Maldun (魔盾) Security Analysis Report

Analysis type | Start time | End time | Duration | Analysis engine version
FILE 2019-09-16 19:21:43 2019-09-16 19:23:56 133 seconds 1.4-Maldun
VM name | Label | Hypervisor | Boot time | Shutdown time
win7-sp1-x64-hpdapp01-1 win7-sp1-x64-hpdapp01-1 KVM 2019-09-16 19:21:48 2019-09-16 19:23:57
Maldun score

10.0

Malicious

File details

File name UU补丁.exe
File size 434176 bytes
File type PE32 executable (GUI) Intel 80386, for MS Windows
CRC32 DD9D9B3B
MD5 eee5a11a4b742416f1c189f480687527
SHA1 f015f1399174f17d348a89ee26a21ec25bb2c909
SHA256 4ac5a55ebef653cfd41f36b696a8989951d7b23a898a437d52332523ac38c50f
SHA512 057cc99a22b83c2b8d4d38fbea413ae91ffaafde332d32e069f5ad89f7debe41f67534ffc778627e9f76db2d919b3eb3f9496307fd7df184d2a31daa03ebb2b7
Ssdeep 6144:K1wx4dR9YyHMvnJ0ch/HqWWmBMtSJsewDNhWNcDbHuJ1Mv5/pFe7f9l:a9l4PUmBi1eNcDbOJi5pFU
PEiD No match
Yara
  • DebuggerTiming__Ticks (Detected timing ticks function)
  • screenshot (Detected take screenshot function)
  • create_process (Detection function for creating a new process)
  • keylogger (Detected keylogger function)
  • win_registry (Detected system registries modification function)
  • change_win_registry (Change registries to affect system)
  • win_files_operation (Affect private profile)
  • win_hook (Detected hook table access function)
  • win_private_profile (Detected private profile access function)
  • Maldun_Anomoly_Combined_Activities_7 (Spotted potential malicious behaviors from a small size target, like process manipultion, privilege, token and files)
  • IsPE32 (Detected 32bit PE signature)
  • IsWindowsGUI (Detected Windows GUI signature)
  • IsPacked (Detected Entropy signature)
  • HasRichSignature (Detected Rich Signature)
VirusTotal VirusTotal link
VirusTotal scan time: 2019-07-13 22:00:56
Scan result: 24/71

Signatures

Allocates RWX memory
The binary likely contains encrypted or compressed data
section: name: .vmp1, entropy: 7.98, characteristics: IMAGE_SCN_CNT_CODE|IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE, raw_size: 0x00068000, virtual_size: 0x00067346
Repeatedly searches for a process that cannot be found; the sample may want to be run with the startbrowser=1 option
Maldun Security Yara rule detection results - security alert
The executable is likely packed with VMProtect
section: {'name': '.vmp0', 'characteristics': 'IMAGE_SCN_CNT_CODE|IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ', 'virtual_address': '0x000fc000', 'size_of_data': '0x00000000', 'entropy': '0.00', 'virtual_size': '0x0000b04c', 'characteristics_raw': '0x60000060'}
Expresses interest in specific running processes
process: IMECMNT.EXE
process: winlogon.exe
The file has been flagged as malicious by at least one antivirus engine on VirusTotal
Bkav: HW32.Packed.
Cylance: Unsafe
K7GW: Adware ( 004b942f1 )
K7AntiVirus: Adware ( 004b942f1 )
Invincea: heuristic
Symantec: ML.Attribute.HighConfidence
APEX: Malicious
Rising: Trojan.Generic@ML.97 (RDML:mzpWJFMg2O6mkYgiXzotIA)
Endgame: malicious (high confidence)
Sophos: Mal/VMProtBad-A
Comodo: TrojWare.Win32.Agent.ISVQ@5mbonp
McAfee-GW-Edition: BehavesLike.Win32.Backdoor.gc
Trapmine: malicious.moderate.ml.score
FireEye: Generic.mg.eee5a11a4b742416
SentinelOne: DFI - Malicious PE
MaxSecure: Trojan.Malware.300983.susgen
Microsoft: Trojan:Win32/Wacatac.B!ml
AhnLab-V3: Packed/Win32.Vmpbad.C90402
Acronis: suspicious
ESET-NOD32: a variant of Win32/Packed.FlyStudio.AA potentially unwanted
eGambit: Trojan.Generic
GData: Win32.Trojan.Kryptik.HK@susp
Cybereason: malicious.99174f
CrowdStrike: win/malicious_confidence_100% (D)

Screenshots

Network analysis

No information

Static analysis

PE information

Image base 0x00400000
Entry point 0x0050e648
Claimed checksum 0x00000000
Actual checksum 0x000707fb
Minimum OS version required 4.0
Compile time 2019-06-01 10:48:51
Import hash (imphash) edf5455b5fa78167909eadcaf8d3b394

PE sections

Name | Virtual address | Virtual size | Raw data size | Characteristics | Entropy
.text 0x00001000 0x0008885a 0x00000000 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 0.00
.rdata 0x0008a000 0x0002e106 0x00000000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 0.00
.data 0x000b9000 0x000420ca 0x00000000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 0.00
.vmp0 0x000fc000 0x0000b04c 0x00000000 IMAGE_SCN_CNT_CODE|IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 0.00
.vmp1 0x00108000 0x00067346 0x00068000 IMAGE_SCN_CNT_CODE|IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 7.98
.rsrc 0x00170000 0x0000140e 0x00001000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 2.59

Resources

Name | Offset | Size | Language | Sublanguage | Entropy | File type
RT_DIALOG 0x001712e0 0x000000e2 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 0.00 None
RT_DIALOG 0x001712e0 0x000000e2 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 0.00 None
RT_DIALOG 0x001712e0 0x000000e2 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 0.00 None
RT_GROUP_CURSOR 0x001713ec 0x00000022 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 0.00 None
RT_GROUP_CURSOR 0x001713ec 0x00000022 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 0.00 None
RT_GROUP_CURSOR 0x001713ec 0x00000022 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 0.00 None

Imports

Library WINMM.dll:
0x522c90 - midiStreamOut
0x522c94 - midiOutPrepareHeader
0x522c98 - waveOutWrite
0x522c9c - waveOutPause
0x522ca0 - waveOutReset
0x522ca4 - waveOutClose
0x522ca8 - waveOutGetNumDevs
0x522cac - waveOutOpen
0x522cb0 - midiOutUnprepareHeader
0x522cb4 - midiStreamOpen
0x522cb8 - midiStreamProperty
0x522cbc - midiStreamStop
0x522cc0 - midiOutReset
0x522cc4 - midiStreamClose
0x522cc8 - midiStreamRestart
0x522ccc - waveOutUnprepareHeader
0x522cd0 - waveOutPrepareHeader
Library WS2_32.dll:
0x522cd8 - WSAAsyncSelect
0x522cdc - closesocket
0x522ce0 - WSACleanup
0x522ce4 - inet_ntoa
0x522ce8 - recvfrom
0x522cec - ioctlsocket
0x522cf0 - recv
0x522cf4 - accept
0x522cf8 - getpeername
Library KERNEL32.dll:
0x522d00 - SetLastError
0x522d04 - GetTimeZoneInformation
0x522d08 - GetVersion
0x522d0c - UnhandledExceptionFilter
0x522d10 - GetACP
0x522d14 - HeapSize
0x522d18 - RaiseException
0x522d1c - GetLocalTime
0x522d20 - GetSystemTime
0x522d24 - RtlUnwind
0x522d28 - GetStartupInfoA
0x522d2c - GetOEMCP
0x522d30 - GetCPInfo
0x522d34 - GetProcessVersion
0x522d38 - SetErrorMode
0x522d3c - GlobalFlags
0x522d40 - GetCurrentThread
0x522d44 - GetFileTime
0x522d48 - TlsGetValue
0x522d4c - LocalReAlloc
0x522d50 - TlsSetValue
0x522d54 - TlsFree
0x522d58 - GlobalHandle
0x522d5c - TlsAlloc
0x522d60 - LocalAlloc
0x522d64 - lstrcmpA
0x522d68 - GlobalGetAtomNameA
0x522d6c - GlobalAddAtomA
0x522d70 - GlobalFindAtomA
0x522d74 - GlobalDeleteAtom
0x522d78 - lstrcmpiA
0x522d7c - SetEndOfFile
0x522d80 - UnlockFile
0x522d84 - LockFile
0x522d88 - FlushFileBuffers
0x522d8c - DuplicateHandle
0x522d90 - lstrcpynA
0x522d94 - FileTimeToLocalFileTime
0x522d98 - FileTimeToSystemTime
0x522d9c - LocalFree
0x522da0 - InterlockedDecrement
0x522da4 - InterlockedIncrement
0x522da8 - OpenProcess
0x522dac - TerminateProcess
0x522db0 - GetFileSize
0x522db4 - SetFilePointer
0x522db8 - CreateToolhelp32Snapshot
0x522dbc - Process32First
0x522dc0 - Process32Next
0x522dc4 - GetCurrentProcess
0x522dc8 - GetWindowsDirectoryA
0x522dcc - GetSystemDirectoryA
0x522dd0 - CreateSemaphoreA
0x522dd4 - ResumeThread
0x522dd8 - ReleaseSemaphore
0x522ddc - EnterCriticalSection
0x522de0 - LeaveCriticalSection
0x522de4 - GetProfileStringA
0x522de8 - WriteFile
0x522dec - WaitForMultipleObjects
0x522df0 - CreateFileA
0x522df4 - SetEvent
0x522df8 - FindResourceA
0x522dfc - LoadResource
0x522e00 - LockResource
0x522e04 - ReadFile
0x522e08 - GetModuleFileNameA
0x522e0c - WideCharToMultiByte
0x522e10 - MultiByteToWideChar
0x522e14 - GetCurrentThreadId
0x522e18 - ExitProcess
0x522e1c - GlobalSize
0x522e20 - GlobalFree
0x522e24 - DeleteCriticalSection
0x522e28 - InterlockedExchange
0x522e2c - InitializeCriticalSection
0x522e30 - lstrcatA
0x522e34 - lstrlenA
0x522e38 - WinExec
0x522e3c - lstrcpyA
0x522e40 - FindNextFileA
0x522e44 - GlobalReAlloc
0x522e48 - HeapFree
0x522e4c - HeapReAlloc
0x522e50 - GetProcessHeap
0x522e54 - HeapAlloc
0x522e58 - GetFullPathNameA
0x522e5c - FreeLibrary
0x522e60 - LoadLibraryA
0x522e64 - GetLastError
0x522e68 - GetVersionExA
0x522e6c - WritePrivateProfileStringA
0x522e70 - CreateThread
0x522e74 - CreateEventA
0x522e78 - Sleep
0x522e7c - GlobalAlloc
0x522e80 - GlobalLock
0x522e84 - GlobalUnlock
0x522e88 - GetTempPathA
0x522e8c - FindFirstFileA
0x522e90 - FindClose
0x522e94 - GetFileAttributesA
0x522e98 - SetCurrentDirectoryA
0x522e9c - GetVolumeInformationA
0x522ea0 - GetModuleHandleA
0x522ea4 - GetProcAddress
0x522ea8 - MulDiv
0x522eac - GetCommandLineA
0x522eb0 - GetTickCount
0x522eb4 - CreateProcessA
0x522eb8 - WaitForSingleObject
0x522ebc - CloseHandle
0x522ec0 - FreeEnvironmentStringsA
0x522ec4 - FreeEnvironmentStringsW
0x522ec8 - GetEnvironmentStrings
0x522ecc - GetEnvironmentStringsW
0x522ed0 - SetHandleCount
0x522ed4 - GetStdHandle
0x522ed8 - GetFileType
0x522edc - GetEnvironmentVariableA
0x522ee0 - HeapDestroy
0x522ee4 - HeapCreate
0x522ee8 - VirtualFree
0x522eec - SetEnvironmentVariableA
0x522ef0 - LCMapStringA
0x522ef4 - LCMapStringW
0x522ef8 - VirtualAlloc
0x522efc - IsBadWritePtr
0x522f00 - SetUnhandledExceptionFilter
0x522f04 - GetStringTypeA
0x522f08 - GetStringTypeW
0x522f0c - CompareStringA
0x522f10 - CompareStringW
0x522f14 - IsBadReadPtr
0x522f18 - IsBadCodePtr
0x522f1c - SetStdHandle
Library USER32.dll:
0x522f24 - GetMenu
0x522f28 - SetMenu
0x522f2c - PeekMessageA
0x522f30 - GetSysColorBrush
0x522f34 - CopyAcceleratorTableA
0x522f38 - GetKeyState
0x522f3c - TranslateAcceleratorA
0x522f40 - IsWindowEnabled
0x522f44 - ShowWindow
0x522f48 - SystemParametersInfoA
0x522f4c - LoadImageA
0x522f50 - EnumDisplaySettingsA
0x522f54 - ClientToScreen
0x522f58 - EnableMenuItem
0x522f5c - GetSubMenu
0x522f60 - GetDlgCtrlID
0x522f64 - CreateAcceleratorTableA
0x522f68 - CreateMenu
0x522f6c - ModifyMenuA
0x522f70 - AppendMenuA
0x522f74 - CreatePopupMenu
0x522f78 - DrawIconEx
0x522f7c - CreateIconFromResource
0x522f80 - CreateIconFromResourceEx
0x522f84 - RegisterClipboardFormatA
0x522f88 - SetRectEmpty
0x522f8c - IsIconic
0x522f90 - SetFocus
0x522f94 - GetActiveWindow
0x522f98 - GetWindow
0x522f9c - DestroyAcceleratorTable
0x522fa0 - SetWindowRgn
0x522fa4 - GetMessagePos
0x522fa8 - ScreenToClient
0x522fac - ChildWindowFromPointEx
0x522fb0 - DispatchMessageA
0x522fb4 - LoadBitmapA
0x522fb8 - WinHelpA
0x522fbc - KillTimer
0x522fc0 - SetTimer
0x522fc4 - ReleaseCapture
0x522fc8 - GetCapture
0x522fcc - SetCapture
0x522fd0 - LoadStringA
0x522fd4 - GetScrollRange
0x522fd8 - SetScrollRange
0x522fdc - SetScrollPos
0x522fe0 - SetRect
0x522fe4 - InflateRect
0x522fe8 - IntersectRect
0x522fec - DestroyIcon
0x522ff0 - PtInRect
0x522ff4 - DeleteMenu
0x522ff8 - IsWindowVisible
0x522ffc - EnableWindow
0x523000 - RedrawWindow
0x523004 - GetWindowLongA
0x523008 - SetWindowLongA
0x52300c - GetSysColor
0x523010 - SetActiveWindow
0x523014 - SetCursorPos
0x523018 - LoadCursorA
0x52301c - SetCursor
0x523020 - GetDC
0x523024 - FillRect
0x523028 - IsRectEmpty
0x52302c - ReleaseDC
0x523030 - IsChild
0x523034 - DestroyMenu
0x523038 - SetForegroundWindow
0x52303c - GetWindowRect
0x523040 - EqualRect
0x523044 - UpdateWindow
0x523048 - ValidateRect
0x52304c - InvalidateRect
0x523050 - GetClientRect
0x523054 - GetFocus
0x523058 - GetParent
0x52305c - GetTopWindow
0x523060 - PostMessageA
0x523064 - IsWindow
0x523068 - SetParent
0x52306c - DestroyCursor
0x523070 - SendMessageA
0x523074 - SetWindowPos
0x523078 - MessageBoxA
0x52307c - GetCursorPos
0x523080 - GetSystemMetrics
0x523084 - EmptyClipboard
0x523088 - SetClipboardData
0x52308c - OpenClipboard
0x523090 - GetClipboardData
0x523094 - CloseClipboard
0x523098 - wsprintfA
0x52309c - WaitForInputIdle
0x5230a0 - GetSystemMenu
0x5230a4 - GetMessageA
0x5230a8 - WindowFromPoint
0x5230ac - DrawFocusRect
0x5230b0 - DrawEdge
0x5230b4 - TranslateMessage
0x5230b8 - LoadIconA
0x5230bc - GetForegroundWindow
0x5230c0 - GetDesktopWindow
0x5230c4 - GetClassNameA
0x5230c8 - GetWindowThreadProcessId
0x5230cc - FindWindowA
0x5230d0 - GetDlgItem
0x5230d4 - GetWindowTextA
0x5230d8 - DefWindowProcA
0x5230dc - GetClassInfoA
0x5230e0 - IsZoomed
0x5230e4 - OffsetRect
0x5230e8 - PostQuitMessage
0x5230ec - CopyRect
0x5230f0 - UnregisterClassA
0x5230f4 - DrawFrameControl
0x5230f8 - GetWindowTextLengthA
0x5230fc - CharUpperA
0x523100 - GetWindowDC
0x523104 - BeginPaint
0x523108 - EndPaint
0x52310c - TabbedTextOutA
0x523110 - DrawTextA
0x523114 - GrayStringA
0x523118 - DestroyWindow
0x52311c - CreateDialogIndirectParamA
0x523120 - EndDialog
0x523124 - GetNextDlgTabItem
0x523128 - GetWindowPlacement
0x52312c - RegisterWindowMessageA
0x523130 - GetLastActivePopup
0x523134 - GetMessageTime
0x523138 - RemovePropA
0x52313c - CallWindowProcA
0x523140 - GetPropA
0x523144 - UnhookWindowsHookEx
0x523148 - SetPropA
0x52314c - GetClassLongA
0x523150 - CallNextHookEx
0x523154 - SetWindowsHookExA
0x523158 - CreateWindowExA
0x52315c - GetMenuItemID
0x523160 - GetMenuItemCount
0x523164 - RegisterClassA
0x523168 - GetScrollPos
0x52316c - AdjustWindowRectEx
0x523170 - MapWindowPoints
0x523174 - SendDlgItemMessageA
0x523178 - ScrollWindowEx
0x52317c - IsDialogMessageA
0x523180 - SetWindowTextA
0x523184 - MoveWindow
0x523188 - CheckMenuItem
0x52318c - SetMenuItemBitmaps
0x523190 - GetMenuState
0x523194 - GetMenuCheckMarkDimensions
Library GDI32.dll:
0x52319c - ExtSelectClipRgn
0x5231a0 - LineTo
0x5231a4 - MoveToEx
0x5231a8 - CreateBitmap
0x5231ac - SelectObject
0x5231b0 - GetObjectA
0x5231b4 - CreatePen
0x5231b8 - PatBlt
0x5231bc - CombineRgn
0x5231c0 - CreateRectRgn
0x5231c4 - FillRgn
0x5231c8 - CreateSolidBrush
0x5231cc - GetStockObject
0x5231d0 - CreateFontIndirectA
0x5231d4 - EndPage
0x5231d8 - EndDoc
0x5231dc - DeleteDC
0x5231e0 - StartDocA
0x5231e4 - StartPage
0x5231e8 - BitBlt
0x5231ec - Ellipse
0x5231f0 - Rectangle
0x5231f4 - LPtoDP
0x5231f8 - DPtoLP
0x5231fc - GetCurrentObject
0x523200 - RoundRect
0x523204 - GetTextExtentPoint32A
0x523208 - GetDeviceCaps
0x52320c - ExcludeClipRect
0x523210 - GetClipBox
0x523214 - ScaleWindowExtEx
0x523218 - SetWindowExtEx
0x52321c - SetWindowOrgEx
0x523220 - ScaleViewportExtEx
0x523224 - SetViewportExtEx
0x523228 - OffsetViewportOrgEx
0x52322c - SetViewportOrgEx
0x523230 - GetViewportExtEx
0x523234 - PtVisible
0x523238 - RectVisible
0x52323c - TextOutA
0x523240 - ExtTextOutA
0x523244 - Escape
0x523248 - GetTextMetricsA
0x52324c - CreateDCA
0x523250 - CreateCompatibleBitmap
0x523254 - GetPolyFillMode
0x523258 - GetStretchBltMode
0x52325c - GetROP2
0x523260 - GetBkColor
0x523264 - GetBkMode
0x523268 - GetTextColor
0x52326c - CreateRoundRectRgn
0x523270 - CreateEllipticRgn
0x523274 - PathToRegion
0x523278 - EndPath
0x52327c - BeginPath
0x523280 - GetWindowOrgEx
0x523284 - GetViewportOrgEx
0x523288 - GetWindowExtEx
0x52328c - GetDIBits
0x523290 - SetMapMode
0x523294 - SetTextColor
0x523298 - SetROP2
0x52329c - SetPolyFillMode
0x5232a0 - SetBkMode
0x5232a4 - RestoreDC
0x5232a8 - SaveDC
0x5232ac - RealizePalette
0x5232b0 - SelectPalette
0x5232b4 - StretchBlt
0x5232b8 - CreatePalette
0x5232bc - GetSystemPaletteEntries
0x5232c0 - CreateDIBitmap
0x5232c4 - DeleteObject
0x5232c8 - SelectClipRgn
0x5232cc - CreatePolygonRgn
0x5232d0 - SetStretchBltMode
0x5232d4 - CreateRectRgnIndirect
0x5232d8 - CreateCompatibleDC
0x5232dc - GetClipRgn
0x5232e0 - SetBkColor
Library WINSPOOL.DRV:
0x5232e8 - OpenPrinterA
0x5232ec - DocumentPropertiesA
0x5232f0 - ClosePrinter
Library ADVAPI32.dll:
0x5232f8 - RegOpenKeyExA
0x5232fc - RegSetValueExA
0x523300 - RegQueryValueA
0x523304 - RegCreateKeyExA
0x523308 - RegCloseKey
Library SHELL32.dll:
0x523310 - SHGetSpecialFolderPathA
0x523314 - ShellExecuteA
0x523318 - Shell_NotifyIconA
Library ole32.dll:
0x523320 - CLSIDFromString
0x523324 - OleUninitialize
0x523328 - OleInitialize
Library OLEAUT32.dll:
0x523330 - LoadTypeLib
0x523334 - RegisterTypeLib
0x523338 - UnRegisterTypeLib
Library COMCTL32.dll:
0x523340 - None
0x523344 - ImageList_Destroy
Library comdlg32.dll:
0x52334c - ChooseColorA
0x523350 - GetFileTitleA
0x523354 - GetSaveFileNameA
0x523358 - GetOpenFileNameA
Library KERNEL32.dll:
0x523360 - GetModuleFileNameW
Library KERNEL32.dll:
0x523368 - GetModuleHandleA
0x52336c - LoadLibraryA
0x523370 - LocalAlloc
0x523374 - LocalFree
0x523378 - GetModuleFileNameA
0x52337c - ExitProcess

Dropped files

No information

Behavior analysis

Mutexes
  • Local\MSCTF.Asm.MutexDefault1
Executed commands
  • C:\Users\test\AppData\Local\Temp\bin\uu.exe
Created services No information
Started services No information

Processes

UU______.exe PID: 2472, parent process PID: 2332

Accessed files
  • C:\Windows\Globalization\Sorting\sortdefault.nls
  • C:\Users\test\AppData\Local\Temp\kernel32.DLL
  • C:\Users\test\AppData\Local\Temp\advapi32.dll
  • C:\Users\test\AppData\Local\Temp\advpack.dll
  • C:\Users\test\AppData\Local\Temp\user32.DLL
  • C:\Windows\Fonts\staticcache.dat
Read files
  • C:\Windows\Globalization\Sorting\sortdefault.nls
  • C:\Windows\Fonts\staticcache.dat
Modified files No information
Deleted files No information
Registry keys
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane2
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane3
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane4
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane5
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane6
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane7
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane8
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane9
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane10
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane11
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane12
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane13
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane14
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane15
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane16
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\UU______.exe
  • HKEY_LOCAL_MACHINE\Software\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{03B5835F-F03C-411B-9CE2-AA23E1171E36}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{07EB03D6-B001-41DF-9192-BF9B841EE71F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3697C5FA-60DD-4B56-92D4-74A569205C16}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3FC47A08-E5C9-4BCA-A2C7-BC9A282AED14}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{531FDEBF-9B4C-4A43-A2AA-960E8FCDC732}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{78CB5B0E-26ED-4FCC-854C-77E8F3D1AA80}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{81D4E9C9-1D3B-41BC-9E6C-4B40BF79E35E}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{8613E14C-D0C0-4161-AC0F-1DD2563286BC}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{A028AE76-01B1-46C2-99C4-ACD9858AE02F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{AE6BE008-07FB-400D-8BEB-337A64F7051F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{C1EE01F2-B3B6-4A6A-9DDD-E988C088EC82}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{E429B25A-E5D3-4D1F-9BE3-0C608477E3A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F25E9F57-2FC8-4EB3-A41A-CCE5F08541E6}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F89E9E58-BD2F-4008-9AC2-0F816C09F4EE}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_CURRENT_USER
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
  • HKEY_CURRENT_USER\Software\Microsoft\CTF\DirectSwitchHotkeys
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\KnownClasses
  • HKEY_CURRENT_USER\Software\Microsoft\CTF\LayoutIcon\0804\00000804
Read registry keys
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane2
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane3
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane4
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane5
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane6
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane7
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane8
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane9
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane10
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane11
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane12
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane13
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane14
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane15
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane16
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
Modified registry keys No information
Deleted registry keys No information
Resolved APIs
  • kernel32.dll.IsProcessorFeaturePresent
  • cryptbase.dll.SystemFunction036
  • kernel32.dll.SortGetHandle
  • kernel32.dll.SortCloseHandle
  • comctl32.dll.RegisterClassNameW
  • uxtheme.dll.EnableThemeDialogTexture
  • uxtheme.dll.OpenThemeData
  • kernel32.dll.GetCurrentProcess
  • advapi32.dll.OpenProcessToken
  • advapi32.dll.LookupPrivilegeValueA
  • advapi32.dll.AdjustTokenPrivileges
  • kernel32.dll.CloseHandle
  • kernel32.dll.GetCurrentProcessId
  • kernel32.dll.OpenProcess
  • advpack.dll.IsNTAdmin
  • advapi32.dll.CheckTokenMembership
  • kernel32.dll.CreateToolhelp32Snapshot
  • kernel32.dll.Process32First
  • kernel32.dll.Process32Next
  • kernel32.dll.TerminateProcess
  • kernel32.dll.CreateWaitableTimerA
  • kernel32.dll.SetWaitableTimer
  • user32.dll.MsgWaitForMultipleObjects
  • gdi32.dll.GetLayout
  • gdi32.dll.GdiRealizationInfo
  • gdi32.dll.FontIsLinked
  • advapi32.dll.RegOpenKeyExW
  • advapi32.dll.RegQueryInfoKeyW
  • gdi32.dll.GetTextFaceAliasW
  • advapi32.dll.RegEnumValueW
  • advapi32.dll.RegCloseKey
  • advapi32.dll.RegQueryValueExW
  • advapi32.dll.RegQueryValueExA
  • advapi32.dll.RegEnumKeyExW
  • gdi32.dll.GetTextExtentExPointWPri
  • gdi32.dll.GetFontAssocStatus
  • ole32.dll.CoInitializeEx
  • ole32.dll.CoUninitialize
  • ole32.dll.CoRegisterInitializeSpy
  • ole32.dll.CoRevokeInitializeSpy
  • oleaut32.dll.SysAllocString
  • oleaut32.dll.SysStringLen
  • oleaut32.dll.SysFreeString