魔盾安全分析报告

分析类型	开始时间	结束时间	持续时间	分析引擎版本
FILE	2024-04-18 13:35:11	2024-04-18 13:37:21	130 秒	1.4-Maldun

虚拟机机器名	标签	虚拟机管理	开机时间	关机时间
win7-sp1-x64-shaapp03-1	win7-sp1-x64-shaapp03-1	KVM	2024-04-18 13:35:11	2024-04-18 13:37:23

魔盾分数
2.05 可疑的

文件详细信息

文件名	SpaceSniffer_磁盘清理.exe
文件大小	849920 字节
文件类型	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, UPX compressed
CRC32	DD4780A6
MD5	c0500ff614eb785dec51883039c3df9c
SHA1	5d1dc8a359e4f4a00d935a5d9539b5f49d530b19
SHA256	00833c999d803b4a1c6320998ac1cceaf2ee128da50881e1dbc738ff3fee7938
SHA512	a25a6c2b7646dec4d1ecd028c3ad36c1e8d520beea1ac440c4af9631956a3e69e533be0d76c1289195510ff25ad8b56b91e567f8f132e8b68c2ca74f7a3f90c8
Ssdeep	24576:s9CGLypHmqUFFfaRSYtsHiwBM/tJzktFKeQr5v3Br:sYGDzfaMksHiX/bkfK9r55
PEiD	无匹配
Yara	with_images (Detected the presence of an or several images) with_urls (Detected the presence of an or several urls) IsPE32 (Detected a 32bit PE sample) IsWindowsGUI (Detected a Windows GUI sample) IsPacked (Detected Entropy signature) Borland (Detects Borland program) UPXv20MarkusLaszloReiser () UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser () UPX290LZMAMarkusOberhumerLaszloMolnarJohnReiser () upx_3 (UPX 3.X) screenshot (Detected take screenshot function) win_registry (Detected system registries modification function) UPX (Detected UPX. Commonly used by RAT!)
VirusTotal	VirusTotal查询失败

特征

创建RWX内存

二进制文件可能包含加密或压缩数据

section: name: UPX1, entropy: 7.79, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE, raw_size: 0x000c7400, virtual_size: 0x000c8000

专有的Yara规则检测结果 - 安全告警

Warning: Detected UPX. Commonly used by RAT!

可执行文件被使用UPX压缩

section: name: UPX0, entropy: 0.00, characteristics: IMAGE_SCN_CNT_UNINITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE, raw_size: 0x00000000, virtual_size: 0x00200000

运行截图

网络分析

TCP连接

IP地址	端口
23.223.198.226	80

UDP连接

IP地址	端口
192.168.122.1	53

HTTP请求

URL	HTTP数据
http://acroipm.adobe.com/11/rdr/CHS/win/nooem/none/message.zip	GET /11/rdr/CHS/win/nooem/none/message.zip HTTP/1.1 Accept: / If-Modified-Since: Mon, 08 Nov 2017 08:44:36 GMT User-Agent: IPM Host: acroipm.adobe.com Connection: Keep-Alive Cache-Control: no-cache

静态分析

PE 信息

初始地址	0x00400000
入口地址	0x006c8090
声明校验值	0x00000000
实际校验值	0x000d2669
最低操作系统版本要求	4.0
编译时间	2009-12-17 06:12:32
载入哈希	fa7b16add81f1f67fab9c82982a0b353
图标
图标精确哈希值	5c5bbef8d8c56bea2988225bf200fa63
图标相似性哈希值	8ce6c3e1fcab8f0b0b2aa98877e65c86

版本信息

LegalCopyright:	Copyright Uderzo Umberto
InternalName:
FileVersion:	1.1.2.0
CompanyName:	Uderzo Software e Consulenza Informatica
LegalTrademarks:
Comments:
ProductName:	SpaceSniffer
ProductVersion:	1.1.2.0
FileDescription:	\xe7\xe7\xe7\xe9\xe5\xe6\xe5\xe5
OriginalFilename:
Translation:	0x0804 0x03a8

PE数据组成

名称	虚拟地址	虚拟大小	原始数据大小	特征	熵(Entropy)
UPX0	0x00001000	0x00200000	0x00000000	IMAGE_SCN_CNT_UNINITIALIZED_DATA\|IMAGE_SCN_MEM_EXECUTE\|IMAGE_SCN_MEM_READ\|IMAGE_SCN_MEM_WRITE	0.00
UPX1	0x00201000	0x000c8000	0x000c7400	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_EXECUTE\|IMAGE_SCN_MEM_READ\|IMAGE_SCN_MEM_WRITE	7.79
.rsrc	0x002c9000	0x00008000	0x00008000	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ\|IMAGE_SCN_MEM_WRITE	4.45

资源

名称	偏移量	大小	语言	子语言	熵(Entropy)	文件类型
RT_CURSOR	0x0024667c	0x00000134	LANG_ENGLISH	SUBLANG_ENGLISH_US	7.16	data
RT_CURSOR	0x0024667c	0x00000134	LANG_ENGLISH	SUBLANG_ENGLISH_US	7.16	data
RT_CURSOR	0x0024667c	0x00000134	LANG_ENGLISH	SUBLANG_ENGLISH_US	7.16	data
RT_CURSOR	0x0024667c	0x00000134	LANG_ENGLISH	SUBLANG_ENGLISH_US	7.16	data
RT_CURSOR	0x0024667c	0x00000134	LANG_ENGLISH	SUBLANG_ENGLISH_US	7.16	data
RT_CURSOR	0x0024667c	0x00000134	LANG_ENGLISH	SUBLANG_ENGLISH_US	7.16	data
RT_CURSOR	0x0024667c	0x00000134	LANG_ENGLISH	SUBLANG_ENGLISH_US	7.16	data
RT_BITMAP	0x002479e4	0x000000e8	LANG_ENGLISH	SUBLANG_ENGLISH_US	6.84	data
RT_BITMAP	0x002479e4	0x000000e8	LANG_ENGLISH	SUBLANG_ENGLISH_US	6.84	data
RT_BITMAP	0x002479e4	0x000000e8	LANG_ENGLISH	SUBLANG_ENGLISH_US	6.84	data
RT_BITMAP	0x002479e4	0x000000e8	LANG_ENGLISH	SUBLANG_ENGLISH_US	6.84	data
RT_BITMAP	0x002479e4	0x000000e8	LANG_ENGLISH	SUBLANG_ENGLISH_US	6.84	data
RT_BITMAP	0x002479e4	0x000000e8	LANG_ENGLISH	SUBLANG_ENGLISH_US	6.84	data
RT_BITMAP	0x002479e4	0x000000e8	LANG_ENGLISH	SUBLANG_ENGLISH_US	6.84	data
RT_BITMAP	0x002479e4	0x000000e8	LANG_ENGLISH	SUBLANG_ENGLISH_US	6.84	data
RT_BITMAP	0x002479e4	0x000000e8	LANG_ENGLISH	SUBLANG_ENGLISH_US	6.84	data
RT_BITMAP	0x002479e4	0x000000e8	LANG_ENGLISH	SUBLANG_ENGLISH_US	6.84	data
RT_BITMAP	0x002479e4	0x000000e8	LANG_ENGLISH	SUBLANG_ENGLISH_US	6.84	data
RT_ICON	0x002ce17c	0x000025a8	LANG_ITALIAN	SUBLANG_ITALIAN	3.82	data
RT_ICON	0x002ce17c	0x000025a8	LANG_ITALIAN	SUBLANG_ITALIAN	3.82	data
RT_ICON	0x002ce17c	0x000025a8	LANG_ITALIAN	SUBLANG_ITALIAN	3.82	data
RT_ICON	0x002ce17c	0x000025a8	LANG_ITALIAN	SUBLANG_ITALIAN	3.82	data
RT_ICON	0x002ce17c	0x000025a8	LANG_ITALIAN	SUBLANG_ITALIAN	3.82	data
RT_ICON	0x002ce17c	0x000025a8	LANG_ITALIAN	SUBLANG_ITALIAN	3.82	data
RT_ICON	0x002ce17c	0x000025a8	LANG_ITALIAN	SUBLANG_ITALIAN	3.82	data
RT_ICON	0x002ce17c	0x000025a8	LANG_ITALIAN	SUBLANG_ITALIAN	3.82	data
RT_DIALOG	0x0024e2e0	0x00000052	LANG_NEUTRAL	SUBLANG_NEUTRAL	5.71	data
RT_DIALOG	0x0024e2e0	0x00000052	LANG_NEUTRAL	SUBLANG_NEUTRAL	5.71	data
RT_STRING	0x0024f8f4	0x0000014c	LANG_NEUTRAL	SUBLANG_NEUTRAL	7.08	data
RT_STRING	0x0024f8f4	0x0000014c	LANG_NEUTRAL	SUBLANG_NEUTRAL	7.08	data
RT_STRING	0x0024f8f4	0x0000014c	LANG_NEUTRAL	SUBLANG_NEUTRAL	7.08	data
RT_STRING	0x0024f8f4	0x0000014c	LANG_NEUTRAL	SUBLANG_NEUTRAL	7.08	data
RT_STRING	0x0024f8f4	0x0000014c	LANG_NEUTRAL	SUBLANG_NEUTRAL	7.08	data
RT_STRING	0x0024f8f4	0x0000014c	LANG_NEUTRAL	SUBLANG_NEUTRAL	7.08	data
RT_STRING	0x0024f8f4	0x0000014c	LANG_NEUTRAL	SUBLANG_NEUTRAL	7.08	data
RT_STRING	0x0024f8f4	0x0000014c	LANG_NEUTRAL	SUBLANG_NEUTRAL	7.08	data
RT_STRING	0x0024f8f4	0x0000014c	LANG_NEUTRAL	SUBLANG_NEUTRAL	7.08	data
RT_STRING	0x0024f8f4	0x0000014c	LANG_NEUTRAL	SUBLANG_NEUTRAL	7.08	data
RT_STRING	0x0024f8f4	0x0000014c	LANG_NEUTRAL	SUBLANG_NEUTRAL	7.08	data
RT_STRING	0x0024f8f4	0x0000014c	LANG_NEUTRAL	SUBLANG_NEUTRAL	7.08	data
RT_STRING	0x0024f8f4	0x0000014c	LANG_NEUTRAL	SUBLANG_NEUTRAL	7.08	data
RT_STRING	0x0024f8f4	0x0000014c	LANG_NEUTRAL	SUBLANG_NEUTRAL	7.08	data
RT_STRING	0x0024f8f4	0x0000014c	LANG_NEUTRAL	SUBLANG_NEUTRAL	7.08	data
RT_STRING	0x0024f8f4	0x0000014c	LANG_NEUTRAL	SUBLANG_NEUTRAL	7.08	data
RT_STRING	0x0024f8f4	0x0000014c	LANG_NEUTRAL	SUBLANG_NEUTRAL	7.08	data
RT_STRING	0x0024f8f4	0x0000014c	LANG_NEUTRAL	SUBLANG_NEUTRAL	7.08	data
RT_STRING	0x0024f8f4	0x0000014c	LANG_NEUTRAL	SUBLANG_NEUTRAL	7.08	data
RT_RCDATA	0x002c48a0	0x00000498	LANG_NEUTRAL	SUBLANG_NEUTRAL	6.92	data
RT_RCDATA	0x002c48a0	0x00000498	LANG_NEUTRAL	SUBLANG_NEUTRAL	6.92	data
RT_RCDATA	0x002c48a0	0x00000498	LANG_NEUTRAL	SUBLANG_NEUTRAL	6.92	data
RT_RCDATA	0x002c48a0	0x00000498	LANG_NEUTRAL	SUBLANG_NEUTRAL	6.92	data
RT_RCDATA	0x002c48a0	0x00000498	LANG_NEUTRAL	SUBLANG_NEUTRAL	6.92	data
RT_RCDATA	0x002c48a0	0x00000498	LANG_NEUTRAL	SUBLANG_NEUTRAL	6.92	data
RT_RCDATA	0x002c48a0	0x00000498	LANG_NEUTRAL	SUBLANG_NEUTRAL	6.92	data
RT_RCDATA	0x002c48a0	0x00000498	LANG_NEUTRAL	SUBLANG_NEUTRAL	6.92	data
RT_RCDATA	0x002c48a0	0x00000498	LANG_NEUTRAL	SUBLANG_NEUTRAL	6.92	data
RT_RCDATA	0x002c48a0	0x00000498	LANG_NEUTRAL	SUBLANG_NEUTRAL	6.92	data
RT_GROUP_CURSOR	0x002c4db0	0x00000014	LANG_ENGLISH	SUBLANG_ENGLISH_US	3.88	data
RT_GROUP_CURSOR	0x002c4db0	0x00000014	LANG_ENGLISH	SUBLANG_ENGLISH_US	3.88	data
RT_GROUP_CURSOR	0x002c4db0	0x00000014	LANG_ENGLISH	SUBLANG_ENGLISH_US	3.88	data
RT_GROUP_CURSOR	0x002c4db0	0x00000014	LANG_ENGLISH	SUBLANG_ENGLISH_US	3.88	data
RT_GROUP_CURSOR	0x002c4db0	0x00000014	LANG_ENGLISH	SUBLANG_ENGLISH_US	3.88	data
RT_GROUP_CURSOR	0x002c4db0	0x00000014	LANG_ENGLISH	SUBLANG_ENGLISH_US	3.88	data
RT_GROUP_CURSOR	0x002c4db0	0x00000014	LANG_ENGLISH	SUBLANG_ENGLISH_US	3.88	data
RT_GROUP_ICON	0x002d0728	0x00000076	LANG_ITALIAN	SUBLANG_ITALIAN	2.86	MS Windows icon resource - 8 icons, 16x16
RT_VERSION	0x002d07a4	0x0000031c	LANG_CHINESE	SUBLANG_NEUTRAL	3.42	data
RT_MANIFEST	0x002d0ac4	0x00000245	LANG_ENGLISH	SUBLANG_ENGLISH_US	4.95	XML 1.0 document, ASCII text, with CRLF line terminators

导入

库 KERNEL32.DLL:

• 0x6d0e10 - LoadLibraryA

• 0x6d0e14 - GetProcAddress

• 0x6d0e18 - VirtualProtect

• 0x6d0e1c - VirtualAlloc

• 0x6d0e20 - VirtualFree

• 0x6d0e24 - ExitProcess

库 ADVAPI32.DLL:

• 0x6d0e2c - RegCloseKey

库 COMCTL32.DLL:

• 0x6d0e34 - None

库 COMDLG32.DLL:

• 0x6d0e3c - ChooseColorA

库 GDI32.DLL:

• 0x6d0e44 - BitBlt

库 MSIMG32.DLL:

• 0x6d0e4c - GradientFill

库 OLE32.DLL:

• 0x6d0e54 - CoInitialize

库 OLEAUT32.DLL:

• 0x6d0e5c - VariantInit

库 SHELL32.DLL:

• 0x6d0e64 - SHGetMalloc

库 USER32.DLL:

• 0x6d0e6c - GetDC

库 VERSION.DLL:

• 0x6d0e74 - VerQueryValueA

库 WINMM.DLL:

• 0x6d0e7c - timeGetTime

投放文件

无信息

行为分析

互斥量(Mutexes)

Local\MSCTF.Asm.MutexDefault1

执行的命令 无信息

创建的服务 无信息

启动的服务 无信息

进程

SpaceSniffer_____________.exe PID: 2560, 上一级进程 PID: 2308

访问的文件

C:\Users\test\AppData\Local\Temp\SpaceSniffer_____________.exe
C:\Users
C:\Users\test
C:\Users\test\AppData
C:\Users\test\AppData\Local
C:\Users\test\AppData\Local\Temp
C:\Users\test\AppData\Local\Temp\SpaceSniffer_____________.CHS
C:\Users\test\AppData\Local\Temp\SpaceSniffer_____________.CHS.DLL
C:\Users\test\AppData\Local\Temp\SpaceSniffer_____________.CH
C:\Users\test\AppData\Local\Temp\SpaceSniffer_____________.CH.DLL
C:\Windows\Globalization\Sorting\sortdefault.nls
\Device\KsecDD
C:\Windows\Fonts\staticcache.dat
C:\Users\test\AppData\Local\Temp\SpaceSnifferConfig.xml
C:\

读取的文件

C:\Windows\Globalization\Sorting\sortdefault.nls
\Device\KsecDD
C:\Windows\Fonts\staticcache.dat

修改的文件 无信息

删除的文件 无信息

注册表键

HKEY_CURRENT_USER\Software\Borland\Locales
HKEY_CURRENT_USER\Software\Borland\Locales\C:\Users\test\AppData\Local\Temp\SpaceSniffer_____________.exe
HKEY_CURRENT_USER\Software\Borland\Locales\(Default)
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\WMR
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\MS Shell Dlg 2
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08040804
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\E0200804
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Keyboard Layouts\E0200804\layout text
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\E0210804
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Keyboard Layouts\E0210804\layout text
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04090409
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane16
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\SpaceSniffer_____________.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\FontSubstitutes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\\xe5\xae\x8b\xe4\xbd\x93
HKEY_LOCAL_MACHINE\Software\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{03B5835F-F03C-411B-9CE2-AA23E1171E36}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{07EB03D6-B001-41DF-9192-BF9B841EE71F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3697C5FA-60DD-4B56-92D4-74A569205C16}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3FC47A08-E5C9-4BCA-A2C7-BC9A282AED14}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{531FDEBF-9B4C-4A43-A2AA-960E8FCDC732}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{78CB5B0E-26ED-4FCC-854C-77E8F3D1AA80}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{81D4E9C9-1D3B-41BC-9E6C-4B40BF79E35E}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{8613E14C-D0C0-4161-AC0F-1DD2563286BC}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{A028AE76-01B1-46C2-99C4-ACD9858AE02F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{AE6BE008-07FB-400D-8BEB-337A64F7051F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{C1EE01F2-B3B6-4A6A-9DDD-E988C088EC82}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{E429B25A-E5D3-4D1F-9BE3-0C608477E3A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F25E9F57-2FC8-4EB3-A41A-CCE5F08541E6}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F89E9E58-BD2F-4008-9AC2-0F816C09F4EE}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_CURRENT_USER
HKEY_CURRENT_USER\Keyboard Layout\Toggle
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
HKEY_CURRENT_USER\Software\Microsoft\CTF\DirectSwitchHotkeys
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\KnownClasses
HKEY_CURRENT_USER\Control Panel\Desktop
HKEY_CURRENT_USER\Control Panel\Desktop\SmoothScroll
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\EnableBalloonTips
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ListviewAlphaSelect
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ListviewShadow
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\AccListViewV6
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\UseDoubleClickTimer
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\ExtendedLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US

读取的注册表键

HKEY_CURRENT_USER\Software\Borland\Locales\C:\Users\test\AppData\Local\Temp\SpaceSniffer_____________.exe
HKEY_CURRENT_USER\Software\Borland\Locales\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\MS Shell Dlg 2
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Keyboard Layouts\E0200804\layout text
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Keyboard Layouts\E0210804\layout text
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane16
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\\xe5\xae\x8b\xe4\xbd\x93
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
HKEY_CURRENT_USER\Control Panel\Desktop\SmoothScroll
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\EnableBalloonTips
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ListviewAlphaSelect
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ListviewShadow
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\AccListViewV6
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\UseDoubleClickTimer
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US

修改的注册表键 无信息

删除的注册表键 无信息

API解析

kernel32.dll.CloseHandle
kernel32.dll.CompareStringA
kernel32.dll.CreateEventA
kernel32.dll.CreateFileA
kernel32.dll.CreateFileW
kernel32.dll.CreateThread
kernel32.dll.DeleteCriticalSection
kernel32.dll.DeleteFileA
kernel32.dll.EnterCriticalSection
kernel32.dll.EnumCalendarInfoA
kernel32.dll.ExitProcess
kernel32.dll.ExitThread
kernel32.dll.FileTimeToLocalFileTime
kernel32.dll.FileTimeToSystemTime
kernel32.dll.FindClose
kernel32.dll.FindFirstFileA
kernel32.dll.FindFirstFileW
kernel32.dll.FindNextFileW
kernel32.dll.FindResourceA
kernel32.dll.FormatMessageA
kernel32.dll.FreeLibrary
kernel32.dll.FreeResource
kernel32.dll.GetACP
kernel32.dll.GetCPInfo
kernel32.dll.GetCommandLineA
kernel32.dll.GetCommandLineW
kernel32.dll.GetCompressedFileSizeW
kernel32.dll.GetComputerNameA
kernel32.dll.GetCurrentProcess
kernel32.dll.GetCurrentProcessId
kernel32.dll.GetCurrentThreadId
kernel32.dll.GetDateFormatA
kernel32.dll.GetDiskFreeSpaceA
kernel32.dll.GetDriveTypeA
kernel32.dll.GetEnvironmentStrings
kernel32.dll.GetExitCodeThread
kernel32.dll.GetFileAttributesA
kernel32.dll.GetFileAttributesW
kernel32.dll.GetFileSizeEx
kernel32.dll.GetFileTime
kernel32.dll.GetFileType
kernel32.dll.GetFullPathNameA
kernel32.dll.GetLastError
kernel32.dll.GetLocalTime
kernel32.dll.GetLocaleInfoA
kernel32.dll.GetLogicalDriveStringsA
kernel32.dll.GetLogicalDrives
kernel32.dll.GetModuleFileNameA
kernel32.dll.GetModuleHandleA
kernel32.dll.GetOEMCP
kernel32.dll.GetProcAddress
kernel32.dll.GetProcessHeap
kernel32.dll.GetStartupInfoA
kernel32.dll.GetStdHandle
kernel32.dll.GetStringTypeA
kernel32.dll.GetStringTypeW
kernel32.dll.GetSystemDefaultLangID
kernel32.dll.GetSystemDirectoryA
kernel32.dll.GetSystemInfo
kernel32.dll.GetSystemTimeAsFileTime
kernel32.dll.GetTempPathA
kernel32.dll.GetThreadLocale
kernel32.dll.GetTickCount
kernel32.dll.GetTimeFormatA
kernel32.dll.GetUserDefaultLCID
kernel32.dll.GetVersion
kernel32.dll.GetVersionExA
kernel32.dll.GetVolumeInformationA
kernel32.dll.GetWindowsDirectoryA
kernel32.dll.GlobalAddAtomA
kernel32.dll.GlobalDeleteAtom
kernel32.dll.GlobalFindAtomA
kernel32.dll.HeapAlloc
kernel32.dll.HeapFree
kernel32.dll.InitializeCriticalSection
kernel32.dll.InterlockedDecrement
kernel32.dll.InterlockedExchange
kernel32.dll.InterlockedIncrement
kernel32.dll.IsValidLocale
kernel32.dll.LCMapStringA
kernel32.dll.LeaveCriticalSection
kernel32.dll.LoadLibraryA
kernel32.dll.LoadLibraryExA
kernel32.dll.LoadResource
kernel32.dll.LocalFree
kernel32.dll.LockResource
kernel32.dll.MulDiv
kernel32.dll.MultiByteToWideChar
kernel32.dll.OutputDebugStringA
kernel32.dll.QueryPerformanceCounter
kernel32.dll.QueryPerformanceFrequency
kernel32.dll.RaiseException
kernel32.dll.ReadDirectoryChangesW
kernel32.dll.ReadFile
kernel32.dll.ResetEvent
kernel32.dll.ResumeThread
kernel32.dll.RtlUnwind
kernel32.dll.SetComputerNameA
kernel32.dll.SetConsoleCtrlHandler
kernel32.dll.SetEndOfFile
kernel32.dll.SetErrorMode
kernel32.dll.SetEvent
kernel32.dll.SetFilePointer
kernel32.dll.SetHandleCount
kernel32.dll.SetLastError
kernel32.dll.SetThreadLocale
kernel32.dll.SizeofResource
kernel32.dll.Sleep
kernel32.dll.TerminateThread
kernel32.dll.TlsAlloc
kernel32.dll.TlsFree
kernel32.dll.TlsGetValue
kernel32.dll.TlsSetValue
kernel32.dll.UnhandledExceptionFilter
kernel32.dll.VirtualAlloc
kernel32.dll.VirtualFree
kernel32.dll.VirtualQuery
kernel32.dll.WaitForSingleObject
kernel32.dll.WideCharToMultiByte
kernel32.dll.WriteFile
kernel32.dll.lstrcmpA
kernel32.dll.lstrcpyA
kernel32.dll.lstrcpynA
kernel32.dll.lstrlenA
advapi32.dll.AdjustTokenPrivileges
advapi32.dll.LookupPrivilegeValueA
advapi32.dll.OpenProcessToken
advapi32.dll.RegCloseKey
advapi32.dll.RegFlushKey
advapi32.dll.RegOpenKeyExA
advapi32.dll.RegQueryValueExA
comctl32.dll.ImageList_Add
comctl32.dll.ImageList_BeginDrag
comctl32.dll.ImageList_Destroy
comctl32.dll.ImageList_DragEnter
comctl32.dll.ImageList_DragLeave
comctl32.dll.ImageList_DragMove
comctl32.dll.ImageList_DragShowNolock
comctl32.dll.ImageList_Draw
comctl32.dll.ImageList_DrawEx
comctl32.dll.ImageList_EndDrag
comctl32.dll.ImageList_GetBkColor
comctl32.dll.ImageList_GetDragImage
comctl32.dll.ImageList_GetIconSize
comctl32.dll.ImageList_GetImageCount
comctl32.dll.ImageList_Read
comctl32.dll.ImageList_Remove
comctl32.dll.ImageList_SetBkColor
comctl32.dll.ImageList_SetIconSize
comctl32.dll.ImageList_Write
comctl32.dll.#17
comctl32.dll._TrackMouseEvent
comctl32.dll.ImageList_Create
comdlg32.dll.ChooseColorA
comdlg32.dll.GetOpenFileNameA
comdlg32.dll.GetSaveFileNameA
gdi32.dll.BitBlt
gdi32.dll.CombineRgn
gdi32.dll.CopyEnhMetaFileA
gdi32.dll.CreateBitmap
gdi32.dll.CreateBrushIndirect
gdi32.dll.CreateCompatibleBitmap
gdi32.dll.CreateCompatibleDC
gdi32.dll.CreateDIBSection
gdi32.dll.CreateDIBitmap
gdi32.dll.CreateFontIndirectA
gdi32.dll.CreateHalftonePalette
gdi32.dll.CreatePalette
gdi32.dll.CreatePenIndirect
gdi32.dll.CreateRectRgn
gdi32.dll.CreateSolidBrush
gdi32.dll.DeleteDC
gdi32.dll.DeleteEnhMetaFile
gdi32.dll.DeleteObject
gdi32.dll.ExcludeClipRect
gdi32.dll.ExtTextOutA
gdi32.dll.ExtTextOutW
gdi32.dll.GetBitmapBits
gdi32.dll.GetBrushOrgEx
gdi32.dll.GetClipBox
gdi32.dll.GetCurrentPositionEx
gdi32.dll.GetDCOrgEx
gdi32.dll.GetDIBColorTable
gdi32.dll.GetDIBits
gdi32.dll.GetDeviceCaps
gdi32.dll.GetEnhMetaFileBits
gdi32.dll.GetEnhMetaFileHeader
gdi32.dll.GetEnhMetaFilePaletteEntries
gdi32.dll.GetObjectA
gdi32.dll.GetPaletteEntries
gdi32.dll.GetPixel
gdi32.dll.GetRgnBox
gdi32.dll.GetStockObject
gdi32.dll.GetSystemPaletteEntries
gdi32.dll.GetTextExtentPoint32A
gdi32.dll.GetTextExtentPoint32W
gdi32.dll.GetTextExtentPointA
gdi32.dll.GetTextMetricsA
gdi32.dll.GetWinMetaFileBits
gdi32.dll.GetWindowOrgEx
gdi32.dll.IntersectClipRect
gdi32.dll.LineTo
gdi32.dll.MaskBlt
gdi32.dll.MoveToEx
gdi32.dll.PatBlt
gdi32.dll.PlayEnhMetaFile
gdi32.dll.Polygon
gdi32.dll.Polyline
gdi32.dll.RealizePalette
gdi32.dll.RectVisible
gdi32.dll.Rectangle
gdi32.dll.RestoreDC
gdi32.dll.RoundRect
gdi32.dll.SaveDC
gdi32.dll.SelectClipRgn
gdi32.dll.SelectObject
gdi32.dll.SelectPalette
gdi32.dll.SetBkColor
gdi32.dll.SetBkMode
gdi32.dll.SetBrushOrgEx
gdi32.dll.SetDIBColorTable
gdi32.dll.SetEnhMetaFileBits
gdi32.dll.SetPixel
gdi32.dll.SetROP2
gdi32.dll.SetStretchBltMode
gdi32.dll.SetTextColor
gdi32.dll.SetViewportOrgEx
gdi32.dll.SetWinMetaFileBits
gdi32.dll.SetWindowOrgEx
gdi32.dll.StretchBlt
gdi32.dll.StretchDIBits
gdi32.dll.UnrealizeObject
msimg32.dll.GradientFill
ole32.dll.CoCreateInstance
ole32.dll.CoInitialize
ole32.dll.CoInitializeEx
ole32.dll.CoTaskMemAlloc
ole32.dll.CoUninitialize
ole32.dll.OleUninitialize
oleaut32.dll.#202
oleaut32.dll.#200
oleaut32.dll.#23
oleaut32.dll.#15
oleaut32.dll.#25
oleaut32.dll.#20
oleaut32.dll.#19
oleaut32.dll.#148
oleaut32.dll.#26
oleaut32.dll.#24
oleaut32.dll.#201
oleaut32.dll.#2
oleaut32.dll.#4
oleaut32.dll.#6
oleaut32.dll.#5
oleaut32.dll.#7
oleaut32.dll.#12
oleaut32.dll.#9
oleaut32.dll.#10
oleaut32.dll.#11
oleaut32.dll.#8
shell32.dll.CommandLineToArgvW
shell32.dll.DragAcceptFiles
shell32.dll.DragQueryFileA
shell32.dll.SHBrowseForFolderA
shell32.dll.SHGetDesktopFolder
shell32.dll.SHGetMalloc
shell32.dll.SHGetSpecialFolderLocation
shell32.dll.ShellExecuteA
shell32.dll.SHGetPathFromIDListA
user32.dll.ActivateKeyboardLayout
user32.dll.AdjustWindowRectEx
user32.dll.BeginPaint
user32.dll.CallNextHookEx
user32.dll.CallWindowProcA
user32.dll.CharLowerA
user32.dll.CharLowerBuffA
user32.dll.CharNextA
user32.dll.CharNextW
user32.dll.CharToOemA
user32.dll.CharUpperBuffA
user32.dll.CheckMenuItem
user32.dll.ChildWindowFromPoint
user32.dll.ClientToScreen
user32.dll.CloseClipboard
user32.dll.CreateIcon
user32.dll.CreateMenu
user32.dll.CreatePopupMenu
user32.dll.CreateWindowExA
user32.dll.DefFrameProcA
user32.dll.DefMDIChildProcA
user32.dll.DefWindowProcA
user32.dll.DeleteMenu
user32.dll.DestroyCursor
user32.dll.DestroyIcon
user32.dll.DestroyMenu
user32.dll.DestroyWindow
user32.dll.DispatchMessageA
user32.dll.DispatchMessageW
user32.dll.DrawEdge
user32.dll.DrawFocusRect
user32.dll.DrawFrameControl
user32.dll.DrawIcon
user32.dll.DrawIconEx
user32.dll.DrawMenuBar
user32.dll.DrawTextA
user32.dll.EmptyClipboard
user32.dll.EnableMenuItem
user32.dll.EnableScrollBar
user32.dll.EnableWindow
user32.dll.EndPaint
user32.dll.EnumChildWindows
user32.dll.EnumClipboardFormats
user32.dll.EnumThreadWindows
user32.dll.EnumWindows
user32.dll.EqualRect
user32.dll.FillRect
user32.dll.FindWindowA
user32.dll.FlashWindow
user32.dll.FrameRect
user32.dll.GetActiveWindow
user32.dll.GetCapture
user32.dll.GetClassInfoA
user32.dll.GetClassLongA
user32.dll.GetClassNameA
user32.dll.GetClientRect
user32.dll.GetClipboardData
user32.dll.GetCursor
user32.dll.GetCursorPos
user32.dll.GetDC
user32.dll.GetDCEx
user32.dll.GetDesktopWindow
user32.dll.GetDlgItem
user32.dll.GetFocus
user32.dll.GetForegroundWindow
user32.dll.GetIconInfo
user32.dll.GetKeyNameTextA
user32.dll.GetKeyState
user32.dll.GetKeyboardLayout
user32.dll.GetKeyboardLayoutList
user32.dll.GetKeyboardLayoutNameA
user32.dll.GetKeyboardState
user32.dll.GetKeyboardType
user32.dll.GetLastActivePopup
user32.dll.GetMenu
user32.dll.GetMenuItemCount
user32.dll.GetMenuItemID
user32.dll.GetMenuItemInfoA
user32.dll.GetMenuState
user32.dll.GetMenuStringA
user32.dll.GetMessagePos
user32.dll.GetParent
user32.dll.GetPropA
user32.dll.GetScrollInfo
user32.dll.GetScrollPos
user32.dll.GetScrollRange
user32.dll.GetSubMenu
user32.dll.GetSysColor
user32.dll.GetSysColorBrush
user32.dll.GetSystemMenu
user32.dll.GetTopWindow
user32.dll.GetWindow
user32.dll.GetWindowDC
user32.dll.GetWindowLongA
user32.dll.GetWindowLongW
user32.dll.GetWindowPlacement
user32.dll.GetWindowRect
user32.dll.GetWindowTextA
user32.dll.GetWindowThreadProcessId
user32.dll.InflateRect
user32.dll.InsertMenuA
user32.dll.InsertMenuItemA
user32.dll.IntersectRect
user32.dll.InvalidateRect
user32.dll.IsChild
user32.dll.IsDialogMessageA
user32.dll.IsDialogMessageW
user32.dll.IsIconic
user32.dll.IsRectEmpty
user32.dll.IsWindow
user32.dll.IsWindowEnabled
user32.dll.IsWindowUnicode
user32.dll.IsWindowVisible
user32.dll.IsZoomed
user32.dll.KillTimer
user32.dll.LoadBitmapA
user32.dll.LoadCursorA
user32.dll.LoadIconA
user32.dll.LoadKeyboardLayoutA
user32.dll.LoadStringA
user32.dll.LockSetForegroundWindow
user32.dll.MapVirtualKeyA
user32.dll.MapWindowPoints
user32.dll.MessageBoxA
user32.dll.MsgWaitForMultipleObjects
user32.dll.OemToCharA
user32.dll.OffsetRect
user32.dll.OpenClipboard
user32.dll.PeekMessageA
user32.dll.PeekMessageW
user32.dll.PostMessageA
user32.dll.PostQuitMessage
user32.dll.PtInRect
user32.dll.RedrawWindow
user32.dll.RegisterClassA
user32.dll.RegisterClipboardFormatA
user32.dll.RegisterWindowMessageA
user32.dll.ReleaseCapture
user32.dll.ReleaseDC
user32.dll.RemoveMenu
user32.dll.RemovePropA
user32.dll.ScreenToClient
user32.dll.ScrollWindow
user32.dll.SendMessageA
user32.dll.SendMessageW
user32.dll.SetActiveWindow
user32.dll.SetCapture
user32.dll.SetClassLongA
user32.dll.SetClipboardData
user32.dll.SetCursor
user32.dll.SetFocus
user32.dll.SetForegroundWindow
user32.dll.SetMenu
user32.dll.SetMenuItemInfoA
user32.dll.SetParent
user32.dll.SetPropA
user32.dll.SetRect
user32.dll.SetScrollInfo
user32.dll.SetScrollPos
user32.dll.SetScrollRange
user32.dll.SetTimer
user32.dll.SetWindowLongA
user32.dll.SetWindowLongW
user32.dll.SetWindowPlacement
user32.dll.SetWindowPos
user32.dll.SetWindowTextA
user32.dll.SetWindowsHookExA
user32.dll.ShowOwnedPopups
user32.dll.ShowScrollBar
user32.dll.ShowWindow
user32.dll.SystemParametersInfoA
user32.dll.TrackPopupMenu
user32.dll.TranslateMDISysAccel
user32.dll.TranslateMessage
user32.dll.UnhookWindowsHookEx
user32.dll.UnregisterClassA
user32.dll.UpdateWindow
user32.dll.WaitMessage
user32.dll.WindowFromPoint
user32.dll.wsprintfA
user32.dll.GetSystemMetrics
version.dll.GetFileVersionInfoA
version.dll.GetFileVersionInfoSizeA
version.dll.VerQueryValueA
winmm.dll.timeGetTime
spacesniffer_____________.exe.___CPPdebugHook
kernel32.dll.GetLongPathNameA
kernel32.dll.GetDiskFreeSpaceExA
oleaut32.dll.VariantChangeTypeEx
oleaut32.dll.VarNeg
oleaut32.dll.VarNot
oleaut32.dll.VarAdd
oleaut32.dll.VarSub
oleaut32.dll.VarMul
oleaut32.dll.VarDiv
oleaut32.dll.VarIdiv
oleaut32.dll.VarMod
oleaut32.dll.VarAnd
oleaut32.dll.VarOr
oleaut32.dll.VarXor
oleaut32.dll.VarCmp
oleaut32.dll.VarI4FromStr
oleaut32.dll.VarR4FromStr
oleaut32.dll.VarR8FromStr
oleaut32.dll.VarDateFromStr
oleaut32.dll.VarCyFromStr
oleaut32.dll.VarBoolFromStr
oleaut32.dll.VarBstrFromCy
oleaut32.dll.VarBstrFromDate
oleaut32.dll.VarBstrFromBool
ole32.dll.CoCreateInstanceEx
ole32.dll.CoAddRefServerProcess
ole32.dll.CoReleaseServerProcess
ole32.dll.CoResumeClassObjects
ole32.dll.CoSuspendClassObjects
kernel32.dll.SortGetHandle
kernel32.dll.SortCloseHandle
user32.dll.WINNLSEnableIME
imm32.dll.ImmGetContext
imm32.dll.ImmReleaseContext
imm32.dll.ImmGetConversionStatus
imm32.dll.ImmSetConversionStatus
imm32.dll.ImmSetOpenStatus
imm32.dll.ImmSetCompositionWindow
imm32.dll.ImmSetCompositionFontA
imm32.dll.ImmGetCompositionStringA
imm32.dll.ImmIsIME
imm32.dll.ImmNotifyIME
user32.dll.GetMonitorInfoA
user32.dll.EnumDisplayMonitors
user32.dll.AnimateWindow
comctl32.dll.InitializeFlatSB
comctl32.dll.UninitializeFlatSB
comctl32.dll.FlatSB_GetScrollProp
comctl32.dll.FlatSB_SetScrollProp
comctl32.dll.FlatSB_EnableScrollBar
comctl32.dll.FlatSB_ShowScrollBar
comctl32.dll.FlatSB_GetScrollRange
comctl32.dll.FlatSB_GetScrollInfo
comctl32.dll.FlatSB_GetScrollPos
comctl32.dll.FlatSB_SetScrollPos
comctl32.dll.FlatSB_SetScrollInfo
comctl32.dll.FlatSB_SetScrollRange
user32.dll.SetLayeredWindowAttributes
uxtheme.dll.OpenThemeData
uxtheme.dll.CloseThemeData
uxtheme.dll.DrawThemeBackground
uxtheme.dll.DrawThemeEdge
uxtheme.dll.GetThemeColor
uxtheme.dll.GetThemeMetric
uxtheme.dll.GetThemeMargins
uxtheme.dll.SetWindowTheme
uxtheme.dll.IsThemeActive
uxtheme.dll.IsAppThemed
uxtheme.dll.EnableTheming
cryptbase.dll.SystemFunction036
uxtheme.dll.DrawThemeText
uxtheme.dll.GetThemeBackgroundContentRect
uxtheme.dll.GetThemePartSize
uxtheme.dll.GetThemeTextExtent
uxtheme.dll.GetThemeTextMetrics
uxtheme.dll.GetThemeBackgroundRegion
uxtheme.dll.HitTestThemeBackground
uxtheme.dll.DrawThemeIcon
uxtheme.dll.IsThemePartDefined
uxtheme.dll.IsThemeBackgroundPartiallyTransparent
uxtheme.dll.GetThemeString
uxtheme.dll.GetThemeBool
uxtheme.dll.GetThemeInt
uxtheme.dll.GetThemeEnumValue
uxtheme.dll.GetThemePosition
uxtheme.dll.GetThemeFont
uxtheme.dll.GetThemeRect
uxtheme.dll.GetThemeIntList
uxtheme.dll.GetThemePropertyOrigin
uxtheme.dll.GetThemeFilename
uxtheme.dll.GetThemeSysColor
uxtheme.dll.GetThemeSysColorBrush
uxtheme.dll.GetThemeSysBool
uxtheme.dll.GetThemeSysSize
uxtheme.dll.GetThemeSysFont
uxtheme.dll.GetThemeSysString
uxtheme.dll.GetThemeSysInt
uxtheme.dll.GetWindowTheme
uxtheme.dll.EnableThemeDialogTexture
uxtheme.dll.IsThemeDialogTextureEnabled
uxtheme.dll.GetThemeAppProperties
uxtheme.dll.SetThemeAppProperties
uxtheme.dll.GetCurrentThemeName
uxtheme.dll.GetThemeDocumentationProperty
uxtheme.dll.DrawThemeParentBackground
gdi32.dll.GetLayout
gdi32.dll.GdiRealizationInfo
gdi32.dll.FontIsLinked
advapi32.dll.RegOpenKeyExW
advapi32.dll.RegQueryInfoKeyW
gdi32.dll.GetTextFaceAliasW
advapi32.dll.RegEnumValueW
advapi32.dll.RegQueryValueExW
advapi32.dll.RegEnumKeyExW
gdi32.dll.GetTextExtentExPointWPri
gdi32.dll.GetFontAssocStatus
comctl32.dll.InitCommonControlsEx
imm32.dll.ImmAssociateContext
comctl32.dll.RegisterClassNameW
ole32.dll.CoRegisterInitializeSpy
ole32.dll.CoRevokeInitializeSpy
kernel32.dll.Wow64DisableWow64FsRedirection
kernel32.dll.Wow64RevertWow64FsRedirection
ntdll.dll.NtQueryInformationFile
user32.dll.MonitorFromWindow
uxtheme.dll.BufferedPaintInit
uxtheme.dll.BufferedPaintRenderAnimation
uxtheme.dll.BeginBufferedAnimation
uxtheme.dll.EndBufferedAnimation
uxtheme.dll.BeginBufferedPaint
uxtheme.dll.EndBufferedPaint
gdi32.dll.GdiIsMetaPrintDC