魔盾安全分析报告
| 分析类型 | 开始时间 | 结束时间 | 持续时间 | 分析引擎版本 |
|---|---|---|---|---|
| FILE | 2020-10-27 16:15:06 | 2020-10-27 16:17:23 | 137 秒 | 1.4-Maldun |
| 虚拟机机器名 | 标签 | 虚拟机管理 | 开机时间 | 关机时间 |
|---|---|---|---|---|
| win7-sp1-x64-shaapp03-1 | win7-sp1-x64-shaapp03-1 | KVM | 2020-10-27 16:15:07 | 2020-10-27 16:17:24 |
| 魔盾分数 |
|---|
10.0恶意的 |
文件详细信息
| 文件名 | 1212.rar |
|---|---|
| 文件大小 | 4269568 字节 |
| 文件类型 | PE32 executable (console) Intel 80386, for MS Windows |
| CRC32 | FB005446 |
| MD5 | 04a6aeeb73e4e8c17014d2686b29efe1 |
| SHA1 | 49ad597edfd7ce6c2687e0f376fe6d09af3abb93 |
| SHA256 | 8fc90ed4ebc298a4e20332eea71de5987940c448556ef670e85dc596b2c0370f |
| SHA512 | 3ff11791ca399d38e88fa3459696a6dbe0a67deecee11d1d0f2fe8a2f54ff6647485fdcce33fe8291ad99c635204cbd3fcdcfffff4a312882cf251d481064c9e |
| Ssdeep | 98304:W2z65h0Slr40E9ciS+4VoGtvVRIinVqpX3Gmf:ZSlr4rciS+AFvVRIwuXPf |
| PEiD | 无匹配 |
| Yara |
|
| VirusTotal |
VirusTotal链接 VirusTotal扫描时间: 2019-03-19 02:19:36 扫描结果: 39/66 |
特征
在加密调用中发现至少一个IP地址,域名,或文件名
ioc: dit.exe
发起了一些HTTP请求
url: http://w.eydata.net/
url: http://w.eydata.net/98039776530cf506
url: http://w.eydata.net/98529ec3e5a5dad8
url: http://w.eydata.net/9e8236ac98f4fb46
url: http://w.eydata.net/17112dbe9584bbd0
url: http://w.eydata.net/e43fb3d5cc338666
url: http://w.eydata.net/d94d988aad6f61a4
生成可疑网络流量,可能被用来进行恶意活动
signature: ET POLICY Http Client Body contains pwd= in cleartext
多次尝试建立挂起的进程
魔盾安全Yara规则检测结果 - 安全告警
Warning: Looks for advapi API functions
Critical: Spotted potential malicious behaviors from a small size target, like process manipultion, privilege, token and files
从文件自身的二进制镜像中读取数据
self_read: process: ini.cg, pid: 2932, offset: 0x00000000, length: 0x00000040
self_read: process: ini.cg, pid: 2932, offset: 0x000000f8, length: 0x00000020
self_read: process: ini.cg, pid: 2932, offset: 0x0000017b, length: 0x00080000
self_read: process: ini.cg, pid: 1332, offset: 0x00000000, length: 0x00000040
self_read: process: ini.cg, pid: 1332, offset: 0x000000f8, length: 0x00000020
self_read: process: ini.cg, pid: 1332, offset: 0x0000017b, length: 0x00080000
self_read: process: cmd.exe, pid: 2464, offset: 0x00000000, length: 0x00000040
self_read: process: cmd.exe, pid: 2464, offset: 0x000000c8, length: 0x00049d17
HTTP数据流中包含可疑的恶意软件数据
post_no_referer: HTTP traffic contains a POST request with no referer header
suspicious_request: http://w.eydata.net/98039776530cf506
suspicious_request: http://w.eydata.net/98529ec3e5a5dad8
suspicious_request: http://w.eydata.net/9e8236ac98f4fb46
suspicious_request: http://w.eydata.net/17112dbe9584bbd0
suspicious_request: http://w.eydata.net/e43fb3d5cc338666
suspicious_request: http://w.eydata.net/d94d988aad6f61a4
执行了一个进程并在其中注入代码(可能是在解包过程中)
嗅探键盘记录(keystrokes)
对一些具体的运行中的进程呈现出兴趣
process: ini.cg
尝试断开连接或更改沙箱进程监控的Windows功能
unhook: function_name: SetWindowLongA, type: modification
unhook: function_name: SetWindowLongW, type: modification
文件已被至少一个VirusTotal上的反病毒引擎检测为病毒
Bkav: HW32.Packed.
MicroWorld-eScan: Gen:Trojan.Heur.FU.@tW@aug70ufb
CAT-QuickHeal: Trojan.Agent
McAfee: GenericRXGQ-YC!04A6AEEB73E4
K7GW: Adware ( 005070c51 )
K7AntiVirus: Adware ( 005070c51 )
Arcabit: Trojan.Heur.FU.EB78A0
Cyren: W32/Trojan.IQYH-3637
ESET-NOD32: a variant of Win32/Packed.BlackMoon.A potentially unwanted
TrendMicro-HouseCall: TROJ_GEN.R005C0PCF19
Avast: Win32:Malware-gen
Kaspersky: UDS:DangerousObject.Multi.Generic
BitDefender: Gen:Trojan.Heur.FU.@tW@aug70ufb
Paloalto: generic.ml
ViRobot: Trojan.Win32.Z.Packed.4269568
Ad-Aware: Gen:Trojan.Heur.FU.@tW@aug70ufb
Emsisoft: Gen:Trojan.Heur.FU.@tW@aug70ufb (B)
Comodo: TrojWare.Win32.Kryptik.ARSN@4t6mxs
Invincea: heuristic
McAfee-GW-Edition: BehavesLike.Win32.Generic.rc
Trapmine: malicious.high.ml.score
Sophos: Generic PUA OM (PUA)
Antiy-AVL: Trojan[Packed]/Win32.Blackmoon
Endgame: malicious (high confidence)
Microsoft: Trojan:Win32/Tiggre!rfn
ZoneAlarm: UDS:DangerousObject.Multi.Generic
GData: Gen:Trojan.Heur.FU.@tW@aug70ufb
Acronis: suspicious
VBA32: BScope.Trojan.Downloader
MAX: malware (ai score=99)
Rising: Trojan.Tiggre!8.ED98 (CLOUD)
Yandex: Riskware.BlackMoon!
SentinelOne: DFI - Suspicious PE
eGambit: Unsafe.AI_Score_91%
Fortinet: W32/Injector.BBYK!tr
AVG: Win32:Malware-gen
Cybereason: malicious.b73e4e
Panda: Trj/GdSda.A
CrowdStrike: win/malicious_confidence_90% (W)
运行截图
网络分析
域名解析
| 域名 | 响应 |
|---|---|
| acroipm.adobe.com |
CNAME a1983.dscd.akamai.net
CNAME acroipm.adobe.com.edgesuite.net A 23.59.188.114 A 23.59.188.113 |
| w.eydata.net |
A 117.24.14.105
A 180.188.18.9 |
| watson.microsoft.com |
A 104.42.151.234
CNAME legacy.umwatsonrouting.trafficmanager.net CNAME skypedataprdcolwus16.cloudapp.net |
TCP连接
| IP地址 | 端口 |
|---|---|
| 117.24.14.105 | 80 |
| 117.24.14.105 | 80 |
| 117.24.14.105 | 80 |
| 117.24.14.105 | 80 |
| 23.59.188.113 | 80 |
UDP连接
| IP地址 | 端口 |
|---|---|
| 192.168.122.1 | 53 |
| 192.168.122.1 | 53 |
| 192.168.122.1 | 53 |
HTTP请求
| URL | HTTP数据 |
|---|---|
| http://acroipm.adobe.com/11/rdr/CHS/win/nooem/none/message.zip | GET /11/rdr/CHS/win/nooem/none/message.zip HTTP/1.1 Accept: */* If-Modified-Since: Mon, 08 Nov 2017 08:44:36 GMT User-Agent: IPM Host: acroipm.adobe.com Connection: Keep-Alive Cache-Control: no-cache |
| http://w.eydata.net/ | GET / HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Accept: text/html, application/xhtml+xml, */* Accept-Encoding: gbk, GB2312 Accept-Language: zh-cn User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0) Host: w.eydata.net |
| http://w.eydata.net/98039776530cf506 | POST /98039776530cf506 HTTP/1.1 Accept: */* Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1) Host: w.eydata.net Content-Length: 7 Cache-Control: no-cache ver=1.0 |
| http://w.eydata.net/98529ec3e5a5dad8 | POST /98529ec3e5a5dad8 HTTP/1.1 Accept: */* Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1) Host: w.eydata.net Content-Length: 0 Cache-Control: no-cache |
| http://w.eydata.net/9e8236ac98f4fb46 | POST /9e8236ac98f4fb46 HTTP/1.1 Accept: */* Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1) Host: w.eydata.net Content-Length: 21 Cache-Control: no-cache StatusCode=&UserName= |
| http://w.eydata.net/17112dbe9584bbd0 | POST /17112dbe9584bbd0 HTTP/1.1 Accept: */* Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1) Host: w.eydata.net Content-Length: 67 Cache-Control: no-cache UserName=&UserPwd=&Version=1.0&Mac=AC5381C9304FC469DC9C9DA578A97012 |
| http://w.eydata.net/e43fb3d5cc338666 | POST /e43fb3d5cc338666 HTTP/1.1 Accept: */* Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1) Host: w.eydata.net Content-Length: 9 Cache-Control: no-cache UserName= |
| http://w.eydata.net/d94d988aad6f61a4 | POST /d94d988aad6f61a4 HTTP/1.1 Accept: */* Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1) Host: w.eydata.net Content-Length: 25 Cache-Control: no-cache StatusCode=-101&UserName= |
| http://w.eydata.net/9e8236ac98f4fb46 | POST /9e8236ac98f4fb46 HTTP/1.1 Accept: */* Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1) Host: w.eydata.net Content-Length: 25 Cache-Control: no-cache StatusCode=-101&UserName= |
静态分析
投放文件
War3Edit.exe
| 文件名 | War3Edit.exe |
|---|---|
| 相关文件 |
|
| 文件大小 | 4269568 bytes |
| 文件类型 | PE32 executable (console) Intel 80386, for MS Windows |
| MD5 | 04a6aeeb73e4e8c17014d2686b29efe1 |
| SHA1 | 49ad597edfd7ce6c2687e0f376fe6d09af3abb93 |
| SHA256 | 8fc90ed4ebc298a4e20332eea71de5987940c448556ef670e85dc596b2c0370f |
| SHA512 | 3ff11791ca399d38e88fa3459696a6dbe0a67deecee11d1d0f2fe8a2f54ff6647485fdcce33fe8291ad99c635204cbd3fcdcfffff4a312882cf251d481064c9e |
| Ssdeep | 98304:W2z65h0Slr40E9ciS+4VoGtvVRIinVqpX3Gmf:ZSlr4rciS+AFvVRIwuXPf |
| VirusTotal | 搜索相关分析 |
行为分析
互斥量(Mutexes)
- Local\MSCTF.Asm.MutexDefault1
执行的命令
- C:\Users\test\AppData\Local\Temp\ini.cg
- C:\Windows\system32\cmd.exe
创建的服务
无信息
启动的服务
无信息
进程
cmd.exe PID: 2712, 上一级进程 PID: 2264
War3Edit.exe PID: 2844, 上一级进程 PID: 2712
ini.cg PID: 2932, 上一级进程 PID: 2844
ini.cg PID: 1332, 上一级进程 PID: 2844
cmd.exe PID: 2464, 上一级进程 PID: 1332
访问的文件
- C:\Users\test\AppData\Local\Temp\ini.cg
- C:\Users\test\AppData\Local\Temp\ini.g
- C:\Windows\Globalization\Sorting\sortdefault.nls
- C:\Users\test\AppData\Local\Temp\?\xe9\x9d\xaa
- C:\Windows\Fonts\staticcache.dat
- C:\Users\test\AppData\Local\Temp\ini.cg.Local\
- C:\Windows\winsxs\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.7600.16385_zh-cn_b7a33d2d3f47b7fb
- C:\Windows\winsxs\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.7600.16385_zh-cn_b7a33d2d3f47b7fb\comctl32.dll.mui
- C:\Users\test\AppData\Local\Temp\user32.DLL
- C:\Users\test\AppData\Local\Temp\user32.dll
- C:\H\xe9\x85\x8d\xe7\xbd\xae.ini
- C:\
- C:\Users\test\AppData\Local\Temp\ole32.dll
- C:\Users\test\AppData\Local\Temp\Winhttp.dll
- C:\Users\test\AppData\Local\Temp\kernel32.dll
- C:\Windows\SysWOW64\stdole2.tlb
- C:\Users\test\AppData\Local\Temp\\xe9\x85\x8d\xe7\xbd\xae.ini
- C:\Users\test\AppData\Local\Temp\wininet.dll
- C:\\xe7\x94\xa8\xe6\x88\xb7.ini
- \??\PhysicalDrive0
- C:\Users\test\AppData\Local\Temp\kernel32.DLL
- C:\Users\test\AppData\Local\Temp\ntdll.dll
- C:\Users\test\AppData\Local\Temp\Q\xe6\x9e\x95w
- C:\Users
- C:\Users\test
- C:\Users\test\AppData
- C:\Users\test\AppData\Local
- C:\Users\test\AppData\Local\Temp
- C:\Windows\SysWOW64
- C:\Windows\SysWOW64\\xe6\xa3\xbc&
- C:\Windows\SysWOW64\cmd.exe
- C:\Windows\win.ini
- C:\Windows\SysWOW64\War3Lua.dll
读取的文件
- C:\Windows\Globalization\Sorting\sortdefault.nls
- C:\Users\test\AppData\Local\Temp\?\xe9\x9d\xaa
- C:\Users\test\AppData\Local\Temp\ini.cg
- C:\Windows\Fonts\staticcache.dat
- C:\Windows\winsxs\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.7600.16385_zh-cn_b7a33d2d3f47b7fb\comctl32.dll.mui
- C:\Users\test\AppData\Local\Temp\ini.g
- C:\Windows\SysWOW64\stdole2.tlb
- C:\Users\test\AppData\Local\Temp\\xe9\x85\x8d\xe7\xbd\xae.ini
- C:\\xe7\x94\xa8\xe6\x88\xb7.ini
- \??\PhysicalDrive0
- C:\Users\test\AppData\Local\Temp\Q\xe6\x9e\x95w
- C:\Windows\SysWOW64\\xe6\xa3\xbc&
- C:\Windows\SysWOW64\cmd.exe
- C:\Windows\win.ini
修改的文件
- C:\Users\test\AppData\Local\Temp\ini.cg
- C:\Users\test\AppData\Local\Temp\ini.g
- \??\PhysicalDrive0
- C:\\xe7\x94\xa8\xe6\x88\xb7.ini
- C:\Windows\SysWOW64\War3Lua.dll
删除的文件
- C:\Users\test\AppData\Local\Temp\ini.g
- C:\Users\test\AppData\Local\Temp\ini.cg
注册表键
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ini.cg
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
- HKEY_CURRENT_USER\Software\Microsoft\Multimedia\DrawDib
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\ExtendedLocale
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane1
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane2
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane3
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane4
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane5
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane6
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane7
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane8
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane9
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane10
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane11
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane12
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane13
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane14
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane15
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane16
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\ini.cg
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\FontSubstitutes
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\(Default)
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots
- HKEY_CURRENT_USER\Software\Classes
- HKEY_CURRENT_USER\Software\Classes\TypeLib
- HKEY_CURRENT_USER\Software\Classes\TypeLib\{00020430-0000-0000-C000-000000000046}
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0\win32
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0\win32\(Default)
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\WOW\boot
- HKEY_CURRENT_USER\Software\Microsoft\Multimedia\DrawDib\ 800x600x24(BGR 0)
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\\xe5\xbe\xae\xe8\xbd\xaf\xe9\x9b\x85\xe9\xbb\x91
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe
- HKEY_CURRENT_USER\Software\Microsoft\Multimedia\DrawDib\Halftone
- HKEY_CURRENT_USER\Software\Microsoft\Multimedia\DrawDib\DrawToBitmap
- HKEY_CURRENT_USER\Software\Microsoft\Multimedia\DrawDib\DecompressToBitmap
- HKEY_CURRENT_USER\Software\Microsoft\Multimedia\DrawDib\DecompressToScreen
- HKEY_CURRENT_USER\Software\Microsoft\Multimedia\DrawDib\dva
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\IconServiceLib
- HKEY_CLASSES_ROOT\CLSID\{FAE3D380-FEA4-4623-8C75-C6B61110B681}\Instance
- HKEY_CLASSES_ROOT\CLSID\{FAE3D380-FEA4-4623-8C75-C6B61110B681}\Instance\Disabled
- HKEY_CLASSES_ROOT\CLSID\{2B46E70F-CDA7-473E-89F6-DC9630A2390B}\Instance
- HKEY_CURRENT_USER
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\cmd.exe
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\SimSun
- HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
- HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\ScrollInset
- HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\DragDelay
- HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\DragMinDist
- HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\ScrollDelay
- HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\ScrollInterval
- HKEY_LOCAL_MACHINE\Software\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{03B5835F-F03C-411B-9CE2-AA23E1171E36}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{07EB03D6-B001-41DF-9192-BF9B841EE71F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3697C5FA-60DD-4B56-92D4-74A569205C16}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3FC47A08-E5C9-4BCA-A2C7-BC9A282AED14}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{531FDEBF-9B4C-4A43-A2AA-960E8FCDC732}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{78CB5B0E-26ED-4FCC-854C-77E8F3D1AA80}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{81D4E9C9-1D3B-41BC-9E6C-4B40BF79E35E}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{8613E14C-D0C0-4161-AC0F-1DD2563286BC}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{A028AE76-01B1-46C2-99C4-ACD9858AE02F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{AE6BE008-07FB-400D-8BEB-337A64F7051F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{C1EE01F2-B3B6-4A6A-9DDD-E988C088EC82}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{E429B25A-E5D3-4D1F-9BE3-0C608477E3A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F25E9F57-2FC8-4EB3-A41A-CCE5F08541E6}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F89E9E58-BD2F-4008-9AC2-0F816C09F4EE}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_CURRENT_USER\Keyboard Layout\Toggle
- HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
- HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
- HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
- HKEY_CURRENT_USER\Software\Microsoft\CTF\DirectSwitchHotkeys
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\KnownClasses
- HKEY_CURRENT_USER\Software\Microsoft\CTF\LayoutIcon\0804\00000804
读取的注册表键
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane1
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane2
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane3
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane4
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane5
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane6
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane7
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane8
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane9
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane10
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane11
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane12
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane13
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane14
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane15
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane16
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\(Default)
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0\win32\(Default)
- HKEY_CURRENT_USER\Software\Microsoft\Multimedia\DrawDib\Halftone
- HKEY_CURRENT_USER\Software\Microsoft\Multimedia\DrawDib\DrawToBitmap
- HKEY_CURRENT_USER\Software\Microsoft\Multimedia\DrawDib\DecompressToBitmap
- HKEY_CURRENT_USER\Software\Microsoft\Multimedia\DrawDib\DecompressToScreen
- HKEY_CURRENT_USER\Software\Microsoft\Multimedia\DrawDib\dva
- HKEY_CURRENT_USER\Software\Microsoft\Multimedia\DrawDib\ 800x600x24(BGR 0)
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\IconServiceLib
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\SimSun
- HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\ScrollInset
- HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\DragDelay
- HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\DragMinDist
- HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\ScrollDelay
- HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\ScrollInterval
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
- HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
- HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
- HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
修改的注册表键
- HKEY_CURRENT_USER\Software\Microsoft\Multimedia\DrawDib
- HKEY_CURRENT_USER\Software\Microsoft\Multimedia\DrawDib\ 800x600x24(BGR 0)
删除的注册表键
无信息
API解析
- cryptsp.dll.CryptAcquireContextA
- cryptsp.dll.CryptCreateHash
- cryptsp.dll.CryptHashData
- cryptsp.dll.CryptGetHashParam
- cryptsp.dll.CryptDestroyHash
- cryptsp.dll.CryptReleaseContext
- kernel32.dll.CloseHandle
- user32.dll.FindWindowExA
- user32.dll.IsWindow
- user32.dll.GetWindowTextLengthA
- user32.dll.SetWindowTextA
- user32.dll.SendMessageA
- kernel32.dll.lstrcpynA
- kernel32.dll.VirtualAlloc
- kernel32.dll.VirtualFree
- kernel32.dll.VirtualProtect
- iphlpapi.dll.GetAdaptersInfo
- winmm.dll.midiStreamOut
- winmm.dll.midiOutPrepareHeader
- winmm.dll.waveOutUnprepareHeader
- winmm.dll.waveOutPrepareHeader
- winmm.dll.waveOutRestart
- winmm.dll.waveOutWrite
- winmm.dll.waveOutPause
- winmm.dll.waveOutReset
- winmm.dll.waveOutClose
- winmm.dll.waveOutGetNumDevs
- winmm.dll.midiStreamStop
- winmm.dll.midiOutReset
- winmm.dll.midiStreamClose
- winmm.dll.midiStreamRestart
- winmm.dll.waveOutOpen
- winmm.dll.midiOutUnprepareHeader
- winmm.dll.midiStreamOpen
- winmm.dll.midiStreamProperty
- ws2_32.dll.#116
- ws2_32.dll.#12
- ws2_32.dll.#3
- ws2_32.dll.#5
- ws2_32.dll.#1
- ws2_32.dll.#14
- ws2_32.dll.#101
- ws2_32.dll.#17
- ws2_32.dll.#10
- ws2_32.dll.#16
- kernel32.dll.MultiByteToWideChar
- kernel32.dll.SetLastError
- kernel32.dll.QueryPerformanceFrequency
- kernel32.dll.QueryPerformanceCounter
- kernel32.dll.GetTimeZoneInformation
- kernel32.dll.GetVersion
- kernel32.dll.InterlockedDecrement
- kernel32.dll.InterlockedIncrement
- kernel32.dll.CreateMutexA
- kernel32.dll.ReleaseMutex
- kernel32.dll.TerminateThread
- kernel32.dll.SuspendThread
- kernel32.dll.GetACP
- kernel32.dll.UnhandledExceptionFilter
- kernel32.dll.HeapSize
- kernel32.dll.RaiseException
- kernel32.dll.GetLocalTime
- kernel32.dll.GetSystemTime
- kernel32.dll.RtlUnwind
- kernel32.dll.GetStartupInfoA
- kernel32.dll.GetOEMCP
- kernel32.dll.GetCPInfo
- kernel32.dll.GetProcessVersion
- kernel32.dll.SetErrorMode
- kernel32.dll.GlobalFlags
- kernel32.dll.GetCurrentThread
- kernel32.dll.GetFileTime
- kernel32.dll.TlsGetValue
- kernel32.dll.LocalReAlloc
- kernel32.dll.TlsSetValue
- kernel32.dll.TlsFree
- kernel32.dll.GlobalHandle
- kernel32.dll.TlsAlloc
- kernel32.dll.LocalAlloc
- kernel32.dll.lstrcmpA
- kernel32.dll.GlobalGetAtomNameA
- kernel32.dll.GlobalAddAtomA
- kernel32.dll.GlobalFindAtomA
- kernel32.dll.GlobalDeleteAtom
- kernel32.dll.lstrcmpiA
- kernel32.dll.SetEndOfFile
- kernel32.dll.UnlockFile
- kernel32.dll.LockFile
- kernel32.dll.FlushFileBuffers
- kernel32.dll.DuplicateHandle
- kernel32.dll.FileTimeToLocalFileTime
- kernel32.dll.FileTimeToSystemTime
- kernel32.dll.LocalFree
- kernel32.dll.WideCharToMultiByte
- kernel32.dll.OpenProcess
- kernel32.dll.TerminateProcess
- kernel32.dll.GetCurrentProcess
- kernel32.dll.GetFileSize
- kernel32.dll.SetFilePointer
- kernel32.dll.CreateToolhelp32Snapshot
- kernel32.dll.Process32First
- kernel32.dll.Process32Next
- kernel32.dll.CreateSemaphoreA
- kernel32.dll.ResumeThread
- kernel32.dll.ReleaseSemaphore
- kernel32.dll.EnterCriticalSection
- kernel32.dll.LeaveCriticalSection
- kernel32.dll.GetProfileStringA
- kernel32.dll.WriteFile
- kernel32.dll.ReadFile
- kernel32.dll.WaitForMultipleObjects
- kernel32.dll.CreateFileA
- kernel32.dll.DeviceIoControl
- kernel32.dll.SetEvent
- kernel32.dll.FindResourceA
- kernel32.dll.LoadResource
- kernel32.dll.LockResource
- kernel32.dll.lstrlenW
- kernel32.dll.GetModuleFileNameA
- kernel32.dll.GetCurrentThreadId
- kernel32.dll.ExitProcess
- kernel32.dll.GlobalSize
- kernel32.dll.GlobalFree
- kernel32.dll.DeleteCriticalSection
- kernel32.dll.InitializeCriticalSection
- kernel32.dll.lstrcatA
- kernel32.dll.lstrlenA
- kernel32.dll.WinExec
- kernel32.dll.lstrcpyA
- kernel32.dll.FindNextFileA
- kernel32.dll.InterlockedExchange
- kernel32.dll.GlobalReAlloc
- kernel32.dll.HeapFree
- kernel32.dll.HeapReAlloc
- kernel32.dll.GetProcessHeap
- kernel32.dll.HeapAlloc
- kernel32.dll.GetUserDefaultLCID
- kernel32.dll.GetFullPathNameA
- kernel32.dll.FreeLibrary
- kernel32.dll.LoadLibraryA
- kernel32.dll.GetLastError
- kernel32.dll.GetVersionExA
- kernel32.dll.WritePrivateProfileStringA
- kernel32.dll.GetPrivateProfileStringA
- kernel32.dll.CreateThread
- kernel32.dll.CreateEventA
- kernel32.dll.Sleep
- kernel32.dll.GlobalAlloc
- kernel32.dll.GlobalLock
- kernel32.dll.GlobalUnlock
- kernel32.dll.FindFirstFileA
- kernel32.dll.FindClose
- kernel32.dll.GetFileAttributesA
- kernel32.dll.GetCurrentDirectoryA
- kernel32.dll.SetCurrentDirectoryA
- kernel32.dll.GetVolumeInformationA
- kernel32.dll.GetModuleHandleA
- kernel32.dll.GetProcAddress
- kernel32.dll.MulDiv
- kernel32.dll.GetCommandLineA
- kernel32.dll.GetTickCount
- kernel32.dll.WaitForSingleObject
- kernel32.dll.FreeEnvironmentStringsA
- kernel32.dll.FreeEnvironmentStringsW
- kernel32.dll.GetEnvironmentStrings
- kernel32.dll.GetEnvironmentStringsW
- kernel32.dll.SetHandleCount
- kernel32.dll.GetStdHandle
- kernel32.dll.GetFileType
- kernel32.dll.GetEnvironmentVariableA
- kernel32.dll.HeapDestroy
- kernel32.dll.HeapCreate
- kernel32.dll.SetEnvironmentVariableA
- kernel32.dll.LCMapStringA
- kernel32.dll.LCMapStringW
- kernel32.dll.IsBadWritePtr
- kernel32.dll.SetUnhandledExceptionFilter
- kernel32.dll.GetStringTypeA
- kernel32.dll.GetStringTypeW
- kernel32.dll.CompareStringA
- kernel32.dll.CompareStringW
- kernel32.dll.IsBadReadPtr
- kernel32.dll.IsBadCodePtr
- kernel32.dll.SetStdHandle
- user32.dll.DestroyAcceleratorTable
- user32.dll.SetWindowRgn
- user32.dll.GetMessagePos
- user32.dll.ScreenToClient
- user32.dll.ChildWindowFromPointEx
- user32.dll.CopyRect
- user32.dll.GetWindow
- user32.dll.GetActiveWindow
- user32.dll.SetFocus
- user32.dll.IsIconic
- user32.dll.PeekMessageA
- user32.dll.SetMenu
- user32.dll.GetMenu
- user32.dll.DeleteMenu
- user32.dll.GetSystemMenu
- user32.dll.DefWindowProcA
- user32.dll.GetClassInfoA
- user32.dll.IsZoomed
- user32.dll.PostQuitMessage
- user32.dll.CopyAcceleratorTableA
- user32.dll.GetKeyState
- user32.dll.TranslateAcceleratorA
- user32.dll.IsWindowEnabled
- user32.dll.ShowWindow
- user32.dll.SystemParametersInfoA
- user32.dll.LoadImageA
- user32.dll.EnumDisplaySettingsA
- user32.dll.ClientToScreen
- user32.dll.EnableMenuItem
- user32.dll.GetSubMenu
- user32.dll.GetDlgCtrlID
- user32.dll.CreateAcceleratorTableA
- user32.dll.CreateMenu
- user32.dll.ModifyMenuA
- user32.dll.AppendMenuA
- user32.dll.WinHelpA
- user32.dll.KillTimer
- user32.dll.SetTimer
- user32.dll.ReleaseCapture
- user32.dll.GetCapture
- user32.dll.SetCapture
- user32.dll.GetScrollRange
- user32.dll.SetScrollRange
- user32.dll.SetScrollPos
- user32.dll.SetRect
- user32.dll.InflateRect
- user32.dll.IntersectRect
- user32.dll.DestroyIcon
- user32.dll.PtInRect
- user32.dll.OffsetRect
- user32.dll.IsWindowVisible
- user32.dll.GetSysColorBrush
- user32.dll.LoadStringA
- user32.dll.EnableWindow
- user32.dll.RedrawWindow
- user32.dll.GetWindowLongA
- user32.dll.SetWindowLongA
- user32.dll.GetSysColor
- user32.dll.SetActiveWindow
- user32.dll.SetCursorPos
- user32.dll.LoadCursorA
- user32.dll.SetCursor
- user32.dll.GetDC
- user32.dll.FillRect
- user32.dll.IsRectEmpty
- user32.dll.ReleaseDC
- user32.dll.IsChild
- user32.dll.DestroyMenu
- user32.dll.SetForegroundWindow
- user32.dll.GetWindowRect
- user32.dll.EqualRect
- user32.dll.UpdateWindow
- user32.dll.ValidateRect
- user32.dll.InvalidateRect
- user32.dll.GetClientRect
- user32.dll.GetFocus
- user32.dll.GetParent
- user32.dll.GetTopWindow
- user32.dll.PostMessageA
- user32.dll.SetParent
- user32.dll.DestroyCursor
- user32.dll.SetWindowPos
- user32.dll.MessageBoxA
- user32.dll.GetCursorPos
- user32.dll.GetSystemMetrics
- user32.dll.EmptyClipboard
- user32.dll.SetClipboardData
- user32.dll.OpenClipboard
- user32.dll.GetClipboardData
- user32.dll.CloseClipboard
- user32.dll.wsprintfA
- user32.dll.CreatePopupMenu
- user32.dll.DrawIconEx
- user32.dll.CreateIconFromResourceEx
- user32.dll.RegisterClipboardFormatA
- user32.dll.SetRectEmpty
- user32.dll.DispatchMessageA
- user32.dll.GetMessageA
- user32.dll.WindowFromPoint
- user32.dll.DrawFocusRect
- user32.dll.DrawEdge
- user32.dll.DrawFrameControl
- user32.dll.LoadIconA
- user32.dll.TranslateMessage
- user32.dll.GetDesktopWindow
- user32.dll.GetClassNameA
- user32.dll.GetWindowThreadProcessId
- user32.dll.FindWindowA
- user32.dll.GetDlgItem
- user32.dll.GetWindowTextA
- user32.dll.LoadBitmapA
- user32.dll.UnregisterClassA
- user32.dll.CreateIconFromResource
- user32.dll.CharUpperA
- user32.dll.GetWindowDC
- user32.dll.BeginPaint
- user32.dll.EndPaint
- user32.dll.TabbedTextOutA
- user32.dll.DrawTextA
- user32.dll.GrayStringA
- user32.dll.DestroyWindow
- user32.dll.CreateDialogIndirectParamA
- user32.dll.EndDialog
- user32.dll.GetNextDlgTabItem
- user32.dll.GetWindowPlacement
- user32.dll.RegisterWindowMessageA
- user32.dll.GetForegroundWindow
- user32.dll.GetLastActivePopup
- user32.dll.GetMessageTime
- user32.dll.RemovePropA
- user32.dll.CallWindowProcA
- user32.dll.GetPropA
- user32.dll.UnhookWindowsHookEx
- user32.dll.SetPropA
- user32.dll.GetClassLongA
- user32.dll.CallNextHookEx
- user32.dll.SetWindowsHookExA
- user32.dll.CreateWindowExA
- user32.dll.GetMenuItemID
- user32.dll.GetMenuItemCount
- user32.dll.RegisterClassA
- user32.dll.GetScrollPos
- user32.dll.AdjustWindowRectEx
- user32.dll.MapWindowPoints
- user32.dll.SendDlgItemMessageA
- user32.dll.ScrollWindowEx
- user32.dll.IsDialogMessageA
- user32.dll.MoveWindow
- user32.dll.CheckMenuItem
- user32.dll.SetMenuItemBitmaps
- user32.dll.GetMenuState
- user32.dll.GetMenuCheckMarkDimensions
- gdi32.dll.RectVisible
- gdi32.dll.PtVisible
- gdi32.dll.GetViewportExtEx
- gdi32.dll.ExtSelectClipRgn
- gdi32.dll.LineTo
- gdi32.dll.EndPage
- gdi32.dll.EndDoc
- gdi32.dll.DeleteDC
- gdi32.dll.StartDocA
- gdi32.dll.StartPage
- gdi32.dll.BitBlt
- gdi32.dll.CreateCompatibleDC
- gdi32.dll.Ellipse
- gdi32.dll.Rectangle
- gdi32.dll.LPtoDP
- gdi32.dll.DPtoLP
- gdi32.dll.GetCurrentObject
- gdi32.dll.RoundRect
- gdi32.dll.TextOutA
- gdi32.dll.GetTextExtentPoint32A
- gdi32.dll.GetDeviceCaps
- gdi32.dll.CreatePolygonRgn
- gdi32.dll.GetClipRgn
- gdi32.dll.SetStretchBltMode
- gdi32.dll.CreateRectRgnIndirect
- gdi32.dll.SetBkColor
- gdi32.dll.MoveToEx
- gdi32.dll.ExcludeClipRect
- gdi32.dll.GetClipBox
- gdi32.dll.ScaleWindowExtEx
- gdi32.dll.SetWindowExtEx
- gdi32.dll.SetWindowOrgEx
- gdi32.dll.ScaleViewportExtEx
- gdi32.dll.SetViewportExtEx
- gdi32.dll.OffsetViewportOrgEx
- gdi32.dll.ExtTextOutA
- gdi32.dll.Escape
- gdi32.dll.GetTextMetricsA
- gdi32.dll.GetObjectA
- gdi32.dll.GetStockObject
- gdi32.dll.CreateFontIndirectA
- gdi32.dll.CreateSolidBrush
- gdi32.dll.FillRgn
- gdi32.dll.CreateRectRgn
- gdi32.dll.CombineRgn
- gdi32.dll.PatBlt
- gdi32.dll.CreatePen
- gdi32.dll.SelectObject
- gdi32.dll.CreateBitmap
- gdi32.dll.CreateDCA
- gdi32.dll.CreateCompatibleBitmap
- gdi32.dll.GetPolyFillMode
- gdi32.dll.GetStretchBltMode
- gdi32.dll.GetROP2
- gdi32.dll.GetBkColor
- gdi32.dll.GetBkMode
- gdi32.dll.GetTextColor
- gdi32.dll.SetViewportOrgEx
- gdi32.dll.SetMapMode
- gdi32.dll.SetTextColor
- gdi32.dll.SetROP2
- gdi32.dll.SetPolyFillMode
- gdi32.dll.SetBkMode
- gdi32.dll.RestoreDC
- gdi32.dll.SaveDC
- gdi32.dll.CreateRoundRectRgn
- gdi32.dll.CreateEllipticRgn
- gdi32.dll.PathToRegion
- gdi32.dll.EndPath
- gdi32.dll.BeginPath
- gdi32.dll.GetWindowOrgEx
- gdi32.dll.GetViewportOrgEx
- gdi32.dll.GetWindowExtEx
- gdi32.dll.GetDIBits
- gdi32.dll.RealizePalette
- gdi32.dll.SelectPalette
- gdi32.dll.StretchBlt
- gdi32.dll.CreatePalette
- gdi32.dll.GetSystemPaletteEntries
- gdi32.dll.SelectClipRgn
- gdi32.dll.CreateDIBitmap
- gdi32.dll.DeleteObject
- winspool.drv.OpenPrinterA
- winspool.drv.DocumentPropertiesA
- winspool.drv.ClosePrinter
- advapi32.dll.RegOpenKeyExA
- advapi32.dll.RegSetValueExA
- advapi32.dll.RegQueryValueA
- advapi32.dll.RegCreateKeyExA
- advapi32.dll.RegCloseKey
- shell32.dll.ShellExecuteA
- shell32.dll.Shell_NotifyIconA
- ole32.dll.CLSIDFromProgID
- ole32.dll.OleRun
- ole32.dll.CoCreateInstance
- ole32.dll.CLSIDFromString
- ole32.dll.OleUninitialize
- ole32.dll.OleInitialize
- oleaut32.dll.#12
- oleaut32.dll.#9
- oleaut32.dll.#19
- oleaut32.dll.#20
- oleaut32.dll.#17
- oleaut32.dll.#24
- oleaut32.dll.#10
- oleaut32.dll.#186
- oleaut32.dll.#161
- oleaut32.dll.#165
- oleaut32.dll.#163
- oleaut32.dll.#26
- oleaut32.dll.#15
- oleaut32.dll.#16
- oleaut32.dll.#2
- oleaut32.dll.#8
- oleaut32.dll.#11
- oleaut32.dll.#25
- oleaut32.dll.#23
- comctl32.dll.#17
- comctl32.dll.ImageList_Destroy
- comdlg32.dll.ChooseColorA
- comdlg32.dll.GetFileTitleA
- comdlg32.dll.GetSaveFileNameA
- comdlg32.dll.GetOpenFileNameA
- kernel32.dll.IsProcessorFeaturePresent
- cryptbase.dll.SystemFunction036
- kernel32.dll.SortGetHandle
- kernel32.dll.SortCloseHandle
- kernel32.dll.RtlMoveMemory
- comctl32.dll.ImageList_Draw
- msimg32.dll.TransparentBlt
- msvcrt.dll.free
- msvfw32.dll.DrawDibOpen
- kernel32.dll.FlushInstructionCache
- kernel32.dll.VirtualQuery
- kernel32.dll.SizeofResource
- comctl32.dll.ImageList_GetIcon
- comctl32.dll.ImageList_GetImageInfo
- comctl32.dll.ImageList_GetIconSize
- gdi32.dll.SelectClipPath
- gdi32.dll.GetPixel
- gdi32.dll.CreatePatternBrush
- gdi32.dll.CreateFontA
- gdi32.dll.OffsetRgn
- gdi32.dll.ExtCreateRegion
- gdi32.dll.SetPixel
- gdi32.dll.PtInRegion
- gdi32.dll.CreateDIBSection
- gdi32.dll.GetTextExtentPointA
- gdi32.dll.ExtTextOutW
- msvcrt.dll.??3@YAXPAX@Z
- msvcrt.dll.__CxxFrameHandler
- msvcrt.dll.??2@YAPAXI@Z
- msvcrt.dll._ftol
- msvcrt.dll._mbsstr
- msvcrt.dll._mbscmp
- msvcrt.dll.__dllonexit
- msvcrt.dll.malloc
- msvcrt.dll._initterm
- msvcrt.dll._adjust_fdiv
- msvcrt.dll._onexit
- msvcrt.dll.memcpy
- msvfw32.dll.DrawDibDraw
- msvfw32.dll.DrawDibClose
- user32.dll.EnumThreadWindows
- user32.dll.EnumChildWindows
- user32.dll.LockWindowUpdate
- user32.dll.DrawStateA
- user32.dll.GetWindowRgn
- user32.dll.TrackPopupMenu
- user32.dll.GetWindowInfo
- user32.dll.MenuItemFromPoint
- user32.dll.GetMenuItemRect
- user32.dll.SetMenuItemInfoA
- user32.dll.IsMenu
- user32.dll.GetUpdateRect
- user32.dll.ShowScrollBar
- user32.dll.WindowFromDC
- user32.dll.EnableScrollBar
- user32.dll.GetScrollBarInfo
- user32.dll.SetScrollInfo
- user32.dll.GetScrollInfo
- user32.dll.GetDCEx
- user32.dll.GetWindowLongW
- user32.dll.SetWindowLongW
- user32.dll.GetMenuItemInfoA
- user32.dll.GetComboBoxInfo
- user32.dll.TrackMouseEvent
- user32.dll.GetIconInfo
- user32.dll.RegisterClassExA
- user32.dll.UpdateLayeredWindow
- user32.dll.SetLayeredWindowAttributes
- dciman32.dll.DCIOpenProvider
- dciman32.dll.DCICloseProvider
- dciman32.dll.DCICreatePrimary
- dciman32.dll.DCIEndAccess
- dciman32.dll.DCIBeginAccess
- dciman32.dll.DCIDestroy
- comctl32.dll.RegisterClassNameW
- uxtheme.dll.OpenThemeData
- imm32.dll.ImmIsIME
- gdi32.dll.GetLayout
- gdi32.dll.GdiRealizationInfo
- gdi32.dll.FontIsLinked
- advapi32.dll.RegOpenKeyExW
- advapi32.dll.RegQueryInfoKeyW
- gdi32.dll.GetTextFaceAliasW
- advapi32.dll.RegEnumValueW
- advapi32.dll.RegQueryValueExW
- advapi32.dll.RegQueryValueExA
- advapi32.dll.RegEnumKeyExW
- gdi32.dll.GetTextExtentExPointWPri
- comctl32.dll.InitCommonControlsEx
- imm32.dll.ImmAssociateContext
- uxtheme.dll.EnableThemeDialogTexture
- imm32.dll.ImmGetContext
- imm32.dll.ImmReleaseContext
- user32.dll.GetMenuStringA
- ole32.dll.CoInitialize
- winhttp.dll.WinHttpCheckPlatform
- winhttp.dll.WinHttpCrackUrl
- shlwapi.dll.StrCmpNW
- winhttp.dll.WinHttpOpen
- winhttp.dll.WinHttpConnect
- winhttp.dll.WinHttpOpenRequest
- winhttp.dll.WinHttpSetTimeouts
- winhttp.dll.WinHttpSetOption
- winhttp.dll.WinHttpAddRequestHeaders
- shlwapi.dll.#153
- winhttp.dll.WinHttpSendRequest
- ws2_32.dll.GetAddrInfoW
- ws2_32.dll.WSASocketW
- ws2_32.dll.#2
- ws2_32.dll.#21
- ws2_32.dll.#9
- ws2_32.dll.WSAIoctl
- ws2_32.dll.FreeAddrInfoW
- ws2_32.dll.#6
- ws2_32.dll.WSARecv
- ws2_32.dll.WSASend
- winhttp.dll.WinHttpReceiveResponse
- winhttp.dll.WinHttpQueryDataAvailable
- winhttp.dll.WinHttpReadData
- winhttp.dll.WinHttpQueryHeaders
- ole32.dll.CoUninitialize
- winhttp.dll.WinHttpCloseHandle
- rpcrt4.dll.RpcBindingFree
- kernel32.dll.lstrcpyn
- wininet.dll.InternetOpenA
- wininet.dll.InternetConnectA
- wininet.dll.HttpOpenRequestA
- wininet.dll.HttpSendRequestA
- rasapi32.dll.RasConnectionNotificationW
- sechost.dll.OpenSCManagerA
- sechost.dll.NotifyServiceStatusChangeA
- wininet.dll.InternetReadFile
- wininet.dll.InternetCloseHandle
- gdi32.dll.GdiIsMetaPrintDC
- kernel32.dll.LocalSize
- kernel32.dll.CreateProcessA
- kernel32.dll.GetThreadContext
- kernel32.dll.ReadProcessMemory
- ntdll.dll.ZwUnmapViewOfSection
- kernel32.dll.VirtualAllocEx
- kernel32.dll.WriteProcessMemory
- kernel32.dll.VirtualProtectEx
- kernel32.dll.SetThreadContext
- windowscodecs.dll.WICCreateImagingFactory_Proxy
- ole32.dll.CreateStreamOnHGlobal
- kernel32.dll.WerRegisterMemoryBlock
- ole32.dll.GetHGlobalFromStream
- shell32.dll.#66
- ole32.dll.CoTaskMemFree
- kernel32.dll.FlsGetValue
- user32.dll.NotifyWinEvent
- ole32.dll.RegisterDragDrop
- kernel32.dll.GetCurrentProcessId
- kernel32.dll.OpenProcessToken
- advapi32.dll.LookupPrivilegeValueA
- advapi32.dll.AdjustTokenPrivileges
- kernel32.dll.Module32First
- kernel32.dll.Module32Next
- user32.dll.wvsprintfA
- ole32.dll.CoInitializeEx
- ole32.dll.CoRegisterInitializeSpy
- ole32.dll.CoRevokeInitializeSpy
- user32.dll.GetAsyncKeyState
- oleaut32.dll.SysAllocString
- oleaut32.dll.SysStringLen
- oleaut32.dll.SysFreeString