魔盾安全分析报告

分析类型	开始时间	结束时间	持续时间	分析引擎版本
FILE	2021-04-08 22:50:11	2021-04-08 22:52:19	128 秒	1.4-Maldun

虚拟机机器名	标签	虚拟机管理	开机时间	关机时间
win7-sp1-x64-shaapp03-1	win7-sp1-x64-shaapp03-1	KVM	2021-04-08 22:50:11	2021-04-08 22:52:21

魔盾分数
10.0 恶意的

文件详细信息

文件名	菠扫号PC v130.0.1.exe
文件大小	9277440 字节
文件类型	PE32 executable (GUI) Intel 80386, for MS Windows
CRC32	7CAFB617
MD5	08136abe82e6c61991d11a1016ed9268
SHA1	017a337c1adbba179994eb60a4b939e042201088
SHA256	faac12314500069ea5c7172f10d9cf5828e53be5be0c249e7805858e924e4b79
SHA512	cd7acfdfaab97225e969651756d4513a01380a902424c63e893481e1fb572960a69acba80562b62ae9bd77129cb2f97b67610744368c4bb93b6551fd7060e9ec
Ssdeep	196608:sRh+/pjtwAcixzOi2O2wxvVoV0JVp07X8l/sWEIf:sRhwLVxzOn5wxvV9DmWEq
PEiD	无匹配
Yara	Advapi_Hash_API (Looks for advapi API functions) CRC32_poly_Constant (Look for CRC32 [poly]) CRC32_table (Look for CRC32 table) MD5_Constants (Look for MD5 constants) RIPEMD160_Constants (Look for RIPEMD-160 constants) SHA1_Constants (Look for SHA1 constants) DES_sbox (Look for DES [sbox]) BASE64_table (Look for Base64 table) with_images (Detected the presence of an or several images) with_urls (Detected the presence of an or several urls) IsPE32 (Detected a 32bit PE sample) IsWindowsGUI (Detected a Windows GUI sample) IsPacked (Detected Entropy signature) DebuggerTiming__Ticks (Detected timing ticks function) network_http (Detected communications function over HTTP) network_tcp_socket (Detected network communications over RAW socket) screenshot (Detected take screenshot function) create_process (Detection function for creating a new process) keylogger (Detected keylogger function) win_registry (Detected system registries modification function) change_win_registry (Change registries to affect system) win_files_operation (Affect private profile) win_hook (Detected hook table access function) win_private_profile (Detected private profile access function) Maldun_Anomoly_Combined_Activities_Network_Logging (Spotted potential abnormal behaviors, like logging and network communications) Maldun_Anomoly_Combined_Activities_5 (Spotted potential mallicious behaviors like logging and network communication) Maldun_Anomoly_Combined_Activities_7 (Spotted potential malicious behaviors from a small size target, like process manipultion, privilege, token and files)
VirusTotal	VirusTotal查询失败

特征

魔盾wping.org 域名信誉系统

Greylist: apipc.abc10010.cn

发起了一些HTTP请求

url: http://www.baidu.com/

url: http://apipc.abc10010.cn/api.php?ace=mcq&acek=1660

二进制文件可能包含加密或压缩数据

section: name: .rdata, entropy: 7.76, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ, raw_size: 0x0039d000, virtual_size: 0x0039ca72

section: name: .vmp0, entropy: 7.87, characteristics: IMAGE_SCN_CNT_CODE|IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ, raw_size: 0x002a2000, virtual_size: 0x002a14d0

可执行文件可能使用VMProtect打包

section: {'name': '.vmp0', 'characteristics': 'IMAGE_SCN_CNT_CODE|IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ', 'virtual_address': '0x00689000', 'size_of_data': '0x002a2000', 'entropy': '7.87', 'virtual_size': '0x002a14d0', 'characteristics_raw': '0x60000060'}

通过进程尝试长时间延迟分析任务

Process: _________PC v130.0.1.exe tried to sleep 240 seconds, actually delayed analysis time by 0 seconds

检测到样本尝试模糊或欺骗文件类型

魔盾安全Yara规则检测结果 - 高危

Warning: Looks for advapi API functions

Critical: Spotted potential abnormal behaviors, like logging and network communications

Critical: Spotted potential mallicious behaviors like logging and network communication

Critical: Spotted potential malicious behaviors from a small size target, like process manipultion, privilege, token and files

运行截图

网络分析

域名解析

域名	响应
www.baidu.com	CNAME www.a.shifen.com A 180.101.49.11 A 180.101.49.12
apipc.abc10010.cn	CNAME apipc.abc10010.cn.cdn.dnsv1.com A 60.174.59.174 A 122.228.0.143 CNAME 8p3ancjo.slt.sched.tdnsv8.com A 122.246.6.14 A 117.68.66.28 A 60.167.222.35 A 180.96.32.88 A 60.174.156.19 A 180.96.32.89 A 117.68.66.27 A 58.216.107.24 A 122.228.0.170
acroipm.adobe.com	CNAME acroipm.adobe.com.edgesuite.net CNAME a1983.dscd.akamai.net A 23.202.48.81 A 23.202.48.32

TCP连接

IP地址	端口
180.101.49.12	80
192.168.122.1	53
23.202.48.32	80
60.174.156.19	80

UDP连接

IP地址	端口
192.168.122.1	53
192.168.122.1	53
192.168.122.1	53

HTTP请求

URL	HTTP数据
http://www.baidu.com/	HEAD / HTTP/1.1 Accept: / Referer: http://www.baidu.com/ Accept-Language: zh-cn User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:14.0) Gecko/20100101 Firefox/18.0.1 Connection: Keep-Alive Host: www.baidu.com Content-Length: 0 Cache-Control: no-cache
http://apipc.abc10010.cn/api.php?ace=mcq&acek=1660	POST /api.php?ace=mcq&acek=1660 HTTP/1.1 Accept: / Referer: http://apipc.abc10010.cn/api.php?ace=mcq&acek=1660 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_6; en-gb) AppleWebKit/533.20.25 (KHTML, like Gecko) Version/5.0.4 Safari/533.20.27 Content-Type: application/x-www-form-urlencoded Accept-Language: zh-cn Cookie: uti=373C3E353564 Content-Length: 73 Host: apipc.abc10010.cn Cache-Control: no-cache cctv=333735&mscctv=333735&tuci=3035353C20272B051800127A645F40B6B89387&yz=
http://acroipm.adobe.com/11/rdr/CHS/win/nooem/none/message.zip	GET /11/rdr/CHS/win/nooem/none/message.zip HTTP/1.1 Accept: / If-Modified-Since: Mon, 08 Nov 2017 08:44:36 GMT User-Agent: IPM Host: acroipm.adobe.com Connection: Keep-Alive Cache-Control: no-cache

URL

HTTP数据

http://www.baidu.com/

HEAD / HTTP/1.1
Accept: */*
Referer: http://www.baidu.com/
Accept-Language: zh-cn
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:14.0) Gecko/20100101 Firefox/18.0.1
Connection: Keep-Alive
Host: www.baidu.com
Content-Length: 0
Cache-Control: no-cache

http://apipc.abc10010.cn/api.php?ace=mcq&acek=1660

POST /api.php?ace=mcq&acek=1660 HTTP/1.1
Accept: */*
Referer: http://apipc.abc10010.cn/api.php?ace=mcq&acek=1660
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_6; en-gb) AppleWebKit/533.20.25 (KHTML, like Gecko) Version/5.0.4 Safari/533.20.27
Content-Type: application/x-www-form-urlencoded
Accept-Language: zh-cn
Cookie: uti=373C3E353564
Content-Length: 73
Host: apipc.abc10010.cn
Cache-Control: no-cache

cctv=333735&mscctv=333735&tuci=3035353C20272B051800127A645F40B6B89387&yz=

http://acroipm.adobe.com/11/rdr/CHS/win/nooem/none/message.zip

GET /11/rdr/CHS/win/nooem/none/message.zip HTTP/1.1
Accept: */*
If-Modified-Since: Mon, 08 Nov 2017 08:44:36 GMT
User-Agent: IPM
Host: acroipm.adobe.com
Connection: Keep-Alive
Cache-Control: no-cache

静态分析

PE 信息

初始地址	0x00400000
入口地址	0x00551559
声明校验值	0x00000000
实际校验值	0x008e7987
最低操作系统版本要求	4.0
编译时间	2021-04-08 09:45:38
载入哈希	8f752e1a183ad17d1718a889e746af10
图标
图标精确哈希值	6b5faf674d7981efe27193e4c51a83d9
图标相似性哈希值	0d02bfa406f7771c93143a765894c749

版本信息

LegalCopyright:	Boluo
FileVersion:	130.0.0.0
CompanyName:	Boluo
Comments:	Boluo
ProductName:	Boluo
ProductVersion:	130.0.0.0
FileDescription:	Boluo
Translation:	0x0804 0x04b0

PE数据组成

名称	虚拟地址	虚拟大小	原始数据大小	特征	熵(Entropy)
.text	0x00001000	0x001b54ea	0x001b6000	IMAGE_SCN_CNT_CODE\|IMAGE_SCN_MEM_EXECUTE\|IMAGE_SCN_MEM_READ	6.65
.rdata	0x001b7000	0x0039ca72	0x0039d000	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ	7.76
.data	0x00554000	0x00134c91	0x000ca000	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ\|IMAGE_SCN_MEM_WRITE	5.59
.vmp0	0x00689000	0x002a14d0	0x002a2000	IMAGE_SCN_CNT_CODE\|IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_EXECUTE\|IMAGE_SCN_MEM_READ	7.87
.rsrc	0x0092b000	0x0001867d	0x00019000	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ	4.57

资源

名称	偏移量	大小	语言	子语言	熵(Entropy)	文件类型
TEXTINCLUDE	0x0092bfac	0x00000151	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	5.25	C source, ASCII text, with CRLF line terminators
TEXTINCLUDE	0x0092bfac	0x00000151	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	5.25	C source, ASCII text, with CRLF line terminators
TEXTINCLUDE	0x0092bfac	0x00000151	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	5.25	C source, ASCII text, with CRLF line terminators
WAVE	0x0092c100	0x00001448	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	6.35	RIFF (little-endian) data, WAVE audio, Microsoft PCM, 16 bit, stereo 22050 Hz
RT_CURSOR	0x0092de68	0x00000134	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	2.43	AmigaOS bitmap font
RT_CURSOR	0x0092de68	0x00000134	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	2.43	AmigaOS bitmap font
RT_CURSOR	0x0092de68	0x00000134	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	2.43	AmigaOS bitmap font
RT_CURSOR	0x0092de68	0x00000134	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	2.43	AmigaOS bitmap font
RT_CURSOR	0x0092de68	0x00000134	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	2.43	AmigaOS bitmap font
RT_CURSOR	0x0092de68	0x00000134	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	2.43	AmigaOS bitmap font
RT_CURSOR	0x0092de68	0x00000134	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	2.43	AmigaOS bitmap font
RT_CURSOR	0x0092de68	0x00000134	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	2.43	AmigaOS bitmap font
RT_CURSOR	0x0092de68	0x00000134	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	2.43	AmigaOS bitmap font
RT_BITMAP	0x00930760	0x00000144	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	2.88	data
RT_BITMAP	0x00930760	0x00000144	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	2.88	data
RT_BITMAP	0x00930760	0x00000144	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	2.88	data
RT_BITMAP	0x00930760	0x00000144	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	2.88	data
RT_BITMAP	0x00930760	0x00000144	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	2.88	data
RT_BITMAP	0x00930760	0x00000144	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	2.88	data
RT_BITMAP	0x00930760	0x00000144	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	2.88	data
RT_BITMAP	0x00930760	0x00000144	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	2.88	data
RT_BITMAP	0x00930760	0x00000144	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	2.88	data
RT_BITMAP	0x00930760	0x00000144	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	2.88	data
RT_BITMAP	0x00930760	0x00000144	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	2.88	data
RT_BITMAP	0x00930760	0x00000144	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	2.88	data
RT_BITMAP	0x00930760	0x00000144	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	2.88	data
RT_BITMAP	0x00930760	0x00000144	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	2.88	data
RT_BITMAP	0x00930760	0x00000144	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	2.88	data
RT_BITMAP	0x00930760	0x00000144	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	2.88	data
RT_ICON	0x00930cb4	0x00010828	LANG_NEUTRAL	SUBLANG_NEUTRAL	3.56	data
RT_ICON	0x00930cb4	0x00010828	LANG_NEUTRAL	SUBLANG_NEUTRAL	3.56	data
RT_ICON	0x00930cb4	0x00010828	LANG_NEUTRAL	SUBLANG_NEUTRAL	3.56	data
RT_MENU	0x009414e8	0x00000284	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	4.28	data
RT_MENU	0x009414e8	0x00000284	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	4.28	data
RT_DIALOG	0x00942730	0x0000018c	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	3.74	data
RT_DIALOG	0x00942730	0x0000018c	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	3.74	data
RT_DIALOG	0x00942730	0x0000018c	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	3.74	data
RT_DIALOG	0x00942730	0x0000018c	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	3.74	data
RT_DIALOG	0x00942730	0x0000018c	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	3.74	data
RT_DIALOG	0x00942730	0x0000018c	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	3.74	data
RT_DIALOG	0x00942730	0x0000018c	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	3.74	data
RT_DIALOG	0x00942730	0x0000018c	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	3.74	data
RT_DIALOG	0x00942730	0x0000018c	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	3.74	data
RT_DIALOG	0x00942730	0x0000018c	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	3.74	data
RT_STRING	0x00943178	0x00000024	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	0.90	data
RT_STRING	0x00943178	0x00000024	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	0.90	data
RT_STRING	0x00943178	0x00000024	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	0.90	data
RT_STRING	0x00943178	0x00000024	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	0.90	data
RT_STRING	0x00943178	0x00000024	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	0.90	data
RT_STRING	0x00943178	0x00000024	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	0.90	data
RT_STRING	0x00943178	0x00000024	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	0.90	data
RT_STRING	0x00943178	0x00000024	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	0.90	data
RT_STRING	0x00943178	0x00000024	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	0.90	data
RT_STRING	0x00943178	0x00000024	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	0.90	data
RT_STRING	0x00943178	0x00000024	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	0.90	data
RT_GROUP_CURSOR	0x00943228	0x00000022	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	2.25	MS Windows cursor resource - 2 icons, 32x256, hotspot @1x1
RT_GROUP_CURSOR	0x00943228	0x00000022	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	2.25	MS Windows cursor resource - 2 icons, 32x256, hotspot @1x1
RT_GROUP_CURSOR	0x00943228	0x00000022	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	2.25	MS Windows cursor resource - 2 icons, 32x256, hotspot @1x1
RT_GROUP_CURSOR	0x00943228	0x00000022	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	2.25	MS Windows cursor resource - 2 icons, 32x256, hotspot @1x1
RT_GROUP_CURSOR	0x00943228	0x00000022	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	2.25	MS Windows cursor resource - 2 icons, 32x256, hotspot @1x1
RT_GROUP_CURSOR	0x00943228	0x00000022	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	2.25	MS Windows cursor resource - 2 icons, 32x256, hotspot @1x1
RT_GROUP_CURSOR	0x00943228	0x00000022	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	2.25	MS Windows cursor resource - 2 icons, 32x256, hotspot @1x1
RT_GROUP_CURSOR	0x00943228	0x00000022	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	2.25	MS Windows cursor resource - 2 icons, 32x256, hotspot @1x1
RT_GROUP_ICON	0x00943274	0x00000014	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	2.02	MS Windows icon resource - 1 icon, 16x16, 16 colors
RT_GROUP_ICON	0x00943274	0x00000014	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	2.02	MS Windows icon resource - 1 icon, 16x16, 16 colors
RT_GROUP_ICON	0x00943274	0x00000014	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	2.02	MS Windows icon resource - 1 icon, 16x16, 16 colors
RT_VERSION	0x00943288	0x00000228	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	3.16	data
RT_MANIFEST	0x009434b0	0x000001cd	LANG_NEUTRAL	SUBLANG_NEUTRAL	5.08	XML 1.0 document, ASCII text, with very long lines, with no line terminators

导入

库 WINMM.dll:

• 0x5b7798 - PlaySoundA

• 0x5b779c - waveOutOpen

• 0x5b77a0 - midiOutUnprepareHeader

• 0x5b77a4 - midiStreamOpen

• 0x5b77a8 - midiStreamProperty

• 0x5b77ac - midiOutPrepareHeader

• 0x5b77b0 - midiStreamOut

• 0x5b77b4 - midiStreamStop

• 0x5b77b8 - midiOutReset

• 0x5b77bc - waveOutGetNumDevs

• 0x5b77c0 - waveOutClose

• 0x5b77c4 - waveOutReset

• 0x5b77c8 - waveOutPause

• 0x5b77cc - waveOutWrite

• 0x5b77d0 - waveOutPrepareHeader

• 0x5b77d4 - waveOutUnprepareHeader

• 0x5b77d8 - midiStreamClose

• 0x5b77dc - midiStreamRestart

库 WS2_32.dll:

• 0x5b77f4 - shutdown

• 0x5b77f8 - getservbyname

• 0x5b77fc - inet_addr

• 0x5b7800 - inet_ntoa

• 0x5b7804 - gethostbyname

• 0x5b7808 - WSAStartup

• 0x5b780c - WSACleanup

• 0x5b7810 - WSAGetLastError

• 0x5b7814 - ntohs

• 0x5b7818 - accept

• 0x5b781c - recv

• 0x5b7820 - connect

• 0x5b7824 - ioctlsocket

• 0x5b7828 - recvfrom

• 0x5b782c - getpeername

• 0x5b7830 - setsockopt

• 0x5b7834 - socket

• 0x5b7838 - htons

• 0x5b783c - WSAAsyncSelect

• 0x5b7840 - closesocket

• 0x5b7844 - send

库 MSVFW32.dll:

• 0x5b7458 - DrawDibDraw

库 AVIFIL32.dll:

• 0x5b7020 - AVIStreamInfoA

• 0x5b7024 - AVIStreamGetFrame

库 KERNEL32.dll:

• 0x5b71d8 - InterlockedIncrement

• 0x5b71dc - InterlockedDecrement

• 0x5b71e0 - LocalFree

• 0x5b71e4 - FormatMessageA

• 0x5b71e8 - FileTimeToSystemTime

• 0x5b71ec - FileTimeToLocalFileTime

• 0x5b71f0 - lstrcpynA

• 0x5b71f4 - DuplicateHandle

• 0x5b71f8 - MapViewOfFile

• 0x5b71fc - LockFile

• 0x5b7200 - UnlockFile

• 0x5b7204 - SetEndOfFile

• 0x5b7208 - GetStringTypeExA

• 0x5b720c - GetThreadLocale

• 0x5b7210 - lstrcmpiA

• 0x5b7214 - GlobalDeleteAtom

• 0x5b7218 - GlobalFindAtomA

• 0x5b721c - GlobalAddAtomA

• 0x5b7220 - GlobalGetAtomNameA

• 0x5b7224 - lstrcmpA

• 0x5b7228 - LocalAlloc

• 0x5b722c - TlsAlloc

• 0x5b7230 - GlobalHandle

• 0x5b7234 - TlsFree

• 0x5b7238 - TlsSetValue

• 0x5b723c - LocalReAlloc

• 0x5b7240 - TlsGetValue

• 0x5b7244 - GetFileTime

• 0x5b7248 - GetCurrentThread

• 0x5b724c - GlobalFlags

• 0x5b7250 - SetErrorMode

• 0x5b7254 - GetProcessVersion

• 0x5b7258 - GetCPInfo

• 0x5b725c - GetOEMCP

• 0x5b7260 - GetStartupInfoA

• 0x5b7264 - RtlUnwind

• 0x5b7268 - RaiseException

• 0x5b726c - GetSystemTime

• 0x5b7270 - GetLocalTime

• 0x5b7274 - HeapSize

• 0x5b7278 - GetACP

• 0x5b727c - UnhandledExceptionFilter

• 0x5b7280 - FreeEnvironmentStringsA

• 0x5b7284 - FreeEnvironmentStringsW

• 0x5b7288 - GetEnvironmentStrings

• 0x5b728c - GetEnvironmentStringsW

• 0x5b7290 - SetHandleCount

• 0x5b7294 - GetStdHandle

• 0x5b7298 - GetFileType

• 0x5b729c - GetEnvironmentVariableA

• 0x5b72a0 - HeapDestroy

• 0x5b72a4 - HeapCreate

• 0x5b72a8 - VirtualFree

• 0x5b72ac - SetEnvironmentVariableW

• 0x5b72b0 - SetEnvironmentVariableA

• 0x5b72b4 - LCMapStringA

• 0x5b72b8 - LCMapStringW

• 0x5b72bc - VirtualAlloc

• 0x5b72c0 - IsBadWritePtr

• 0x5b72c4 - SetUnhandledExceptionFilter

• 0x5b72c8 - GetStringTypeA

• 0x5b72cc - GetStringTypeW

• 0x5b72d0 - CompareStringA

• 0x5b72d4 - CompareStringW

• 0x5b72d8 - IsBadReadPtr

• 0x5b72dc - IsBadCodePtr

• 0x5b72e0 - IsValidLocale

• 0x5b72e4 - IsValidCodePage

• 0x5b72e8 - EnumSystemLocalesA

• 0x5b72ec - SetStdHandle

• 0x5b72f0 - GetLocaleInfoW

• 0x5b72f4 - SetNamedPipeHandleState

• 0x5b72f8 - WaitNamedPipeA

• 0x5b72fc - OpenFileMappingA

• 0x5b7300 - OpenEventA

• 0x5b7304 - UnmapViewOfFile

• 0x5b7308 - GetVersion

• 0x5b730c - GetLocaleInfoA

• 0x5b7310 - GetTimeZoneInformation

• 0x5b7314 - SetLastError

• 0x5b7318 - GetSystemDirectoryA

• 0x5b731c - GetWindowsDirectoryA

• 0x5b7320 - TerminateProcess

• 0x5b7324 - GetCurrentProcess

• 0x5b7328 - GetFileSize

• 0x5b732c - SetFilePointer

• 0x5b7330 - CreateSemaphoreA

• 0x5b7334 - ResumeThread

• 0x5b7338 - ReleaseSemaphore

• 0x5b733c - EnterCriticalSection

• 0x5b7340 - LeaveCriticalSection

• 0x5b7344 - GetProfileStringA

• 0x5b7348 - WriteFile

• 0x5b734c - WaitForMultipleObjects

• 0x5b7350 - CreateFileA

• 0x5b7354 - SetEvent

• 0x5b7358 - FindResourceA

• 0x5b735c - LoadResource

• 0x5b7360 - LockResource

• 0x5b7364 - ReadFile

• 0x5b7368 - lstrlenW

• 0x5b736c - GetModuleFileNameA

• 0x5b7370 - WideCharToMultiByte

• 0x5b7374 - MultiByteToWideChar

• 0x5b7378 - GetCurrentThreadId

• 0x5b737c - ExitProcess

• 0x5b7380 - GlobalSize

• 0x5b7384 - GlobalFree

• 0x5b7388 - DeleteCriticalSection

• 0x5b738c - InitializeCriticalSection

• 0x5b7390 - lstrcatA

• 0x5b7394 - lstrlenA

• 0x5b7398 - WinExec

• 0x5b739c - lstrcpyA

• 0x5b73a0 - FindNextFileA

• 0x5b73a4 - GetDriveTypeA

• 0x5b73a8 - GlobalReAlloc

• 0x5b73ac - HeapFree

• 0x5b73b0 - HeapReAlloc

• 0x5b73b4 - GetProcessHeap

• 0x5b73b8 - HeapAlloc

• 0x5b73bc - GetUserDefaultLCID

• 0x5b73c0 - GetFullPathNameA

• 0x5b73c4 - FreeLibrary

• 0x5b73c8 - LoadLibraryA

• 0x5b73cc - GetLastError

• 0x5b73d0 - GetVersionExA

• 0x5b73d4 - WritePrivateProfileStringA

• 0x5b73d8 - GetPrivateProfileStringA

• 0x5b73dc - CreateThread

• 0x5b73e0 - CreateEventA

• 0x5b73e4 - Sleep

• 0x5b73e8 - GlobalAlloc

• 0x5b73ec - GlobalLock

• 0x5b73f0 - GlobalUnlock

• 0x5b73f4 - GetTempPathA

• 0x5b73f8 - FindFirstFileA

• 0x5b73fc - FindClose

• 0x5b7400 - GetFileAttributesA

• 0x5b7404 - DeleteFileA

• 0x5b7408 - CreateDirectoryA

• 0x5b740c - GetCurrentDirectoryA

• 0x5b7410 - SetCurrentDirectoryA

• 0x5b7414 - GetVolumeInformationA

• 0x5b7418 - GetModuleHandleA

• 0x5b741c - GetProcAddress

• 0x5b7420 - MulDiv

• 0x5b7424 - GetCommandLineA

• 0x5b7428 - GetTickCount

• 0x5b742c - WaitForSingleObject

• 0x5b7430 - CloseHandle

• 0x5b7434 - InterlockedExchange

• 0x5b7438 - VirtualProtect

• 0x5b743c - VirtualQuery

• 0x5b7440 - GetSystemInfo

• 0x5b7444 - InterlockedCompareExchange

• 0x5b7448 - FlushFileBuffers

库 USER32.dll:

• 0x5b74dc - MapDialogRect

• 0x5b74e0 - SetWindowContextHelpId

• 0x5b74e4 - CharNextA

• 0x5b74e8 - GetSysColorBrush

• 0x5b74ec - LoadStringA

• 0x5b74f0 - GetMenuCheckMarkDimensions

• 0x5b74f4 - SetMenuItemBitmaps

• 0x5b74f8 - CheckMenuItem

• 0x5b74fc - IsDialogMessageA

• 0x5b7500 - ScrollWindowEx

• 0x5b7504 - SendDlgItemMessageA

• 0x5b7508 - MapWindowPoints

• 0x5b750c - AdjustWindowRectEx

• 0x5b7510 - ScrollWindow

• 0x5b7514 - GetScrollInfo

• 0x5b7518 - SetScrollInfo

• 0x5b751c - ShowScrollBar

• 0x5b7520 - GetScrollPos

• 0x5b7524 - RegisterClassA

• 0x5b7528 - CreateWindowExA

• 0x5b752c - GetClassLongA

• 0x5b7530 - RemovePropA

• 0x5b7534 - GetMessageTime

• 0x5b7538 - GetLastActivePopup

• 0x5b753c - RegisterWindowMessageA

• 0x5b7540 - GetWindowPlacement

• 0x5b7544 - EndDialog

• 0x5b7548 - CreateDialogIndirectParamA

• 0x5b754c - DestroyWindow

• 0x5b7550 - EndPaint

• 0x5b7554 - BeginPaint

• 0x5b7558 - CharUpperA

• 0x5b755c - GetWindowTextLengthA

• 0x5b7560 - GetNextDlgTabItem

• 0x5b7564 - GetForegroundWindow

• 0x5b7568 - FindWindowExA

• 0x5b756c - GetDlgItem

• 0x5b7570 - FindWindowA

• 0x5b7574 - GetClassNameA

• 0x5b7578 - GetDesktopWindow

• 0x5b757c - GetWindowTextA

• 0x5b7580 - SetWindowTextA

• 0x5b7584 - GetMenuItemCount

• 0x5b7588 - GetMenuItemID

• 0x5b758c - GetMenuStringA

• 0x5b7590 - GetMenuState

• 0x5b7594 - GetTabbedTextExtentA

• 0x5b7598 - UnregisterClassA

• 0x5b759c - GrayStringA

• 0x5b75a0 - TabbedTextOutA

• 0x5b75a4 - WindowFromDC

• 0x5b75a8 - EnumChildWindows

• 0x5b75ac - GetWindowDC

• 0x5b75b0 - UnhookWindowsHookEx

• 0x5b75b4 - CallNextHookEx

• 0x5b75b8 - SetWindowsHookExA

• 0x5b75bc - FrameRect

• 0x5b75c0 - GetPropA

• 0x5b75c4 - MoveWindow

• 0x5b75c8 - CallWindowProcA

• 0x5b75cc - SetPropA

• 0x5b75d0 - DrawTextA

• 0x5b75d4 - GetCursor

• 0x5b75d8 - LoadIconA

• 0x5b75dc - TranslateMessage

• 0x5b75e0 - DrawFrameControl

• 0x5b75e4 - DrawEdge

• 0x5b75e8 - DrawFocusRect

• 0x5b75ec - WindowFromPoint

• 0x5b75f0 - GetMessageA

• 0x5b75f4 - DispatchMessageA

• 0x5b75f8 - PostThreadMessageA

• 0x5b75fc - RegisterClipboardFormatA

• 0x5b7600 - CreateIconFromResourceEx

• 0x5b7604 - CreateIconFromResource

• 0x5b7608 - DrawIconEx

• 0x5b760c - CreatePopupMenu

• 0x5b7610 - AppendMenuA

• 0x5b7614 - ModifyMenuA

• 0x5b7618 - CreateMenu

• 0x5b761c - CreateAcceleratorTableA

• 0x5b7620 - GetDlgCtrlID

• 0x5b7624 - GetSubMenu

• 0x5b7628 - EnableMenuItem

• 0x5b762c - ClientToScreen

• 0x5b7630 - EnumDisplaySettingsA

• 0x5b7634 - LoadImageA

• 0x5b7638 - SystemParametersInfoA

• 0x5b763c - ShowWindow

• 0x5b7640 - IsWindowEnabled

• 0x5b7644 - TranslateAcceleratorA

• 0x5b7648 - GetKeyState

• 0x5b764c - CopyAcceleratorTableA

• 0x5b7650 - PostQuitMessage

• 0x5b7654 - IsZoomed

• 0x5b7658 - GetClassInfoA

• 0x5b765c - DefWindowProcA

• 0x5b7660 - GetSystemMenu

• 0x5b7664 - DeleteMenu

• 0x5b7668 - GetMenu

• 0x5b766c - SetMenu

• 0x5b7670 - PeekMessageA

• 0x5b7674 - IsIconic

• 0x5b7678 - SetFocus

• 0x5b767c - GetActiveWindow

• 0x5b7680 - GetWindow

• 0x5b7684 - DestroyAcceleratorTable

• 0x5b7688 - SetWindowRgn

• 0x5b768c - GetMessagePos

• 0x5b7690 - ScreenToClient

• 0x5b7694 - ChildWindowFromPointEx

• 0x5b7698 - LoadBitmapA

• 0x5b769c - WinHelpA

• 0x5b76a0 - KillTimer

• 0x5b76a4 - SetTimer

• 0x5b76a8 - ReleaseCapture

• 0x5b76ac - GetCapture

• 0x5b76b0 - SetCapture

• 0x5b76b4 - GetScrollRange

• 0x5b76b8 - SetScrollRange

• 0x5b76bc - SetScrollPos

• 0x5b76c0 - SetRect

• 0x5b76c4 - InflateRect

• 0x5b76c8 - IntersectRect

• 0x5b76cc - DestroyIcon

• 0x5b76d0 - PtInRect

• 0x5b76d4 - OffsetRect

• 0x5b76d8 - IsWindowVisible

• 0x5b76dc - EnableWindow

• 0x5b76e0 - RedrawWindow

• 0x5b76e4 - GetWindowLongA

• 0x5b76e8 - SetWindowLongA

• 0x5b76ec - GetSysColor

• 0x5b76f0 - SetActiveWindow

• 0x5b76f4 - SetCursorPos

• 0x5b76f8 - LoadCursorA

• 0x5b76fc - SetCursor

• 0x5b7700 - GetDC

• 0x5b7704 - FillRect

• 0x5b7708 - IsRectEmpty

• 0x5b770c - ReleaseDC

• 0x5b7710 - IsChild

• 0x5b7714 - TrackPopupMenu

• 0x5b7718 - DestroyMenu

• 0x5b771c - SetForegroundWindow

• 0x5b7720 - GetWindowRect

• 0x5b7724 - EqualRect

• 0x5b7728 - UpdateWindow

• 0x5b772c - ValidateRect

• 0x5b7730 - InvalidateRect

• 0x5b7734 - GetClientRect

• 0x5b7738 - GetFocus

• 0x5b773c - GetParent

• 0x5b7740 - GetTopWindow

• 0x5b7744 - PostMessageA

• 0x5b7748 - IsWindow

• 0x5b774c - SetParent

• 0x5b7750 - DestroyCursor

• 0x5b7754 - SendMessageA

• 0x5b7758 - SetWindowPos

• 0x5b775c - MessageBeep

• 0x5b7760 - MessageBoxA

• 0x5b7764 - GetCursorPos

• 0x5b7768 - GetSystemMetrics

• 0x5b776c - EmptyClipboard

• 0x5b7770 - SetClipboardData

• 0x5b7774 - OpenClipboard

• 0x5b7778 - GetClipboardData

• 0x5b777c - CloseClipboard

• 0x5b7780 - wsprintfA

• 0x5b7784 - GetNextDlgGroupItem

• 0x5b7788 - SetRectEmpty

• 0x5b778c - CopyRect

• 0x5b7790 - DrawStateA

库 GDI32.dll:

• 0x5b7064 - CreateBrushIndirect

• 0x5b7068 - CreateDCA

• 0x5b706c - CreateCompatibleBitmap

• 0x5b7070 - CreateBitmap

• 0x5b7074 - GetPolyFillMode

• 0x5b7078 - CreatePatternBrush

• 0x5b707c - SelectObject

• 0x5b7080 - CreatePen

• 0x5b7084 - PatBlt

• 0x5b7088 - CombineRgn

• 0x5b708c - CreateRectRgn

• 0x5b7090 - GetStretchBltMode

• 0x5b7094 - FillRgn

• 0x5b7098 - CreateSolidBrush

• 0x5b709c - CreateFontIndirectA

• 0x5b70a0 - GetROP2

• 0x5b70a4 - GetStockObject

• 0x5b70a8 - SetDIBitsToDevice

• 0x5b70ac - GetNearestPaletteIndex

• 0x5b70b0 - SetPolyFillMode

• 0x5b70b4 - SetROP2

• 0x5b70b8 - SetMapMode

• 0x5b70bc - SetViewportOrgEx

• 0x5b70c0 - OffsetViewportOrgEx

• 0x5b70c4 - SetViewportExtEx

• 0x5b70c8 - GetObjectA

• 0x5b70cc - SetWindowExtEx

• 0x5b70d0 - ScaleWindowExtEx

• 0x5b70d4 - EndPage

• 0x5b70d8 - ExcludeClipRect

• 0x5b70dc - MoveToEx

• 0x5b70e0 - LineTo

• 0x5b70e4 - ExtSelectClipRgn

• 0x5b70e8 - GetViewportExtEx

• 0x5b70ec - GetTextMetricsA

• 0x5b70f0 - GetMapMode

• 0x5b70f4 - RestoreDC

• 0x5b70f8 - SaveDC

• 0x5b70fc - SetWindowOrgEx

• 0x5b7100 - SetTextColor

• 0x5b7104 - SetBkMode

• 0x5b7108 - SetBkColor

• 0x5b710c - CreateRectRgnIndirect

• 0x5b7110 - CreateDIBSection

• 0x5b7114 - SetPixel

• 0x5b7118 - SetStretchBltMode

• 0x5b711c - GetClipRgn

• 0x5b7120 - CreatePolygonRgn

• 0x5b7124 - SelectClipRgn

• 0x5b7128 - DeleteObject

• 0x5b712c - CreateDIBitmap

• 0x5b7130 - GetSystemPaletteEntries

• 0x5b7134 - CreatePalette

• 0x5b7138 - StretchBlt

• 0x5b713c - SelectPalette

• 0x5b7140 - RealizePalette

• 0x5b7144 - GetDIBits

• 0x5b7148 - GetWindowExtEx

• 0x5b714c - GetViewportOrgEx

• 0x5b7150 - GetWindowOrgEx

• 0x5b7154 - BeginPath

• 0x5b7158 - EndDoc

• 0x5b715c - DeleteDC

• 0x5b7160 - StartDocA

• 0x5b7164 - StartPage

• 0x5b7168 - BitBlt

• 0x5b716c - GetPixel

• 0x5b7170 - CreateCompatibleDC

• 0x5b7174 - GetClipBox

• 0x5b7178 - Escape

• 0x5b717c - ExtTextOutA

• 0x5b7180 - TextOutA

• 0x5b7184 - RectVisible

• 0x5b7188 - SetPixelV

• 0x5b718c - Ellipse

• 0x5b7190 - Rectangle

• 0x5b7194 - LPtoDP

• 0x5b7198 - DPtoLP

• 0x5b719c - GetCurrentObject

• 0x5b71a0 - RoundRect

• 0x5b71a4 - PtVisible

• 0x5b71a8 - GetTextExtentPoint32A

• 0x5b71ac - ScaleViewportExtEx

• 0x5b71b0 - GetDeviceCaps

• 0x5b71b4 - EndPath

• 0x5b71b8 - PathToRegion

• 0x5b71bc - CreateEllipticRgn

• 0x5b71c0 - CreateRoundRectRgn

• 0x5b71c4 - GetTextColor

• 0x5b71c8 - GetBkMode

• 0x5b71cc - GetBkColor

• 0x5b71d0 - CreatePenIndirect

库 MSIMG32.dll:

• 0x5b7450 - GradientFill

库 WINSPOOL.DRV:

• 0x5b77e4 - ClosePrinter

• 0x5b77e8 - DocumentPropertiesA

• 0x5b77ec - OpenPrinterA

库 comdlg32.dll:

• 0x5b784c - ChooseColorA

• 0x5b7850 - ChooseFontA

• 0x5b7854 - GetOpenFileNameA

• 0x5b7858 - GetSaveFileNameA

• 0x5b785c - GetFileTitleA

库 ADVAPI32.dll:

• 0x5b7000 - RegCreateKeyExA

• 0x5b7004 - RegQueryValueA

• 0x5b7008 - RegSetValueExA

• 0x5b700c - RegOpenKeyExA

• 0x5b7010 - RegQueryValueExA

• 0x5b7014 - RegCloseKey

• 0x5b7018 - RegEnumValueA

库 SHELL32.dll:

• 0x5b74cc - SHGetSpecialFolderPathA

• 0x5b74d0 - Shell_NotifyIconA

• 0x5b74d4 - ShellExecuteA

库 ole32.dll:

• 0x5b7864 - CoRevokeClassObject

• 0x5b7868 - OleFlushClipboard

• 0x5b786c - CoFreeUnusedLibraries

• 0x5b7870 - CreateILockBytesOnHGlobal

• 0x5b7874 - StgCreateDocfileOnILockBytes

• 0x5b7878 - OleIsCurrentClipboard

• 0x5b787c - CoRegisterMessageFilter

• 0x5b7880 - StgOpenStorageOnILockBytes

• 0x5b7884 - CoGetClassObject

• 0x5b7888 - CoDisconnectObject

• 0x5b788c - CoTaskMemFree

• 0x5b7890 - CoTaskMemAlloc

• 0x5b7894 - CLSIDFromProgID

• 0x5b7898 - OleInitialize

• 0x5b789c - OleUninitialize

• 0x5b78a0 - CLSIDFromString

• 0x5b78a4 - CoCreateInstance

• 0x5b78a8 - OleRun

库 OLEAUT32.dll:

• 0x5b7460 - SafeArrayDestroy

• 0x5b7464 - SysAllocString

• 0x5b7468 - VariantInit

• 0x5b746c - VariantCopyInd

• 0x5b7470 - SafeArrayGetElement

• 0x5b7474 - SafeArrayAccessData

• 0x5b7478 - SafeArrayUnaccessData

• 0x5b747c - SafeArrayGetDim

• 0x5b7480 - SafeArrayGetLBound

• 0x5b7484 - SafeArrayGetUBound

• 0x5b7488 - VariantChangeType

• 0x5b748c - VariantClear

• 0x5b7490 - VariantCopy

• 0x5b7494 - UnRegisterTypeLib

• 0x5b7498 - OleCreateFontIndirect

• 0x5b749c - LoadTypeLib

• 0x5b74a0 - VariantTimeToSystemTime

• 0x5b74a4 - SafeArrayCreate

• 0x5b74a8 - SafeArrayPutElement

• 0x5b74ac - RegisterTypeLib

• 0x5b74b0 - LHashValOfNameSys

• 0x5b74b4 - SysFreeString

• 0x5b74b8 - SafeArrayGetElemsize

• 0x5b74bc - SysAllocStringByteLen

• 0x5b74c0 - SysAllocStringLen

• 0x5b74c4 - SysStringLen

库 COMCTL32.dll:

• 0x5b702c - ImageList_DrawIndirect

• 0x5b7030 - ImageList_Read

• 0x5b7034 - ImageList_Duplicate

• 0x5b7038 - ImageList_Create

• 0x5b703c - ImageList_Destroy

• 0x5b7040 - ImageList_GetIcon

• 0x5b7044 - ImageList_GetImageInfo

• 0x5b7048 - ImageList_GetImageCount

• 0x5b704c - ImageList_SetBkColor

• 0x5b7050 - ImageList_Draw

• 0x5b7054 - _TrackMouseEvent

• 0x5b7058 - ImageList_AddMasked

• 0x5b705c - None

库 oledlg.dll:

• 0x5b78b0 - None

投放文件

无信息

行为分析

互斥量(Mutexes)

Local\MSCTF.Asm.MutexDefault1

执行的命令 无信息

创建的服务 无信息

启动的服务 无信息

进程

_________PC v130.0.1.exe PID: 2612, 上一级进程 PID: 2248

访问的文件

C:\Windows\Globalization\Sorting\sortdefault.nls
C:\Users\test\AppData\Local\Temp\ole32.DLL
C:\Windows\SysWOW64\msscript.ocx
C:\Users\test\AppData\Local\Temp\kernel32.dll
C:\Users\test\AppData\Local\Temp\advapi32.dll
C:\Windows\Fonts\staticcache.dat
C:\Users\test\AppData\Local\Temp\boluo.ini
C:\Users\test\AppData\Local\Temp\kernel32.DLL
C:\Users\test\AppData\Local\Temp\Wininet.DLL
C:\Users\test\AppData\Local\Temp\wininet.DLL
C:\Users\test\AppData\Local\Temp\Kernel32.DLL
C:\Users\test\AppData\Local\Temp\wininet.dll
C:\Users\test\AppData\Local\Temp\Ole32.DLL

读取的文件

C:\Windows\Globalization\Sorting\sortdefault.nls
C:\Windows\SysWOW64\msscript.ocx
C:\Windows\Fonts\staticcache.dat
C:\Users\test\AppData\Local\Temp\boluo.ini

修改的文件 无信息

删除的文件 无信息

注册表键

HKEY_CURRENT_USER\Software\Classes
HKEY_CURRENT_USER\Software\Classes\TypeLib
HKEY_CURRENT_USER\Software\Classes\TypeLib\{0E59F1D2-1FBE-11D0-8FF2-00A0D10038BC}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{0E59F1D2-1FBE-11D0-8FF2-00A0D10038BC}\1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{0E59F1D2-1FBE-11D0-8FF2-00A0D10038BC}\1.0\0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{0E59F1D2-1FBE-11D0-8FF2-00A0D10038BC}\1.0\0\win32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{0E59F1D2-1FBE-11D0-8FF2-00A0D10038BC}\1.0\0\win32\(Default)
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\ExtendedLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_CURRENT_USER\Software\Classes\CLSID
HKEY_CURRENT_USER\Software\Classes\Wow6432Node\CLSID\{F414C260-6AC0-11CF-B6D1-00AA00BBBB58}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}
HKEY_LOCAL_MACHINE\Software\Microsoft\COM3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\COM3\COM+Enabled
HKEY_CURRENT_USER\Software\Microsoft\Windows Script\Settings
HKEY_CURRENT_USER\Software\Microsoft\Windows Script\Settings\JITDebug
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\SecureProtocols
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\SecureProtocols
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client\DisabledByDefault
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client\DisabledByDefault
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\\xe5\xbe\xae\xe8\xbd\xaf\xe9\x9b\x85\xe9\xbb\x91
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane16
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\_________PC v130.0.1.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{03B5835F-F03C-411B-9CE2-AA23E1171E36}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{07EB03D6-B001-41DF-9192-BF9B841EE71F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3697C5FA-60DD-4B56-92D4-74A569205C16}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3FC47A08-E5C9-4BCA-A2C7-BC9A282AED14}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{531FDEBF-9B4C-4A43-A2AA-960E8FCDC732}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{78CB5B0E-26ED-4FCC-854C-77E8F3D1AA80}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{81D4E9C9-1D3B-41BC-9E6C-4B40BF79E35E}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{8613E14C-D0C0-4161-AC0F-1DD2563286BC}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{A028AE76-01B1-46C2-99C4-ACD9858AE02F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{AE6BE008-07FB-400D-8BEB-337A64F7051F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{C1EE01F2-B3B6-4A6A-9DDD-E988C088EC82}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{E429B25A-E5D3-4D1F-9BE3-0C608477E3A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F25E9F57-2FC8-4EB3-A41A-CCE5F08541E6}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F89E9E58-BD2F-4008-9AC2-0F816C09F4EE}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_CURRENT_USER
HKEY_CURRENT_USER\Keyboard Layout\Toggle
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
HKEY_CURRENT_USER\Software\Microsoft\CTF\DirectSwitchHotkeys
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\KnownClasses
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\crypt32
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\crypt32\DebugHeapFlags
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\DisableImprovedZoneCheck
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Security_HKLM_only

读取的注册表键

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{0E59F1D2-1FBE-11D0-8FF2-00A0D10038BC}\1.0\0\win32\(Default)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\COM3\COM+Enabled
HKEY_CURRENT_USER\Software\Microsoft\Windows Script\Settings\JITDebug
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\SecureProtocols
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\SecureProtocols
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane16
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\crypt32\DebugHeapFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\DisableImprovedZoneCheck
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Security_HKLM_only

修改的注册表键

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\SecureProtocols
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\SecureProtocols
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client\DisabledByDefault
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client\DisabledByDefault

删除的注册表键 无信息

API解析

kernel32.dll.IsProcessorFeaturePresent
cryptbase.dll.SystemFunction036
kernel32.dll.SortGetHandle
kernel32.dll.SortCloseHandle
ole32.dll.CoInitialize
sxs.dll.SxsOleAut32RedirectTypeLibrary
advapi32.dll.RegOpenKeyW
advapi32.dll.RegQueryValueW
sxs.dll.SxsOleAut32MapConfiguredClsidToReferenceClsid
advapi32.dll.RegQueryValueExA
advapi32.dll.RegCloseKey
ole32.dll.CoGetObjectContext
ole32.dll.CoCreateInstance
advapi32.dll.RegCreateKeyA
kernel32.dll.OpenEventA
kernel32.dll.CreateEventA
advapi32.dll.RegOpenKeyA
kernel32.dll.RegCloseKey
advapi32.dll.RegSetValueExA
comctl32.dll.RegisterClassNameW
uxtheme.dll.EnableThemeDialogTexture
uxtheme.dll.OpenThemeData
imm32.dll.ImmIsIME
gdi32.dll.GetLayout
gdi32.dll.GdiRealizationInfo
gdi32.dll.FontIsLinked
advapi32.dll.RegOpenKeyExW
advapi32.dll.RegQueryInfoKeyW
gdi32.dll.GetTextFaceAliasW
advapi32.dll.RegEnumValueW
advapi32.dll.RegQueryValueExW
advapi32.dll.RegEnumKeyExW
gdi32.dll.GetTextExtentExPointWPri
gdi32.dll.GetFontAssocStatus
ole32.dll.CoInitializeEx
ole32.dll.CoUninitialize
ole32.dll.CoRegisterInitializeSpy
ole32.dll.CoRevokeInitializeSpy
uxtheme.dll.BufferedPaintInit
uxtheme.dll.BeginBufferedPaint
gdi32.dll.GdiIsMetaPrintDC
uxtheme.dll.EndBufferedPaint
kernel32.dll.GetProcessHeap
wininet.dll.InternetOpenA
wininet.dll.InternetSetOptionA
kernel32.dll.HeapAlloc
wininet.dll.InternetConnectA
wininet.dll.HttpOpenRequestA
wininet.dll.HttpSendRequestA
rasapi32.dll.RasConnectionNotificationW
sechost.dll.OpenServiceA
sechost.dll.NotifyServiceStatusChangeA
wininet.dll.HttpQueryInfoA
wininet.dll.InternetReadFile
kernel32.dll.RtlMoveMemory
kernel32.dll.HeapReAlloc
wininet.dll.InternetCloseHandle
kernel32.dll.HeapFree
wininet.dll.InternetTimeToSystemTime
oleaut32.dll.#500