.dll.ExtTextOutA
- gdi32.dll.ExtTextOutW
- gdi32.dll.SetBkColor
- gdi32.dll.GetTextColor
- gdi32.dll.CreateSolidBrush
- msvcrt.dll.??3@YAXPAX@Z
- msvcrt.dll.__CxxFrameHandler
- msvcrt.dll.??2@YAPAXI@Z
- msvcrt.dll._ftol
- msvcrt.dll._mbsstr
- msvcrt.dll._mbscmp
- msvcrt.dll.__dllonexit
- msvcrt.dll.malloc
- msvcrt.dll._initterm
- msvcrt.dll._adjust_fdiv
- msvcrt.dll._onexit
- msvcrt.dll.memcpy
- msvfw32.dll.DrawDibDraw
- msvfw32.dll.DrawDibClose
- user32.dll.SetWindowsHookExA
- user32.dll.UnhookWindowsHookEx
- user32.dll.CallNextHookEx
- user32.dll.GetClassNameA
- user32.dll.IsWindow
- user32.dll.EnumThreadWindows
- user32.dll.EnumChildWindows
- user32.dll.LockWindowUpdate
- user32.dll.DestroyIcon
- user32.dll.DrawStateA
- user32.dll.ShowWindow
- user32.dll.GetMenuItemID
- user32.dll.GetWindowRgn
- user32.dll.SetMenu
- user32.dll.GetMenu
- user32.dll.GetSubMenu
- user32.dll.TrackPopupMenu
- user32.dll.CreateWindowExA
- user32.dll.DestroyWindow
- user32.dll.GetWindowInfo
- user32.dll.SetWindowPos
- user32.dll.GetClassLongA
- user32.dll.ScreenToClient
- user32.dll.SystemParametersInfoA
- user32.dll.GetSystemMetrics
- user32.dll.MenuItemFromPoint
- user32.dll.GetMenuItemRect
- user32.dll.GetMenuItemCount
- user32.dll.SetMenuItemInfoA
- user32.dll.IsMenu
- user32.dll.GetUpdateRect
- user32.dll.EqualRect
- user32.dll.ShowScrollBar
- user32.dll.SetWindowRgn
- user32.dll.WindowFromDC
- user32.dll.MoveWindow
- user32.dll.GetSysColor
- user32.dll.EnableScrollBar
- user32.dll.GetScrollBarInfo
- user32.dll.GetCapture
- user32.dll.SetScrollPos
- user32.dll.SetScrollInfo
- user32.dll.GetScrollRange
- user32.dll.GetScrollPos
- user32.dll.GetScrollInfo
- user32.dll.ReleaseDC
- user32.dll.GetWindowDC
- user32.dll.GetDCEx
- user32.dll.EndPaint
- user32.dll.BeginPaint
- user32.dll.GetWindowLongW
- user32.dll.SetWindowLongW
- user32.dll.SetWindowLongA
- user32.dll.ClientToScreen
- user32.dll.FindWindowExA
- user32.dll.GetMenuItemInfoA
- user32.dll.GetParent
- user32.dll.GetComboBoxInfo
- user32.dll.TrackMouseEvent
- user32.dll.GetIconInfo
- user32.dll.GetClientRect
- user32.dll.GetFocus
- user32.dll.InflateRect
- user32.dll.InvalidateRect
- user32.dll.SetPropA
- user32.dll.RemovePropA
- user32.dll.CallWindowProcA
- user32.dll.GetPropA
- user32.dll.SetTimer
- user32.dll.OffsetRect
- user32.dll.KillTimer
- user32.dll.EnableWindow
- user32.dll.GetWindowLongA
- user32.dll.SetRectEmpty
- user32.dll.DrawIconEx
- user32.dll.GetWindowTextA
- user32.dll.DrawTextA
- user32.dll.IsRectEmpty
- user32.dll.IsIconic
- user32.dll.IsZoomed
- user32.dll.GetSystemMenu
- user32.dll.GetMenuState
- user32.dll.ReleaseCapture
- user32.dll.GetMessageA
- user32.dll.SetScrollRange
- user32.dll.DispatchMessageA
- user32.dll.SetRect
- user32.dll.IsWindowVisible
- user32.dll.RegisterClassExA
- user32.dll.DefWindowProcA
- user32.dll.IsWindowEnabled
- user32.dll.SendMessageA
- user32.dll.GetCursorPos
- user32.dll.LoadCursorA
- user32.dll.SetCursor
- user32.dll.GetWindowRect
- user32.dll.PtInRect
- user32.dll.SetCapture
- user32.dll.UpdateLayeredWindow
- user32.dll.SetLayeredWindowAttributes
- dciman32.dll.DCIOpenProvider
- dciman32.dll.DCICloseProvider
- dciman32.dll.DCICreatePrimary
- dciman32.dll.DCIEndAccess
- dciman32.dll.DCIBeginAccess
- dciman32.dll.DCIDestroy
- kernel32.dll.GetCurrentProcessId
- kernel32.dll.ReadProcessMemory
- shlwapi.dll.StrToIntExA
- kernel32.dll.lstrlenA
- ntdll.dll.RtlCompareMemory
- kernel32.dll.RtlFillMemory
- kernel32.dll.DeleteCriticalSection
- kernel32.dll.LeaveCriticalSection
- kernel32.dll.EnterCriticalSection
- kernel32.dll.InitializeCriticalSection
- kernel32.dll.LocalAlloc
- kernel32.dll.WideCharToMultiByte
- kernel32.dll.GetThreadLocale
- kernel32.dll.GetStartupInfoA
- kernel32.dll.GetLocaleInfoA
- kernel32.dll.GetCommandLineA
- kernel32.dll.ExitProcess
- kernel32.dll.WriteFile
- kernel32.dll.UnhandledExceptionFilter
- kernel32.dll.RtlUnwind
- kernel32.dll.RaiseException
- kernel32.dll.GetStdHandle
- user32.dll.GetKeyboardType
- user32.dll.MessageBoxA
- user32.dll.CharNextA
- advapi32.dll.RegQueryValueExA
- advapi32.dll.RegOpenKeyExA
- advapi32.dll.RegCloseKey
- kernel32.dll.TlsSetValue
- kernel32.dll.TlsGetValue
- kernel32.dll.TlsFree
- kernel32.dll.TlsAlloc
- kernel32.dll.LocalFree
- kernel32.dll.WriteProcessMemory
- kernel32.dll.VirtualFreeEx
- kernel32.dll.VirtualAllocEx
- kernel32.dll.SetThreadContext
- kernel32.dll.ResumeThread
- kernel32.dll.GetThreadContext
- kernel32.dll.FreeResource
- kernel32.dll.FindResourceW
- kernel32.dll.CreateProcessA
- kernel32.dll.CreateFileW
- comctl32.dll.RegisterClassNameW
- uxtheme.dll.EnableThemeDialogTexture
- uxtheme.dll.OpenThemeData
- gdi32.dll.GetLayout
- gdi32.dll.GdiRealizationInfo
- gdi32.dll.FontIsLinked
- advapi32.dll.RegOpenKeyExW
- advapi32.dll.RegQueryInfoKeyW
- gdi32.dll.GetTextFaceAliasW
- advapi32.dll.RegEnumValueW
- advapi32.dll.RegQueryValueExW
- advapi32.dll.RegEnumKeyExW
- gdi32.dll.GetTextExtentExPointWPri
- ole32.dll.CoInitializeEx
- ole32.dll.CoUninitialize
- ole32.dll.CoRegisterInitializeSpy
- ole32.dll.CoRevokeInitializeSpy
- user32.dll.MonitorFromWindow
- user32.dll.MonitorFromRect
- user32.dll.MonitorFromPoint
- user32.dll.EnumDisplayMonitors
- user32.dll.GetMonitorInfoA
- gdi32.dll.GetFontAssocStatus
- oleaut32.dll.SysAllocString
- oleaut32.dll.SysStringLen
- oleaut32.dll.SysFreeString
- gdi32.dll.GdiIsMetaPrintDC