魔盾安全分析报告

分析类型	开始时间	结束时间	持续时间	分析引擎版本
FILE	2020-01-18 17:25:47	2020-01-18 17:26:42	55 秒	1.4-Maldun

虚拟机机器名	标签	虚拟机管理	开机时间	关机时间
win7-sp1-x64-hpdapp01-1	win7-sp1-x64-hpdapp01-1	KVM	2020-01-18 17:25:57	2020-01-18 17:26:43

魔盾分数
10.0 恶意的

文件详细信息

文件名	龙心3.2.exe
文件大小	5324800 字节
文件类型	PE32 executable (GUI) Intel 80386, for MS Windows
CRC32	394D7A95
MD5	9c43009170a5be92550790bc5f4a9008
SHA1	37bfeba51358c760d50790a66465a739cb5a2f3f
SHA256	2307ed3aca857fc8905a8a5e5353807eeb81a2b54188a317c08bab94b6c4835e
SHA512	a654c03383c44c280d701ad9c8d019f164bceeda9a3fb00be74c4002a214ce2c53c8696f58a6a9ce1b205c3fea7d15647feeef12c6eb0c159b832ec1d7f203d6
Ssdeep	98304:p0XPEVo77cRVy6Vzfht58oPEXM/c0fYd6pN0kX6t58oPEXd8Tha4MTX7icCjP:rVdzfRPEXM/cNd6pGkiPEXdHi
PEiD	无匹配
Yara	vmdetect (Possibly employs anti-virtualization techniques) anti_dbg (Detected self protection if being debugged) win_mutex (Create or check mutex) screenshot (Detected take screenshot function) create_process (Detection function for creating a new process) win_registry (Detected system registries modification function) win_files_operation (Affect private profile) Maldun_Anomoly_Combined_Activities_7 (Spotted potential malicious behaviors from a small size target, like process manipultion, privilege, token and files) CRC32_poly_Constant (Look for CRC32 [poly]) CRC32_table (Look for CRC32 table) IsPE32 (Detected a 32bit PE sample) IsWindowsGUI (Detected a Windows GUI sample) IsPacked (Detected Entropy signature) HasRichSignature (Detected Rich Signature)
VirusTotal	无此文件扫描结果

特征

创建RWX内存

二进制文件可能包含加密或压缩数据

section: name: VProtect, entropy: 7.25, characteristics: IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE, raw_size: 0x00059000, virtual_size: 0x00059000

section: name: VProtect, entropy: 7.98, characteristics: IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE, raw_size: 0x004a5000, virtual_size: 0x004a7000

样本投放可执行文件到临时目录

从文件自身的二进制镜像中读取数据

self_read: process: ______3.2.exe, pid: 2640, offset: 0x00000000, length: 0x00000040

self_read: process: ______3.2.exe, pid: 2640, offset: 0x00000000, length: 0x00514000

self_read: process: ______3.2.exe, pid: 2640, offset: 0x00000100, length: 0x00000020

self_read: process: ______3.2.exe, pid: 2640, offset: 0x00000183, length: 0x00080000

魔盾安全Yara规则检测结果 - 安全告警

Informational: Possibly employs anti-virtualization techniques

Critical: Spotted potential malicious behaviors from a small size target, like process manipultion, privilege, token and files

异常的二进制特征

anomaly: Found duplicated section names

尝试断开连接或更改沙箱进程监控的Windows功能

unhook: function_name: SetWindowLongA, type: modification

unhook: function_name: SetWindowLongW, type: modification

检测到样本尝试模糊或欺骗文件类型

尝试修改Windows桌面进程以防止隐藏文件被显示

运行截图

网络分析

无信息

静态分析

PE 信息

初始地址	0x00400000
入口地址	0x009717d0
声明校验值	0x00000000
实际校验值	0x00519d37
最低操作系统版本要求	4.0
编译时间	2006-04-01 18:05:04
载入哈希	bcdf97b0527c6a145dad664bc1dd6b1c

PE数据组成

名称	虚拟地址	虚拟大小	原始数据大小	特征	熵(Entropy)
.text	0x00001000	0x0056e8f4	0x00001000	IMAGE_SCN_MEM_READ	4.83
VProtect	0x00570000	0x00059000	0x00059000	IMAGE_SCN_MEM_EXECUTE\|IMAGE_SCN_MEM_READ\|IMAGE_SCN_MEM_WRITE	7.25
VProtect	0x005c9000	0x004a7000	0x004a5000	IMAGE_SCN_CNT_CODE\|IMAGE_SCN_MEM_EXECUTE\|IMAGE_SCN_MEM_READ\|IMAGE_SCN_MEM_WRITE	7.98
VProtect	0x00a70000	0x00002000	0x00002000	IMAGE_SCN_MEM_READ	0.71
VProtect	0x00a72000	0x00012000	0x00012000	IMAGE_SCN_MEM_READ	3.14

导入

库 iphlpapi.dll:

• 0xe71000 - GetAdaptersInfo

库 WINMM.dll:

• 0xe71008 - midiStreamProperty

库 WS2_32.dll:

• 0xe71010 - recv

库 KERNEL32.dll:

• 0xe71018 - GetACP

库 USER32.dll:

• 0xe71020 - GetMenuCheckMarkDimensions

库 GDI32.dll:

• 0xe71028 - DeleteObject

库 WINSPOOL.DRV:

• 0xe71030 - ClosePrinter

库 ADVAPI32.dll:

• 0xe71038 - RegCloseKey

库 SHELL32.dll:

• 0xe71040 - ShellExecuteA

库 ole32.dll:

• 0xe71048 - OleInitialize

库 OLEAUT32.dll:

• 0xe71050 - SafeArrayUnaccessData

库 COMCTL32.dll:

• 0xe71058 - ImageList_Destroy

库 comdlg32.dll:

• 0xe71060 - GetOpenFileNameA

库 KERNEL32.dll:

• 0x975034 - GetProcessHeap

• 0x975038 - Sleep

• 0x97503c - ReadFile

• 0x975040 - CreateFileW

• 0x975044 - lstrcatA

• 0x975048 - SetThreadPriority

• 0x97504c - GetHandleInformation

• 0x975050 - GetLastError

• 0x975054 - SetLastError

• 0x975058 - VirtualAlloc

• 0x97505c - CopyFileA

• 0x975060 - LoadLibraryA

• 0x975064 - GetModuleFileNameA

• 0x975068 - GetModuleHandleA

• 0x97506c - IsDebuggerPresent

• 0x975070 - VirtualFree

• 0x975074 - SuspendThread

• 0x975078 - DeleteFileA

• 0x97507c - CreateThread

• 0x975080 - InterlockedDecrement

• 0x975084 - TerminateThread

• 0x975088 - GetProcAddress

• 0x97508c - VirtualProtect

• 0x975090 - lstrlenW

• 0x975094 - GetPrivateProfileIntW

• 0x975098 - VirtualProtectEx

• 0x97509c - UnhandledExceptionFilter

• 0x9750a0 - TerminateProcess

• 0x9750a4 - RtlUnwind

• 0x9750a8 - GetModuleHandleW

• 0x9750ac - OutputDebugStringW

• 0x9750b0 - SetUnhandledExceptionFilter

• 0x9750b4 - WaitForSingleObject

• 0x9750b8 - SetHandleInformation

• 0x9750bc - HeapFree

• 0x9750c0 - GetCurrentProcess

• 0x9750c4 - HeapAlloc

• 0x9750c8 - lstrlenA

• 0x9750cc - CreateMutexW

• 0x9750d0 - GetFileSize

• 0x9750d4 - CreateFileA

• 0x9750d8 - CloseHandle

• 0x9750dc - ExitProcess

库 USER32.dll:

• 0x975104 - LoadCursorW

• 0x975108 - BeginPaint

• 0x97510c - GetDC

• 0x975110 - RegisterClassExW

• 0x975114 - KillTimer

• 0x975118 - EndPaint

• 0x97511c - UnregisterClassW

• 0x975120 - DefWindowProcW

• 0x975124 - MessageBoxA

• 0x975128 - LoadStringW

• 0x97512c - UpdateWindow

• 0x975130 - PeekMessageW

• 0x975134 - CreateWindowExW

• 0x975138 - GetSystemMetrics

• 0x97513c - SetTimer

• 0x975140 - DispatchMessageW

• 0x975144 - DestroyWindow

• 0x975148 - ShowWindow

库 GDI32.dll:

• 0x975014 - DeleteObject

• 0x975018 - SelectObject

• 0x97501c - CreateCompatibleDC

• 0x975020 - BitBlt

• 0x975024 - DeleteDC

• 0x975028 - CreateSolidBrush

• 0x97502c - CreateDIBitmap

库 ADVAPI32.dll:

• 0x975000 - RegCloseKey

库 SHELL32.dll:

• 0x9750f4 - DragQueryFileW

库 ole32.dll:

• 0x975160 - CoInitialize

库 PSAPI.DLL:

• 0x9750ec - GetModuleFileNameExW

库 imagehlp.dll:

• 0x975158 - CheckSumMappedFile

库 COMCTL32.dll:

• 0x975008 - InitCommonControlsEx

• 0x97500c - ImageList_GetIconSize

库 SHLWAPI.dll:

• 0x9750fc - PathFindExtensionW

库 WS2_32.dll:

• 0x975150 - send

库 MSWSOCK.dll:

• 0x9750e4 - AcceptEx

投放文件

无信息

行为分析

互斥量(Mutexes)

EC89625D-9516-4892-B681-9CA5BB4538C1
DBWinMutex
Local\MSCTF.Asm.MutexDefault1

执行的命令 无信息

创建的服务 无信息

启动的服务 无信息

进程

______3.2.exe PID: 2640, 上一级进程 PID: 2336

访问的文件

C:\Users\test\AppData\Local\Temp\lpk.dll
C:\Users\test\AppData\Local\Temp\______3.2.exe
C:\Users\test\AppData\Local\Temp\usp10.dll
C:\Windows\Globalization\Sorting\sortdefault.nls
C:\Users\test\AppData\Local\Temp\?\xe7\xb8\xb2
C:\Windows\Fonts\staticcache.dat
C:\Users\test\AppData\Local\Temp\user32.DLL
C:\Users\test\AppData\Local\Temp\user32.dll
C:\H\xe9\x85\x8d\xe7\xbd\xae.ini
C:\
C:\Users\test\AppData\Local\Temp\ymbug.dll
C:\Users\test\AppData\Local\Temp\imageres.dll
C:\Windows\System32\imageres.dll
C:\Windows\System32\zh-CN\imageres.dll.mui
C:\Windows\sysnative\zh-CN\imageres.dll.mui
C:\Windows\System32\zh-Hans\imageres.dll.mui
C:\Windows\System32\zh\imageres.dll.mui
C:\Windows\System32\en-US\imageres.dll.mui

读取的文件

C:\Users\test\AppData\Local\Temp\lpk.dll
C:\Users\test\AppData\Local\Temp\usp10.dll
C:\Users\test\AppData\Local\Temp\______3.2.exe
C:\Windows\Globalization\Sorting\sortdefault.nls
C:\Users\test\AppData\Local\Temp\?\xe7\xb8\xb2
C:\Windows\Fonts\staticcache.dat
C:\Users\test\AppData\Local\Temp\ymbug.dll
C:\Windows\System32\imageres.dll
C:\Windows\System32\zh-CN\imageres.dll.mui
C:\Windows\sysnative\zh-CN\imageres.dll.mui
C:\Windows\System32\zh-Hans\imageres.dll.mui
C:\Windows\System32\zh\imageres.dll.mui
C:\Windows\System32\en-US\imageres.dll.mui

修改的文件

C:\Users\test\AppData\Local\Temp\______3.2.exe

删除的文件

C:\Users\test\AppData\Local\Temp\lpk.dll
C:\Users\test\AppData\Local\Temp\usp10.dll

注册表键

HKEY_CURRENT_USER\Software\Microsoft\Multimedia\DrawDib
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\ExtendedLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane16
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\______3.2.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{03B5835F-F03C-411B-9CE2-AA23E1171E36}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{07EB03D6-B001-41DF-9192-BF9B841EE71F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3697C5FA-60DD-4B56-92D4-74A569205C16}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3FC47A08-E5C9-4BCA-A2C7-BC9A282AED14}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{531FDEBF-9B4C-4A43-A2AA-960E8FCDC732}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{78CB5B0E-26ED-4FCC-854C-77E8F3D1AA80}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{81D4E9C9-1D3B-41BC-9E6C-4B40BF79E35E}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{8613E14C-D0C0-4161-AC0F-1DD2563286BC}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{A028AE76-01B1-46C2-99C4-ACD9858AE02F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{AE6BE008-07FB-400D-8BEB-337A64F7051F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{C1EE01F2-B3B6-4A6A-9DDD-E988C088EC82}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{E429B25A-E5D3-4D1F-9BE3-0C608477E3A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F25E9F57-2FC8-4EB3-A41A-CCE5F08541E6}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F89E9E58-BD2F-4008-9AC2-0F816C09F4EE}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_CURRENT_USER
HKEY_CURRENT_USER\Keyboard Layout\Toggle
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
HKEY_CURRENT_USER\Software\Microsoft\CTF\DirectSwitchHotkeys
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
HKEY_CURRENT_USER\Software\Microsoft\CTF\LayoutIcon\0804\00000804
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\KnownClasses
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles

读取的注册表键

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane16
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles

修改的注册表键

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden

删除的注册表键 无信息

API解析

user32.dll.MessageBoxTimeoutA
user32.dll.MessageBoxTimeoutW
iphlpapi.dll.GetAdaptersInfo
winmm.dll.midiStreamOut
winmm.dll.midiOutPrepareHeader
winmm.dll.waveOutUnprepareHeader
winmm.dll.waveOutPrepareHeader
winmm.dll.waveOutRestart
winmm.dll.waveOutWrite
winmm.dll.waveOutPause
winmm.dll.waveOutReset
winmm.dll.waveOutClose
winmm.dll.waveOutGetNumDevs
winmm.dll.waveOutOpen
winmm.dll.midiStreamStop
winmm.dll.midiOutReset
winmm.dll.midiStreamClose
winmm.dll.midiStreamRestart
winmm.dll.midiOutUnprepareHeader
winmm.dll.midiStreamOpen
winmm.dll.midiStreamProperty
ws2_32.dll.#116
ws2_32.dll.#12
ws2_32.dll.#3
ws2_32.dll.#5
ws2_32.dll.#1
ws2_32.dll.#14
ws2_32.dll.#101
ws2_32.dll.#17
ws2_32.dll.#10
ws2_32.dll.#16
kernel32.dll.QueryPerformanceFrequency
kernel32.dll.QueryPerformanceCounter
kernel32.dll.GetTimeZoneInformation
kernel32.dll.GetVersion
kernel32.dll.WideCharToMultiByte
kernel32.dll.InterlockedDecrement
kernel32.dll.InterlockedIncrement
kernel32.dll.CreateMutexA
kernel32.dll.ReleaseMutex
kernel32.dll.TerminateThread
kernel32.dll.SuspendThread
kernel32.dll.SetLastError
kernel32.dll.FreeEnvironmentStringsA
kernel32.dll.UnhandledExceptionFilter
kernel32.dll.HeapSize
kernel32.dll.RaiseException
kernel32.dll.GetLocalTime
kernel32.dll.GetSystemTime
kernel32.dll.RtlUnwind
kernel32.dll.GetStartupInfoA
kernel32.dll.GetOEMCP
kernel32.dll.GetCPInfo
kernel32.dll.GetProcessVersion
kernel32.dll.SetErrorMode
kernel32.dll.GlobalFlags
kernel32.dll.GetCurrentThread
kernel32.dll.GetFileTime
kernel32.dll.TlsGetValue
kernel32.dll.LocalReAlloc
kernel32.dll.TlsSetValue
kernel32.dll.TlsFree
kernel32.dll.GlobalHandle
kernel32.dll.TlsAlloc
kernel32.dll.LocalAlloc
kernel32.dll.lstrcmpA
kernel32.dll.GlobalGetAtomNameA
kernel32.dll.GlobalAddAtomA
kernel32.dll.GlobalFindAtomA
kernel32.dll.GlobalDeleteAtom
kernel32.dll.lstrcmpiA
kernel32.dll.SetEndOfFile
kernel32.dll.UnlockFile
kernel32.dll.LockFile
kernel32.dll.FlushFileBuffers
kernel32.dll.DuplicateHandle
kernel32.dll.lstrcpynA
kernel32.dll.FileTimeToLocalFileTime
kernel32.dll.FileTimeToSystemTime
kernel32.dll.LocalFree
kernel32.dll.MultiByteToWideChar
kernel32.dll.OpenProcess
kernel32.dll.TerminateProcess
kernel32.dll.GetCurrentProcess
kernel32.dll.GetFileSize
kernel32.dll.SetFilePointer
kernel32.dll.CreateToolhelp32Snapshot
kernel32.dll.Process32First
kernel32.dll.Process32Next
kernel32.dll.CreateSemaphoreA
kernel32.dll.ResumeThread
kernel32.dll.ReleaseSemaphore
kernel32.dll.EnterCriticalSection
kernel32.dll.LeaveCriticalSection
kernel32.dll.GetProfileStringA
kernel32.dll.WriteFile
kernel32.dll.ReadFile
kernel32.dll.WaitForMultipleObjects
kernel32.dll.CreateFileA
kernel32.dll.DeviceIoControl
kernel32.dll.SetEvent
kernel32.dll.FindResourceA
kernel32.dll.LoadResource
kernel32.dll.LockResource
kernel32.dll.lstrlenW
kernel32.dll.GetModuleFileNameA
kernel32.dll.GetCurrentThreadId
kernel32.dll.ExitProcess
kernel32.dll.GlobalSize
kernel32.dll.GlobalFree
kernel32.dll.DeleteCriticalSection
kernel32.dll.InitializeCriticalSection
kernel32.dll.lstrcatA
kernel32.dll.lstrlenA
kernel32.dll.WinExec
kernel32.dll.lstrcpyA
kernel32.dll.FindNextFileA
kernel32.dll.GlobalReAlloc
kernel32.dll.InterlockedExchange
kernel32.dll.HeapFree
kernel32.dll.HeapReAlloc
kernel32.dll.GetProcessHeap
kernel32.dll.HeapAlloc
kernel32.dll.GetUserDefaultLCID
kernel32.dll.GetFullPathNameA
kernel32.dll.FreeLibrary
kernel32.dll.LoadLibraryA
kernel32.dll.GetLastError
kernel32.dll.GetVersionExA
kernel32.dll.WritePrivateProfileStringA
kernel32.dll.GetPrivateProfileStringA
kernel32.dll.CreateThread
kernel32.dll.CreateEventA
kernel32.dll.Sleep
kernel32.dll.GlobalAlloc
kernel32.dll.GlobalLock
kernel32.dll.GlobalUnlock
kernel32.dll.FindFirstFileA
kernel32.dll.FindClose
kernel32.dll.SetFileAttributesA
kernel32.dll.GetFileAttributesA
kernel32.dll.DeleteFileA
kernel32.dll.CreateDirectoryA
kernel32.dll.GetCurrentDirectoryA
kernel32.dll.SetCurrentDirectoryA
kernel32.dll.GetVolumeInformationA
kernel32.dll.GetModuleHandleA
kernel32.dll.GetProcAddress
kernel32.dll.MulDiv
kernel32.dll.GetCommandLineA
kernel32.dll.GetTickCount
kernel32.dll.CreateProcessA
kernel32.dll.WaitForSingleObject
kernel32.dll.CloseHandle
kernel32.dll.FreeEnvironmentStringsW
kernel32.dll.GetEnvironmentStrings
kernel32.dll.GetEnvironmentStringsW
kernel32.dll.SetHandleCount
kernel32.dll.GetStdHandle
kernel32.dll.GetFileType
kernel32.dll.GetEnvironmentVariableA
kernel32.dll.HeapDestroy
kernel32.dll.HeapCreate
kernel32.dll.VirtualFree
kernel32.dll.SetEnvironmentVariableA
kernel32.dll.LCMapStringA
kernel32.dll.LCMapStringW
kernel32.dll.VirtualAlloc
kernel32.dll.IsBadWritePtr
kernel32.dll.SetUnhandledExceptionFilter
kernel32.dll.GetStringTypeA
kernel32.dll.GetStringTypeW
kernel32.dll.CompareStringA
kernel32.dll.CompareStringW
kernel32.dll.IsBadReadPtr
kernel32.dll.IsBadCodePtr
kernel32.dll.SetStdHandle
kernel32.dll.GetACP
user32.dll.GetActiveWindow
user32.dll.SetFocus
user32.dll.GetWindow
user32.dll.DestroyAcceleratorTable
user32.dll.SetWindowRgn
user32.dll.GetMessagePos
user32.dll.ScreenToClient
user32.dll.ChildWindowFromPointEx
user32.dll.CopyRect
user32.dll.GetSysColorBrush
user32.dll.IsIconic
user32.dll.PeekMessageA
user32.dll.SetMenu
user32.dll.GetMenu
user32.dll.DeleteMenu
user32.dll.GetSystemMenu
user32.dll.DefWindowProcA
user32.dll.GetClassInfoA
user32.dll.IsZoomed
user32.dll.PostQuitMessage
user32.dll.CopyAcceleratorTableA
user32.dll.GetKeyState
user32.dll.TranslateAcceleratorA
user32.dll.IsWindowEnabled
user32.dll.ShowWindow
user32.dll.SystemParametersInfoA
user32.dll.LoadImageA
user32.dll.EnumDisplaySettingsA
user32.dll.ClientToScreen
user32.dll.EnableMenuItem
user32.dll.GetSubMenu
user32.dll.GetDlgCtrlID
user32.dll.CreateAcceleratorTableA
user32.dll.CreateMenu
user32.dll.ModifyMenuA
user32.dll.AppendMenuA
user32.dll.CreatePopupMenu
user32.dll.DrawIconEx
user32.dll.LoadBitmapA
user32.dll.WinHelpA
user32.dll.KillTimer
user32.dll.SetTimer
user32.dll.ReleaseCapture
user32.dll.GetCapture
user32.dll.SetCapture
user32.dll.GetScrollRange
user32.dll.SetScrollRange
user32.dll.SetScrollPos
user32.dll.SetRect
user32.dll.InflateRect
user32.dll.IntersectRect
user32.dll.DestroyIcon
user32.dll.PtInRect
user32.dll.OffsetRect
user32.dll.IsWindowVisible
user32.dll.LoadStringA
user32.dll.EnableWindow
user32.dll.RedrawWindow
user32.dll.GetWindowLongA
user32.dll.SetWindowLongA
user32.dll.GetSysColor
user32.dll.SetActiveWindow
user32.dll.SetCursorPos
user32.dll.LoadCursorA
user32.dll.SetCursor
user32.dll.GetDC
user32.dll.FillRect
user32.dll.IsRectEmpty
user32.dll.ReleaseDC
user32.dll.IsChild
user32.dll.DestroyMenu
user32.dll.SetForegroundWindow
user32.dll.GetWindowRect
user32.dll.EqualRect
user32.dll.UpdateWindow
user32.dll.ValidateRect
user32.dll.InvalidateRect
user32.dll.GetClientRect
user32.dll.GetFocus
user32.dll.GetParent
user32.dll.GetTopWindow
user32.dll.PostMessageA
user32.dll.IsWindow
user32.dll.SetParent
user32.dll.DestroyCursor
user32.dll.SendMessageA
user32.dll.SetWindowPos
user32.dll.MessageBoxA
user32.dll.GetCursorPos
user32.dll.GetSystemMetrics
user32.dll.EmptyClipboard
user32.dll.SetClipboardData
user32.dll.OpenClipboard
user32.dll.GetClipboardData
user32.dll.CloseClipboard
user32.dll.wsprintfA
user32.dll.WaitForInputIdle
user32.dll.CreateIconFromResource
user32.dll.CreateIconFromResourceEx
user32.dll.RegisterClipboardFormatA
user32.dll.DispatchMessageA
user32.dll.GetMessageA
user32.dll.WindowFromPoint
user32.dll.DrawFocusRect
user32.dll.DrawEdge
user32.dll.DrawFrameControl
user32.dll.LoadIconA
user32.dll.TranslateMessage
user32.dll.GetDesktopWindow
user32.dll.GetClassNameA
user32.dll.GetWindowThreadProcessId
user32.dll.FindWindowA
user32.dll.GetDlgItem
user32.dll.FindWindowExA
user32.dll.GetWindowTextA
user32.dll.EnumWindows
user32.dll.GetForegroundWindow
user32.dll.UnregisterClassA
user32.dll.SetRectEmpty
user32.dll.GetWindowTextLengthA
user32.dll.CharUpperA
user32.dll.GetWindowDC
user32.dll.BeginPaint
user32.dll.EndPaint
user32.dll.TabbedTextOutA
user32.dll.DrawTextA
user32.dll.GrayStringA
user32.dll.DestroyWindow
user32.dll.CreateDialogIndirectParamA
user32.dll.EndDialog
user32.dll.GetNextDlgTabItem
user32.dll.GetWindowPlacement
user32.dll.RegisterWindowMessageA
user32.dll.GetLastActivePopup
user32.dll.GetMessageTime
user32.dll.RemovePropA
user32.dll.CallWindowProcA
user32.dll.GetPropA
user32.dll.UnhookWindowsHookEx
user32.dll.SetPropA
user32.dll.GetClassLongA
user32.dll.CallNextHookEx
user32.dll.SetWindowsHookExA
user32.dll.CreateWindowExA
user32.dll.GetMenuItemID
user32.dll.GetMenuItemCount
user32.dll.RegisterClassA
user32.dll.GetScrollPos
user32.dll.AdjustWindowRectEx
user32.dll.MapWindowPoints
user32.dll.SendDlgItemMessageA
user32.dll.ScrollWindowEx
user32.dll.IsDialogMessageA
user32.dll.SetWindowTextA
user32.dll.MoveWindow
user32.dll.CheckMenuItem
user32.dll.SetMenuItemBitmaps
user32.dll.GetMenuState
user32.dll.GetMenuCheckMarkDimensions
gdi32.dll.GetViewportExtEx
gdi32.dll.ExtSelectClipRgn
gdi32.dll.LineTo
gdi32.dll.MoveToEx
gdi32.dll.EndPage
gdi32.dll.EndDoc
gdi32.dll.DeleteDC
gdi32.dll.StartDocA
gdi32.dll.StartPage
gdi32.dll.BitBlt
gdi32.dll.CreateCompatibleDC
gdi32.dll.Ellipse
gdi32.dll.Rectangle
gdi32.dll.LPtoDP
gdi32.dll.DPtoLP
gdi32.dll.GetCurrentObject
gdi32.dll.RoundRect
gdi32.dll.GetTextExtentPoint32A
gdi32.dll.GetDeviceCaps
gdi32.dll.SelectClipRgn
gdi32.dll.CreatePolygonRgn
gdi32.dll.GetClipRgn
gdi32.dll.SetStretchBltMode
gdi32.dll.CreateRectRgnIndirect
gdi32.dll.SetBkColor
gdi32.dll.ExcludeClipRect
gdi32.dll.GetClipBox
gdi32.dll.ScaleWindowExtEx
gdi32.dll.SetWindowExtEx
gdi32.dll.SetWindowOrgEx
gdi32.dll.ScaleViewportExtEx
gdi32.dll.SetViewportExtEx
gdi32.dll.OffsetViewportOrgEx
gdi32.dll.SetViewportOrgEx
gdi32.dll.PtVisible
gdi32.dll.RectVisible
gdi32.dll.TextOutA
gdi32.dll.ExtTextOutA
gdi32.dll.Escape
gdi32.dll.GetTextMetricsA
gdi32.dll.GetObjectA
gdi32.dll.GetStockObject
gdi32.dll.CreateFontIndirectA
gdi32.dll.CreateSolidBrush
gdi32.dll.FillRgn
gdi32.dll.CreateRectRgn
gdi32.dll.CombineRgn
gdi32.dll.PatBlt
gdi32.dll.CreatePen
gdi32.dll.SelectObject
gdi32.dll.CreateBitmap
gdi32.dll.CreateDCA
gdi32.dll.CreateCompatibleBitmap
gdi32.dll.GetPolyFillMode
gdi32.dll.GetStretchBltMode
gdi32.dll.GetROP2
gdi32.dll.GetBkColor
gdi32.dll.GetBkMode
gdi32.dll.SetMapMode
gdi32.dll.SetTextColor
gdi32.dll.SetROP2
gdi32.dll.SetPolyFillMode
gdi32.dll.SetBkMode
gdi32.dll.RestoreDC
gdi32.dll.SaveDC
gdi32.dll.GetTextColor
gdi32.dll.CreateRoundRectRgn
gdi32.dll.CreateEllipticRgn
gdi32.dll.PathToRegion
gdi32.dll.EndPath
gdi32.dll.BeginPath
gdi32.dll.GetWindowOrgEx
gdi32.dll.GetViewportOrgEx
gdi32.dll.GetWindowExtEx
gdi32.dll.GetDIBits
gdi32.dll.RealizePalette
gdi32.dll.SelectPalette
gdi32.dll.StretchBlt
gdi32.dll.CreatePalette
gdi32.dll.GetSystemPaletteEntries
gdi32.dll.CreateDIBitmap
gdi32.dll.DeleteObject
winspool.drv.OpenPrinterA
winspool.drv.DocumentPropertiesA
winspool.drv.ClosePrinter
advapi32.dll.RegOpenKeyExA
advapi32.dll.RegSetValueExA
advapi32.dll.RegCreateKeyA
advapi32.dll.RegQueryValueA
advapi32.dll.RegCreateKeyExA
advapi32.dll.RegCloseKey
shell32.dll.Shell_NotifyIconA
shell32.dll.ShellExecuteA
ole32.dll.CLSIDFromProgID
ole32.dll.OleRun
ole32.dll.CoCreateInstance
ole32.dll.CLSIDFromString
ole32.dll.OleUninitialize
ole32.dll.OleInitialize
oleaut32.dll.#12
oleaut32.dll.#9
oleaut32.dll.#10
oleaut32.dll.#19
oleaut32.dll.#20
oleaut32.dll.#17
oleaut32.dll.#186
oleaut32.dll.#161
oleaut32.dll.#165
oleaut32.dll.#163
oleaut32.dll.#26
oleaut32.dll.#15
oleaut32.dll.#16
oleaut32.dll.#2
oleaut32.dll.#8
oleaut32.dll.#11
oleaut32.dll.#25
oleaut32.dll.#23
oleaut32.dll.#24
comctl32.dll.#17
comctl32.dll.ImageList_Destroy
comdlg32.dll.ChooseColorA
comdlg32.dll.GetFileTitleA
comdlg32.dll.GetSaveFileNameA
comdlg32.dll.GetOpenFileNameA
kernel32.dll.IsProcessorFeaturePresent
cryptbase.dll.SystemFunction036
kernel32.dll.SortGetHandle
kernel32.dll.SortCloseHandle
kernel32.dll.RtlMoveMemory
kernel32.dll.VirtualProtect
comctl32.dll.ImageList_Draw
msimg32.dll.TransparentBlt
msvcrt.dll.free
msvfw32.dll.DrawDibOpen
kernel32.dll.FlushInstructionCache
kernel32.dll.VirtualQuery
kernel32.dll.SizeofResource
comctl32.dll.ImageList_GetIcon
comctl32.dll.ImageList_GetImageInfo
comctl32.dll.ImageList_GetIconSize
gdi32.dll.SelectClipPath
gdi32.dll.GetPixel
gdi32.dll.CreatePatternBrush
gdi32.dll.CreateFontA
gdi32.dll.OffsetRgn
gdi32.dll.ExtCreateRegion
gdi32.dll.SetPixel
gdi32.dll.PtInRegion
gdi32.dll.CreateDIBSection
gdi32.dll.GetTextExtentPointA
gdi32.dll.ExtTextOutW
msvcrt.dll.??3@YAXPAX@Z
msvcrt.dll.__CxxFrameHandler
msvcrt.dll.??2@YAPAXI@Z
msvcrt.dll._ftol
msvcrt.dll._mbsstr
msvcrt.dll._mbscmp
msvcrt.dll.__dllonexit
msvcrt.dll.malloc
msvcrt.dll._initterm
msvcrt.dll._adjust_fdiv
msvcrt.dll._onexit
msvcrt.dll.memcpy
msvfw32.dll.DrawDibDraw
msvfw32.dll.DrawDibClose
user32.dll.EnumThreadWindows
user32.dll.EnumChildWindows
user32.dll.LockWindowUpdate
user32.dll.DrawStateA
user32.dll.GetWindowRgn
user32.dll.TrackPopupMenu
user32.dll.GetWindowInfo
user32.dll.MenuItemFromPoint
user32.dll.GetMenuItemRect
user32.dll.SetMenuItemInfoA
user32.dll.IsMenu
user32.dll.GetUpdateRect
user32.dll.ShowScrollBar
user32.dll.WindowFromDC
user32.dll.EnableScrollBar
user32.dll.GetScrollBarInfo
user32.dll.SetScrollInfo
user32.dll.GetScrollInfo
user32.dll.GetDCEx
user32.dll.GetWindowLongW
user32.dll.SetWindowLongW
user32.dll.GetMenuItemInfoA
user32.dll.GetComboBoxInfo
user32.dll.TrackMouseEvent
user32.dll.GetIconInfo
user32.dll.RegisterClassExA
user32.dll.UpdateLayeredWindow
user32.dll.SetLayeredWindowAttributes
dciman32.dll.DCIOpenProvider
dciman32.dll.DCICloseProvider
dciman32.dll.DCICreatePrimary
dciman32.dll.DCIEndAccess
dciman32.dll.DCIBeginAccess
dciman32.dll.DCIDestroy
comctl32.dll.RegisterClassNameW
uxtheme.dll.OpenThemeData
imm32.dll.ImmIsIME
gdi32.dll.GetLayout
gdi32.dll.GdiRealizationInfo
gdi32.dll.FontIsLinked
advapi32.dll.RegOpenKeyExW
advapi32.dll.RegQueryInfoKeyW
gdi32.dll.GetTextFaceAliasW
advapi32.dll.RegEnumValueW
advapi32.dll.RegQueryValueExW
advapi32.dll.RegQueryValueExA
advapi32.dll.RegEnumKeyExW
gdi32.dll.GetTextExtentExPointWPri
uxtheme.dll.EnableThemeDialogTexture
user32.dll.GetMenuStringA
ole32.dll.CoInitializeEx
ole32.dll.CoUninitialize
ole32.dll.CoRegisterInitializeSpy
ole32.dll.CoRevokeInitializeSpy
user32.dll.MonitorFromWindow
user32.dll.MonitorFromRect
user32.dll.MonitorFromPoint
user32.dll.EnumDisplayMonitors
user32.dll.GetMonitorInfoA
gdi32.dll.GetFontAssocStatus
oleaut32.dll.SysAllocString
oleaut32.dll.SysStringLen
oleaut32.dll.SysFreeString
oleaut32.dll.#500