Maldun (魔盾) Security Analysis Report

Analysis type FILE
Start time 2019-09-16 15:42:58
End time 2019-09-16 15:45:15
Duration 137 seconds
Analysis engine version 1.4-Maldun
VM name win7-sp1-x64-hpdapp01-1
Label win7-sp1-x64-hpdapp01-1
Hypervisor KVM
VM started 2019-09-16 15:43:08
VM shut down 2019-09-16 15:45:16
Maldun score 3.5 (Suspicious)

File details

File name Notepad2-mod_4.2.25r998_x64_CN.exe
File size 3250480 bytes
File type PE32+ executable (GUI) x86-64, for MS Windows
CRC32 E7863F4D
MD5 0bc98e71e1bfed4e2dd6b25b1610c81f
SHA1 960cc16ae84b32bf9d82c0d6fb247c0035e4b3da
SHA256 94908e56b2c641041ec4dc750e5c60793af9355ccc8e7b45f9d0e247f6cc9919
SHA512 dd7e9748ec18e7a19ca5e47b9b0085e9130679f19850a2959fa3ec7a01fd74bdbdcb985630b202c0e8c6bed3c9dc67276e8eff6540100285e8cf9d325f068d2f
Ssdeep 49152:E3tK5KGuGYfjDuScm/PCZqZR/6AMOnOro/Tyh:6qScXFONyh
PEiD no match
YARA
  • DebuggerTiming__PerformanceCounter ()
  • DebuggerTiming__Ticks (Detected timing ticks function)
  • anti_dbg (Checks if being debugged)
  • screenshot (Detected take screenshot function)
  • create_process (Detection function for creating a new process)
  • keylogger (Detected keylogger function)
  • win_token (Affect system token)
  • win_files_operation (Affect private profile)
  • Maldun_Anomoly_Combined_Activities_7 (Spotted potential malicious behaviors from a small-size target, such as process manipulation, privilege, token and file operations)
  • with_urls (Detected the presence of one or several URLs)
  • Borland (Detects Borland program)
  • powershell ()
  • IsPE64 (Detected 64bit PE signature)
  • IsWindowsGUI (Detected Windows GUI signature)
  • HasOverlay (Detected Overlay signature)
  • HasDigitalSignature (Detected Digital Signature)
  • HasDebugData (Detected Debug Data)
  • HasRichSignature (Detected Rich Signature)
Note: the capability hits in this list (anti_dbg, the two DebuggerTiming rules, screenshot, create_process, keylogger, win_token, win_files_operation) are import/string heuristics, and each has an ordinary Win32 import in the import table below that would satisfy it: IsDebuggerPresent, QueryPerformanceCounter and GetTickCount, BitBlt and GetDC, CreateProcessW, GetKeyState, OpenProcessToken and GetTokenInformation, and the Get/WritePrivateProfile* family. All of these are normal for a GUI text editor. The Borland hit also sits oddly next to the VS2017 PDB path and the Rich header, both MSVC artefacts. Read the list as context for the 1/67 VirusTotal result, not as a verdict.
VirusTotal VirusTotal link
VirusTotal scan time: 2019-04-11 23:03:16
Scan result: 1/67

Signatures

Maldun Security YARA rule detection results - security alert
The file was flagged as malicious by at least one antivirus engine on VirusTotal
eGambit: PE.Heur.InvalidSig

Runtime screenshots

Network analysis

No information

Static analysis

PE information

Image base 0x140000000
Entry point 0x140145314
Claimed checksum 0x00328db6
Computed checksum 0x00328db6
Minimum OS version required 5.2
PDB path H:\progs\Compiling\notepad2-mod\bin\VS2017\Release_x64\Notepad2.pdb
Compile time 2017-08-06 16:34:34
Import hash (imphash) c3d1385a8f588bad56cb559a9fe747c4
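The two checksum lines above are the CheckSum field claimed in the optional header and the value the analyser recomputed over the file; here they agree. The Python below is an added worked example, not Maldun's code, that performs the same comparison: it locates the CheckSum field via e_lfanew and the optional header, sums the image as 32-bit words with end-around carry while skipping the field itself, folds the sum to 16 bits and adds the file length (the documented CheckSumMappedFile algorithm). The 256-byte PE32+ header stub it runs on is constructed inline and is not the analysed binary. One caveat a practitioner should keep in mind: this checksum is a corruption check, not an integrity control. Whoever modifies a file can recompute it, so a match says nothing about tampering, and a mismatch only means the image was altered without the header being updated, which is common after manual patching or packing.

```python
"""Recompute and verify the PE optional-header CheckSum.

Added example for this report, not the analyser's code. The algorithm is
the one imagehlp's CheckSumMappedFile implements; the sample image is a
hand-built header stub, not the analysed Notepad2-mod binary."""
import struct


def checksum_field_offset(data: bytes) -> int:
    """e_lfanew -> 'PE\\0\\0' -> 20-byte COFF header -> optional header.
    The CheckSum field sits at optional header + 64 in both PE32 and PE32+."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt_hdr = e_lfanew + 4 + 20
    magic = struct.unpack_from("<H", data, opt_hdr)[0]
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    return opt_hdr + 64


def pe_checksum(data: bytes) -> int:
    """Sum all dwords except the CheckSum field with end-around carry,
    fold to 16 bits, then add the (unpadded) file length."""
    skip = checksum_field_offset(data) // 4
    padded = data + b"\0" * (-len(data) % 4)  # pad the tail for summation only
    total = 0
    for i in range(len(padded) // 4):
        if i == skip:
            continue
        total += struct.unpack_from("<I", padded, i * 4)[0]
        if total >= 1 << 32:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)


def claimed_checksum(data: bytes) -> int:
    return struct.unpack_from("<I", data, checksum_field_offset(data))[0]


def checksum_matches(data: bytes) -> bool:
    return claimed_checksum(data) == pe_checksum(data)


def set_checksum(data: bytes, value: int) -> bytes:
    buf = bytearray(data)
    struct.pack_into("<I", buf, checksum_field_offset(data), value)
    return bytes(buf)


def build_sample_image() -> bytes:
    """Constructed 256-byte PE32+ header stub: enough for the checksum
    walk, not a loadable image. The claimed CheckSum is deliberately bogus."""
    buf = bytearray(256)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)              # e_lfanew
    buf[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", buf, 0x44, 0x8664)            # Machine: x86-64
    struct.pack_into("<H", buf, 0x58, 0x20B)             # Magic: PE32+
    struct.pack_into("<I", buf, 0x58 + 64, 0xDEADBEEF)   # bogus CheckSum
    return bytes(buf)


if __name__ == "__main__":
    img = build_sample_image()
    print("claimed 0x%08x computed 0x%08x match=%s"
          % (claimed_checksum(img), pe_checksum(img), checksum_matches(img)))
    fixed = set_checksum(img, pe_checksum(img))
    print("after rewriting the field: match=%s" % checksum_matches(fixed))
```

Run it against a real file by replacing `build_sample_image()` with the file's bytes; on the analysed sample both functions should return 0x00328db6, matching the two lines above.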

Version information

LegalCopyright: © Florian Balmer 2004-2017
InternalName: Notepad2-mod
FileVersion: 4.2.25.998
CompanyName: Florian Balmer et al.
Comments: Notepad2-mod
ProductName: Notepad2-mod
ProductVersion: 4.2.25.998
FileDescription: Notepad2-mod
OriginalFilename: Notepad2.exe
Translation: 0x0804 0x04b0

PE sections

Name | Virtual address | Virtual size | Raw data size | Characteristics | Entropy
.text 0x00001000 0x001872d4 0x00187400 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 6.56
.data 0x00189000 0x00033e8c 0x0002aa00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 0.86
.pdata 0x001bd000 0x0000c960 0x0000ca00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 6.13
.idata 0x001ca000 0x00003f4c 0x00004000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 4.78
.rsrc 0x001ce000 0x00150e7d 0x00151000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 4.24
.reloc 0x0031f000 0x00002348 0x00002400 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ 5.42

Imports

Library COMCTL32.dll:
0x1401ca020 - ImageList_Destroy
0x1401ca028 - (unnamed import, by ordinal)
0x1401ca030 - ImageList_Create
0x1401ca038 - CreateStatusWindowW
0x1401ca040 - InitCommonControlsEx
0x1401ca048 - ImageList_AddMasked
Library SHLWAPI.dll:
0x1401ca798 - StrCpyW
0x1401ca7a0 - UrlEscapeW
0x1401ca7a8 - StrNCatW
0x1401ca7b0 - StrDupA
0x1401ca7b8 - PathGetDriveNumberW
0x1401ca7c0 - StrCmpNIW
0x1401ca7c8 - PathRelativePathToW
0x1401ca7d0 - PathIsPrefixW
0x1401ca7d8 - PathUnExpandEnvStringsW
0x1401ca7e0 - PathIsRootW
0x1401ca7e8 - PathCanonicalizeW
0x1401ca7f0 - PathIsRelativeW
0x1401ca7f8 - PathAppendW
0x1401ca800 - StrChrIW
0x1401ca808 - PathFindExtensionW
0x1401ca810 - PathCommonPrefixW
0x1401ca818 - StrCmpNIA
0x1401ca820 - StrStrW
0x1401ca828 - PathStripToRootW
0x1401ca830 - PathCompactPathExW
0x1401ca838 - StrFormatByteSizeW
0x1401ca840 - StrRChrW
0x1401ca848 - PathRenameExtensionW
0x1401ca850 - StrStrIW
0x1401ca858 - StrCatBuffW
0x1401ca860 - PathIsUNCW
0x1401ca868 - StrChrW
0x1401ca870 - StrTrimW
0x1401ca878 - PathFileExistsW
0x1401ca880 - SHAutoComplete
0x1401ca888 - PathRemoveFileSpecW
0x1401ca890 - PathFindFileNameW
0x1401ca898 - PathQuoteSpacesW
0x1401ca8a0 - StrTrimA
0x1401ca8a8 - StrCatW
0x1401ca8b0 - StrStrA
0x1401ca8b8 - StrCatBuffA
0x1401ca8c0 - StrCmpNA
0x1401ca8c8 - UrlUnescapeW
0x1401ca8d0 - StrChrA
0x1401ca8d8 - StrStrIA
0x1401ca8e0 - StrDupW
0x1401ca8e8 - StrCmpW
0x1401ca8f0 - StrCpyNW
0x1401ca8f8 - StrCmpIW
0x1401ca900 - StrChrIA
0x1401ca908 - StrRetToBufW
0x1401ca910 - PathMatchSpecW
0x1401ca918 - PathIsDirectoryW
0x1401ca920 - PathUnquoteSpacesW
Library KERNEL32.dll:
0x1401ca258 - CloseHandle
0x1401ca260 - CreateThread
0x1401ca268 - ResetEvent
0x1401ca270 - GetCurrentDirectoryW
0x1401ca278 - LocalFree
0x1401ca280 - lstrcpyW
0x1401ca288 - lstrcmpiW
0x1401ca290 - lstrcmpW
0x1401ca298 - ReadFile
0x1401ca2a0 - GetOEMCP
0x1401ca2a8 - GetCPInfo
0x1401ca2b0 - WriteFile
0x1401ca2b8 - SetEndOfFile
0x1401ca2c0 - lstrlenA
0x1401ca2c8 - CreateFileW
0x1401ca2d0 - lstrcmpA
0x1401ca2d8 - lstrcatA
0x1401ca2e0 - GetACP
0x1401ca2e8 - IsValidCodePage
0x1401ca2f0 - MultiByteToWideChar
0x1401ca2f8 - GetLastError
0x1401ca300 - GlobalSize
0x1401ca308 - lstrcpyA
0x1401ca310 - LocalSize
0x1401ca318 - GetProcAddress
0x1401ca320 - GlobalLock
0x1401ca328 - GetFileSize
0x1401ca330 - LCMapStringW
0x1401ca338 - lstrcpynA
0x1401ca340 - GetModuleHandleW
0x1401ca348 - WideCharToMultiByte
0x1401ca350 - lstrcmpiA
0x1401ca358 - GetTickCount
0x1401ca360 - GlobalUnlock
0x1401ca368 - SizeofResource
0x1401ca370 - GetLongPathNameW
0x1401ca378 - GetCurrentProcess
0x1401ca380 - ExpandEnvironmentStringsW
0x1401ca388 - GetPrivateProfileSectionW
0x1401ca390 - GetLocaleInfoW
0x1401ca398 - GetModuleHandleA
0x1401ca3a0 - FreeResource
0x1401ca3a8 - GetModuleFileNameW
0x1401ca3b0 - LoadResource
0x1401ca3b8 - FindResourceW
0x1401ca3c0 - GetWindowsDirectoryW
0x1401ca3c8 - WritePrivateProfileSectionW
0x1401ca3d0 - MulDiv
0x1401ca3d8 - GetStartupInfoW
0x1401ca3e0 - CompareFileTime
0x1401ca3e8 - FindFirstFileW
0x1401ca3f0 - SearchPathW
0x1401ca3f8 - GetCommandLineW
0x1401ca400 - SetErrorMode
0x1401ca408 - FindClose
0x1401ca410 - GlobalFree
0x1401ca418 - GetVersion
0x1401ca420 - SetFileAttributesW
0x1401ca428 - GetPrivateProfileStringW
0x1401ca430 - FindCloseChangeNotification
0x1401ca438 - LoadLibraryW
0x1401ca440 - GetLocalTime
0x1401ca448 - FindNextChangeNotification
0x1401ca450 - SetCurrentDirectoryW
0x1401ca458 - GetTimeFormatW
0x1401ca460 - CreateProcessW
0x1401ca468 - FreeLibrary
0x1401ca470 - GetDateFormatW
0x1401ca478 - ExitProcess
0x1401ca480 - GetModuleFileNameA
0x1401ca488 - GetStdHandle
0x1401ca490 - RaiseException
0x1401ca498 - RtlPcToFileHeader
0x1401ca4a0 - RtlUnwindEx
0x1401ca4a8 - TlsFree
0x1401ca4b0 - TlsSetValue
0x1401ca4b8 - TlsGetValue
0x1401ca4c0 - TlsAlloc
0x1401ca4c8 - InitializeCriticalSectionAndSpinCount
0x1401ca4d0 - SetLastError
0x1401ca4d8 - CompareStringW
0x1401ca4e0 - DecodePointer
0x1401ca4e8 - EncodePointer
0x1401ca4f0 - GetStringTypeW
0x1401ca4f8 - IsDebuggerPresent
0x1401ca500 - InitializeSListHead
0x1401ca508 - GetSystemTimeAsFileTime
0x1401ca510 - GetCurrentThreadId
0x1401ca518 - GetCurrentProcessId
0x1401ca520 - IsProcessorFeaturePresent
0x1401ca528 - TerminateProcess
0x1401ca530 - SetUnhandledExceptionFilter
0x1401ca538 - UnhandledExceptionFilter
0x1401ca540 - RtlVirtualUnwind
0x1401ca548 - RtlLookupFunctionEntry
0x1401ca550 - RtlCaptureContext
0x1401ca558 - LoadLibraryExW
0x1401ca560 - QueryPerformanceCounter
0x1401ca568 - DeleteCriticalSection
0x1401ca570 - QueryPerformanceFrequency
0x1401ca578 - LoadLibraryA
0x1401ca580 - InitializeCriticalSection
0x1401ca588 - LeaveCriticalSection
0x1401ca590 - EnterCriticalSection
0x1401ca598 - Sleep
0x1401ca5a0 - GetLocaleInfoA
0x1401ca5a8 - WriteConsoleW
0x1401ca5b0 - SetFilePointerEx
0x1401ca5b8 - GlobalAlloc
0x1401ca5c0 - lstrcatW
0x1401ca5c8 - SetEvent
0x1401ca5d0 - FormatMessageW
0x1401ca5d8 - CreateEventW
0x1401ca5e0 - ExitThread
0x1401ca5e8 - GetFileAttributesW
0x1401ca5f0 - LocalAlloc
0x1401ca5f8 - FindFirstChangeNotificationW
0x1401ca600 - WaitForSingleObject
0x1401ca608 - GetPrivateProfileIntW
0x1401ca610 - lstrcpynW
0x1401ca618 - lstrlenW
0x1401ca620 - WritePrivateProfileStringW
0x1401ca628 - GetModuleHandleExW
0x1401ca630 - HeapAlloc
0x1401ca638 - HeapFree
0x1401ca640 - HeapReAlloc
0x1401ca648 - GetFileType
0x1401ca650 - GetTimeZoneInformation
0x1401ca658 - IsValidLocale
0x1401ca660 - GetUserDefaultLCID
0x1401ca668 - EnumSystemLocalesW
0x1401ca670 - FindFirstFileExA
0x1401ca678 - FindNextFileA
0x1401ca680 - GetCommandLineA
0x1401ca688 - GetEnvironmentStringsW
0x1401ca690 - FreeEnvironmentStringsW
0x1401ca698 - SetEnvironmentVariableA
0x1401ca6a0 - SetStdHandle
0x1401ca6a8 - GetProcessHeap
0x1401ca6b0 - HeapSize
0x1401ca6b8 - GetConsoleMode
0x1401ca6c0 - FlushFileBuffers
0x1401ca6c8 - GetConsoleCP
0x1401ca6d0 - LockResource
Library USER32.dll:
0x1401ca930 - InvalidateRect
0x1401ca938 - ReleaseDC
0x1401ca940 - GetWindowLongW
0x1401ca948 - IsCharLowerW
0x1401ca950 - GetSystemMenu
0x1401ca958 - GetKeyState
0x1401ca960 - CharUpperW
0x1401ca968 - CharLowerW
0x1401ca970 - DestroyWindow
0x1401ca978 - CreateWindowExW
0x1401ca980 - wsprintfA
0x1401ca988 - GetActiveWindow
0x1401ca990 - OpenClipboard
0x1401ca998 - GetCapture
0x1401ca9a0 - CloseClipboard
0x1401ca9a8 - IsCharLowerA
0x1401ca9b0 - EmptyClipboard
0x1401ca9b8 - SetForegroundWindow
0x1401ca9c0 - SystemParametersInfoW
0x1401ca9c8 - CreateDialogIndirectParamW
0x1401ca9d0 - SetRect
0x1401ca9d8 - CharUpperBuffW
0x1401ca9e0 - GetClientRect
0x1401ca9e8 - GetMenuStringW
0x1401ca9f0 - IsWindowEnabled
0x1401ca9f8 - DialogBoxIndirectParamW
0x1401caa00 - MapWindowPoints
0x1401caa08 - GetMonitorInfoW
0x1401caa10 - SetWindowTextW
0x1401caa18 - GetSystemMetrics
0x1401caa20 - SetActiveWindow
0x1401caa28 - MonitorFromRect
0x1401caa30 - SetWindowPos
0x1401caa38 - GetDC
0x1401caa40 - GetMenu
0x1401caa48 - GetWindowRect
0x1401caa50 - FindWindowExW
0x1401caa58 - AdjustWindowRectEx
0x1401caa60 - DestroyCursor
0x1401caa68 - SetCapture
0x1401caa70 - GetCaretBlinkTime
0x1401caa78 - GetMessageW
0x1401caa80 - DefWindowProcW
0x1401caa88 - GetSysColor
0x1401caa90 - SetFocus
0x1401caa98 - CharNextW
0x1401caaa0 - GetClipboardData
0x1401caaa8 - LoadCursorW
0x1401caab0 - InsertMenuW
0x1401caab8 - SetClipboardData
0x1401caac0 - LoadMenuW
0x1401caac8 - IsClipboardFormatAvailable
0x1401caad0 - GetSysColorBrush
0x1401caad8 - CharLowerA
0x1401caae0 - IsCharAlphaNumericA
0x1401caae8 - ReleaseCapture
0x1401caaf0 - SetCursorPos
0x1401caaf8 - ChildWindowFromPoint
0x1401cab00 - IsCharUpperW
0x1401cab08 - GetCursorPos
0x1401cab10 - GetParent
0x1401cab18 - GetWindowTextLengthW
0x1401cab20 - PostMessageW
0x1401cab28 - GetFocus
0x1401cab30 - CheckRadioButton
0x1401cab38 - GetPropW
0x1401cab40 - MessageBoxExW
0x1401cab48 - SetWindowLongPtrW
0x1401cab50 - SendMessageW
0x1401cab58 - EndDialog
0x1401cab60 - RemovePropW
0x1401cab68 - MessageBeep
0x1401cab70 - GetWindowLongPtrW
0x1401cab78 - LoadStringW
0x1401cab80 - ShowWindow
0x1401cab88 - BeginDeferWindowPos
0x1401cab90 - DispatchMessageW
0x1401cab98 - wvsprintfW
0x1401caba0 - CharPrevW
0x1401caba8 - PeekMessageW
0x1401cabb0 - SetDlgItemTextW
0x1401cabb8 - GetDlgItemTextW
0x1401cabc0 - SendDlgItemMessageW
0x1401cabc8 - MessageBoxIndirectW
0x1401cabd0 - IsDlgButtonChecked
0x1401cabd8 - IsCharAlphaNumericW
0x1401cabe0 - SetPropW
0x1401cabe8 - TranslateMessage
0x1401cabf0 - LoadIconW
0x1401cabf8 - EndDeferWindowPos
0x1401cac00 - wsprintfW
0x1401cac08 - GetDlgItemInt
0x1401cac10 - GetDlgItem
0x1401cac18 - CheckDlgButton
0x1401cac20 - SetDlgItemInt
0x1401cac28 - LoadImageW
0x1401cac30 - EnableWindow
0x1401cac38 - ShowWindowAsync
0x1401cac40 - CheckMenuRadioItem
0x1401cac48 - IsWindowVisible
0x1401cac50 - EqualRect
0x1401cac58 - SetClipboardViewer
0x1401cac60 - MessageBoxW
0x1401cac68 - CopyImage
0x1401cac70 - ShowOwnedPopups
0x1401cac78 - ScreenToClient
0x1401cac80 - UnregisterClassW
0x1401cac88 - GetWindowPlacement
0x1401cac90 - LoadAcceleratorsW
0x1401cac98 - TrackPopupMenu
0x1401caca0 - GetSubMenu
0x1401caca8 - IsWindow
0x1401cacb0 - OffsetRect
0x1401cacb8 - SetTimer
0x1401cacc0 - IsDialogMessageW
0x1401cacc8 - ChangeClipboardChain
0x1401cacd0 - GetDlgCtrlID
0x1401cacd8 - ClientToScreen
0x1401cace0 - IsChild
0x1401cace8 - RegisterClassW
0x1401cacf0 - SetWindowPlacement
0x1401cacf8 - CountClipboardFormats
0x1401cad00 - GetDoubleClickTime
0x1401cad08 - SetMenuDefaultItem
0x1401cad10 - GetForegroundWindow
0x1401cad18 - EnumWindows
0x1401cad20 - DestroyMenu
0x1401cad28 - IntersectRect
0x1401cad30 - EndPaint
0x1401cad38 - BeginPaint
0x1401cad40 - PtInRect
0x1401cad48 - ShowCaret
0x1401cad50 - AppendMenuA
0x1401cad58 - SetWindowLongW
0x1401cad60 - DestroyCaret
0x1401cad68 - GetMessageTime
0x1401cad70 - GetKeyboardLayout
0x1401cad78 - TrackMouseEvent
0x1401cad80 - CreateCaret
0x1401cad88 - SetCaretPos
0x1401cad90 - RegisterClassExW
0x1401cad98 - MsgWaitForMultipleObjects
0x1401cada0 - GetScrollInfo
0x1401cada8 - NotifyWinEvent
0x1401cadb0 - HideCaret
0x1401cadb8 - GetUpdateRgn
0x1401cadc0 - RegisterClipboardFormatW
0x1401cadc8 - SetScrollInfo
0x1401cadd0 - DrawTextW
0x1401cadd8 - SystemParametersInfoA
0x1401cade0 - FrameRect
0x1401cade8 - CreateIconIndirect
0x1401cadf0 - DrawTextA
0x1401cadf8 - CreatePopupMenu
0x1401cae00 - GetIconInfo
0x1401cae08 - FillRect
0x1401cae10 - InflateRect
0x1401cae18 - MonitorFromPoint
0x1401cae20 - CallWindowProcW
0x1401cae28 - TranslateAcceleratorW
0x1401cae30 - GetMenuState
0x1401cae38 - TrackPopupMenuEx
0x1401cae40 - CheckMenuItem
0x1401cae48 - IsZoomed
0x1401cae50 - KillTimer
0x1401cae58 - PostQuitMessage
0x1401cae60 - EnableMenuItem
0x1401cae68 - RegisterWindowMessageW
0x1401cae70 - UpdateWindow
0x1401cae78 - IsIconic
0x1401cae80 - DrawAnimatedRects
0x1401cae88 - SetCursor
0x1401cae90 - DeferWindowPos
0x1401cae98 - GetClassNameW
Library GDI32.dll:
0x1401ca090 - GetTextExtentExPointA
0x1401ca098 - CreatePatternBrush
0x1401ca0a0 - Rectangle
0x1401ca0a8 - Polygon
0x1401ca0b0 - Ellipse
0x1401ca0b8 - CreateSolidBrush
0x1401ca0c0 - RoundRect
0x1401ca0c8 - IntersectClipRect
0x1401ca0d0 - CreateRectRgn
0x1401ca0d8 - CreateBitmap
0x1401ca0e0 - CombineRgn
0x1401ca0e8 - GetStockObject
0x1401ca0f0 - SetBkMode
0x1401ca0f8 - SetTextColor
0x1401ca100 - BitBlt
0x1401ca108 - TranslateCharsetInfo
0x1401ca110 - SetMapMode
0x1401ca118 - StretchBlt
0x1401ca120 - GetDeviceCaps
0x1401ca128 - EnumFontsW
0x1401ca130 - EndPage
0x1401ca138 - DPtoLP
0x1401ca140 - StartDocW
0x1401ca148 - ExtTextOutW
0x1401ca150 - SetTextAlign
0x1401ca158 - SetBkColor
0x1401ca160 - MoveToEx
0x1401ca168 - CreatePen
0x1401ca170 - LineTo
0x1401ca178 - DeleteDC
0x1401ca180 - GetTextMetricsW
0x1401ca188 - CreateFontW
0x1401ca190 - EndDoc
0x1401ca198 - StartPage
0x1401ca1a0 - GetTextExtentExPointW
0x1401ca1a8 - CreateCompatibleDC
0x1401ca1b0 - GetTextExtentPoint32A
0x1401ca1b8 - CreateDIBSection
0x1401ca1c0 - ExtTextOutA
0x1401ca1c8 - GetTextExtentPoint32W
0x1401ca1d0 - CreateCompatibleBitmap
0x1401ca1d8 - GetNearestColor
0x1401ca1e0 - GetObjectW
0x1401ca1e8 - DeleteObject
0x1401ca1f0 - SelectObject
0x1401ca1f8 - CreateFontIndirectW
Library COMDLG32.dll:
0x1401ca058 - ChooseFontW
0x1401ca060 - PageSetupDlgW
0x1401ca068 - PrintDlgW
0x1401ca070 - GetSaveFileNameW
0x1401ca078 - GetOpenFileNameW
0x1401ca080 - ChooseColorW
Library ADVAPI32.dll:
0x1401ca000 - GetTokenInformation
0x1401ca008 - OpenProcessToken
0x1401ca010 - IsTextUnicode
Library SHELL32.dll:
0x1401ca708 - ShellExecuteW
0x1401ca710 - SHBrowseForFolderW
0x1401ca718 - ShellExecuteExW
0x1401ca720 - SHGetPathFromIDListW
0x1401ca728 - SHGetDataFromIDListW
0x1401ca730 - SHGetDesktopFolder
0x1401ca738 - (unnamed import, by ordinal)
0x1401ca740 - SHAppBarMessage
0x1401ca748 - SHGetFolderPathW
0x1401ca750 - SHAddToRecentDocs
0x1401ca758 - SHGetSpecialFolderPathW
0x1401ca760 - DragQueryFileW
0x1401ca768 - Shell_NotifyIconW
0x1401ca770 - SHCreateDirectoryExW
0x1401ca778 - DragAcceptFiles
0x1401ca780 - DragFinish
0x1401ca788 - SHGetFileInfoW
Library ole32.dll:
0x1401caea8 - OleInitialize
0x1401caeb0 - OleUninitialize
0x1401caeb8 - CoCreateInstance
0x1401caec0 - CoTaskMemAlloc
0x1401caec8 - CoTaskMemFree
0x1401caed0 - DoDragDrop
0x1401caed8 - RegisterDragDrop
0x1401caee0 - RevokeDragDrop
0x1401caee8 - CLSIDFromProgID
0x1401caef0 - CoUninitialize
0x1401caef8 - CoInitialize
Library IMM32.dll:
0x1401ca208 - ImmNotifyIME
0x1401ca210 - ImmSetCompositionStringW
0x1401ca218 - ImmEscapeW
0x1401ca220 - ImmGetCompositionStringW
0x1401ca228 - ImmSetCompositionWindow
0x1401ca230 - ImmSetCompositionFontW
0x1401ca238 - ImmReleaseContext
0x1401ca240 - ImmGetContext
0x1401ca248 - ImmSetCandidateWindow
Library MSIMG32.dll:
0x1401ca6e0 - AlphaBlend
Library OLEAUT32.dll:
0x1401ca6f0 - SysFreeString
0x1401ca6f8 - SysAllocString

Dropped files

No information

Behavioral analysis

Mutexes
  • Local\MSCTF.Asm.MutexDefault1
Executed commands: no information
Created services: no information
Started services: no information

Processes

Notepad2-mod_4.2.25r998_x64_CN.exe PID: 2488, parent PID: 2332

Files accessed
  • C:\Users\test\AppData\Local\Temp\api-ms-win-core-localization-l1-2-1.DLL
  • C:\Windows\sysnative\api-ms-win-core-localization-l1-2-1.DLL
  • C:\Windows\system\api-ms-win-core-localization-l1-2-1.DLL
  • C:\Windows\api-ms-win-core-localization-l1-2-1.DLL
  • C:\ProgramData\Oracle\Java\javapath\api-ms-win-core-localization-l1-2-1.DLL
  • C:\Windows\sysnative\wbem\api-ms-win-core-localization-l1-2-1.DLL
  • C:\Windows\sysnative\WindowsPowerShell\v1.0\api-ms-win-core-localization-l1-2-1.DLL
  • C:\Program Files (x86)\WinRAR\api-ms-win-core-localization-l1-2-1.DLL
  • C:\Windows\sysnative\C_437.NLS
  • C:\Users\test\AppData\Local\Temp\Notepad2-mod_4.2.25r998_x64_CN.ini
  • C:\Users\test\AppData\Roaming\Notepad2-mod_4.2.25r998_x64_CN.ini
  • C:\Windows\sysnative\Notepad2-mod_4.2.25r998_x64_CN.ini
  • C:\Windows\system\Notepad2-mod_4.2.25r998_x64_CN.ini
  • C:\Windows\Notepad2-mod_4.2.25r998_x64_CN.ini
  • C:\ProgramData\Oracle\Java\javapath\Notepad2-mod_4.2.25r998_x64_CN.ini
  • C:\Windows\sysnative\wbem\Notepad2-mod_4.2.25r998_x64_CN.ini
  • C:\Windows\sysnative\WindowsPowerShell\v1.0\Notepad2-mod_4.2.25r998_x64_CN.ini
  • C:\Program Files (x86)\WinRAR\Notepad2-mod_4.2.25r998_x64_CN.ini
  • C:\Users\test\AppData\Local\Temp\Notepad2.ini
  • C:\Users\test\AppData\Roaming\Notepad2.ini
  • C:\Windows\sysnative\Notepad2.ini
  • C:\Windows\system\Notepad2.ini
  • C:\Windows\Notepad2.ini
  • C:\ProgramData\Oracle\Java\javapath\Notepad2.ini
  • C:\Windows\sysnative\wbem\Notepad2.ini
  • C:\Windows\sysnative\WindowsPowerShell\v1.0\Notepad2.ini
  • C:\Program Files (x86)\WinRAR\Notepad2.ini
  • C:\Windows\
  • \Device\KsecDD
  • C:\Windows\Fonts\staticcache.dat
Files read
  • C:\Windows\
  • \Device\KsecDD
  • C:\Windows\Fonts\staticcache.dat
Files modified: no information
Files deleted: no information
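The accessed-file list above shows the same name being tried in one directory after another: the Temp directory the sample was launched from, then sysnative (the 32-bit monitor's view of System32), System, Windows, and finally the PATH entries (the Oracle javapath, wbem, WindowsPowerShell and WinRAR directories). That is the loader's DLL search order, and the Notepad2 .ini lookups (SearchPathW is in the import table) walk the same list. A probe sequence that runs all the way through PATH means the name was not satisfied by the application or system directories, so a file planted under that name in an earlier, writable directory would be picked up first. The Python below is an added example, not part of the report: it groups a constructed subset of the paths above by file name and flags every name whose last probe landed outside the application and system directories. The directory classes are assumptions stated in the code; whether a flagged location is actually writable by a less privileged user is something a sandbox log cannot tell you and has to be checked on the target.

```python
"""Search-order triage of a sandbox "files accessed" list.

Added example for this report, not Maldun's code. ACCESSED is a constructed
subset of the paths the report lists, in the observed order. Assumptions:
the sample was launched from the user's Temp directory, so that is the
application directory the loader searches first; C:\\Windows\\sysnative is
System32 as seen by a 32-bit monitor; every other directory is treated as a
PATH entry or an application-specific location (e.g. %APPDATA%)."""
import ntpath

APP_DIR = r"C:\Users\test\AppData\Local\Temp"
# Directories the loader consults before the current directory and PATH.
SYSTEM_DIRS = {r"c:\windows\sysnative", r"c:\windows\system32",
               r"c:\windows\system", r"c:\windows"}

ACCESSED = [  # constructed from the report's list above
    r"C:\Users\test\AppData\Local\Temp\api-ms-win-core-localization-l1-2-1.DLL",
    r"C:\Windows\sysnative\api-ms-win-core-localization-l1-2-1.DLL",
    r"C:\Windows\system\api-ms-win-core-localization-l1-2-1.DLL",
    r"C:\Windows\api-ms-win-core-localization-l1-2-1.DLL",
    r"C:\ProgramData\Oracle\Java\javapath\api-ms-win-core-localization-l1-2-1.DLL",
    r"C:\Windows\sysnative\wbem\api-ms-win-core-localization-l1-2-1.DLL",
    r"C:\Windows\sysnative\WindowsPowerShell\v1.0\api-ms-win-core-localization-l1-2-1.DLL",
    r"C:\Program Files (x86)\WinRAR\api-ms-win-core-localization-l1-2-1.DLL",
    r"C:\Windows\sysnative\C_437.NLS",
    r"C:\Users\test\AppData\Local\Temp\Notepad2.ini",
    r"C:\Users\test\AppData\Roaming\Notepad2.ini",
    r"C:\Windows\sysnative\Notepad2.ini",
    r"C:\Windows\system\Notepad2.ini",
    r"C:\Windows\Notepad2.ini",
    r"C:\ProgramData\Oracle\Java\javapath\Notepad2.ini",
    r"C:\Windows\sysnative\wbem\Notepad2.ini",
    r"C:\Windows\sysnative\WindowsPowerShell\v1.0\Notepad2.ini",
    r"C:\Program Files (x86)\WinRAR\Notepad2.ini",
    "C:\\Windows\\",
    r"\Device\KsecDD",
    r"C:\Windows\Fonts\staticcache.dat",
]


def classify(directory: str) -> str:
    """'app' (launch directory), 'system' (loader's trusted dirs) or 'other'."""
    d = directory.lower().rstrip("\\")
    if d == APP_DIR.lower():
        return "app"
    if d in SYSTEM_DIRS:
        return "system"
    return "other"


def probe_groups(paths):
    """Group accesses by file name (case-insensitive), keeping probe order."""
    groups = {}
    for p in paths:
        directory, name = ntpath.split(p)
        if name:  # skip bare directory opens such as "C:\Windows\"
            groups.setdefault(name.lower(), []).append(directory)
    return groups


def triage(paths):
    """One finding per name probed in more than one directory. A name whose
    last probe is in an 'other' directory was either never found (the search
    ran through PATH) or satisfied from a location the loader trusts less;
    both are worth a look for planted-DLL or planted-config exposure."""
    findings = []
    for name, dirs in probe_groups(paths).items():
        if len(dirs) < 2:  # a single open is not a search
            continue
        classes = [classify(d) for d in dirs]
        findings.append({
            "name": name,
            "probes": len(dirs),
            "other_dirs": [d for d, c in zip(dirs, classes) if c == "other"],
            "left_trusted_dirs": classes[-1] == "other",
        })
    return findings


if __name__ == "__main__":
    for f in triage(ACCESSED):
        verdict = "left app/system dirs" if f["left_trusted_dirs"] else "resolved in app/system dir"
        print("%s: %d probes, %s" % (f["name"], f["probes"], verdict))
        for d in f["other_dirs"]:
            print("    probed:", d)
```

On the report's data this flags the api-ms-win-core-localization-l1-2-1.DLL lookup and the Notepad2.ini lookup, and lists the non-system directories each one touched. Feed it the full accessed-file list of any run to get the same triage; the single-probe entries (C_437.NLS, KsecDD, staticcache.dat) are ignored because they were opened once, not searched for.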
Registry keys accessed
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Codepage
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\437
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SESSION MANAGER\SafeProcessSearchMode
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane2
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane3
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane4
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane5
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane6
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane7
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane8
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane9
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane10
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane11
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane12
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane13
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane14
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane15
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane16
  • HKEY_CURRENT_USER
  • HKEY_CURRENT_USER\Control Panel\Desktop
  • HKEY_CURRENT_USER\Control Panel\Desktop\SmoothScroll
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\EnableBalloonTips
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ListviewAlphaSelect
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ListviewShadow
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\AccListViewV6
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\UseDoubleClickTimer
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\FontSubstitutes
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\宋体
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\WMR
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\WMR\Disable
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\Notepad2-mod_4.2.25r998_x64_CN.exe
  • HKEY_LOCAL_MACHINE\Software\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{03B5835F-F03C-411B-9CE2-AA23E1171E36}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{07EB03D6-B001-41DF-9192-BF9B841EE71F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3697C5FA-60DD-4B56-92D4-74A569205C16}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3FC47A08-E5C9-4BCA-A2C7-BC9A282AED14}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{531FDEBF-9B4C-4A43-A2AA-960E8FCDC732}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{78CB5B0E-26ED-4FCC-854C-77E8F3D1AA80}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{81D4E9C9-1D3B-41BC-9E6C-4B40BF79E35E}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{8613E14C-D0C0-4161-AC0F-1DD2563286BC}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{A028AE76-01B1-46C2-99C4-ACD9858AE02F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{AE6BE008-07FB-400D-8BEB-337A64F7051F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{C1EE01F2-B3B6-4A6A-9DDD-E988C088EC82}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{E429B25A-E5D3-4D1F-9BE3-0C608477E3A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F25E9F57-2FC8-4EB3-A41A-CCE5F08541E6}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F89E9E58-BD2F-4008-9AC2-0F816C09F4EE}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
  • HKEY_CURRENT_USER\Software\Microsoft\CTF\DirectSwitchHotkeys
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\EnableAnchorContext
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\KnownClasses
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\Category\Item\{A48FA74E-F767-44E4-BFBC-169E8B38FF58}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{03B5835F-F03C-411B-9CE2-AA23E1171E36}\Category\Item\{A48FA74E-F767-44E4-BFBC-169E8B38FF58}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{07EB03D6-B001-41DF-9192-BF9B841EE71F}\Category\Item\{A48FA74E-F767-44E4-BFBC-169E8B38FF58}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3697C5FA-60DD-4B56-92D4-74A569205C16}\Category\Item\{A48FA74E-F767-44E4-BFBC-169E8B38FF58}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3FC47A08-E5C9-4BCA-A2C7-BC9A282AED14}\Category\Item\{A48FA74E-F767-44E4-BFBC-169E8B38FF58}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{531FDEBF-9B4C-4A43-A2AA-960E8FCDC732}\Category\Item\{A48FA74E-F767-44E4-BFBC-169E8B38FF58}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{78CB5B0E-26ED-4FCC-854C-77E8F3D1AA80}\Category\Item\{A48FA74E-F767-44E4-BFBC-169E8B38FF58}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{81D4E9C9-1D3B-41BC-9E6C-4B40BF79E35E}\Category\Item\{A48FA74E-F767-44E4-BFBC-169E8B38FF58}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{8613E14C-D0C0-4161-AC0F-1DD2563286BC}\Category\Item\{A48FA74E-F767-44E4-BFBC-169E8B38FF58}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{A028AE76-01B1-46C2-99C4-ACD9858AE02F}\Category\Item\{A48FA74E-F767-44E4-BFBC-169E8B38FF58}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{AE6BE008-07FB-400D-8BEB-337A64F7051F}\Category\Item\{A48FA74E-F767-44E4-BFBC-169E8B38FF58}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{C1EE01F2-B3B6-4A6A-9DDD-E988C088EC82}\Category\Item\{A48FA74E-F767-44E4-BFBC-169E8B38FF58}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\Category\Item\{A48FA74E-F767-44E4-BFBC-169E8B38FF58}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{E429B25A-E5D3-4D1F-9BE3-0C608477E3A1}\Category\Item\{A48FA74E-F767-44E4-BFBC-169E8B38FF58}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F25E9F57-2FC8-4EB3-A41A-CCE5F08541E6}\Category\Item\{A48FA74E-F767-44E4-BFBC-169E8B38FF58}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F89E9E58-BD2F-4008-9AC2-0F816C09F4EE}\Category\Item\{A48FA74E-F767-44E4-BFBC-169E8B38FF58}
  • HKEY_CURRENT_USER\Software\Microsoft\CTF\LayoutIcon\0804\00000804
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\TurnOffSPIAnimations
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\TurnOffSPIAnimations
Registry keys read
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\437
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SESSION MANAGER\SafeProcessSearchMode
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane2
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane3
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane4
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane5
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane6
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane7
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane8
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane9
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane10
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane11
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane12
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane13
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane14
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane15
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane16
  • HKEY_CURRENT_USER\Control Panel\Desktop\SmoothScroll
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\EnableBalloonTips
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ListviewAlphaSelect
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ListviewShadow
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\AccListViewV6
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\UseDoubleClickTimer
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\宋体
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\WMR\Disable
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\EnableAnchorContext
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\TurnOffSPIAnimations
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\TurnOffSPIAnimations
Registry keys modified No information
Registry keys deleted No information
API resolution
  • kernel32.dll.InitializeCriticalSectionEx
  • kernel32.dll.FlsAlloc
  • kernel32.dll.FlsSetValue
  • kernel32.dll.LCMapStringEx
  • kernel32.dll.FlsFree
  • kernel32.dll.FlsGetValue
  • kernel32.dll.InitOnceExecuteOnce
  • kernel32.dll.CreateEventExW
  • kernel32.dll.CreateSemaphoreW
  • kernel32.dll.CreateSemaphoreExW
  • kernel32.dll.CreateThreadpoolTimer
  • kernel32.dll.SetThreadpoolTimer
  • kernel32.dll.WaitForThreadpoolTimerCallbacks
  • kernel32.dll.CloseThreadpoolTimer
  • kernel32.dll.CreateThreadpoolWait
  • kernel32.dll.SetThreadpoolWait
  • kernel32.dll.CloseThreadpoolWait
  • kernel32.dll.FlushProcessWriteBuffers
  • kernel32.dll.FreeLibraryWhenCallbackReturns
  • kernel32.dll.GetCurrentProcessorNumber
  • kernel32.dll.CreateSymbolicLinkW
  • kernel32.dll.GetTickCount64
  • kernel32.dll.GetFileInformationByHandleEx
  • kernel32.dll.SetFileInformationByHandle
  • kernel32.dll.InitializeConditionVariable
  • kernel32.dll.WakeConditionVariable
  • kernel32.dll.WakeAllConditionVariable
  • kernel32.dll.SleepConditionVariableCS
  • kernel32.dll.InitializeSRWLock
  • kernel32.dll.AcquireSRWLockExclusive
  • kernel32.dll.TryAcquireSRWLockExclusive
  • kernel32.dll.ReleaseSRWLockExclusive
  • kernel32.dll.SleepConditionVariableSRW
  • kernel32.dll.CreateThreadpoolWork
  • kernel32.dll.SubmitThreadpoolWork
  • kernel32.dll.CloseThreadpoolWork
  • kernel32.dll.CompareStringEx
  • kernel32.dll.GetLocaleInfoEx
  • cryptbase.dll.SystemFunction036
  • user32.dll.SetLayeredWindowAttributes
  • gdi32.dll.GetLayout
  • gdi32.dll.GdiRealizationInfo
  • gdi32.dll.FontIsLinked
  • advapi32.dll.RegOpenKeyExW
  • advapi32.dll.RegQueryInfoKeyW
  • gdi32.dll.GetTextFaceAliasW
  • advapi32.dll.RegEnumValueW
  • advapi32.dll.RegCloseKey
  • advapi32.dll.RegQueryValueExW
  • advapi32.dll.RegQueryValueExA
  • advapi32.dll.RegEnumKeyExW
  • gdi32.dll.GetTextExtentExPointWPri
  • gdi32.dll.GetFontAssocStatus
  • uxtheme.dll.OpenThemeData
  • uxtheme.dll.IsAppThemed
  • comctl32.dll.RegisterClassNameW
  • uxtheme.dll.EnableThemeDialogTexture
  • ole32.dll.CoInitializeEx
  • ole32.dll.CoUninitialize
  • ole32.dll.CoRegisterInitializeSpy
  • ole32.dll.CoRevokeInitializeSpy
  • propsys.dll.#421
  • uxtheme.dll.BufferedPaintInit
  • uxtheme.dll.BufferedPaintRenderAnimation
  • uxtheme.dll.BeginBufferedAnimation
  • uxtheme.dll.EndBufferedAnimation
  • oleaut32.dll.SysAllocString
  • oleaut32.dll.SysStringLen
  • oleaut32.dll.SysFreeString
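The API-resolution list above is the evidence that decides whether a "resolves many kernel32 functions at runtime" signal means API-name obfuscation or ordinary runtime start-up. The following triage script is an added example written by the editor; it is not part of the sandbox report or of the Notepad2-mod project. It parses entries in the report's module.Function form (including ordinal-only entries such as propsys.dll.#421), sets aside the kernel32 functions that, to the best of the editor's knowledge, the MSVC C++ runtime's downlevel thunk table resolves through GetProcAddress so that a Vista-era build still loads on older Windows (that allowlist is an assumption, stated in the code), and leaves registry, random-number and by-ordinal resolutions for a human to review. The sample input is a constructed subset of the entries listed above.

```python
import re
from collections import defaultdict

# Constructed sample input: a subset of the "API resolution" entries from the
# report, one "module.Function" per line, in the sandbox's own format.
REPORT_LINES = """\
kernel32.dll.InitializeCriticalSectionEx
kernel32.dll.FlsAlloc
kernel32.dll.FlsSetValue
kernel32.dll.LCMapStringEx
kernel32.dll.CreateSymbolicLinkW
kernel32.dll.GetTickCount64
cryptbase.dll.SystemFunction036
user32.dll.SetLayeredWindowAttributes
advapi32.dll.RegOpenKeyExW
advapi32.dll.RegQueryValueExW
advapi32.dll.RegEnumKeyExW
ole32.dll.CoInitializeEx
propsys.dll.#421
uxtheme.dll.OpenThemeData
"""

# ASSUMPTION (editor's, not from the report): kernel32 functions that the MSVC
# C++ runtime's downlevel thunks resolve via GetProcAddress at start-up. Seeing
# these resolved dynamically is expected for any MSVC-built binary and is not,
# by itself, evidence of API hiding.
MSVC_DOWNLEVEL_THUNKS = {
    "InitializeCriticalSectionEx", "FlsAlloc", "FlsFree", "FlsGetValue",
    "FlsSetValue", "LCMapStringEx", "CompareStringEx", "GetLocaleInfoEx",
    "InitOnceExecuteOnce", "CreateEventExW", "CreateSemaphoreW",
    "CreateSemaphoreExW", "CreateThreadpoolTimer", "SetThreadpoolTimer",
    "WaitForThreadpoolTimerCallbacks", "CloseThreadpoolTimer",
    "CreateThreadpoolWait", "SetThreadpoolWait", "CloseThreadpoolWait",
    "CreateThreadpoolWork", "SubmitThreadpoolWork", "CloseThreadpoolWork",
    "FlushProcessWriteBuffers", "FreeLibraryWhenCallbackReturns",
    "GetCurrentProcessorNumber", "CreateSymbolicLinkW", "GetTickCount64",
    "GetFileInformationByHandleEx", "SetFileInformationByHandle",
    "InitializeConditionVariable", "WakeConditionVariable",
    "WakeAllConditionVariable", "SleepConditionVariableCS",
    "SleepConditionVariableSRW", "InitializeSRWLock",
    "AcquireSRWLockExclusive", "TryAcquireSRWLockExclusive",
    "ReleaseSRWLockExclusive",
}

# Categories a reviewer wants pulled out: registry access, the RtlGenRandom
# export (SystemFunction036), and ordinal-only resolutions that hide the name.
REVIEW_CATEGORIES = {
    "registry": ("advapi32.dll", re.compile(r"^Reg[A-Z]")),
    "random":   ("cryptbase.dll", re.compile(r"^SystemFunction036$")),
    "ordinal":  (None, re.compile(r"^#\d+$")),
}

ENTRY_RE = re.compile(r"^(?P<module>[A-Za-z0-9_]+\.dll)\.(?P<func>#\d+|[A-Za-z0-9_]+)$")


def parse_entries(text):
    """Turn report lines (optionally bulleted) into (module, function) pairs."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip().lstrip("• ").strip()
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if not m:
            raise ValueError(f"unparseable API-resolution entry: {line!r}")
        entries.append((m.group("module").lower(), m.group("func")))
    return entries


def triage(entries):
    """Bucket each resolution: expected CRT thunk, needs review, or other."""
    report = {"by_module": defaultdict(list), "msvc_thunks": [],
              "review": defaultdict(list), "other": []}
    for module, func in entries:
        report["by_module"][module].append(func)
        if module == "kernel32.dll" and func in MSVC_DOWNLEVEL_THUNKS:
            report["msvc_thunks"].append(func)
            continue
        for cat, (mod, pat) in REVIEW_CATEGORIES.items():
            if (mod is None or mod == module) and pat.match(func):
                report["review"][cat].append(f"{module}.{func}")
                break
        else:
            report["other"].append(f"{module}.{func}")
    return report


def summarize(report):
    """Human-readable lines for the analyst's notes."""
    lines = [f"{len(report['msvc_thunks'])} kernel32 resolutions match the MSVC downlevel thunk set"]
    for cat, items in report["review"].items():
        lines.append(f"review/{cat}: " + ", ".join(items))
    lines.append("other: " + ", ".join(report["other"]))
    return lines


if __name__ == "__main__":
    for line in summarize(triage(parse_entries(REPORT_LINES))):
        print(line)
```

SystemFunction036 is RtlGenRandom, which MSVC-built code reaches through the CRT and STL (for example rand_s and std::random_device), so its presence in a text editor is unremarkable on its own; it still goes in the review bucket because the same export is what malware reaches for when it needs keys or nonces, and the analyst should be able to say why this binary needs it. Ordinal-only entries such as propsys.dll.#421 should be mapped against that DLL's export table before they are cleared, since the name is exactly what the ordinal hides.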