魔盾安全分析报告
| 分析类型 | 开始时间 | 结束时间 | 持续时间 | 分析引擎版本 |
|---|---|---|---|---|
| FILE | 2020-10-27 10:50:36 | 2020-10-27 10:51:39 | 63 秒 | 1.4-Maldun |
| 虚拟机机器名 | 标签 | 虚拟机管理 | 开机时间 | 关机时间 |
|---|---|---|---|---|
| win7-sp1-x64-shaapp03-1 | win7-sp1-x64-shaapp03-1 | KVM | 2020-10-27 10:51:02 | 2020-10-27 10:51:40 |
| 魔盾分数 |
|---|
10.0恶意的 |
文件详细信息
| 文件名 | WeChatWin.dll |
|---|---|
| 文件大小 | 28144720 字节 |
| 文件类型 | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows |
| CRC32 | 4B48B695 |
| MD5 | f46134a73a1a1f045e580391eb18ebfc |
| SHA1 | 131718ca7ce338a50e8c80ceb80eba19c88d50d4 |
| SHA256 | 79186bbfc4b8d6269dbc32ab726cce89d68a68baccc6f8f7e655f8a22b645e29 |
| SHA512 | dc8e3f290be546b9dfe3b11d6b7d14b267214aac84b2904522ec983b0ed5f7224b90b166c3685398ef1798d30645a11215cba040f6616f79e367f71cbcc1c055 |
| Ssdeep | 393216:C8pMowvqrXLDdbrhQo7pTbou3rgCj/0wKWrtGVbrk9jnWmwFN+MzoJ6OJaIL2Jc3:XpBwSd+oFhKhcXZR6P0/Xjr |
| PEiD | 无匹配 |
| Yara |
|
| VirusTotal |
VirusTotal链接 VirusTotal扫描时间: 2020-10-27 02:47:44 扫描结果: 1/69 |
特征
检测到网络活动但没有显示在API日志中
ip: 23.204.147.18
domain: acroipm.adobe.com
可执行文件可能使用VMProtect打包
section: {'name': '.vmp0', 'characteristics': 'IMAGE_SCN_CNT_CODE|IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ', 'virtual_address': '0x0187f000', 'size_of_data': '0x00137a00', 'entropy': '7.64', 'virtual_size': '0x001379a0', 'characteristics_raw': '0x60000060'}
文件已被至少一个VirusTotal上的反病毒引擎检测为病毒
eGambit: PE.Heur.InvalidSig
魔盾安全Yara规则检测结果 - 高危
Critical: Detected TLS Client Hello Module from an known APT sample
Warning: Detected code injection function with CreateRemoteThread in a remote process
Informational: Detect SMTP ability in RAW
Warning: Detected function for file downloader/dropper
Informational: Detected network communication using dga
Warning: Record Audio
Critical: Spotted potential abnormal behaviors, like logging and network communications
Critical: Spotted potential mallicious behaviors like logging and network communication
Critical: Spotted potential malicious behaviors from a small size target, like process manipultion, privilege, token and files
运行截图
网络分析
域名解析
| 域名 | 响应 |
|---|---|
| acroipm.adobe.com |
CNAME a1983.dscd.akamai.net
CNAME acroipm.adobe.com.edgesuite.net A 23.204.147.34 A 23.204.147.18 |
TCP连接
| IP地址 | 端口 |
|---|---|
| 23.204.147.18 | 80 |
UDP连接
| IP地址 | 端口 |
|---|---|
| 192.168.122.1 | 53 |
HTTP请求
| URL | HTTP数据 |
|---|---|
| http://acroipm.adobe.com/11/rdr/CHS/win/nooem/none/message.zip | GET /11/rdr/CHS/win/nooem/none/message.zip HTTP/1.1 Accept: */* If-Modified-Since: Mon, 08 Nov 2017 08:44:36 GMT User-Agent: IPM Host: acroipm.adobe.com Connection: Keep-Alive Cache-Control: no-cache |
静态分析
PE 信息
| 初始地址 | 0x10000000 |
|---|---|
| 入口地址 | 0x10e74e9d |
| 声明校验值 | 0x01adfe8a |
| 最低操作系统版本要求 | 5.1 |
| 编译时间 | 2020-10-10 15:50:58 |
| 载入哈希 | ad1fcb070cfb450ca520fc644daa3369 |
| 导出DLL库名称 | WeChatWin.dll |
版本信息
| LegalCopyright: | Copyright (C) 2011-2019 Tencent |
| InternalName: | WeChat.exe |
| FileVersion: | 3.0.0.57 |
| CompanyName: | Tencent |
| ProductName: | |
| ProductVersion: | 3.0.0.1000 |
| FileDescription: | |
| OriginalFilename: | WeChat.exe |
| Translation: | 0x0804 0x04b0 |
PE数据组成
| 名称 | 虚拟地址 | 虚拟大小 | 原始数据大小 | 特征 | 熵(Entropy) |
|---|---|---|---|---|---|
| .text | 0x00001000 | 0x013cbe26 | 0x013cc000 | IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ | 6.55 |
| .rdata | 0x013cd000 | 0x00421ea2 | 0x00422000 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 5.80 |
| .data | 0x017ef000 | 0x00089da0 | 0x00059600 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE | 5.34 |
| .gfids | 0x01879000 | 0x0000116c | 0x00001200 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 4.08 |
| _RDATA | 0x0187b000 | 0x00002ce0 | 0x00002e00 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 5.12 |
| .tls | 0x0187e000 | 0x00000002 | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE | 0.00 |
| .vmp0 | 0x0187f000 | 0x001379a0 | 0x00137a00 | IMAGE_SCN_CNT_CODE|IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ | 7.64 |
| .reloc | 0x019b7000 | 0x0014fddc | 0x0014fe00 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 6.62 |
| .rsrc | 0x01b07000 | 0x000004dd | 0x00000600 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 3.69 |
覆盖
| 偏移量: | 0x01ad3a00 |
| 大小: | 0x00003a50 |
资源
| 名称 | 偏移量 | 大小 | 语言 | 子语言 | 熵(Entropy) | 文件类型 |
|---|---|---|---|---|---|---|
| RT_VERSION | 0x01b070a0 | 0x000002c0 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 3.39 | data |
| RT_MANIFEST | 0x01b07360 | 0x0000017d | LANG_ENGLISH | SUBLANG_ENGLISH_US | 4.91 | XML 1.0 document text |
导入
库 KERNEL32.dll:
• 0x113cd1f8 - GetUserDefaultLCID
• 0x113cd1fc - VirtualAllocEx
• 0x113cd200 - ReadProcessMemory
• 0x113cd204 - VirtualFreeEx
• 0x113cd208 - GlobalMemoryStatusEx
• 0x113cd20c - GetThreadContext
• 0x113cd210 - SetThreadPriority
• 0x113cd214 - CreateDirectoryW
• 0x113cd218 - ResetEvent
• 0x113cd21c - FlushFileBuffers
• 0x113cd220 - InitializeCriticalSection
• 0x113cd224 - GetSystemDefaultUILanguage
• 0x113cd228 - CreateSemaphoreW
• 0x113cd22c - GetCurrentThreadId
• 0x113cd230 - GlobalFindAtomW
• 0x113cd234 - GlobalAddAtomW
• 0x113cd238 - FreeResource
• 0x113cd23c - InterlockedExchange
• 0x113cd240 - LeaveCriticalSection
• 0x113cd244 - EnterCriticalSection
• 0x113cd248 - lstrcmpW
• 0x113cd24c - Sleep
• 0x113cd250 - PulseEvent
• 0x113cd254 - LCMapStringW
• 0x113cd258 - LoadLibraryW
• 0x113cd25c - FreeLibrary
• 0x113cd260 - GetCurrentProcessId
• 0x113cd264 - WriteFile
• 0x113cd268 - ReleaseSemaphore
• 0x113cd26c - LocalAlloc
• 0x113cd270 - TlsSetValue
• 0x113cd274 - TlsFree
• 0x113cd278 - LocalFree
• 0x113cd27c - TlsGetValue
• 0x113cd280 - TlsAlloc
• 0x113cd284 - GetDriveTypeW
• 0x113cd288 - Module32NextW
• 0x113cd28c - Module32FirstW
• 0x113cd290 - GetVersionExW
• 0x113cd294 - GetModuleHandleA
• 0x113cd298 - GetNativeSystemInfo
• 0x113cd29c - CreatePipe
• 0x113cd2a0 - WriteConsoleW
• 0x113cd2a4 - FreeEnvironmentStringsW
• 0x113cd2a8 - GetEnvironmentStringsW
• 0x113cd2ac - GetCommandLineW
• 0x113cd2b0 - GetCommandLineA
• 0x113cd2b4 - GetOEMCP
• 0x113cd2b8 - IsValidCodePage
• 0x113cd2bc - FindNextFileA
• 0x113cd2c0 - FindFirstFileExA
• 0x113cd2c4 - SetStdHandle
• 0x113cd2c8 - EnumSystemLocalesW
• 0x113cd2cc - IsValidLocale
• 0x113cd2d0 - GetDateFormatW
• 0x113cd2d4 - CreateProcessA
• 0x113cd2d8 - GetConsoleCP
• 0x113cd2dc - GetModuleFileNameA
• 0x113cd2e0 - SetEnvironmentVariableA
• 0x113cd2e4 - SetConsoleCtrlHandler
• 0x113cd2e8 - FileTimeToSystemTime
• 0x113cd2ec - ExitThread
• 0x113cd2f0 - RtlUnwind
• 0x113cd2f4 - UnregisterWaitEx
• 0x113cd2f8 - QueryDepthSList
• 0x113cd2fc - InterlockedFlushSList
• 0x113cd300 - InterlockedPushEntrySList
• 0x113cd304 - InterlockedPopEntrySList
• 0x113cd308 - VirtualProtect
• 0x113cd30c - VirtualFree
• 0x113cd310 - VirtualAlloc
• 0x113cd314 - LoadLibraryExW
• 0x113cd318 - MultiByteToWideChar
• 0x113cd31c - GetThreadTimes
• 0x113cd320 - UnregisterWait
• 0x113cd324 - RegisterWaitForSingleObject
• 0x113cd328 - SetThreadAffinityMask
• 0x113cd32c - GetProcessAffinityMask
• 0x113cd330 - GetNumaHighestNodeNumber
• 0x113cd334 - DeleteTimerQueueTimer
• 0x113cd338 - ChangeTimerQueueTimer
• 0x113cd33c - CreateTimerQueueTimer
• 0x113cd340 - GetThreadPriority
• 0x113cd344 - SwitchToThread
• 0x113cd348 - SignalObjectAndWait
• 0x113cd34c - CreateTimerQueue
• 0x113cd350 - lstrlenA
• 0x113cd354 - MapViewOfFileEx
• 0x113cd358 - WaitForMultipleObjectsEx
• 0x113cd35c - OpenEventA
• 0x113cd360 - GetLogicalProcessorInformation
• 0x113cd364 - SetWaitableTimer
• 0x113cd368 - CreateWaitableTimerW
• 0x113cd36c - VerifyVersionInfoW
• 0x113cd370 - DeviceIoControl
• 0x113cd374 - CreateSemaphoreA
• 0x113cd378 - CreateEventA
• 0x113cd37c - GetStringTypeExA
• 0x113cd380 - LCMapStringA
• 0x113cd384 - GetStringTypeExW
• 0x113cd388 - VirtualQuery
• 0x113cd38c - SuspendThread
• 0x113cd390 - Thread32First
• 0x113cd394 - SetErrorMode
• 0x113cd398 - Thread32Next
• 0x113cd39c - WriteProcessMemory
• 0x113cd3a0 - SearchPathW
• 0x113cd3a4 - LockFileEx
• 0x113cd3a8 - MoveFileExW
• 0x113cd3ac - CreateFileMappingA
• 0x113cd3b0 - VirtualLock
• 0x113cd3b4 - UnlockFile
• 0x113cd3b8 - HeapCompact
• 0x113cd3bc - DeleteFileA
• 0x113cd3c0 - GetVersionExA
• 0x113cd3c4 - CreateFileA
• 0x113cd3c8 - FlushViewOfFile
• 0x113cd3cc - GetFileAttributesA
• 0x113cd3d0 - GetDiskFreeSpaceA
• 0x113cd3d4 - GetTempPathA
• 0x113cd3d8 - HeapValidate
• 0x113cd3dc - UnlockFileEx
• 0x113cd3e0 - GetFullPathNameA
• 0x113cd3e4 - LockFile
• 0x113cd3e8 - VirtualUnlock
• 0x113cd3ec - GetDiskFreeSpaceW
• 0x113cd3f0 - InterlockedCompareExchange
• 0x113cd3f4 - GetFullPathNameW
• 0x113cd3f8 - GetProcessId
• 0x113cd3fc - DosDateTimeToFileTime
• 0x113cd400 - SetFileTime
• 0x113cd404 - ExitProcess
• 0x113cd408 - GetACP
• 0x113cd40c - GetStartupInfoW
• 0x113cd410 - IsProcessorFeaturePresent
• 0x113cd414 - SetUnhandledExceptionFilter
• 0x113cd418 - UnhandledExceptionFilter
• 0x113cd41c - InitializeSListHead
• 0x113cd420 - VerSetConditionMask
• 0x113cd424 - OutputDebugStringA
• 0x113cd428 - WideCharToMultiByte
• 0x113cd42c - SetCurrentDirectoryW
• 0x113cd430 - GetCurrentDirectoryW
• 0x113cd434 - GetDiskFreeSpaceExW
• 0x113cd438 - CopyFileW
• 0x113cd43c - RemoveDirectoryW
• 0x113cd440 - GetFileSize
• 0x113cd444 - SetEndOfFile
• 0x113cd448 - SetFilePointer
• 0x113cd44c - GetFileSizeEx
• 0x113cd450 - SetFileAttributesW
• 0x113cd454 - DeleteFileW
• 0x113cd458 - MoveFileW
• 0x113cd45c - GetShortPathNameW
• 0x113cd460 - GetModuleFileNameW
• 0x113cd464 - TerminateThread
• 0x113cd468 - DuplicateHandle
• 0x113cd46c - GetCurrentProcess
• 0x113cd470 - QueryDosDeviceW
• 0x113cd474 - GetLogicalDriveStringsW
• 0x113cd478 - GetTimeFormatW
• 0x113cd47c - GetTimeZoneInformation
• 0x113cd480 - SystemTimeToTzSpecificLocalTime
• 0x113cd484 - FindNextFileW
• 0x113cd488 - FindClose
• 0x113cd48c - FindFirstFileW
• 0x113cd490 - GlobalHandle
• 0x113cd494 - GetSystemPowerStatus
• 0x113cd498 - DecodePointer
• 0x113cd49c - RaiseException
• 0x113cd4a0 - InitializeCriticalSectionAndSpinCount
• 0x113cd4a4 - GetProcessTimes
• 0x113cd4a8 - QueryPerformanceCounter
• 0x113cd4ac - QueryPerformanceFrequency
• 0x113cd4b0 - OpenMutexW
• 0x113cd4b4 - WritePrivateProfileStringW
• 0x113cd4b8 - OpenProcess
• 0x113cd4bc - CreateToolhelp32Snapshot
• 0x113cd4c0 - UnmapViewOfFile
• 0x113cd4c4 - MapViewOfFile
• 0x113cd4c8 - CreateFileMappingW
• 0x113cd4cc - GetSystemInfo
• 0x113cd4d0 - WinExec
• 0x113cd4d4 - GetCurrentThread
• 0x113cd4d8 - GetExitCodeThread
• 0x113cd4dc - GetLastError
• 0x113cd4e0 - OutputDebugStringW
• 0x113cd4e4 - InterlockedDecrement
• 0x113cd4e8 - InterlockedIncrement
• 0x113cd4ec - GetLocalTime
• 0x113cd4f0 - GlobalFree
• 0x113cd4f4 - ReadFile
• 0x113cd4f8 - CreateFileW
• 0x113cd4fc - CreateThread
• 0x113cd500 - lstrcatW
• 0x113cd504 - lstrlenW
• 0x113cd508 - GetFileAttributesW
• 0x113cd50c - GetProcAddress
• 0x113cd510 - FindResourceExW
• 0x113cd514 - FindResourceW
• 0x113cd518 - LoadResource
• 0x113cd51c - LockResource
• 0x113cd520 - SizeofResource
• 0x113cd524 - GetProcessHeap
• 0x113cd528 - HeapAlloc
• 0x113cd52c - HeapFree
• 0x113cd530 - HeapReAlloc
• 0x113cd534 - HeapSize
• 0x113cd538 - HeapDestroy
• 0x113cd53c - GlobalAlloc
• 0x113cd540 - GlobalSize
• 0x113cd544 - IsDebuggerPresent
• 0x113cd548 - GetLocaleInfoW
• 0x113cd54c - CompareStringW
• 0x113cd550 - GetCPInfo
• 0x113cd554 - EncodePointer
• 0x113cd558 - GetStringTypeW
• 0x113cd55c - AreFileApisANSI
• 0x113cd560 - SetFilePointerEx
• 0x113cd564 - GetFileAttributesExW
• 0x113cd568 - TryEnterCriticalSection
• 0x113cd56c - WaitForSingleObjectEx
• 0x113cd570 - ConvertThreadToFiber
• 0x113cd574 - ConvertFiberToThread
• 0x113cd578 - GetSystemTimeAsFileTime
• 0x113cd57c - FormatMessageW
• 0x113cd580 - CreateFiber
• 0x113cd584 - DeleteFiber
• 0x113cd588 - SwitchToFiber
• 0x113cd58c - SetConsoleMode
• 0x113cd590 - ReadConsoleW
• 0x113cd594 - ReadConsoleA
• 0x113cd598 - GetConsoleMode
• 0x113cd59c - GetEnvironmentVariableW
• 0x113cd5a0 - GetModuleHandleExW
• 0x113cd5a4 - SystemTimeToFileTime
• 0x113cd5a8 - FormatMessageA
• 0x113cd5ac - SetLastError
• 0x113cd5b0 - PeekNamedPipe
• 0x113cd5b4 - GetStdHandle
• 0x113cd5b8 - GetFileType
• 0x113cd5bc - WaitForMultipleObjects
• 0x113cd5c0 - ExpandEnvironmentStringsA
• 0x113cd5c4 - VerifyVersionInfoA
• 0x113cd5c8 - GetSystemDirectoryA
• 0x113cd5cc - LoadLibraryA
• 0x113cd5d0 - SleepEx
• 0x113cd5d4 - GlobalUnlock
• 0x113cd5d8 - GlobalLock
• 0x113cd5dc - MulDiv
• 0x113cd5e0 - GetSystemDirectoryW
• 0x113cd5e4 - GetTempPathW
• 0x113cd5e8 - CreateEventW
• 0x113cd5ec - WaitForSingleObject
• 0x113cd5f0 - CloseHandle
• 0x113cd5f4 - SetEvent
• 0x113cd5f8 - GetModuleHandleW
• 0x113cd5fc - SetThreadExecutionState
• 0x113cd600 - GetExitCodeProcess
• 0x113cd604 - TerminateProcess
• 0x113cd608 - CreateProcessW
• 0x113cd60c - HeapCreate
• 0x113cd610 - GetSystemTime
• 0x113cd614 - OpenThread
• 0x113cd618 - ReleaseMutex
• 0x113cd61c - CreateMutexW
• 0x113cd620 - GetFileTime
• 0x113cd624 - DeleteCriticalSection
• 0x113cd628 - FreeLibraryAndExitThread
• 0x113cd62c - GetTickCount
库 USER32.dll:
• 0x113cd714 - RegisterClassExW
• 0x113cd718 - UnregisterHotKey
• 0x113cd71c - RegisterHotKey
• 0x113cd720 - RegisterWindowMessageW
• 0x113cd724 - SetForegroundWindow
• 0x113cd728 - UpdateWindow
• 0x113cd72c - FindWindowExW
• 0x113cd730 - GetMessageW
• 0x113cd734 - TranslateMessage
• 0x113cd738 - DispatchMessageW
• 0x113cd73c - PostThreadMessageW
• 0x113cd740 - PeekMessageW
• 0x113cd744 - SetWindowRgn
• 0x113cd748 - mouse_event
• 0x113cd74c - RegisterClassW
• 0x113cd750 - MessageBoxW
• 0x113cd754 - GetClassNameA
• 0x113cd758 - AttachThreadInput
• 0x113cd75c - GetSysColor
• 0x113cd760 - GetShellWindow
• 0x113cd764 - GetAncestor
• 0x113cd768 - GetLastActivePopup
• 0x113cd76c - GetClassNameW
• 0x113cd770 - EnumChildWindows
• 0x113cd774 - EnumDisplayMonitors
• 0x113cd778 - GetWindowDC
• 0x113cd77c - PrintWindow
• 0x113cd780 - SetParent
• 0x113cd784 - IsHungAppWindow
• 0x113cd788 - FindWindowA
• 0x113cd78c - FindWindowExA
• 0x113cd790 - SystemParametersInfoW
• 0x113cd794 - InflateRect
• 0x113cd798 - GetClassInfoExW
• 0x113cd79c - CallWindowProcW
• 0x113cd7a0 - SetCapture
• 0x113cd7a4 - WindowFromPoint
• 0x113cd7a8 - BeginPaint
• 0x113cd7ac - EndPaint
• 0x113cd7b0 - PostMessageA
• 0x113cd7b4 - CallNextHookEx
• 0x113cd7b8 - SetWindowsHookExW
• 0x113cd7bc - UnhookWindowsHookEx
• 0x113cd7c0 - OffsetRect
• 0x113cd7c4 - MonitorFromRect
• 0x113cd7c8 - GetWindowPlacement
• 0x113cd7cc - CharPrevW
• 0x113cd7d0 - ScreenToClient
• 0x113cd7d4 - SetRect
• 0x113cd7d8 - IsRectEmpty
• 0x113cd7dc - wsprintfW
• 0x113cd7e0 - DefWindowProcW
• 0x113cd7e4 - GetWindowThreadProcessId
• 0x113cd7e8 - FindWindowW
• 0x113cd7ec - LoadImageW
• 0x113cd7f0 - DrawTextW
• 0x113cd7f4 - BringWindowToTop
• 0x113cd7f8 - SwitchToThisWindow
• 0x113cd7fc - GetProcessWindowStation
• 0x113cd800 - GetUserObjectInformationW
• 0x113cd804 - UnregisterClassW
• 0x113cd808 - GetUpdateRect
• 0x113cd80c - GetGUIThreadInfo
• 0x113cd810 - ValidateRect
• 0x113cd814 - GetMessageExtraInfo
• 0x113cd818 - CreateCaret
• 0x113cd81c - ShowCaret
• 0x113cd820 - HideCaret
• 0x113cd824 - SetCaretPos
• 0x113cd828 - InvalidateRgn
• 0x113cd82c - CreateAcceleratorTableW
• 0x113cd830 - NotifyWinEvent
• 0x113cd834 - LoadStringW
• 0x113cd838 - LoadStringA
• 0x113cd83c - IsClipboardFormatAvailable
• 0x113cd840 - SetClipboardData
• 0x113cd844 - GetClipboardData
• 0x113cd848 - CloseClipboard
• 0x113cd84c - RegisterClipboardFormatW
• 0x113cd850 - EmptyClipboard
• 0x113cd854 - OpenClipboard
• 0x113cd858 - CharNextW
• 0x113cd85c - SendInput
• 0x113cd860 - GetActiveWindow
• 0x113cd864 - InvalidateRect
• 0x113cd868 - FlashWindowEx
• 0x113cd86c - GetForegroundWindow
• 0x113cd870 - SetWindowTextW
• 0x113cd874 - PostMessageW
• 0x113cd878 - ShowWindow
• 0x113cd87c - LoadCursorW
• 0x113cd880 - SetCursor
• 0x113cd884 - IntersectRect
• 0x113cd888 - ClientToScreen
• 0x113cd88c - GetKeyState
• 0x113cd890 - PtInRect
• 0x113cd894 - GetCursorPos
• 0x113cd898 - GetSystemMetrics
• 0x113cd89c - MoveWindow
• 0x113cd8a0 - GetFocus
• 0x113cd8a4 - GetParent
• 0x113cd8a8 - EndDeferWindowPos
• 0x113cd8ac - DeferWindowPos
• 0x113cd8b0 - BeginDeferWindowPos
• 0x113cd8b4 - IsZoomed
• 0x113cd8b8 - IsIconic
• 0x113cd8bc - IsWindow
• 0x113cd8c0 - GetWindow
• 0x113cd8c4 - KillTimer
• 0x113cd8c8 - IsWindowVisible
• 0x113cd8cc - UpdateLayeredWindow
• 0x113cd8d0 - SetWindowPos
• 0x113cd8d4 - SendMessageW
• 0x113cd8d8 - SetTimer
• 0x113cd8dc - SendMessageTimeoutW
• 0x113cd8e0 - DestroyWindow
• 0x113cd8e4 - ReleaseDC
• 0x113cd8e8 - GetDC
• 0x113cd8ec - ReleaseCapture
• 0x113cd8f0 - GetClipboardFormatNameW
• 0x113cd8f4 - SetPropW
• 0x113cd8f8 - GetPropW
• 0x113cd8fc - GetWindowTextA
• 0x113cd900 - SetLayeredWindowAttributes
• 0x113cd904 - SetWindowLongW
• 0x113cd908 - GetWindowTextLengthW
• 0x113cd90c - GetWindowTextW
• 0x113cd910 - IsWindowEnabled
• 0x113cd914 - GetDesktopWindow
• 0x113cd918 - GetWindowLongW
• 0x113cd91c - MapWindowPoints
• 0x113cd920 - SetRectEmpty
• 0x113cd924 - wvsprintfW
• 0x113cd928 - DestroyIcon
• 0x113cd92c - DrawIcon
• 0x113cd930 - FillRect
• 0x113cd934 - GetIconInfo
• 0x113cd938 - CreateWindowExW
• 0x113cd93c - PostQuitMessage
• 0x113cd940 - GetWindowRect
• 0x113cd944 - EqualRect
• 0x113cd948 - GetCaretPos
• 0x113cd94c - MonitorFromWindow
• 0x113cd950 - SetFocus
• 0x113cd954 - EnableWindow
• 0x113cd958 - MonitorFromPoint
• 0x113cd95c - GetMonitorInfoW
• 0x113cd960 - GetClientRect
• 0x113cd964 - UnionRect
库 GDI32.dll:
• 0x113cd0cc - RoundRect
• 0x113cd0d0 - CreateFontIndirectW
• 0x113cd0d4 - CreateEllipticRgn
• 0x113cd0d8 - PtInRegion
• 0x113cd0dc - CreatePolygonRgn
• 0x113cd0e0 - GetPixel
• 0x113cd0e4 - GetCurrentObject
• 0x113cd0e8 - PatBlt
• 0x113cd0ec - CreateBitmap
• 0x113cd0f0 - StretchDIBits
• 0x113cd0f4 - CreateRoundRectRgn
• 0x113cd0f8 - GetDIBits
• 0x113cd0fc - RealizePalette
• 0x113cd100 - SelectPalette
• 0x113cd104 - CreateDCA
• 0x113cd108 - CombineRgn
• 0x113cd10c - SetDIBColorTable
• 0x113cd110 - RestoreDC
• 0x113cd114 - SetDIBitsToDevice
• 0x113cd118 - SaveDC
• 0x113cd11c - GetObjectA
• 0x113cd120 - GetBkColor
• 0x113cd124 - GetTextColor
• 0x113cd128 - SelectClipRgn
• 0x113cd12c - GetCharABCWidthsW
• 0x113cd130 - ExtSelectClipRgn
• 0x113cd134 - CreateRectRgnIndirect
• 0x113cd138 - GetClipBox
• 0x113cd13c - StretchBlt
• 0x113cd140 - SetStretchBltMode
• 0x113cd144 - GetTextExtentPointW
• 0x113cd148 - GetStockObject
• 0x113cd14c - SetBkColor
• 0x113cd150 - GetTextExtentPoint32W
• 0x113cd154 - SetTextColor
• 0x113cd158 - BitBlt
• 0x113cd15c - SetMapMode
• 0x113cd160 - TextOutW
• 0x113cd164 - SetBkMode
• 0x113cd168 - Rectangle
• 0x113cd16c - CreatePen
• 0x113cd170 - CreateSolidBrush
• 0x113cd174 - CreateCompatibleBitmap
• 0x113cd178 - GetObjectW
• 0x113cd17c - GetDeviceCaps
• 0x113cd180 - DeleteObject
• 0x113cd184 - SetWorldTransform
• 0x113cd188 - SetGraphicsMode
• 0x113cd18c - DeleteDC
• 0x113cd190 - SelectObject
• 0x113cd194 - CreateDIBSection
• 0x113cd198 - CreateCompatibleDC
• 0x113cd19c - GdiFlush
• 0x113cd1a0 - SetWindowOrgEx
• 0x113cd1a4 - GetTextMetricsW
• 0x113cd1a8 - GetClipRgn
• 0x113cd1ac - ExtTextOutW
• 0x113cd1b0 - CreatePenIndirect
• 0x113cd1b4 - MoveToEx
• 0x113cd1b8 - LineTo
• 0x113cd1bc - FillRgn
库 COMDLG32.dll:
• 0x113cd094 - GetSaveFileNameW
• 0x113cd098 - GetOpenFileNameW
• 0x113cd09c - CommDlgExtendedError
库 ADVAPI32.dll:
• 0x113cd000 - RegQueryInfoKeyW
• 0x113cd004 - DeregisterEventSource
• 0x113cd008 - ReportEventW
• 0x113cd00c - RegEnumKeyExW
• 0x113cd010 - CryptAcquireContextA
• 0x113cd014 - CryptEnumProvidersW
• 0x113cd018 - CryptSignHashW
• 0x113cd01c - CryptDestroyHash
• 0x113cd020 - CryptCreateHash
• 0x113cd024 - CryptDecrypt
• 0x113cd028 - CryptExportKey
• 0x113cd02c - RegOpenKeyW
• 0x113cd030 - ControlTraceW
• 0x113cd034 - StartTraceW
• 0x113cd038 - ProcessTrace
• 0x113cd03c - OpenTraceW
• 0x113cd040 - CryptReleaseContext
• 0x113cd044 - CryptGenRandom
• 0x113cd048 - CryptAcquireContextW
• 0x113cd04c - RegCreateKeyW
• 0x113cd050 - RegCreateKeyExW
• 0x113cd054 - RegDeleteValueW
• 0x113cd058 - RegEnumValueW
• 0x113cd05c - CryptDestroyKey
• 0x113cd060 - RegSetValueExW
• 0x113cd064 - RegCloseKey
• 0x113cd068 - GetCurrentHwProfileW
• 0x113cd06c - RegQueryValueExW
• 0x113cd070 - RegOpenKeyExW
• 0x113cd074 - CryptGetUserKey
• 0x113cd078 - CryptGetProvParam
• 0x113cd07c - CryptSetHashParam
• 0x113cd080 - RegisterEventSourceW
库 SHELL32.dll:
• 0x113cd6b4 - SHGetFolderPathW
• 0x113cd6b8 - SHAppBarMessage
• 0x113cd6bc - SHFileOperationW
• 0x113cd6c0 - SHGetSpecialFolderLocation
• 0x113cd6c4 - Shell_NotifyIconW
• 0x113cd6c8 - SHCreateDirectoryExW
• 0x113cd6cc - SHGetPathFromIDListW
• 0x113cd6d0 - DragQueryFileW
• 0x113cd6d4 - SHGetFileInfoW
• 0x113cd6d8 - ShellExecuteW
• 0x113cd6dc - SHBrowseForFolderW
库 ole32.dll:
• 0x113cde74 - CoSetProxyBlanket
• 0x113cde78 - StgCreateDocfileOnILockBytes
• 0x113cde7c - CLSIDFromProgID
• 0x113cde80 - CLSIDFromString
• 0x113cde84 - OleLockRunning
• 0x113cde88 - OleCreateStaticFromData
• 0x113cde8c - OleDuplicateData
• 0x113cde90 - StgCreateDocfile
• 0x113cde94 - OleUninitialize
• 0x113cde98 - OleInitialize
• 0x113cde9c - StringFromGUID2
• 0x113cdea0 - PropVariantClear
• 0x113cdea4 - CoInitialize
• 0x113cdea8 - CreateILockBytesOnHGlobal
• 0x113cdeac - CoInitializeSecurity
• 0x113cdeb0 - CoInitializeEx
• 0x113cdeb4 - CoUninitialize
• 0x113cdeb8 - CoCreateGuid
• 0x113cdebc - RegisterDragDrop
• 0x113cdec0 - CoTaskMemAlloc
• 0x113cdec4 - CreateStreamOnHGlobal
• 0x113cdec8 - CoCreateInstance
• 0x113cdecc - CoTaskMemFree
• 0x113cded0 - DoDragDrop
• 0x113cded4 - ReleaseStgMedium
• 0x113cded8 - OleSetContainedObject
库 OLEAUT32.dll:
• 0x113cd648 - SysAllocStringByteLen
• 0x113cd64c - SysStringByteLen
• 0x113cd650 - SafeArrayAccessData
• 0x113cd654 - SafeArrayCreateVector
• 0x113cd658 - OleCreatePropertyFrame
• 0x113cd65c - VariantInit
• 0x113cd660 - SysAllocString
• 0x113cd664 - SafeArrayDestroy
• 0x113cd668 - SysFreeString
• 0x113cd66c - SysStringLen
• 0x113cd670 - VariantClear
• 0x113cd674 - SafeArrayUnaccessData
• 0x113cd678 - VariantTimeToSystemTime
• 0x113cd67c - SystemTimeToVariantTime
库 WINMM.dll:
• 0x113cda28 - PlaySoundW
• 0x113cda2c - waveOutGetNumDevs
• 0x113cda30 - waveOutPrepareHeader
• 0x113cda34 - waveOutWrite
• 0x113cda38 - waveOutPause
• 0x113cda3c - waveOutRestart
• 0x113cda40 - waveInAddBuffer
• 0x113cda44 - waveInPrepareHeader
• 0x113cda48 - waveOutOpen
• 0x113cda4c - mixerGetLineControlsW
• 0x113cda50 - mixerGetControlDetailsW
• 0x113cda54 - mixerClose
• 0x113cda58 - waveInOpen
• 0x113cda5c - waveInMessage
• 0x113cda60 - waveInGetDevCapsW
• 0x113cda64 - waveInGetNumDevs
• 0x113cda68 - waveOutReset
• 0x113cda6c - waveOutClose
• 0x113cda70 - waveOutGetDevCapsW
• 0x113cda74 - waveOutSetVolume
• 0x113cda78 - waveOutMessage
• 0x113cda7c - waveOutUnprepareHeader
• 0x113cda80 - waveOutGetVolume
• 0x113cda84 - waveInUnprepareHeader
• 0x113cda88 - waveInClose
• 0x113cda8c - waveInStart
• 0x113cda90 - waveInReset
• 0x113cda94 - waveInStop
• 0x113cda98 - mixerGetDevCapsW
• 0x113cda9c - mixerOpen
• 0x113cdaa0 - mixerGetLineInfoW
• 0x113cdaa4 - timeGetTime
• 0x113cdaa8 - timeBeginPeriod
库 DDRAW.dll:
• 0x113cd0c4 - DirectDrawCreate
库 SETUPAPI.dll:
• 0x113cd69c - SetupDiGetDeviceInstanceIdW
• 0x113cd6a0 - SetupDiGetClassDevsW
• 0x113cd6a4 - SetupDiDestroyDeviceInfoList
• 0x113cd6a8 - SetupDiGetDeviceRegistryPropertyW
• 0x113cd6ac - SetupDiEnumDeviceInfo
库 WS2_32.dll:
• 0x113cdaf8 - gethostbyname
• 0x113cdafc - inet_ntoa
• 0x113cdb00 - WSACreateEvent
• 0x113cdb04 - WSAGetLastError
• 0x113cdb08 - socket
• 0x113cdb0c - setsockopt
• 0x113cdb10 - closesocket
• 0x113cdb14 - htons
• 0x113cdb18 - sendto
• 0x113cdb1c - gethostname
• 0x113cdb20 - ntohl
• 0x113cdb24 - htonl
• 0x113cdb28 - ntohs
• 0x113cdb2c - connect
• 0x113cdb30 - ioctlsocket
• 0x113cdb34 - __WSAFDIsSet
• 0x113cdb38 - select
• 0x113cdb3c - send
• 0x113cdb40 - recv
• 0x113cdb44 - getsockname
• 0x113cdb48 - getaddrinfo
• 0x113cdb4c - freeaddrinfo
• 0x113cdb50 - WSACloseEvent
• 0x113cdb54 - WSASetLastError
• 0x113cdb58 - bind
• 0x113cdb5c - getpeername
• 0x113cdb60 - getsockopt
• 0x113cdb64 - WSAIoctl
• 0x113cdb68 - accept
• 0x113cdb6c - listen
• 0x113cdb70 - recvfrom
• 0x113cdb74 - WSACleanup
• 0x113cdb78 - WSAStartup
• 0x113cdb7c - getnameinfo
• 0x113cdb80 - WSAEnumNetworkEvents
• 0x113cdb84 - WSAEventSelect
• 0x113cdb88 - WSAResetEvent
• 0x113cdb8c - WSASetEvent
• 0x113cdb90 - WSAWaitForMultipleEvents
• 0x113cdb94 - inet_addr
库 WLDAP32.dll:
• 0x113cdab0 - None
• 0x113cdab4 - None
• 0x113cdab8 - None
• 0x113cdabc - None
• 0x113cdac0 - None
• 0x113cdac4 - None
• 0x113cdac8 - None
• 0x113cdacc - None
• 0x113cdad0 - None
• 0x113cdad4 - None
• 0x113cdad8 - None
• 0x113cdadc - None
• 0x113cdae0 - None
• 0x113cdae4 - None
• 0x113cdae8 - None
• 0x113cdaec - None
• 0x113cdaf0 - None
库 gdiplus.dll:
• 0x113cdba4 - GdipSetInterpolationMode
• 0x113cdba8 - GdipFillEllipseI
• 0x113cdbac - GdipFillRectangleI
• 0x113cdbb0 - GdipSetSolidFillColor
• 0x113cdbb4 - GdipGetImageGraphicsContext
• 0x113cdbb8 - GdipCreateBitmapFromScan0
• 0x113cdbbc - GdipFillPieI
• 0x113cdbc0 - GdipCloneBrush
• 0x113cdbc4 - GdipDeleteBrush
• 0x113cdbc8 - GdipCreateSolidFill
• 0x113cdbcc - GdipDrawEllipseI
• 0x113cdbd0 - GdipDeletePen
• 0x113cdbd4 - GdipCreatePen1
• 0x113cdbd8 - GdipSetSmoothingMode
• 0x113cdbdc - GdipLoadImageFromStream
• 0x113cdbe0 - GdipDisposeImage
• 0x113cdbe4 - GdipDrawImageRectRectI
• 0x113cdbe8 - GdipLoadImageFromFile
• 0x113cdbec - GdipDrawImageRectI
• 0x113cdbf0 - GdipDeleteGraphics
• 0x113cdbf4 - GdipCreateFromHDC
• 0x113cdbf8 - GdipCreateTexture
• 0x113cdbfc - GdipGetImageWidth
• 0x113cdc00 - GdipSetMatrixElements
• 0x113cdc04 - GdipDeleteMatrix
• 0x113cdc08 - GdipCreateMatrix2
• 0x113cdc0c - GdipFree
• 0x113cdc10 - GdipAlloc
• 0x113cdc14 - GdipGetMatrixElements
• 0x113cdc18 - GdipTranslateMatrix
• 0x113cdc1c - GdipRotateMatrix
• 0x113cdc20 - GdipFillPolygonI
• 0x113cdc24 - GdipCreatePath
• 0x113cdc28 - GdipDeletePath
• 0x113cdc2c - GdipCreateMatrix
• 0x113cdc30 - GdipSetWorldTransform
• 0x113cdc34 - GdipBitmapGetPixel
• 0x113cdc38 - GdipBitmapSetPixel
• 0x113cdc3c - GdipCreateFontFromDC
• 0x113cdc40 - GdipCreateFontFromLogfontA
• 0x113cdc44 - GdipDeleteFont
• 0x113cdc48 - GdipCreateStringFormat
• 0x113cdc4c - GdipDeleteStringFormat
• 0x113cdc50 - GdipSetStringFormatAlign
• 0x113cdc54 - GdipSetStringFormatLineAlign
• 0x113cdc58 - GdipSetTextRenderingHint
• 0x113cdc5c - GdipSetStringFormatTrimming
• 0x113cdc60 - GdipDrawArcI
• 0x113cdc64 - GdipDrawString
• 0x113cdc68 - GdipDrawImageRectRect
• 0x113cdc6c - GdipImageGetFrameDimensionsCount
• 0x113cdc70 - GdipImageGetFrameDimensionsList
• 0x113cdc74 - GdipImageGetFrameCount
• 0x113cdc78 - GdipGetPropertyItemSize
• 0x113cdc7c - GdipGetPropertyItem
• 0x113cdc80 - GdipGetImageFlags
• 0x113cdc84 - GdipImageSelectActiveFrame
• 0x113cdc88 - GdipResetClip
• 0x113cdc8c - GdipImageRotateFlip
• 0x113cdc90 - GdipDrawLine
• 0x113cdc94 - GdipGetImagePixelFormat
• 0x113cdc98 - GdipDrawLineI
• 0x113cdc9c - GdipGetImageHeight
• 0x113cdca0 - GdipGetPenLineJoin
• 0x113cdca4 - GdipDrawPath
• 0x113cdca8 - GdipSetPenLineCap197819
• 0x113cdcac - GdipSetPenLineJoin
• 0x113cdcb0 - GdipResetPath
• 0x113cdcb4 - GdipDrawRectangleI
• 0x113cdcb8 - GdipSetImageAttributesColorMatrix
• 0x113cdcbc - GdipDisposeImageAttributes
• 0x113cdcc0 - GdipCreateBitmapFromFileICM
• 0x113cdcc4 - GdipSaveImageToFile
• 0x113cdcc8 - GdiplusStartup
• 0x113cdccc - GdiplusShutdown
• 0x113cdcd0 - GdipCreateBitmapFromStream
• 0x113cdcd4 - GdipCreatePen2
• 0x113cdcd8 - GdipCreateFontFromLogfontW
• 0x113cdcdc - GdipGetImagePaletteSize
• 0x113cdce0 - GdipGetImagePalette
• 0x113cdce4 - GdipBitmapLockBits
• 0x113cdce8 - GdipBitmapUnlockBits
• 0x113cdcec - GdipDrawImageI
• 0x113cdcf0 - GdipCreateLineBrushI
• 0x113cdcf4 - GdipGetImageThumbnail
• 0x113cdcf8 - GdipSaveImageToStream
• 0x113cdcfc - GdipGetImageEncodersSize
• 0x113cdd00 - GdipGetImageEncoders
• 0x113cdd04 - GdipCreateBitmapFromHBITMAP
• 0x113cdd08 - GdipAddPathArcI
• 0x113cdd0c - GdipFillPath
• 0x113cdd10 - GdipAddPathLineI
• 0x113cdd14 - GdipCloneImage
• 0x113cdd18 - GdipCreateImageAttributes
• 0x113cdd1c - GdipSetStringFormatFlags
库 SHLWAPI.dll:
• 0x113cd6e4 - AssocQueryStringA
• 0x113cd6e8 - StrCpyW
• 0x113cd6ec - SHCreateStreamOnFileEx
• 0x113cd6f0 - StrCmpW
• 0x113cd6f4 - PathIsDirectoryW
• 0x113cd6f8 - PathRemoveFileSpecW
• 0x113cd6fc - PathFileExistsW
• 0x113cd700 - StrStrIW
• 0x113cd704 - PathFindExtensionW
• 0x113cd708 - StrCatW
• 0x113cd70c - PathCombineW
库 IMM32.dll:
• 0x113cd1c4 - ImmNotifyIME
• 0x113cd1c8 - ImmReleaseContext
• 0x113cd1cc - ImmGetContext
• 0x113cd1d0 - ImmSetCompositionWindow
• 0x113cd1d4 - ImmSetCompositionFontW
库 urlmon.dll:
• 0x113cdee0 - URLDownloadToFileW
库 MSIMG32.dll:
• 0x113cd634 - AlphaBlend
库 PSAPI.DLL:
• 0x113cd684 - GetModuleFileNameExW
• 0x113cd688 - EnumProcessModules
• 0x113cd68c - GetModuleInformation
• 0x113cd690 - QueryWorkingSet
• 0x113cd694 - GetPerformanceInfo
库 WINHTTP.dll:
• 0x113cd9e8 - WinHttpCloseHandle
• 0x113cd9ec - WinHttpGetProxyForUrl
• 0x113cd9f0 - WinHttpGetIEProxyConfigForCurrentUser
• 0x113cd9f4 - WinHttpOpen
• 0x113cd9f8 - WinHttpCrackUrl
• 0x113cd9fc - WinHttpSetTimeouts
库 USERENV.dll:
• 0x113cd96c - GetAllUsersProfileDirectoryW
库 IPHLPAPI.DLL:
• 0x113cd1dc - NotifyAddrChange
• 0x113cd1e0 - GetIpAddrTable
• 0x113cd1e4 - GetAdaptersInfo
• 0x113cd1e8 - GetAdaptersAddresses
• 0x113cd1ec - GetIpForwardTable
• 0x113cd1f0 - GetNetworkParams
库 VERSION.dll:
• 0x113cd974 - GetFileVersionInfoSizeW
• 0x113cd978 - GetFileVersionInfoW
• 0x113cd97c - VerQueryValueW
库 COMCTL32.dll:
• 0x113cd088 - _TrackMouseEvent
• 0x113cd08c - None
库 VoipEngine.dll:
• 0x113cd984 - ?SendVideo@IMultiTalkMgr@MultiTalk@@QAEHHPAEHPAX@Z
• 0x113cd988 - isWxGF
• 0x113cd98c - wxam2pic
• 0x113cd990 - getWxGFInfo
• 0x113cd994 - SKP_Silk_SDK_InitDecoder
• 0x113cd998 - SKP_Silk_SDK_Get_Decoder_Size
• 0x113cd99c - SKP_Silk_SDK_Decode
• 0x113cd9a0 - ?GetAudioData@IMultiTalkMgr@MultiTalk@@QAEHPAEG@Z
• 0x113cd9a4 - ?GetAudioFormat@IMultiTalkMgr@MultiTalk@@QAEHPAH0@Z
• 0x113cd9a8 - ?GetVideoData@IMultiTalkMgr@MultiTalk@@QAEHPAH0000@Z
• 0x113cd9ac - ?GetInviteInfo@IMultiTalkMgr@MultiTalk@@QAEXPAPAXPAH@Z
• 0x113cd9b0 - ?SetLogWriter@ILogWriter@@SAHPAVIChannelLogWriter@@H@Z
• 0x113cd9b4 - CreateEngineInstance
• 0x113cd9b8 - CreateChannelInstance
• 0x113cd9bc - ??0IMultiTalkObserver@MultiTalk@@QAE@XZ
• 0x113cd9c0 - ?GetVoiceActivity@IMultiTalkMgr@MultiTalk@@QAEHH@Z
• 0x113cd9c4 - ?OnMemberChanged@IMultiTalkMgr@MultiTalk@@QAEXABV?$vector@HV?$allocator@H@std@@@std@@@Z
• 0x113cd9c8 - ?SetAppCmd@IMultiTalkMgr@MultiTalk@@QAEHHPAEH@Z
• 0x113cd9cc - ?Open@IMultiTalkMgr@MultiTalk@@QAEHPAVIMultiTalkObserver@2@III_KPAUSvrAddrArray_MP@2@IABV?$vector@HV?$allocator@H@std@@@std@@PAEH_NH2HHH4PAIHHI@Z
• 0x113cd9d0 - ??1IMultiTalkMgr@MultiTalk@@QAE@XZ
• 0x113cd9d4 - ?SendAudio@IMultiTalkMgr@MultiTalk@@QAEHPAEG@Z
• 0x113cd9d8 - ??0IMultiTalkMgr@MultiTalk@@QAE@PAVIMVQQEngine@@@Z
• 0x113cd9dc - ?SetEngintInfo@IMultiTalkMgr@MultiTalk@@QAEXPAXH@Z
• 0x113cd9e0 - ?Close@IMultiTalkMgr@MultiTalk@@QAEHXZ
库 libFFmpeg.dll:
• 0x113cdd24 - avcodec_close
• 0x113cdd28 - av_opt_set_bin
• 0x113cdd2c - av_opt_set
• 0x113cdd30 - av_opt_set_defaults
• 0x113cdd34 - av_buffersrc_add_frame_flags
• 0x113cdd38 - av_buffersink_get_frame
• 0x113cdd3c - av_buffersink_set_frame_size
• 0x113cdd40 - avfilter_graph_parse_ptr
• 0x113cdd44 - avfilter_inout_free
• 0x113cdd48 - avfilter_inout_alloc
• 0x113cdd4c - avfilter_graph_free
• 0x113cdd50 - avfilter_graph_config
• 0x113cdd54 - avfilter_graph_create_filter
• 0x113cdd58 - avfilter_graph_alloc
• 0x113cdd5c - avfilter_get_by_name
• 0x113cdd60 - avfilter_register_all
• 0x113cdd64 - av_dump_format
• 0x113cdd68 - av_write_trailer
• 0x113cdd6c - av_interleaved_write_frame
• 0x113cdd70 - avformat_write_header
• 0x113cdd74 - avformat_alloc_output_context2
• 0x113cdd78 - avformat_seek_file
• 0x113cdd7c - avio_feof
• 0x113cdd80 - av_read_frame
• 0x113cdd84 - avcodec_flush_buffers
• 0x113cdd88 - av_seek_frame
• 0x113cdd8c - av_free
• 0x113cdd90 - av_samples_get_buffer_size
• 0x113cdd94 - avcodec_decode_audio4
• 0x113cdd98 - av_frame_unref
• 0x113cdd9c - audio_resample
• 0x113cdda0 - av_audio_resample_init
• 0x113cdda4 - swr_convert
• 0x113cdda8 - swr_init
• 0x113cddac - swr_alloc_set_opts
• 0x113cddb0 - av_get_default_channel_layout
• 0x113cddb4 - avcodec_fill_audio_frame
• 0x113cddb8 - av_get_bytes_per_sample
• 0x113cddbc - av_gettime
• 0x113cddc0 - av_frame_get_best_effort_timestamp
• 0x113cddc4 - sws_scale
• 0x113cddc8 - avcodec_decode_video2
• 0x113cddcc - sws_getContext
• 0x113cddd0 - avpicture_fill
• 0x113cddd4 - avpicture_get_size
• 0x113cddd8 - av_dict_get
• 0x113cdddc - avcodec_open2
• 0x113cdde0 - avcodec_find_decoder
• 0x113cdde4 - avformat_close_input
• 0x113cdde8 - avformat_new_stream
• 0x113cddec - avformat_free_context
• 0x113cddf0 - avio_closep
• 0x113cddf4 - avio_open
• 0x113cddf8 - avcodec_encode_video2
• 0x113cddfc - avcodec_encode_audio2
• 0x113cde00 - avcodec_find_encoder
• 0x113cde04 - av_frame_alloc
• 0x113cde08 - sws_freeContext
• 0x113cde0c - audio_resample_close
• 0x113cde10 - swr_free
• 0x113cde14 - av_frame_free
• 0x113cde18 - avformat_find_stream_info
• 0x113cde1c - avformat_open_input
• 0x113cde20 - av_lockmgr_register
• 0x113cde24 - av_log_set_level
• 0x113cde28 - av_register_all
• 0x113cde2c - avformat_network_init
• 0x113cde30 - av_free_packet
• 0x113cde34 - av_malloc
• 0x113cde38 - av_strerror
• 0x113cde3c - av_packet_rescale_ts
• 0x113cde40 - av_packet_unref
• 0x113cde44 - av_mallocz
• 0x113cde48 - av_strdup
• 0x113cde4c - av_rescale_q
• 0x113cde50 - av_log
• 0x113cde54 - av_log_set_callback
• 0x113cde58 - av_get_sample_fmt_name
• 0x113cde5c - av_dict_set
• 0x113cde60 - av_dict_free
• 0x113cde64 - av_frame_get_buffer
• 0x113cde68 - avcodec_copy_context
• 0x113cde6c - av_init_packet
库 OLEACC.dll:
• 0x113cd63c - LresultFromObject
• 0x113cd640 - CreateStdAccessibleObject
库 WININET.dll:
• 0x113cda04 - InternetOpenW
• 0x113cda08 - InternetReadFile
• 0x113cda0c - InternetCloseHandle
• 0x113cda10 - InternetConnectW
• 0x113cda14 - HttpOpenRequestW
• 0x113cda18 - HttpSendRequestW
• 0x113cda1c - InternetGetConnectedState
• 0x113cda20 - InternetOpenUrlW
库 WSOCK32.dll:
• 0x113cdb9c - shutdown
库 CRYPT32.dll:
• 0x113cd0a4 - CertFreeCertificateContext
• 0x113cd0a8 - CertGetCertificateContextProperty
• 0x113cd0ac - CertCloseStore
• 0x113cd0b0 - CertDuplicateCertificateContext
• 0x113cd0b4 - CertFindCertificateInStore
• 0x113cd0b8 - CertEnumCertificatesInStore
• 0x113cd0bc - CertOpenStore
导出
| 序列 | 地址 | 名称 |
|---|---|---|
| 1 | 0x1008fd40 | ??0IChannelLogWriter@@QAE@$$QAV0@@Z |
| 2 | 0x1008fd40 | ??0IChannelLogWriter@@QAE@ABV0@@Z |
| 3 | 0x1008fd30 | ??0IChannelLogWriter@@QAE@XZ |
| 4 | 0x1007c880 | ??4IChannelLogWriter@@QAEAAV0@$$QAV0@@Z |
| 5 | 0x1007c880 | ??4IChannelLogWriter@@QAEAAV0@ABV0@@Z |
| 6 | 0x1007c880 | ??4ILogWriter@@QAEAAV0@$$QAV0@@Z |
| 7 | 0x1007c880 | ??4ILogWriter@@QAEAAV0@ABV0@@Z |
| 8 | 0x115473a4 | ??_7IChannelLogWriter@@6B@ |
| 9 | 0x10a97630 | ?AddExtraMem@TXBugReport@@YAHKI@Z |
| 10 | 0x10a97730 | ?AddExtraMem@TXBugReport@@YAHPAXI@Z |
| 11 | 0x10a97740 | ?AddIgnoreHookCheckModule@TXBugReport@@YAXPB_W@Z |
| 12 | 0x10a98cd0 | ?AddReleaseMonitorPoint@TXBugReport@@YAXPAJ@Z |
| 13 | 0x10a98a50 | ?DoBugReport@TXBugReport@@YAJPAU_EXCEPTION_POINTERS@@PB_W@Z |
| 14 | 0x10a973a0 | ?GetBugReportFlag@TXBugReport@@YAKXZ |
| 15 | 0x10a97620 | ?GetBugReportInfo@TXBugReport@@YAPAUtagBugReportInfo@1@XZ |
| 16 | 0x10a96f20 | ?GetCustomFiltFunc@TXBugReport@@YAP6AHPAU_EXCEPTION_POINTERS@@@ZXZ |
| 17 | 0x10a97dd0 | ?InitBugReport@TXBugReport@@YAXPB_W000GGKHHKKP6GHPAUtagBugReportInfo@1@PBD200PAPAXPAKPAX@Z@Z |
| 18 | 0x10a97820 | ?InitBugReportEx@TXBugReport@@YAXPB_W000GGKHHKKP6GHPAUtagBugReportInfo@1@PBD200PAPAXPAKPAX@ZH@Z |
| 19 | 0x10a98ca0 | ?RaiseSelfFatalException@TXBugReport@@YAXW4SelfException@1@@Z |
| 20 | 0x10a98d10 | ?RecordCallStackIfNeed@TXBugReport@@YAXPAJ@Z |
| 21 | 0x10a97380 | ?SetBugReportFlag@TXBugReport@@YAHK@Z |
| 22 | 0x10a97150 | ?SetBugReportPath@TXBugReport@@YAHPB_W@Z |
| 23 | 0x10a98be0 | ?SetBugReportUin@TXBugReport@@YAXKH@Z |
| 24 | 0x10a96f10 | ?SetCustomFiltFunc@TXBugReport@@YAXP6AHPAU_EXCEPTION_POINTERS@@@Z@Z |
| 25 | 0x10a97100 | ?SetExtInfo@TXBugReport@@YAHKKPB_W@Z |
| 26 | 0x10a972e0 | ?SetExtRptFilePath@TXBugReport@@YAHPB_W0@Z |
| 27 | 0x10a97540 | ?SetLogFileMd5Dir@TXBugReport@@YAHPB_W00@Z |
| 28 | 0x10a97e60 | ?UninitBugReport@TXBugReport@@YAXXZ |
| 29 | 0x10a98b50 | ?ValidateBugReport@TXBugReport@@YAXXZ |
| 30 | 0x11858424 | ?pfPostBugReport@TXBugReport@@3P6AXXZA |
| 31 | 0x11858428 | ?pfPreBugReport@TXBugReport@@3P6AXXZA |
| 32 | 0x10d079a0 | SignWith3Des |
| 33 | 0x1096a970 | StartWachat |
| 34 | 0x10574210 | _TlsGetData@12 |
| 35 | 0x105741e0 | _TlsStoreData@12 |
| 36 | 0x10ec6e10 | __ASSERT |
投放文件
行为分析
互斥量(Mutexes)
- Local\MSCTF.Asm.MutexDefault1
执行的命令
无信息
创建的服务
无信息
启动的服务
无信息
进程
rundll32.exe PID: 2416, 上一级进程 PID: 2264
访问的文件
- C:\Users\test\AppData\Local\Temp\WeChatWin.dll
- C:\Users\test\AppData\Local\Temp\WeChatWin.dll.123.Manifest
- C:\Users\test\AppData\Local\Temp\WeChatWin.dll.124.Manifest
- C:\Windows\SysWOW64\rundll32.exe.Local\
- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af
- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
- C:\Users\test\AppData\Local\Temp\WINMM.dll
- C:\Windows\System32\winmm.dll
- C:\Users\test\AppData\Local\Temp\DDRAW.dll
- C:\Windows\System32\ddraw.dll
- C:\Users\test\AppData\Local\Temp\DCIMAN32.dll
- C:\Windows\System32\dciman32.dll
- C:\Users\test\AppData\Local\Temp\dwmapi.dll
- C:\Windows\System32\dwmapi.dll
- C:\Windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80
- C:\Windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\GdiPlus.dll
- C:\Users\test\AppData\Local\Temp\MSIMG32.dll
- C:\Windows\System32\msimg32.dll
- C:\Users\test\AppData\Local\Temp\WINHTTP.dll
- C:\Windows\System32\winhttp.dll
- C:\Users\test\AppData\Local\Temp\webio.dll
- C:\Windows\System32\webio.dll
- C:\Users\test\AppData\Local\Temp\IPHLPAPI.DLL
- C:\Windows\System32\IPHLPAPI.DLL
- C:\Users\test\AppData\Local\Temp\WINNSI.DLL
- C:\Windows\System32\winnsi.dll
- C:\Users\test\AppData\Local\Temp\VoipEngine.dll
- C:\Windows\System32\VoipEngine.dll
- C:\Windows\system\VoipEngine.dll
- C:\Windows\VoipEngine.dll
- C:\ProgramData\Oracle\Java\javapath\VoipEngine.dll
- C:\Windows\System32\wbem\VoipEngine.dll
- C:\Windows\System32\WindowsPowerShell\v1.0\VoipEngine.dll
- C:\Program Files (x86)\WinRAR\VoipEngine.dll
- C:\Windows\SysWOW64\zh-CN\KERNELBASE.dll.mui
- C:\Windows\Fonts\staticcache.dat
- \Device\KsecDD
- C:\Windows\Globalization\Sorting\sortdefault.nls
读取的文件
- C:\Users\test\AppData\Local\Temp\WeChatWin.dll
- C:\Users\test\AppData\Local\Temp\WeChatWin.dll.123.Manifest
- C:\Users\test\AppData\Local\Temp\WeChatWin.dll.124.Manifest
- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
- C:\Windows\System32\winmm.dll
- C:\Windows\System32\ddraw.dll
- C:\Windows\System32\dciman32.dll
- C:\Windows\System32\dwmapi.dll
- C:\Windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\GdiPlus.dll
- C:\Windows\System32\msimg32.dll
- C:\Windows\System32\winhttp.dll
- C:\Windows\System32\webio.dll
- C:\Windows\System32\IPHLPAPI.DLL
- C:\Windows\System32\winnsi.dll
- C:\Windows\SysWOW64\zh-CN\KERNELBASE.dll.mui
- C:\Windows\Fonts\staticcache.dat
- \Device\KsecDD
- C:\Windows\Globalization\Sorting\sortdefault.nls
修改的文件
无信息
删除的文件
无信息
注册表键
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane1
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane2
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane3
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane4
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane5
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane6
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane7
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane8
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane9
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane10
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane11
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane12
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane13
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane14
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane15
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane16
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\rundll32.exe
- HKEY_LOCAL_MACHINE\Software\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{03B5835F-F03C-411B-9CE2-AA23E1171E36}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{07EB03D6-B001-41DF-9192-BF9B841EE71F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3697C5FA-60DD-4B56-92D4-74A569205C16}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3FC47A08-E5C9-4BCA-A2C7-BC9A282AED14}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{531FDEBF-9B4C-4A43-A2AA-960E8FCDC732}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{78CB5B0E-26ED-4FCC-854C-77E8F3D1AA80}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{81D4E9C9-1D3B-41BC-9E6C-4B40BF79E35E}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{8613E14C-D0C0-4161-AC0F-1DD2563286BC}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{A028AE76-01B1-46C2-99C4-ACD9858AE02F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{AE6BE008-07FB-400D-8BEB-337A64F7051F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{C1EE01F2-B3B6-4A6A-9DDD-E988C088EC82}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{E429B25A-E5D3-4D1F-9BE3-0C608477E3A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F25E9F57-2FC8-4EB3-A41A-CCE5F08541E6}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F89E9E58-BD2F-4008-9AC2-0F816C09F4EE}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_CURRENT_USER
- HKEY_CURRENT_USER\Keyboard Layout\Toggle
- HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
- HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
- HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
- HKEY_CURRENT_USER\Software\Microsoft\CTF\DirectSwitchHotkeys
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
- HKEY_CURRENT_USER\Software\Microsoft\CTF\LayoutIcon\0804\00000804
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\KnownClasses
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
读取的注册表键
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane1
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane2
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane3
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane4
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane5
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane6
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane7
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane8
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane9
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane10
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane11
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane12
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane13
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane14
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane15
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane16
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
- HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
- HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
- HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
修改的注册表键
无信息
删除的注册表键
无信息
API解析
- gdi32.dll.GetLayout
- gdi32.dll.GdiRealizationInfo
- gdi32.dll.FontIsLinked
- advapi32.dll.RegOpenKeyExW
- advapi32.dll.RegQueryInfoKeyW
- gdi32.dll.GetTextFaceAliasW
- advapi32.dll.RegEnumValueW
- advapi32.dll.RegCloseKey
- advapi32.dll.RegQueryValueExW
- advapi32.dll.RegQueryValueExA
- advapi32.dll.RegEnumKeyExW
- gdi32.dll.GetTextExtentExPointWPri
- ole32.dll.CoInitializeEx
- ole32.dll.CoUninitialize
- cryptbase.dll.SystemFunction036
- ole32.dll.CoRegisterInitializeSpy
- ole32.dll.CoRevokeInitializeSpy
- kernel32.dll.SortGetHandle
- kernel32.dll.SortCloseHandle
- oleaut32.dll.SysAllocString
- oleaut32.dll.SysStringLen
- oleaut32.dll.SysFreeString
- oleaut32.dll.#500