魔盾安全分析报告
| 分析类型 | 开始时间 | 结束时间 | 持续时间 | 分析引擎版本 |
|---|---|---|---|---|
| FILE | 2018-03-23 20:08:59 | 2018-03-23 20:11:23 | 144 秒 | 1.4-Maldun |
| 虚拟机机器名 | 标签 | 虚拟机管理 | 开机时间 | 关机时间 |
|---|---|---|---|---|
| win7-sp1-x64-hpdapp03-1 | win7-sp1-x64-hpdapp03-1 | KVM | 2018-03-23 20:09:05 | 2018-03-23 20:11:22 |
| 魔盾分数 |
|---|
0.85正常的 |
文件详细信息
| 文件名 | 小沐.exe |
|---|---|
| 文件大小 | 815104 字节 |
| 文件类型 | PE32 executable (GUI) Intel 80386, for MS Windows |
| CRC32 | E4FB0589 |
| MD5 | cfe645c33f2f061b7269aa7ab5cd8697 |
| SHA1 | 2ab2e844c7d00125db52a9da187abb01dec2c9fb |
| SHA256 | 33a2d1876b0a989766788b5526cb7d08f112fd60e9a0305d3ef436a04aa3b4d8 |
| SHA512 | f40f0cebfba75a911a0769c89cd9831f33e9bc0e5908c3ea98e11cf805c3d4d1035de6d6667eca5f83b29bb2f923fd1231ae179e96c09596c563ac48a3b20b8d |
| Ssdeep | 12288:XJj8HBqI+O3l00NNyEAaYkvqEv5vUnxBhX8FIrs7AWNotF+2JSUW:XSht+O3l0aNrAFknvNUxBhXTWCv+ASUW |
| PEiD | 无匹配 |
| Yara | 无Yara规则匹配 |
| VirusTotal | 无此文件扫描结果 |
特征
发起了一些HTTP请求
url: http://b.appmo.cn/Public/Uploads/2018-03-01/5a974907e46dc.jpg
魔盾wping.org 域名信誉系统
Neutral: b.appmo.cn
运行截图
网络分析
访问主机记录
| 直接访问 | IP地址 | 国家名 |
|---|---|---|
| 否 | 122.114.3.37 | China |
域名解析
| 域名 | 响应 |
|---|---|
| b.appmo.cn |
A 122.114.3.37
CNAME 446421.vhost127.cnameaddress.top |
TCP连接
| IP地址 | 端口 |
|---|---|
| 122.114.3.37 | 80 |
UDP连接
| IP地址 | 端口 |
|---|---|
| 192.168.122.1 | 53 |
HTTP请求
| URL | HTTP数据 |
|---|---|
| http://b.appmo.cn/Public/Uploads/2018-03-01/5a974907e46dc.jpg | GET /Public/Uploads/2018-03-01/5a974907e46dc.jpg HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0) Accept: */* Host: b.appmo.cn Cache-Control: no-cache |
静态分析
PE 信息
| 初始地址 | 0x00400000 |
|---|---|
| 入口地址 | 0x0046f975 |
| 声明校验值 | 0x00000000 |
| 实际校验值 | 0x000cde2d |
| 最低操作系统版本要求 | 4.0 |
| 编译时间 | 2018-03-23 14:06:30 |
| 载入哈希 | d40e35c64f4d464b2ba70d918b53862f |
| 图标 |  |
| 图标精确哈希值 | 19cf7ecbcd8b8eb3fbe82f5764197a21 |
| 图标相似性哈希值 | 2227aa2d08894438e497aa010f61dfdf |
版本信息
| LegalCopyright: | \x5c0f\x6c90 \x7248\x6743\x6240\x6709 |
| FileVersion: | 1.0.3.8 |
| CompanyName: | \x5c0f\x6c90 |
| Comments: | \x672c\x7a0b\x5e8f\x4f7f\x7528\x6613\x8bed\x8a00\x7f16\x5199(http://www.dywt.com.cn) |
| ProductName: | \x7f51\x5740\x76d1\x63a7 |
| ProductVersion: | 1.0.3.8 |
| FileDescription: | \x7f51\x5740\x76d1\x63a7 |
| Translation: | 0x0804 0x04b0 |
PE数据组成
| 名称 | 虚拟地址 | 虚拟大小 | 原始数据大小 | 特征 | 熵(Entropy) |
|---|---|---|---|---|---|
| .text | 0x00001000 | 0x00091e63 | 0x00092000 | IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ | 6.59 |
| .rdata | 0x00093000 | 0x00019d66 | 0x0001a000 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 4.37 |
| .data | 0x000ad000 | 0x0003afe8 | 0x00013000 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE | 5.26 |
| .rsrc | 0x000e8000 | 0x000060ec | 0x00007000 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 4.68 |
资源
| 名称 | 偏移量 | 大小 | 语言 | 子语言 | 熵(Entropy) | 文件类型 |
|---|---|---|---|---|---|---|
| TEXTINCLUDE | 0x000e8c18 | 0x00000151 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 5.25 | C source, ASCII text, with CRLF line terminators |
| TEXTINCLUDE | 0x000e8c18 | 0x00000151 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 5.25 | C source, ASCII text, with CRLF line terminators |
| TEXTINCLUDE | 0x000e8c18 | 0x00000151 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 5.25 | C source, ASCII text, with CRLF line terminators |
| RT_CURSOR | 0x000e9108 | 0x000000b4 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 2.74 | data |
| RT_CURSOR | 0x000e9108 | 0x000000b4 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 2.74 | data |
| RT_CURSOR | 0x000e9108 | 0x000000b4 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 2.74 | data |
| RT_CURSOR | 0x000e9108 | 0x000000b4 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 2.74 | data |
| RT_BITMAP | 0x000ea97c | 0x00000144 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 2.88 | data |
| RT_BITMAP | 0x000ea97c | 0x00000144 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 2.88 | data |
| RT_BITMAP | 0x000ea97c | 0x00000144 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 2.88 | data |
| RT_BITMAP | 0x000ea97c | 0x00000144 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 2.88 | data |
| RT_BITMAP | 0x000ea97c | 0x00000144 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 2.88 | data |
| RT_BITMAP | 0x000ea97c | 0x00000144 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 2.88 | data |
| RT_BITMAP | 0x000ea97c | 0x00000144 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 2.88 | data |
| RT_BITMAP | 0x000ea97c | 0x00000144 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 2.88 | data |
| RT_BITMAP | 0x000ea97c | 0x00000144 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 2.88 | data |
| RT_BITMAP | 0x000ea97c | 0x00000144 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 2.88 | data |
| RT_BITMAP | 0x000ea97c | 0x00000144 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 2.88 | data |
| RT_BITMAP | 0x000ea97c | 0x00000144 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 2.88 | data |
| RT_BITMAP | 0x000ea97c | 0x00000144 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 2.88 | data |
| RT_BITMAP | 0x000ea97c | 0x00000144 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 2.88 | data |
| RT_BITMAP | 0x000ea97c | 0x00000144 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 2.88 | data |
| RT_ICON | 0x000eaed0 | 0x000010a8 | LANG_NEUTRAL | SUBLANG_NEUTRAL | 2.23 | dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 0, next used block 0 |
| RT_ICON | 0x000eaed0 | 0x000010a8 | LANG_NEUTRAL | SUBLANG_NEUTRAL | 2.23 | dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 0, next used block 0 |
| RT_ICON | 0x000eaed0 | 0x000010a8 | LANG_NEUTRAL | SUBLANG_NEUTRAL | 2.23 | dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 0, next used block 0 |
| RT_MENU | 0x000ebf84 | 0x00000284 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 4.28 | data |
| RT_MENU | 0x000ebf84 | 0x00000284 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 4.28 | data |
| RT_DIALOG | 0x000ed1cc | 0x0000018c | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 3.74 | data |
| RT_DIALOG | 0x000ed1cc | 0x0000018c | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 3.74 | data |
| RT_DIALOG | 0x000ed1cc | 0x0000018c | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 3.74 | data |
| RT_DIALOG | 0x000ed1cc | 0x0000018c | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 3.74 | data |
| RT_DIALOG | 0x000ed1cc | 0x0000018c | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 3.74 | data |
| RT_DIALOG | 0x000ed1cc | 0x0000018c | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 3.74 | data |
| RT_DIALOG | 0x000ed1cc | 0x0000018c | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 3.74 | data |
| RT_DIALOG | 0x000ed1cc | 0x0000018c | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 3.74 | data |
| RT_DIALOG | 0x000ed1cc | 0x0000018c | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 3.74 | data |
| RT_DIALOG | 0x000ed1cc | 0x0000018c | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 3.74 | data |
| RT_STRING | 0x000edc14 | 0x00000024 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 0.90 | data |
| RT_STRING | 0x000edc14 | 0x00000024 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 0.90 | data |
| RT_STRING | 0x000edc14 | 0x00000024 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 0.90 | data |
| RT_STRING | 0x000edc14 | 0x00000024 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 0.90 | data |
| RT_STRING | 0x000edc14 | 0x00000024 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 0.90 | data |
| RT_STRING | 0x000edc14 | 0x00000024 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 0.90 | data |
| RT_STRING | 0x000edc14 | 0x00000024 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 0.90 | data |
| RT_STRING | 0x000edc14 | 0x00000024 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 0.90 | data |
| RT_STRING | 0x000edc14 | 0x00000024 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 0.90 | data |
| RT_STRING | 0x000edc14 | 0x00000024 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 0.90 | data |
| RT_STRING | 0x000edc14 | 0x00000024 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 0.90 | data |
| RT_GROUP_CURSOR | 0x000edc60 | 0x00000022 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 2.25 | MS Windows cursor resource - 2 icons, 32x256, hotspot @1x1 |
| RT_GROUP_CURSOR | 0x000edc60 | 0x00000022 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 2.25 | MS Windows cursor resource - 2 icons, 32x256, hotspot @1x1 |
| RT_GROUP_CURSOR | 0x000edc60 | 0x00000022 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 2.25 | MS Windows cursor resource - 2 icons, 32x256, hotspot @1x1 |
| RT_GROUP_ICON | 0x000edcac | 0x00000014 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 2.02 | MS Windows icon resource - 1 icon, 16x16, 16 colors |
| RT_GROUP_ICON | 0x000edcac | 0x00000014 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 2.02 | MS Windows icon resource - 1 icon, 16x16, 16 colors |
| RT_GROUP_ICON | 0x000edcac | 0x00000014 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 2.02 | MS Windows icon resource - 1 icon, 16x16, 16 colors |
| RT_VERSION | 0x000edcc0 | 0x0000025c | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 3.74 | data |
| RT_MANIFEST | 0x000edf1c | 0x000001cd | LANG_NEUTRAL | SUBLANG_NEUTRAL | 5.08 | XML 1.0 document, ASCII text, with very long lines, with no line terminators |
导入
库 RASAPI32.dll:
• 0x4933dc - RasHangUpA
• 0x4933e0 - RasGetConnectStatusA
库 KERNEL32.dll:
• 0x493174 - GetModuleHandleA
• 0x493178 - GetVolumeInformationA
• 0x49317c - SetCurrentDirectoryA
• 0x493180 - DeleteFileA
• 0x493184 - GetFileAttributesA
• 0x493188 - FindClose
• 0x49318c - FindFirstFileA
• 0x493190 - GetTempPathA
• 0x493194 - SetEndOfFile
• 0x493198 - UnlockFile
• 0x49319c - LockFile
• 0x4931a0 - FlushFileBuffers
• 0x4931a4 - SetFilePointer
• 0x4931a8 - GetCurrentProcess
• 0x4931ac - DuplicateHandle
• 0x4931b0 - lstrcpynA
• 0x4931b4 - SetLastError
• 0x4931b8 - IsBadCodePtr
• 0x4931bc - IsBadReadPtr
• 0x4931c0 - CompareStringW
• 0x4931c4 - CompareStringA
• 0x4931c8 - SetUnhandledExceptionFilter
• 0x4931cc - GetStringTypeW
• 0x4931d0 - GetStringTypeA
• 0x4931d4 - IsBadWritePtr
• 0x4931d8 - VirtualAlloc
• 0x4931dc - LCMapStringW
• 0x4931e0 - LCMapStringA
• 0x4931e4 - SetEnvironmentVariableA
• 0x4931e8 - VirtualFree
• 0x4931ec - HeapCreate
• 0x4931f0 - HeapDestroy
• 0x4931f4 - GetEnvironmentVariableA
• 0x4931f8 - GetStdHandle
• 0x4931fc - SetHandleCount
• 0x493200 - GetEnvironmentStringsW
• 0x493204 - GetEnvironmentStrings
• 0x493208 - FreeEnvironmentStringsW
• 0x49320c - FreeEnvironmentStringsA
• 0x493210 - UnhandledExceptionFilter
• 0x493214 - GetFileType
• 0x493218 - SetStdHandle
• 0x49321c - GetACP
• 0x493220 - HeapSize
• 0x493224 - GetTimeZoneInformation
• 0x493228 - FileTimeToSystemTime
• 0x49322c - GetTempFileNameA
• 0x493230 - CreateSemaphoreA
• 0x493234 - ResumeThread
• 0x493238 - ReleaseSemaphore
• 0x49323c - EnterCriticalSection
• 0x493240 - LeaveCriticalSection
• 0x493244 - GetProfileStringA
• 0x493248 - WriteFile
• 0x49324c - ReadFile
• 0x493250 - WaitForMultipleObjects
• 0x493254 - CreateFileA
• 0x493258 - SetEvent
• 0x49325c - FindResourceA
• 0x493260 - LoadResource
• 0x493264 - LockResource
• 0x493268 - GetModuleFileNameA
• 0x49326c - GetCurrentThreadId
• 0x493270 - ExitProcess
• 0x493274 - GlobalSize
• 0x493278 - GlobalFree
• 0x49327c - DeleteCriticalSection
• 0x493280 - InitializeCriticalSection
• 0x493284 - lstrcatA
• 0x493288 - lstrlenA
• 0x49328c - WinExec
• 0x493290 - lstrcpyA
• 0x493294 - FindNextFileA
• 0x493298 - GlobalReAlloc
• 0x49329c - HeapFree
• 0x4932a0 - HeapReAlloc
• 0x4932a4 - GetProcessHeap
• 0x4932a8 - HeapAlloc
• 0x4932ac - GetFullPathNameA
• 0x4932b0 - FreeLibrary
• 0x4932b4 - LoadLibraryA
• 0x4932b8 - GetLastError
• 0x4932bc - GetVersionExA
• 0x4932c0 - WritePrivateProfileStringA
• 0x4932c4 - CreateThread
• 0x4932c8 - CreateEventA
• 0x4932cc - Sleep
• 0x4932d0 - GlobalAlloc
• 0x4932d4 - GlobalLock
• 0x4932d8 - GetProcAddress
• 0x4932dc - TerminateProcess
• 0x4932e0 - GetLocalTime
• 0x4932e4 - GetSystemTime
• 0x4932e8 - RaiseException
• 0x4932ec - RtlUnwind
• 0x4932f0 - GetStartupInfoA
• 0x4932f4 - GetOEMCP
• 0x4932f8 - GetCPInfo
• 0x4932fc - GetProcessVersion
• 0x493300 - SetErrorMode
• 0x493304 - GlobalFlags
• 0x493308 - GetCurrentThread
• 0x49330c - GetFileTime
• 0x493310 - GetFileSize
• 0x493314 - TlsGetValue
• 0x493318 - LocalReAlloc
• 0x49331c - TlsSetValue
• 0x493320 - TlsFree
• 0x493324 - GlobalHandle
• 0x493328 - TlsAlloc
• 0x49332c - MulDiv
• 0x493330 - GetCommandLineA
• 0x493334 - GetTickCount
• 0x493338 - WaitForSingleObject
• 0x49333c - CloseHandle
• 0x493340 - FileTimeToLocalFileTime
• 0x493344 - FormatMessageA
• 0x493348 - LocalAlloc
• 0x49334c - lstrcmpA
• 0x493350 - GetVersion
• 0x493354 - GlobalGetAtomNameA
• 0x493358 - GlobalAddAtomA
• 0x49335c - GlobalFindAtomA
• 0x493360 - GlobalDeleteAtom
• 0x493364 - lstrcmpiA
• 0x493368 - GetThreadLocale
• 0x49336c - LocalFree
• 0x493370 - MultiByteToWideChar
• 0x493374 - WideCharToMultiByte
• 0x493378 - InterlockedDecrement
• 0x49337c - GlobalUnlock
• 0x493380 - InterlockedIncrement
库 USER32.dll:
• 0x4933f4 - SetClipboardData
• 0x4933f8 - EmptyClipboard
• 0x4933fc - GetSystemMetrics
• 0x493400 - GetCursorPos
• 0x493404 - MessageBoxA
• 0x493408 - MessageBeep
• 0x49340c - SetWindowPos
• 0x493410 - SendMessageA
• 0x493414 - DestroyCursor
• 0x493418 - SetParent
• 0x49341c - IsWindow
• 0x493420 - PostMessageA
• 0x493424 - GetTopWindow
• 0x493428 - GetParent
• 0x49342c - GetFocus
• 0x493430 - GetClientRect
• 0x493434 - InvalidateRect
• 0x493438 - ValidateRect
• 0x49343c - UpdateWindow
• 0x493440 - OpenClipboard
• 0x493444 - GetClipboardData
• 0x493448 - CloseClipboard
• 0x49344c - EqualRect
• 0x493450 - GetWindowRect
• 0x493454 - SetForegroundWindow
• 0x493458 - DestroyMenu
• 0x49345c - IsChild
• 0x493460 - ReleaseDC
• 0x493464 - IsRectEmpty
• 0x493468 - wsprintfA
• 0x49346c - GetDC
• 0x493470 - SetCursor
• 0x493474 - LoadCursorA
• 0x493478 - SetCursorPos
• 0x49347c - SetActiveWindow
• 0x493480 - GetSysColor
• 0x493484 - SetWindowLongA
• 0x493488 - GetWindowLongA
• 0x49348c - RedrawWindow
• 0x493490 - EnableWindow
• 0x493494 - IsWindowVisible
• 0x493498 - OffsetRect
• 0x49349c - PtInRect
• 0x4934a0 - DestroyIcon
• 0x4934a4 - IntersectRect
• 0x4934a8 - InflateRect
• 0x4934ac - SetRect
• 0x4934b0 - SetScrollPos
• 0x4934b4 - SetScrollRange
• 0x4934b8 - GetScrollRange
• 0x4934bc - SetCapture
• 0x4934c0 - GetCapture
• 0x4934c4 - ReleaseCapture
• 0x4934c8 - SetTimer
• 0x4934cc - KillTimer
• 0x4934d0 - WinHelpA
• 0x4934d4 - LoadBitmapA
• 0x4934d8 - CopyRect
• 0x4934dc - ChildWindowFromPointEx
• 0x4934e0 - ScreenToClient
• 0x4934e4 - GetMessagePos
• 0x4934e8 - SetWindowRgn
• 0x4934ec - DestroyAcceleratorTable
• 0x4934f0 - GetWindow
• 0x4934f4 - GetActiveWindow
• 0x4934f8 - SetFocus
• 0x4934fc - IsIconic
• 0x493500 - FillRect
• 0x493504 - SetPropA
• 0x493508 - PeekMessageA
• 0x49350c - SetMenu
• 0x493510 - GetMenu
• 0x493514 - DeleteMenu
• 0x493518 - GetSystemMenu
• 0x49351c - DefWindowProcA
• 0x493520 - GetClassInfoA
• 0x493524 - PostThreadMessageA
• 0x493528 - GetNextDlgGroupItem
• 0x49352c - GetSysColorBrush
• 0x493530 - LoadStringA
• 0x493534 - MapDialogRect
• 0x493538 - SetWindowContextHelpId
• 0x49353c - CharNextA
• 0x493540 - GetDesktopWindow
• 0x493544 - GetClassNameA
• 0x493548 - GetMenuCheckMarkDimensions
• 0x49354c - GetMenuState
• 0x493550 - SetMenuItemBitmaps
• 0x493554 - CheckMenuItem
• 0x493558 - MoveWindow
• 0x49355c - SetWindowTextA
• 0x493560 - TranslateMessage
• 0x493564 - LoadIconA
• 0x493568 - DrawFrameControl
• 0x49356c - DrawEdge
• 0x493570 - DrawFocusRect
• 0x493574 - WindowFromPoint
• 0x493578 - GetMessageA
• 0x49357c - DispatchMessageA
• 0x493580 - SetRectEmpty
• 0x493584 - RegisterClipboardFormatA
• 0x493588 - CreateIconFromResourceEx
• 0x49358c - CreateIconFromResource
• 0x493590 - DrawIconEx
• 0x493594 - CreatePopupMenu
• 0x493598 - AppendMenuA
• 0x49359c - ModifyMenuA
• 0x4935a0 - CreateMenu
• 0x4935a4 - CreateAcceleratorTableA
• 0x4935a8 - GetDlgCtrlID
• 0x4935ac - GetSubMenu
• 0x4935b0 - EnableMenuItem
• 0x4935b4 - ClientToScreen
• 0x4935b8 - EnumDisplaySettingsA
• 0x4935bc - LoadImageA
• 0x4935c0 - SystemParametersInfoA
• 0x4935c4 - ShowWindow
• 0x4935c8 - IsWindowEnabled
• 0x4935cc - TranslateAcceleratorA
• 0x4935d0 - GetKeyState
• 0x4935d4 - CopyAcceleratorTableA
• 0x4935d8 - PostQuitMessage
• 0x4935dc - IsZoomed
• 0x4935e0 - GetWindowTextA
• 0x4935e4 - GetWindowTextLengthA
• 0x4935e8 - CharUpperA
• 0x4935ec - GetWindowDC
• 0x4935f0 - BeginPaint
• 0x4935f4 - EndPaint
• 0x4935f8 - TabbedTextOutA
• 0x4935fc - DrawTextA
• 0x493600 - GrayStringA
• 0x493604 - GetDlgItem
• 0x493608 - DestroyWindow
• 0x49360c - CreateDialogIndirectParamA
• 0x493610 - EndDialog
• 0x493614 - GetNextDlgTabItem
• 0x493618 - GetWindowPlacement
• 0x49361c - RegisterWindowMessageA
• 0x493620 - GetForegroundWindow
• 0x493624 - GetLastActivePopup
• 0x493628 - GetMessageTime
• 0x49362c - RemovePropA
• 0x493630 - CallWindowProcA
• 0x493634 - GetPropA
• 0x493638 - UnhookWindowsHookEx
• 0x49363c - UnregisterClassA
• 0x493640 - GetClassLongA
• 0x493644 - CallNextHookEx
• 0x493648 - SetWindowsHookExA
• 0x49364c - CreateWindowExA
• 0x493650 - GetMenuItemID
• 0x493654 - GetMenuItemCount
• 0x493658 - RegisterClassA
• 0x49365c - GetScrollPos
• 0x493660 - AdjustWindowRectEx
• 0x493664 - MapWindowPoints
• 0x493668 - SendDlgItemMessageA
• 0x49366c - ScrollWindowEx
• 0x493670 - IsDialogMessageA
库 GDI32.dll:
• 0x493024 - SetBkColor
• 0x493028 - CreateRectRgnIndirect
• 0x49302c - SetStretchBltMode
• 0x493030 - GetClipRgn
• 0x493034 - CreatePolygonRgn
• 0x493038 - SelectClipRgn
• 0x49303c - DeleteObject
• 0x493040 - CreateDIBitmap
• 0x493044 - GetSystemPaletteEntries
• 0x493048 - CreatePalette
• 0x49304c - StretchBlt
• 0x493050 - SelectPalette
• 0x493054 - RealizePalette
• 0x493058 - GetDIBits
• 0x49305c - GetWindowExtEx
• 0x493060 - GetViewportOrgEx
• 0x493064 - GetWindowOrgEx
• 0x493068 - BeginPath
• 0x49306c - EndPath
• 0x493070 - PathToRegion
• 0x493074 - CreateEllipticRgn
• 0x493078 - CreateRoundRectRgn
• 0x49307c - GetTextColor
• 0x493080 - GetBkMode
• 0x493084 - GetBkColor
• 0x493088 - GetROP2
• 0x49308c - GetStretchBltMode
• 0x493090 - GetPolyFillMode
• 0x493094 - CreateCompatibleBitmap
• 0x493098 - CreateDCA
• 0x49309c - CreateBitmap
• 0x4930a0 - SelectObject
• 0x4930a4 - GetObjectA
• 0x4930a8 - CreatePen
• 0x4930ac - PatBlt
• 0x4930b0 - CombineRgn
• 0x4930b4 - CreateRectRgn
• 0x4930b8 - FillRgn
• 0x4930bc - CreateSolidBrush
• 0x4930c0 - GetStockObject
• 0x4930c4 - CreateFontIndirectA
• 0x4930c8 - EndPage
• 0x4930cc - EndDoc
• 0x4930d0 - DeleteDC
• 0x4930d4 - StartDocA
• 0x4930d8 - StartPage
• 0x4930dc - BitBlt
• 0x4930e0 - CreateCompatibleDC
• 0x4930e4 - Ellipse
• 0x4930e8 - Rectangle
• 0x4930ec - LPtoDP
• 0x4930f0 - DPtoLP
• 0x4930f4 - GetCurrentObject
• 0x4930f8 - RoundRect
• 0x4930fc - GetTextExtentPoint32A
• 0x493100 - GetDeviceCaps
• 0x493104 - SaveDC
• 0x493108 - RestoreDC
• 0x49310c - SetBkMode
• 0x493110 - SetPolyFillMode
• 0x493114 - SetROP2
• 0x493118 - SetTextColor
• 0x49311c - SetMapMode
• 0x493120 - SetViewportOrgEx
• 0x493124 - OffsetViewportOrgEx
• 0x493128 - SetViewportExtEx
• 0x49312c - ScaleViewportExtEx
• 0x493130 - SetWindowOrgEx
• 0x493134 - SetWindowExtEx
• 0x493138 - ScaleWindowExtEx
• 0x49313c - GetClipBox
• 0x493140 - ExcludeClipRect
• 0x493144 - MoveToEx
• 0x493148 - LineTo
• 0x49314c - GetMapMode
• 0x493150 - GetTextMetricsA
• 0x493154 - Escape
• 0x493158 - ExtTextOutA
• 0x49315c - TextOutA
• 0x493160 - RectVisible
• 0x493164 - PtVisible
• 0x493168 - GetViewportExtEx
• 0x49316c - ExtSelectClipRgn
库 WINMM.dll:
• 0x4936a4 - midiStreamRestart
• 0x4936a8 - waveOutUnprepareHeader
• 0x4936ac - waveOutPrepareHeader
• 0x4936b0 - waveOutWrite
• 0x4936b4 - waveOutPause
• 0x4936b8 - waveOutReset
• 0x4936bc - waveOutClose
• 0x4936c0 - waveOutGetNumDevs
• 0x4936c4 - waveOutOpen
• 0x4936c8 - midiOutUnprepareHeader
• 0x4936cc - midiStreamOpen
• 0x4936d0 - midiStreamProperty
• 0x4936d4 - midiOutPrepareHeader
• 0x4936d8 - midiStreamOut
• 0x4936dc - midiStreamStop
• 0x4936e0 - midiOutReset
• 0x4936e4 - midiStreamClose
库 WINSPOOL.DRV:
• 0x4936ec - OpenPrinterA
• 0x4936f0 - DocumentPropertiesA
• 0x4936f4 - ClosePrinter
库 ADVAPI32.dll:
• 0x493000 - RegCreateKeyExA
• 0x493004 - RegCloseKey
• 0x493008 - RegQueryValueA
• 0x49300c - RegSetValueExA
• 0x493010 - RegOpenKeyExA
库 SHELL32.dll:
• 0x4933e8 - ShellExecuteA
• 0x4933ec - Shell_NotifyIconA
库 ole32.dll:
• 0x493744 - CreateILockBytesOnHGlobal
• 0x493748 - CoFreeUnusedLibraries
• 0x49374c - CoRegisterMessageFilter
• 0x493750 - CoRevokeClassObject
• 0x493754 - OleFlushClipboard
• 0x493758 - OleIsCurrentClipboard
• 0x49375c - OleUninitialize
• 0x493760 - CLSIDFromString
• 0x493764 - StgCreateDocfileOnILockBytes
• 0x493768 - CoTaskMemFree
• 0x49376c - CoTaskMemAlloc
• 0x493770 - CLSIDFromProgID
• 0x493774 - OleInitialize
• 0x493778 - StgOpenStorageOnILockBytes
• 0x49377c - CoGetClassObject
库 OLEAUT32.dll:
• 0x493388 - SafeArrayUnaccessData
• 0x49338c - SafeArrayAccessData
• 0x493390 - SysAllocString
• 0x493394 - SafeArrayCreate
• 0x493398 - UnRegisterTypeLib
• 0x49339c - RegisterTypeLib
• 0x4933a0 - LoadTypeLib
• 0x4933a4 - OleCreateFontIndirect
• 0x4933a8 - SysFreeString
• 0x4933ac - SafeArrayGetLBound
• 0x4933b0 - SafeArrayGetUBound
• 0x4933b4 - VariantChangeType
• 0x4933b8 - VariantClear
• 0x4933bc - VariantCopy
• 0x4933c0 - SafeArrayGetElemsize
• 0x4933c4 - SysAllocStringByteLen
• 0x4933c8 - VariantTimeToSystemTime
• 0x4933cc - SysAllocStringLen
• 0x4933d0 - SysStringLen
• 0x4933d4 - SafeArrayGetDim
库 COMCTL32.dll:
• 0x493018 - ImageList_Destroy
• 0x49301c - None
库 oledlg.dll:
• 0x493784 - None
库 WS2_32.dll:
• 0x4936fc - inet_ntoa
• 0x493700 - recvfrom
• 0x493704 - ioctlsocket
• 0x493708 - WSAStartup
• 0x49370c - getpeername
• 0x493710 - accept
• 0x493714 - WSACleanup
• 0x493718 - select
• 0x49371c - send
• 0x493720 - closesocket
• 0x493724 - WSAAsyncSelect
• 0x493728 - recv
库 WININET.dll:
• 0x493678 - InternetCanonicalizeUrlA
• 0x49367c - InternetOpenA
• 0x493680 - InternetCloseHandle
• 0x493684 - InternetSetOptionA
• 0x493688 - InternetConnectA
• 0x49368c - InternetReadFile
• 0x493690 - HttpQueryInfoA
• 0x493694 - HttpSendRequestA
• 0x493698 - HttpOpenRequestA
• 0x49369c - InternetCrackUrlA
库 comdlg32.dll:
• 0x493730 - GetOpenFileNameA
• 0x493734 - ChooseColorA
• 0x493738 - GetFileTitleA
• 0x49373c - GetSaveFileNameA
投放文件
行为分析
互斥量(Mutexes)
- Local\MSCTF.Asm.MutexDefault1
执行的命令
无信息
创建的服务
无信息
启动的服务
无信息
进程
______.exe PID: 2036, 上一级进程 PID: 284
访问的文件
- C:\Windows\Fonts\staticcache.dat
读取的文件
- C:\Windows\Fonts\staticcache.dat
修改的文件
无信息
删除的文件
无信息
注册表键
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\ExtendedLocale
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane1
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane2
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane3
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane4
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane5
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane6
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane7
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane8
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane9
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane10
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane11
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane12
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane13
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane14
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane15
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane16
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\______.exe
- HKEY_LOCAL_MACHINE\Software\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{03B5835F-F03C-411B-9CE2-AA23E1171E36}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{07EB03D6-B001-41DF-9192-BF9B841EE71F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3697C5FA-60DD-4B56-92D4-74A569205C16}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3FC47A08-E5C9-4BCA-A2C7-BC9A282AED14}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{531FDEBF-9B4C-4A43-A2AA-960E8FCDC732}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{78CB5B0E-26ED-4FCC-854C-77E8F3D1AA80}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{81D4E9C9-1D3B-41BC-9E6C-4B40BF79E35E}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{8613E14C-D0C0-4161-AC0F-1DD2563286BC}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{A028AE76-01B1-46C2-99C4-ACD9858AE02F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{AE6BE008-07FB-400D-8BEB-337A64F7051F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{C1EE01F2-B3B6-4A6A-9DDD-E988C088EC82}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{E429B25A-E5D3-4D1F-9BE3-0C608477E3A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F25E9F57-2FC8-4EB3-A41A-CCE5F08541E6}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F89E9E58-BD2F-4008-9AC2-0F816C09F4EE}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_CURRENT_USER
- HKEY_CURRENT_USER\Keyboard Layout\Toggle
- HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
- HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
- HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\WMR
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
- HKEY_CURRENT_USER\Software\Microsoft\CTF\DirectSwitchHotkeys
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\KnownClasses
- HKEY_CURRENT_USER\Software\Microsoft\CTF\LayoutIcon\0804\00000804
读取的注册表键
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane1
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane2
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane3
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane4
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane5
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane6
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane7
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane8
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane9
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane10
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane11
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane12
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane13
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane14
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane15
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane16
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
- HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
- HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
- HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
修改的注册表键
无信息
删除的注册表键
无信息
API解析
- kernel32.dll.IsProcessorFeaturePresent
- cryptbase.dll.SystemFunction036
- comctl32.dll.RegisterClassNameW
- uxtheme.dll.OpenThemeData
- imm32.dll.ImmIsIME
- gdi32.dll.GetLayout
- gdi32.dll.GdiRealizationInfo
- gdi32.dll.FontIsLinked
- advapi32.dll.RegOpenKeyExW
- advapi32.dll.RegQueryInfoKeyW
- gdi32.dll.GetTextFaceAliasW
- advapi32.dll.RegEnumValueW
- advapi32.dll.RegCloseKey
- advapi32.dll.RegQueryValueExW
- advapi32.dll.RegQueryValueExA
- advapi32.dll.RegEnumKeyExW
- gdi32.dll.GetTextExtentExPointWPri
- urlmon.dll.#414
- uxtheme.dll.EnableThemeDialogTexture
- rasapi32.dll.RasConnectionNotificationW
- sechost.dll.NotifyServiceStatusChangeA
- ole32.dll.CoInitializeEx
- ole32.dll.CoUninitialize
- ole32.dll.CoRegisterInitializeSpy
- ole32.dll.CoRevokeInitializeSpy
- imm32.dll.ImmGetContext
- imm32.dll.ImmLockIMC
- imm32.dll.ImmUnlockIMC
- imm32.dll.ImmReleaseContext
- imm32.dll.ImmSetCompositionFontW
- imm32.dll.ImmGetCompositionWindow
- imm32.dll.ImmSetCompositionWindow
- uxtheme.dll.BufferedPaintInit
- uxtheme.dll.BeginBufferedPaint
- uxtheme.dll.EndBufferedPaint
- oleaut32.dll.SysAllocString
- oleaut32.dll.SysStringLen
- oleaut32.dll.SysFreeString