魔盾安全分析报告

分析类型	开始时间	结束时间	持续时间	分析引擎版本
FILE	2019-11-18 15:39:25	2019-11-18 15:40:24	59 秒	1.4-Maldun

虚拟机机器名	标签	虚拟机管理	开机时间	关机时间
win7-sp1-x64-hpdapp01-1	win7-sp1-x64-hpdapp01-1	KVM	2019-11-18 15:39:38	2019-11-18 15:40:24

魔盾分数
10.0 恶意的

文件详细信息

文件名	自动牌王.exe
文件大小	5124076 字节
文件类型	PE32 executable (GUI) Intel 80386, for MS Windows
CRC32	B0C4821B
MD5	549ed1e97bce276c704329a7d2272642
SHA1	41089c16cb0f16a8510f18be278e5f5982793693
SHA256	eacfb7e4ee2fda43d1ce4d938fa9a2d05cc157c97439bc0598ab89ebae7b9020
SHA512	3828bc9cd525344e74a338d92f3f1dd4f6cdcff939aa478e8c31e70fdef98069ac13e0d477ae09130a5a65d7136f7d7390c6938ccf5fe76a4c2cf756b34f8c76
Ssdeep	98304:ej2hqA70X8lG4v54mk45SbWf+YFCOdlwu7XUU+jFsxhD8pkmqp6Snq:eKhr0X74Qaf+H0kQsS6l
PEiD	无匹配
Yara	DebuggerHiding__Thread () DebuggerTiming__Ticks (Detected timing ticks function) Check_FindWindowA_iat (it's checked if FindWindowA() is imported) anti_dbg (Detected self protection if being debugged) disable_dep (Bypass DEP) inject_thread (Detected code injection function with CreateRemoteThread in a remote process) network_tcp_socket (Detected network communications over RAW socket) network_dns (Detected network communications use DNS) network_ssl (Detected network communications over SSL) win_mutex (Create or check mutex) screenshot (Detected take screenshot function) create_process (Detection function for creating a new process) persistence (Detected function for installing itself for autorun at Windows startup) keylogger (Detected keylogger function) win_registry (Detected system registries modification function) change_win_registry (Change registries to affect system) win_files_operation (Affect private profile) win_hook (Detected hook table access function) win_private_profile (Detected private profile access function) Maldun_Anomoly_Combined_Activities_Logging_Persistence (Spotted postential abnormal behaviors, like logging and persistenc3) Maldun_Anomoly_Combined_Activities_5 (Spotted potential mallicious behaviors like logging and network communication) Maldun_Anomoly_Combined_Activities_7 (Spotted potential malicious behaviors from a small size target, like process manipultion, privilege, token and files) with_images (Detected the presence of an or several images) with_urls (Detected the presence of an or several urls) UPX (Detected UPX. Commonly used by RAT!) CRC32_poly_Constant (Look for CRC32 [poly]) CRC32_table (Look for CRC32 table) BLOWFISH_Constants (Look for Blowfish constants) MD5_Constants (Look for MD5 constants) RIPEMD160_Constants (Look for RIPEMD-160 constants) SHA1_Constants (Look for SHA1 constants) DES_sbox (Look for DES [sbox]) RijnDael_AES (Look for RijnDael AES) Borland (Detects Borland program) UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser () D1S1Gv11betaD1N () IsPE32 (Detected a 32bit PE sample) IsWindowsGUI (Detected a Windows GUI sample) IsPacked (Detected Entropy signature) HasOverlay (Detected Overlay signature) HasRichSignature (Detected Rich Signature)
VirusTotal	无此文件扫描结果

特征

创建RWX内存

通过进程尝试延迟分析任务

Process: taskkill.exe tried to sleep 60 seconds, actually delayed analysis time by 0 seconds

二进制文件可能包含加密或压缩数据

section: name: .rdata, entropy: 7.90, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ, raw_size: 0x00387000, virtual_size: 0x00386440

异常的多次引用终止程序实例

异常的多次调用CMD

Command: cmd /k regsvr32 /s c:\windows\zm.dll zm.dll

Command: cmd /k taskkill /f /t /im cmd.exe

魔盾安全Yara规则检测结果 - 高危

Warning: Bypass DEP

Warning: Detected code injection function with CreateRemoteThread in a remote process

Informational: Detected network communications over SSL

Warning: Detected function for installing itself for autorun at Windows startup

Critical: Spotted postential abnormal behaviors, like logging and persistenc3

Critical: Spotted potential mallicious behaviors like logging and network communication

Critical: Spotted potential malicious behaviors from a small size target, like process manipultion, privilege, token and files

Warning: Detected UPX. Commonly used by RAT!

Informational: Detected Overlay signature

运行截图

网络分析

无信息

静态分析

PE 信息

初始地址	0x00400000
入口地址	0x004e2895
声明校验值	0x00000000
实际校验值	0x004f262a
最低操作系统版本要求	4.0
编译时间	2019-11-13 19:27:22
载入哈希	9f6c26c964c9756b266f2859b18f52f0

版本信息

LegalCopyright:	\u4f5c\u8005\u7248\u6743\u6240\u6709 \u8bf7\u5c0a\u91cd\u5e76\u4f7f\u7528\u6b63\u7248
FileVersion:	1.0.0.0
Comments:	\u672c\u7a0b\u5e8f\u4f7f\u7528\u6613\u8bed\u8a00\u7f16\u5199(http://www.eyuyan.com)
ProductName:	\u6613\u8bed\u8a00\u7a0b\u5e8f
ProductVersion:	1.0.0.0
FileDescription:	\u6613\u8bed\u8a00\u7a0b\u5e8f
Translation:	0x0804 0x04b0

PE数据组成

名称	虚拟地址	虚拟大小	原始数据大小	特征	熵(Entropy)
.text	0x00001000	0x00102512	0x00103000	IMAGE_SCN_CNT_CODE\|IMAGE_SCN_MEM_EXECUTE\|IMAGE_SCN_MEM_READ	6.54
.rdata	0x00104000	0x00386440	0x00387000	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ	7.90
.data	0x0048b000	0x0007634a	0x00045000	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ\|IMAGE_SCN_MEM_WRITE	4.15
.rsrc	0x00502000	0x00009250	0x0000a000	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ	5.66

覆盖

偏移量:	0x004da000
大小:	0x00008fec

导入

库 user32.dll:

• 0x504a04 - GetMenuItemCount

• 0x504a08 - RegisterWindowMessageA

• 0x504a0c - SetForegroundWindow

• 0x504a10 - GetMessagePos

• 0x504a14 - GetMessageTime

• 0x504a18 - DefWindowProcA

• 0x504a1c - RemovePropA

• 0x504a20 - CallWindowProcA

• 0x504a24 - IsIconic

• 0x504a28 - SetPropA

• 0x504a2c - GetClassLongA

• 0x504a30 - CreateWindowExA

• 0x504a34 - DestroyWindow

• 0x504a38 - GetMenuItemID

• 0x504a3c - GetSubMenu

• 0x504a40 - GetMenu

• 0x504a44 - RegisterClassA

• 0x504a48 - GetClassInfoA

• 0x504a4c - SystemParametersInfoA

• 0x504a50 - GetCapture

• 0x504a54 - GetTopWindow

• 0x504a58 - CopyRect

• 0x504a5c - GetClientRect

• 0x504a60 - AdjustWindowRectEx

• 0x504a64 - IsWindow

• 0x504a68 - SetActiveWindow

• 0x504a6c - GetSysColor

• 0x504a70 - MapWindowPoints

• 0x504a74 - UpdateWindow

• 0x504a78 - GetSysColorBrush

• 0x504a7c - GetPropA

• 0x504a80 - PostMessageA

• 0x504a84 - SendMessageA

• 0x504a88 - SetCursor

• 0x504a8c - EnableWindow

• 0x504a90 - GetWindowLongA

• 0x504a94 - IsWindowEnabled

• 0x504a98 - GetLastActivePopup

• 0x504a9c - GetParent

• 0x504aa0 - SetWindowsHookExA

• 0x504aa4 - GetCursorPos

• 0x504aa8 - PeekMessageA

• 0x504aac - IsWindowVisible

• 0x504ab0 - ValidateRect

• 0x504ab4 - CallNextHookEx

• 0x504ab8 - GetKeyState

• 0x504abc - GetActiveWindow

• 0x504ac0 - DispatchMessageA

• 0x504ac4 - TranslateMessage

• 0x504ac8 - GetMessageA

• 0x504acc - GetNextDlgTabItem

• 0x504ad0 - GetFocus

• 0x504ad4 - EnableMenuItem

• 0x504ad8 - CheckMenuItem

• 0x504adc - SetMenuItemBitmaps

• 0x504ae0 - ModifyMenuA

• 0x504ae4 - GetMenuState

• 0x504ae8 - LoadBitmapA

• 0x504aec - GetMenuCheckMarkDimensions

• 0x504af0 - RegisterClipboardFormatA

• 0x504af4 - UnhookWindowsHookEx

• 0x504af8 - UnregisterClassA

• 0x504afc - GetClassNameA

• 0x504b00 - PtInRect

• 0x504b04 - GetWindowRect

• 0x504b08 - wsprintfA

• 0x504b0c - MessageBoxA

• 0x504b10 - ReleaseDC

• 0x504b14 - ShowWindow

• 0x504b18 - SetWindowPos

• 0x504b1c - GetForegroundWindow

• 0x504b20 - GetDlgItem

• 0x504b24 - FindWindowA

• 0x504b28 - GetDlgCtrlID

• 0x504b2c - GetWindow

• 0x504b30 - GetDC

• 0x504b34 - SetCursorPos

• 0x504b38 - GetAncestor

• 0x504b3c - EnumWindows

• 0x504b40 - PostQuitMessage

• 0x504b44 - SetFocus

• 0x504b48 - GetSystemMetrics

• 0x504b4c - GetWindowPlacement

• 0x504b50 - EndDialog

• 0x504b54 - CreateDialogIndirectParamA

• 0x504b58 - DestroyMenu

• 0x504b5c - PostThreadMessageA

• 0x504b60 - LoadStringA

• 0x504b64 - WinHelpA

• 0x504b68 - LoadIconA

• 0x504b6c - ClientToScreen

• 0x504b70 - SetWindowTextA

• 0x504b74 - GetWindowTextA

• 0x504b78 - LoadCursorA

• 0x504b7c - TabbedTextOutA

• 0x504b80 - DrawTextA

• 0x504b84 - GrayStringA

• 0x504b88 - SendDlgItemMessageA

• 0x504b8c - IsDialogMessageA

• 0x504b90 - SetWindowLongA

库 kernel32.dll:

• 0x5047a8 - OpenProcess

• 0x5047ac - RtlFillMemory

• 0x5047b0 - Process32Next

• 0x5047b4 - CloseHandle

• 0x5047b8 - Process32First

• 0x5047bc - CreateToolhelp32Snapshot

• 0x5047c0 - ReadProcessMemory

• 0x5047c4 - LocalSize

• 0x5047c8 - MultiByteToWideChar

• 0x5047cc - WideCharToMultiByte

• 0x5047d0 - GetProcessHeap

• 0x5047d4 - ExitProcess

• 0x5047d8 - HeapAlloc

• 0x5047dc - HeapReAlloc

• 0x5047e0 - HeapFree

• 0x5047e4 - IsBadReadPtr

• 0x5047e8 - GetTickCount

• 0x5047ec - GetModuleFileNameA

• 0x5047f0 - GetLocalTime

• 0x5047f4 - VirtualQueryEx

• 0x5047f8 - Sleep

• 0x5047fc - LCMapStringA

• 0x504800 - GetUserDefaultLCID

• 0x504804 - GlobalFree

• 0x504808 - GlobalUnlock

• 0x50480c - GlobalLock

• 0x504810 - GlobalAlloc

• 0x504814 - DeleteFileA

• 0x504818 - ReadFile

• 0x50481c - SetFilePointer

• 0x504820 - GetFileSize

• 0x504824 - ResumeThread

• 0x504828 - GetWindowsDirectoryA

• 0x50482c - GetModuleHandleA

• 0x504830 - lstrcpyn

• 0x504834 - WritePrivateProfileStringA

• 0x504838 - FreeLibrary

• 0x50483c - LoadLibraryA

• 0x504840 - CreateFileA

• 0x504844 - WriteFile

• 0x504848 - RtlMoveMemory

• 0x50484c - GetProcAddress

• 0x504850 - DeviceIoControl

• 0x504854 - GetCurrentThreadId

• 0x504858 - GetCurrentThread

• 0x50485c - lstrcmpiA

• 0x504860 - lstrcmpA

• 0x504864 - GlobalDeleteAtom

• 0x504868 - lstrlenA

• 0x50486c - LocalAlloc

• 0x504870 - LocalFree

• 0x504874 - InitializeCriticalSection

• 0x504878 - TlsAlloc

• 0x50487c - DeleteCriticalSection

• 0x504880 - GlobalHandle

• 0x504884 - TlsFree

• 0x504888 - LeaveCriticalSection

• 0x50488c - GlobalReAlloc

• 0x504890 - EnterCriticalSection

• 0x504894 - TlsSetValue

• 0x504898 - LocalReAlloc

• 0x50489c - TlsGetValue

• 0x5048a0 - InterlockedDecrement

• 0x5048a4 - SetErrorMode

• 0x5048a8 - lstrcatA

• 0x5048ac - lstrcpyA

• 0x5048b0 - WriteProcessMemory

• 0x5048b4 - lstrcpynA

• 0x5048b8 - GetVersion

• 0x5048bc - MulDiv

• 0x5048c0 - GlobalFlags

• 0x5048c4 - InterlockedIncrement

• 0x5048c8 - SetLastError

• 0x5048cc - GetLastError

• 0x5048d0 - GlobalFindAtomA

• 0x5048d4 - GlobalAddAtomA

• 0x5048d8 - GlobalGetAtomNameA

• 0x5048dc - LockResource

• 0x5048e0 - LoadResource

• 0x5048e4 - FindResourceA

• 0x5048e8 - GetProcessVersion

• 0x5048ec - GetCurrentProcess

• 0x5048f0 - FlushFileBuffers

• 0x5048f4 - GetCPInfo

• 0x5048f8 - GetOEMCP

• 0x5048fc - GetCommandLineA

• 0x504900 - RtlUnwind

• 0x504904 - TerminateProcess

• 0x504908 - RaiseException

• 0x50490c - HeapSize

• 0x504910 - GetACP

• 0x504914 - SetHandleCount

• 0x504918 - GetStdHandle

• 0x50491c - GetFileType

• 0x504920 - GetStartupInfoA

• 0x504924 - FreeEnvironmentStringsA

• 0x504928 - FreeEnvironmentStringsW

• 0x50492c - GetEnvironmentStrings

• 0x504930 - GetEnvironmentStringsW

• 0x504934 - GetEnvironmentVariableA

• 0x504938 - GetVersionExA

• 0x50493c - HeapDestroy

• 0x504940 - HeapCreate

• 0x504944 - VirtualFree

• 0x504948 - VirtualAlloc

• 0x50494c - IsBadWritePtr

• 0x504950 - LCMapStringW

• 0x504954 - SetUnhandledExceptionFilter

• 0x504958 - GetStringTypeA

• 0x50495c - GetStringTypeW

• 0x504960 - IsBadCodePtr

• 0x504964 - SetStdHandle

库 gdi32.dll:

• 0x504738 - SaveDC

• 0x50473c - GetStockObject

• 0x504740 - SetBkColor

• 0x504744 - Rectangle

• 0x504748 - CreateFontIndirectA

• 0x50474c - SetBkMode

• 0x504750 - SetTextColor

• 0x504754 - TextOutA

• 0x504758 - DeleteObject

• 0x50475c - GetObjectA

• 0x504760 - Escape

• 0x504764 - ExtTextOutA

• 0x504768 - RectVisible

• 0x50476c - PtVisible

• 0x504770 - SetMapMode

• 0x504774 - SetViewportOrgEx

• 0x504778 - OffsetViewportOrgEx

• 0x50477c - SetViewportExtEx

• 0x504780 - ScaleViewportExtEx

• 0x504784 - RestoreDC

• 0x504788 - SetWindowExtEx

• 0x50478c - GetDeviceCaps

• 0x504790 - SelectObject

• 0x504794 - CreateBitmap

• 0x504798 - GetClipBox

• 0x50479c - ScaleWindowExtEx

• 0x5047a0 - DeleteDC

库 ws2_32.dll:

• 0x504ba8 - recv

• 0x504bac - select

• 0x504bb0 - setsockopt

• 0x504bb4 - send

• 0x504bb8 - inet_addr

• 0x504bbc - ntohs

库 atl.dll:

• 0x504714 - None

库 winspool.drv:

• 0x504b98 - OpenPrinterA

• 0x504b9c - ClosePrinter

• 0x504ba0 - DocumentPropertiesA

库 advapi32.dll:

• 0x5046f8 - RegCloseKey

• 0x5046fc - RegSetValueExA

• 0x504700 - RegCreateKeyExA

• 0x504704 - RegQueryValueExA

• 0x504708 - RegOpenKeyExA

• 0x50470c - RegOpenKeyA

库 comctl32.dll:

• 0x50471c - None

库 oledlg.dll:

• 0x5049fc - None

库 ole32.dll:

• 0x50496c - CoRevokeClassObject

• 0x504970 - CoRegisterMessageFilter

• 0x504974 - OleInitialize

• 0x504978 - OleUninitialize

• 0x50497c - CLSIDFromString

• 0x504980 - CoCreateInstance

• 0x504984 - OleRun

• 0x504988 - OleUninitialize

• 0x50498c - OleInitialize

• 0x504990 - CLSIDFromProgID

• 0x504994 - CLSIDFromString

• 0x504998 - CoCreateInstance

• 0x50499c - OleRun

• 0x5049a0 - OleFlushClipboard

• 0x5049a4 - OleIsCurrentClipboard

• 0x5049a8 - CoFreeUnusedLibraries

• 0x5049ac - CLSIDFromProgID

库 oleaut32.dll:

• 0x5049b4 - LoadTypeLib

• 0x5049b8 - VarR8FromBool

• 0x5049bc - VarR8FromCy

• 0x5049c0 - SafeArrayGetElemsize

• 0x5049c4 - SafeArrayUnaccessData

• 0x5049c8 - SafeArrayAccessData

• 0x5049cc - SafeArrayGetUBound

• 0x5049d0 - SafeArrayGetLBound

• 0x5049d4 - SafeArrayDestroy

• 0x5049d8 - VariantClear

• 0x5049dc - SysAllocString

• 0x5049e0 - SafeArrayCreate

• 0x5049e4 - RegisterTypeLib

• 0x5049e8 - SafeArrayGetDim

• 0x5049ec - VariantChangeType

• 0x5049f0 - VariantInit

• 0x5049f4 - LHashValOfNameSys

库 WINMM.dll:

• 0x504678 - midiStreamRestart

• 0x50467c - midiStreamClose

• 0x504680 - midiOutReset

• 0x504684 - midiStreamOut

• 0x504688 - midiOutPrepareHeader

• 0x50468c - midiStreamProperty

• 0x504690 - midiStreamOpen

• 0x504694 - midiOutUnprepareHeader

• 0x504698 - waveOutOpen

• 0x50469c - waveOutGetNumDevs

• 0x5046a0 - waveOutClose

• 0x5046a4 - waveOutReset

• 0x5046a8 - waveOutPause

• 0x5046ac - waveOutWrite

• 0x5046b0 - midiStreamStop

• 0x5046b4 - waveOutUnprepareHeader

• 0x5046b8 - waveOutPrepareHeader

库 WS2_32.dll:

• 0x5046d0 - inet_ntoa

• 0x5046d4 - WSACleanup

• 0x5046d8 - closesocket

• 0x5046dc - WSAAsyncSelect

• 0x5046e0 - ioctlsocket

• 0x5046e4 - recv

• 0x5046e8 - getpeername

• 0x5046ec - accept

• 0x5046f0 - recvfrom

库 KERNEL32.dll:

• 0x50417c - RaiseException

• 0x504180 - GetSystemTime

• 0x504184 - RtlUnwind

• 0x504188 - GetStartupInfoA

• 0x50418c - GetOEMCP

• 0x504190 - GetCPInfo

• 0x504194 - GetProcessVersion

• 0x504198 - SetErrorMode

• 0x50419c - GlobalFlags

• 0x5041a0 - GetCurrentThread

• 0x5041a4 - GetFileTime

• 0x5041a8 - TlsGetValue

• 0x5041ac - LocalReAlloc

• 0x5041b0 - TlsSetValue

• 0x5041b4 - TlsFree

• 0x5041b8 - GlobalHandle

• 0x5041bc - TlsAlloc

• 0x5041c0 - LocalAlloc

• 0x5041c4 - GlobalGetAtomNameA

• 0x5041c8 - GlobalAddAtomA

• 0x5041cc - GlobalFindAtomA

• 0x5041d0 - GlobalDeleteAtom

• 0x5041d4 - SetEndOfFile

• 0x5041d8 - UnlockFile

• 0x5041dc - LockFile

• 0x5041e0 - FlushFileBuffers

• 0x5041e4 - LocalFree

• 0x5041e8 - InterlockedDecrement

• 0x5041ec - InterlockedIncrement

• 0x5041f0 - HeapSize

• 0x5041f4 - GetACP

• 0x5041f8 - UnhandledExceptionFilter

• 0x5041fc - FreeEnvironmentStringsA

• 0x504200 - FreeEnvironmentStringsW

• 0x504204 - GetEnvironmentStrings

• 0x504208 - GetEnvironmentStringsW

• 0x50420c - SetHandleCount

• 0x504210 - GetStdHandle

• 0x504214 - GetEnvironmentVariableA

• 0x504218 - HeapDestroy

• 0x50421c - HeapCreate

• 0x504220 - VirtualFree

• 0x504224 - WideCharToMultiByte

• 0x504228 - GetVersion

• 0x50422c - GetTimeZoneInformation

• 0x504230 - SetLastError

• 0x504234 - MultiByteToWideChar

• 0x504238 - GetSystemDirectoryA

• 0x50423c - GetWindowsDirectoryA

• 0x504240 - OpenProcess

• 0x504244 - TerminateProcess

• 0x504248 - CreateToolhelp32Snapshot

• 0x50424c - Process32First

• 0x504250 - Process32Next

• 0x504254 - SetFileTime

• 0x504258 - DosDateTimeToFileTime

• 0x50425c - GetLocalTime

• 0x504260 - SystemTimeToFileTime

• 0x504264 - GetCurrentProcess

• 0x504268 - DuplicateHandle

• 0x50426c - GetFileType

• 0x504270 - SetEnvironmentVariableA

• 0x504274 - LCMapStringA

• 0x504278 - LCMapStringW

• 0x50427c - VirtualAlloc

• 0x504280 - IsBadWritePtr

• 0x504284 - SetUnhandledExceptionFilter

• 0x504288 - GetStringTypeA

• 0x50428c - GetStringTypeW

• 0x504290 - CompareStringA

• 0x504294 - CompareStringW

• 0x504298 - IsBadReadPtr

• 0x50429c - IsBadCodePtr

• 0x5042a0 - SetStdHandle

• 0x5042a4 - InterlockedExchange

• 0x5042a8 - GetFileSize

• 0x5042ac - SetFilePointer

• 0x5042b0 - FileTimeToLocalFileTime

• 0x5042b4 - FileTimeToSystemTime

• 0x5042b8 - lstrcpynA

• 0x5042bc - lstrcmpiA

• 0x5042c0 - lstrcmpA

• 0x5042c4 - IsDBCSLeadByte

• 0x5042c8 - CreateSemaphoreA

• 0x5042cc - ResumeThread

• 0x5042d0 - ReleaseSemaphore

• 0x5042d4 - EnterCriticalSection

• 0x5042d8 - LeaveCriticalSection

• 0x5042dc - GetProfileStringA

• 0x5042e0 - WriteFile

• 0x5042e4 - WaitForMultipleObjects

• 0x5042e8 - CreateFileA

• 0x5042ec - SetEvent

• 0x5042f0 - FindResourceA

• 0x5042f4 - LoadResource

• 0x5042f8 - LockResource

• 0x5042fc - ReadFile

• 0x504300 - lstrlenW

• 0x504304 - GetModuleFileNameA

• 0x504308 - GetCurrentThreadId

• 0x50430c - ExitProcess

• 0x504310 - GlobalSize

• 0x504314 - GlobalFree

• 0x504318 - DeleteCriticalSection

• 0x50431c - InitializeCriticalSection

• 0x504320 - lstrcatA

• 0x504324 - lstrlenA

• 0x504328 - WinExec

• 0x50432c - lstrcpyA

• 0x504330 - FindNextFileA

• 0x504334 - GlobalReAlloc

• 0x504338 - HeapFree

• 0x50433c - HeapReAlloc

• 0x504340 - GetProcessHeap

• 0x504344 - HeapAlloc

• 0x504348 - GetUserDefaultLCID

• 0x50434c - GetFullPathNameA

• 0x504350 - FreeLibrary

• 0x504354 - LoadLibraryA

• 0x504358 - GetLastError

• 0x50435c - GetVersionExA

• 0x504360 - WritePrivateProfileStringA

• 0x504364 - GetPrivateProfileStringA

• 0x504368 - CreateThread

• 0x50436c - CreateEventA

• 0x504370 - CloseHandle

• 0x504374 - WaitForSingleObject

• 0x504378 - CreateProcessA

• 0x50437c - GetTickCount

• 0x504380 - GetCommandLineA

• 0x504384 - MulDiv

• 0x504388 - GetProcAddress

• 0x50438c - GetModuleHandleA

• 0x504390 - GetVolumeInformationA

• 0x504394 - SetCurrentDirectoryA

• 0x504398 - GetCurrentDirectoryA

• 0x50439c - CreateDirectoryA

• 0x5043a0 - GetFileAttributesA

• 0x5043a4 - SetFileAttributesA

• 0x5043a8 - FindClose

• 0x5043ac - FindFirstFileA

• 0x5043b0 - GetTempPathA

• 0x5043b4 - GlobalUnlock

• 0x5043b8 - GlobalLock

• 0x5043bc - GlobalAlloc

• 0x5043c0 - Sleep

库 USER32.dll:

• 0x504400 - TabbedTextOutA

• 0x504404 - BeginPaint

• 0x504408 - GetWindowDC

• 0x50440c - GetWindowTextLengthA

• 0x504410 - DrawTextA

• 0x504414 - CallWindowProcA

• 0x504418 - RemovePropA

• 0x50441c - GetMessageTime

• 0x504420 - GetLastActivePopup

• 0x504424 - RegisterWindowMessageA

• 0x504428 - GetWindowPlacement

• 0x50442c - GrayStringA

• 0x504430 - DestroyWindow

• 0x504434 - CreateDialogIndirectParamA

• 0x504438 - EndDialog

• 0x50443c - EndPaint

• 0x504440 - GetPropA

• 0x504444 - UnhookWindowsHookEx

• 0x504448 - SetPropA

• 0x50444c - GetClassLongA

• 0x504450 - CallNextHookEx

• 0x504454 - SetWindowsHookExA

• 0x504458 - CreateWindowExA

• 0x50445c - GetMenuItemID

• 0x504460 - GetMenuItemCount

• 0x504464 - RegisterClassA

• 0x504468 - GetScrollPos

• 0x50446c - AdjustWindowRectEx

• 0x504470 - MapWindowPoints

• 0x504474 - SendDlgItemMessageA

• 0x504478 - WaitForInputIdle

• 0x50447c - wsprintfA

• 0x504480 - CloseClipboard

• 0x504484 - GetClipboardData

• 0x504488 - OpenClipboard

• 0x50448c - SetClipboardData

• 0x504490 - EmptyClipboard

• 0x504494 - GetSystemMetrics

• 0x504498 - GetCursorPos

• 0x50449c - MessageBoxA

• 0x5044a0 - SetWindowPos

• 0x5044a4 - SendMessageA

• 0x5044a8 - DestroyCursor

• 0x5044ac - SetParent

• 0x5044b0 - IsWindow

• 0x5044b4 - PostMessageA

• 0x5044b8 - GetTopWindow

• 0x5044bc - GetParent

• 0x5044c0 - GetFocus

• 0x5044c4 - GetClientRect

• 0x5044c8 - InvalidateRect

• 0x5044cc - UpdateWindow

• 0x5044d0 - EqualRect

• 0x5044d4 - GetWindowRect

• 0x5044d8 - SetForegroundWindow

• 0x5044dc - DestroyMenu

• 0x5044e0 - UnregisterClassA

• 0x5044e4 - ReleaseDC

• 0x5044e8 - IsRectEmpty

• 0x5044ec - FillRect

• 0x5044f0 - GetDC

• 0x5044f4 - SetCursor

• 0x5044f8 - LoadCursorA

• 0x5044fc - SetCursorPos

• 0x504500 - SetActiveWindow

• 0x504504 - GetSysColor

• 0x504508 - SetWindowLongA

• 0x50450c - GetWindowLongA

• 0x504510 - RedrawWindow

• 0x504514 - EnableWindow

• 0x504518 - IsWindowVisible

• 0x50451c - OffsetRect

• 0x504520 - PtInRect

• 0x504524 - DestroyIcon

• 0x504528 - IntersectRect

• 0x50452c - InflateRect

• 0x504530 - SetRect

• 0x504534 - SetScrollPos

• 0x504538 - SetScrollRange

• 0x50453c - GetScrollRange

• 0x504540 - SetCapture

• 0x504544 - GetCapture

• 0x504548 - ReleaseCapture

• 0x50454c - SetTimer

• 0x504550 - KillTimer

• 0x504554 - WinHelpA

• 0x504558 - LoadBitmapA

• 0x50455c - CopyRect

• 0x504560 - ChildWindowFromPointEx

• 0x504564 - ScreenToClient

• 0x504568 - GetMessagePos

• 0x50456c - SetWindowRgn

• 0x504570 - DestroyAcceleratorTable

• 0x504574 - GetWindow

• 0x504578 - GetActiveWindow

• 0x50457c - SetFocus

• 0x504580 - IsIconic

• 0x504584 - PeekMessageA

• 0x504588 - SetMenu

• 0x50458c - GetMenu

• 0x504590 - DeleteMenu

• 0x504594 - GetSystemMenu

• 0x504598 - DefWindowProcA

• 0x50459c - GetClassInfoA

• 0x5045a0 - IsZoomed

• 0x5045a4 - PostQuitMessage

• 0x5045a8 - CopyAcceleratorTableA

• 0x5045ac - GetKeyState

• 0x5045b0 - TranslateAcceleratorA

• 0x5045b4 - IsWindowEnabled

• 0x5045b8 - ShowWindow

• 0x5045bc - SystemParametersInfoA

• 0x5045c0 - LoadImageA

• 0x5045c4 - EnumDisplaySettingsA

• 0x5045c8 - ClientToScreen

• 0x5045cc - EnableMenuItem

• 0x5045d0 - GetSubMenu

• 0x5045d4 - GetDlgCtrlID

• 0x5045d8 - CreateAcceleratorTableA

• 0x5045dc - CreateMenu

• 0x5045e0 - ModifyMenuA

• 0x5045e4 - AppendMenuA

• 0x5045e8 - CreatePopupMenu

• 0x5045ec - DrawIconEx

• 0x5045f0 - CreateIconFromResource

• 0x5045f4 - CreateIconFromResourceEx

• 0x5045f8 - RegisterClipboardFormatA

• 0x5045fc - SetRectEmpty

• 0x504600 - DispatchMessageA

• 0x504604 - GetMessageA

• 0x504608 - WindowFromPoint

• 0x50460c - DrawFocusRect

• 0x504610 - DrawEdge

• 0x504614 - DrawFrameControl

• 0x504618 - TranslateMessage

• 0x50461c - LoadIconA

• 0x504620 - CharUpperA

• 0x504624 - GetDesktopWindow

• 0x504628 - GetClassNameA

• 0x50462c - GetWindowThreadProcessId

• 0x504630 - FindWindowA

• 0x504634 - GetDlgItem

• 0x504638 - GetWindowTextA

• 0x50463c - GetForegroundWindow

• 0x504640 - GetSysColorBrush

• 0x504644 - GetNextDlgTabItem

• 0x504648 - ScrollWindowEx

• 0x50464c - IsDialogMessageA

• 0x504650 - SetWindowTextA

• 0x504654 - MoveWindow

• 0x504658 - CheckMenuItem

• 0x50465c - SetMenuItemBitmaps

• 0x504660 - GetMenuState

• 0x504664 - GetMenuCheckMarkDimensions

• 0x504668 - LoadStringA

• 0x50466c - ValidateRect

• 0x504670 - IsChild

库 GDI32.dll:

• 0x504030 - LineTo

• 0x504034 - MoveToEx

• 0x504038 - ExcludeClipRect

• 0x50403c - GetClipBox

• 0x504040 - ScaleWindowExtEx

• 0x504044 - SetWindowExtEx

• 0x504048 - SetWindowOrgEx

• 0x50404c - ScaleViewportExtEx

• 0x504050 - SetViewportExtEx

• 0x504054 - OffsetViewportOrgEx

• 0x504058 - SetViewportOrgEx

• 0x50405c - SetMapMode

• 0x504060 - SetTextColor

• 0x504064 - SetROP2

• 0x504068 - SetPolyFillMode

• 0x50406c - SetBkMode

• 0x504070 - RestoreDC

• 0x504074 - SaveDC

• 0x504078 - GetTextExtentPoint32A

• 0x50407c - GetDeviceCaps

• 0x504080 - FillRgn

• 0x504084 - CreateRectRgn

• 0x504088 - CombineRgn

• 0x50408c - PatBlt

• 0x504090 - CreatePen

• 0x504094 - SelectObject

• 0x504098 - CreateBitmap

• 0x50409c - CreateCompatibleBitmap

• 0x5040a0 - GetPolyFillMode

• 0x5040a4 - GetStretchBltMode

• 0x5040a8 - GetROP2

• 0x5040ac - GetBkColor

• 0x5040b0 - GetBkMode

• 0x5040b4 - GetTextColor

• 0x5040b8 - CreateRoundRectRgn

• 0x5040bc - CreateEllipticRgn

• 0x5040c0 - PathToRegion

• 0x5040c4 - EndPath

• 0x5040c8 - BeginPath

• 0x5040cc - GetWindowOrgEx

• 0x5040d0 - GetViewportOrgEx

• 0x5040d4 - GetWindowExtEx

• 0x5040d8 - GetDIBits

• 0x5040dc - RealizePalette

• 0x5040e0 - SelectPalette

• 0x5040e4 - StretchBlt

• 0x5040e8 - CreatePalette

• 0x5040ec - GetSystemPaletteEntries

• 0x5040f0 - CreateDIBitmap

• 0x5040f4 - CreateSolidBrush

• 0x5040f8 - SelectClipRgn

• 0x5040fc - CreatePolygonRgn

• 0x504100 - GetClipRgn

• 0x504104 - SetStretchBltMode

• 0x504108 - CreateRectRgnIndirect

• 0x50410c - SetBkColor

• 0x504110 - ExtSelectClipRgn

• 0x504114 - GetViewportExtEx

• 0x504118 - PtVisible

• 0x50411c - RectVisible

• 0x504120 - TextOutA

• 0x504124 - ExtTextOutA

• 0x504128 - Escape

• 0x50412c - GetTextMetricsA

• 0x504130 - RoundRect

• 0x504134 - GetCurrentObject

• 0x504138 - DPtoLP

• 0x50413c - LPtoDP

• 0x504140 - Rectangle

• 0x504144 - Ellipse

• 0x504148 - CreateCompatibleDC

• 0x50414c - BitBlt

• 0x504150 - StartPage

• 0x504154 - StartDocA

• 0x504158 - DeleteDC

• 0x50415c - EndDoc

• 0x504160 - EndPage

• 0x504164 - GetObjectA

• 0x504168 - GetStockObject

• 0x50416c - CreateFontIndirectA

• 0x504170 - CreateDCA

• 0x504174 - DeleteObject

库 WINSPOOL.DRV:

• 0x5046c0 - ClosePrinter

• 0x5046c4 - DocumentPropertiesA

• 0x5046c8 - OpenPrinterA

库 ADVAPI32.dll:

• 0x504000 - RegOpenKeyExA

• 0x504004 - RegSetValueExA

• 0x504008 - RegCreateKeyA

• 0x50400c - RegDeleteValueA

• 0x504010 - RegDeleteKeyA

• 0x504014 - RegQueryValueA

• 0x504018 - RegCreateKeyExA

• 0x50401c - RegCloseKey

库 SHELL32.dll:

• 0x5043f0 - SHGetSpecialFolderPathA

• 0x5043f4 - Shell_NotifyIconA

• 0x5043f8 - ShellExecuteA

库 OLEAUT32.dll:

• 0x5043c8 - UnRegisterTypeLib

• 0x5043cc - LoadTypeLib

• 0x5043d0 - LHashValOfNameSys

• 0x5043d4 - RegisterTypeLib

• 0x5043d8 - SysAllocString

• 0x5043dc - VariantInit

• 0x5043e0 - VariantCopyInd

• 0x5043e4 - VariantChangeType

• 0x5043e8 - VariantClear

库 COMCTL32.dll:

• 0x504024 - None

• 0x504028 - ImageList_Destroy

库 comdlg32.dll:

• 0x504724 - GetSaveFileNameA

• 0x504728 - ChooseColorA

• 0x50472c - GetOpenFileNameA

• 0x504730 - GetFileTitleA

投放文件

无信息

行为分析

互斥量(Mutexes) 无信息

执行的命令

cmd /k regsvr32 /s C:\Windows\zm.dll zm.dll
cmd /k taskkill /f /t /im cmd.exe
regsvr32 /s C:\Windows\zm.dll zm.dll
taskkill /f /t /im cmd.exe

创建的服务 无信息

启动的服务 无信息

进程

____________.exe PID: 2476, 上一级进程 PID: 2336

cmd.exe PID: 2540, 上一级进程 PID: 2476

cmd.exe PID: 2576, 上一级进程 PID: 2476

regsvr32.exe PID: 2668, 上一级进程 PID: 2540

taskkill.exe PID: 2704, 上一级进程 PID: 2576

访问的文件

C:\Windows\Globalization\Sorting\sortdefault.nls
C:\Users\test\AppData\Local\Temp\ws2_32.dll
C:\Windows\zm.dll
C:\
C:\Users\test\AppData\Local\Temp
C:\Users
C:\Users\test
C:\Users\test\AppData
C:\Users\test\AppData\Local
C:\Users\test\AppData\Local\Temp\regsvr32.*
C:\Users\test\AppData\Local\Temp\regsvr32
C:\ProgramData\Oracle\Java\javapath\regsvr32.*
C:\ProgramData\Oracle\Java\javapath\regsvr32
C:\Windows\System32\regsvr32.*
C:\Windows\System32\regsvr32.COM
C:\Windows\System32\regsvr32.exe
C:\Users\test\AppData\Local\Temp\taskkill.*
C:\Users\test\AppData\Local\Temp\taskkill
C:\ProgramData\Oracle\Java\javapath\taskkill.*
C:\ProgramData\Oracle\Java\javapath\taskkill
C:\Windows\System32\taskkill.*
C:\Windows\System32\taskkill.COM
C:\Windows\System32\taskkill.exe
\Device\KsecDD
C:\Windows\MFC42.DLL
C:\Windows\System32\mfc42.dll
C:\Windows\ODBC32.dll
C:\Windows\System32\odbc32.dll
C:\Windows\SysWOW64\zm.dll
C:\Windows\System32\zm.dll
C:\Windows\system\zm.dll
C:\Windows\SysWOW64\zh-CN\KERNELBASE.dll.mui
C:\Windows\System32\wbem\zh-CN\wmiutils.dll.mui
C:\Windows\System32\wbem\zh-Hans\wmiutils.dll.mui
C:\Windows\System32\wbem\zh\wmiutils.dll.mui
C:\Windows\System32\wbem\en-US\wmiutils.dll.mui

读取的文件

C:\Windows\Globalization\Sorting\sortdefault.nls
\Device\KsecDD
C:\Windows\zm.dll
C:\Windows\System32\mfc42.dll
C:\Windows\System32\odbc32.dll
C:\Windows\SysWOW64\zh-CN\KERNELBASE.dll.mui
C:\Windows\System32\wbem\zh-CN\wmiutils.dll.mui
C:\Windows\System32\wbem\zh-Hans\wmiutils.dll.mui
C:\Windows\System32\wbem\zh\wmiutils.dll.mui
C:\Windows\System32\wbem\en-US\wmiutils.dll.mui

修改的文件

C:\Windows\zm.dll

删除的文件 无信息

注册表键

HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DisableUNCCheck
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\EnableExtensions
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DelayedExpansion
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DefaultColor
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\CompletionChar
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\PathCompletionChar
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\AutoRun
HKEY_CURRENT_USER\Software\Microsoft\Command Processor
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DisableUNCCheck
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\EnableExtensions
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DelayedExpansion
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DefaultColor
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\CompletionChar
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\PathCompletionChar
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\AutoRun
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\WMR
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_CLASSES_ROOT\.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.dll\(Default)
HKEY_CLASSES_ROOT\dllfile
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\dllfile\AutoRegister
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\UseFilter
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\zm.dll
HKEY_CLASSES_ROOT\dm.dmsoft
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\dm.dmsoft\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\dm.dmsoft\CLSID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\dm.dmsoft\CLSID\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\dm.dmsoft\CurVer
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\dm.dmsoft\CurVer\(Default)
HKEY_CLASSES_ROOT\CLSID
HKEY_CURRENT_USER\Software\Classes\Wow6432Node\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\ProgID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\ProgID\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32\ThreadingModel
HKEY_CURRENT_USER\Software\Classes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLEAUT
HKEY_CURRENT_USER\Software\Classes\TypeLib
HKEY_CURRENT_USER\Software\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\FLAGS
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\FLAGS\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\0\win32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\0\win32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\HELPDIR
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\HELPDIR\(Default)
HKEY_CURRENT_USER\Software\Classes\Interface
HKEY_CURRENT_USER\Software\Classes\Wow6432Node\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\TypeLib\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\TypeLib\Version
HKEY_CURRENT_USER\Software\Classes\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\TypeLib\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\TypeLib\Version
HKEY_CURRENT_USER\Software\Classes\Wow6432Node\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32
HKEY_CURRENT_USER\Software\Classes\Wow6432Node\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\ProgID
HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_CURRENT_USER\Software\Classes\AppID\taskkill.exe
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Hostname
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\System\DNSclient
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Domain
HKEY_CURRENT_USER\Software\Classes\Interface\{D4781CD6-E5D3-44DF-AD94-930EFE48A887}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D4781CD6-E5D3-44DF-AD94-930EFE48A887}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D4781CD6-E5D3-44DF-AD94-930EFE48A887}\ProxyStubClsid32\(Default)
HKEY_CURRENT_USER\Software\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\Progid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\Progid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\InProcServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\InProcServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\InProcServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\InprocHandler32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\InprocHandler
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\zh-Hans
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\ExtendedLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\zh-Hans
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\zh
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\zh
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en
HKEY_CURRENT_USER\Software\Classes\Interface\{9556DC99-828C-11CF-A37E-00AA003240C7}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9556DC99-828C-11CF-A37E-00AA003240C7}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9556DC99-828C-11CF-A37E-00AA003240C7}\ProxyStubClsid32\(Default)
HKEY_CURRENT_USER\Software\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\Progid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\Progid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocHandler32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocHandler
HKEY_CURRENT_USER\Software\Classes\Interface\{027947E1-D731-11CE-A357-000000000001}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{027947E1-D731-11CE-A357-000000000001}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{027947E1-D731-11CE-A357-000000000001}\ProxyStubClsid32\(Default)
HKEY_CURRENT_USER\Software\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\Progid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\Progid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocHandler32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocHandler
HKEY_CURRENT_USER\Software\Classes\Interface\{1C1C45EE-4395-11D2-B60B-00104B703EFD}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1C1C45EE-4395-11D2-B60B-00104B703EFD}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1C1C45EE-4395-11D2-B60B-00104B703EFD}\ProxyStubClsid32\(Default)
HKEY_CURRENT_USER\Software\Classes\Interface\{423EC01E-2E35-11D2-B604-00104B703EFD}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{423EC01E-2E35-11D2-B604-00104B703EFD}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{423EC01E-2E35-11D2-B604-00104B703EFD}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\WBEM\CIMOM\EnableObjectValidation
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\____________.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\WBEM\CIMOM\Logging

读取的注册表键

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DisableUNCCheck
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\EnableExtensions
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DelayedExpansion
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DefaultColor
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\CompletionChar
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\PathCompletionChar
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\AutoRun
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DisableUNCCheck
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\EnableExtensions
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DelayedExpansion
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DefaultColor
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\CompletionChar
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\PathCompletionChar
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\AutoRun
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.dll\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\UseFilter
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\zm.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\FLAGS\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\0\win32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\HELPDIR\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\TypeLib\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\TypeLib\Version
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\TypeLib\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\TypeLib\Version
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Hostname
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Domain
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D4781CD6-E5D3-44DF-AD94-930EFE48A887}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\InProcServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\InProcServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\InProcServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\zh-Hans
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\zh-Hans
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\zh
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\zh
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9556DC99-828C-11CF-A37E-00AA003240C7}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{027947E1-D731-11CE-A357-000000000001}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1C1C45EE-4395-11D2-B60B-00104B703EFD}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{423EC01E-2E35-11D2-B604-00104B703EFD}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\WBEM\CIMOM\EnableObjectValidation
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\WBEM\CIMOM\Logging

修改的注册表键

HKEY_CLASSES_ROOT\dm.dmsoft
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\dm.dmsoft\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\dm.dmsoft\CLSID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\dm.dmsoft\CLSID\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\dm.dmsoft\CurVer
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\dm.dmsoft\CurVer\(Default)
HKEY_CURRENT_USER\Software\Classes\Wow6432Node\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\ProgID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\ProgID\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32\ThreadingModel
HKEY_CURRENT_USER\Software\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\FLAGS
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\FLAGS\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\0\win32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\0\win32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\HELPDIR
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\HELPDIR\(Default)
HKEY_CURRENT_USER\Software\Classes\Wow6432Node\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\TypeLib\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\TypeLib\Version
HKEY_CURRENT_USER\Software\Classes\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\TypeLib\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\TypeLib\Version

删除的注册表键 无信息

API解析

kernel32.dll.IsProcessorFeaturePresent
cryptbase.dll.SystemFunction036
kernel32.dll.SortGetHandle
kernel32.dll.SortCloseHandle
kernel32.dll.VirtualProtectEx
ws2_32.dll.WSAStartup
kernel32.dll.lstrcpynA
kernel32.dll.RtlMoveMemory
kernel32.dll.VirtualAlloc
kernel32.dll.LoadLibraryA
kernel32.dll.GetProcAddress
kernel32.dll.VirtualProtect
kernel32.dll.VirtualFree
comctl32.dll.ImageList_Draw
gdi32.dll.BitBlt
msimg32.dll.TransparentBlt
msvcrt.dll.free
msvfw32.dll.DrawDibOpen
user32.dll.GetDC
kernel32.dll.MulDiv
kernel32.dll.FlushInstructionCache
kernel32.dll.GetCurrentProcess
kernel32.dll.GetTickCount
kernel32.dll.VirtualQuery
kernel32.dll.SetFilePointer
kernel32.dll.GlobalAlloc
kernel32.dll.GlobalLock
kernel32.dll.GlobalUnlock
kernel32.dll.GlobalReAlloc
kernel32.dll.GlobalFree
kernel32.dll.FindResourceA
kernel32.dll.LoadResource
kernel32.dll.LockResource
kernel32.dll.SizeofResource
kernel32.dll.FreeLibrary
kernel32.dll.GetModuleFileNameA
kernel32.dll.GetModuleHandleA
kernel32.dll.GetVersion
kernel32.dll.GetCurrentThreadId
kernel32.dll.CreateFileA
kernel32.dll.GetFileSize
kernel32.dll.CloseHandle
kernel32.dll.ReadFile
kernel32.dll.SetLastError
comctl32.dll.ImageList_GetIcon
comctl32.dll.ImageList_GetImageInfo
comctl32.dll.ImageList_GetIconSize
kernel32.dll.SetThreadUILanguage
kernel32.dll.CopyFileExW
kernel32.dll.IsDebuggerPresent
kernel32.dll.SetConsoleInputExeNameW
kernel32.dll.Beep
kernel32.dll.FormatMessageA
kernel32.dll.LocalFree
kernel32.dll.IsBadReadPtr
kernel32.dll.CreateMutexA
kernel32.dll.GetSystemInfo
kernel32.dll.VirtualQueryEx
kernel32.dll.WriteFile
kernel32.dll.GetCurrentThread
kernel32.dll.WaitForMultipleObjects
kernel32.dll.SetEvent
kernel32.dll.GetLastError
kernel32.dll.ResumeThread
kernel32.dll.DeleteFileA
kernel32.dll.GetHandleInformation
kernel32.dll.GetSystemTime
kernel32.dll.TerminateThread
kernel32.dll.GetCurrentDirectoryA
kernel32.dll.VirtualFreeEx
kernel32.dll.WaitForSingleObject
kernel32.dll.GetExitCodeThread
kernel32.dll.CreateFileMappingA
kernel32.dll.MapViewOfFile
kernel32.dll.CreateEventA
kernel32.dll.UnmapViewOfFile
kernel32.dll.InterlockedExchange
kernel32.dll.Sleep
kernel32.dll.InterlockedIncrement
kernel32.dll.InterlockedDecrement
kernel32.dll.InitializeCriticalSection
kernel32.dll.DeleteCriticalSection
kernel32.dll.HeapDestroy
kernel32.dll.WideCharToMultiByte
kernel32.dll.lstrcatA
kernel32.dll.GetTempPathA
kernel32.dll.EnterCriticalSection
kernel32.dll.LeaveCriticalSection
kernel32.dll.CreateToolhelp32Snapshot
kernel32.dll.Module32First
kernel32.dll.Module32Next
kernel32.dll.GetFileAttributesA
kernel32.dll.GetCurrentProcessId
kernel32.dll.OpenEventA
kernel32.dll.GetSystemDirectoryA
kernel32.dll.GetShortPathNameA
kernel32.dll.lstrlenA
kernel32.dll.MultiByteToWideChar
kernel32.dll.lstrlenW
kernel32.dll.GetVersionExA
kernel32.dll.WinExec
kernel32.dll.CopyFileA
kernel32.dll.MoveFileA
kernel32.dll.SetFileAttributesA
kernel32.dll.RemoveDirectoryA
kernel32.dll.CreateDirectoryA
kernel32.dll.SetThreadExecutionState
kernel32.dll.OpenProcess
kernel32.dll.ReadProcessMemory
kernel32.dll.FileTimeToSystemTime
kernel32.dll.GetThreadTimes
kernel32.dll.GetProcessTimes
kernel32.dll.Process32Next
kernel32.dll.Process32First
kernel32.dll.TerminateProcess
kernel32.dll.GetLocalTime
kernel32.dll.GetLogicalDriveStringsA
kernel32.dll.LoadLibraryExW
kernel32.dll.ExitThread
kernel32.dll.SetProcessAffinityMask
kernel32.dll.lstrcpyA
kernel32.dll.GetWindowsDirectoryA
kernel32.dll.InterlockedCompareExchange
kernel32.dll.GetThreadContext
kernel32.dll.SetThreadContext
kernel32.dll.SuspendThread
kernel32.dll.GetProcessAffinityMask
kernel32.dll.DeviceIoControl
kernel32.dll.GetPrivateProfileStringA
kernel32.dll.WritePrivateProfileStringA
kernel32.dll.LocalAlloc
kernel32.dll.OpenFileMappingA
advapi32.dll.AdjustTokenPrivileges
advapi32.dll.OpenProcessToken
advapi32.dll.RegDeleteKeyA
advapi32.dll.RegSetValueExA
advapi32.dll.GetTokenInformation
advapi32.dll.RegCloseKey
advapi32.dll.RegQueryValueExA
advapi32.dll.RegOpenKeyA
advapi32.dll.RegOpenKeyExA
advapi32.dll.RegDeleteValueA
advapi32.dll.LookupPrivilegeValueA
gdi32.dll.DeleteDC
gdi32.dll.CreateCompatibleDC
gdi32.dll.GetDeviceCaps
gdi32.dll.SetTextColor
gdi32.dll.CreateFontIndirectA
gdi32.dll.EnumFontFamiliesExA
gdi32.dll.GetPixel
gdi32.dll.CreateSolidBrush
gdi32.dll.SelectObject
gdi32.dll.GetObjectA
gdi32.dll.GetStockObject
gdi32.dll.SelectPalette
gdi32.dll.RealizePalette
gdi32.dll.GetDIBits
gdi32.dll.CreateCompatibleBitmap
gdi32.dll.SetDIBits
gdi32.dll.CreateRectRgn
gdi32.dll.CombineRgn
gdi32.dll.DeleteObject
gdi32.dll.CreatePen
gdi32.dll.MoveToEx
gdi32.dll.LineTo
gdi32.dll.SetBkMode
gdi32.dll.DPtoLP
gdi32.dll.CreateBitmap
gdi32.dll.GetMapMode
gdi32.dll.SetMapMode
gdi32.dll.SetBkColor
gdi32.dll.CreateDIBSection
gdi32.dll.ExtCreateRegion
gdi32.dll.CreateRoundRectRgn
gdi32.dll.CreateEllipticRgn
imm32.dll.ImmInstallIMEA
mfc42.dll.#818
mfc42.dll.#6880
mfc42.dll.#795
mfc42.dll.#6241
mfc42.dll.#567
mfc42.dll.#6453
mfc42.dll.#2379
mfc42.dll.#6805
mfc42.dll.#2864
mfc42.dll.#6671
mfc42.dll.#6478
mfc42.dll.#5265
mfc42.dll.#4376
mfc42.dll.#4853
mfc42.dll.#4998
mfc42.dll.#2514
mfc42.dll.#6052
mfc42.dll.#1775
mfc42.dll.#4425
mfc42.dll.#3597
mfc42.dll.#324
mfc42.dll.#4234
mfc42.dll.#3721
mfc42.dll.#6197
mfc42.dll.#3092
mfc42.dll.#2863
mfc42.dll.#6199
mfc42.dll.#4710
mfc42.dll.#5280
mfc42.dll.#3402
mfc42.dll.#2124
mfc42.dll.#5261
mfc42.dll.#1727
mfc42.dll.#3749
mfc42.dll.#5290
mfc42.dll.#5241
mfc42.dll.#6055
mfc42.dll.#6800
mfc42.dll.#6597
mfc42.dll.#465
mfc42.dll.#860
mfc42.dll.#539
mfc42.dll.#1601
mfc42.dll.#4278
mfc42.dll.#6779
mfc42.dll.#940
mfc42.dll.#355
mfc42.dll.#2515
mfc42.dll.#1116
mfc42.dll.#1176
mfc42.dll.#1575
mfc42.dll.#1577
mfc42.dll.#1182
mfc42.dll.#342
mfc42.dll.#1243
mfc42.dll.#1197
mfc42.dll.#1570
mfc42.dll.#1253
mfc42.dll.#1255
mfc42.dll.#1578
mfc42.dll.#600
mfc42.dll.#826
mfc42.dll.#269
mfc42.dll.#3499
mfc42.dll.#5683
mfc42.dll.#356
mfc42.dll.#924
mfc42.dll.#2770
mfc42.dll.#2781
mfc42.dll.#3178
mfc42.dll.#3181
mfc42.dll.#1980
mfc42.dll.#668
mfc42.dll.#3790
mfc42.dll.#5608
mfc42.dll.#2859
mfc42.dll.#941
mfc42.dll.#939
mfc42.dll.#535
mfc42.dll.#323
mfc42.dll.#1640
mfc42.dll.#2754
mfc42.dll.#2450
mfc42.dll.#640
mfc42.dll.#6143
mfc42.dll.#6883
mfc42.dll.#2764
mfc42.dll.#4129
mfc42.dll.#5710
mfc42.dll.#858
mfc42.dll.#2086
mfc42.dll.#6215
mfc42.dll.#6514
mfc42.dll.#641
mfc42.dll.#4432
mfc42.dll.#4627
mfc42.dll.#6691
mfc42.dll.#5277
mfc42.dll.#6614
mfc42.dll.#2446
mfc42.dll.#5260
mfc42.dll.#1725
mfc42.dll.#5065
mfc42.dll.#3748
mfc42.dll.#6376
mfc42.dll.#2055
mfc42.dll.#2648
mfc42.dll.#4441
mfc42.dll.#4837
mfc42.dll.#3798
mfc42.dll.#5281
mfc42.dll.#4353
mfc42.dll.#6374
mfc42.dll.#5163
mfc42.dll.#2385
mfc42.dll.#4407
mfc42.dll.#1776
mfc42.dll.#4078
mfc42.dll.#6054
mfc42.dll.#4108
mfc42.dll.#4960
mfc42.dll.#4963
mfc42.dll.#4524
mfc42.dll.#4529
mfc42.dll.#4526
mfc42.dll.#4543
mfc42.dll.#4545
mfc42.dll.#4531
mfc42.dll.#4889
mfc42.dll.#4720
mfc42.dll.#4347
mfc42.dll.#4340
mfc42.dll.#5076
mfc42.dll.#6817
mfc42.dll.#4892
mfc42.dll.#4370
mfc42.dll.#4899
mfc42.dll.#4588
mfc42.dll.#4589
mfc42.dll.#6835
mfc42.dll.#6856
mfc42.dll.#6845
mfc42.dll.#6812
mfc42.dll.#6815
mfc42.dll.#6816
mfc42.dll.#6858
mfc42.dll.#6846
mfc42.dll.#6847
mfc42.dll.#6867
mfc42.dll.#6859
mfc42.dll.#6832
mfc42.dll.#6855
mfc42.dll.#6823
mfc42.dll.#6857
mfc42.dll.#6807
mfc42.dll.#825
mfc42.dll.#6591
mfc42.dll.#6650
mfc42.dll.#6283
mfc42.dll.#6282
mfc42.dll.#540
mfc42.dll.#2818
mfc42.dll.#5861
mfc42.dll.#537
mfc42.dll.#6877
mfc42.dll.#389
mfc42.dll.#6059
mfc42.dll.#5207
mfc42.dll.#5356
mfc42.dll.#1988
mfc42.dll.#690
mfc42.dll.#541
mfc42.dll.#801
mfc42.dll.#823
mfc42.dll.#1168
mfc42.dll.#2725
mfc42.dll.#6354
mfc42.dll.#1131
mfc42.dll.#6467
mfc42.dll.#1132
mfc42.dll.#5500
mfc42.dll.#4202
mfc42.dll.#800
mfc42.dll.#561
mfc42.dll.#815
mfc42.dll.#3738
mfc42.dll.#4424
mfc42.dll.#4622
mfc42.dll.#4080
mfc42.dll.#3079
mfc42.dll.#3825
mfc42.dll.#3831
mfc42.dll.#3830
mfc42.dll.#2976
mfc42.dll.#3081
mfc42.dll.#2985
mfc42.dll.#3262
mfc42.dll.#3136
mfc42.dll.#4465
mfc42.dll.#3259
mfc42.dll.#3147
mfc42.dll.#2982
mfc42.dll.#5714
mfc42.dll.#5289
mfc42.dll.#5307
mfc42.dll.#4698
mfc42.dll.#4079
mfc42.dll.#5302
mfc42.dll.#5300
mfc42.dll.#3346
mfc42.dll.#2396
mfc42.dll.#5199
mfc42.dll.#1089
mfc42.dll.#3922
mfc42.dll.#5731
mfc42.dll.#2512
mfc42.dll.#2554
mfc42.dll.#4486
mfc42.dll.#6375
mfc42.dll.#4274
mfc42.dll.#3005
msvcrt.dll._findclose
msvcrt.dll._adjust_fdiv
msvcrt.dll._initterm
msvcrt.dll.??1type_info@@UAE@XZ
msvcrt.dll._onexit
msvcrt.dll.__CxxFrameHandler
msvcrt.dll.sprintf
msvcrt.dll.isalnum
msvcrt.dll.isxdigit
msvcrt.dll.toupper
msvcrt.dll.isdigit
msvcrt.dll.isalpha
msvcrt.dll._CIpow
msvcrt.dll.fclose
msvcrt.dll.strstr
msvcrt.dll.fread
msvcrt.dll.malloc
msvcrt.dll.ftell
msvcrt.dll.fseek
msvcrt.dll.fopen
msvcrt.dll._mbscmp
msvcrt.dll._strlwr
msvcrt.dll._splitpath
msvcrt.dll.getenv
msvcrt.dll.exit
msvcrt.dll.strtod
msvcrt.dll._iob
msvcrt.dll._snprintf
msvcrt.dll.abort
msvcrt.dll.isprint
msvcrt.dll.printf
msvcrt.dll.__CxxLongjmpUnwind
msvcrt.dll._setjmp3
msvcrt.dll.longjmp
msvcrt.dll.floor
msvcrt.dll._itoa
msvcrt.dll._wcsicmp
msvcrt.dll._memicmp
msvcrt.dll._strnicmp
msvcrt.dll.??0exception@@QAE@ABQBD@Z
msvcrt.dll.??1exception@@UAE@XZ
msvcrt.dll._CxxThrowException
msvcrt.dll.strlen
msvcrt.dll.??0exception@@QAE@ABV0@@Z
msvcrt.dll._purecall
msvcrt.dll._beginthreadex
msvcrt.dll.sscanf
msvcrt.dll.isspace
msvcrt.dll.memmove
msvcrt.dll.atoi
msvcrt.dll.rand
msvcrt.dll.srand
msvcrt.dll.fwrite
msvcrt.dll.fflush
msvcrt.dll.fputc
msvcrt.dll.getc
msvcrt.dll.fgets
msvcrt.dll.fscanf
msvcrt.dll.strncpy
msvcrt.dll.wcslen
msvcrt.dll.wcscpy
msvcrt.dll.__dllonexit
msvcrt.dll.__lconv_init
msvcrt.dll.?terminate@@YAXXZ
msvcrt.dll._except_handler3
msvcrt.dll.swprintf
msvcrt.dll.localtime
msvcrt.dll._strupr
msvcrt.dll.remove
msvcrt.dll.realloc
msvcrt.dll.strrchr
msvcrt.dll.wcsrchr
msvcrt.dll.strchr
msvcrt.dll.memchr
msvcrt.dll.time
msvcrt.dll.vsprintf
msvcrt.dll.atol
msvcrt.dll.strncmp
msvcrt.dll._ftol
msvcrt.dll.fprintf
msvcrt.dll._findfirst
msvcrt.dll._findnext
ole32.dll.CoSetProxyBlanket
ole32.dll.CoInitialize
ole32.dll.CoUninitialize
ole32.dll.CoCreateInstance
ole32.dll.CoInitializeSecurity
oleaut32.dll.#6
oleaut32.dll.#163
oleaut32.dll.#2
oleaut32.dll.#161
oleaut32.dll.#7
oleaut32.dll.#162
oleaut32.dll.#9
oleaut32.dll.#184
shell32.dll.SHGetPathFromIDListW
shell32.dll.SHBrowseForFolderW
user32.dll.GetWindow
user32.dll.GetForegroundWindow
user32.dll.SetWindowsHookExA
user32.dll.UnhookWindowsHookEx
user32.dll.MessageBoxA
user32.dll.CharNextA
user32.dll.GetWindowLongA
user32.dll.GetMessageA
user32.dll.SetTimer
user32.dll.SetWindowRgn
user32.dll.UpdateWindow
user32.dll.ShowWindow
user32.dll.SetClassLongA
user32.dll.GetClassLongA
user32.dll.SetWindowPos
user32.dll.SetWindowLongA
user32.dll.CreateWindowExA
user32.dll.IsWindow
user32.dll.GetSystemMenu
user32.dll.EnableMenuItem
user32.dll.DestroyWindow
user32.dll.TranslateAcceleratorA
user32.dll.CopyIcon
user32.dll.MapVirtualKeyExA
user32.dll.GetWindowPlacement
user32.dll.GetKeyState
user32.dll.GetActiveWindow
user32.dll.SetCursorPos
user32.dll.UnloadKeyboardLayout
user32.dll.FindWindowA
user32.dll.SendNotifyMessageA
user32.dll.ReleaseCapture
user32.dll.DestroyCursor
user32.dll.CallWindowProcA
user32.dll.SetWindowLongW
user32.dll.DispatchMessageA
user32.dll.TranslateMessage
user32.dll.ClientToScreen
user32.dll.GetClientRect
user32.dll.GetWindowRect
user32.dll.RegisterClassExA
user32.dll.LoadCursorA
user32.dll.UnregisterClassA
user32.dll.GetClassLongW
user32.dll.GetWindowLongW
user32.dll.InvalidateRect
user32.dll.DrawTextA
user32.dll.BeginPaint
user32.dll.EndPaint
user32.dll.SetRect
user32.dll.LoadImageA
user32.dll.FillRect
user32.dll.PostMessageA
user32.dll.DefWindowProcA
user32.dll.IsWindowVisible
user32.dll.SetWindowTextA
user32.dll.GetWindowTextA
user32.dll.PostQuitMessage
user32.dll.KillTimer
user32.dll.IsIconic
user32.dll.SendMessageA
user32.dll.EnableWindow
user32.dll.EnumWindows
user32.dll.GetClassNameA
user32.dll.GetParent
user32.dll.ReleaseDC
user32.dll.GetWindowDC
user32.dll.MessageBoxW
user32.dll.DrawTextW
user32.dll.SendMessageTimeoutA
user32.dll.GetDlgCtrlID
user32.dll.ScreenToClient
user32.dll.IsWindowEnabled
user32.dll.PtInRect
user32.dll.MapVirtualKeyA
user32.dll.AdjustWindowRectEx
user32.dll.GetMessageExtraInfo
user32.dll.SendInput
user32.dll.GetSystemMetrics
user32.dll.SystemParametersInfoA
user32.dll.GetCursorPos
user32.dll.GetDoubleClickTime
user32.dll.SetPropA
user32.dll.GetPropA
user32.dll.SetForegroundWindow
user32.dll.MoveWindow
user32.dll.IsZoomed
user32.dll.WindowFromPoint
user32.dll.AttachThreadInput
user32.dll.GetFocus
user32.dll.IsWindowUnicode
user32.dll.GetClassNameW
user32.dll.GetDesktopWindow
user32.dll.DrawTextExA
user32.dll.GetWindowThreadProcessId
user32.dll.FindWindowW
user32.dll.FindWindowExA
user32.dll.SetWindowTextW
user32.dll.GetClipboardData
user32.dll.OpenClipboard
user32.dll.EmptyClipboard
user32.dll.SetClipboardData
user32.dll.CloseClipboard
user32.dll.MsgWaitForMultipleObjects
user32.dll.GetIconInfo
user32.dll.DrawIcon
user32.dll.ClipCursor
user32.dll.GetKeyboardLayout
user32.dll.ExitWindowsEx
user32.dll.ChangeDisplaySettingsA
user32.dll.PostThreadMessageA
user32.dll.PeekMessageA
user32.dll.GetAsyncKeyState
user32.dll.RemovePropA
user32.dll.RedrawWindow
version.dll.GetFileVersionInfoSizeA
version.dll.GetFileVersionInfoA
version.dll.VerQueryValueA
winmm.dll.timeGetTime
winmm.dll.mciSendCommandA
winmm.dll.timeKillEvent
winmm.dll.timeSetEvent
ws2_32.dll.#8
ws2_32.dll.#16
ws2_32.dll.#20
ws2_32.dll.#17
ws2_32.dll.#14
ws2_32.dll.#52
ws2_32.dll.#23
ws2_32.dll.#11
ws2_32.dll.#9
ws2_32.dll.#4
ws2_32.dll.#111
ws2_32.dll.#115
ws2_32.dll.#116
ws2_32.dll.#3
ws2_32.dll.#7
ws2_32.dll.#19
ws2_32.dll.#21
zm.dll.DllRegisterServer
ole32.dll.CoTaskMemAlloc
ole32.dll.CoTaskMemFree
advapi32.dll.RegOpenKeyExW
advapi32.dll.RegCreateKeyExW
advapi32.dll.RegSetValueExW
advapi32.dll.RegEnumKeyExW
kernel32.dll.RegDeleteKeyExW
oleaut32.dll.#500
sechost.dll.LookupAccountNameLocalW
advapi32.dll.LookupAccountSidW
sechost.dll.LookupAccountSidLocalW
winsta.dll.WinStationFreeMemory
winsta.dll.WinStationCloseServer
winsta.dll.WinStationOpenServerW
winsta.dll.WinStationFreeGAPMemory
winsta.dll.WinStationGetAllProcesses
winsta.dll.WinStationEnumerateProcesses
kernel32.dll.GetThreadPreferredUILanguages
kernel32.dll.SetThreadPreferredUILanguages
kernel32.dll.LocaleNameToLCID
kernel32.dll.GetLocaleInfoEx
kernel32.dll.LCIDToLocaleName
kernel32.dll.GetSystemDefaultLocaleName
oleaut32.dll.#283
oleaut32.dll.#284
kernel32.dll.RegOpenKeyExW
ntdll.dll.EtwUnregisterTraceGuids
cryptsp.dll.CryptReleaseContext