魔盾安全分析报告

分析类型	开始时间	结束时间	持续时间	分析引擎版本
FILE	2021-04-22 00:19:30	2021-04-22 00:21:35	125 秒	1.4-Maldun

虚拟机机器名	标签	虚拟机管理	开机时间	关机时间
win7-sp1-x64-shaapp03-1	win7-sp1-x64-shaapp03-1	KVM	2021-04-22 00:19:30	2021-04-22 00:21:36

魔盾分数
3.6 可疑的

文件详细信息

文件名	SDLPAL.exe
文件大小	2695168 字节
文件类型	PE32 executable (GUI) Intel 80386, for MS Windows
CRC32	90169727
MD5	feed82c50bd530dc20b3616b4c53e27f
SHA1	c342b7b9a420d23b8c0acd08069ce5349909eee8
SHA256	4b9f0f7a0d02b38b24fcb3dea37cd5ea502eff91b4eacc89d272c8627e66671b
SHA512	e3e6ef5d04fe2728abf517866b7a372bbe68c294df875efea1f3de3efdb7ddf2f494d2fffb6aff1fdc35041b0c6b889d8bef5c1a02edbb1a92a810ebddc5e110
Ssdeep	49152:iE46YYKwne5DVlv8CfJwx2hni0UkpNo8eq5LfpbNSVrNow:P4tYfne5DvvlfJwx2RiYpNo8eq5Lfpb8
PEiD	无匹配
Yara	CRC32_poly_Constant (Look for CRC32 [poly]) CRC32_table (Look for CRC32 table) MD5_Constants (Look for MD5 constants) with_images (Detected the presence of an or several images) with_urls (Detected the presence of an or several urls) IsPE32 (Detected a 32bit PE sample) IsWindowsGUI (Detected a Windows GUI sample) HasRichSignature (Detected Rich Signature) DebuggerTiming__Ticks (Detected timing ticks function) screenshot (Detected take screenshot function) create_process (Detection function for creating a new process) keylogger (Detected keylogger function) win_registry (Detected system registries modification function) change_win_registry (Change registries to affect system) win_files_operation (Affect private profile) win_hook (Detected hook table access function) win_private_profile (Detected private profile access function) Maldun_Anomoly_Combined_Activities_7 (Spotted potential malicious behaviors from a small size target, like process manipultion, privilege, token and files)
VirusTotal	VirusTotal查询失败

特征

魔盾安全Yara规则检测结果 - 安全告警

Critical: Spotted potential malicious behaviors from a small size target, like process manipultion, privilege, token and files

对一个无法找到的进程进行重复搜索，可能希望以startbrowser=1选项运行

检测到网络活动但没有显示在API日志中

ip: 23.218.94.163

domain: acroipm.adobe.com

运行截图

网络分析

域名解析

域名	响应
acroipm.adobe.com	CNAME acroipm.adobe.com.edgesuite.net A 104.116.243.153 CNAME a1983.dscd.akamai.net A 104.116.243.72

TCP连接

IP地址	端口
104.116.243.72	80

UDP连接

IP地址	端口
192.168.122.1	53

HTTP请求

URL	HTTP数据
http://acroipm.adobe.com/11/rdr/CHS/win/nooem/none/message.zip	GET /11/rdr/CHS/win/nooem/none/message.zip HTTP/1.1 Accept: / If-Modified-Since: Mon, 08 Nov 2017 08:44:36 GMT User-Agent: IPM Host: acroipm.adobe.com Connection: Keep-Alive Cache-Control: no-cache

静态分析

PE 信息

初始地址	0x00400000
入口地址	0x005a5c61
声明校验值	0x00000000
实际校验值	0x0029f143
最低操作系统版本要求	4.0
编译时间	2014-08-17 09:36:14
载入哈希	d1c09ab3829c8ccaa9e6f55c716e7ba5
图标
图标精确哈希值	fce954e5cfffc89323cc41ec9dbace58
图标相似性哈希值	cf9008ba697d9968e23be33cae1a2032

版本信息

LegalCopyright:	\xe7\xe6 \xe7\xe6\xe6\xe6
FileVersion:	1.5.0.1
CompanyName:	\xe7\xe6
Comments:	\xe7\xe6\xe5\xe4,\xe6\xe8\xe4\xe7
ProductName:	\xe4\xe5\xe5\xe4\xe498\xe6\xe6\xe7\xe5\xe5\xe4\xe6\xe5\xe6\xe7\xe4\xe7
ProductVersion:	1.5.0.1
FileDescription:	\xe4\xe5\xe5\xe4\xe498\xe6\xe6\xe7\xe5\xe5\xe4\xe6\xe5\xe6\xe7\xe4\xe7
Translation:	0x0804 0x04b0

PE数据组成

名称	虚拟地址	虚拟大小	原始数据大小	特征	熵(Entropy)
.text	0x00001000	0x001cd8f2	0x001ce000	IMAGE_SCN_CNT_CODE\|IMAGE_SCN_MEM_EXECUTE\|IMAGE_SCN_MEM_READ	6.33
.rdata	0x001cf000	0x000a2de6	0x000a3000	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ	4.25
.data	0x00272000	0x0005630a	0x00016000	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ\|IMAGE_SCN_MEM_WRITE	5.55
.rsrc	0x002c9000	0x000093a4	0x0000a000	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ	5.45

资源

名称	偏移量	大小	语言	子语言	熵(Entropy)	文件类型
TEXTINCLUDE	0x002ca160	0x00000151	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	5.25	C source, ASCII text, with CRLF line terminators
TEXTINCLUDE	0x002ca160	0x00000151	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	5.25	C source, ASCII text, with CRLF line terminators
TEXTINCLUDE	0x002ca160	0x00000151	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	5.25	C source, ASCII text, with CRLF line terminators
WAVE	0x002ca2b4	0x00001448	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	6.35	RIFF (little-endian) data, WAVE audio, Microsoft PCM, 16 bit, stereo 22050 Hz
RT_CURSOR	0x002cc01c	0x00000134	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	2.43	AmigaOS bitmap font
RT_CURSOR	0x002cc01c	0x00000134	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	2.43	AmigaOS bitmap font
RT_CURSOR	0x002cc01c	0x00000134	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	2.43	AmigaOS bitmap font
RT_CURSOR	0x002cc01c	0x00000134	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	2.43	AmigaOS bitmap font
RT_CURSOR	0x002cc01c	0x00000134	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	2.43	AmigaOS bitmap font
RT_CURSOR	0x002cc01c	0x00000134	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	2.43	AmigaOS bitmap font
RT_CURSOR	0x002cc01c	0x00000134	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	2.43	AmigaOS bitmap font
RT_CURSOR	0x002cc01c	0x00000134	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	2.43	AmigaOS bitmap font
RT_CURSOR	0x002cc01c	0x00000134	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	2.43	AmigaOS bitmap font
RT_BITMAP	0x002cec7c	0x00000144	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	2.88	data
RT_BITMAP	0x002cec7c	0x00000144	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	2.88	data
RT_BITMAP	0x002cec7c	0x00000144	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	2.88	data
RT_BITMAP	0x002cec7c	0x00000144	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	2.88	data
RT_BITMAP	0x002cec7c	0x00000144	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	2.88	data
RT_BITMAP	0x002cec7c	0x00000144	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	2.88	data
RT_BITMAP	0x002cec7c	0x00000144	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	2.88	data
RT_BITMAP	0x002cec7c	0x00000144	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	2.88	data
RT_BITMAP	0x002cec7c	0x00000144	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	2.88	data
RT_BITMAP	0x002cec7c	0x00000144	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	2.88	data
RT_BITMAP	0x002cec7c	0x00000144	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	2.88	data
RT_BITMAP	0x002cec7c	0x00000144	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	2.88	data
RT_BITMAP	0x002cec7c	0x00000144	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	2.88	data
RT_BITMAP	0x002cec7c	0x00000144	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	2.88	data
RT_BITMAP	0x002cec7c	0x00000144	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	2.88	data
RT_BITMAP	0x002cec7c	0x00000144	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	2.88	data
RT_BITMAP	0x002cec7c	0x00000144	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	2.88	data
RT_BITMAP	0x002cec7c	0x00000144	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	2.88	data
RT_ICON	0x002cf1d0	0x00000a68	LANG_NEUTRAL	SUBLANG_NEUTRAL	2.05	dBase IV DBT of \200.DBF, blocks size 0, block length 2560, next free block index 40, next free block 64767, next used block 3204448256
RT_ICON	0x002cf1d0	0x00000a68	LANG_NEUTRAL	SUBLANG_NEUTRAL	2.05	dBase IV DBT of \200.DBF, blocks size 0, block length 2560, next free block index 40, next free block 64767, next used block 3204448256
RT_ICON	0x002cf1d0	0x00000a68	LANG_NEUTRAL	SUBLANG_NEUTRAL	2.05	dBase IV DBT of \200.DBF, blocks size 0, block length 2560, next free block index 40, next free block 64767, next used block 3204448256
RT_MENU	0x002cfc44	0x00000284	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	4.28	data
RT_MENU	0x002cfc44	0x00000284	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	4.28	data
RT_DIALOG	0x002d157c	0x0000018c	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	3.74	data
RT_DIALOG	0x002d157c	0x0000018c	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	3.74	data
RT_DIALOG	0x002d157c	0x0000018c	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	3.74	data
RT_DIALOG	0x002d157c	0x0000018c	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	3.74	data
RT_DIALOG	0x002d157c	0x0000018c	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	3.74	data
RT_DIALOG	0x002d157c	0x0000018c	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	3.74	data
RT_DIALOG	0x002d157c	0x0000018c	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	3.74	data
RT_DIALOG	0x002d157c	0x0000018c	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	3.74	data
RT_DIALOG	0x002d157c	0x0000018c	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	3.74	data
RT_DIALOG	0x002d157c	0x0000018c	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	3.74	data
RT_DIALOG	0x002d157c	0x0000018c	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	3.74	data
RT_DIALOG	0x002d157c	0x0000018c	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	3.74	data
RT_DIALOG	0x002d157c	0x0000018c	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	3.74	data
RT_DIALOG	0x002d157c	0x0000018c	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	3.74	data
RT_STRING	0x002d2034	0x00000024	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	0.90	data
RT_STRING	0x002d2034	0x00000024	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	0.90	data
RT_STRING	0x002d2034	0x00000024	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	0.90	data
RT_STRING	0x002d2034	0x00000024	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	0.90	data
RT_STRING	0x002d2034	0x00000024	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	0.90	data
RT_STRING	0x002d2034	0x00000024	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	0.90	data
RT_STRING	0x002d2034	0x00000024	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	0.90	data
RT_STRING	0x002d2034	0x00000024	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	0.90	data
RT_STRING	0x002d2034	0x00000024	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	0.90	data
RT_STRING	0x002d2034	0x00000024	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	0.90	data
RT_STRING	0x002d2034	0x00000024	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	0.90	data
RT_STRING	0x002d2034	0x00000024	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	0.90	data
RT_GROUP_CURSOR	0x002d20e4	0x00000022	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	2.25	MS Windows cursor resource - 2 icons, 32x256, hotspot @1x1
RT_GROUP_CURSOR	0x002d20e4	0x00000022	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	2.25	MS Windows cursor resource - 2 icons, 32x256, hotspot @1x1
RT_GROUP_CURSOR	0x002d20e4	0x00000022	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	2.25	MS Windows cursor resource - 2 icons, 32x256, hotspot @1x1
RT_GROUP_CURSOR	0x002d20e4	0x00000022	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	2.25	MS Windows cursor resource - 2 icons, 32x256, hotspot @1x1
RT_GROUP_CURSOR	0x002d20e4	0x00000022	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	2.25	MS Windows cursor resource - 2 icons, 32x256, hotspot @1x1
RT_GROUP_CURSOR	0x002d20e4	0x00000022	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	2.25	MS Windows cursor resource - 2 icons, 32x256, hotspot @1x1
RT_GROUP_CURSOR	0x002d20e4	0x00000022	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	2.25	MS Windows cursor resource - 2 icons, 32x256, hotspot @1x1
RT_GROUP_CURSOR	0x002d20e4	0x00000022	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	2.25	MS Windows cursor resource - 2 icons, 32x256, hotspot @1x1
RT_GROUP_ICON	0x002d2130	0x00000014	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	2.02	MS Windows icon resource - 1 icon, 16x16, 16 colors
RT_GROUP_ICON	0x002d2130	0x00000014	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	2.02	MS Windows icon resource - 1 icon, 16x16, 16 colors
RT_GROUP_ICON	0x002d2130	0x00000014	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	2.02	MS Windows icon resource - 1 icon, 16x16, 16 colors
RT_VERSION	0x002d2144	0x00000260	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	4.02	data

导入

库 MSVFW32.dll:

• 0x5cf3fc - DrawDibDraw

库 AVIFIL32.dll:

• 0x5cf01c - AVIStreamInfoA

• 0x5cf020 - AVIStreamGetFrame

库 KERNEL32.dll:

• 0x5cf1e0 - HeapDestroy

• 0x5cf1e4 - HeapCreate

• 0x5cf1e8 - VirtualFree

• 0x5cf1ec - SetEnvironmentVariableA

• 0x5cf1f0 - LCMapStringA

• 0x5cf1f4 - LCMapStringW

• 0x5cf1f8 - VirtualAlloc

• 0x5cf1fc - IsBadWritePtr

• 0x5cf200 - GetEnvironmentVariableA

• 0x5cf204 - GetStringTypeA

• 0x5cf208 - GetStringTypeW

• 0x5cf20c - SetUnhandledExceptionFilter

• 0x5cf210 - CompareStringA

• 0x5cf214 - CompareStringW

• 0x5cf218 - IsBadReadPtr

• 0x5cf21c - IsBadCodePtr

• 0x5cf220 - GetStdHandle

• 0x5cf224 - SetHandleCount

• 0x5cf228 - GetEnvironmentStringsW

• 0x5cf22c - GetEnvironmentStrings

• 0x5cf230 - FreeEnvironmentStringsW

• 0x5cf234 - FreeEnvironmentStringsA

• 0x5cf238 - UnhandledExceptionFilter

• 0x5cf23c - CloseHandle

• 0x5cf240 - GetFileType

• 0x5cf244 - SetStdHandle

• 0x5cf248 - GetACP

• 0x5cf24c - HeapSize

• 0x5cf250 - TerminateProcess

• 0x5cf254 - GetLocalTime

• 0x5cf258 - GetSystemTime

• 0x5cf25c - GetTimeZoneInformation

• 0x5cf260 - RaiseException

• 0x5cf264 - RtlUnwind

• 0x5cf268 - GetStartupInfoA

• 0x5cf26c - GetOEMCP

• 0x5cf270 - GetCPInfo

• 0x5cf274 - GetProcessVersion

• 0x5cf278 - SetErrorMode

• 0x5cf27c - GetProfileIntA

• 0x5cf280 - GlobalFlags

• 0x5cf284 - GetCurrentThread

• 0x5cf288 - GetFileTime

• 0x5cf28c - GetFileSize

• 0x5cf290 - TlsGetValue

• 0x5cf294 - LocalReAlloc

• 0x5cf298 - TlsSetValue

• 0x5cf29c - TlsFree

• 0x5cf2a0 - GlobalHandle

• 0x5cf2a4 - TlsAlloc

• 0x5cf2a8 - LocalAlloc

• 0x5cf2ac - lstrcmpA

• 0x5cf2b0 - GetVersion

• 0x5cf2b4 - GlobalGetAtomNameA

• 0x5cf2b8 - GlobalAddAtomA

• 0x5cf2bc - GlobalFindAtomA

• 0x5cf2c0 - GlobalDeleteAtom

• 0x5cf2c4 - lstrcmpiA

• 0x5cf2c8 - SetEndOfFile

• 0x5cf2cc - UnlockFile

• 0x5cf2d0 - LockFile

• 0x5cf2d4 - FlushFileBuffers

• 0x5cf2d8 - SetFilePointer

• 0x5cf2dc - WaitForSingleObject

• 0x5cf2e0 - GetCurrentProcess

• 0x5cf2e4 - DuplicateHandle

• 0x5cf2e8 - lstrcpynA

• 0x5cf2ec - SetLastError

• 0x5cf2f0 - FileTimeToLocalFileTime

• 0x5cf2f4 - FileTimeToSystemTime

• 0x5cf2f8 - FormatMessageA

• 0x5cf2fc - LocalFree

• 0x5cf300 - MultiByteToWideChar

• 0x5cf304 - WideCharToMultiByte

• 0x5cf308 - InterlockedDecrement

• 0x5cf30c - InterlockedIncrement

• 0x5cf310 - CreateSemaphoreA

• 0x5cf314 - ResumeThread

• 0x5cf318 - ReleaseSemaphore

• 0x5cf31c - EnterCriticalSection

• 0x5cf320 - LeaveCriticalSection

• 0x5cf324 - GetProfileStringA

• 0x5cf328 - WriteFile

• 0x5cf32c - ReadFile

• 0x5cf330 - GetLastError

• 0x5cf334 - WaitForMultipleObjects

• 0x5cf338 - CreateFileA

• 0x5cf33c - SetEvent

• 0x5cf340 - FindResourceA

• 0x5cf344 - LoadResource

• 0x5cf348 - LockResource

• 0x5cf34c - GetModuleFileNameA

• 0x5cf350 - GetCurrentThreadId

• 0x5cf354 - ExitProcess

• 0x5cf358 - GlobalSize

• 0x5cf35c - GlobalFree

• 0x5cf360 - DeleteCriticalSection

• 0x5cf364 - InitializeCriticalSection

• 0x5cf368 - lstrcatA

• 0x5cf36c - WinExec

• 0x5cf370 - lstrcpyA

• 0x5cf374 - FindNextFileA

• 0x5cf378 - GlobalReAlloc

• 0x5cf37c - HeapFree

• 0x5cf380 - HeapReAlloc

• 0x5cf384 - GetProcessHeap

• 0x5cf388 - HeapAlloc

• 0x5cf38c - GetFullPathNameA

• 0x5cf390 - FreeLibrary

• 0x5cf394 - LoadLibraryA

• 0x5cf398 - lstrlenA

• 0x5cf39c - lstrlenW

• 0x5cf3a0 - GetVersionExA

• 0x5cf3a4 - WritePrivateProfileStringA

• 0x5cf3a8 - CreateThread

• 0x5cf3ac - CreateEventA

• 0x5cf3b0 - Sleep

• 0x5cf3b4 - GlobalAlloc

• 0x5cf3b8 - GlobalLock

• 0x5cf3bc - GlobalUnlock

• 0x5cf3c0 - FindFirstFileA

• 0x5cf3c4 - FindClose

• 0x5cf3c8 - GetFileAttributesA

• 0x5cf3cc - CopyFileA

• 0x5cf3d0 - GetCurrentDirectoryA

• 0x5cf3d4 - SetCurrentDirectoryA

• 0x5cf3d8 - GetVolumeInformationA

• 0x5cf3dc - GetModuleHandleA

• 0x5cf3e0 - GetProcAddress

• 0x5cf3e4 - MulDiv

• 0x5cf3e8 - GetCommandLineA

• 0x5cf3ec - GetTickCount

库 USER32.dll:

• 0x5cf424 - LoadStringA

• 0x5cf428 - wvsprintfA

• 0x5cf42c - GetDesktopWindow

• 0x5cf430 - GetClassNameA

• 0x5cf434 - GetMenuCheckMarkDimensions

• 0x5cf438 - SetMenuItemBitmaps

• 0x5cf43c - CheckMenuItem

• 0x5cf440 - IsDialogMessageA

• 0x5cf444 - ScrollWindowEx

• 0x5cf448 - SendDlgItemMessageA

• 0x5cf44c - MapWindowPoints

• 0x5cf450 - AdjustWindowRectEx

• 0x5cf454 - ScrollWindow

• 0x5cf458 - GetScrollInfo

• 0x5cf45c - SetScrollInfo

• 0x5cf460 - ShowScrollBar

• 0x5cf464 - GetScrollPos

• 0x5cf468 - RegisterClassA

• 0x5cf46c - CreateWindowExA

• 0x5cf470 - GetClassLongA

• 0x5cf474 - RemovePropA

• 0x5cf478 - GetMessageTime

• 0x5cf47c - GetLastActivePopup

• 0x5cf480 - GetForegroundWindow

• 0x5cf484 - RegisterWindowMessageA

• 0x5cf488 - GetWindowPlacement

• 0x5cf48c - EndDialog

• 0x5cf490 - CreateDialogIndirectParamA

• 0x5cf494 - DestroyWindow

• 0x5cf498 - GetDlgItem

• 0x5cf49c - EndPaint

• 0x5cf4a0 - BeginPaint

• 0x5cf4a4 - CharUpperA

• 0x5cf4a8 - GetWindowTextLengthA

• 0x5cf4ac - GetNextDlgTabItem

• 0x5cf4b0 - GetDoubleClickTime

• 0x5cf4b4 - ClipCursor

• 0x5cf4b8 - GetWindowTextA

• 0x5cf4bc - SetWindowTextA

• 0x5cf4c0 - GetMenuItemCount

• 0x5cf4c4 - GetMenuItemID

• 0x5cf4c8 - GetMenuStringA

• 0x5cf4cc - GetMenuState

• 0x5cf4d0 - GetTabbedTextExtentA

• 0x5cf4d4 - DrawStateA

• 0x5cf4d8 - GrayStringA

• 0x5cf4dc - TabbedTextOutA

• 0x5cf4e0 - WindowFromDC

• 0x5cf4e4 - EnumChildWindows

• 0x5cf4e8 - GetWindowDC

• 0x5cf4ec - UnhookWindowsHookEx

• 0x5cf4f0 - CallNextHookEx

• 0x5cf4f4 - SetWindowsHookExA

• 0x5cf4f8 - FrameRect

• 0x5cf4fc - GetPropA

• 0x5cf500 - MoveWindow

• 0x5cf504 - CallWindowProcA

• 0x5cf508 - SetPropA

• 0x5cf50c - DrawTextA

• 0x5cf510 - GetCursor

• 0x5cf514 - SystemParametersInfoA

• 0x5cf518 - TranslateMessage

• 0x5cf51c - LoadIconA

• 0x5cf520 - GetSysColorBrush

• 0x5cf524 - DrawFocusRect

• 0x5cf528 - WindowFromPoint

• 0x5cf52c - GetMessageA

• 0x5cf530 - DispatchMessageA

• 0x5cf534 - SetRectEmpty

• 0x5cf538 - RegisterClipboardFormatA

• 0x5cf53c - CreateIconFromResourceEx

• 0x5cf540 - CreateIconFromResource

• 0x5cf544 - DrawIconEx

• 0x5cf548 - CreatePopupMenu

• 0x5cf54c - AppendMenuA

• 0x5cf550 - ModifyMenuA

• 0x5cf554 - CreateMenu

• 0x5cf558 - CreateAcceleratorTableA

• 0x5cf55c - GetDlgCtrlID

• 0x5cf560 - GetSubMenu

• 0x5cf564 - EnableMenuItem

• 0x5cf568 - ClientToScreen

• 0x5cf56c - EnumDisplaySettingsA

• 0x5cf570 - LoadImageA

• 0x5cf574 - ShowWindow

• 0x5cf578 - IsWindowEnabled

• 0x5cf57c - TranslateAcceleratorA

• 0x5cf580 - GetKeyState

• 0x5cf584 - CopyAcceleratorTableA

• 0x5cf588 - PostQuitMessage

• 0x5cf58c - IsZoomed

• 0x5cf590 - GetSystemMenu

• 0x5cf594 - DeleteMenu

• 0x5cf598 - GetClassInfoA

• 0x5cf59c - DefWindowProcA

• 0x5cf5a0 - GetMenu

• 0x5cf5a4 - SetMenu

• 0x5cf5a8 - PeekMessageA

• 0x5cf5ac - IsIconic

• 0x5cf5b0 - SetFocus

• 0x5cf5b4 - GetActiveWindow

• 0x5cf5b8 - GetWindow

• 0x5cf5bc - DestroyAcceleratorTable

• 0x5cf5c0 - SetWindowRgn

• 0x5cf5c4 - GetMessagePos

• 0x5cf5c8 - ScreenToClient

• 0x5cf5cc - ChildWindowFromPointEx

• 0x5cf5d0 - CopyRect

• 0x5cf5d4 - LoadBitmapA

• 0x5cf5d8 - WinHelpA

• 0x5cf5dc - KillTimer

• 0x5cf5e0 - SetTimer

• 0x5cf5e4 - ReleaseCapture

• 0x5cf5e8 - GetCapture

• 0x5cf5ec - SetCapture

• 0x5cf5f0 - GetScrollRange

• 0x5cf5f4 - SetScrollRange

• 0x5cf5f8 - SetScrollPos

• 0x5cf5fc - InflateRect

• 0x5cf600 - SetRect

• 0x5cf604 - IntersectRect

• 0x5cf608 - DestroyIcon

• 0x5cf60c - PtInRect

• 0x5cf610 - OffsetRect

• 0x5cf614 - IsWindowVisible

• 0x5cf618 - EnableWindow

• 0x5cf61c - RedrawWindow

• 0x5cf620 - GetWindowLongA

• 0x5cf624 - SetWindowLongA

• 0x5cf628 - GetSysColor

• 0x5cf62c - SetActiveWindow

• 0x5cf630 - SetCursorPos

• 0x5cf634 - LoadCursorA

• 0x5cf638 - SetCursor

• 0x5cf63c - GetDC

• 0x5cf640 - FillRect

• 0x5cf644 - InvertRect

• 0x5cf648 - IsRectEmpty

• 0x5cf64c - ReleaseDC

• 0x5cf650 - IsChild

• 0x5cf654 - TrackPopupMenu

• 0x5cf658 - DestroyMenu

• 0x5cf65c - SetForegroundWindow

• 0x5cf660 - GetWindowRect

• 0x5cf664 - DrawEdge

• 0x5cf668 - EqualRect

• 0x5cf66c - UpdateWindow

• 0x5cf670 - ValidateRect

• 0x5cf674 - InvalidateRect

• 0x5cf678 - GetClientRect

• 0x5cf67c - GetFocus

• 0x5cf680 - GetParent

• 0x5cf684 - GetTopWindow

• 0x5cf688 - PostMessageA

• 0x5cf68c - IsWindow

• 0x5cf690 - SetParent

• 0x5cf694 - DestroyCursor

• 0x5cf698 - SendMessageA

• 0x5cf69c - SetWindowPos

• 0x5cf6a0 - MessageBeep

• 0x5cf6a4 - MessageBoxA

• 0x5cf6a8 - GetCursorPos

• 0x5cf6ac - GetSystemMetrics

• 0x5cf6b0 - IsClipboardFormatAvailable

• 0x5cf6b4 - EmptyClipboard

• 0x5cf6b8 - SetClipboardData

• 0x5cf6bc - OpenClipboard

• 0x5cf6c0 - GetClipboardData

• 0x5cf6c4 - CloseClipboard

• 0x5cf6c8 - wsprintfA

• 0x5cf6cc - DrawFrameControl

• 0x5cf6d0 - UnregisterClassA

库 GDI32.dll:

• 0x5cf060 - Escape

• 0x5cf064 - GetTextMetricsA

• 0x5cf068 - AbortDoc

• 0x5cf06c - CreateFontA

• 0x5cf070 - SetBrushOrgEx

• 0x5cf074 - SetDIBitsToDevice

• 0x5cf078 - SetPolyFillMode

• 0x5cf07c - SetROP2

• 0x5cf080 - SetMapMode

• 0x5cf084 - SetViewportOrgEx

• 0x5cf088 - OffsetViewportOrgEx

• 0x5cf08c - SetViewportExtEx

• 0x5cf090 - ScaleViewportExtEx

• 0x5cf094 - OffsetWindowOrgEx

• 0x5cf098 - SetWindowExtEx

• 0x5cf09c - ScaleWindowExtEx

• 0x5cf0a0 - GetClipBox

• 0x5cf0a4 - ExcludeClipRect

• 0x5cf0a8 - MoveToEx

• 0x5cf0ac - ExtTextOutA

• 0x5cf0b0 - EndPath

• 0x5cf0b4 - GetTextColor

• 0x5cf0b8 - CreateDIBitmap

• 0x5cf0bc - ExtSelectClipRgn

• 0x5cf0c0 - GetViewportExtEx

• 0x5cf0c4 - CopyMetaFileA

• 0x5cf0c8 - TextOutA

• 0x5cf0cc - RectVisible

• 0x5cf0d0 - PtVisible

• 0x5cf0d4 - CreatePenIndirect

• 0x5cf0d8 - RestoreDC

• 0x5cf0dc - SaveDC

• 0x5cf0e0 - SetWindowOrgEx

• 0x5cf0e4 - SetTextColor

• 0x5cf0e8 - SetBkMode

• 0x5cf0ec - SetBkColor

• 0x5cf0f0 - CreateRectRgnIndirect

• 0x5cf0f4 - CreateDIBSection

• 0x5cf0f8 - SetPixel

• 0x5cf0fc - SetStretchBltMode

• 0x5cf100 - GetClipRgn

• 0x5cf104 - CreatePolygonRgn

• 0x5cf108 - SelectClipRgn

• 0x5cf10c - LineTo

• 0x5cf110 - DeleteObject

• 0x5cf114 - GetBkMode

• 0x5cf118 - GetBkColor

• 0x5cf11c - GetROP2

• 0x5cf120 - GetStretchBltMode

• 0x5cf124 - GetPolyFillMode

• 0x5cf128 - CreateCompatibleBitmap

• 0x5cf12c - CreateDCA

• 0x5cf130 - CreateBrushIndirect

• 0x5cf134 - CreateBitmap

• 0x5cf138 - CreatePatternBrush

• 0x5cf13c - SelectObject

• 0x5cf140 - GetObjectA

• 0x5cf144 - CreatePen

• 0x5cf148 - PatBlt

• 0x5cf14c - GetSystemPaletteEntries

• 0x5cf150 - CreatePalette

• 0x5cf154 - StretchBlt

• 0x5cf158 - PathToRegion

• 0x5cf15c - SelectPalette

• 0x5cf160 - RealizePalette

• 0x5cf164 - GetDIBits

• 0x5cf168 - GetWindowExtEx

• 0x5cf16c - GetViewportOrgEx

• 0x5cf170 - GetWindowOrgEx

• 0x5cf174 - CreateEllipticRgn

• 0x5cf178 - BeginPath

• 0x5cf17c - EndDoc

• 0x5cf180 - FillRgn

• 0x5cf184 - CreateRectRgn

• 0x5cf188 - CombineRgn

• 0x5cf18c - CreateSolidBrush

• 0x5cf190 - GetStockObject

• 0x5cf194 - CreateFontIndirectA

• 0x5cf198 - EndPage

• 0x5cf19c - GetDeviceCaps

• 0x5cf1a0 - GetTextExtentPoint32A

• 0x5cf1a4 - RoundRect

• 0x5cf1a8 - GetCurrentObject

• 0x5cf1ac - DPtoLP

• 0x5cf1b0 - LPtoDP

• 0x5cf1b4 - Rectangle

• 0x5cf1b8 - Ellipse

• 0x5cf1bc - SetPixelV

• 0x5cf1c0 - CreateCompatibleDC

• 0x5cf1c4 - GetPixel

• 0x5cf1c8 - BitBlt

• 0x5cf1cc - StartPage

• 0x5cf1d0 - StartDocA

• 0x5cf1d4 - DeleteDC

• 0x5cf1d8 - CreateRoundRectRgn

库 WINMM.dll:

• 0x5cf6d8 - midiStreamRestart

• 0x5cf6dc - midiStreamClose

• 0x5cf6e0 - midiOutReset

• 0x5cf6e4 - midiStreamStop

• 0x5cf6e8 - midiStreamOut

• 0x5cf6ec - midiOutPrepareHeader

• 0x5cf6f0 - midiStreamProperty

• 0x5cf6f4 - midiStreamOpen

• 0x5cf6f8 - midiOutUnprepareHeader

• 0x5cf6fc - waveOutOpen

• 0x5cf700 - waveOutGetNumDevs

• 0x5cf704 - waveOutClose

• 0x5cf708 - waveOutReset

• 0x5cf70c - waveOutPause

• 0x5cf710 - waveOutWrite

• 0x5cf714 - waveOutPrepareHeader

• 0x5cf718 - waveOutUnprepareHeader

• 0x5cf71c - PlaySoundA

库 MSIMG32.dll:

• 0x5cf3f4 - GradientFill

库 WINSPOOL.DRV:

• 0x5cf724 - ClosePrinter

• 0x5cf728 - DocumentPropertiesA

• 0x5cf72c - OpenPrinterA

库 comdlg32.dll:

• 0x5cf75c - GetFileTitleA

• 0x5cf760 - PrintDlgA

• 0x5cf764 - GetSaveFileNameA

• 0x5cf768 - GetOpenFileNameA

• 0x5cf76c - ChooseColorA

库 ADVAPI32.dll:

• 0x5cf000 - RegCreateKeyExA

• 0x5cf004 - RegQueryValueA

• 0x5cf008 - RegSetValueExA

• 0x5cf00c - RegOpenKeyExA

• 0x5cf010 - RegQueryValueExA

• 0x5cf014 - RegCloseKey

库 SHELL32.dll:

• 0x5cf418 - Shell_NotifyIconA

• 0x5cf41c - ShellExecuteA

库 ole32.dll:

• 0x5cf774 - OleDuplicateData

• 0x5cf778 - RevokeDragDrop

• 0x5cf77c - CoLockObjectExternal

• 0x5cf780 - DoDragDrop

• 0x5cf784 - OleGetClipboard

• 0x5cf788 - OleIsCurrentClipboard

• 0x5cf78c - OleFlushClipboard

• 0x5cf790 - OleSetClipboard

• 0x5cf794 - CoTaskMemFree

• 0x5cf798 - ReleaseStgMedium

• 0x5cf79c - OleInitialize

• 0x5cf7a0 - CreateStreamOnHGlobal

• 0x5cf7a4 - OleUninitialize

• 0x5cf7a8 - CLSIDFromString

• 0x5cf7ac - CoTaskMemAlloc

库 OLEAUT32.dll:

• 0x5cf404 - VarDateFromStr

• 0x5cf408 - LoadTypeLib

• 0x5cf40c - RegisterTypeLib

• 0x5cf410 - UnRegisterTypeLib

库 COMCTL32.dll:

• 0x5cf028 - ImageList_Draw

• 0x5cf02c - _TrackMouseEvent

• 0x5cf030 - ImageList_GetImageCount

• 0x5cf034 - ImageList_AddMasked

• 0x5cf038 - ImageList_GetIcon

• 0x5cf03c - ImageList_SetBkColor

• 0x5cf040 - None

• 0x5cf044 - ImageList_Destroy

• 0x5cf048 - ImageList_Create

• 0x5cf04c - ImageList_Read

• 0x5cf050 - ImageList_DrawIndirect

• 0x5cf054 - ImageList_Duplicate

• 0x5cf058 - ImageList_GetImageInfo

库 WS2_32.dll:

• 0x5cf734 - inet_ntoa

• 0x5cf738 - WSACleanup

• 0x5cf73c - closesocket

• 0x5cf740 - WSAAsyncSelect

• 0x5cf744 - accept

• 0x5cf748 - getpeername

• 0x5cf74c - recv

• 0x5cf750 - ioctlsocket

• 0x5cf754 - recvfrom

投放文件

无信息

行为分析

互斥量(Mutexes)

Local\MSCTF.Asm.MutexDefault1

执行的命令 无信息

创建的服务 无信息

启动的服务 无信息

进程

SDLPAL.exe PID: 2500, 上一级进程 PID: 2164

访问的文件

C:\Windows\Globalization\Sorting\sortdefault.nls
C:\Windows\Fonts\staticcache.dat
C:\Users\test\AppData\Local\Temp\\xe4\xbb\x99\xe5\x89\x9198\xe7\x89\x88\xe5\xa4\x96\xe7\xbd\xae\xe5\x9d\x90\xe6\xa0\x87.ini

读取的文件

C:\Windows\Globalization\Sorting\sortdefault.nls
C:\Windows\Fonts\staticcache.dat

修改的文件 无信息

删除的文件 无信息

注册表键

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane16
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\ExtendedLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\System
HKEY_CURRENT_USER
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\DragScrollInset
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\DragScrollDelay
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\DragScrollInterval
HKEY_CURRENT_USER\Control Panel\Desktop
HKEY_CURRENT_USER\Control Panel\Desktop\WheelScrollLines
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\UseDoubleClickTimer
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\FontSubstitutes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\\xe5\xae\x8b\xe4\xbd\x93
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\SimSun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\SDLPAL.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{03B5835F-F03C-411B-9CE2-AA23E1171E36}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{07EB03D6-B001-41DF-9192-BF9B841EE71F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3697C5FA-60DD-4B56-92D4-74A569205C16}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3FC47A08-E5C9-4BCA-A2C7-BC9A282AED14}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{531FDEBF-9B4C-4A43-A2AA-960E8FCDC732}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{78CB5B0E-26ED-4FCC-854C-77E8F3D1AA80}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{81D4E9C9-1D3B-41BC-9E6C-4B40BF79E35E}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{8613E14C-D0C0-4161-AC0F-1DD2563286BC}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{A028AE76-01B1-46C2-99C4-ACD9858AE02F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{AE6BE008-07FB-400D-8BEB-337A64F7051F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{C1EE01F2-B3B6-4A6A-9DDD-E988C088EC82}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{E429B25A-E5D3-4D1F-9BE3-0C608477E3A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F25E9F57-2FC8-4EB3-A41A-CCE5F08541E6}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F89E9E58-BD2F-4008-9AC2-0F816C09F4EE}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_CURRENT_USER\Keyboard Layout\Toggle
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
HKEY_CURRENT_USER\Software\Microsoft\CTF\DirectSwitchHotkeys
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\KnownClasses
HKEY_CURRENT_USER\Software\Microsoft\CTF\LayoutIcon\0804\00000804

读取的注册表键

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane16
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\DragScrollInset
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\DragScrollDelay
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\DragScrollInterval
HKEY_CURRENT_USER\Control Panel\Desktop\WheelScrollLines
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\UseDoubleClickTimer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\\xe5\xae\x8b\xe4\xbd\x93
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\SimSun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext

修改的注册表键 无信息

删除的注册表键 无信息

API解析

kernel32.dll.IsProcessorFeaturePresent
cryptbase.dll.SystemFunction036
kernel32.dll.SortGetHandle
kernel32.dll.SortCloseHandle
gdi32.dll.GetLayout
gdi32.dll.GdiRealizationInfo
gdi32.dll.FontIsLinked
advapi32.dll.RegOpenKeyExW
advapi32.dll.RegQueryInfoKeyW
gdi32.dll.GetTextFaceAliasW
advapi32.dll.RegEnumValueW
advapi32.dll.RegCloseKey
advapi32.dll.RegQueryValueExW
advapi32.dll.RegQueryValueExA
advapi32.dll.RegEnumKeyExW
gdi32.dll.GetTextExtentExPointWPri
comctl32.dll.InitCommonControlsEx
comctl32.dll.RegisterClassNameW
user32.dll.NotifyWinEvent
gdi32.dll.GetFontAssocStatus
ole32.dll.CoInitializeEx
ole32.dll.CoUninitialize
ole32.dll.CoRegisterInitializeSpy
ole32.dll.CoRevokeInitializeSpy
oleaut32.dll.SysAllocString
oleaut32.dll.SysStringLen
oleaut32.dll.SysFreeString
kernel32.dll.CreateToolhelp32Snapshot
kernel32.dll.Process32First
kernel32.dll.Process32Next
kernel32.dll.CloseHandle
user32.dll.EnumWindows
user32.dll.IsWindowVisible
user32.dll.GetWindowTextA
user32.dll.GetClassNameA
user32.dll.GetWindowThreadProcessId