Maldun Security Analysis Report

Analysis type Start time End time Duration Analysis engine version
FILE 2020-11-30 12:49:22 2020-11-30 12:50:14 52 seconds 1.4-Maldun
VM name Label VM manager Boot time Shutdown time
win7-sp1-x64-shaapp03-1 win7-sp1-x64-shaapp03-1 KVM 2020-11-30 12:49:23 2020-11-30 12:50:15
Maldun score

10.0

Malicious

File details

File name MusicTools v1.9.0.0.exe
File size 4220021 bytes
File type PE32 executable (GUI) Intel 80386, for MS Windows
CRC32 F46093BE
MD5 ca33edcc509a99d3019fa0adb4a48346
SHA1 49d01615a5ccc2f3fb6c6b792fd274f9f13e3b27
SHA256 26eb93c7460cde6a875e45621df7ee9b877ad939f0223f62405361dcb29ea5eb
SHA512 f020a8e0edd22158e09438f112abaed12275be2c5c3fb63f5a760e487b852d1b0026581f34714d6e1f6e9f6b64dc35c8be8f3e4dcd9ac56b04b27eb00f712cf5
Ssdeep 98304:2gwR0QYiTlfnqCmuC1LJvXdV+iJ9lR+ckDRmCZ:2gWYn9uuJvNVtlR+cCZ
PEiD No match
Yara
  • CRC32_poly_Constant (Look for CRC32 [poly])
  • RijnDael_AES_CHAR (Look for RijnDael AES (check2) [char])
  • RijnDael_AES_LONG (Look for RijnDael AES)
  • IsPE32 (Detected a 32bit PE sample)
  • IsWindowsGUI (Detected a Windows GUI sample)
  • IsPacked (Detected Entropy signature)
  • HasOverlay (Detected Overlay signature)
  • HasModified_DOS_Message (Detected DOS Message)
  • screenshot (Detected take screenshot function)
  • create_process (Detection function for creating a new process)
  • keylogger (Detected keylogger function)
  • win_files_operation (Affect private profile)
  • win_hook (Detected hook table access function)
  • Maldun_Anomoly_Combined_Activities_7 (Spotted potential malicious behaviors from a small size target, like process manipultion, privilege, token and files)
VirusTotal VirusTotal link
VirusTotal scan time: 2020-11-29 13:31:12
Scan result: 9/69

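Signatures

Attempts to delay the analysis task via a process
Process: MusicTools.exe tried to sleep 62 seconds, actually delayed analysis time by 0 seconds
Possible date expiration check: exits too soon after checking local time
Creates RWX memory
Maldun Security Yara rule detection results - security alerts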
Warning: Look for RijnDael AES
Informational: Detected DOS Message
Critical: Spotted potential malicious behaviors from a small size target, like process manipultion, privilege, token and files
Reads data out of its own binary image
self_read: process: MusicTools v1.9.0.0.exe, pid: 2312, offset: 0x00000000, length: 0x00034c8c
self_read: process: MusicTools v1.9.0.0.exe, pid: 2312, offset: 0x00000000, length: 0x0003ffa0
self_read: process: MusicTools v1.9.0.0.exe, pid: 2312, offset: 0x00000000, length: 0x001000e1
self_read: process: MusicTools v1.9.0.0.exe, pid: 2312, offset: 0x00000000, length: 0x001008e9
self_read: process: MusicTools v1.9.0.0.exe, pid: 2312, offset: 0x00000000, length: 0x00100ab6
self_read: process: MusicTools v1.9.0.0.exe, pid: 2312, offset: 0x00000000, length: 0x00100aeb
self_read: process: MusicTools v1.9.0.0.exe, pid: 2312, offset: 0x00000000, length: 0x00100cba
self_read: process: MusicTools v1.9.0.0.exe, pid: 2312, offset: 0x00034365, length: 0x003d2110
self_read: process: MusicTools.exe, pid: 2636, offset: 0x00000000, length: 0x000a5200
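Creates a hidden or system file
file: C:\Users\test\AppData\Local\Temp\7ZipSfx.000
Network activity detected but not shown in the API logs
ip: 23.218.94.163
domain: acroipm.adobe.com
A process created a hidden window
Process: MusicTools v1.9.0.0.exe -> cmd.exe
The sample drops an executable into the temporary directory and then deletes it
Anomaly: C:\Users\test\AppData\Local\Temp\7ZipSfx.000\MusicTools.exe deleted
Forces a created process to load as the child of another, unrelated process
process: C:\Windows\sysnative\cmd.exe, PID 2496
Anomalous repeated invocation of CMD
Command: cmd.exe /c attrib +h "c:\users\test\appdata\local\temp\7zipsfx.000"
The sample was detected attempting to obfuscate or spoof its file type
The file was detected as malicious by at least one antivirus engine on VirusTotal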
Bkav: W32.AIDetectVM.malware2
McAfee: Artemis!CA33EDCC509A
APEX: Malicious
McAfee-GW-Edition: BehavesLike.Win32.BadFile.rc
Microsoft: Trojan:Win32/Woreflint.A!cl
BitDefenderTheta: Gen:NN.ZemsilF.34658.Pm0@aGtZPId
eGambit: Unsafe.AI_Score_99%
Webroot: W32.Trojan.Gen
CrowdStrike: win/malicious_confidence_60% (D)

Network analysis

DNS resolution

Domain Response
acroipm.adobe.com CNAME acroipm.adobe.com.edgesuite.net
A 23.218.94.163
CNAME a1983.dscd.akamai.net
A 23.218.94.155

TCP connections

IP address Port
23.218.94.155 80

UDP connections

IP address Port
192.168.122.1 53

HTTP requests

URL HTTP data
http://acroipm.adobe.com/11/rdr/CHS/win/nooem/none/message.zip
GET /11/rdr/CHS/win/nooem/none/message.zip HTTP/1.1
Accept: */*
If-Modified-Since: Mon, 08 Nov 2017 08:44:36 GMT
User-Agent: IPM
Host: acroipm.adobe.com
Connection: Keep-Alive
Cache-Control: no-cache

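Static analysis

PE information

Image base 0x00400000
Entry point 0x0041942f
Declared checksum 0x0003e540
Actual checksum 0x0040bd59
Minimum OS version required 4.0
Compile time 2012-12-31 08:38:51
Import hash f6baa5eaa8231d4fe8e922a2e6d240ea
Icon
Icon exact hash d5b9392dcabed06cda461c15e6786241
Icon similarity hash 7e406196e2740baa2cd11ed30cb18e8f

Version information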

Translation: 0x0000 0x04b0
LegalCopyright: Copyright \xc2 2020
Assembly Version: 1.9.0.0
InternalName: MusicTools.exe
FileVersion: 1.9.0.0
CompanyName:
LegalTrademarks:
Comments: \xe6\xe8\xe4\xe4\xe7\xe4\xe5\xe9\xe5\xe4\xe4\xe6\xef\xe7\xe6\xe7\xe4\xe9\xe6\xe7\xe9\xef
ProductName: MusicTools
ProductVersion: 1.9.0.0
FileDescription: MusicTools
OriginalFilename: MusicTools.exe

PE sections

Name Virtual address Virtual size Raw data size Characteristics Entropy
.text 0x00001000 0x00018dde 0x00018e00 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 6.67
.rdata 0x0001a000 0x00003bca 0x00003c00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 5.72
.data 0x0001e000 0x00004dec 0x00000a00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 4.45
.rsrc 0x00023000 0x00016ab0 0x00016c00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 3.17

Overlay

Offset: 0x00034200
Size: 0x003d2275

Resources

Name Offset Size Language Sublanguage Entropy File type
RT_ICON 0x00038cb8 0x00000468 LANG_NEUTRAL SUBLANG_NEUTRAL 4.10 GLS_BINARY_LSB_FIRST
RT_ICON 0x00038cb8 0x00000468 LANG_NEUTRAL SUBLANG_NEUTRAL 4.10 GLS_BINARY_LSB_FIRST
RT_ICON 0x00038cb8 0x00000468 LANG_NEUTRAL SUBLANG_NEUTRAL 4.10 GLS_BINARY_LSB_FIRST
RT_ICON 0x00038cb8 0x00000468 LANG_NEUTRAL SUBLANG_NEUTRAL 4.10 GLS_BINARY_LSB_FIRST
RT_GROUP_ICON 0x00039120 0x0000003e LANG_NEUTRAL SUBLANG_NEUTRAL 2.77 MS Windows icon resource - 4 icons, 128x128
RT_VERSION 0x00039160 0x00000358 LANG_NEUTRAL SUBLANG_NEUTRAL 3.58 data
RT_MANIFEST 0x000394b8 0x000005f8 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 5.42 XML 1.0 document text

Imports


Dropped files

No information

Behavioral analysis

Mutexes
  • Local\DirectSound DllMain mutex (0x00000A4C)
  • Local\MSCTF.Asm.MutexDefault1
Executed commands
  • cmd.exe /c attrib +h "C:\Users\test\AppData\Local\Temp\7ZipSfx.000"
  • MusicTools.exe
  • attrib +h "C:\Users\test\AppData\Local\Temp\7ZipSfx.000"
Services created No information
Services started No information

Processes

MusicTools v1.9.0.0.exe PID: 2312, parent process PID: 2152

cmd.exe PID: 2496, parent process PID: 2312

attrib.exe PID: 2568, parent process PID: 2496

MusicTools.exe PID: 2636, parent process PID: 2312

Files accessed
Files read
Files modified
  • C:\Users\test\AppData\Local\Temp\7ZipSfx.000\bass.dll
  • C:\Users\test\AppData\Local\Temp\7ZipSfx.000\Bass.Net.dll
  • C:\Users\test\AppData\Local\Temp\7ZipSfx.000\DSkin.dll
  • C:\Users\test\AppData\Local\Temp\7ZipSfx.000\ICSharpCode.SharpZipLib.dll
  • C:\Users\test\AppData\Local\Temp\7ZipSfx.000\MusicTools.exe
  • C:\Users\test\AppData\Local\Temp\7ZipSfx.000\Newtonsoft.Json.dll
  • C:\Users\test\AppData\Local\Temp\7ZipSfx.000\TagLibSharp.dll
  • C:\Users\test\AppData\Local\GDIPFONTCACHEV1.DAT
  • \??\hid#vid_0627&pid_0001#6&2e2010ad&0&0000#{4d1e55b2-f16f-11cf-88cb-001111000030}
  • \??\hid#vid_0627&pid_0001#7&2053375d&0&0000#{4d1e55b2-f16f-11cf-88cb-001111000030}
  • \??\hid#vid_0627&pid_0001#7&d9986b8&0&0000#{4d1e55b2-f16f-11cf-88cb-001111000030}
Files deleted
  • C:\Users\test\AppData\Local\Temp\7ZipSfx.000\bass.dll
  • C:\Users\test\AppData\Local\Temp\7ZipSfx.000\Bass.Net.dll
  • C:\Users\test\AppData\Local\Temp\7ZipSfx.000\DSkin.dll
  • C:\Users\test\AppData\Local\Temp\7ZipSfx.000\ICSharpCode.SharpZipLib.dll
  • C:\Users\test\AppData\Local\Temp\7ZipSfx.000\MusicTools.exe
  • C:\Users\test\AppData\Local\Temp\7ZipSfx.000\Newtonsoft.Json.dll
  • C:\Users\test\AppData\Local\Temp\7ZipSfx.000\TagLibSharp.dll
  • C:\Users\test\AppData\Local\Temp\7ZipSfx.000
Registry keys
Registry keys read
Registry keys modified
  • HKEY_CURRENT_USER\Software\MusicTools
  • HKEY_CURRENT_USER\Software\MusicTools\hxDownload
Registry keys deleted: no information
Resolved APIs
  • kernel32.dll.OpenPrivateNamespaceW
  • kernel32.dll.DeleteBoundaryDescriptor
  • kernel32.dll.WerRegisterRuntimeExceptionModule
  • kernel32.dll.RaiseException
  • mscoree.dll.#24
  • mscoreei.dll.#24
  • ntdll.dll.NtSetSystemInformation
  • psapi.dll.GetProcessMemoryInfo
  • ole32.dll.CoInitializeEx
  • clrjit.dll.sxsJitStartup
  • clrjit.dll.getJit
  • kernel32.dll.LocaleNameToLCID
  • kernel32.dll.LCIDToLocaleName
  • kernel32.dll.GetUserPreferredUILanguages
  • nlssorting.dll.SortGetHandle
  • nlssorting.dll.SortCloseHandle
  • mscoree.dll.GetProcessExecutableHeap
  • mscoreei.dll.GetProcessExecutableHeap
  • ole32.dll.CoTaskMemAlloc
  • kernel32.dll.GetCurrentProcessId
  • advapi32.dll.LookupPrivilegeValueW
  • kernel32.dll.GetCurrentProcess
  • advapi32.dll.AdjustTokenPrivileges
  • kernel32.dll.CloseHandle
  • kernel32.dll.OpenProcess
  • psapi.dll.EnumProcessModules
  • psapi.dll.GetModuleInformation
  • psapi.dll.GetModuleBaseNameW
  • ole32.dll.CoTaskMemFree
  • psapi.dll.GetModuleFileNameExW
  • kernel32.dll.GetFullPathNameW
  • kernel32.dll.SetThreadErrorMode
  • kernel32.dll.GetFileAttributesExW
  • version.dll.VerLanguageNameW
  • kernel32.dll.LoadLibraryA
  • kernel32.dll.WideCharToMultiByte
  • kernel32.dll.GetProcAddress
  • kernel32.dll.VirtualProtect
  • kernel32.dll.VirtualAlloc
  • ole32.dll.CoWaitForMultipleHandles
  • sechost.dll.LookupAccountNameLocalW
  • advapi32.dll.LookupAccountSidW
  • sechost.dll.LookupAccountSidLocalW
  • cryptsp.dll.CryptAcquireContextW
  • cryptsp.dll.CryptGenRandom
  • ole32.dll.NdrOleInitializeExtension
  • ole32.dll.CoGetClassObject
  • ole32.dll.CoGetMarshalSizeMax
  • ole32.dll.CoMarshalInterface
  • ole32.dll.CoUnmarshalInterface
  • ole32.dll.StringFromIID
  • ole32.dll.CoGetPSClsid
  • ole32.dll.CoCreateInstance
  • ole32.dll.CoReleaseMarshalData
  • ole32.dll.DcomChannelSetHResult
  • rpcrtremote.dll.I_RpcExtInitializeExtensionPoint
  • uxtheme.dll.IsAppThemed
  • kernel32.dll.CreateActCtxA
  • user32.dll.RegisterWindowMessageW
  • bcrypt.dll.BCryptGetFipsAlgorithmMode
  • cryptsp.dll.CryptGetDefaultProviderW
  • cryptsp.dll.CryptCreateHash
  • cryptsp.dll.CryptHashData
  • cryptsp.dll.CryptGetHashParam
  • cryptsp.dll.CryptDestroyHash
  • kernel32.dll.CreateFileW
  • kernel32.dll.GetFileType
  • kernel32.dll.GetFileSize
  • kernel32.dll.ReadFile
  • gdiplus.dll.GdiplusStartup
  • kernel32.dll.IsProcessorFeaturePresent
  • user32.dll.GetWindowInfo
  • user32.dll.GetAncestor
  • user32.dll.GetMonitorInfoA
  • user32.dll.EnumDisplayMonitors
  • user32.dll.EnumDisplayDevicesA
  • gdi32.dll.ExtTextOutW
  • gdi32.dll.GdiIsMetaPrintDC
  • gdiplus.dll.GdipCreateFontFamilyFromName
  • kernel32.dll.RegOpenKeyExW
  • kernel32.dll.RegQueryInfoKeyA
  • kernel32.dll.RegCloseKey
  • kernel32.dll.RegCreateKeyExW
  • kernel32.dll.RegQueryValueExW
  • gdiplus.dll.GdipCreateFont
  • gdiplus.dll.GdipGetFontSize
  • user32.dll.GetSystemMetrics
  • kernel32.dll.GetModuleHandleW
  • kernel32.dll.LoadLibraryW
  • user32.dll.AdjustWindowRectEx
  • kernel32.dll.GetCurrentThread
  • kernel32.dll.DuplicateHandle
  • kernel32.dll.GetCurrentThreadId
  • kernel32.dll.GetCurrentActCtx
  • kernel32.dll.ActivateActCtx
  • user32.dll.DefWindowProcW
  • gdi32.dll.GetStockObject
  • user32.dll.RegisterClassW
  • user32.dll.CreateWindowExW
  • user32.dll.SetWindowLongW
  • user32.dll.GetWindowLongW
  • user32.dll.CallWindowProcW
  • user32.dll.GetClientRect
  • user32.dll.GetWindowRect
  • user32.dll.GetParent
  • kernel32.dll.DeactivateActCtx
  • kernel32.dll.GetSystemDefaultLCID
  • gdi32.dll.GetObjectW
  • user32.dll.GetDC
  • gdiplus.dll.GdipCreateFontFromLogfontW
  • mscoree.dll.ND_RI2
  • mscoreei.dll.ND_RI2
  • mscoree.dll.ND_RU1
  • mscoreei.dll.ND_RU1
  • gdiplus.dll.GdipGetFontUnit
  • gdiplus.dll.GdipGetFontStyle
  • gdiplus.dll.GdipGetFamily
  • user32.dll.ReleaseDC
  • gdiplus.dll.GdipCreateFromHDC
  • gdiplus.dll.GdipGetDpiY
  • gdiplus.dll.GdipGetFontHeight
  • gdiplus.dll.GdipGetEmHeight
  • gdiplus.dll.GdipGetLineSpacing
  • gdiplus.dll.GdipDeleteGraphics
  • gdiplus.dll.GdipDeleteFont
  • user32.dll.LoadCursorW
  • gdiplus.dll.GdipCreateRegionRectI
  • kernel32.dll.CompareStringOrdinal
  • kernel32.dll.ResolveLocaleName
  • gdi32.dll.GetDeviceCaps
  • user32.dll.CreateIconFromResourceEx
  • user32.dll.GetProcessWindowStation
  • user32.dll.GetUserObjectInformationA
  • kernel32.dll.SetConsoleCtrlHandler
  • user32.dll.GetClassInfoW
  • user32.dll.GetSysColor
  • gdiplus.dll.GdipCreateStringFormat
  • gdiplus.dll.GdipSetStringFormatLineAlign
  • gdiplus.dll.GdipSetStringFormatAlign
  • gdiplus.dll.GdipStringFormatGetGenericTypographic
  • oleaut32.dll.OleCreatePictureIndirect
  • ole32.dll.CoGetContextToken
  • ole32.dll.CoGetObjectContext
  • user32.dll.GetIconInfo
  • gdi32.dll.DeleteObject
  • user32.dll.CopyImage
  • gdiplus.dll.GdipCreateMatrix
  • gdiplus.dll.GdipSetMatrixElements
  • gdiplus.dll.GdipRotateMatrix
  • gdiplus.dll.GdipCreateFromHWND
  • gdiplus.dll.GdipStringFormatGetGenericDefault
  • gdiplus.dll.GdipMeasureString
  • user32.dll.SystemParametersInfoW
  • gdiplus.dll.GdipLoadImageFromStream
  • windowscodecs.dll.DllGetClassObject
  • kernel32.dll.WerRegisterMemoryBlock
  • gdiplus.dll.GdipImageForceValidation
  • gdiplus.dll.GdipGetImageType
  • gdiplus.dll.GdipGetImageRawFormat
  • user32.dll.MonitorFromRect
  • user32.dll.GetMonitorInfoW
  • gdi32.dll.CreateDCW
  • gdi32.dll.DeleteDC
  • user32.dll.GetDoubleClickTime
  • gdiplus.dll.GdipCreateBitmapFromStream
  • gdiplus.dll.GdipGetImageWidth
  • gdiplus.dll.GdipGetImageHeight
  • gdiplus.dll.GdipCreateBitmapFromScan0
  • gdiplus.dll.GdipGetImagePixelFormat
  • gdiplus.dll.GdipGetImageGraphicsContext
  • gdiplus.dll.GdipGraphicsClear
  • gdiplus.dll.GdipCreateImageAttributes
  • gdiplus.dll.GdipSetImageAttributesColorKeys
  • gdiplus.dll.GdipDrawImageRectRectI
  • gdiplus.dll.GdipDisposeImageAttributes
  • gdiplus.dll.GdipDisposeImage
  • gdiplus.dll.GdipSetStringFormatTrimming
  • gdiplus.dll.GdipNewPrivateFontCollection
  • gdiplus.dll.GdipPrivateAddMemoryFont
  • gdiplus.dll.GdipGetFontCollectionFamilyCount
  • gdiplus.dll.GdipGetFontCollectionFamilyList
  • gdiplus.dll.GdipCloneFontFamily
  • ole32.dll.OleInitialize
  • user32.dll.GetKeyboardLayout
  • user32.dll.SetTimer
  • oleaut32.dll.#8
  • oleaut32.dll.#12
  • gdiplus.dll.GdipImageGetFrameDimensionsCount
  • kernel32.dll.LocalAlloc
  • gdiplus.dll.GdipImageGetFrameDimensionsList
  • kernel32.dll.LocalFree
  • gdiplus.dll.GdipImageGetFrameCount
  • gdiplus.dll.GdipGetPropertyItemSize
  • gdiplus.dll.GdipGetPropertyItem
  • shell32.dll.Shell_NotifyIcon
  • shell32.dll.Shell_NotifyIconW
  • shell32.dll.#66
  • user32.dll.GetWindowThreadProcessId
  • user32.dll.PostMessageW
  • user32.dll.GetCursorPos
  • user32.dll.MonitorFromPoint
  • gdiplus.dll.GdipDeleteRegion
  • user32.dll.MonitorFromWindow
  • user32.dll.InvalidateRect
  • gdiplus.dll.GdipGetRegionHRgn
  • user32.dll.IsWindowVisible
  • user32.dll.SetWindowRgn
  • user32.dll.GetWindowPlacement
  • user32.dll.SetWindowTextW
  • kernel32.dll.GetStartupInfoW
  • user32.dll.SendMessageW
  • user32.dll.GetSystemMenu
  • user32.dll.EnableMenuItem
  • user32.dll.GetWindowTextLengthW
  • user32.dll.GetWindowTextW
  • user32.dll.SetWindowPos
  • user32.dll.RedrawWindow
  • user32.dll.ShowWindow
  • user32.dll.GetWindow
  • user32.dll.MapWindowPoints
  • user32.dll.GetScrollBarInfo
  • user32.dll.ScreenToClient
  • imm32.dll.ImmGetContext
  • user32.dll.CreateWindowExA
  • user32.dll.GetWindowLongA
  • user32.dll.GetFocus
  • comctl32.dll.InitCommonControlsEx
  • uxtheme.dll.OpenThemeData
  • imm32.dll.ImmAssociateContext
  • gdi32.dll.GetLayout
  • gdi32.dll.GdiRealizationInfo
  • gdi32.dll.FontIsLinked
  • gdi32.dll.GetTextFaceAliasW
  • advapi32.dll.RegQueryValueExA
  • gdi32.dll.GetTextExtentExPointWPri
  • user32.dll.FindWindowExA
  • cryptsp.dll.CryptImportKey
  • cryptsp.dll.CryptExportKey
  • cryptsp.dll.CryptDestroyKey
  • advapi32.dll.RegCreateKeyExW
  • advapi32.dll.RegSetValueExW
  • msacm32.dll.acmStreamConvert
  • msacm32.dll.acmStreamPrepareHeader
  • msacm32.dll.acmStreamClose
  • msacm32.dll.acmStreamSize
  • msacm32.dll.acmStreamOpen
  • msacm32.dll.acmStreamUnprepareHeader
  • winmm.dll.mixerGetControlDetailsA
  • winmm.dll.mixerGetNumDevs
  • winmm.dll.mixerGetLineInfoW
  • winmm.dll.timeBeginPeriod
  • winmm.dll.mixerSetControlDetails
  • winmm.dll.mixerGetDevCapsA
  • winmm.dll.timeGetTime
  • winmm.dll.mixerOpen
  • winmm.dll.timeEndPeriod
  • winmm.dll.mixerGetLineControlsA
  • winmm.dll.mixerGetLineInfoA
  • winmm.dll.mixerClose
  • kernel32.dll.GetModuleFileNameA
  • kernel32.dll.DeviceIoControl
  • kernel32.dll.VirtualLock
  • kernel32.dll.GetExitCodeThread
  • kernel32.dll.CreateFileMappingA
  • kernel32.dll.EnterCriticalSection
  • kernel32.dll.CreateThread
  • kernel32.dll.AreFileApisANSI
  • kernel32.dll.TlsFree
  • kernel32.dll.GetVersion
  • kernel32.dll.TlsAlloc
  • kernel32.dll.GetVersionExA
  • kernel32.dll.SetThreadAffinityMask
  • kernel32.dll.DeleteCriticalSection
  • kernel32.dll.QueryPerformanceFrequency
  • kernel32.dll.GetModuleHandleA
  • kernel32.dll.CreateFileA
  • kernel32.dll.SetFilePointer
  • kernel32.dll.TlsGetValue
  • kernel32.dll.MapViewOfFile
  • kernel32.dll.UnmapViewOfFile
  • kernel32.dll.FreeLibrary
  • kernel32.dll.QueryPerformanceCounter
  • kernel32.dll.WaitForSingleObject
  • kernel32.dll.SetEvent
  • kernel32.dll.WaitForSingleObjectEx
  • kernel32.dll.GetTickCount
  • kernel32.dll.InitializeCriticalSection
  • kernel32.dll.TlsSetValue
  • kernel32.dll.Sleep
  • kernel32.dll.CreateEventA
  • kernel32.dll.LeaveCriticalSection
  • kernel32.dll.MultiByteToWideChar
  • kernel32.dll.SetThreadPriority
  • kernel32.dll.VirtualUnlock
  • kernel32.dll.FreeLibraryAndExitThread
  • kernel32.dll.GetLastError
  • kernel32.dll.QueueUserAPC
  • kernel32.dll.WaitForMultipleObjects
  • user32.dll.GetDesktopWindow
  • ole32.dll.CoUninitialize
  • ole32.dll.CLSIDFromString
  • ole32.dll.CoInitialize
  • ole32.dll.PropVariantClear
  • msvcrt.dll.free
  • msvcrt.dll._CIpow
  • msvcrt.dll._CIexp
  • msvcrt.dll.memcpy
  • msvcrt.dll.memset
  • msvcrt.dll._stricmp
  • msvcrt.dll._wcsdup
  • msvcrt.dll._initterm
  • msvcrt.dll._adjust_fdiv
  • msvcrt.dll.??2@YAPAXI@Z
  • msvcrt.dll.strpbrk
  • msvcrt.dll.strtoul
  • msvcrt.dll.realloc
  • msvcrt.dll.strrchr
  • msvcrt.dll._strdup
  • msvcrt.dll.wcsstr
  • msvcrt.dll.strncpy
  • msvcrt.dll.sprintf
  • msvcrt.dll._strnicmp
  • msvcrt.dll.sscanf
  • msvcrt.dll.memmove
  • msvcrt.dll.ceil
  • msvcrt.dll.ldexp
  • msvcrt.dll.floor
  • msvcrt.dll.qsort
  • msvcrt.dll.malloc
  • msvcrt.dll.strstr
  • msvcrt.dll.strchr
  • msvcrt.dll.memchr
  • bass.dll.BASS_GetVersion
  • bass.dll.BASS_SetConfig
  • shell32.dll.SHGetFolderPathW
  • bass.dll.BASS_Init
  • dsound.dll.DirectSoundEnumerateW
  • dsound.dll.DirectSoundCaptureEnumerateW
  • dsound.dll.DirectSoundCreate8
  • bass.dll.BASS_ErrorGetCode
  • user32.dll.GetActiveWindow
  • ole32.dll.CoRegisterMessageFilter
  • user32.dll.EnumThreadWindows
  • user32.dll.MessageBoxW
  • ole32.dll.CoRegisterInitializeSpy
  • ole32.dll.CoRevokeInitializeSpy
  • user32.dll.PeekMessageW
  • gdi32.dll.GetFontAssocStatus
  • bass.dll.BASS_ChannelIsActive
  • oleaut32.dll.SysAllocString
  • oleaut32.dll.SysStringLen
  • oleaut32.dll.SysFreeString
  • gdiplus.dll.GdipDeleteStringFormat
  • user32.dll.DestroyIcon
  • kernel32.dll.GetACP
  • cryptsp.dll.CryptGetProvParam
  • cryptsp.dll.CryptSetKeyParam
  • cryptsp.dll.CryptDecrypt
  • cryptsp.dll.CryptEncrypt
  • kernel32.dll.CreateSemaphoreA
  • hid.dll.HidD_GetHidGuid
  • setupapi.dll.SetupDiGetClassDevsA
  • setupapi.dll.SetupDiEnumDeviceInterfaces
  • setupapi.dll.SetupDiGetDeviceInterfaceDetailA
  • setupapi.dll.SetupDiDestroyDeviceInfoList
  • wintrust.dll.WinVerifyTrust
  • kernel32.dll.ReleaseSemaphore
  • oleaut32.dll.#500
  • bass.dll.BASS_ChannelStop
  • bass.dll.BASS_StreamFree
  • bass.dll.BASS_Stop
  • bass.dll.BASS_Free
  • psapi.dll.EnumProcesses
  • kernel32.dll.TerminateProcess