魔盾安全分析报告
| 分析类型 | 开始时间 | 结束时间 | 持续时间 | 分析引擎版本 |
|---|---|---|---|---|
| FILE | 2019-05-13 11:24:57 | 2019-05-13 11:30:42 | 345 秒 | 1.4-Maldun |
| 虚拟机机器名 | 标签 | 虚拟机管理 | 开机时间 | 关机时间 |
|---|---|---|---|---|
| win7-sp1-x64-hpdapp01-7 | win7-sp1-x64-hpdapp01-7 | KVM | 2019-05-13 11:25:11 | 2019-05-13 11:30:45 |
| 魔盾分数 |
|---|
0.05正常的 |
文件详细信息
| 文件名 | LEAGUESKIN_9.9.7.zip |
|---|---|
| 文件大小 | 2153520 字节 |
| 文件类型 | Zip archive data, at least v2.0 to extract |
| CRC32 | 95E79D62 |
| MD5 | 41a8cd43f2157865f85d5608f24ff8e9 |
| SHA1 | fb0a6027ab448482cb27998d1805293d622cc937 |
| SHA256 | a2ed23b09cda8d8b965502b8642a949a058d611859d969fd3ae5468d97d2ff2e |
| SHA512 | 21e7153ca2174050a9fc3e7df962a34567136c44b7e53c614d70243e8e8f690d038c06415e3c7db75f8e27d59094de1e7d92770c00d1262586941054213c354d |
| Ssdeep | 49152:hF0QKMHOQl9i0hspYqdgDnAiKtunV5GYHgZeTvz9nBT7:D0Cusi06pYqWD1KtO5GYEeP9BT7 |
| PEiD | 无匹配 |
| Yara |
|
| VirusTotal | 无此文件扫描结果 |
特征
魔盾安全Yara检测结果 - 普通
Informational: Detected no presence of any attachment
Informational: Detected the presence of an or several images
Informational: Detected no presence of any url
运行截图
网络分析
访问主机记录
| 直接访问 | IP地址 | 国家名 |
|---|---|---|
| 否 | 52.158.209.219 | United States |
域名解析
| 域名 | 响应 |
|---|---|
| watson.microsoft.com |
A 52.158.209.219
CNAME legacy.watson.data.microsoft.com.akadns.net |
UDP连接
| IP地址 | 端口 |
|---|---|
| 192.168.122.1 | 53 |
静态分析
投放文件
行为分析
互斥量(Mutexes)
- Local\MSCTF.Asm.MutexDefault1
执行的命令
无信息
创建的服务
无信息
启动的服务
无信息
进程
cmd.exe PID: 608, 上一级进程 PID: 2496
LOLPRO 9.9.7.exe PID: 1572, 上一级进程 PID: 608
访问的文件
- C:\Users\test\AppData\Local\Temp\zip-tmp\LEAGUESKIN_9.9.7\LOLPRO 9.9.7.exe.2.Manifest
- C:\Users\test\AppData\Local\Temp\zip-tmp\LEAGUESKIN_9.9.7\LOLPRO 9.9.7.exe.3.Manifest
- C:\Users\test\AppData\Local\Temp\zip-tmp\LEAGUESKIN_9.9.7\LOLPRO 9.9.7.exe.Config
- C:\Users\test\AppData\Local\Temp\zip-tmp\LEAGUESKIN_9.9.7\LOLPRO 9.9.7.exe
- C:\Users\test\AppData\Local\Temp\zip-tmp\LEAGUESKIN_9.9.7\LOLPRO 9.9.7.exe.1000.Manifest
- C:\Users\test\AppData\Local\Temp\zip-tmp\LEAGUESKIN_9.9.7\LOLPRO 9.9.7CHS.dll
- C:\Users\test\AppData\Local\Temp\zip-tmp\LEAGUESKIN_9.9.7\LOLPRO 9.9.7LOC.dll
- C:\Windows\Globalization\Sorting\sortdefault.nls
- C:\Windows\Fonts\staticcache.dat
- C:\Users\test\AppData\Local\Temp\zip-tmp\LEAGUESKIN_9.9.7\Data.lol
- C:\Fraps\data\Default\Language.ini
- C:\
- C:\Fraps
- C:\Fraps\data
- C:\Fraps\data\Default
- C:\Fraps\data\Default\
- C:\Fraps\*.exe
- C:\Fraps\
- C:\Fraps\LOLPRO 9.9.7.exe
- C:\Fraps\data\
- C:\Fraps\data\80\
- C:\Fraps\data\80
- C:\Fraps\data\80\aatrox.jpg
- C:\Fraps\data\80\ahri.jpg
- C:\Fraps\data\80\akali.jpg
- C:\Fraps\data\80\alistar.jpg
- C:\Fraps\data\80\amumu.jpg
- C:\Fraps\data\80\anivia.jpg
- C:\Fraps\data\80\annie.jpg
- C:\Fraps\data\80\ashe.jpg
- C:\Fraps\data\80\aurelionsol.jpg
- C:\Fraps\data\80\azir.jpg
- C:\Fraps\data\80\bard.jpg
- C:\Fraps\data\80\blitzcrank.jpg
- C:\Fraps\data\80\brand.jpg
- C:\Fraps\data\80\braum.jpg
- C:\Fraps\data\80\caitlyn.jpg
- C:\Fraps\data\80\camille.jpg
- C:\Fraps\data\80\cassiopeia.jpg
- C:\Fraps\data\80\chogath.jpg
- C:\Fraps\data\80\corki.jpg
- C:\Fraps\data\80\darius.jpg
- C:\Fraps\data\80\diana.jpg
- C:\Fraps\data\80\draven.jpg
- C:\Fraps\data\80\drmundo.jpg
- C:\Fraps\data\80\ekko.jpg
- C:\Fraps\data\80\elise.jpg
- C:\Fraps\data\80\evelynn.jpg
- C:\Fraps\data\80\ezreal.jpg
- C:\Fraps\data\80\fiddlesticks.jpg
- C:\Fraps\data\80\fiora.jpg
- C:\Fraps\data\80\fizz.jpg
- C:\Fraps\data\80\galio.jpg
- C:\Fraps\data\80\gangplank.jpg
- C:\Fraps\data\80\garen.jpg
- C:\Fraps\data\80\gnar.jpg
- C:\Fraps\data\80\gragas.jpg
- C:\Fraps\data\80\graves.jpg
- C:\Fraps\data\80\hecarim.jpg
- C:\Fraps\data\80\heimerdinger.jpg
- C:\Fraps\data\80\illaoi.jpg
- C:\Fraps\data\80\irelia.jpg
- C:\Fraps\data\80\ivern.jpg
- C:\Fraps\data\80\janna.jpg
- C:\Fraps\data\80\jarvaniv.jpg
- C:\Fraps\data\80\jax.jpg
- C:\Fraps\data\80\jayce.jpg
- C:\Fraps\data\80\jhin.jpg
- C:\Fraps\data\80\jinx.jpg
- C:\Fraps\data\80\kaisa.jpg
- C:\Fraps\data\80\kalista.jpg
- C:\Fraps\data\80\karma.jpg
- C:\Fraps\data\80\karthus.jpg
- C:\Fraps\data\80\kassadin.jpg
- C:\Fraps\data\80\katarina.jpg
- C:\Fraps\data\80\kayle.jpg
- C:\Fraps\data\80\kayn.jpg
- C:\Fraps\data\80\kennen.jpg
- C:\Fraps\data\80\khazix.jpg
- C:\Fraps\data\80\kindred.jpg
- C:\Fraps\data\80\kled.jpg
- C:\Fraps\data\80\kogmaw.jpg
- C:\Fraps\data\80\leblanc.jpg
- C:\Fraps\data\80\leesin.jpg
- C:\Fraps\data\80\leona.jpg
- C:\Fraps\data\80\lissandra.jpg
- C:\Fraps\data\80\lucian.jpg
- C:\Fraps\data\80\lulu.jpg
- C:\Fraps\data\80\lux.jpg
- C:\Fraps\data\80\malphite.jpg
- C:\Fraps\data\80\malzahar.jpg
- C:\Fraps\data\80\maokai.jpg
- C:\Fraps\data\80\masteryi.jpg
- C:\Fraps\data\80\missfortune.jpg
- C:\Fraps\data\80\monkeyking.jpg
- C:\Fraps\data\80\mordekaiser.jpg
- C:\Fraps\data\80\morgana.jpg
- C:\Fraps\data\80\nami.jpg
- C:\Fraps\data\80\nasus.jpg
- C:\Fraps\data\80\nautilus.jpg
- C:\Fraps\data\80\nidalee.jpg
- C:\Fraps\data\80\nocturne.jpg
- C:\Fraps\data\80\nunu.jpg
- C:\Fraps\data\80\olaf.jpg
- C:\Fraps\data\80\orianna.jpg
- C:\Fraps\data\80\ornn.jpg
- C:\Fraps\data\80\pantheon.jpg
- C:\Fraps\data\80\poppy.jpg
- C:\Fraps\data\80\quinn.jpg
- C:\Fraps\data\80\rakan.jpg
- C:\Fraps\data\80\rammus.jpg
- C:\Fraps\data\80\reksai.jpg
- C:\Fraps\data\80\renekton.jpg
- C:\Fraps\data\80\rengar.jpg
- C:\Fraps\data\80\riven.jpg
- C:\Fraps\data\80\rumble.jpg
- C:\Fraps\data\80\ryze.jpg
- C:\Fraps\data\80\sejuani.jpg
- C:\Fraps\data\80\shaco.jpg
- C:\Fraps\data\80\shen.jpg
- C:\Fraps\data\80\shyvana.jpg
- C:\Fraps\data\80\singed.jpg
- C:\Fraps\data\80\sion.jpg
- C:\Fraps\data\80\sivir.jpg
- C:\Fraps\data\80\skarner.jpg
- C:\Fraps\data\80\sona.jpg
- C:\Fraps\data\80\soraka.jpg
- C:\Fraps\data\80\swain.jpg
- C:\Fraps\data\80\syndra.jpg
- C:\Fraps\data\80\tahmkench.jpg
- C:\Fraps\data\80\taliyah.jpg
- C:\Fraps\data\80\talon.jpg
- C:\Fraps\data\80\taric.jpg
- C:\Fraps\data\80\teemo.jpg
- C:\Fraps\data\80\thresh.jpg
- C:\Fraps\data\80\tristana.jpg
- C:\Fraps\data\80\trundle.jpg
- C:\Fraps\data\80\tryndamere.jpg
- C:\Fraps\data\80\twistedfate.jpg
- C:\Fraps\data\80\twitch.jpg
- C:\Fraps\data\80\udyr.jpg
- C:\Fraps\data\80\urgot.jpg
- C:\Fraps\data\80\varus.jpg
- C:\Fraps\data\80\vayne.jpg
- C:\Fraps\data\80\veigar.jpg
- C:\Fraps\data\80\velkoz.jpg
- C:\Fraps\data\80\vi.jpg
- C:\Fraps\data\80\viktor.jpg
- C:\Fraps\data\80\vladimir.jpg
读取的文件
- C:\Users\test\AppData\Local\Temp\zip-tmp\LEAGUESKIN_9.9.7\LOLPRO 9.9.7.exe.2.Manifest
- C:\Users\test\AppData\Local\Temp\zip-tmp\LEAGUESKIN_9.9.7\LOLPRO 9.9.7.exe.3.Manifest
- C:\Users\test\AppData\Local\Temp\zip-tmp\LEAGUESKIN_9.9.7\LOLPRO 9.9.7.exe.Config
- C:\Users\test\AppData\Local\Temp\zip-tmp\LEAGUESKIN_9.9.7\LOLPRO 9.9.7.exe
- C:\Users\test\AppData\Local\Temp\zip-tmp\LEAGUESKIN_9.9.7\LOLPRO 9.9.7.exe.1000.Manifest
- C:\Windows\Globalization\Sorting\sortdefault.nls
- C:\Windows\Fonts\staticcache.dat
- C:\Users\test\AppData\Local\Temp\zip-tmp\LEAGUESKIN_9.9.7\Data.lol
修改的文件
- C:\Fraps\data\Default\Language.ini
- C:\Fraps\LOLPRO 9.9.7.exe
- C:\Fraps\data\80\aatrox.jpg
- C:\Fraps\data\80\ahri.jpg
- C:\Fraps\data\80\akali.jpg
- C:\Fraps\data\80\alistar.jpg
- C:\Fraps\data\80\amumu.jpg
- C:\Fraps\data\80\anivia.jpg
- C:\Fraps\data\80\annie.jpg
- C:\Fraps\data\80\ashe.jpg
- C:\Fraps\data\80\aurelionsol.jpg
- C:\Fraps\data\80\azir.jpg
- C:\Fraps\data\80\bard.jpg
- C:\Fraps\data\80\blitzcrank.jpg
- C:\Fraps\data\80\brand.jpg
- C:\Fraps\data\80\braum.jpg
- C:\Fraps\data\80\caitlyn.jpg
- C:\Fraps\data\80\camille.jpg
- C:\Fraps\data\80\cassiopeia.jpg
- C:\Fraps\data\80\chogath.jpg
- C:\Fraps\data\80\corki.jpg
- C:\Fraps\data\80\darius.jpg
- C:\Fraps\data\80\diana.jpg
- C:\Fraps\data\80\draven.jpg
- C:\Fraps\data\80\drmundo.jpg
- C:\Fraps\data\80\ekko.jpg
- C:\Fraps\data\80\elise.jpg
- C:\Fraps\data\80\evelynn.jpg
- C:\Fraps\data\80\ezreal.jpg
- C:\Fraps\data\80\fiddlesticks.jpg
- C:\Fraps\data\80\fiora.jpg
- C:\Fraps\data\80\fizz.jpg
- C:\Fraps\data\80\galio.jpg
- C:\Fraps\data\80\gangplank.jpg
- C:\Fraps\data\80\garen.jpg
- C:\Fraps\data\80\gnar.jpg
- C:\Fraps\data\80\gragas.jpg
- C:\Fraps\data\80\graves.jpg
- C:\Fraps\data\80\hecarim.jpg
- C:\Fraps\data\80\heimerdinger.jpg
- C:\Fraps\data\80\illaoi.jpg
- C:\Fraps\data\80\irelia.jpg
- C:\Fraps\data\80\ivern.jpg
- C:\Fraps\data\80\janna.jpg
- C:\Fraps\data\80\jarvaniv.jpg
- C:\Fraps\data\80\jax.jpg
- C:\Fraps\data\80\jayce.jpg
- C:\Fraps\data\80\jhin.jpg
- C:\Fraps\data\80\jinx.jpg
- C:\Fraps\data\80\kaisa.jpg
- C:\Fraps\data\80\kalista.jpg
- C:\Fraps\data\80\karma.jpg
- C:\Fraps\data\80\karthus.jpg
- C:\Fraps\data\80\kassadin.jpg
- C:\Fraps\data\80\katarina.jpg
- C:\Fraps\data\80\kayle.jpg
- C:\Fraps\data\80\kayn.jpg
- C:\Fraps\data\80\kennen.jpg
- C:\Fraps\data\80\khazix.jpg
- C:\Fraps\data\80\kindred.jpg
- C:\Fraps\data\80\kled.jpg
- C:\Fraps\data\80\kogmaw.jpg
- C:\Fraps\data\80\leblanc.jpg
- C:\Fraps\data\80\leesin.jpg
- C:\Fraps\data\80\leona.jpg
- C:\Fraps\data\80\lissandra.jpg
- C:\Fraps\data\80\lucian.jpg
- C:\Fraps\data\80\lulu.jpg
- C:\Fraps\data\80\lux.jpg
- C:\Fraps\data\80\malphite.jpg
- C:\Fraps\data\80\malzahar.jpg
- C:\Fraps\data\80\maokai.jpg
- C:\Fraps\data\80\masteryi.jpg
- C:\Fraps\data\80\missfortune.jpg
- C:\Fraps\data\80\monkeyking.jpg
- C:\Fraps\data\80\mordekaiser.jpg
- C:\Fraps\data\80\morgana.jpg
- C:\Fraps\data\80\nami.jpg
- C:\Fraps\data\80\nasus.jpg
- C:\Fraps\data\80\nautilus.jpg
- C:\Fraps\data\80\nidalee.jpg
- C:\Fraps\data\80\nocturne.jpg
- C:\Fraps\data\80\nunu.jpg
- C:\Fraps\data\80\olaf.jpg
- C:\Fraps\data\80\orianna.jpg
- C:\Fraps\data\80\ornn.jpg
- C:\Fraps\data\80\pantheon.jpg
- C:\Fraps\data\80\poppy.jpg
- C:\Fraps\data\80\quinn.jpg
- C:\Fraps\data\80\rakan.jpg
- C:\Fraps\data\80\rammus.jpg
- C:\Fraps\data\80\reksai.jpg
- C:\Fraps\data\80\renekton.jpg
- C:\Fraps\data\80\rengar.jpg
- C:\Fraps\data\80\riven.jpg
- C:\Fraps\data\80\rumble.jpg
- C:\Fraps\data\80\ryze.jpg
- C:\Fraps\data\80\sejuani.jpg
- C:\Fraps\data\80\shaco.jpg
- C:\Fraps\data\80\shen.jpg
- C:\Fraps\data\80\shyvana.jpg
- C:\Fraps\data\80\singed.jpg
- C:\Fraps\data\80\sion.jpg
- C:\Fraps\data\80\sivir.jpg
- C:\Fraps\data\80\skarner.jpg
- C:\Fraps\data\80\sona.jpg
- C:\Fraps\data\80\soraka.jpg
- C:\Fraps\data\80\swain.jpg
- C:\Fraps\data\80\syndra.jpg
- C:\Fraps\data\80\tahmkench.jpg
- C:\Fraps\data\80\taliyah.jpg
- C:\Fraps\data\80\talon.jpg
- C:\Fraps\data\80\taric.jpg
- C:\Fraps\data\80\teemo.jpg
- C:\Fraps\data\80\thresh.jpg
- C:\Fraps\data\80\tristana.jpg
- C:\Fraps\data\80\trundle.jpg
- C:\Fraps\data\80\tryndamere.jpg
- C:\Fraps\data\80\twistedfate.jpg
- C:\Fraps\data\80\twitch.jpg
- C:\Fraps\data\80\udyr.jpg
- C:\Fraps\data\80\urgot.jpg
- C:\Fraps\data\80\varus.jpg
- C:\Fraps\data\80\vayne.jpg
- C:\Fraps\data\80\veigar.jpg
- C:\Fraps\data\80\velkoz.jpg
- C:\Fraps\data\80\vi.jpg
- C:\Fraps\data\80\viktor.jpg
- C:\Fraps\data\80\vladimir.jpg
删除的文件
无信息
注册表键
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoNetConnectDisconnect
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRecentDocsHistory
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoClose
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Network
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Comdlg32
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\zh-Hans
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\ExtendedLocale
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\zh-Hans
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\LOLPRO 9.9.7.exe
- HKEY_LOCAL_MACHINE\Software\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{03B5835F-F03C-411B-9CE2-AA23E1171E36}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{07EB03D6-B001-41DF-9192-BF9B841EE71F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3697C5FA-60DD-4B56-92D4-74A569205C16}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3FC47A08-E5C9-4BCA-A2C7-BC9A282AED14}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{531FDEBF-9B4C-4A43-A2AA-960E8FCDC732}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{78CB5B0E-26ED-4FCC-854C-77E8F3D1AA80}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{81D4E9C9-1D3B-41BC-9E6C-4B40BF79E35E}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{8613E14C-D0C0-4161-AC0F-1DD2563286BC}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{A028AE76-01B1-46C2-99C4-ACD9858AE02F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{AE6BE008-07FB-400D-8BEB-337A64F7051F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{C1EE01F2-B3B6-4A6A-9DDD-E988C088EC82}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{E429B25A-E5D3-4D1F-9BE3-0C608477E3A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F25E9F57-2FC8-4EB3-A41A-CCE5F08541E6}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F89E9E58-BD2F-4008-9AC2-0F816C09F4EE}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_CURRENT_USER
- HKEY_CURRENT_USER\Keyboard Layout\Toggle
- HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
- HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
- HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\WMR
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
- HKEY_CURRENT_USER\Software\Microsoft\CTF\DirectSwitchHotkeys
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\KnownClasses
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\MS Shell Dlg 2
读取的注册表键
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoNetConnectDisconnect
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRecentDocsHistory
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoClose
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\zh-Hans
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\zh-Hans
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
- HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
- HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
- HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
修改的注册表键
无信息
删除的注册表键
无信息
API解析
- kernel32.dll.FlsAlloc
- kernel32.dll.FlsGetValue
- kernel32.dll.FlsSetValue
- kernel32.dll.FlsFree
- kernel32.dll.IsProcessorFeaturePresent
- kernel32.dll.CreateActCtxW
- kernel32.dll.ReleaseActCtx
- kernel32.dll.ActivateActCtx
- kernel32.dll.DeactivateActCtx
- user32.dll.NotifyWinEvent
- kernel32.dll.GetUserDefaultUILanguage
- kernel32.dll.GetSystemDefaultUILanguage
- comctl32.dll.InitCommonControlsEx
- shell32.dll.InitNetworkAddressControl
- comctl32.dll.RegisterClassNameW
- kernel32.dll.SortGetHandle
- kernel32.dll.SortCloseHandle
- uxtheme.dll.EnableThemeDialogTexture
- user32.dll.GetSystemMetrics
- user32.dll.MonitorFromWindow
- user32.dll.MonitorFromRect
- user32.dll.MonitorFromPoint
- user32.dll.EnumDisplayMonitors
- user32.dll.EnumDisplayDevicesW
- user32.dll.GetMonitorInfoW
- ole32.dll.CoInitializeEx
- ole32.dll.CoUninitialize
- cryptbase.dll.SystemFunction036
- ole32.dll.CoRegisterInitializeSpy
- ole32.dll.CoRevokeInitializeSpy
- gdi32.dll.GetLayout
- gdi32.dll.GdiRealizationInfo
- gdi32.dll.FontIsLinked
- advapi32.dll.RegOpenKeyExW
- advapi32.dll.RegQueryInfoKeyW
- gdi32.dll.GetTextFaceAliasW
- advapi32.dll.RegEnumValueW
- advapi32.dll.RegCloseKey
- advapi32.dll.RegQueryValueExW
- advapi32.dll.RegQueryValueExA
- advapi32.dll.RegEnumKeyExW
- gdi32.dll.GdiIsMetaPrintDC