Maldun Security Analysis Report

Analysis type: FILE
Start time: 2019-11-18 17:20:44
End time: 2019-11-18 17:23:01
Duration: 137 seconds
Analysis engine version: 1.4-Maldun
VM name: win7-sp1-x64-hpdapp01-1
Tag: win7-sp1-x64-hpdapp01-1
VM manager: KVM
Boot time: 2019-11-18 17:20:52
Shutdown time: 2019-11-18 17:23:02
Maldun score

10.0 (Malicious)

File details

File name dragon.exe
File size 4046654 bytes
File type PE32 executable (GUI) Intel 80386, for MS Windows
CRC32 E44663FA
MD5 d556b343ffb45a8c1ac53da54303895d
SHA1 032821c210fcee7dcc7d7567a85b457eb4e840c3
SHA256 06aa1501aca895658d9a0d654af162a00b6b9df3488c82803145487c4aeb79bb
SHA512 9d8c64f7e7782833434d11fe3afc2fa0c6231f9499ad0c1c21adc4f5d7014861d766c644e945645409f6394cc33ab74a7bb1a52b9fb2f2dc0573727af4efa955
Ssdeep 98304:p5YZt2C1zSKFpJl/Oy68MgcAGcZAGCJbch5o:p031TZlGyQKK1beK
PEiD no match
Yara
  • DebuggerTiming__PerformanceCounter ()
  • DebuggerTiming__Ticks (Detected timing ticks function)
  • anti_dbg (Detected self protection if being debugged)
  • network_ssl (Detected network communications over SSL)
  • screenshot (Detected take screenshot function)
  • create_process (Detection function for creating a new process)
  • escalate_priv (Detected escalate privileges function)
  • win_registry (Detected system registries modification function)
  • win_token (Affect system token)
  • win_files_operation (Affect private profile)
  • Maldun_Anomoly_Combined_Activities_7 (Spotted potential malicious behaviors from a small size target, like process manipulation, privilege, token and files)
  • with_urls (Detected the presence of an or several urls)
  • CRC32_poly_Constant (Look for CRC32 [poly])
  • RIPEMD160_Constants (Look for RIPEMD-160 constants)
  • SHA1_Constants (Look for SHA1 constants)
  • IsPE32 (Detected a 32bit PE sample)
  • IsWindowsGUI (Detected a Windows GUI sample)
  • IsPacked (Detected Entropy signature)
  • HasOverlay (Detected Overlay signature)
  • HasDebugData (Detected Debug Data)
  • HasRichSignature (Detected Rich Signature)
VirusTotal no scan result for this file

Signatures

Creates RWX memory
Possibly performs an expiry check: exits early after checking the local time
At least one IP address, domain name or file name was found in a cryptographic call
ioc: 3.91
Repeatedly attempts to create suspended processes
Network activity contains more than one distinct User-Agent
Process: dragon.exe
User-Agent:
Process: dragon.exe
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36
Process: bar.exe
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Process: bar.exe
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Shows interest in specific running processes
process: winlogon.exe
Repeatedly searches for a process that is not found; you may want to re-run the analysis with the startbrowser=1 option enabled
Reads data from its own binary image
self_read: process: dragon.exe, pid: 2476, offset: 0x00000000, length: 0x00000007
self_read: process: dragon.exe, pid: 2476, offset: 0x00000000, length: 0x00002000
self_read: process: dragon.exe, pid: 2476, offset: 0x00000007, length: 0x001ffff0
self_read: process: dragon.exe, pid: 2476, offset: 0x00001ff0, length: 0x00002000
self_read: process: dragon.exe, pid: 2476, offset: 0x00003fe0, length: 0x00002000
self_read: process: dragon.exe, pid: 2476, offset: 0x00005fd0, length: 0x00002000
self_read: process: dragon.exe, pid: 2476, offset: 0x00007fc0, length: 0x00002000
self_read: process: dragon.exe, pid: 2476, offset: 0x00009fb0, length: 0x00002000
self_read: process: dragon.exe, pid: 2476, offset: 0x0000bfa0, length: 0x00002000
self_read: process: dragon.exe, pid: 2476, offset: 0x0000df90, length: 0x00002000
self_read: process: dragon.exe, pid: 2476, offset: 0x0000ff80, length: 0x00002000
self_read: process: dragon.exe, pid: 2476, offset: 0x00011f70, length: 0x00002000
self_read: process: dragon.exe, pid: 2476, offset: 0x00013f60, length: 0x00002000
self_read: process: dragon.exe, pid: 2476, offset: 0x00015f50, length: 0x00002000
self_read: process: dragon.exe, pid: 2476, offset: 0x00017f40, length: 0x00002000
self_read: process: dragon.exe, pid: 2476, offset: 0x00019f30, length: 0x00002000
self_read: process: dragon.exe, pid: 2476, offset: 0x0001bf20, length: 0x00002000
self_read: process: dragon.exe, pid: 2476, offset: 0x0001df10, length: 0x00002000
self_read: process: dragon.exe, pid: 2476, offset: 0x0001ff00, length: 0x00002000
self_read: process: dragon.exe, pid: 2476, offset: 0x00021ef0, length: 0x00002000
self_read: process: dragon.exe, pid: 2476, offset: 0x00023ee0, length: 0x00002000
self_read: process: dragon.exe, pid: 2476, offset: 0x00025ed0, length: 0x00002000
self_read: process: dragon.exe, pid: 2476, offset: 0x00027ec0, length: 0x00002000
self_read: process: dragon.exe, pid: 2476, offset: 0x00029eb0, length: 0x00002000
self_read: process: dragon.exe, pid: 2476, offset: 0x0002bea0, length: 0x00002000
self_read: process: dragon.exe, pid: 2476, offset: 0x0002de90, length: 0x00002000
self_read: process: dragon.exe, pid: 2476, offset: 0x0002fe80, length: 0x00002000
self_read: process: dragon.exe, pid: 2476, offset: 0x00031e70, length: 0x00002000
self_read: process: dragon.exe, pid: 2476, offset: 0x00033e60, length: 0x00002000
self_read: process: dragon.exe, pid: 2476, offset: 0x00035e50, length: 0x00002000
self_read: process: dragon.exe, pid: 2476, offset: 0x00037e40, length: 0x00002000
self_read: process: dragon.exe, pid: 2476, offset: 0x00039e30, length: 0x00002000
self_read: process: dragon.exe, pid: 2476, offset: 0x0003be20, length: 0x00002000
self_read: process: dragon.exe, pid: 2476, offset: 0x0003de10, length: 0x00002000
self_read: process: dragon.exe, pid: 2476, offset: 0x0003fe00, length: 0x00002000
self_read: process: dragon.exe, pid: 2476, offset: 0x00041df0, length: 0x00002000
self_read: process: dragon.exe, pid: 2476, offset: 0x00043de0, length: 0x00002000
self_read: process: dragon.exe, pid: 2476, offset: 0x00045dd0, length: 0x00002000
self_read: process: dragon.exe, pid: 2476, offset: 0x00047dc0, length: 0x00002000
self_read: process: dragon.exe, pid: 2476, offset: 0x00048e00, length: 0x00000031
self_read: process: dragon.exe, pid: 2476, offset: 0x00048e19, length: 0x00392e98
self_read: process: dragon.exe, pid: 2476, offset: 0x003dbf36, length: 0x00000008
self_read: process: dragon.exe, pid: 2736, offset: 0x00000000, length: 0x0007a400
self_read: process: dragon.exe, pid: 2932, offset: 0x00000000, length: 0x0007a600
Creates a hidden file or system file
file: C:\Users\test\AppData\Local\Temp\8D0A5F62C5F14045A614F341ADB3C1CE\
file: C:\Windows\E5B9DECADEF4467DB3E37DDCCE30F979\
A process created a hidden window
Process: csrss.exe -> cmd.exe
Abnormally repeated invocation of CMD
Command: cmd.exe /c timeout /t 1 & del /q /f "c:\windows\e5b9decadef4467db3e37ddcce30f979\csrss.exe"
Maldun Yara rule results - security alerts
Informational: Detected network communications over SSL
Critical: Spotted potential malicious behaviors from a small size target, like process manipulation, privilege, token and files
Informational: Detected Overlay signature
Informational: Detected Debug Data
Generates suspicious network traffic that may be used for malicious activity
signature: ET POLICY PE EXE or DLL Windows file download HTTP
signature: ET TROJAN Generic .bin download from Dotted Quad
signature: ET DNS Query to a *.top domain - Likely Hostile
signature: ET POLICY Unsupported/Fake Windows NT Version 5.0
Injects code into a remote process (CreateRemoteThread)
Executed a process and injected code into it (possibly while unpacking)
A process tried to delay the analysis task for a long time
Process: dragon.exe tried to sleep 1907 seconds, actually delayed analysis time by 0 seconds
Process: bar.exe tried to sleep 125 seconds, actually delayed analysis time by 0 seconds
A process sent local machine information to a remote host
Beacon: bar.exe: mac=52:54:00:FF:13:A8&system=Windows 7&ip=180.170.208.83&machine=test-PC&verify=52:54:00:FF:13:A8
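
The two network artifacts above that are most useful for hunting are the beacon's parameter set (mac, system, ip, machine, verify, with verify repeating the MAC) and the User-Agent strings, one of which claims Windows NT 5.0 from a Windows 7 host (the ET POLICY "Unsupported/Fake Windows NT Version 5.0" alert). The script below is an added example, not part of this report or of the Maldun engine: it runs both checks over proxy log lines. The log format (tab-separated time, client, method, URL, User-Agent, body) and the log lines themselves are constructed for the example; only the beacon field values and the User-Agent strings are taken from the report, and the destination 203.0.113.10 and URL paths are assumed.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Parameter names seen in the beacon; `verify` carried the same value as `mac`.
BEACON_KEYS = {"mac", "system", "ip", "machine", "verify"}
MAC_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")
# "Windows NT 5.0" is Windows 2000; a Windows 7 host claiming it is the fabricated
# UA that ET POLICY "Unsupported/Fake Windows NT Version 5.0" alerts on.
FAKE_NT50_RE = re.compile(r"Windows NT 5\.0\b")

# Constructed proxy log lines (tab-separated: time, client, method, URL, User-Agent,
# request body).  The beacon values and UAs come from this report; the destination
# 203.0.113.10 and the URL paths are assumed for the example.
SAMPLE_LOG = [
    "2019-11-18T17:21:05\t10.0.0.5\tGET\thttp://203.0.113.10/api/?mac=52:54:00:FF:13:A8"
    "&system=Windows%207&ip=180.170.208.83&machine=test-PC&verify=52:54:00:FF:13:A8"
    "\tMozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)\t",
    "2019-11-18T17:21:09\t10.0.0.5\tGET\thttp://203.0.113.10/files/update.bin"
    "\tMozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; "
    ".NET CLR 3.0.04506.648; .NET CLR 3.5.21022)\t",
    "2019-11-18T17:21:12\t10.0.0.7\tGET\thttps://www.example.com/"
    "\tMozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) "
    "Chrome/59.0.3071.115 Safari/537.36\t",
]


def parse_line(line: str) -> dict:
    """Split one constructed log line into its six columns."""
    ts, client, method, url, ua, body = line.rstrip("\n").split("\t", 5)
    return {"ts": ts, "client": client, "method": method, "url": url, "ua": ua, "body": body}


def beacon_fields(query: str):
    """Decode a query string or form body; return the beacon fields if all are present.

    `mac_ok` records whether `mac` looks like a MAC address and `verify` repeats it,
    which is the exact shape of the beacon captured in this report.
    """
    qs = parse_qs(query, keep_blank_values=True)
    if not BEACON_KEYS.issubset(qs):
        return None
    fields = {k: qs[k][0] for k in BEACON_KEYS}
    fields["mac_ok"] = bool(MAC_RE.match(fields["mac"])) and fields["verify"] == fields["mac"]
    return fields


def hunt(lines):
    """Return (time, client, finding, host, detail) tuples for matching log lines."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        parts = urlsplit(rec["url"])
        # the beacon may travel in the query string or in a POST body
        for candidate in (parts.query, rec["body"]):
            b = beacon_fields(candidate) if candidate else None
            if b:
                findings.append((rec["ts"], rec["client"], "beacon", parts.hostname,
                                 f"machine={b['machine']} mac={b['mac']} verified={b['mac_ok']}"))
                break
        if FAKE_NT50_RE.search(rec["ua"]):
            findings.append((rec["ts"], rec["client"], "fake_nt50_ua", parts.hostname, rec["ua"]))
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(*f, sep="  ")
```

On the constructed log the first line yields two findings (the beacon and the fake NT 5.0 User-Agent) while the MSIE 9.0 / NT 6.1 download and the Chrome request yield none; in a real hunt, feed the same functions the query and body columns of your proxy or HTTP-inspection logs.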

Runtime screenshots

Network analysis

No information

Static analysis

PE information

Image base 0x00400000
Entry point 0x0041d759
Declared checksum 0x00000000
Actual checksum 0x003e656b
Minimum OS version required 5.1
PDB path D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb
Compile time 2019-04-28 04:03:27
Import hash (imphash) 00be6e6c4f9e287672c8301b72bdabf3

PE sections

Name    Virtual address  Virtual size  Raw data size  Characteristics                                                              Entropy
.text   0x00001000       0x0002e854    0x0002ea00     IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ                  6.69
.rdata  0x00030000       0x00009a9c    0x00009c00     IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ                            5.13
.data   0x0003a000       0x000213d0    0x00000c00     IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE        3.25
.gfids  0x0005c000       0x000000e8    0x00000200     IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ                            2.11
.rsrc   0x0005d000       0x0000d478    0x0000d600     IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ                            6.85
.reloc  0x0006b000       0x00001fcc    0x00002000     IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ  6.65

Overlay

Offset: 0x0006cfcc
Size: 0x0036ef72

Note: 0x0006cfcc equals the .reloc section's virtual address plus its virtual size (0x6b000 + 0x1fcc), and 0x0036ef72 is the file size (4046654 = 0x3dbf3e) minus that figure, so this offset was derived from virtual addresses. An overlay begins at the end of the last section's raw data on disk; use the section table's raw pointers rather than this value when carving the appended archive.
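
The self_read sequence in the signatures section (0x2000-byte reads advancing by 0x1ff0, i.e. a 16-byte overlap, followed by one read of 0x392e98 bytes from 0x48e19) is the WinRAR SFX stub identified by the PDB path sfxrar.pdb locating the archive appended to its own image and reading it in. The script below is an added example, not part of this report or of WinRAR: it computes the overlay start from the section table's raw pointers, scans for a RAR4/RAR5 marker with the same overlapping-window technique, and returns the carved archive together with its SHA-256 so the payload can be listed with unrar or 7z and hashed separately from the stub. The marker bytes are the documented RAR signatures; the one-section PE used as sample input is constructed and not a real binary.

```python
import hashlib
import struct

# Documented RAR marker blocks: RAR 4.x (7 bytes) and RAR 5.x (8 bytes).
RAR4_SIG = b"Rar!\x1a\x07\x00"
RAR5_SIG = b"Rar!\x1a\x07\x01\x00"


def overlay_offset(data: bytes) -> int:
    """Return the file offset where the overlay begins.

    The overlay is everything after the last byte of section raw data, so the
    answer is max(PointerToRawData + SizeOfRawData) over the section table;
    virtual addresses and virtual sizes play no part in it.
    """
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (num_sections,) = struct.unpack_from("<H", data, coff + 2)
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)
    table = coff + 20 + opt_size            # section table follows the optional header
    end = 0
    for i in range(num_sections):
        hdr = table + i * 40                # IMAGE_SECTION_HEADER is 40 bytes
        size_raw, ptr_raw = struct.unpack_from("<II", data, hdr + 16)
        end = max(end, ptr_raw + size_raw)
    return min(end, len(data))


def find_rar_signature(data: bytes, start: int = 0, window: int = 0x2000, overlap: int = 0x10):
    """Locate a RAR marker by scanning overlapping windows from `start`.

    Same read pattern as the stub's self_read entries (0x2000-byte reads
    advancing by 0x1ff0): the 16-byte overlap is longer than either marker,
    so a marker split across two windows is still seen whole.
    Returns (offset, rar_major_version) or None.
    """
    pos = start
    while pos < len(data):
        chunk = data[pos:pos + window]
        hits = [(chunk.find(sig), ver) for sig, ver in ((RAR4_SIG, 4), (RAR5_SIG, 5))]
        hits = [(i, v) for i, v in hits if i != -1]
        if hits:
            i, v = min(hits)                # earliest marker in this window
            return pos + i, v
        if len(chunk) < window:             # reached end of file
            break
        pos += window - overlap
    return None


def carve_sfx_archive(data: bytes):
    """Return (archive_bytes, version, offset, sha256) for an SFX, else None."""
    hit = find_rar_signature(data, start=overlay_offset(data))
    if hit is None:
        return None
    off, ver = hit
    payload = data[off:]
    return payload, ver, off, hashlib.sha256(payload).hexdigest()


def build_minimal_pe(section_raw: bytes, overlay: bytes) -> bytes:
    """Constructed one-section PE used as sample input; not a real binary."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)      # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x102)      # 1 section, no optional header
    ptr_raw = len(dos) + 4 + len(coff) + 40                           # = 0x80
    sect = (b".text\0\0\0"
            + struct.pack("<IIII", len(section_raw), 0x1000, len(section_raw), ptr_raw)
            + b"\0" * 16)
    return dos + b"PE\0\0" + coff + sect + section_raw + overlay


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read()
    print(f"overlay starts at 0x{overlay_offset(blob):x}")
    res = carve_sfx_archive(blob)
    if res:
        payload, ver, off, digest = res
        print(f"RAR{ver} archive at 0x{off:x}, {len(payload)} bytes, sha256 {digest}")
        open(sys.argv[1] + ".rar", "wb").write(payload)
```

Run it with the sample as the only argument; it writes the carved archive next to the input with a .rar suffix, which can then be listed and extracted with unrar or 7z without executing the stub. Hash the carved archive separately: it is the payload's identity, while the MD5/SHA256 in the file details section cover stub plus archive.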

Imports

Library KERNEL32.dll:
0x430000 - GetLastError
0x430004 - SetLastError
0x430008 - GetCurrentProcess
0x43000c - DeviceIoControl
0x430010 - SetFileTime
0x430014 - CloseHandle
0x430018 - CreateDirectoryW
0x43001c - RemoveDirectoryW
0x430020 - CreateFileW
0x430024 - DeleteFileW
0x430028 - CreateHardLinkW
0x43002c - GetShortPathNameW
0x430030 - GetLongPathNameW
0x430034 - MoveFileW
0x430038 - GetFileType
0x43003c - GetStdHandle
0x430040 - WriteFile
0x430044 - ReadFile
0x430048 - FlushFileBuffers
0x43004c - SetEndOfFile
0x430050 - SetFilePointer
0x430054 - SetFileAttributesW
0x430058 - GetFileAttributesW
0x43005c - FindClose
0x430060 - FindFirstFileW
0x430064 - FindNextFileW
0x430068 - GetVersionExW
0x43006c - GetCurrentDirectoryW
0x430070 - GetFullPathNameW
0x430074 - FoldStringW
0x430078 - GetModuleFileNameW
0x43007c - GetModuleHandleW
0x430080 - FindResourceW
0x430084 - FreeLibrary
0x430088 - GetProcAddress
0x43008c - GetCurrentProcessId
0x430090 - ExitProcess
0x430094 - SetThreadExecutionState
0x430098 - Sleep
0x43009c - LoadLibraryW
0x4300a0 - GetSystemDirectoryW
0x4300a4 - CompareStringW
0x4300a8 - AllocConsole
0x4300ac - FreeConsole
0x4300b0 - AttachConsole
0x4300b4 - WriteConsoleW
0x4300b8 - GetProcessAffinityMask
0x4300bc - CreateThread
0x4300c0 - SetThreadPriority
0x4300c4 - InitializeCriticalSection
0x4300c8 - EnterCriticalSection
0x4300cc - LeaveCriticalSection
0x4300d0 - DeleteCriticalSection
0x4300d4 - SetEvent
0x4300d8 - ResetEvent
0x4300dc - ReleaseSemaphore
0x4300e0 - WaitForSingleObject
0x4300e4 - CreateEventW
0x4300e8 - CreateSemaphoreW
0x4300ec - GetSystemTime
0x4300f0 - SystemTimeToTzSpecificLocalTime
0x4300f4 - TzSpecificLocalTimeToSystemTime
0x4300f8 - SystemTimeToFileTime
0x4300fc - FileTimeToLocalFileTime
0x430100 - LocalFileTimeToFileTime
0x430104 - FileTimeToSystemTime
0x430108 - GetCPInfo
0x43010c - IsDBCSLeadByte
0x430110 - MultiByteToWideChar
0x430114 - WideCharToMultiByte
0x430118 - GlobalAlloc
0x43011c - GetTickCount
0x430120 - LockResource
0x430124 - GlobalLock
0x430128 - GlobalUnlock
0x43012c - GlobalFree
0x430130 - LoadResource
0x430134 - SizeofResource
0x430138 - SetCurrentDirectoryW
0x43013c - GetExitCodeProcess
0x430140 - GetLocalTime
0x430144 - MapViewOfFile
0x430148 - UnmapViewOfFile
0x43014c - CreateFileMappingW
0x430150 - OpenFileMappingW
0x430154 - GetCommandLineW
0x430158 - SetEnvironmentVariableW
0x43015c - ExpandEnvironmentStringsW
0x430160 - GetTempPathW
0x430164 - MoveFileExW
0x430168 - GetLocaleInfoW
0x43016c - GetTimeFormatW
0x430170 - GetDateFormatW
0x430174 - GetNumberFormatW
0x430178 - SetFilePointerEx
0x43017c - GetConsoleMode
0x430180 - GetConsoleCP
0x430184 - HeapSize
0x430188 - SetStdHandle
0x43018c - GetProcessHeap
0x430190 - RaiseException
0x430194 - GetSystemInfo
0x430198 - VirtualProtect
0x43019c - VirtualQuery
0x4301a0 - LoadLibraryExA
0x4301a4 - IsProcessorFeaturePresent
0x4301a8 - IsDebuggerPresent
0x4301ac - UnhandledExceptionFilter
0x4301b0 - SetUnhandledExceptionFilter
0x4301b4 - GetStartupInfoW
0x4301b8 - QueryPerformanceCounter
0x4301bc - GetCurrentThreadId
0x4301c0 - GetSystemTimeAsFileTime
0x4301c4 - InitializeSListHead
0x4301c8 - TerminateProcess
0x4301cc - RtlUnwind
0x4301d0 - EncodePointer
0x4301d4 - InitializeCriticalSectionAndSpinCount
0x4301d8 - TlsAlloc
0x4301dc - TlsGetValue
0x4301e0 - TlsSetValue
0x4301e4 - TlsFree
0x4301e8 - LoadLibraryExW
0x4301ec - QueryPerformanceFrequency
0x4301f0 - GetModuleHandleExW
0x4301f4 - GetModuleFileNameA
0x4301f8 - GetACP
0x4301fc - HeapFree
0x430200 - HeapAlloc
0x430204 - HeapReAlloc
0x430208 - GetStringTypeW
0x43020c - LCMapStringW
0x430210 - FindFirstFileExA
0x430214 - FindNextFileA
0x430218 - IsValidCodePage
0x43021c - GetOEMCP
0x430220 - GetCommandLineA
0x430224 - GetEnvironmentStringsW
0x430228 - FreeEnvironmentStringsW
0x43022c - DecodePointer
Library gdiplus.dll:
0x430234 - GdiplusShutdown
0x430238 - GdiplusStartup
0x43023c - GdipCreateHBITMAPFromBitmap
0x430240 - GdipCreateBitmapFromStreamICM
0x430244 - GdipCreateBitmapFromStream
0x430248 - GdipDisposeImage
0x43024c - GdipCloneImage
0x430250 - GdipFree
0x430254 - GdipAlloc

Dropped files

No information

Behavior analysis

Mutexes
  • DefaultTabtip-MainUI
  • Local\MSCTF.Asm.MutexDefault1
  • f8f7e534-79d3-4f63-8e14-3470fd76dd8d1919wan
  • b92c7679-9cb7-4e18-ba41-5b83ecc12db91919wan
  • CommLogDbgStrMutex
  • 3f667cfb39d99d20f26f61e687c60e16ab3b80879731a3dd52b3fe22714547f2
  • Global\da0ec303522e4d216b9e67578651645234c8e4decc2cd8fe
  • 3f667cfb39d99d20f26f61e687c60e160cbdd40edb43225452b3fe22714547f2
  • Global\da0ec303522e4d21d088738b36610e062dc4db32e4e774c2
Executed commands
  • C:\Program Files (x86)\dragon\dragon.exe
  • C:\Program Files (x86)\dragon\dragonUpdate.exe
  • xck.exe
  • csrss.exe
  • bar.exe
  • cmd.exe /c timeout /t 1 & del /Q /F "C:\Windows\E5B9DECADEF4467DB3E37DDCCE30F979\csrss.exe"
  • svchost.exe
  • timeout /t 1
Created services: none
Started services: none

Processes

dragon.exe PID: 2476, parent PID: 2336
dragon.exe PID: 2736, parent PID: 2476
dragonUpdate.exe PID: 2840, parent PID: 2736
dragon.exe PID: 2932, parent PID: 2840
xck.exe PID: 2684, parent PID: 2932
csrss.exe PID: 2568, parent PID: 2932
bar.exe PID: 2728, parent PID: 2932
svchost.exe PID: 2712, parent PID: 2728
cmd.exe PID: 1964, parent PID: 2568
timeout.exe PID: 1872, parent PID: 1964
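
The process list and command lines support two automated checks: a binary named after a core Windows process (csrss.exe, svchost.exe) that runs from the dropped directory C:\Windows\E5B9DECADEF4467DB3E37DDCCE30F979\ or is started by an application instead of its normal parent, and the cmd.exe /c timeout /t 1 & del ... line with which the dropped csrss.exe removes its own image. The script below is an added example, not part of this report or of the Maldun engine: it rebuilds the tree from (pid, ppid, name, image path, command line) records and flags both patterns. The records are taken from this report's process list, executed commands and file lists; image paths the report does not state (the first dragon.exe instances, svchost.exe, cmd.exe) are left as None rather than guessed, and the expected-parent table reflects Windows 7 process genealogy.

```python
import ntpath
import re

# Windows 7 genealogy of core system processes: name -> legitimate parent image names.
EXPECTED_PARENT = {
    "csrss.exe": {"smss.exe"},
    "winlogon.exe": {"smss.exe"},
    "services.exe": {"wininit.exe"},
    "lsass.exe": {"wininit.exe"},
    "svchost.exe": {"services.exe"},
}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# `del [/switches] "<path>"` inside a cmd.exe command line.
DEL_RE = re.compile(r'\bdel\b(?:\s+/\w+)*\s+"?([^"&]+?)"?\s*(?:&|$)', re.IGNORECASE)

# (pid, ppid, name, image path, command line) taken from this report's process list,
# executed-command list and file lists.  None = path not stated in the report.
DROP_DIR = r"C:\Windows\E5B9DECADEF4467DB3E37DDCCE30F979"
PROCESSES = [
    (2476, 2336, "dragon.exe", None, "dragon.exe"),   # the sample, launched by the sandbox agent
    (2736, 2476, "dragon.exe", r"C:\Program Files (x86)\dragon\dragon.exe", r"C:\Program Files (x86)\dragon\dragon.exe"),
    (2840, 2736, "dragonUpdate.exe", r"C:\Program Files (x86)\dragon\dragonUpdate.exe", r"C:\Program Files (x86)\dragon\dragonUpdate.exe"),
    (2932, 2840, "dragon.exe", None, "dragon.exe"),
    (2684, 2932, "xck.exe", DROP_DIR + r"\xck.exe", "xck.exe"),
    (2568, 2932, "csrss.exe", DROP_DIR + r"\csrss.exe", "csrss.exe"),
    (2728, 2932, "bar.exe", DROP_DIR + r"\bar.exe", "bar.exe"),
    (2712, 2728, "svchost.exe", None, "svchost.exe"),
    (1964, 2568, "cmd.exe", None, 'cmd.exe /c timeout /t 1 & del /Q /F "' + DROP_DIR + r'\csrss.exe"'),
    (1872, 1964, "timeout.exe", None, "timeout /t 1"),
]


def build_tree(records):
    """Index records by pid and link children; returns (procs, roots)."""
    procs = {pid: {"pid": pid, "ppid": ppid, "name": name, "image": image,
                   "cmdline": cmdline, "children": []}
             for pid, ppid, name, image, cmdline in records}
    roots = []
    for p in procs.values():
        parent = procs.get(p["ppid"])
        (parent["children"] if parent else roots).append(p)
    return procs, roots


def render(node, depth=0, out=None):
    """Indented one-line-per-process view of a subtree."""
    out = [] if out is None else out
    out.append("  " * depth + f"{node['name']} (pid {node['pid']})")
    for child in node["children"]:
        render(child, depth + 1, out)
    return out


def analyse(records):
    """Flag system-process masquerading and cmd.exe self-deletion of its parent."""
    procs, _ = build_tree(records)
    findings = []
    for p in procs.values():
        name = p["name"].lower()
        parent = procs.get(p["ppid"])
        if name in EXPECTED_PARENT:
            # a core system binary must live in System32/SysWOW64 ...
            if p["image"] and ntpath.dirname(p["image"]).lower() not in SYSTEM_DIRS:
                findings.append((p["pid"], "masquerade", p["image"]))
            # ... and be started by its usual parent, never by an application
            if parent and parent["name"].lower() not in EXPECTED_PARENT[name]:
                findings.append((p["pid"], "unexpected_parent", parent["name"]))
        if name == "cmd.exe" and parent and parent["image"]:
            m = DEL_RE.search(p["cmdline"])
            if m and ntpath.normcase(m.group(1).strip()) == ntpath.normcase(parent["image"]):
                findings.append((p["pid"], "self_delete", parent["image"]))
    return findings


if __name__ == "__main__":
    _, roots = build_tree(PROCESSES)
    for root in roots:
        print("\n".join(render(root)))
    for f in analyse(PROCESSES):
        print(*f)
```

On the report's records this yields four findings: csrss.exe (2568) both runs outside System32 and is spawned by dragon.exe, svchost.exe (2712) is spawned by bar.exe, and cmd.exe (1964) deletes its parent's image. The same functions apply to Sysmon event ID 1 records, which supply pid, parent pid, image path and command line directly.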

Files accessed
  • C:\Users\test\AppData\Local\Temp\api-ms-win-core-synch-l1-2-0.DLL
  • C:\Windows\System32\api-ms-win-core-synch-l1-2-0.DLL
  • C:\Windows\system\api-ms-win-core-synch-l1-2-0.DLL
  • C:\Windows\api-ms-win-core-synch-l1-2-0.DLL
  • C:\ProgramData\Oracle\Java\javapath\api-ms-win-core-synch-l1-2-0.DLL
  • C:\Windows\System32\wbem\api-ms-win-core-synch-l1-2-0.DLL
  • C:\Windows\System32\WindowsPowerShell\v1.0\api-ms-win-core-synch-l1-2-0.DLL
  • C:\Program Files (x86)\WinRAR\api-ms-win-core-synch-l1-2-0.DLL
  • C:\Users\test\AppData\Local\Temp\api-ms-win-core-fibers-l1-1-1.DLL
  • C:\Windows\System32\api-ms-win-core-fibers-l1-1-1.DLL
  • C:\Windows\system\api-ms-win-core-fibers-l1-1-1.DLL
  • C:\Windows\api-ms-win-core-fibers-l1-1-1.DLL
  • C:\ProgramData\Oracle\Java\javapath\api-ms-win-core-fibers-l1-1-1.DLL
  • C:\Windows\System32\wbem\api-ms-win-core-fibers-l1-1-1.DLL
  • C:\Windows\System32\WindowsPowerShell\v1.0\api-ms-win-core-fibers-l1-1-1.DLL
  • C:\Program Files (x86)\WinRAR\api-ms-win-core-fibers-l1-1-1.DLL
  • C:\Users\test\AppData\Local\Temp\api-ms-win-core-localization-l1-2-1.DLL
  • C:\Windows\System32\api-ms-win-core-localization-l1-2-1.DLL
  • C:\Windows\system\api-ms-win-core-localization-l1-2-1.DLL
  • C:\Windows\api-ms-win-core-localization-l1-2-1.DLL
  • C:\ProgramData\Oracle\Java\javapath\api-ms-win-core-localization-l1-2-1.DLL
  • C:\Windows\System32\wbem\api-ms-win-core-localization-l1-2-1.DLL
  • C:\Windows\System32\WindowsPowerShell\v1.0\api-ms-win-core-localization-l1-2-1.DLL
  • C:\Program Files (x86)\WinRAR\api-ms-win-core-localization-l1-2-1.DLL
  • C:\Windows\Globalization\Sorting\sortdefault.nls
  • C:\Users\test\AppData\Local\Temp\DXGIDebug.dll
  • C:\Users\test\AppData\Local\Temp\lpk.dll
  • C:\Users\test\AppData\Local\Temp\usp10.dll
  • C:\Users\test\AppData\Local\Temp\clbcatq.dll
  • C:\Users\test\AppData\Local\Temp\comres.dll
  • C:\Users\test\AppData\Local\Temp\ws2_32.dll
  • C:\Users\test\AppData\Local\Temp\ws2help.dll
  • C:\Users\test\AppData\Local\Temp\psapi.dll
  • C:\Users\test\AppData\Local\Temp\ieframe.dll
  • C:\Users\test\AppData\Local\Temp\ntshrui.dll
  • C:\Users\test\AppData\Local\Temp\atl.dll
  • C:\Users\test\AppData\Local\Temp\setupapi.dll
  • C:\Users\test\AppData\Local\Temp\apphelp.dll
  • C:\Users\test\AppData\Local\Temp\userenv.dll
  • C:\Users\test\AppData\Local\Temp\netapi32.dll
  • C:\Users\test\AppData\Local\Temp\shdocvw.dll
  • C:\Users\test\AppData\Local\Temp\crypt32.dll
  • C:\Users\test\AppData\Local\Temp\msasn1.dll
  • C:\Users\test\AppData\Local\Temp\cryptui.dll
  • C:\Users\test\AppData\Local\Temp\wintrust.dll
  • C:\Users\test\AppData\Local\Temp\shell32.dll
  • C:\Users\test\AppData\Local\Temp\secur32.dll
  • C:\Users\test\AppData\Local\Temp\cabinet.dll
  • C:\Users\test\AppData\Local\Temp\oleaccrc.dll
  • C:\Users\test\AppData\Local\Temp\ntmarta.dll
  • C:\Users\test\AppData\Local\Temp\profapi.dll
  • C:\Users\test\AppData\Local\Temp\WindowsCodecs.dll
  • C:\Users\test\AppData\Local\Temp\srvcli.dll
  • C:\Users\test\AppData\Local\Temp\cscapi.dll
  • C:\Users\test\AppData\Local\Temp\slc.dll
  • C:\Users\test\AppData\Local\Temp\imageres.dll
  • C:\Users\test\AppData\Local\Temp\dnsapi.DLL
  • C:\Users\test\AppData\Local\Temp\iphlpapi.DLL
  • C:\Users\test\AppData\Local\Temp\WINNSI.DLL
  • C:\Users\test\AppData\Local\Temp\netutils.dll
  • C:\Users\test\AppData\Local\Temp\mpr.dll
  • C:\Users\test\AppData\Local\Temp\devrtl.dll
  • C:\Users\test\AppData\Local\Temp\propsys.dll
  • C:\Users\test\AppData\Local\Temp\mlang.dll
  • C:\Users\test\AppData\Local\Temp\samcli.dll
  • C:\Users\test\AppData\Local\Temp\samlib.dll
  • C:\Users\test\AppData\Local\Temp\wkscli.dll
  • C:\Users\test\AppData\Local\Temp\dfscli.dll
  • C:\Users\test\AppData\Local\Temp\browcli.dll
  • C:\Users\test\AppData\Local\Temp\rasadhlp.dll
  • C:\Users\test\AppData\Local\Temp\dhcpcsvc6.dll
  • C:\Users\test\AppData\Local\Temp\dhcpcsvc.dll
  • C:\Users\test\AppData\Local\Temp\XmlLite.dll
  • C:\Users\test\AppData\Local\Temp\linkinfo.dll
  • C:\Users\test\AppData\Local\Temp\cryptsp.dll
  • C:\Users\test\AppData\Local\Temp\RpcRtRemote.dll
  • C:\Users\test\AppData\Local\Temp\aclui.dll
  • C:\Users\test\AppData\Local\Temp\dsrole.dll
  • C:\Users\test\AppData\Local\Temp\peerdist.dll
  • \Device\KsecDD
  • C:\Users\test\AppData\Local\Temp\dragon.exe
  • C:\Windows\win.ini
  • C:\Windows\SysWOW64\shell32.dll
  • C:\Program Files (x86)
  • C:\Program Files (x86)\dragon
  • C:\Program Files (x86)\dragon\__tmp_rar_sfx_access_check_4881806
  • C:\Program Files (x86)\dragon\by.dll
  • C:\Program Files (x86)\dragon\dragon.exe
  • C:\Program Files (x86)\dragon\dragonUpdate.exe
  • C:\Program Files (x86)\dragon\libcurl.dll
  • C:\Program Files (x86)\dragon\libdock.dll
  • C:\Program Files (x86)\dragon\libeay32.dll
  • C:\Program Files (x86)\dragon\msvcp120.dll
  • C:\Program Files (x86)\dragon\msvcp120d.dll
  • C:\Program Files (x86)\dragon\msvcr120.dll
  • C:\Program Files (x86)\dragon\msvcr120d.dll
  • C:\Program Files (x86)\dragon\ssleay32.dll
  • C:\Program Files (x86)\dragon\zlibwapi.dll
  • \??\MountPointManager
  • C:\Users\test\AppData\Local\Temp\api-ms-win-appmodel-runtime-l1-1-1.DLL
  • C:\Windows\System32\api-ms-win-appmodel-runtime-l1-1-1.DLL
  • C:\Windows\system\api-ms-win-appmodel-runtime-l1-1-1.DLL
  • C:\Windows\api-ms-win-appmodel-runtime-l1-1-1.DLL
  • C:\ProgramData\Oracle\Java\javapath\api-ms-win-appmodel-runtime-l1-1-1.DLL
  • C:\Windows\System32\wbem\api-ms-win-appmodel-runtime-l1-1-1.DLL
  • C:\Windows\System32\WindowsPowerShell\v1.0\api-ms-win-appmodel-runtime-l1-1-1.DLL
  • C:\Program Files (x86)\WinRAR\api-ms-win-appmodel-runtime-l1-1-1.DLL
  • C:\Users\test\AppData\Local\Temp\ext-ms-win-kernel32-package-current-l1-1-0.DLL
  • C:\Windows\System32\tzres.dll
  • C:\usr\local\ssl\openssl.cnf
  • C:\Users\test\AppData\Local\Temp\8D0A5F62C5F14045A614F341ADB3C1CE\
  • C:\Program Files (x86)\dragon\logs\2019_07\
  • C:\Program Files (x86)\dragon\logs
  • C:\Program Files (x86)\dragon\logs\2019_07
  • C:\Program Files (x86)\dragon\logs\2019_07\2019-07-21-18.log
  • C:\Program Files (x86)\dragon\UpdateFileTemp\
  • C:\Program Files (x86)\dragon\UpdateFileTemp\dragon.exe
  • C:\Program Files (x86)\dragon\UpdateFileTemp\*.*
  • C:\Program Files (x86)\dragon\UpdateFileTemp
  • C:\Windows\E5B9DECADEF4467DB3E37DDCCE30F979\
  • C:\Windows\E5B9DECADEF4467DB3E37DDCCE30F979\xck.exe
  • C:\Windows\E5B9DECADEF4467DB3E37DDCCE30F979\csrss.exe
  • C:\Windows\E5B9DECADEF4467DB3E37DDCCE30F979\cdn.DLL
  • C:\Windows\E5B9DECADEF4467DB3E37DDCCE30F979\xly.DLL
  • C:\Program Files (x86)\dragon\CommLogOpt.ini
  • C:\Windows\E5B9DECADEF4467DB3E37DDCCE30F979\bar.exe
  • C:\Windows\E5B9DECADEF4467DB3E37DDCCE30F979\api-ms-win-core-fibers-l1-1-1.DLL
  • C:\Windows\sysnative\api-ms-win-core-fibers-l1-1-1.DLL
  • C:\Windows\system\api-ms-win-core-fibers-l1-1-1.DLL
  • C:\Windows\api-ms-win-core-fibers-l1-1-1.DLL
  • C:\ProgramData\Oracle\Java\javapath\api-ms-win-core-fibers-l1-1-1.DLL
  • C:\Windows\sysnative\wbem\api-ms-win-core-fibers-l1-1-1.DLL
  • C:\Windows\sysnative\WindowsPowerShell\v1.0\api-ms-win-core-fibers-l1-1-1.DLL
  • C:\Program Files (x86)\WinRAR\api-ms-win-core-fibers-l1-1-1.DLL
  • C:\Windows\E5B9DECADEF4467DB3E37DDCCE30F979\api-ms-win-core-localization-l1-2-1.DLL
  • C:\Windows\sysnative\api-ms-win-core-localization-l1-2-1.DLL
  • C:\Windows\system\api-ms-win-core-localization-l1-2-1.DLL
  • C:\Windows\api-ms-win-core-localization-l1-2-1.DLL
  • C:\ProgramData\Oracle\Java\javapath\api-ms-win-core-localization-l1-2-1.DLL
  • C:\Windows\sysnative\wbem\api-ms-win-core-localization-l1-2-1.DLL
  • C:\Windows\sysnative\WindowsPowerShell\v1.0\api-ms-win-core-localization-l1-2-1.DLL
  • C:\Program Files (x86)\WinRAR\api-ms-win-core-localization-l1-2-1.DLL
  • C:\Windows\sysnative\usosvcEx.dll
  • C:\Windows\E5B9DECADEF4467DB3E37DDCCE30F979\api-ms-win-appmodel-runtime-l1-1-1.DLL
  • C:\Windows\sysnative\api-ms-win-appmodel-runtime-l1-1-1.DLL
  • C:\Windows\sysnative\wbem\api-ms-win-appmodel-runtime-l1-1-1.DLL
  • C:\Windows\sysnative\WindowsPowerShell\v1.0\api-ms-win-appmodel-runtime-l1-1-1.DLL
  • C:\Windows\E5B9DECADEF4467DB3E37DDCCE30F979\ext-ms-win-kernel32-package-current-l1-1-0.DLL
  • C:\Windows\sysnative\ext-ms-win-kernel32-package-current-l1-1-0.DLL
  • C:\Windows\system\ext-ms-win-kernel32-package-current-l1-1-0.DLL
  • C:\Windows\ext-ms-win-kernel32-package-current-l1-1-0.DLL
  • C:\ProgramData\Oracle\Java\javapath\ext-ms-win-kernel32-package-current-l1-1-0.DLL
  • C:\Windows\sysnative\wbem\ext-ms-win-kernel32-package-current-l1-1-0.DLL
  • C:\Windows\sysnative\WindowsPowerShell\v1.0\ext-ms-win-kernel32-package-current-l1-1-0.DLL
  • C:\Program Files (x86)\WinRAR\ext-ms-win-kernel32-package-current-l1-1-0.DLL
  • C:\Windows\E5B9DECADEF4467DB3E37DDCCE30F979\kernel32.dll
  • C:\Windows\E5B9DECADEF4467DB3E37DDCCE30F9794928529
  • C:\Windows\E5B9DECADEF4467DB3E37DDCCE30F9794928529\....\
  • C:\Windows\E5B9DECADEF4467DB3E37DDCCE30F9794928529\....\TemporaryFile
  • C:\Windows\E5B9DECADEF4467DB3E37DDCCE30F9794928529\TemporaryFile
  • C:\Windows\E5B9DECADEF4467DB3E37DDCCE30F9794928529\*.*
  • C:\Windows\E5B9DECADEF4467DB3E37DDCCE30F9794928529\TemporaryFile\*.*
  • C:\Windows\E5B9DECADEF4467DB3E37DDCCE30F9794928529\TemporaryFile\TemporaryFile
  • C:\Windows\SysWOW64\msscript.ocx
  • C:\Windows\System32\wbem\wbemdisp.tlb
  • C:\Windows\SysWOW64\stdole2.tlb
  • C:\Windows\E5B9DECADEF4467DB3E37DDCCE30F979\wininet.dll
  • C:\Windows\E5B9DECADEF4467DB3E37DDCCE30F979
  • C:\Windows
  • C:\Windows\E5B9DECADEF4467DB3E37DDCCE30F979\timeout.*
  • C:\Windows\E5B9DECADEF4467DB3E37DDCCE30F979\timeout
  • C:\ProgramData\Oracle\Java\javapath\timeout.*
  • C:\ProgramData\Oracle\Java\javapath\timeout
  • C:\Windows\System32\timeout.*
  • C:\Windows\System32\timeout.COM
  • C:\Windows\System32\timeout.exe
  • C:\
Files read
  • C:\Windows\Globalization\Sorting\sortdefault.nls
  • \Device\KsecDD
  • C:\Users\test\AppData\Local\Temp\dragon.exe
  • C:\Windows\win.ini
  • C:\Windows\SysWOW64\shell32.dll
  • C:\Program Files (x86)\dragon\__tmp_rar_sfx_access_check_4881806
  • C:\Users\test\AppData\Local\Temp\api-ms-win-appmodel-runtime-l1-1-1.DLL
  • C:\Users\test\AppData\Local\Temp\ext-ms-win-kernel32-package-current-l1-1-0.DLL
  • C:\Windows\System32\tzres.dll
  • C:\usr\local\ssl\openssl.cnf
  • C:\Program Files (x86)\dragon\by.dll
  • C:\Program Files (x86)\dragon\dragon.exe
  • C:\Program Files (x86)\dragon\dragonUpdate.exe
  • C:\Program Files (x86)\dragon\libcurl.dll
  • C:\Program Files (x86)\dragon\libdock.dll
  • C:\Program Files (x86)\dragon\libeay32.dll
  • C:\Program Files (x86)\dragon\msvcp120.dll
  • C:\Program Files (x86)\dragon\msvcp120d.dll
  • C:\Program Files (x86)\dragon\msvcr120.dll
  • C:\Program Files (x86)\dragon\msvcr120d.dll
  • C:\Program Files (x86)\dragon\ssleay32.dll
  • C:\Program Files (x86)\dragon\zlibwapi.dll
  • C:\Program Files (x86)\dragon\UpdateFileTemp\dragon.exe
  • C:\Windows\E5B9DECADEF4467DB3E37DDCCE30F979\xck.exe
  • C:\Windows\E5B9DECADEF4467DB3E37DDCCE30F979\csrss.exe
  • C:\Windows\E5B9DECADEF4467DB3E37DDCCE30F979\cdn.DLL
  • C:\Windows\E5B9DECADEF4467DB3E37DDCCE30F979\xly.DLL
  • C:\Program Files (x86)\dragon\CommLogOpt.ini
  • C:\Windows\E5B9DECADEF4467DB3E37DDCCE30F979\bar.exe
  • C:\Windows\E5B9DECADEF4467DB3E37DDCCE30F9794928529\....\
  • C:\Windows\SysWOW64\msscript.ocx
  • C:\Windows\System32\wbem\wbemdisp.tlb
  • C:\Windows\SysWOW64\stdole2.tlb
Files modified
  • C:\Program Files (x86)\dragon\__tmp_rar_sfx_access_check_4881806
  • C:\Program Files (x86)\dragon\by.dll
  • C:\Program Files (x86)\dragon\dragon.exe
  • C:\Program Files (x86)\dragon\dragonUpdate.exe
  • C:\Program Files (x86)\dragon\libcurl.dll
  • C:\Program Files (x86)\dragon\libdock.dll
  • C:\Program Files (x86)\dragon\libeay32.dll
  • C:\Program Files (x86)\dragon\msvcp120.dll
  • C:\Program Files (x86)\dragon\msvcp120d.dll
  • C:\Program Files (x86)\dragon\msvcr120.dll
  • C:\Program Files (x86)\dragon\msvcr120d.dll
  • C:\Program Files (x86)\dragon\ssleay32.dll
  • C:\Program Files (x86)\dragon\zlibwapi.dll
  • C:\Program Files (x86)\dragon\logs\2019_07\2019-07-21-18.log
  • C:\Program Files (x86)\dragon\UpdateFileTemp\dragon.exe
  • C:\Windows\E5B9DECADEF4467DB3E37DDCCE30F979\xck.exe
  • C:\Windows\E5B9DECADEF4467DB3E37DDCCE30F979\csrss.exe
  • C:\Windows\E5B9DECADEF4467DB3E37DDCCE30F979\cdn.DLL
  • C:\Windows\E5B9DECADEF4467DB3E37DDCCE30F979\xly.DLL
  • C:\Windows\E5B9DECADEF4467DB3E37DDCCE30F979\bar.exe
  • C:\Windows\sysnative\usosvcEx.dll
  • C:\Windows\E5B9DECADEF4467DB3E37DDCCE30F9794928529\....\TemporaryFile
  • C:\Windows\E5B9DECADEF4467DB3E37DDCCE30F9794928529\TemporaryFile
Files deleted
  • C:\Program Files (x86)\dragon\__tmp_rar_sfx_access_check_4881806
  • C:\Program Files (x86)\dragon\UpdateFileTemp\dragon.exe
  • C:\Program Files (x86)\dragon\UpdateFileTemp
  • C:\Windows\E5B9DECADEF4467DB3E37DDCCE30F9794928529\TemporaryFile\TemporaryFile
  • C:\Windows\E5B9DECADEF4467DB3E37DDCCE30F9794928529\TemporaryFile
  • C:\Windows\E5B9DECADEF4467DB3E37DDCCE30F9794928529
  • C:\Windows\E5B9DECADEF4467DB3E37DDCCE30F979\csrss.exe
Registry keys
  • HKEY_CLASSES_ROOT\CLSID\{FAE3D380-FEA4-4623-8C75-C6B61110B681}\Instance
  • HKEY_CLASSES_ROOT\CLSID\{FAE3D380-FEA4-4623-8C75-C6B61110B681}\Instance\Disabled
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\ExtendedLocale
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
  • HKEY_CURRENT_USER
  • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
  • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\ScrollInset
  • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\DragDelay
  • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\DragMinDist
  • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\ScrollDelay
  • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\ScrollInterval
  • HKEY_LOCAL_MACHINE\Software\Policies
  • HKEY_CURRENT_USER\Software\Policies
  • HKEY_CURRENT_USER\Software
  • HKEY_LOCAL_MACHINE\Software
  • HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete\Append Completion
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete\AutoSuggest
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete\Always Use Tab
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\AutoComplete\Always Use Tab
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide
  • HKEY_CLASSES_ROOT\CLSID\{03C036F1-A186-11D0-824A-00AA005B4383}\InProcServer32
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{03C036F1-A186-11D0-824A-00AA005B4383}\InProcServer32\(Default)
  • HKEY_CLASSES_ROOT\CLSID\{00BB2763-6A77-11D0-A535-00C04FD7D062}\InProcServer32
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00BB2763-6A77-11D0-A535-00C04FD7D062}\InProcServer32\(Default)
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete\Client\
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\AutoComplete\Client\(Default)
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ProgramFilesDir
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\dragon.exe
  • HKEY_LOCAL_MACHINE\Software\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{03B5835F-F03C-411B-9CE2-AA23E1171E36}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{07EB03D6-B001-41DF-9192-BF9B841EE71F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3697C5FA-60DD-4B56-92D4-74A569205C16}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3FC47A08-E5C9-4BCA-A2C7-BC9A282AED14}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{531FDEBF-9B4C-4A43-A2AA-960E8FCDC732}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{78CB5B0E-26ED-4FCC-854C-77E8F3D1AA80}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{81D4E9C9-1D3B-41BC-9E6C-4B40BF79E35E}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{8613E14C-D0C0-4161-AC0F-1DD2563286BC}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{A028AE76-01B1-46C2-99C4-ACD9858AE02F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{AE6BE008-07FB-400D-8BEB-337A64F7051F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{C1EE01F2-B3B6-4A6A-9DDD-E988C088EC82}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{E429B25A-E5D3-4D1F-9BE3-0C608477E3A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F25E9F57-2FC8-4EB3-A41A-CCE5F08541E6}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F89E9E58-BD2F-4008-9AC2-0F816C09F4EE}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\WMR
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
  • HKEY_CURRENT_USER\Software\Microsoft\CTF\DirectSwitchHotkeys
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{372941a3-1bd9-11e5-9838-806e6f6e6963}\
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{372941a3-1bd9-11e5-9838-806e6f6e6963}\Data
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{372941a3-1bd9-11e5-9838-806e6f6e6963}\Generation
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{372941a4-1bd9-11e5-9838-806e6f6e6963}\
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{372941a4-1bd9-11e5-9838-806e6f6e6963}\Data
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{372941a4-1bd9-11e5-9838-806e6f6e6963}\Generation
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\KnownClasses
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Applications\dragon.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Applications\dragonUpdate.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Hintsoft\PubwinClient
  • HKEY_LOCAL_MACHINE\SOFTWARE\Hintsoft\pubwin
  • HKEY_LOCAL_MACHINE\SOFTWARE\Sicent\wx2004Clt
  • HKEY_LOCAL_MACHINE\SOFTWARE\MpSoft\smenu
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\jingzu
  • HKEY_LOCAL_MACHINE\SOFTWARE\iCafe8
  • HKEY_LOCAL_MACHINE\SOFTWARE\Goyoo\i8desk
  • HKEY_LOCAL_MACHINE\SOFTWARE\Hintsoft1\XunShanPro
  • HKEY_LOCAL_MACHINE\SOFTWARE\SyncExpertNetBar
  • HKEY_LOCAL_MACHINE\SOFTWARE\EYOOCLIENTSTATUS
  • HKEY_LOCAL_MACHINE\SOFTWARE\Richtech
  • HKEY_LOCAL_MACHINE\SOFTWARE\杭州顺网信息技术有限公司\网维大师[F2 F2 F2 BD]娱乐平台 (GBK path that the sandbox rendered one byte at a time as U+FF00+byte and then UTF-8-escaped; decoded here. The vendor is Shunwang of Hangzhou and 网维大师 is its internet-cafe management suite; the four bracketed bytes between 网维大师 and 娱乐平台 are left as hex because their decoding could not be confirmed.)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Sicent\WxAdv
  • HKEY_LOCAL_MACHINE\SOFTWARE\Grabsun\Netsense
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\svcVersion
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Version
  • HKEY_LOCAL_MACHINE\SOFTWARE\Macromedia\FlashPlayer
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Macromedia\FlashPlayer\CurrentVersion
  • HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SQMClient\Windows
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows\CEIPEnable
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Applications\csrss.exe
  • HKEY_CURRENT_USER\Software\Classes
  • HKEY_CURRENT_USER\Software\Classes\TypeLib
  • HKEY_CURRENT_USER\Software\Classes\TypeLib\{0E59F1D2-1FBE-11D0-8FF2-00A0D10038BC}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{0E59F1D2-1FBE-11D0-8FF2-00A0D10038BC}\1.0
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{0E59F1D2-1FBE-11D0-8FF2-00A0D10038BC}\1.0\0
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{0E59F1D2-1FBE-11D0-8FF2-00A0D10038BC}\1.0\0\win32
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{0E59F1D2-1FBE-11D0-8FF2-00A0D10038BC}\1.0\0\win32\(Default)
  • HKEY_CURRENT_USER\Software\Classes\CLSID
  • HKEY_CURRENT_USER\Software\Classes\Wow6432Node\CLSID\{B54F3741-5B07-11CF-A4B0-00AA004A55E8}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}
  • HKEY_CURRENT_USER\Software\Microsoft\Windows Script\Settings
  • HKEY_CURRENT_USER\Software\Microsoft\Windows Script\Settings\JITDebug
  • HKEY_CURRENT_USER\Software\Classes\Winmgmts
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WINMGMTS\CLSID
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WINMGMTS\CLSID\(Default)
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Scripting
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\WBEM\Scripting\Default Namespace
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Hostname
  • HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\System\DNSclient
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Domain
  • HKEY_CURRENT_USER\Software\Classes\Interface\{D4781CD6-E5D3-44DF-AD94-930EFE48A887}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D4781CD6-E5D3-44DF-AD94-930EFE48A887}\ProxyStubClsid32
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D4781CD6-E5D3-44DF-AD94-930EFE48A887}\ProxyStubClsid32\(Default)
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\zh-Hans
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\zh-Hans
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\zh
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\zh
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en
  • HKEY_CURRENT_USER\Software\Classes\Interface\{9556DC99-828C-11CF-A37E-00AA003240C7}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9556DC99-828C-11CF-A37E-00AA003240C7}\ProxyStubClsid32
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9556DC99-828C-11CF-A37E-00AA003240C7}\ProxyStubClsid32\(Default)
  • HKEY_CURRENT_USER\Software\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\TreatAs
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\Progid
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\Progid
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocServer32
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocServer32\InprocServer32
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocServer32\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocServer32\ThreadingModel
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocHandler32
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocHandler
  • HKEY_CURRENT_USER\Software\Classes\TypeLib\{565783C6-CB41-11D1-8B02-00600806D9B6}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{565783C6-CB41-11D1-8B02-00600806D9B6}\1.0
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{565783C6-CB41-11D1-8B02-00600806D9B6}\1.2
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{565783C6-CB41-11D1-8B02-00600806D9B6}\1.2\409
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{565783C6-CB41-11D1-8B02-00600806D9B6}\1.2\9
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{565783C6-CB41-11D1-8B02-00600806D9B6}\1.2\0
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{565783C6-CB41-11D1-8B02-00600806D9B6}\1.2\0\win32
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{565783C6-CB41-11D1-8B02-00600806D9B6}\1.2\0\win32\(Default)
  • HKEY_CURRENT_USER\Software\Classes\Interface\{027947E1-D731-11CE-A357-000000000001}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{027947E1-D731-11CE-A357-000000000001}\ProxyStubClsid32
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{027947E1-D731-11CE-A357-000000000001}\ProxyStubClsid32\(Default)
  • HKEY_CURRENT_USER\Software\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\TreatAs
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\Progid
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\Progid
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocServer32
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocServer32\InprocServer32
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocServer32\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocServer32\ThreadingModel
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocHandler32
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocHandler
  • HKEY_CURRENT_USER\Software\Classes\Interface\{1C1C45EE-4395-11D2-B60B-00104B703EFD}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1C1C45EE-4395-11D2-B60B-00104B703EFD}\ProxyStubClsid32
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1C1C45EE-4395-11D2-B60B-00104B703EFD}\ProxyStubClsid32\(Default)
  • HKEY_CURRENT_USER\Software\Classes\Interface\{423EC01E-2E35-11D2-B604-00104B703EFD}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{423EC01E-2E35-11D2-B604-00104B703EFD}\ProxyStubClsid32
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{423EC01E-2E35-11D2-B604-00104B703EFD}\ProxyStubClsid32\(Default)
  • HKEY_CURRENT_USER\Software\Classes\TypeLib\{00020430-0000-0000-C000-000000000046}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0\win32
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0\win32\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\svchost.exe
  • HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DisableUNCCheck
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\EnableExtensions
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DelayedExpansion
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DefaultColor
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\CompletionChar
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\PathCompletionChar
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\AutoRun
  • HKEY_CURRENT_USER\Software\Microsoft\Command Processor
  • HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DisableUNCCheck
  • HKEY_CURRENT_USER\Software\Microsoft\Command Processor\EnableExtensions
  • HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DelayedExpansion
  • HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DefaultColor
  • HKEY_CURRENT_USER\Software\Microsoft\Command Processor\CompletionChar
  • HKEY_CURRENT_USER\Software\Microsoft\Command Processor\PathCompletionChar
  • HKEY_CURRENT_USER\Software\Microsoft\Command Processor\AutoRun
Registry keys read
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
  • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\ScrollInset
  • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\DragDelay
  • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\DragMinDist
  • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\ScrollDelay
  • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\ScrollInterval
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete\Append Completion
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete\AutoSuggest
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete\Always Use Tab
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\AutoComplete\Always Use Tab
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{03C036F1-A186-11D0-824A-00AA005B4383}\InProcServer32\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00BB2763-6A77-11D0-A535-00C04FD7D062}\InProcServer32\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\AutoComplete\Client\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ProgramFilesDir
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{372941a3-1bd9-11e5-9838-806e6f6e6963}\Data
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{372941a3-1bd9-11e5-9838-806e6f6e6963}\Generation
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{372941a4-1bd9-11e5-9838-806e6f6e6963}\Data
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{372941a4-1bd9-11e5-9838-806e6f6e6963}\Generation
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\svcVersion
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Version
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Macromedia\FlashPlayer\CurrentVersion
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows\CEIPEnable
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{0E59F1D2-1FBE-11D0-8FF2-00A0D10038BC}\1.0\0\win32\(Default)
  • HKEY_CURRENT_USER\Software\Microsoft\Windows Script\Settings\JITDebug
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WINMGMTS\CLSID\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\WBEM\Scripting\Default Namespace
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Hostname
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Domain
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D4781CD6-E5D3-44DF-AD94-930EFE48A887}\ProxyStubClsid32\(Default)
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\zh-Hans
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\zh-Hans
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\zh
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\zh
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9556DC99-828C-11CF-A37E-00AA003240C7}\ProxyStubClsid32\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocServer32\InprocServer32
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocServer32\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocServer32\ThreadingModel
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{565783C6-CB41-11D1-8B02-00600806D9B6}\1.2\0\win32\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{027947E1-D731-11CE-A357-000000000001}\ProxyStubClsid32\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocServer32\InprocServer32
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocServer32\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocServer32\ThreadingModel
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1C1C45EE-4395-11D2-B60B-00104B703EFD}\ProxyStubClsid32\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{423EC01E-2E35-11D2-B604-00104B703EFD}\ProxyStubClsid32\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0\win32\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DisableUNCCheck
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\EnableExtensions
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DelayedExpansion
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DefaultColor
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\CompletionChar
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\PathCompletionChar
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\AutoRun
  • HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DisableUNCCheck
  • HKEY_CURRENT_USER\Software\Microsoft\Command Processor\EnableExtensions
  • HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DelayedExpansion
  • HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DefaultColor
  • HKEY_CURRENT_USER\Software\Microsoft\Command Processor\CompletionChar
  • HKEY_CURRENT_USER\Software\Microsoft\Command Processor\PathCompletionChar
  • HKEY_CURRENT_USER\Software\Microsoft\Command Processor\AutoRun
Registry keys modified: no information
Registry keys deleted: no information
Resolved APIs
  • kernel32.dll.InitializeCriticalSectionEx
  • kernel32.dll.FlsAlloc
  • kernel32.dll.FlsSetValue
  • kernel32.dll.FlsGetValue
  • kernel32.dll.LCMapStringEx
  • kernel32.dll.SetDllDirectoryW
  • kernel32.dll.SortGetHandle
  • kernel32.dll.SortCloseHandle
  • ole32.dll.OleInitialize
  • cryptbase.dll.SystemFunction036
  • comctl32.dll.InitCommonControlsEx
  • kernel32.dll.IsProcessorFeaturePresent
  • user32.dll.GetWindowInfo
  • user32.dll.GetAncestor
  • user32.dll.GetMonitorInfoA
  • user32.dll.EnumDisplayMonitors
  • user32.dll.EnumDisplayDevicesA
  • gdi32.dll.ExtTextOutW
  • gdi32.dll.GdiIsMetaPrintDC
  • shell32.dll.SHGetMalloc
  • ole32.dll.CoGetMalloc
  • user32.dll.LoadIconW
  • user32.dll.LoadBitmapW
  • ole32.dll.CreateStreamOnHGlobal
  • windowscodecs.dll.DllGetClassObject
  • kernel32.dll.WerRegisterMemoryBlock
  • gdi32.dll.GetObjectW
  • user32.dll.GetDC
  • gdi32.dll.GetDeviceCaps
  • user32.dll.ReleaseDC
  • user32.dll.DialogBoxParamW
  • comctl32.dll.RegisterClassNameW
  • uxtheme.dll.EnableThemeDialogTexture
  • uxtheme.dll.OpenThemeData
  • uxtheme.dll.SetWindowTheme
  • imm32.dll.ImmIsIME
  • user32.dll.GetWindowRect
  • user32.dll.GetClientRect
  • user32.dll.GetWindowTextW
  • user32.dll.SetWindowTextW
  • user32.dll.GetSystemMetrics
  • user32.dll.GetWindow
  • user32.dll.SendMessageW
  • user32.dll.SendDlgItemMessageW
  • user32.dll.GetDlgItem
  • user32.dll.GetClassNameW
  • user32.dll.FindWindowExW
  • shlwapi.dll.SHAutoComplete
  • ole32.dll.CoCreateInstance
  • comctl32.dll.#320
  • comctl32.dll.#324
  • comctl32.dll.#411
  • comctl32.dll.#410
  • ole32.dll.CLSIDFromString
  • user32.dll.PeekMessageW
  • user32.dll.GetMessageW
  • user32.dll.TranslateMessage
  • user32.dll.DispatchMessageW
  • advapi32.dll.RegOpenKeyExW
  • advapi32.dll.RegQueryValueExW
  • advapi32.dll.RegCloseKey
  • comctl32.dll.#413
  • user32.dll.GetDlgItemTextW
  • user32.dll.SetFocus
  • ole32.dll.CoInitializeEx
  • ole32.dll.CoUninitialize
  • ole32.dll.CoRegisterInitializeSpy
  • ole32.dll.CoRevokeInitializeSpy
  • imm32.dll.ImmGetContext
  • imm32.dll.ImmGetDefaultIMEWnd
  • imm32.dll.ImmReleaseContext
  • user32.dll.LoadStringW
  • user32.dll.ShowWindow
  • user32.dll.SetDlgItemTextW
  • user32.dll.GetWindowLongW
  • user32.dll.SetWindowLongW
  • user32.dll.CharUpperW
  • shell32.dll.ShellExecuteExW
  • setupapi.dll.CM_Get_Device_Interface_List_Size_ExW
  • setupapi.dll.CM_Get_Device_Interface_List_ExW
  • comctl32.dll.#386
  • user32.dll.EnableWindow
  • user32.dll.EndDialog
  • comctl32.dll.#412
  • comctl32.dll.#388
  • gdi32.dll.DeleteObject
  • ole32.dll.OleUninitialize
  • oleaut32.dll.#500
  • ext-ms-win-kernel32-package-current-l1-1-0.dll.GetCurrentPackageId
  • advapi32.dll.UnregisterTraceGuids
  • comctl32.dll.#321
  • kernel32.dll.FlsFree
  • kernel32.dll.CreateEventExW
  • kernel32.dll.CreateSemaphoreExW
  • kernel32.dll.SetThreadStackGuarantee
  • kernel32.dll.CreateThreadpoolTimer
  • kernel32.dll.SetThreadpoolTimer
  • kernel32.dll.WaitForThreadpoolTimerCallbacks
  • kernel32.dll.CloseThreadpoolTimer
  • kernel32.dll.CreateThreadpoolWait
  • kernel32.dll.SetThreadpoolWait
  • kernel32.dll.CloseThreadpoolWait
  • kernel32.dll.FlushProcessWriteBuffers
  • kernel32.dll.FreeLibraryWhenCallbackReturns
  • kernel32.dll.GetCurrentProcessorNumber
  • kernel32.dll.GetLogicalProcessorInformation
  • kernel32.dll.CreateSymbolicLinkW
  • kernel32.dll.EnumSystemLocalesEx
  • kernel32.dll.CompareStringEx
  • kernel32.dll.GetDateFormatEx
  • kernel32.dll.GetLocaleInfoEx
  • kernel32.dll.GetTimeFormatEx
  • kernel32.dll.GetUserDefaultLocaleName
  • kernel32.dll.IsValidLocaleName
  • kernel32.dll.GetTickCount64
  • cryptsp.dll.CryptAcquireContextA
  • cryptsp.dll.CryptCreateHash
  • cryptsp.dll.CryptHashData
  • cryptsp.dll.CryptGetHashParam
  • cryptsp.dll.CryptDestroyHash
  • cryptsp.dll.CryptReleaseContext
  • kernel32.dll.WaitForSingleObject
  • kernel32.dll.SetEvent
  • kernel32.dll.GetTickCount
  • kernel32.dll.GetPrivateProfileStringA
  • kernel32.dll.CreateFileA
  • kernel32.dll.WriteFile
  • kernel32.dll.CloseHandle
  • kernel32.dll.GetCurrentProcessId
  • kernel32.dll.CreateDirectoryA
  • kernel32.dll.CreateProcessA
  • kernel32.dll.CreateThread
  • kernel32.dll.Sleep
  • kernel32.dll.GetModuleFileNameA
  • kernel32.dll.SetEnvironmentVariableA
  • kernel32.dll.CompareStringW
  • kernel32.dll.SetEndOfFile
  • kernel32.dll.SetStdHandle
  • kernel32.dll.IsValidLocale
  • kernel32.dll.EnumSystemLocalesA
  • kernel32.dll.GetLocaleInfoA
  • kernel32.dll.GetUserDefaultLCID
  • kernel32.dll.GetStringTypeW
  • kernel32.dll.QueryPerformanceCounter
  • kernel32.dll.GetEnvironmentStringsW
  • kernel32.dll.FreeEnvironmentStringsW
  • kernel32.dll.FlushFileBuffers
  • kernel32.dll.GetConsoleMode
  • kernel32.dll.GetConsoleCP
  • kernel32.dll.GetStartupInfoW
  • kernel32.dll.SetHandleCount
  • kernel32.dll.HeapSize
  • kernel32.dll.HeapDestroy
  • kernel32.dll.HeapCreate
  • kernel32.dll.GetLocaleInfoW
  • kernel32.dll.LoadLibraryW
  • kernel32.dll.InitializeCriticalSectionAndSpinCount
  • kernel32.dll.FreeLibrary
  • kernel32.dll.DeleteFileA
  • kernel32.dll.GlobalAlloc
  • kernel32.dll.GlobalFree
  • kernel32.dll.GetLastError
  • kernel32.dll.IsValidCodePage
  • kernel32.dll.GetOEMCP
  • kernel32.dll.TlsFree
  • kernel32.dll.TlsSetValue
  • kernel32.dll.TlsGetValue
  • kernel32.dll.TlsAlloc
  • kernel32.dll.GetTimeZoneInformation
  • kernel32.dll.IsDebuggerPresent
  • kernel32.dll.SetUnhandledExceptionFilter
  • kernel32.dll.UnhandledExceptionFilter
  • kernel32.dll.GetModuleFileNameW
  • kernel32.dll.GetStdHandle
  • kernel32.dll.GetFileType
  • kernel32.dll.WriteConsoleW
  • kernel32.dll.WideCharToMultiByte
  • kernel32.dll.InterlockedIncrement
  • kernel32.dll.InterlockedDecrement
  • kernel32.dll.InterlockedExchange
  • kernel32.dll.MultiByteToWideChar
  • kernel32.dll.InitializeCriticalSection
  • kernel32.dll.DeleteCriticalSection
  • kernel32.dll.EnterCriticalSection
  • kernel32.dll.LeaveCriticalSection
  • kernel32.dll.GetVersionExA
  • kernel32.dll.GetCurrentProcess
  • kernel32.dll.GetProcAddress
  • kernel32.dll.GetModuleHandleA
  • kernel32.dll.GetSystemInfo
  • kernel32.dll.VirtualQuery
  • kernel32.dll.CreateToolhelp32Snapshot
  • kernel32.dll.Module32First
  • kernel32.dll.Module32Next
  • kernel32.dll.CreateFileW
  • kernel32.dll.Process32First
  • kernel32.dll.Process32Next
  • kernel32.dll.LoadLibraryA
  • kernel32.dll.OutputDebugStringA
  • kernel32.dll.ReadFile
  • kernel32.dll.CreateMutexA
  • kernel32.dll.OpenEventA
  • kernel32.dll.OpenFileMappingA
  • kernel32.dll.MapViewOfFile
  • kernel32.dll.ReleaseMutex
  • kernel32.dll.UnmapViewOfFile
  • kernel32.dll.GetLocalTime
  • kernel32.dll.GetCurrentThreadId
  • kernel32.dll.GetPrivateProfileIntA
  • kernel32.dll.HeapAlloc
  • kernel32.dll.GetProcessHeap
  • kernel32.dll.HeapFree
  • kernel32.dll.CreateEventA
  • kernel32.dll.GetTempPathA
  • kernel32.dll.TerminateProcess
  • kernel32.dll.CreateFileMappingA
  • kernel32.dll.SetLastError
  • kernel32.dll.GetACP
  • kernel32.dll.FormatMessageA
  • kernel32.dll.SetFilePointer
  • kernel32.dll.GetFileAttributesA
  • kernel32.dll.ResumeThread
  • kernel32.dll.GetModuleHandleW
  • kernel32.dll.GetSystemTimeAsFileTime
  • kernel32.dll.RaiseException
  • kernel32.dll.RtlUnwind
  • kernel32.dll.GetTimeFormatA
  • kernel32.dll.GetDateFormatA
  • kernel32.dll.ExitProcess
  • kernel32.dll.ExitThread
  • kernel32.dll.GetCommandLineA
  • kernel32.dll.LCMapStringW
  • kernel32.dll.GetCPInfo
  • kernel32.dll.HeapReAlloc
  • kernel32.dll.MoveFileA
  • advapi32.dll.InitializeSecurityDescriptor
  • advapi32.dll.SetSecurityDescriptorDacl
  • advapi32.dll.RegOpenKeyExA
  • advapi32.dll.RegQueryValueExA
  • advapi32.dll.AllocateAndInitializeSid
  • advapi32.dll.FreeSid
  • advapi32.dll.GetLengthSid
  • advapi32.dll.InitializeAcl
  • advapi32.dll.AddAccessAllowedAce
  • iphlpapi.dll.GetAdaptersInfo
  • shell32.dll.SHGetSpecialFolderPathA
  • shlwapi.dll.PathFileExistsA
  • user32.dll.wsprintfA
  • user32.dll.LoadStringA
  • wininet.dll.InternetCloseHandle
  • wininet.dll.InternetReadFile
  • wininet.dll.InternetGetCookieA
  • wininet.dll.HttpQueryInfoA
  • wininet.dll.HttpSendRequestA
  • wininet.dll.HttpAddRequestHeadersA
  • wininet.dll.HttpOpenRequestA
  • wininet.dll.InternetConnectA
  • wininet.dll.InternetSetOptionA
  • wininet.dll.InternetOpenA
  • wininet.dll.InternetCrackUrlA
  • ws2_32.dll.#57
  • ws2_32.dll.#16
  • ws2_32.dll.#19
  • ws2_32.dll.#1
  • ws2_32.dll.#12
  • ws2_32.dll.#21
  • ws2_32.dll.#2
  • ws2_32.dll.#10
  • ws2_32.dll.#18
  • ws2_32.dll.#9
  • ws2_32.dll.#11
  • ws2_32.dll.#51
  • ws2_32.dll.#4
  • ws2_32.dll.#3
  • ws2_32.dll.#23
  • ws2_32.dll.#115
  • ws2_32.dll.#14
  • ws2_32.dll.#8
  • ws2_32.dll.#17
  • ws2_32.dll.#151
  • ws2_32.dll.#20
  • ws2_32.dll.#116
  • ws2_32.dll.#15
  • ws2_32.dll.#52
  • ws2_32.dll.#5
  • ws2_32.dll.#13
  • kernel32.dll.IsWow64Process
  • kernel32.dll.GetNativeSystemInfo
  • ntdll.dll.RtlGetNtVersionNumbers
  • rasapi32.dll.RasConnectionNotificationW
  • sechost.dll.NotifyServiceStatusChangeA
  • comctl32.dll.#332
  • rpcrt4.dll.RpcBindingFree
  • kernel32.dll.UnlockFile
  • kernel32.dll.LockFile
  • kernel32.dll.DuplicateHandle
  • kernel32.dll.lstrcpynA
  • kernel32.dll.FileTimeToSystemTime
  • kernel32.dll.CreateSemaphoreA
  • kernel32.dll.ReleaseSemaphore
  • kernel32.dll.GetProfileStringA
  • kernel32.dll.WaitForMultipleObjects
  • kernel32.dll.IsBadCodePtr
  • kernel32.dll.IsBadReadPtr
  • kernel32.dll.CompareStringA
  • kernel32.dll.IsBadWritePtr
  • kernel32.dll.VirtualAlloc
  • kernel32.dll.LCMapStringA
  • kernel32.dll.VirtualFree
  • kernel32.dll.GetEnvironmentVariableA
  • kernel32.dll.GetEnvironmentStrings
  • kernel32.dll.FreeEnvironmentStringsA
  • kernel32.dll.FindResourceA
  • kernel32.dll.LoadResource
  • kernel32.dll.LockResource
  • kernel32.dll.lstrlenW
  • kernel32.dll.RemoveDirectoryA
  • kernel32.dll.GlobalSize
  • kernel32.dll.lstrcatA
  • kernel32.dll.lstrlenA
  • kernel32.dll.WinExec
  • kernel32.dll.lstrcpyA
  • kernel32.dll.FindNextFileA
  • kernel32.dll.GlobalReAlloc
  • kernel32.dll.GetFullPathNameA
  • kernel32.dll.WritePrivateProfileStringA
  • kernel32.dll.GlobalLock
  • kernel32.dll.GlobalUnlock
  • kernel32.dll.FindFirstFileA
  • kernel32.dll.FindClose
  • kernel32.dll.SetCurrentDirectoryA
  • kernel32.dll.GetVolumeInformationA
  • kernel32.dll.MulDiv
  • kernel32.dll.GetSystemTime
  • kernel32.dll.GetStartupInfoA
  • kernel32.dll.GetProcessVersion
  • kernel32.dll.SetErrorMode
  • kernel32.dll.GlobalFlags
  • kernel32.dll.GetCurrentThread
  • kernel32.dll.GetFileTime
  • kernel32.dll.GetFileSize
  • kernel32.dll.LocalReAlloc
  • kernel32.dll.GlobalHandle
  • kernel32.dll.LocalAlloc
  • kernel32.dll.FileTimeToLocalFileTime
  • kernel32.dll.LocalFree
  • kernel32.dll.GetStringTypeA
  • kernel32.dll.lstrcmpA
  • kernel32.dll.GetVersion
  • kernel32.dll.GlobalGetAtomNameA
  • kernel32.dll.GlobalAddAtomA
  • kernel32.dll.GlobalFindAtomA
  • kernel32.dll.GlobalDeleteAtom
  • kernel32.dll.lstrcmpiA
  • advapi32.dll.RegQueryValueA
  • advapi32.dll.RegSetValueExA
  • advapi32.dll.RegCreateKeyExA
  • comctl32.dll.#17
  • comctl32.dll.ImageList_Destroy
  • comdlg32.dll.GetFileTitleA
  • comdlg32.dll.GetSaveFileNameA
  • comdlg32.dll.GetOpenFileNameA
  • comdlg32.dll.ChooseColorA
  • gdi32.dll.SelectPalette
  • gdi32.dll.RealizePalette
  • gdi32.dll.GetDIBits
  • gdi32.dll.GetWindowExtEx
  • gdi32.dll.GetViewportOrgEx
  • gdi32.dll.GetWindowOrgEx
  • gdi32.dll.BeginPath
  • gdi32.dll.EndPath
  • gdi32.dll.PathToRegion
  • gdi32.dll.CreateEllipticRgn
  • gdi32.dll.CreateRoundRectRgn
  • gdi32.dll.GetTextColor
  • gdi32.dll.GetBkMode
  • gdi32.dll.GetBkColor
  • gdi32.dll.GetROP2
  • gdi32.dll.GetStretchBltMode
  • gdi32.dll.GetPolyFillMode
  • gdi32.dll.CreateCompatibleBitmap
  • gdi32.dll.CreateDCA
  • gdi32.dll.CreateBitmap
  • gdi32.dll.SelectObject
  • gdi32.dll.CreatePen
  • gdi32.dll.PatBlt
  • gdi32.dll.CombineRgn
  • gdi32.dll.CreateRectRgn
  • gdi32.dll.FillRgn
  • gdi32.dll.CreateSolidBrush
  • gdi32.dll.CreateFontIndirectA
  • gdi32.dll.GetStockObject
  • gdi32.dll.GetObjectA
  • gdi32.dll.EndPage
  • gdi32.dll.EndDoc
  • gdi32.dll.DeleteDC
  • gdi32.dll.StartDocA
  • gdi32.dll.StartPage
  • gdi32.dll.BitBlt
  • gdi32.dll.CreateRectRgnIndirect
  • gdi32.dll.Ellipse
  • gdi32.dll.Rectangle
  • gdi32.dll.StretchBlt
  • gdi32.dll.DPtoLP
  • gdi32.dll.GetCurrentObject
  • gdi32.dll.RoundRect
  • gdi32.dll.GetTextExtentPoint32A
  • gdi32.dll.SaveDC
  • gdi32.dll.RestoreDC
  • gdi32.dll.SetBkMode
  • gdi32.dll.SetPolyFillMode
  • gdi32.dll.SetROP2
  • gdi32.dll.SetTextColor
  • gdi32.dll.SetMapMode
  • gdi32.dll.SetViewportOrgEx
  • gdi32.dll.OffsetViewportOrgEx
  • gdi32.dll.SetViewportExtEx
  • gdi32.dll.ScaleViewportExtEx
  • gdi32.dll.SetWindowOrgEx
  • gdi32.dll.SetWindowExtEx
  • gdi32.dll.ScaleWindowExtEx
  • gdi32.dll.GetClipBox
  • gdi32.dll.ExcludeClipRect
  • gdi32.dll.MoveToEx
  • gdi32.dll.LineTo
  • gdi32.dll.ExtSelectClipRgn
  • gdi32.dll.CreatePalette
  • gdi32.dll.GetSystemPaletteEntries
  • gdi32.dll.CreateDIBitmap
  • gdi32.dll.SelectClipRgn
  • gdi32.dll.CreatePolygonRgn
  • gdi32.dll.GetClipRgn
  • gdi32.dll.SetStretchBltMode
  • gdi32.dll.LPtoDP
  • gdi32.dll.SetBkColor
  • gdi32.dll.CreateCompatibleDC
  • gdi32.dll.GetTextMetricsA
  • gdi32.dll.Escape
  • gdi32.dll.ExtTextOutA
  • gdi32.dll.TextOutA
  • gdi32.dll.RectVisible
  • gdi32.dll.PtVisible
  • gdi32.dll.GetViewportExtEx
  • ole32.dll.CLSIDFromProgID
  • ole32.dll.OleRun
  • oleaut32.dll.#9
  • oleaut32.dll.#12
  • oleaut32.dll.#19
  • oleaut32.dll.#20
  • oleaut32.dll.#17
  • oleaut32.dll.#24
  • oleaut32.dll.#23
  • oleaut32.dll.#25
  • oleaut32.dll.#11
  • oleaut32.dll.#8
  • oleaut32.dll.#2
  • oleaut32.dll.#163
  • oleaut32.dll.#165
  • oleaut32.dll.#161
  • oleaut32.dll.#186
  • rasapi32.dll.RasHangUpA
  • rasapi32.dll.RasGetConnectStatusA
  • shell32.dll.ShellExecuteA
  • shell32.dll.Shell_NotifyIconA
  • user32.dll.OpenClipboard
  • user32.dll.SetClipboardData
  • user32.dll.EmptyClipboard
  • user32.dll.GetCursorPos
  • user32.dll.MessageBoxA
  • user32.dll.SetWindowPos
  • user32.dll.SendMessageA
  • user32.dll.DestroyCursor
  • user32.dll.SetParent
  • user32.dll.IsWindow
  • user32.dll.PostMessageA
  • user32.dll.GetTopWindow
  • user32.dll.GetParent
  • user32.dll.GetFocus
  • user32.dll.InvalidateRect
  • user32.dll.ValidateRect
  • user32.dll.UpdateWindow
  • user32.dll.GetClipboardData
  • user32.dll.CloseClipboard
  • user32.dll.EqualRect
  • user32.dll.SetForegroundWindow
  • user32.dll.DestroyMenu
  • user32.dll.IsChild
  • user32.dll.IsRectEmpty
  • user32.dll.SetCursor
  • user32.dll.LoadCursorA
  • user32.dll.SetCursorPos
  • user32.dll.SetActiveWindow
  • user32.dll.GetSysColor
  • user32.dll.SetWindowLongA
  • user32.dll.GetWindowLongA
  • user32.dll.RedrawWindow
  • user32.dll.IsWindowVisible
  • user32.dll.OffsetRect
  • user32.dll.PtInRect
  • user32.dll.DestroyIcon
  • user32.dll.IntersectRect
  • user32.dll.InflateRect
  • user32.dll.SetRect
  • user32.dll.SetScrollPos
  • user32.dll.SetScrollRange
  • user32.dll.GetScrollRange
  • user32.dll.SetCapture
  • user32.dll.GetCapture
  • user32.dll.ReleaseCapture
  • user32.dll.SetTimer
  • user32.dll.KillTimer
  • user32.dll.WinHelpA
  • user32.dll.LoadBitmapA
  • user32.dll.CopyRect
  • user32.dll.ChildWindowFromPointEx
  • user32.dll.ScreenToClient
  • user32.dll.GetMessagePos
  • user32.dll.SetWindowRgn
  • user32.dll.DestroyAcceleratorTable
  • user32.dll.GetActiveWindow
  • user32.dll.FillRect
  • user32.dll.RegisterWindowMessageA
  • user32.dll.IsIconic
  • user32.dll.PeekMessageA
  • user32.dll.SetMenu
  • user32.dll.GetMenu
  • user32.dll.DeleteMenu
  • user32.dll.GetSystemMenu
  • user32.dll.DefWindowProcA
  • user32.dll.GetSysColorBrush
  • user32.dll.GetDesktopWindow
  • user32.dll.GetClassNameA
  • user32.dll.GetMenuCheckMarkDimensions
  • user32.dll.GetMenuState
  • user32.dll.SetMenuItemBitmaps
  • user32.dll.CheckMenuItem
  • user32.dll.MoveWindow
  • user32.dll.IsDialogMessageA
  • user32.dll.ScrollWindowEx
  • user32.dll.SetWindowTextA
  • user32.dll.LoadIconA
  • user32.dll.DrawFrameControl
  • user32.dll.DrawEdge
  • user32.dll.DrawFocusRect
  • user32.dll.WindowFromPoint
  • user32.dll.GetMessageA
  • user32.dll.DispatchMessageA
  • user32.dll.SetRectEmpty
  • user32.dll.RegisterClipboardFormatA
  • user32.dll.CreateIconFromResourceEx
  • user32.dll.CreateIconFromResource
  • user32.dll.DrawIconEx
  • user32.dll.CreatePopupMenu
  • user32.dll.AppendMenuA
  • user32.dll.ModifyMenuA
  • user32.dll.CreateMenu
  • user32.dll.CreateAcceleratorTableA
  • user32.dll.GetDlgCtrlID
  • user32.dll.GetSubMenu
  • user32.dll.EnableMenuItem
  • user32.dll.ClientToScreen
  • user32.dll.EnumDisplaySettingsA
  • user32.dll.LoadImageA
  • user32.dll.SystemParametersInfoA
  • user32.dll.IsWindowEnabled
  • user32.dll.TranslateAcceleratorA
  • user32.dll.GetKeyState
  • user32.dll.CopyAcceleratorTableA
  • user32.dll.PostQuitMessage
  • user32.dll.IsZoomed
  • user32.dll.GetClassInfoA
  • user32.dll.GetWindowTextA
  • user32.dll.GetWindowTextLengthA
  • user32.dll.CharUpperA
  • user32.dll.GetWindowDC
  • user32.dll.BeginPaint
  • user32.dll.EndPaint
  • user32.dll.TabbedTextOutA
  • user32.dll.DrawTextA
  • user32.dll.GrayStringA
  • user32.dll.DestroyWindow
  • user32.dll.CreateDialogIndirectParamA
  • user32.dll.GetNextDlgTabItem
  • user32.dll.GetWindowPlacement
  • user32.dll.UnregisterClassA
  • user32.dll.GetForegroundWindow
  • user32.dll.GetLastActivePopup
  • user32.dll.GetMessageTime
  • user32.dll.RemovePropA
  • user32.dll.CallWindowProcA
  • user32.dll.GetPropA
  • user32.dll.UnhookWindowsHookEx
  • user32.dll.SetPropA
  • user32.dll.GetClassLongA
  • user32.dll.CallNextHookEx
  • user32.dll.SetWindowsHookExA
  • user32.dll.CreateWindowExA
  • user32.dll.GetMenuItemID
  • user32.dll.GetMenuItemCount
  • user32.dll.RegisterClassA
  • user32.dll.GetScrollPos
  • user32.dll.AdjustWindowRectEx
  • user32.dll.MapWindowPoints
  • user32.dll.SendDlgItemMessageA
  • wininet.dll.InternetCanonicalizeUrlA
  • winmm.dll.waveOutUnprepareHeader
  • winmm.dll.waveOutPrepareHeader
  • winmm.dll.waveOutWrite
  • winmm.dll.waveOutPause
  • winmm.dll.waveOutReset
  • winmm.dll.waveOutClose
  • winmm.dll.midiStreamRestart
  • winmm.dll.waveOutGetNumDevs
  • winmm.dll.waveOutOpen
  • winmm.dll.midiOutUnprepareHeader
  • winmm.dll.midiStreamOpen
  • winmm.dll.midiStreamProperty
  • winmm.dll.midiOutPrepareHeader
  • winmm.dll.midiStreamOut
  • winmm.dll.midiStreamStop
  • winmm.dll.midiOutReset
  • winmm.dll.midiStreamClose
  • winspool.drv.OpenPrinterA
  • winspool.drv.DocumentPropertiesA
  • winspool.drv.ClosePrinter
  • ws2_32.dll.#101
  • sxs.dll.SxsOleAut32RedirectTypeLibrary
  • advapi32.dll.RegOpenKeyW
  • advapi32.dll.RegQueryValueW
  • sxs.dll.SxsOleAut32MapConfiguredClsidToReferenceClsid
  • advapi32.dll.RegCreateKeyA
  • ole32.dll.CreateBindCtx
  • ole32.dll.MkParseDisplayName
  • oleaut32.dll.#6
  • kernel32.dll.GetThreadPreferredUILanguages
  • kernel32.dll.SetThreadPreferredUILanguages
  • kernel32.dll.LocaleNameToLCID
  • kernel32.dll.LCIDToLocaleName
  • kernel32.dll.GetSystemDefaultLocaleName
  • ole32.dll.BindMoniker
  • advapi32.dll.RegEnumKeyW
  • oleaut32.dll.#283
  • oleaut32.dll.#284
  • kernel32.dll.lstrcpyn
  • kernel32.dll.RtlMoveMemory
  • msvcrt.dll._strnicmp
  • msvcrt.dll.__CxxFrameHandler
  • msvcrt.dll.memmove
  • msvcrt.dll.malloc
  • msvcrt.dll.free
  • msvcrt.dll._stricmp
  • msvcrt.dll.modf
  • msvcrt.dll.strchr
  • msvcrt.dll.sprintf
  • msvcrt.dll.strncmp
  • msvcrt.dll.toupper
  • msvcrt.dll.strncpy
  • msvcrt.dll.tolower
  • msvcrt.dll.strtod
  • msvcrt.dll.??3@YAXPAX@Z
  • msvcrt.dll.atoi
  • msvcrt.dll._ftol
  • kernel32.dll.LocalSize
  • kernel32.dll.GetThreadContext
  • kernel32.dll.ReadProcessMemory
  • ntdll.dll.ZwUnmapViewOfSection
  • kernel32.dll.VirtualAllocEx
  • kernel32.dll.WriteProcessMemory
  • kernel32.dll.VirtualProtectEx
  • kernel32.dll.SetThreadContext
  • ntdll.dll.EtwUnregisterTraceGuids
  • kernel32.dll.SetThreadUILanguage
  • kernel32.dll.CopyFileExW
  • kernel32.dll.SetConsoleInputExeNameW