魔盾安全分析报告
| 分析类型 | 开始时间 | 结束时间 | 持续时间 | 分析引擎版本 |
|---|---|---|---|---|
| FILE | 2017-07-06 14:51:14 | 2017-07-06 14:53:38 | 144 秒 | 1.4-Maldun |
| 虚拟机机器名 | 标签 | 虚拟机管理 | 开机时间 | 关机时间 |
|---|---|---|---|---|
| win7-sp1-x64-hpdapp03-2 | win7-sp1-x64-hpdapp03-2 | KVM | 2017-07-06 14:51:23 | 2017-07-06 14:53:38 |
| 魔盾分数 |
|---|
0.5正常的 |
文件详细信息
| 文件名 | 电脑版.exe |
|---|---|
| 文件大小 | 2158661 字节 |
| 文件类型 | PE32 executable (GUI) Intel 80386, for MS Windows |
| CRC32 | 28904FA8 |
| MD5 | 5db16db4bd3e4f7c5525b35e05fdc30a |
| SHA1 | f7837515dd42ebd1a95ecbf03860cff6cdc15017 |
| SHA256 | 1495ae049c3d2c5c35f878e7c1141317056b38a64e8643fc9222e655a3473884 |
| SHA512 | 2bd12e0f2f366489c62000341ee6985ce3a2280887e7c6966b3ad9af4eef6e3fc912341494c78101bb3515fe929648da7e5dd5a88a849b93f72b4618f3d6870f |
| Ssdeep | 24576:xLLh787WyfMVXsDoNocHY/IGWAv1HwOM+B96/:teiySsDPc4/IGWUS+B96/ |
| PEiD | 无匹配 |
| Yara | 无Yara规则匹配 |
| VirusTotal |
VirusTotal链接 VirusTotal扫描时间: 2017-07-06 04:40:40 扫描结果: 3/62 |
特征
文件已被至少一个VirusTotal上的反病毒引擎检测为病毒
Symantec: Trojan.Gen.8!cloud
Paloalto: generic.ml
Qihoo-360: Win32/Trojan.377
运行截图
网络分析
静态分析
PE 信息
| 初始地址 | 0x00400000 |
|---|---|
| 入口地址 | 0x0040d110 |
| 声明校验值 | 0x00000000 |
| 实际校验值 | 0x00216929 |
| 最低操作系统版本要求 | 4.0 |
| PDB路径 | C:\Users\LOVE\Desktop\\xd0\xc2\xbd\xa8\xce\xc4\xbc\xfe\xbc\xd0\0000\Debug\0000.pdb |
| 编译时间 | 2016-11-24 17:12:14 |
| 载入哈希 | 01384a7681b1df5c993f1df05c4b8504 |
| 图标 |  |
| 图标精确哈希值 | 84f501aa9863ee009d14c301c6b156b9 |
| 图标相似性哈希值 | 44c0873ae2755ce7b1ff8a84af95fd38 |
版本信息
| LegalCopyright: | |
| InternalName: | |
| FileVersion: | |
| CompanyName: | |
| PrivateBuild: | |
| LegalTrademarks: | |
| Comments: | |
| ProductName: | |
| SpecialBuild: | |
| ProductVersion: | |
| FileDescription: | |
| OriginalFilename: | |
| Translation: | 0x0804 0x04b0 |
PE数据组成
| 名称 | 虚拟地址 | 虚拟大小 | 原始数据大小 | 特征 | 熵(Entropy) |
|---|---|---|---|---|---|
| .text | 0x00001000 | 0x0015a880 | 0x0015b000 | IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ | 4.45 |
| .rdata | 0x0015c000 | 0x0001652e | 0x00017000 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 3.62 |
| .data | 0x00173000 | 0x0000f8a1 | 0x0000c000 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE | 4.34 |
| .idata | 0x00183000 | 0x00004b1f | 0x00005000 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE | 4.82 |
| .rsrc | 0x00188000 | 0x0007cbe3 | 0x0007d000 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 4.16 |
| .reloc | 0x00205000 | 0x0000df1b | 0x0000e000 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ | 5.91 |
覆盖
| 偏移量: | 0x0020f000 |
| 大小: | 0x00000045 |
资源
| 名称 | 偏移量 | 大小 | 语言 | 子语言 | 熵(Entropy) | 文件类型 |
|---|---|---|---|---|---|---|
| RT_CURSOR | 0x001eebe8 | 0x000000b4 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 2.74 | data |
| RT_CURSOR | 0x001eebe8 | 0x000000b4 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 2.74 | data |
| RT_BITMAP | 0x001ef5c0 | 0x00000144 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 2.88 | data |
| RT_BITMAP | 0x001ef5c0 | 0x00000144 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 2.88 | data |
| RT_BITMAP | 0x001ef5c0 | 0x00000144 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 2.88 | data |
| RT_BITMAP | 0x001ef5c0 | 0x00000144 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 2.88 | data |
| RT_ICON | 0x001ee5b0 | 0x00000468 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 4.55 | Macintosh HFS Extended version 12287 data (spared blocks) (unclean) last mounted by: 'H+/\', created: Mon Jun 20 08:59:43 2078, last modified: Mon Jun 20 00:59:43 2078, block size: 0, number of blocks: 0, free blocks: 0 |
| RT_ICON | 0x001ee5b0 | 0x00000468 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 4.55 | Macintosh HFS Extended version 12287 data (spared blocks) (unclean) last mounted by: 'H+/\', created: Mon Jun 20 08:59:43 2078, last modified: Mon Jun 20 00:59:43 2078, block size: 0, number of blocks: 0, free blocks: 0 |
| RT_ICON | 0x001ee5b0 | 0x00000468 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 4.55 | Macintosh HFS Extended version 12287 data (spared blocks) (unclean) last mounted by: 'H+/\', created: Mon Jun 20 08:59:43 2078, last modified: Mon Jun 20 00:59:43 2078, block size: 0, number of blocks: 0, free blocks: 0 |
| RT_ICON | 0x001ee5b0 | 0x00000468 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 4.55 | Macintosh HFS Extended version 12287 data (spared blocks) (unclean) last mounted by: 'H+/\', created: Mon Jun 20 08:59:43 2078, last modified: Mon Jun 20 00:59:43 2078, block size: 0, number of blocks: 0, free blocks: 0 |
| RT_ICON | 0x001ee5b0 | 0x00000468 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 4.55 | Macintosh HFS Extended version 12287 data (spared blocks) (unclean) last mounted by: 'H+/\', created: Mon Jun 20 08:59:43 2078, last modified: Mon Jun 20 00:59:43 2078, block size: 0, number of blocks: 0, free blocks: 0 |
| RT_ICON | 0x001ee5b0 | 0x00000468 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 4.55 | Macintosh HFS Extended version 12287 data (spared blocks) (unclean) last mounted by: 'H+/\', created: Mon Jun 20 08:59:43 2078, last modified: Mon Jun 20 00:59:43 2078, block size: 0, number of blocks: 0, free blocks: 0 |
| RT_ICON | 0x001ee5b0 | 0x00000468 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 4.55 | Macintosh HFS Extended version 12287 data (spared blocks) (unclean) last mounted by: 'H+/\', created: Mon Jun 20 08:59:43 2078, last modified: Mon Jun 20 00:59:43 2078, block size: 0, number of blocks: 0, free blocks: 0 |
| RT_ICON | 0x001ee5b0 | 0x00000468 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 4.55 | Macintosh HFS Extended version 12287 data (spared blocks) (unclean) last mounted by: 'H+/\', created: Mon Jun 20 08:59:43 2078, last modified: Mon Jun 20 00:59:43 2078, block size: 0, number of blocks: 0, free blocks: 0 |
| RT_ICON | 0x001ee5b0 | 0x00000468 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 4.55 | Macintosh HFS Extended version 12287 data (spared blocks) (unclean) last mounted by: 'H+/\', created: Mon Jun 20 08:59:43 2078, last modified: Mon Jun 20 00:59:43 2078, block size: 0, number of blocks: 0, free blocks: 0 |
| RT_ICON | 0x001ee5b0 | 0x00000468 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 4.55 | Macintosh HFS Extended version 12287 data (spared blocks) (unclean) last mounted by: 'H+/\', created: Mon Jun 20 08:59:43 2078, last modified: Mon Jun 20 00:59:43 2078, block size: 0, number of blocks: 0, free blocks: 0 |
| RT_DIALOG | 0x001ef2b0 | 0x000000e2 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 3.39 | data |
| RT_DIALOG | 0x001ef2b0 | 0x000000e2 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 3.39 | data |
| RT_STRING | 0x001effd8 | 0x00000024 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 0.90 | data |
| RT_STRING | 0x001effd8 | 0x00000024 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 0.90 | data |
| RT_STRING | 0x001effd8 | 0x00000024 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 0.90 | data |
| RT_STRING | 0x001effd8 | 0x00000024 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 0.90 | data |
| RT_STRING | 0x001effd8 | 0x00000024 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 0.90 | data |
| RT_STRING | 0x001effd8 | 0x00000024 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 0.90 | data |
| RT_STRING | 0x001effd8 | 0x00000024 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 0.90 | data |
| RT_STRING | 0x001effd8 | 0x00000024 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 0.90 | data |
| RT_STRING | 0x001effd8 | 0x00000024 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 0.90 | data |
| RT_STRING | 0x001effd8 | 0x00000024 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 0.90 | data |
| RT_STRING | 0x001effd8 | 0x00000024 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 0.90 | data |
| RT_GROUP_CURSOR | 0x001eeca0 | 0x00000022 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 2.25 | MS Windows cursor resource - 2 icons, 32x256, hotspot @1x1 |
| RT_GROUP_ICON | 0x001eea18 | 0x00000092 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 2.99 | MS Windows icon resource - 10 icons, 48x48 |
| RT_VERSION | 0x00188af0 | 0x00000274 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 3.12 | data |
| RT_MANIFEST | 0x00188d68 | 0x000001ff | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 4.93 | XML 1.0 document, ASCII text, with CRLF line terminators |
导入
库 KERNEL32.dll:
• 0x5842f0 - InterlockedExchange
• 0x5842f4 - CopyFileA
• 0x5842f8 - GetSystemDirectoryA
• 0x5842fc - GetModuleFileNameA
• 0x584300 - GetModuleHandleA
• 0x584304 - CloseHandle
• 0x584308 - ReadFile
• 0x58430c - SetFilePointer
• 0x584310 - CreateFileA
• 0x584314 - WriteFile
• 0x584318 - GetCurrentThreadId
• 0x58431c - GetCurrentThread
• 0x584320 - lstrcmpiA
• 0x584324 - lstrcmpA
• 0x584328 - GlobalDeleteAtom
• 0x58432c - GlobalAlloc
• 0x584330 - GlobalLock
• 0x584334 - WaitForSingleObject
• 0x584338 - SetEvent
• 0x58433c - SuspendThread
• 0x584340 - CreateEventA
• 0x584344 - lstrlenA
• 0x584348 - FreeResource
• 0x58434c - LoadResource
• 0x584350 - FindResourceA
• 0x584354 - LockResource
• 0x584358 - GlobalFree
• 0x58435c - GlobalUnlock
• 0x584360 - GetLastError
• 0x584364 - GetProcAddress
• 0x584368 - lstrcpyA
• 0x58436c - GlobalFindAtomA
• 0x584370 - GlobalAddAtomA
• 0x584374 - GlobalGetAtomNameA
• 0x584378 - lstrcatA
• 0x58437c - GetVersion
• 0x584380 - FreeLibrary
• 0x584384 - LoadLibraryA
• 0x584388 - SetThreadPriority
• 0x58438c - GetThreadPriority
• 0x584390 - ResumeThread
• 0x584394 - SetLastError
• 0x584398 - MulDiv
• 0x58439c - lstrcpynA
• 0x5843a0 - LocalFree
• 0x5843a4 - LocalAlloc
• 0x5843a8 - InitializeCriticalSection
• 0x5843ac - TlsAlloc
• 0x5843b0 - DeleteCriticalSection
• 0x5843b4 - GlobalHandle
• 0x5843b8 - GetLocaleInfoW
• 0x5843bc - SetEnvironmentVariableA
• 0x5843c0 - GetVersionExA
• 0x5843c4 - GetUserDefaultLCID
• 0x5843c8 - EnumSystemLocalesA
• 0x5843cc - GetLocaleInfoA
• 0x5843d0 - IsValidCodePage
• 0x5843d4 - IsValidLocale
• 0x5843d8 - SetStdHandle
• 0x5843dc - IsBadCodePtr
• 0x5843e0 - GetStringTypeW
• 0x5843e4 - GetStringTypeA
• 0x5843e8 - SetConsoleCtrlHandler
• 0x5843ec - CompareStringW
• 0x5843f0 - CompareStringA
• 0x5843f4 - LCMapStringW
• 0x5843f8 - LCMapStringA
• 0x5843fc - VirtualAlloc
• 0x584400 - HeapReAlloc
• 0x584404 - HeapAlloc
• 0x584408 - VirtualFree
• 0x58440c - Sleep
• 0x584410 - HeapCreate
• 0x584414 - HeapDestroy
• 0x584418 - GetFileType
• 0x58441c - SetHandleCount
• 0x584420 - GetEnvironmentStringsW
• 0x584424 - GetEnvironmentStrings
• 0x584428 - FreeEnvironmentStringsW
• 0x58442c - FreeEnvironmentStringsA
• 0x584430 - UnhandledExceptionFilter
• 0x584434 - SetUnhandledExceptionFilter
• 0x584438 - HeapFree
• 0x58443c - FatalAppExitA
• 0x584440 - GetACP
• 0x584444 - OutputDebugStringA
• 0x584448 - GetStdHandle
• 0x58444c - DebugBreak
• 0x584450 - ExitThread
• 0x584454 - CreateThread
• 0x584458 - HeapValidate
• 0x58445c - GetCommandLineA
• 0x584460 - GetStartupInfoA
• 0x584464 - RaiseException
• 0x584468 - GetLocalTime
• 0x58446c - GetSystemTime
• 0x584470 - GetTimeZoneInformation
• 0x584474 - TerminateProcess
• 0x584478 - ExitProcess
• 0x58447c - RtlUnwind
• 0x584480 - SetFileAttributesA
• 0x584484 - SystemTimeToFileTime
• 0x584488 - LocalFileTimeToFileTime
• 0x58448c - GetFileSize
• 0x584490 - FormatMessageA
• 0x584494 - GetDiskFreeSpaceA
• 0x584498 - GetFileTime
• 0x58449c - SetFileTime
• 0x5844a0 - GetTempFileNameA
• 0x5844a4 - GetFileAttributesA
• 0x5844a8 - GetShortPathNameA
• 0x5844ac - GetThreadLocale
• 0x5844b0 - GetStringTypeExA
• 0x5844b4 - GetFullPathNameA
• 0x5844b8 - GetVolumeInformationA
• 0x5844bc - FindFirstFileA
• 0x5844c0 - FindClose
• 0x5844c4 - DeleteFileA
• 0x5844c8 - MoveFileA
• 0x5844cc - SetEndOfFile
• 0x5844d0 - UnlockFile
• 0x5844d4 - LockFile
• 0x5844d8 - FlushFileBuffers
• 0x5844dc - GetCurrentProcess
• 0x5844e0 - DuplicateHandle
• 0x5844e4 - SetErrorMode
• 0x5844e8 - GetOEMCP
• 0x5844ec - GetCPInfo
• 0x5844f0 - SizeofResource
• 0x5844f4 - GetProfileIntA
• 0x5844f8 - VirtualProtect
• 0x5844fc - FileTimeToLocalFileTime
• 0x584500 - FileTimeToSystemTime
• 0x584504 - IsBadReadPtr
• 0x584508 - IsBadWritePtr
• 0x58450c - IsBadStringPtrA
• 0x584510 - IsBadStringPtrW
• 0x584514 - GetProcessVersion
• 0x584518 - MultiByteToWideChar
• 0x58451c - WideCharToMultiByte
• 0x584520 - InterlockedIncrement
• 0x584524 - GetCurrentDirectoryA
• 0x584528 - WritePrivateProfileStringA
• 0x58452c - GetPrivateProfileStringA
• 0x584530 - GetPrivateProfileIntA
• 0x584534 - InterlockedDecrement
• 0x584538 - GlobalFlags
• 0x58453c - TlsGetValue
• 0x584540 - LocalReAlloc
• 0x584544 - TlsSetValue
• 0x584548 - EnterCriticalSection
• 0x58454c - GlobalReAlloc
• 0x584550 - LeaveCriticalSection
• 0x584554 - TlsFree
库 USER32.dll:
• 0x584644 - GetClipboardFormatNameA
• 0x584648 - LoadStringA
• 0x58464c - OemToCharA
• 0x584650 - CharToOemA
• 0x584654 - UnpackDDElParam
• 0x584658 - ReuseDDElParam
• 0x58465c - DestroyMenu
• 0x584660 - TranslateAcceleratorA
• 0x584664 - LoadAcceleratorsA
• 0x584668 - GetWindowThreadProcessId
• 0x58466c - WaitMessage
• 0x584670 - ReleaseCapture
• 0x584674 - CheckMenuRadioItem
• 0x584678 - GetMenuContextHelpId
• 0x58467c - SetMenuContextHelpId
• 0x584680 - LoadMenuIndirectA
• 0x584684 - LoadMenuA
• 0x584688 - RemoveMenu
• 0x58468c - ModifyMenuA
• 0x584690 - InsertMenuA
• 0x584694 - GetSubMenu
• 0x584698 - GetMenuItemInfoA
• 0x58469c - GetMenuStringA
• 0x5846a0 - GetMenuState
• 0x5846a4 - GetMenuItemID
• 0x5846a8 - GetMenuItemCount
• 0x5846ac - GetMenuDefaultItem
• 0x5846b0 - SetMenuDefaultItem
• 0x5846b4 - EnableMenuItem
• 0x5846b8 - CheckMenuItem
• 0x5846bc - AppendMenuA
• 0x5846c0 - DeleteMenu
• 0x5846c4 - IsMenu
• 0x5846c8 - CreatePopupMenu
• 0x5846cc - CreateMenu
• 0x5846d0 - ScrollDC
• 0x5846d4 - GrayStringA
• 0x5846d8 - GetTabbedTextExtentA
• 0x5846dc - DrawTextA
• 0x5846e0 - DrawFocusRect
• 0x5846e4 - DrawFrameControl
• 0x5846e8 - DrawEdge
• 0x5846ec - DrawStateA
• 0x5846f0 - DrawIcon
• 0x5846f4 - InvertRect
• 0x5846f8 - FrameRect
• 0x5846fc - FillRect
• 0x584700 - ExcludeUpdateRgn
• 0x584704 - WindowFromDC
• 0x584708 - GetSysColorBrush
• 0x58470c - SubtractRect
• 0x584710 - UnionRect
• 0x584714 - InflateRect
• 0x584718 - SetRectEmpty
• 0x58471c - SetRect
• 0x584720 - PtInRect
• 0x584724 - IsRectEmpty
• 0x584728 - CloseWindow
• 0x58472c - LoadCursorA
• 0x584730 - PostThreadMessageA
• 0x584734 - MapDialogRect
• 0x584738 - GetWindowContextHelpId
• 0x58473c - SetWindowContextHelpId
• 0x584740 - SendNotifyMessageA
• 0x584744 - GetForegroundWindow
• 0x584748 - SetForegroundWindow
• 0x58474c - ShowCaret
• 0x584750 - HideCaret
• 0x584754 - SetCaretPos
• 0x584758 - GetCaretPos
• 0x58475c - CreateCaret
• 0x584760 - GetClipboardViewer
• 0x584764 - GetClipboardOwner
• 0x584768 - GetOpenClipboardWindow
• 0x58476c - OpenClipboard
• 0x584770 - SetClipboardViewer
• 0x584774 - ChangeClipboardChain
• 0x584778 - FlashWindow
• 0x58477c - WindowFromPoint
• 0x584780 - SetParent
• 0x584784 - FindWindowA
• 0x584788 - ChildWindowFromPointEx
• 0x58478c - ChildWindowFromPoint
• 0x584790 - ShowScrollBar
• 0x584794 - GetNextDlgTabItem
• 0x584798 - GetNextDlgGroupItem
• 0x58479c - DlgDirSelectComboBoxExA
• 0x5847a0 - DlgDirSelectExA
• 0x5847a4 - DlgDirListComboBoxA
• 0x5847a8 - DlgDirListA
• 0x5847ac - GetDesktopWindow
• 0x5847b0 - SetCapture
• 0x5847b4 - KillTimer
• 0x5847b8 - SetTimer
• 0x5847bc - EnableScrollBar
• 0x5847c0 - RedrawWindow
• 0x5847c4 - GetAsyncKeyState
• 0x5847c8 - GetDCEx
• 0x5847cc - ShowOwnedPopups
• 0x5847d0 - IsWindowVisible
• 0x5847d4 - ValidateRgn
• 0x5847d8 - InvalidateRgn
• 0x5847dc - InvalidateRect
• 0x5847e0 - GetUpdateRgn
• 0x5847e4 - GetUpdateRect
• 0x5847e8 - UpdateWindow
• 0x5847ec - ReleaseDC
• 0x5847f0 - GetWindowDC
• 0x5847f4 - GetDC
• 0x5847f8 - EndPaint
• 0x5847fc - BeginPaint
• 0x584800 - ClientToScreen
• 0x584804 - BringWindowToTop
• 0x584808 - GetWindowRgn
• 0x58480c - SetWindowRgn
• 0x584810 - ArrangeIconicWindows
• 0x584814 - IsZoomed
• 0x584818 - HiliteMenuItem
• 0x58481c - GetSystemMenu
• 0x584820 - DrawMenuBar
• 0x584824 - SetMenu
• 0x584828 - GetMenu
• 0x58482c - ShowWindow
• 0x584830 - MoveWindow
• 0x584834 - SetWindowTextA
• 0x584838 - IsDialogMessageA
• 0x58483c - ScrollWindowEx
• 0x584840 - IsDlgButtonChecked
• 0x584844 - SetDlgItemTextA
• 0x584848 - SetDlgItemInt
• 0x58484c - GetDlgItemTextA
• 0x584850 - GetDlgItemInt
• 0x584854 - CheckRadioButton
• 0x584858 - CheckDlgButton
• 0x58485c - LoadIconA
• 0x584860 - SendDlgItemMessageA
• 0x584864 - GetClientRect
• 0x584868 - MapWindowPoints
• 0x58486c - GetSysColor
• 0x584870 - SetFocus
• 0x584874 - AdjustWindowRectEx
• 0x584878 - ScreenToClient
• 0x58487c - EqualRect
• 0x584880 - DeferWindowPos
• 0x584884 - BeginDeferWindowPos
• 0x584888 - CopyRect
• 0x58488c - EndDeferWindowPos
• 0x584890 - ScrollWindow
• 0x584894 - GetScrollInfo
• 0x584898 - SetScrollInfo
• 0x58489c - GetScrollRange
• 0x5848a0 - SetScrollRange
• 0x5848a4 - GetScrollPos
• 0x5848a8 - SetScrollPos
• 0x5848ac - GetTopWindow
• 0x5848b0 - IsChild
• 0x5848b4 - GetWindow
• 0x5848b8 - GetCapture
• 0x5848bc - WinHelpA
• 0x5848c0 - wsprintfA
• 0x5848c4 - GetClassInfoA
• 0x5848c8 - RegisterClassA
• 0x5848cc - TrackPopupMenu
• 0x5848d0 - SetWindowPlacement
• 0x5848d4 - GetWindowTextLengthA
• 0x5848d8 - GetWindowTextA
• 0x5848dc - DefWindowProcA
• 0x5848e0 - GetClassNameA
• 0x5848e4 - GetDlgCtrlID
• 0x5848e8 - CreateWindowExA
• 0x5848ec - GetClassLongA
• 0x5848f0 - SetPropA
• 0x5848f4 - UnhookWindowsHookEx
• 0x5848f8 - GetPropA
• 0x5848fc - CallWindowProcA
• 0x584900 - RemovePropA
• 0x584904 - GetMessageTime
• 0x584908 - GetMessagePos
• 0x58490c - SetWindowLongA
• 0x584910 - SetWindowPos
• 0x584914 - RegisterWindowMessageA
• 0x584918 - OffsetRect
• 0x58491c - IntersectRect
• 0x584920 - SystemParametersInfoA
• 0x584924 - IsIconic
• 0x584928 - GetWindowPlacement
• 0x58492c - GetWindowRect
• 0x584930 - EndDialog
• 0x584934 - GetActiveWindow
• 0x584938 - SetActiveWindow
• 0x58493c - CreateDialogIndirectParamA
• 0x584940 - DestroyWindow
• 0x584944 - GetDlgItem
• 0x584948 - TabbedTextOutA
• 0x58494c - SetCursorPos
• 0x584950 - DestroyCursor
• 0x584954 - GetDialogBaseUnits
• 0x584958 - CharUpperA
• 0x58495c - DestroyIcon
• 0x584960 - LockWindowUpdate
• 0x584964 - PostMessageA
• 0x584968 - IsWindow
• 0x58496c - GetMenuCheckMarkDimensions
• 0x584970 - LoadBitmapA
• 0x584974 - SetMenuItemBitmaps
• 0x584978 - GetFocus
• 0x58497c - GetMessageA
• 0x584980 - TranslateMessage
• 0x584984 - DispatchMessageA
• 0x584988 - GetKeyState
• 0x58498c - CallNextHookEx
• 0x584990 - ValidateRect
• 0x584994 - PeekMessageA
• 0x584998 - GetCursorPos
• 0x58499c - SetWindowsHookExA
• 0x5849a0 - GetWindowLongA
• 0x5849a4 - GetParent
• 0x5849a8 - GetLastActivePopup
• 0x5849ac - IsWindowEnabled
• 0x5849b0 - SendMessageA
• 0x5849b4 - EnableWindow
• 0x5849b8 - SetCursor
• 0x5849bc - PostQuitMessage
• 0x5849c0 - MessageBoxA
• 0x5849c4 - GetSystemMetrics
• 0x5849c8 - OpenIcon
• 0x5849cc - UnregisterClassA
库 GDI32.dll:
• 0x583f28 - MoveToEx
• 0x583f2c - ExtCreatePen
• 0x583f30 - CreatePenIndirect
• 0x583f34 - CreatePen
• 0x583f38 - GetObjectType
• 0x583f3c - UnrealizeObject
• 0x583f40 - GetStockObject
• 0x583f44 - GetObjectA
• 0x583f48 - SetBkColor
• 0x583f4c - SetTextColor
• 0x583f50 - GetClipBox
• 0x583f54 - GetDCOrgEx
• 0x583f58 - ExtTextOutA
• 0x583f5c - CloseEnhMetaFile
• 0x583f60 - CreateEnhMetaFileA
• 0x583f64 - CloseMetaFile
• 0x583f68 - CreateMetaFileA
• 0x583f6c - CreateBitmap
• 0x583f70 - CreateHatchBrush
• 0x583f74 - CreateBrushIndirect
• 0x583f78 - CreatePatternBrush
• 0x583f7c - CreateDIBPatternBrushPt
• 0x583f80 - CreateFontIndirectA
• 0x583f84 - CreateFontA
• 0x583f88 - CreateBitmapIndirect
• 0x583f8c - SetBitmapBits
• 0x583f90 - GetBitmapBits
• 0x583f94 - SetBitmapDimensionEx
• 0x583f98 - GetBitmapDimensionEx
• 0x583f9c - CreateCompatibleBitmap
• 0x583fa0 - CreateDiscardableBitmap
• 0x583fa4 - CreatePalette
• 0x583fa8 - CreateHalftonePalette
• 0x583fac - GetPaletteEntries
• 0x583fb0 - SetPaletteEntries
• 0x583fb4 - AnimatePalette
• 0x583fb8 - GetNearestPaletteIndex
• 0x583fbc - ResizePalette
• 0x583fc0 - CreateRectRgn
• 0x583fc4 - CreateRectRgnIndirect
• 0x583fc8 - CreateEllipticRgn
• 0x583fcc - CreateEllipticRgnIndirect
• 0x583fd0 - CreatePolygonRgn
• 0x583fd4 - CreatePolyPolygonRgn
• 0x583fd8 - CreateRoundRectRgn
• 0x583fdc - PathToRegion
• 0x583fe0 - ExtCreateRegion
• 0x583fe4 - GetRegionData
• 0x583fe8 - SetRectRgn
• 0x583fec - CombineRgn
• 0x583ff0 - EqualRgn
• 0x583ff4 - OffsetRgn
• 0x583ff8 - GetRgnBox
• 0x583ffc - PtInRegion
• 0x584000 - RectInRegion
• 0x584004 - CreateDCA
• 0x584008 - CreateICA
• 0x58400c - CreateCompatibleDC
• 0x584010 - GetDeviceCaps
• 0x584014 - GetBrushOrgEx
• 0x584018 - SetBrushOrgEx
• 0x58401c - EnumObjects
• 0x584020 - SelectObject
• 0x584024 - GetNearestColor
• 0x584028 - RealizePalette
• 0x58402c - UpdateColors
• 0x584030 - GetBkColor
• 0x584034 - GetBkMode
• 0x584038 - GetPolyFillMode
• 0x58403c - GetROP2
• 0x584040 - GetStretchBltMode
• 0x584044 - GetTextColor
• 0x584048 - GetMapMode
• 0x58404c - GetViewportOrgEx
• 0x584050 - GetViewportExtEx
• 0x584054 - GetWindowOrgEx
• 0x584058 - GetWindowExtEx
• 0x58405c - DPtoLP
• 0x584060 - LPtoDP
• 0x584064 - FillRgn
• 0x584068 - FrameRgn
• 0x58406c - InvertRgn
• 0x584070 - PaintRgn
• 0x584074 - PtVisible
• 0x584078 - RectVisible
• 0x58407c - GetCurrentPositionEx
• 0x584080 - Arc
• 0x584084 - Polyline
• 0x584088 - Chord
• 0x58408c - Ellipse
• 0x584090 - Pie
• 0x584094 - Polygon
• 0x584098 - PolyPolygon
• 0x58409c - Rectangle
• 0x5840a0 - RoundRect
• 0x5840a4 - PatBlt
• 0x5840a8 - BitBlt
• 0x5840ac - StretchBlt
• 0x5840b0 - GetPixel
• 0x5840b4 - SetPixel
• 0x5840b8 - FloodFill
• 0x5840bc - ExtFloodFill
• 0x5840c0 - TextOutA
• 0x5840c4 - GetTextExtentPoint32A
• 0x5840c8 - GetTextAlign
• 0x5840cc - GetTextFaceA
• 0x5840d0 - GetTextMetricsA
• 0x5840d4 - GetTextCharacterExtra
• 0x5840d8 - GetCharWidthA
• 0x5840dc - GetAspectRatioFilterEx
• 0x5840e0 - Escape
• 0x5840e4 - SetBoundsRect
• 0x5840e8 - GetBoundsRect
• 0x5840ec - ResetDCA
• 0x5840f0 - GetOutlineTextMetricsA
• 0x5840f4 - GetCharABCWidthsA
• 0x5840f8 - GetFontData
• 0x5840fc - GetKerningPairsA
• 0x584100 - GetGlyphOutlineA
• 0x584104 - StartDocA
• 0x584108 - StartPage
• 0x58410c - EndPage
• 0x584110 - SetAbortProc
• 0x584114 - AbortDoc
• 0x584118 - EndDoc
• 0x58411c - MaskBlt
• 0x584120 - PlgBlt
• 0x584124 - SetPixelV
• 0x584128 - AngleArc
• 0x58412c - GetArcDirection
• 0x584130 - PolyPolyline
• 0x584134 - GetColorAdjustment
• 0x584138 - GetCurrentObject
• 0x58413c - PolyBezier
• 0x584140 - DrawEscape
• 0x584144 - ExtEscape
• 0x584148 - GetCharABCWidthsFloatA
• 0x58414c - GetCharWidthFloatA
• 0x584150 - AbortPath
• 0x584154 - BeginPath
• 0x584158 - CloseFigure
• 0x58415c - EndPath
• 0x584160 - FillPath
• 0x584164 - FlattenPath
• 0x584168 - GetMiterLimit
• 0x58416c - GetPath
• 0x584170 - SetMiterLimit
• 0x584174 - StrokeAndFillPath
• 0x584178 - StrokePath
• 0x58417c - WidenPath
• 0x584180 - GdiComment
• 0x584184 - PlayEnhMetaFile
• 0x584188 - DeleteDC
• 0x58418c - SaveDC
• 0x584190 - StretchDIBits
• 0x584194 - PlayMetaFile
• 0x584198 - EnumMetaFile
• 0x58419c - PlayMetaFileRecord
• 0x5841a0 - ExtSelectClipRgn
• 0x5841a4 - SelectClipPath
• 0x5841a8 - GetClipRgn
• 0x5841ac - DeleteObject
• 0x5841b0 - PolyBezierTo
• 0x5841b4 - SetColorAdjustment
• 0x5841b8 - PolylineTo
• 0x5841bc - PolyDraw
• 0x5841c0 - SetArcDirection
• 0x5841c4 - ArcTo
• 0x5841c8 - SetMapperFlags
• 0x5841cc - SetTextCharacterExtra
• 0x5841d0 - SetTextJustification
• 0x5841d4 - SetTextAlign
• 0x5841d8 - LineTo
• 0x5841dc - CreateSolidBrush
• 0x5841e0 - OffsetClipRgn
• 0x5841e4 - IntersectClipRect
• 0x5841e8 - ExcludeClipRect
• 0x5841ec - SelectClipRgn
• 0x5841f0 - ScaleWindowExtEx
• 0x5841f4 - SetWindowExtEx
• 0x5841f8 - OffsetWindowOrgEx
• 0x5841fc - SetWindowOrgEx
• 0x584200 - ScaleViewportExtEx
• 0x584204 - SetViewportExtEx
• 0x584208 - OffsetViewportOrgEx
• 0x58420c - SetViewportOrgEx
• 0x584210 - SetMapMode
• 0x584214 - SetStretchBltMode
• 0x584218 - SetROP2
• 0x58421c - SetPolyFillMode
• 0x584220 - SetBkMode
• 0x584224 - SelectPalette
• 0x584228 - RestoreDC
库 comdlg32.dll:
• 0x584ae8 - GetFileTitleA
• 0x584aec - GetOpenFileNameA
• 0x584af0 - GetSaveFileNameA
• 0x584af4 - ChooseColorA
库 WINSPOOL.DRV:
• 0x584ab0 - OpenPrinterA
• 0x584ab4 - DocumentPropertiesA
• 0x584ab8 - ClosePrinter
库 ADVAPI32.dll:
• 0x583dec - RegOpenKeyExA
• 0x583df0 - GetFileSecurityA
• 0x583df4 - SetFileSecurityA
• 0x583df8 - RegQueryValueA
• 0x583dfc - RegSetValueA
• 0x583e00 - RegCreateKeyA
• 0x583e04 - RegEnumKeyA
• 0x583e08 - RegOpenKeyA
• 0x583e0c - RegDeleteKeyA
• 0x583e10 - GetUserNameA
• 0x583e14 - RegCloseKey
• 0x583e18 - RegSetValueExA
• 0x583e1c - RegCreateKeyExA
• 0x583e20 - RegQueryValueExA
• 0x583e24 - RegDeleteValueA
库 SHELL32.dll:
• 0x5845fc - SHGetFileInfoA
• 0x584600 - DragQueryFileA
• 0x584604 - DragFinish
• 0x584608 - DragAcceptFiles
• 0x58460c - ShellExecuteExA
• 0x584610 - ExtractIconA
库 COMCTL32.dll:
• 0x583e60 - ImageList_EndDrag
• 0x583e64 - ImageList_DragMove
• 0x583e68 - ImageList_SetDragCursorImage
• 0x583e6c - ImageList_DragShowNolock
• 0x583e70 - ImageList_GetDragImage
• 0x583e74 - ImageList_DragEnter
• 0x583e78 - ImageList_DragLeave
• 0x583e7c - ImageList_BeginDrag
• 0x583e80 - None
• 0x583e84 - None
• 0x583e88 - PropertySheetA
• 0x583e8c - DestroyPropertySheetPage
• 0x583e90 - CreatePropertySheetPageA
• 0x583e94 - None
• 0x583e98 - ImageList_Destroy
• 0x583e9c - ImageList_Create
• 0x583ea0 - ImageList_LoadImageA
• 0x583ea4 - ImageList_Merge
• 0x583ea8 - ImageList_Read
• 0x583eac - ImageList_Write
• 0x583eb0 - None
• 0x583eb4 - ImageList_GetImageCount
• 0x583eb8 - ImageList_Add
• 0x583ebc - ImageList_AddMasked
• 0x583ec0 - ImageList_Remove
• 0x583ec4 - ImageList_Replace
• 0x583ec8 - ImageList_ReplaceIcon
• 0x583ecc - ImageList_GetIcon
• 0x583ed0 - ImageList_Draw
• 0x583ed4 - ImageList_SetBkColor
• 0x583ed8 - ImageList_GetBkColor
• 0x583edc - ImageList_SetOverlayImage
• 0x583ee0 - ImageList_GetImageInfo
投放文件
行为分析
互斥量(Mutexes)
- Local\MSCTF.Asm.MutexDefault1
执行的命令
无信息
创建的服务
无信息
启动的服务
无信息
进程
_________.exe PID: 2528, 上一级进程 PID: 2400
访问的文件
- C:\Windows\AFX.INI
- C:\Windows\Globalization\Sorting\sortdefault.nls
- C:\Windows\Fonts\staticcache.dat
读取的文件
- C:\Windows\AFX.INI
- C:\Windows\Globalization\Sorting\sortdefault.nls
- C:\Windows\Fonts\staticcache.dat
修改的文件
无信息
删除的文件
无信息
注册表键
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\_________.exe
- HKEY_LOCAL_MACHINE\Software\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{03B5835F-F03C-411B-9CE2-AA23E1171E36}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{07EB03D6-B001-41DF-9192-BF9B841EE71F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3697C5FA-60DD-4B56-92D4-74A569205C16}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3FC47A08-E5C9-4BCA-A2C7-BC9A282AED14}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{531FDEBF-9B4C-4A43-A2AA-960E8FCDC732}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{78CB5B0E-26ED-4FCC-854C-77E8F3D1AA80}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{81D4E9C9-1D3B-41BC-9E6C-4B40BF79E35E}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{8613E14C-D0C0-4161-AC0F-1DD2563286BC}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{A028AE76-01B1-46C2-99C4-ACD9858AE02F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{AE6BE008-07FB-400D-8BEB-337A64F7051F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{C1EE01F2-B3B6-4A6A-9DDD-E988C088EC82}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{E429B25A-E5D3-4D1F-9BE3-0C608477E3A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F25E9F57-2FC8-4EB3-A41A-CCE5F08541E6}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F89E9E58-BD2F-4008-9AC2-0F816C09F4EE}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_CURRENT_USER
- HKEY_CURRENT_USER\Keyboard Layout\Toggle
- HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
- HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
- HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\WMR
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
- HKEY_CURRENT_USER\Software\Microsoft\CTF\DirectSwitchHotkeys
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane1
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane2
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane3
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane4
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane5
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane6
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane7
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane8
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane9
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane10
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane11
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane12
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane13
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane14
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane15
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane16
读取的注册表键
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
- HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
- HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
- HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane1
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane2
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane3
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane4
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane5
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane6
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane7
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane8
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane9
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane10
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane11
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane12
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane13
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane14
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane15
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane16
修改的注册表键
无信息
删除的注册表键
无信息
API解析
- kernel32.dll.IsProcessorFeaturePresent
- comctl32.dll.InitCommonControlsEx
- kernel32.dll.SortGetHandle
- kernel32.dll.SortCloseHandle
- user32.dll.GetSystemMetrics
- user32.dll.MonitorFromWindow
- user32.dll.MonitorFromRect
- user32.dll.MonitorFromPoint
- user32.dll.EnumDisplayMonitors
- user32.dll.GetMonitorInfoA
- ole32.dll.CoInitializeEx
- ole32.dll.CoUninitialize
- cryptbase.dll.SystemFunction036
- ole32.dll.CoRegisterInitializeSpy
- ole32.dll.CoRevokeInitializeSpy
- gdi32.dll.GetLayout
- gdi32.dll.GdiRealizationInfo
- gdi32.dll.FontIsLinked
- advapi32.dll.RegOpenKeyExW
- advapi32.dll.RegQueryInfoKeyW
- gdi32.dll.GetTextFaceAliasW
- advapi32.dll.RegEnumValueW
- advapi32.dll.RegCloseKey
- advapi32.dll.RegQueryValueExW
- advapi32.dll.RegQueryValueExA
- advapi32.dll.RegEnumKeyExW
- gdi32.dll.GetTextExtentExPointWPri
- gdi32.dll.GdiIsMetaPrintDC