魔盾安全分析报告
| 分析类型 | 开始时间 | 结束时间 | 持续时间 | 分析引擎版本 |
|---|---|---|---|---|
| FILE | 2020-02-19 06:32:24 | 2020-02-19 06:34:45 | 141 秒 | 1.4-Maldun |
| 虚拟机机器名 | 标签 | 虚拟机管理 | 开机时间 | 关机时间 |
|---|---|---|---|---|
| win7-sp1-x64-hpdapp01-1 | win7-sp1-x64-hpdapp01-1 | KVM | 2020-02-19 06:32:28 | 2020-02-19 06:34:46 |
| 魔盾分数 |
|---|
10.0Malicious |
文件详细信息
| 文件名 | calc.bin |
|---|---|
| 文件大小 | 306688 字节 |
| 文件类型 | PE32 executable (GUI) Intel 80386, for MS Windows |
| CRC32 | A68003F0 |
| MD5 | a13640956112ceb3434a3d5dae200fea |
| SHA1 | 7bf0eefce9a6a516bb1496be2a503a1a239c3dd9 |
| SHA256 | 596110c32767001526818ebecb23c93d69099b61b6d99de422842ecec9f82a5c |
| SHA512 | 1b58ee9cde7c14a5762301e40d365de31adf90c63865a8753da898a22c812749a4c3e5ea066a1e526651afaf5e3dbee1d247e0b8dbba768a76a87e6587733bd6 |
| Ssdeep | 6144:6pxAqj6pALFNB0lF1ZaxyDXz/mczEe0lfBLau4qTYLklysta1:SxR+ALFNB0lcmXJzEe0lfBv4qTEklRa1 |
| PEiD | 无匹配 |
| Yara |
|
| VirusTotal |
VirusTotal链接 VirusTotal扫描时间: 2020-02-18 22:26:32 扫描结果: 18/70 |
特征
创建RWX内存
魔盾安全Yara检测结果 - 普通
二进制文件可能包含加密或压缩数据
section: name: .rsrc, entropy: 7.98, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ, raw_size: 0x0004a000, virtual_size: 0x00049f90
多次尝试建立挂起的进程
从磁盘上删除自身的原始二进制
执行了一个进程并在其中注入代码(可能是在解包过程中)
在一个远程进程中注入代码(CreateRemoteThread)
强制将一个创建的进程加载为另一个不相关进程的子进程
process: C:\Windows\sysnative\control.exe, PID 2892
将自己装载到Windows开机自动启动项目
key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\audisjob
data: C:\Users\test\AppData\Roaming\Microsoft\DDORdraw\apiMbrkr.exe
创建或设置一个超长字节的注册表键,可能被用来存储二进制或恶意软件配置文件
regkeyval: HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\44A0939D-D32E-1666-7DB8-B7AA016CDB7E\Client64
regkeyval: HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\44A0939D-D32E-1666-7DB8-B7AA016CDB7E\Client32
通过进程尝试长时间延迟分析任务
Process: control.exe tried to sleep 7470021 seconds, actually delayed analysis time by 0 seconds
Process: rundll32.exe tried to sleep 3735010 seconds, actually delayed analysis time by 0 seconds
Process: explorer.exe tried to sleep 3735010 seconds, actually delayed analysis time by 0 seconds
导致魔盾ATP内核模块奔溃,请将错误信息报告至: support@maldun.com
pid: 2700
message: Exception reported at offset 0x211e0 in cuckoomon itself while accessing 0x6b815a from hook RtlDispatchException
pid: 2700
message: Exception reported at offset 0x211e2 in cuckoomon itself while accessing 0x0 from hook RtlDispatchException
pid: 2700
message: Exception reported at offset 0x211e0 in cuckoomon itself while accessing 0x6b815b from hook RtlDispatchException
pid: 2700
message: Exception reported at offset 0x211e0 in cuckoomon itself while accessing 0x6b815c from hook RtlDispatchException
pid: 2700
message: Exception reported at offset 0x211e0 in cuckoomon itself while accessing 0x6b815d from hook RtlDispatchException
pid: 2700
message: Exception reported at offset 0x211e0 in cuckoomon itself while accessing 0x6b815e from hook RtlDispatchException
pid: 2700
message: Exception reported at offset 0x211e0 in cuckoomon itself while accessing 0x6b815f from hook RtlDispatchException
pid: 2700
message: Exception reported at offset 0x211e0 in cuckoomon itself while accessing 0x6b8160 from hook RtlDispatchException
pid: 2700
message: Exception reported at offset 0x211e0 in cuckoomon itself while accessing 0x6b8161 from hook RtlDispatchException
pid: 2700
message: Exception reported at offset 0x211e0 in cuckoomon itself while accessing 0x6b8162 from hook RtlDispatchException
pid: 2700
message: Exception reported at offset 0x211e0 in cuckoomon itself while accessing 0x6b8163 from hook RtlDispatchException
pid: 2700
message: Exception reported at offset 0x211e0 in cuckoomon itself while accessing 0x6b8164 from hook RtlDispatchException
pid: 2700
message: Exception reported at offset 0x211e0 in cuckoomon itself while accessing 0x6b8165 from hook RtlDispatchException
pid: 2700
message: Exception reported at offset 0x211e0 in cuckoomon itself while accessing 0x6b8166 from hook RtlDispatchException
pid: 2700
message: Exception reported at offset 0x211e0 in cuckoomon itself while accessing 0x6b8167 from hook RtlDispatchException
pid: 2700
message: Exception reported at offset 0x211e0 in cuckoomon itself while accessing 0x6b8168 from hook RtlDispatchException
pid: 2700
message: Exception reported at offset 0x211e0 in cuckoomon itself while accessing 0x6b8169 from hook RtlDispatchException
pid: 2700
message: Exception reported at offset 0x211e0 in cuckoomon itself while accessing 0x6b816a from hook RtlDispatchException
pid: 2700
message: Exception reported at offset 0x211e0 in cuckoomon itself while accessing 0x6b816b from hook RtlDispatchException
pid: 2700
message: Exception reported at offset 0x211e0 in cuckoomon itself while accessing 0x6b816c from hook RtlDispatchException
pid: 2700
message: Exception reported at offset 0x211e0 in cuckoomon itself while accessing 0x6b816d from hook RtlDispatchException
pid: 2700
message: Exception reported at offset 0x211e0 in cuckoomon itself while accessing 0x6b816e from hook RtlDispatchException
pid: 2700
message: Exception reported at offset 0x211e0 in cuckoomon itself while accessing 0x6b816f from hook RtlDispatchException
pid: 2700
message: Exception reported at offset 0x211e0 in cuckoomon itself while accessing 0x6b8170 from hook RtlDispatchException
pid: 2700
message: Exception reported at offset 0x211e0 in cuckoomon itself while accessing 0x6b8171 from hook RtlDispatchException
pid: 2700
message: Exception reported at offset 0x211e0 in cuckoomon itself while accessing 0x6b8172 from hook RtlDispatchException
pid: 2700
message: Exception reported at offset 0x211e0 in cuckoomon itself while accessing 0x6b8173 from hook RtlDispatchException
pid: 2700
message: Exception reported at offset 0x211e0 in cuckoomon itself while accessing 0x6b8174 from hook RtlDispatchException
pid: 2700
message: Exception reported at offset 0x211e0 in cuckoomon itself while accessing 0x6b8175 from hook RtlDispatchException
pid: 2700
message: Exception reported at offset 0x211e0 in cuckoomon itself while accessing 0x6b8176 from hook RtlDispatchException
pid: 2700
message: Exception reported at offset 0x211e0 in cuckoomon itself while accessing 0x6b8177 from hook RtlDispatchException
pid: 2700
message: Exception reported at offset 0x211e0 in cuckoomon itself while accessing 0x6b8178 from hook RtlDispatchException
pid: 2700
message: Exception reported at offset 0x211e0 in cuckoomon itself while accessing 0x6b8179 from hook RtlDispatchException
pid: 2700
message: Exception reported at offset 0x211e0 in cuckoomon itself while accessing 0x6b817a from hook RtlDispatchException
pid: 2700
message: Exception reported at offset 0x211e0 in cuckoomon itself while accessing 0x6b817b from hook RtlDispatchException
pid: 2700
message: Exception reported at offset 0x211e0 in cuckoomon itself while accessing 0x6b817c from hook RtlDispatchException
pid: 2700
message: Exception reported at offset 0x211e0 in cuckoomon itself while accessing 0x6b817d from hook RtlDispatchException
pid: 2700
message: Exception reported at offset 0x211e0 in cuckoomon itself while accessing 0x6b817e from hook RtlDispatchException
pid: 2700
message: Exception reported at offset 0x211e0 in cuckoomon itself while accessing 0x6b817f from hook RtlDispatchException
pid: 2700
message: Exception reported at offset 0x211e0 in cuckoomon itself while accessing 0x6b8180 from hook RtlDispatchException
pid: 2700
message: Exception reported at offset 0x211e0 in cuckoomon itself while accessing 0x6b8181 from hook RtlDispatchException
pid: 2700
message: Exception reported at offset 0x211e0 in cuckoomon itself while accessing 0x6b8182 from hook RtlDispatchException
pid: 2700
message: Exception reported at offset 0x211e0 in cuckoomon itself while accessing 0x6b8183 from hook RtlDispatchException
pid: 2700
message: Exception reported at offset 0x211e0 in cuckoomon itself while accessing 0x6b8184 from hook RtlDispatchException
pid: 2700
message: Exception reported at offset 0x211e0 in cuckoomon itself while accessing 0x6b8185 from hook RtlDispatchException
pid: 2700
message: Exception reported at offset 0x211e0 in cuckoomon itself while accessing 0x6b8186 from hook RtlDispatchException
pid: 2700
message: Exception reported at offset 0x211e0 in cuckoomon itself while accessing 0x6b8187 from hook RtlDispatchException
pid: 2700
message: Exception reported at offset 0x21224 in cuckoomon itself while accessing 0x6b815a from hook RtlDispatchException
pid: 2700
message: Exception reported at offset 0x21226 in cuckoomon itself while accessing 0x0 from hook RtlDispatchException
pid: 2700
message: Exception reported at offset 0x2123e in cuckoomon itself while accessing 0x6b815b from hook RtlDispatchException
pid: 2700
message: Exception reported at offset 0x21240 in cuckoomon itself while accessing 0x0 from hook RtlDispatchException
pid: 2700
message: Exception reported at offset 0x2123e in cuckoomon itself while accessing 0x6b815c from hook RtlDispatchException
pid: 2700
message: Exception reported at offset 0x2123e in cuckoomon itself while accessing 0x6b815d from hook RtlDispatchException
pid: 2700
message: Exception reported at offset 0x2123e in cuckoomon itself while accessing 0x6b815e from hook RtlDispatchException
pid: 2700
message: Exception reported at offset 0x2123e in cuckoomon itself while accessing 0x6b815f from hook RtlDispatchException
pid: 2700
message: Exception reported at offset 0x2123e in cuckoomon itself while accessing 0x6b8160 from hook RtlDispatchException
pid: 2700
message: Exception reported at offset 0x2123e in cuckoomon itself while accessing 0x6b8161 from hook RtlDispatchException
pid: 2700
message: Exception reported at offset 0x2123e in cuckoomon itself while accessing 0x6b8162 from hook RtlDispatchException
pid: 2700
message: Exception reported at offset 0x2123e in cuckoomon itself while accessing 0x6b8163 from hook RtlDispatchException
pid: 2700
message: Exception reported at offset 0x2123e in cuckoomon itself while accessing 0x6b8164 from hook RtlDispatchException
pid: 2700
message: Exception reported at offset 0x2123e in cuckoomon itself while accessing 0x6b8165 from hook RtlDispatchException
pid: 2700
message: Exception reported at offset 0x2123e in cuckoomon itself while accessing 0x6b8166 from hook RtlDispatchException
pid: 2700
message: Exception reported at offset 0x2123e in cuckoomon itself while accessing 0x6b8167 from hook RtlDispatchException
pid: 2700
message: Exception reported at offset 0x2123e in cuckoomon itself while accessing 0x6b8168 from hook RtlDispatchException
pid: 2700
message: Exception reported at offset 0x2123e in cuckoomon itself while accessing 0x6b8169 from hook RtlDispatchException
pid: 2700
message: Exception reported at offset 0x2123e in cuckoomon itself while accessing 0x6b816a from hook RtlDispatchException
pid: 2700
message: Exception reported at offset 0x2123e in cuckoomon itself while accessing 0x6b816b from hook RtlDispatchException
pid: 2700
message: Exception reported at offset 0x2123e in cuckoomon itself while accessing 0x6b816c from hook RtlDispatchException
pid: 2700
message: Exception reported at offset 0x2123e in cuckoomon itself while accessing 0x6b816d from hook RtlDispatchException
pid: 2700
message: Exception reported at offset 0x2123e in cuckoomon itself while accessing 0x6b816e from hook RtlDispatchException
pid: 2700
message: Exception reported at offset 0x2123e in cuckoomon itself while accessing 0x6b816f from hook RtlDispatchException
pid: 2700
message: Exception reported at offset 0x2123e in cuckoomon itself while accessing 0x6b8170 from hook RtlDispatchException
pid: 2700
message: Exception reported at offset 0x2123e in cuckoomon itself while accessing 0x6b8171 from hook RtlDispatchException
pid: 2700
message: Exception reported at offset 0x2123e in cuckoomon itself while accessing 0x6b8172 from hook RtlDispatchException
pid: 2700
message: Exception reported at offset 0x2123e in cuckoomon itself while accessing 0x6b8173 from hook RtlDispatchException
pid: 2700
message: Exception reported at offset 0x2123e in cuckoomon itself while accessing 0x6b8174 from hook RtlDispatchException
pid: 2700
message: Exception reported at offset 0x2123e in cuckoomon itself while accessing 0x6b8175 from hook RtlDispatchException
pid: 2700
message: Exception reported at offset 0x2123e in cuckoomon itself while accessing 0x6b8176 from hook RtlDispatchException
pid: 2700
message: Exception reported at offset 0x2123e in cuckoomon itself while accessing 0x6b8177 from hook RtlDispatchException
pid: 2700
message: Exception reported at offset 0x2123e in cuckoomon itself while accessing 0x6b8178 from hook RtlDispatchException
pid: 2700
message: Exception reported at offset 0x2123e in cuckoomon itself while accessing 0x6b8179 from hook RtlDispatchException
pid: 2700
message: Exception reported at offset 0x2123e in cuckoomon itself while accessing 0x6b817a from hook RtlDispatchException
pid: 2700
message: Exception reported at offset 0x2123e in cuckoomon itself while accessing 0x6b817b from hook RtlDispatchException
pid: 2700
message: Exception reported at offset 0x2123e in cuckoomon itself while accessing 0x6b817c from hook RtlDispatchException
pid: 2700
message: Exception reported at offset 0x2123e in cuckoomon itself while accessing 0x6b817d from hook RtlDispatchException
pid: 2700
message: Exception reported at offset 0x2123e in cuckoomon itself while accessing 0x6b817e from hook RtlDispatchException
pid: 2700
message: Exception reported at offset 0x2123e in cuckoomon itself while accessing 0x6b817f from hook RtlDispatchException
pid: 2700
message: Exception reported at offset 0x2123e in cuckoomon itself while accessing 0x6b8180 from hook RtlDispatchException
pid: 2700
message: Exception reported at offset 0x2123e in cuckoomon itself while accessing 0x6b8181 from hook RtlDispatchException
pid: 2700
message: Exception reported at offset 0x2123e in cuckoomon itself while accessing 0x6b8182 from hook RtlDispatchException
pid: 2700
message: Exception reported at offset 0x2123e in cuckoomon itself while accessing 0x6b8183 from hook RtlDispatchException
pid: 2700
message: Exception reported at offset 0x2123e in cuckoomon itself while accessing 0x6b8184 from hook RtlDispatchException
pid: 2700
message: Exception reported at offset 0x2123e in cuckoomon itself while accessing 0x6b8185 from hook RtlDispatchException
pid: 2700
message: Exception reported at offset 0x2123e in cuckoomon itself while accessing 0x6b8186 from hook RtlDispatchException
pid: 2700
message: Exception reported at offset 0x2123e in cuckoomon itself while accessing 0x6b8187 from hook RtlDispatchException
文件已被至少一个VirusTotal上的反病毒引擎检测为病毒
Cylance: Unsafe
Sangfor: Malware
Invincea: heuristic
Symantec: ML.Attribute.HighConfidence
APEX: Malicious
Paloalto: generic.ml
Rising: Malware.Heuristic!ET#90% (RDMK:cmRtazqzoal55vYvLrqhc0fcuKvn)
McAfee-GW-Edition: BehavesLike.Win32.Ransomware.dc
Trapmine: malicious.high.ml.score
FireEye: Generic.mg.a13640956112ceb3
SentinelOne: DFI - Malicious PE
Microsoft: TrojanSpy:Win32/Ursnif.BM!MTB
Endgame: malicious (high confidence)
Acronis: suspicious
VBA32: Trojan.FakeAV.01657
eGambit: Unsafe.AI_Score_99%
CrowdStrike: win/malicious_confidence_60% (D)
Qihoo-360: HEUR/QVM20.1.56DF.Malware.Gen
运行截图
网络分析
静态分析
PE 信息
| 初始地址 | 0x00400000 |
|---|---|
| 入口地址 | 0x00401000 |
| 声明校验值 | 0x00000000 |
| 实际校验值 | 0x00057c08 |
| 最低操作系统版本要求 | 4.0 |
| 编译时间 | 2005-09-12 23:10:35 |
| 载入哈希 | a0699b5c3dd5c8e072ae44081080bb55 |
PE数据组成
| 名称 | 虚拟地址 | 虚拟大小 | 原始数据大小 | 特征 | 熵(Entropy) |
|---|---|---|---|---|---|
| .text | 0x00001000 | 0x0000038f | 0x00000400 | IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ | 5.32 |
| .rdata | 0x00002000 | 0x00000264 | 0x00000400 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 2.92 |
| .data | 0x00003000 | 0x0000006e | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE | 1.28 |
| .rsrc | 0x00004000 | 0x00049f90 | 0x0004a000 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 7.98 |
导入
库 kernel32.dll:
• 0x402000 - ExitProcess
• 0x402004 - GetModuleHandleA
• 0x402008 - VirtualAlloc
• 0x40200c - GetCommandLineA
• 0x402010 - LoadLibraryExA
库 user32.dll:
• 0x402018 - LoadCursorA
• 0x40201c - DispatchMessageA
• 0x402020 - GetMessageA
• 0x402024 - GetSystemMetrics
• 0x402028 - MessageBoxA
• 0x40202c - CreateWindowExA
• 0x402030 - LoadIconA
• 0x402034 - SendMessageA
• 0x402038 - SetMenu
• 0x40203c - PostQuitMessage
• 0x402040 - LoadMenuA
• 0x402044 - TranslateMessage
• 0x402048 - RegisterClassExA
• 0x40204c - UpdateWindow
• 0x402050 - DefWindowProcA
• 0x402054 - ShowWindow
投放文件
行为分析
互斥量(Mutexes)
- {207B80BC-FFF3-52F1-8954-A3A6CDC8873A}
- Local\{E04E71CD-BF34-12BB-4914-63668D8847FA}
- Local\{5AA35ED7-F11A-9C57-4B2E-B590AF42B9C4}
- Local\{18225C52-973E-0A4B-E1CC-BBDEA5C01FF2}
- {DCD7F867-8B91-6EB9-F5D0-EF82F90493D6}
- Local\!PrivacIE!SharedMemory!Mutex
- {FC850C45-2B29-8E2C-95F0-8FA2992433F6}
- {44ADF9B6-D3D7-16FB-7DB8-B7AA016CDB7E}
执行的命令
- C:\Windows\system32\control.exe /?
- "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL /?
- %SystemRoot%\system32\rundll32.exe Shell32.dll,Control_RunDLL /?
创建的服务
无信息
启动的服务
无信息
进程
calc.bin PID: 2700, 上一级进程 PID: 2352
control.exe PID: 2892, 上一级进程 PID: 2700
iexplore.exe PID: 2040, 上一级进程 PID: 2028
explorer.exe PID: 1688, 上一级进程 PID: 1624
rundll32.exe PID: 256, 上一级进程 PID: 2892
访问的文件
- \??\mailslot\sla8c
- C:\Users\test\AppData\Local\Temp\calc.bin
- C:\Windows\sysnative\C_1252.NLS
- C:\Windows\sysnative\*.dll
- C:\Windows\Globalization\Sorting\sortdefault.nls
- C:\Users\test\AppData\Roaming\Microsoft
- C:\Users\test\AppData\Roaming\Microsoft\DDORdraw
- C:\Users\test\AppData\Roaming\Microsoft\DDORdraw\apiMbrkr.exe
- C:\Windows\SysWOW64\ntdll.dll
- C:\Windows\sysnative\ntdll.dll
- \??\pipe\{DCFCEE09-8B72-6E26-F5D0-EF82F90493D6}
- \??\MountPointManager
- C:\Program Files (x86)\Internet Explorer\mshtml.DLL
- C:\Windows\System32\mshtml.dll
- C:\Program Files (x86)\Internet Explorer\msls31.dll
- C:\Windows\System32\msls31.dll
- C:\Program Files (x86)\Internet Explorer\ieapfltr.DLL
- C:\Windows\System32\ieapfltr.dll
- C:\Program Files (x86)\Internet Explorer\Secur32.dll
- C:\Windows\System32\secur32.dll
- C:\Users\test\AppData\Local\Temp\Shell32.dll
- C:\Windows\sysnative\shell32.dll
- C:\Windows\sysnative\Shell32.dll.manifest
- C:\Windows\sysnative\Shell32.dll.123.Manifest
- \Device\KsecDD
- C:\Windows\sysnative\?
- C:\Windows\system\?
- C:\Windows\?
- C:\ProgramData\Oracle\Java\javapath\?
- C:\Windows\sysnative\wbem\?
- C:\Windows\sysnative\WindowsPowerShell\v1.0\?
- C:\Program Files (x86)\WinRAR\?
读取的文件
- C:\Users\test\AppData\Local\Temp\calc.bin
- C:\Windows\sysnative\C_1252.NLS
- C:\Windows\Globalization\Sorting\sortdefault.nls
- C:\Users\test\AppData\Roaming\Microsoft\DDORdraw\apiMbrkr.exe
- C:\Windows\SysWOW64\ntdll.dll
- C:\Windows\sysnative\ntdll.dll
- \??\pipe\{DCFCEE09-8B72-6E26-F5D0-EF82F90493D6}
- C:\Windows\System32\mshtml.dll
- C:\Windows\System32\msls31.dll
- C:\Windows\System32\ieapfltr.dll
- C:\Windows\System32\secur32.dll
- C:\Windows\sysnative\shell32.dll
- C:\Windows\sysnative\Shell32.dll.123.Manifest
- \Device\KsecDD
修改的文件
- \??\mailslot\sla8c
- C:\Users\test\AppData\Roaming\Microsoft\DDORdraw\apiMbrkr.exe
- \??\pipe\{DCFCEE09-8B72-6E26-F5D0-EF82F90493D6}
删除的文件
- C:\Users\test\AppData\Local\Temp\calc.bin
注册表键
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\audisjob
- HKEY_USERS\
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData
- HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\44A0939D-D32E-1666-7DB8-B7AA016CDB7E
- HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\44A0939D-D32E-1666-7DB8-B7AA016CDB7E\Client
- HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\44A0939D-D32E-1666-7DB8-B7AA016CDB7E\Client32
- HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\44A0939D-D32E-1666-7DB8-B7AA016CDB7E\Client64
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
- HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\44A0939D-D32E-1666-7DB8-B7AA016CDB7E\Scr
- HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\44A0939D-D32E-1666-7DB8-B7AA016CDB7E\Kill
- HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\44A0939D-D32E-1666-7DB8-B7AA016CDB7E\{AE7DE754-35A9-10A9-2FC2-3944D3167DB8}
- HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\44A0939D-D32E-1666-7DB8-B7AA016CDB7E\{B76E0D76-AA7C-0104-6CDB-7EC5603F92C9}
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Control Panel\Cpls
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Control Panel\Cpls
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{372941a3-1bd9-11e5-9838-806e6f6e6963}\
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{372941a3-1bd9-11e5-9838-806e6f6e6963}\Data
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{372941a3-1bd9-11e5-9838-806e6f6e6963}\Generation
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{372941a4-1bd9-11e5-9838-806e6f6e6963}\
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{372941a4-1bd9-11e5-9838-806e6f6e6963}\Data
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{372941a4-1bd9-11e5-9838-806e6f6e6963}\Generation
- HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
- HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Security_HKLM_only
- HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl
- HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl
- HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_CSS_DATA_RESPECTS_XSS_ZONE_SETTING_KB912120
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_CSS_DATA_RESPECTS_XSS_ZONE_SETTING_KB912120
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_EXTERNAL_STYLE_SHEET_FIX_FOR_SMARTNAVIGATION_KB926131
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_EXTERNAL_STYLE_SHEET_FIX_FOR_SMARTNAVIGATION_KB926131
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ARIA_SUPPORT
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_ARIA_SUPPORT
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LEGACY_DISPPARAMS
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_LEGACY_DISPPARAMS
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_LEGACY_DISPPARAMS\iexplore.exe
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_LEGACY_DISPPARAMS\*
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_PRIVATE_FONT_SETTING
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_PRIVATE_FONT_SETTING
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_CSS_SHOW_HIDE_EVENTS
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_CSS_SHOW_HIDE_EVENTS
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISPLAY_NODE_ADVISE_KB833311
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_DISPLAY_NODE_ADVISE_KB833311
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ALLOW_EXPANDURI_BYPASS
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_ALLOW_EXPANDURI_BYPASS
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BODY_SIZE_IN_EDITABLE_IFRAME_KB943245
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BODY_SIZE_IN_EDITABLE_IFRAME_KB943245
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DATABINDING_SUPPORT
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_DATABINDING_SUPPORT
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENFORCE_BSTR
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_ENFORCE_BSTR
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLE_DYNAMIC_OBJECT_CACHING
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_ENABLE_DYNAMIC_OBJECT_CACHING
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_OBJECT_CACHING
- HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_OBJECT_CACHING
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_OBJECT_CACHING\iexplore.exe
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LEGACY_TOSTRING_IN_COMPATVIEW
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_LEGACY_TOSTRING_IN_COMPATVIEW
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLE_OM_SCREEN_ORIGIN_DISPLAY_PIXELS
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_ENABLE_OM_SCREEN_ORIGIN_DISPLAY_PIXELS
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_CRASH_RECOVERY_SAVE_KB978454
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_RESTRICT_CRASH_RECOVERY_SAVE_KB978454
- HKEY_CURRENT_USER
- HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
- HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\DragDelay
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_CLEANUP_AT_FLS
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_CLEANUP_AT_FLS
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE\Path
- HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Application Compatibility
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Application Compatibility\iexplore.exe
- HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\DOMStorage
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\DOMStorage
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\DOMStorage\TotalLimit
- HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\DOMStorage
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\DOMStorage\DomainLimit
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Safety\PrivacIE
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Safety\PrivacIE\DisableInPrivateBlocking
- HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Safety\PrivacIE
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Safety\PrivacIE\DisableLogging
- HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\44A0939D-D32E-1666-7DB8-B7AA016CDB7E\Config
- HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\44A0939D-D32E-1666-7DB8-B7AA016CDB7E\Keys
- HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\44A0939D-D32E-1666-7DB8-B7AA016CDB7E\audisjob
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SESSION MANAGER\SafeProcessSearchMode
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Control Panel\Legacy CPL Map\?
读取的注册表键
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\audisjob
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData
- HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\44A0939D-D32E-1666-7DB8-B7AA016CDB7E\Client
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
- HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\44A0939D-D32E-1666-7DB8-B7AA016CDB7E\Client32
- HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\44A0939D-D32E-1666-7DB8-B7AA016CDB7E\Client64
- HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\44A0939D-D32E-1666-7DB8-B7AA016CDB7E\Scr
- HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\44A0939D-D32E-1666-7DB8-B7AA016CDB7E\Kill
- HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\44A0939D-D32E-1666-7DB8-B7AA016CDB7E\{AE7DE754-35A9-10A9-2FC2-3944D3167DB8}
- HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\44A0939D-D32E-1666-7DB8-B7AA016CDB7E\{B76E0D76-AA7C-0104-6CDB-7EC5603F92C9}
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{372941a3-1bd9-11e5-9838-806e6f6e6963}\Data
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{372941a3-1bd9-11e5-9838-806e6f6e6963}\Generation
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{372941a4-1bd9-11e5-9838-806e6f6e6963}\Data
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{372941a4-1bd9-11e5-9838-806e6f6e6963}\Generation
- HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Security_HKLM_only
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_LEGACY_DISPPARAMS\iexplore.exe
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_LEGACY_DISPPARAMS\*
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_OBJECT_CACHING\iexplore.exe
- HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\DragDelay
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE\Path
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Application Compatibility\iexplore.exe
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\DOMStorage\TotalLimit
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\DOMStorage\DomainLimit
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Safety\PrivacIE\DisableInPrivateBlocking
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Safety\PrivacIE\DisableLogging
- HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\44A0939D-D32E-1666-7DB8-B7AA016CDB7E\Keys
- HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\44A0939D-D32E-1666-7DB8-B7AA016CDB7E\audisjob
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SESSION MANAGER\SafeProcessSearchMode
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel
修改的注册表键
- HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\44A0939D-D32E-1666-7DB8-B7AA016CDB7E
- HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\44A0939D-D32E-1666-7DB8-B7AA016CDB7E\Client32
- HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\44A0939D-D32E-1666-7DB8-B7AA016CDB7E\Client64
- HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\44A0939D-D32E-1666-7DB8-B7AA016CDB7E\Client
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\audisjob
删除的注册表键
无信息
API解析
- kernel32.dll.HeapAlloc
- kernel32.dll.HeapFree
- kernel32.dll.GetTickCount
- kernel32.dll.HeapCreate
- kernel32.dll.ExitThread
- kernel32.dll.GetLastError
- kernel32.dll.GetModuleHandleA
- kernel32.dll.Sleep
- kernel32.dll.GetProcAddress
- kernel32.dll.VirtualProtect
- kernel32.dll.CreateFileA
- kernel32.dll.WriteFile
- kernel32.dll.ReadFile
- kernel32.dll.CreateMailslotA
- kernel32.dll.CloseHandle
- kernel32.dll.GetCurrentProcessId
- kernel32.dll.HeapReAlloc
- kernel32.dll.WaitForSingleObject
- kernel32.dll.TerminateThread
- kernel32.dll.GetModuleFileNameW
- kernel32.dll.VirtualAlloc
- kernel32.dll.GetExitCodeThread
- kernel32.dll.CreateThread
- kernel32.dll.lstrlenA
- kernel32.dll.LoadLibraryA
- user32.dll.wsprintfA
- ntdll.dll.memcpy
- ntdll.dll.memset
- ntdll.dll.ZwOpenProcess
- ntdll.dll.mbstowcs
- ntdll.dll.NtCreateSection
- ntdll.dll.ZwClose
- ntdll.dll.RtlNtStatusToDosError
- ntdll.dll.NtUnmapViewOfSection
- ntdll.dll.NtMapViewOfSection
- ntdll.dll.NtQuerySystemInformation
- ntdll.dll.ZwQueryInformationProcess
- ntdll.dll.RtlFreeUnicodeString
- ntdll.dll.ZwOpenProcessToken
- ntdll.dll.ZwQueryInformationToken
- ntdll.dll.RtlUpcaseUnicodeString
- ntdll.dll.RtlUnwind
- ntdll.dll.NtQueryVirtualMemory
- shlwapi.dll.PathCombineW
- shlwapi.dll.PathFindExtensionA
- shlwapi.dll.PathFindExtensionW
- shlwapi.dll.StrChrA
- shlwapi.dll.StrRChrA
- shlwapi.dll.PathFindFileNameW
- shlwapi.dll.StrStrIW
- kernel32.dll.SetEvent
- kernel32.dll.CreateEventA
- kernel32.dll.CreateFileW
- kernel32.dll.lstrlenW
- kernel32.dll.ResetEvent
- kernel32.dll.CreateFileMappingW
- kernel32.dll.lstrcmpiW
- kernel32.dll.lstrcatW
- kernel32.dll.DeleteFileW
- kernel32.dll.CreateWaitableTimerA
- kernel32.dll.MoveFileExW
- kernel32.dll.SetWaitableTimer
- kernel32.dll.MapViewOfFile
- kernel32.dll.GetFileSize
- kernel32.dll.ExitProcess
- kernel32.dll.HeapDestroy
- kernel32.dll.SleepEx
- kernel32.dll.InterlockedDecrement
- kernel32.dll.InterlockedIncrement
- kernel32.dll.CreateProcessA
- kernel32.dll.TlsFree
- kernel32.dll.TlsAlloc
- kernel32.dll.AddVectoredExceptionHandler
- kernel32.dll.TlsSetValue
- kernel32.dll.TlsGetValue
- kernel32.dll.RemoveVectoredExceptionHandler
- kernel32.dll.GetTempPathA
- kernel32.dll.GetCurrentThreadId
- kernel32.dll.GetTempFileNameA
- kernel32.dll.GetModuleFileNameA
- kernel32.dll.OpenProcess
- kernel32.dll.VirtualProtectEx
- kernel32.dll.SuspendThread
- kernel32.dll.ResumeThread
- kernel32.dll.lstrcmpA
- kernel32.dll.GetFileTime
- kernel32.dll.InitializeCriticalSection
- kernel32.dll.LeaveCriticalSection
- kernel32.dll.EnterCriticalSection
- kernel32.dll.DeleteCriticalSection
- kernel32.dll.lstrcpyA
- kernel32.dll.GetLongPathNameW
- kernel32.dll.GetVersion
- kernel32.dll.ExpandEnvironmentStringsA
- kernel32.dll.lstrcatA
- kernel32.dll.LocalFree
- kernel32.dll.SetEndOfFile
- kernel32.dll.CreateDirectoryW
- kernel32.dll.FlushFileBuffers
- kernel32.dll.lstrcpyW
- kernel32.dll.SetFilePointer
- kernel32.dll.VirtualFree
- kernel32.dll.GetSystemTimeAsFileTime
- kernel32.dll.SetLastError
- kernel32.dll.lstrcmpiA
- kernel32.dll.CompareFileTime
- kernel32.dll.FindFirstFileA
- kernel32.dll.FindClose
- kernel32.dll.FindNextFileA
- advapi32.dll.OpenProcessToken
- advapi32.dll.RegDeleteValueW
- advapi32.dll.RegEnumKeyExA
- advapi32.dll.RegOpenKeyW
- advapi32.dll.GetTokenInformation
- advapi32.dll.ConvertStringSecurityDescriptorToSecurityDescriptorA
- advapi32.dll.RegSetValueExA
- advapi32.dll.RegQueryValueExA
- advapi32.dll.RegCreateKeyA
- advapi32.dll.RegOpenKeyA
- advapi32.dll.GetSidSubAuthority
- advapi32.dll.GetSidSubAuthorityCount
- advapi32.dll.RegCloseKey
- advapi32.dll.RegOpenKeyExA
- advapi32.dll.RegQueryValueExW
- user32.dll.wsprintfW
- shell32.dll.ShellExecuteExW
- ole32.dll.CoUninitialize
- ole32.dll.CoInitializeEx
- kernel32.dll.IsWow64Process
- user32.dll.FindWindowA
- user32.dll.GetWindowThreadProcessId
- kernel32.dll.Wow64EnableWow64FsRedirection
- kernel32.dll.SortGetHandle
- kernel32.dll.SortCloseHandle
- ntdll.dll.ZwWow64QueryInformationProcess64
- ntdll.dll.ZwWow64ReadVirtualMemory64
- ntdll.dll.RtlExitUserThread
- kernel32.dll.CreateRemoteThread
- ntdll.dll.sprintf
- ntdll.dll.strcpy
- ntdll.dll._snprintf
- ntdll.dll._wcsupr
- ntdll.dll._strupr
- ntdll.dll.memmove
- ntdll.dll.wcscpy
- ntdll.dll.ZwQueryKey
- ntdll.dll.RtlImageNtHeader
- ntdll.dll.wcstombs
- ntdll.dll.RtlAdjustPrivilege
- ntdll.dll._snwprintf
- ntdll.dll.__C_specific_handler
- ntdll.dll.__chkstk
- kernel32.dll.WideCharToMultiByte
- kernel32.dll.GetVersionExA
- kernel32.dll.FileTimeToLocalFileTime
- kernel32.dll.GetLocalTime
- kernel32.dll.FileTimeToSystemTime
- kernel32.dll.CreateDirectoryA
- kernel32.dll.RemoveDirectoryA
- kernel32.dll.DeleteFileA
- kernel32.dll.GetCurrentThread
- kernel32.dll.GetWindowsDirectoryA
- kernel32.dll.CopyFileW
- kernel32.dll.TerminateProcess
- kernel32.dll.DuplicateHandle
- kernel32.dll.SwitchToThread
- kernel32.dll.UnmapViewOfFile
- kernel32.dll.OpenWaitableTimerA
- kernel32.dll.OpenMutexA
- kernel32.dll.WaitForMultipleObjects
- kernel32.dll.CreateMutexA
- kernel32.dll.ReleaseMutex
- kernel32.dll.UnregisterWait
- kernel32.dll.LoadLibraryExW
- kernel32.dll.RegisterWaitForSingleObject
- kernel32.dll.OpenEventA
- kernel32.dll.GetDriveTypeW
- kernel32.dll.GetLogicalDriveStringsW
- kernel32.dll.GetExitCodeProcess
- kernel32.dll.CreateFileMappingA
- kernel32.dll.OpenFileMappingA
- kernel32.dll.lstrcpynA
- kernel32.dll.GlobalLock
- kernel32.dll.GlobalUnlock
- kernel32.dll.Thread32First
- kernel32.dll.Thread32Next
- kernel32.dll.QueueUserAPC
- kernel32.dll.OpenThread
- kernel32.dll.CreateToolhelp32Snapshot
- kernel32.dll.CallNamedPipeA
- kernel32.dll.WaitNamedPipeA
- kernel32.dll.ConnectNamedPipe
- kernel32.dll.GetOverlappedResult
- kernel32.dll.DisconnectNamedPipe
- kernel32.dll.CreateNamedPipeA
- kernel32.dll.CancelIo
- kernel32.dll.GetSystemTime
- kernel32.dll.LocalAlloc
- kernel32.dll.FreeLibrary
- kernel32.dll.RaiseException
- kernel32.dll.ExpandEnvironmentStringsW
- kernel32.dll.RemoveDirectoryW
- kernel32.dll.FindNextFileW
- kernel32.dll.GetFileAttributesW
- kernel32.dll.SetFilePointerEx
- kernel32.dll.FindFirstFileW
- kernel32.dll.GetComputerNameW
- advapi32.dll.GetUserNameA
- advapi32.dll.GetUserNameW
- psapi.dll.EnumProcessModules
- shlwapi.dll.StrToIntExA
- shlwapi.dll.StrTrimA
- user32.dll.GetShellWindow
- shlwapi.dll.PathFindFileNameA
- shlwapi.dll.StrChrW
- setupapi.dll.CM_Get_Device_Interface_List_Size_ExW
- setupapi.dll.CM_Get_Device_Interface_List_ExW
- comctl32.dll.#386
- psapi.dll.GetProcessImageFileNameW
- advapi32.dll.UnregisterTraceGuids
- advapi32.dll.EventUnregister
- comctl32.dll.#321
- kernel32.dll.FlsGetValue
- ntdll.dll.strstr
- ntdll.dll._aulldiv
- ntdll.dll._allmul
- ntdll.dll._chkstk
- kernel32.dll.GetCurrentDirectoryW
- kernel32.dll.LoadLibraryW
- kernel32.dll.GetCommandLineA
- kernel32.dll.InterlockedExchange
- kernel32.dll.SetCurrentDirectoryW
- kernel32.dll.HeapSetInformation
- advapi32.dll.EventWrite
- advapi32.dll.EventRegister
- kernel32.dll.TryEnterCriticalSection
- kernel32.dll.SetCriticalSectionSpinCount
- wininet.dll.InternetWriteFile
- wininet.dll.HttpSendRequestW
- wininet.dll.DeleteUrlCacheEntry
- wininet.dll.InternetConnectW
- wininet.dll.HttpQueryInfoW
- wininet.dll.FindFirstUrlCacheEntryA
- wininet.dll.FindNextUrlCacheEntryA
- wininet.dll.InternetReadFileExW
- wininet.dll.InternetGetCookieA
- wininet.dll.FindCloseUrlCache
- wininet.dll.InternetSetStatusCallback
- wininet.dll.HttpQueryInfoA
- wininet.dll.HttpSendRequestA
- wininet.dll.InternetQueryOptionA
- wininet.dll.InternetSetOptionA
- wininet.dll.InternetReadFile
- wininet.dll.InternetReadFileExA
- wininet.dll.InternetQueryDataAvailable
- wininet.dll.InternetQueryOptionW
- wininet.dll.InternetConnectA
- shlwapi.dll.StrStrIA
- winhttp.dll.WinHttpOpen
- shlwapi.dll.PathFileExistsW
- advapi32.dll.RegSetValueExW
- winhttp.dll.WinHttpConnect
- winhttp.dll.WinHttpOpenRequest
- winhttp.dll.WinHttpQueryOption
- shell32.dll.Control_RunDLLW
- cryptbase.dll.SystemFunction036