魔盾安全分析报告
| 分析类型 | 开始时间 | 结束时间 | 持续时间 | 分析引擎版本 |
|---|---|---|---|---|
| FILE | 2017-12-15 19:21:43 | 2017-12-15 19:24:00 | 137 秒 | 1.4-Maldun |
| 虚拟机机器名 | 标签 | 虚拟机管理 | 开机时间 | 关机时间 |
|---|---|---|---|---|
| win7-sp1-x64-shaapp01-1 | win7-sp1-x64-shaapp01-1 | KVM | 2017-12-15 19:21:43 | 2017-12-15 19:24:00 |
| 魔盾分数 |
|---|
10.0Amvbfzlb |
文件详细信息
| 文件名 | test.exe |
|---|---|
| 文件大小 | 1388544 字节 |
| 文件类型 | PE32 executable (GUI) Intel 80386, for MS Windows |
| CRC32 | 6561A158 |
| MD5 | 8e14ddfbb97114a680aa43b1776efb49 |
| SHA1 | 6c5ca6ddb5847463ca4e7ba01e49700050394688 |
| SHA256 | 4d3e1c58cb911662c52300a2f212d02096b02616a68fb35da3c09e34c30b27ec |
| SHA512 | 76b5d6882d6295ac9bee10214753b5bbb5626b9b3083e434d4fef3375bc088a0556e63ac0558bdcc6ebe8e1dbd011d7ae2156f3c6e9372d23b07d302ee43678a |
| Ssdeep | 24576:u0RCr0f4lZnHMvZxavQjJkmHiiEcwGDDepTT64cz:u0UhMhxDFhwGDSp/64cz |
| PEiD | 无匹配 |
| Yara | 无Yara规则匹配 |
| VirusTotal |
VirusTotal链接 VirusTotal扫描时间: 2017-12-15 11:21:31 扫描结果: 30/66 |
特征
发起了一些HTTP请求
url: http://122.114.30.56:5/sb/list.txt
url: http://122.114.30.56:5/sb/id.asp?id=49656E690000000D0F8BFBFF1FBA2223
创建RWX内存
投放出一个二进制文件并执行它
binary: C:\Users\test\AppData\Local\Temp\123.exe
HTTP数据流中包含可疑的恶意软件数据
ip_hostname: HTTP connection was made to an IP address rather than domain name
suspicious_request: http://122.114.30.56:5/sb/list.txt
suspicious_request: http://122.114.30.56:5/sb/id.asp?id=49656E690000000D0F8BFBFF1FBA2223
文件已被至少十个VirusTotal上的反病毒引擎检测为病毒
MicroWorld-eScan: Gen:Trojan.Heur.Dropper.un0@amVbFZlb
McAfee: Artemis!8E14DDFBB971
Cylance: Unsafe
VIPRE: Trojan.Win32.Generic!BT
K7GW: Trojan ( 003d23081 )
K7AntiVirus: Trojan ( 003d23081 )
Invincea: heuristic
Baidu: Win32.Trojan.WisdomEyes.16070401.9500.9989
Cyren: W32/GenBl.8E14DDFB!Olympus
Paloalto: generic.ml
GData: Gen:Trojan.Heur.Dropper.un0@amVbFZlb
BitDefender: Gen:Trojan.Heur.Dropper.un0@amVbFZlb
NANO-Antivirus: Virus.Win32.Gen.ccmw
AegisLab: Gen.Troj.Heur!c
Avast: FileRepMalware
Tencent: Win32.Trojan.Dropper.Ebgu
Ad-Aware: Gen:Trojan.Heur.Dropper.un0@amVbFZlb
F-Secure: Gen:Trojan.Heur.Dropper.un0@amVbFZlb
DrWeb: Trojan.KillFiles.29194
McAfee-GW-Edition: BehavesLike.Win32.Rontokbro.th
Emsisoft: Gen:Trojan.Heur.Dropper.un0@amVbFZlb (B)
Avira: TR/Dropper.Gen
Endgame: malicious (high confidence)
Arcabit: Trojan.Heur.Dropper.EA6E9A
AVware: Trojan.Win32.Generic!BT
MAX: malware (ai score=88)
Ikarus: Backdoor.Win32.Hupigon
AVG: FileRepMalware
Cybereason: malicious.1b8fb7
CrowdStrike: malicious_confidence_100% (W)
运行截图
网络分析
访问主机记录
| 直接访问 | IP地址 | 国家名 |
|---|---|---|
| 是 | 122.114.30.56 | China |
TCP连接
| IP地址 | 端口 |
|---|---|
| 122.114.30.56 | 5 |
HTTP请求
| URL | HTTP数据 |
|---|---|
| http://122.114.30.56:5/sb/list.txt | GET /sb/list.txt HTTP/1.1 Connection: Keep-Alive Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: zh-CN,zh;q=0.8 User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.89 Safari/537.36 Host: 122.114.30.56:5 |
| http://122.114.30.56:5/sb/id.asp?id=49656E690000000D0F8BFBFF1FBA2223 | GET /sb/id.asp?id=49656E690000000D0F8BFBFF1FBA2223 HTTP/1.1 Connection: Keep-Alive Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: zh-CN,zh;q=0.8 User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.89 Safari/537.36 Host: 122.114.30.56:5 |
静态分析
PE 信息
| 初始地址 | 0x00400000 |
|---|---|
| 入口地址 | 0x00401238 |
| 声明校验值 | 0x00159ec4 |
| 实际校验值 | 0x00159ec4 |
| 最低操作系统版本要求 | 4.0 |
| 编译时间 | 2017-12-10 22:38:24 |
| 载入哈希 | d92864a8239cd2e8117fef53396d4c0c |
| 图标 |  |
| 图标精确哈希值 | 8b67acc8289ad787f14ef265c8098b91 |
| 图标相似性哈希值 | 610ab0f829ac7b08395f2013f94801da |
版本信息
| Translation: | 0x0804 0x04b0 |
| InternalName: | \x5de5\x7a0b1 |
| FileVersion: | 1.00 |
| CompanyName: | \x843d\x53f6\x7684\x5fe7\x4f24 |
| ProductName: | \x5de5\x7a0b1 |
| ProductVersion: | 1.00 |
| OriginalFilename: | \x5de5\x7a0b1.exe |
PE数据组成
| 名称 | 虚拟地址 | 虚拟大小 | 原始数据大小 | 特征 | 熵(Entropy) |
|---|---|---|---|---|---|
| .text | 0x00001000 | 0x00001588 | 0x00002000 | IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ | 4.09 |
| .data | 0x00003000 | 0x00000300 | 0x00001000 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE | 0.00 |
| .rsrc | 0x00004000 | 0x0014eb2c | 0x0014f000 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 6.50 |
资源
| 名称 | 偏移量 | 大小 | 语言 | 子语言 | 熵(Entropy) | 文件类型 |
|---|---|---|---|---|---|---|
| CUSTOM | 0x0000492c | 0x0002b000 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 5.55 | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows |
| CUSTOM | 0x0000492c | 0x0002b000 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 5.55 | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows |
| RT_ICON | 0x000043ec | 0x00000128 | LANG_NEUTRAL | SUBLANG_NEUTRAL | 2.07 | GLS_BINARY_LSB_FIRST |
| RT_ICON | 0x000043ec | 0x00000128 | LANG_NEUTRAL | SUBLANG_NEUTRAL | 2.07 | GLS_BINARY_LSB_FIRST |
| RT_ICON | 0x000043ec | 0x00000128 | LANG_NEUTRAL | SUBLANG_NEUTRAL | 2.07 | GLS_BINARY_LSB_FIRST |
| RT_GROUP_ICON | 0x000043bc | 0x00000030 | LANG_NEUTRAL | SUBLANG_NEUTRAL | 2.98 | MS Windows icon resource - 3 icons, 32x32, 2 colors |
| RT_VERSION | 0x000041d0 | 0x000001ec | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 3.35 | data |
导入
库 MSVBVM60.DLL:
• 0x401000 - _CIcos
• 0x401004 - _adj_fptan
• 0x401008 - __vbaAryMove
• 0x40100c - __vbaFreeVar
• 0x401010 - __vbaFreeVarList
• 0x401014 - _adj_fdiv_m64
• 0x401018 - _adj_fprem1
• 0x40101c - __vbaStrCat
• 0x401020 - __vbaSetSystemError
• 0x401024 - __vbaHresultCheckObj
• 0x401028 - _adj_fdiv_m32
• 0x40102c - __vbaAryDestruct
• 0x401030 - __vbaExitProc
• 0x401034 - __vbaOnError
• 0x401038 - __vbaObjSet
• 0x40103c - None
• 0x401040 - _adj_fdiv_m16i
• 0x401044 - _adj_fdivr_m16i
• 0x401048 - _CIsin
• 0x40104c - __vbaChkstk
• 0x401050 - __vbaFileClose
• 0x401054 - None
• 0x401058 - __vbaPutOwner3
• 0x40105c - DllFunctionCall
• 0x401060 - _adj_fpatan
• 0x401064 - None
• 0x401068 - _CIsqrt
• 0x40106c - __vbaExceptHandler
• 0x401070 - _adj_fprem
• 0x401074 - _adj_fdivr_m64
• 0x401078 - None
• 0x40107c - __vbaFPException
• 0x401080 - __vbaVarCat
• 0x401084 - _CIlog
• 0x401088 - __vbaFileOpen
• 0x40108c - __vbaNew2
• 0x401090 - __vbaVar2Vec
• 0x401094 - _adj_fdiv_m32i
• 0x401098 - _adj_fdivr_m32i
• 0x40109c - _adj_fdivr_m32
• 0x4010a0 - _adj_fdiv_r
• 0x4010a4 - None
• 0x4010a8 - None
• 0x4010ac - __vbaFpI4
• 0x4010b0 - _CIatan
• 0x4010b4 - __vbaStrMove
• 0x4010b8 - _allmul
• 0x4010bc - None
• 0x4010c0 - _CItan
• 0x4010c4 - _CIexp
• 0x4010c8 - __vbaFreeStr
• 0x4010cc - __vbaFreeObj
投放文件
\xe8\x90\xbd\xe5\x8f\xb6\xe7\x9a\x84\xe5\xbf\xa7\xe4\xbc\xa4.dll
| 文件名 | \xe8\x90\xbd\xe5\x8f\xb6\xe7\x9a\x84\xe5\xbf\xa7\xe4\xbc\xa4.dll |
|---|---|
| 相关文件 |
|
| 文件大小 | 176128 bytes |
| 文件类型 | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows |
| MD5 | a1572aa30ca960c26086fa33ce805cd6 |
| SHA1 | 407c7d69695189cdccd9c302aab193dbbdb40f2b |
| SHA256 | 59b73c07a60734ffddbfd99d56d238a4c389bb01ad87c69c76e9ca4d83c6872d |
| SHA512 | d7a7ebe8ac022c502316bf6d5cbfde97ba9f2d76033b73724f1dbc122b28a011b28b9d6855fe6791326cbb2dc778bbb00abf5e6be90ac1186782b004b54dc86b |
| Ssdeep | 1536:dtbFuRksd2wNfydHTG+00t+rm54oPQ4PygTGDIcADX0IEZ/HtkwAOCsXU+U0WwRe:LbFuOsdFWp0Z7AL0IcPtV7CsXSuRj |
| VirusTotal | 搜索相关分析 |
123.exe
| 文件名 | 123.exe |
|---|---|
| 相关文件 |
|
| 文件大小 | 1192448 bytes |
| 文件类型 | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5 | 8cd1a5bfe4b1ff66f492a4e486cec9a8 |
| SHA1 | 890208385b4baecb8fd61bdf9c401dd06d8b1345 |
| SHA256 | eca67026be257fa1c5fc8ee1ca34d8913f51cb81a175d56ec9608764a6379397 |
| SHA512 | a4d795f23ab7827e5246db1b2c5948c553235a3cee10cc96c0bc363247b230a1d601576a16d7afa368e6def973fdb405d68c5b1c4810de4d4f0573589fb9e745 |
| Ssdeep | 24576:E0f4lZnHMvZxavQjJkmHiiEcwGDDepTT64cz:EhMhxDFhwGDSp/64cz |
| VirusTotal | 搜索相关分析 |
行为分析
互斥量(Mutexes)
- Local\MSCTF.Asm.MutexDefault1
执行的命令
- C:\Users\test\AppData\Local\Temp\123.exe
创建的服务
无信息
启动的服务
无信息
进程
test.exe PID: 2032, 上一级进程 PID: 300
123.exe PID: 272, 上一级进程 PID: 2032
访问的文件
- C:\Users\test\AppData\Local\Temp\IMM32.DLL
- C:\Windows\System32\imm32.dll
- \Device\KsecDD
- C:\Users\test\AppData\Local\Temp\test.exe.cfg
- C:\Windows\sysnative\C_932.NLS
- C:\Windows\sysnative\C_949.NLS
- C:\Windows\sysnative\C_950.NLS
- C:\Users\test\AppData\Local\Temp\\xe8\x90\xbd\xe5\x8f\xb6\xe7\x9a\x84\xe5\xbf\xa7\xe4\xbc\xa4.dll
- C:\Users\test\AppData\Local\Temp\123.exe
- C:\Users\test\AppData\Local\Temp\123.CHS
- C:\Users\test\AppData\Local\Temp\123.CHS.DLL
- C:\Users\test\AppData\Local\Temp\123.CH
- C:\Users\test\AppData\Local\Temp\123.CH.DLL
- C:\Windows\Fonts\staticcache.dat
- C:\Windows\win.ini
- C:\Users\test\AppData\Local\Temp\0.ini
读取的文件
- \Device\KsecDD
- C:\Windows\Fonts\staticcache.dat
- C:\Windows\win.ini
- C:\Users\test\AppData\Local\Temp\0.ini
修改的文件
- C:\Users\test\AppData\Local\Temp\\xe8\x90\xbd\xe5\x8f\xb6\xe7\x9a\x84\xe5\xbf\xa7\xe4\xbc\xa4.dll
- C:\Users\test\AppData\Local\Temp\123.exe
删除的文件
无信息
注册表键
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\WMR
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SESSION MANAGER\SafeProcessSearchMode
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\ExtendedLocale
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Codepage
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\932
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\949
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\950
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VBA\Monitors
- HKEY_CURRENT_USER\Software\Borland\Locales
- HKEY_LOCAL_MACHINE\Software\Borland\Locales
- HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08040804
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\E0200804
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Keyboard Layouts\E0200804\layout text
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\E0210804
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Keyboard Layouts\E0210804\layout text
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04090409
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp\Tracing
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp\Tracing\Enabled
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ShareCredsWithWinHttp
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp\DisableBranchCache
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane1
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane2
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane3
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane4
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane5
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane6
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane7
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane8
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane9
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane10
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane11
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane12
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane13
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane14
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane15
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane16
- HKEY_CURRENT_USER
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\123.exe
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\FontSubstitutes
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\\xe5\xae\x8b\xe4\xbd\x93
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Tahoma
- HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
- HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\ScrollInset
- HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\DragDelay
- HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\DragMinDist
- HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\ScrollDelay
- HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\ScrollInterval
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\System
- HKEY_LOCAL_MACHINE\Software\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{03B5835F-F03C-411B-9CE2-AA23E1171E36}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{07EB03D6-B001-41DF-9192-BF9B841EE71F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3697C5FA-60DD-4B56-92D4-74A569205C16}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3FC47A08-E5C9-4BCA-A2C7-BC9A282AED14}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{531FDEBF-9B4C-4A43-A2AA-960E8FCDC732}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{78CB5B0E-26ED-4FCC-854C-77E8F3D1AA80}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{81D4E9C9-1D3B-41BC-9E6C-4B40BF79E35E}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{8613E14C-D0C0-4161-AC0F-1DD2563286BC}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{A028AE76-01B1-46C2-99C4-ACD9858AE02F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{AE6BE008-07FB-400D-8BEB-337A64F7051F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{C1EE01F2-B3B6-4A6A-9DDD-E988C088EC82}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{E429B25A-E5D3-4D1F-9BE3-0C608477E3A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F25E9F57-2FC8-4EB3-A41A-CCE5F08541E6}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F89E9E58-BD2F-4008-9AC2-0F816C09F4EE}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_CURRENT_USER\Keyboard Layout\Toggle
- HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
- HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
- HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
- HKEY_CURRENT_USER\Software\Microsoft\CTF\DirectSwitchHotkeys
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\\xe9\x9a\xb6\xe4\xb9\xa6
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\MS Sans Serif
- HKEY_CURRENT_USER\Software\Microsoft\CTF\LayoutIcon\0804\00000804
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\KnownClasses
读取的注册表键
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SESSION MANAGER\SafeProcessSearchMode
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\932
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\949
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\950
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Keyboard Layouts\E0200804\layout text
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Keyboard Layouts\E0210804\layout text
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp\Tracing\Enabled
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ShareCredsWithWinHttp
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp\DisableBranchCache
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane1
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane2
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane3
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane4
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane5
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane6
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane7
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane8
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane9
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane10
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane11
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane12
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane13
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane14
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane15
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane16
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\\xe5\xae\x8b\xe4\xbd\x93
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Tahoma
- HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\ScrollInset
- HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\DragDelay
- HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\DragMinDist
- HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\ScrollDelay
- HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\ScrollInterval
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
- HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
- HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
- HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
修改的注册表键
无信息
删除的注册表键
无信息
API解析
- imm32.dll.ImmCreateContext
- imm32.dll.ImmDestroyContext
- imm32.dll.ImmGetContext
- imm32.dll.ImmReleaseContext
- imm32.dll.ImmAssociateContext
- imm32.dll.ImmGetConversionStatus
- imm32.dll.ImmSetConversionStatus
- imm32.dll.ImmGetOpenStatus
- imm32.dll.ImmSetOpenStatus
- imm32.dll.ImmSetCompositionFontA
- imm32.dll.ImmSetCompositionStringA
- imm32.dll.ImmGetCompositionStringA
- imm32.dll.ImmSetCompositionWindow
- imm32.dll.ImmEscapeA
- imm32.dll.ImmIsIME
- imm32.dll.ImmSetCandidateWindow
- imm32.dll.ImmNotifyIME
- imm32.dll.ImmSimulateHotKey
- cryptbase.dll.SystemFunction036
- oleaut32.dll.OleLoadPictureEx
- oleaut32.dll.DispCallFunc
- oleaut32.dll.LoadTypeLibEx
- oleaut32.dll.UnRegisterTypeLib
- oleaut32.dll.CreateTypeLib2
- oleaut32.dll.VarDateFromUdate
- oleaut32.dll.VarUdateFromDate
- oleaut32.dll.GetAltMonthNames
- oleaut32.dll.VarNumFromParseNum
- oleaut32.dll.VarParseNumFromStr
- oleaut32.dll.VarDecFromR4
- oleaut32.dll.VarDecFromR8
- oleaut32.dll.VarDecFromDate
- oleaut32.dll.VarDecFromI4
- oleaut32.dll.VarDecFromCy
- oleaut32.dll.VarR4FromDec
- oleaut32.dll.GetRecordInfoFromTypeInfo
- oleaut32.dll.GetRecordInfoFromGuids
- oleaut32.dll.SafeArrayGetRecordInfo
- oleaut32.dll.SafeArraySetRecordInfo
- oleaut32.dll.SafeArrayGetIID
- oleaut32.dll.SafeArraySetIID
- oleaut32.dll.SafeArrayCopyData
- oleaut32.dll.SafeArrayAllocDescriptorEx
- oleaut32.dll.SafeArrayCreateEx
- oleaut32.dll.VarFormat
- oleaut32.dll.VarFormatDateTime
- oleaut32.dll.VarFormatNumber
- oleaut32.dll.VarFormatPercent
- oleaut32.dll.VarFormatCurrency
- oleaut32.dll.VarWeekdayName
- oleaut32.dll.VarMonthName
- oleaut32.dll.VarAdd
- oleaut32.dll.VarAnd
- oleaut32.dll.VarCat
- oleaut32.dll.VarDiv
- oleaut32.dll.VarEqv
- oleaut32.dll.VarIdiv
- oleaut32.dll.VarImp
- oleaut32.dll.VarMod
- oleaut32.dll.VarMul
- oleaut32.dll.VarOr
- oleaut32.dll.VarPow
- oleaut32.dll.VarSub
- oleaut32.dll.VarXor
- oleaut32.dll.VarAbs
- oleaut32.dll.VarFix
- oleaut32.dll.VarInt
- oleaut32.dll.VarNeg
- oleaut32.dll.VarNot
- oleaut32.dll.VarRound
- oleaut32.dll.VarCmp
- oleaut32.dll.VarDecAdd
- oleaut32.dll.VarDecCmp
- oleaut32.dll.VarBstrCat
- oleaut32.dll.VarCyMulI4
- oleaut32.dll.VarBstrCmp
- ole32.dll.CoCreateInstanceEx
- ole32.dll.CLSIDFromProgIDEx
- sxs.dll.SxsOleAut32MapIIDOrCLSIDToTypeLibrary
- user32.dll.GetSystemMetrics
- user32.dll.MonitorFromWindow
- user32.dll.MonitorFromRect
- user32.dll.MonitorFromPoint
- user32.dll.EnumDisplayMonitors
- user32.dll.GetMonitorInfoA
- imm32.dll.ImmGetDefaultIMEWnd
- kernel32.dll.OpenProcess
- kernel32.dll.WaitForSingleObject
- kernel32.dll.GetDiskFreeSpaceExA
- oleaut32.dll.VariantChangeTypeEx
- oleaut32.dll.VarI4FromStr
- oleaut32.dll.VarR4FromStr
- oleaut32.dll.VarR8FromStr
- oleaut32.dll.VarDateFromStr
- oleaut32.dll.VarCyFromStr
- oleaut32.dll.VarBoolFromStr
- oleaut32.dll.VarBstrFromCy
- oleaut32.dll.VarBstrFromDate
- oleaut32.dll.VarBstrFromBool
- user32.dll.WINNLSEnableIME
- user32.dll.AnimateWindow
- comctl32.dll.InitializeFlatSB
- comctl32.dll.UninitializeFlatSB
- comctl32.dll.FlatSB_GetScrollProp
- comctl32.dll.FlatSB_SetScrollProp
- comctl32.dll.FlatSB_EnableScrollBar
- comctl32.dll.FlatSB_ShowScrollBar
- comctl32.dll.FlatSB_GetScrollRange
- comctl32.dll.FlatSB_GetScrollInfo
- comctl32.dll.FlatSB_GetScrollPos
- comctl32.dll.FlatSB_SetScrollPos
- comctl32.dll.FlatSB_SetScrollInfo
- comctl32.dll.FlatSB_SetScrollRange
- user32.dll.SetLayeredWindowAttributes
- uxtheme.dll.OpenThemeData
- uxtheme.dll.CloseThemeData
- uxtheme.dll.DrawThemeBackground
- uxtheme.dll.DrawThemeText
- uxtheme.dll.GetThemeBackgroundContentRect
- uxtheme.dll.GetThemeBackgroundExtent
- uxtheme.dll.GetThemeTextExtent
- uxtheme.dll.GetThemeTextMetrics
- uxtheme.dll.GetThemeBackgroundRegion
- uxtheme.dll.HitTestThemeBackground
- uxtheme.dll.DrawThemeEdge
- uxtheme.dll.DrawThemeIcon
- uxtheme.dll.IsThemePartDefined
- uxtheme.dll.IsThemeBackgroundPartiallyTransparent
- uxtheme.dll.GetThemeColor
- uxtheme.dll.GetThemeMetric
- uxtheme.dll.GetThemeString
- uxtheme.dll.GetThemeBool
- uxtheme.dll.GetThemeInt
- uxtheme.dll.GetThemeEnumValue
- uxtheme.dll.GetThemePosition
- uxtheme.dll.GetThemeFont
- uxtheme.dll.GetThemeRect
- uxtheme.dll.GetThemeMargins
- uxtheme.dll.GetThemeIntList
- uxtheme.dll.SetWindowTheme
- uxtheme.dll.GetThemeFilename
- uxtheme.dll.GetThemeSysColor
- uxtheme.dll.GetThemeSysColorBrush
- uxtheme.dll.GetThemeSysBool
- uxtheme.dll.GetThemeSysSize
- uxtheme.dll.GetThemeSysFont
- uxtheme.dll.GetThemeSysString
- uxtheme.dll.GetThemeSysInt
- uxtheme.dll.IsThemeActive
- uxtheme.dll.IsAppThemed
- uxtheme.dll.GetWindowTheme
- uxtheme.dll.EnableThemeDialogTexture
- uxtheme.dll.IsThemeDialogTextureEnabled
- uxtheme.dll.GetThemeAppProperties
- uxtheme.dll.SetThemeAppProperties
- uxtheme.dll.GetCurrentThemeName
- uxtheme.dll.GetThemeDocumentationProperty
- uxtheme.dll.DrawThemeParentBackground
- uxtheme.dll.EnableTheming
- ole32.dll.CoInitializeEx
- ole32.dll.CoAddRefServerProcess
- ole32.dll.CoReleaseServerProcess
- ole32.dll.CoResumeClassObjects
- ole32.dll.CoSuspendClassObjects
- shlwapi.dll.StrRChrA
- oleaut32.dll.#8
- oleaut32.dll.#12
- uxtheme.dll.GetThemePartSize
- uxtheme.dll.GetThemePropertyOrigin
- gdi32.dll.GetLayout
- gdi32.dll.GdiRealizationInfo
- gdi32.dll.FontIsLinked
- advapi32.dll.RegOpenKeyExW
- advapi32.dll.RegQueryInfoKeyW
- gdi32.dll.GetTextFaceAliasW
- advapi32.dll.RegEnumValueW
- advapi32.dll.RegCloseKey
- advapi32.dll.RegQueryValueExW
- shlwapi.dll.StrCmpNW
- oleaut32.dll.#4
- oleaut32.dll.#6
- shlwapi.dll.#153
- oleaut32.dll.#9
- gdi32.dll.GetFontAssocStatus
- advapi32.dll.RegQueryValueExA
- advapi32.dll.RegEnumKeyExW
- user32.dll.MsgWaitForMultipleObjects
- gdi32.dll.GetTextExtentExPointWPri
- comctl32.dll.InitCommonControlsEx
- user32.dll.NotifyWinEvent
- ws2_32.dll.#6
- ws2_32.dll.#5
- ws2_32.dll.WSARecv
- ws2_32.dll.WSASend
- ole32.dll.OleInitialize
- ole32.dll.OleUninitialize
- ole32.dll.RegisterDragDrop
- user32.dll.PeekMessageA
- ole32.dll.GetHGlobalFromStream
- oleaut32.dll.#411
- oleaut32.dll.#23
- oleaut32.dll.#24
- rpcrt4.dll.RpcBindingFree
- kernel32.dll.WriteProcessMemory
- kernel32.dll.CreateRemoteThread
- ole32.dll.CoUninitialize
- ole32.dll.CoRegisterInitializeSpy
- ole32.dll.CoRevokeInitializeSpy
- gdi32.dll.GdiIsMetaPrintDC
- kernel32.dll.NlsGetCacheUpdateCount
- kernel32.dll.ResumeThread
- winmm.dll.timeGetTime
- user32.dll.FindWindowA
- oleaut32.dll.#500
- kernel32.dll.VirtualFreeEx
- kernel32.dll.CloseHandle
- user32.dll.SetWindowTextA
- user32.dll.SetParent
- user32.dll.SetWindowLongA
- user32.dll.GetWindowRect
- user32.dll.MoveWindow
- user32.dll.CallWindowProcA
- user32.dll.FindWindowExA
- user32.dll.GetWindowTextA
- oleaut32.dll.SysAllocString
- oleaut32.dll.SysStringLen
- oleaut32.dll.SysFreeString
- ws2_32.dll.#116
- ws2_32.dll.#3