魔盾安全分析报告
| 分析类型 | 开始时间 | 结束时间 | 持续时间 | 分析引擎版本 |
|---|---|---|---|---|
| FILE | 2016-05-28 15:04:59 | 2016-05-28 15:07:32 | 153 秒 | 1.4-Maldun |
| 虚拟机机器名 | 标签 | 虚拟机管理 | 开机时间 | 关机时间 |
|---|---|---|---|---|
| win7-sp1-x64 | win7-sp1-x64 | KVM | 2016-05-28 15:05:02 | 2016-05-28 15:07:32 |
| 魔盾分数 |
|---|
2.8可疑的 |
文件详细信息
| 文件名 | msvcr71.dll |
|---|---|
| 文件大小 | 348160 字节 |
| 文件类型 | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows |
| CRC32 | F83AD7CD |
| MD5 | ca2f560921b7b8be1cf555a5a18d54c3 |
| SHA1 | 432dbcf54b6f1142058b413a9d52668a2bde011d |
| SHA256 | c4d4339df314a27ff75a38967b7569d9962337b8d4cd4b0db3aba5ff72b2bfbb |
| SHA512 | 23e0bdd9458a5a8e0f9bbcb7f6ce4f87fcc9e47c1ee15f964c17ff9fe8d0f82dd3a0f90263daaf1ee87fad4a238aa0ee92a16b3e2c67f47c84d575768edba43e |
| Ssdeep | 6144:cPlV59g81QWguohIP/siMbo8Crn2zzwRFMciFMNrb3YgxS3bCAO5kkG:OlVvN1QWguohInJDrn8zwNF7eCr |
| PEiD | 无匹配 |
| Yara |
|
| VirusTotal |
VirusTotal链接 VirusTotal扫描时间: 2016-05-28 05:03:06 扫描结果: 0/56 |
特征
创建RWX内存
发起了一些HTTP请求
url: http://www.msftncsi.com/ncsi.txt
检测到网络活动但没有显示在API日志中
运行截图
网络分析
访问主机记录
| 直接访问 | IP地址 | 国家名 |
|---|---|---|
| 是 | 23.7.139.27 | United States |
| 否 | 125.56.218.24 | United States |
域名解析
| 域名 | 响应 |
|---|---|
| www.msftncsi.com |
A 125.56.218.24
CNAME www.msftncsi.com.edgesuite.net A 125.56.201.97 CNAME a1961.g2.akamai.net |
TCP连接
| IP地址 | 端口 |
|---|---|
| 125.56.218.24 | 80 |
UDP连接
| IP地址 | 端口 |
|---|---|
| 192.168.122.1 | 53 |
| 192.168.122.1 | 53 |
| 192.168.122.1 | 53 |
| 192.168.122.1 | 53 |
| 192.168.122.255 | 137 |
| 192.168.122.255 | 138 |
| 224.0.0.252 | 5355 |
| 224.0.0.252 | 5355 |
| 239.255.255.250 | 1900 |
| 52.169.179.91 | 123 |
| 192.168.122.69 | 52766 |
HTTP请求
| URL | HTTP数据 |
|---|---|
| http://www.msftncsi.com/ncsi.txt | GET /ncsi.txt HTTP/1.1 Connection: Close User-Agent: Microsoft NCSI Host: www.msftncsi.com |
静态分析
PE 信息
| 初始地址 | 0x7c360000 |
|---|---|
| 入口地址 | 0x7c36191a |
| 声明校验值 | 0x0005bf56 |
| 实际校验值 | 0x0005bf56 |
| 最低操作系统版本要求 | 4.0 |
| PDB路径 | msvcr71.pdb |
| 编译时间 | 2006-07-12 09:35:36 |
| 导出DLL库名称 | MSVCR71.dll |
版本信息
| LegalCopyright: | \xa9 Microsoft Corporation. All rights reserved. |
| InternalName: | MSVCR71.DLL |
| FileVersion: | 7.10.6030.0 |
| CompanyName: | Microsoft Corporation |
| ProductName: | Microsoft\xae Visual Studio .NET |
| ProductVersion: | 7.10.6030.0 |
| FileDescription: | Microsoft\xae C Runtime Library |
| OriginalFilename: | MSVCR71.DLL |
| Translation: | 0x0409 0x04b0 |
PE数据组成
| 名称 | 虚拟地址 | 虚拟大小 | 原始数据大小 | 特征 | 熵(Entropy) |
|---|---|---|---|---|---|
| .text | 0x00001000 | 0x00038ff8 | 0x00039000 | IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ | 6.78 |
| .rdata | 0x0003a000 | 0x00010060 | 0x00011000 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 6.01 |
| .data | 0x0004b000 | 0x00006810 | 0x00006000 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE | 2.48 |
| .rsrc | 0x00052000 | 0x000003b8 | 0x00001000 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 1.02 |
| .reloc | 0x00053000 | 0x00002b68 | 0x00003000 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ | 6.45 |
资源
| 名称 | 偏移量 | 大小 | 语言 | 子语言 | 熵(Entropy) | 文件类型 |
|---|---|---|---|---|---|---|
| RT_VERSION | 0x00052060 | 0x00000358 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 3.51 | data |
导入
库 KERNEL32.dll:
• 0x7c39a000 - GetModuleFileNameA
• 0x7c39a004 - GetModuleFileNameW
• 0x7c39a008 - ExitProcess
• 0x7c39a00c - GetProcAddress
• 0x7c39a010 - GetModuleHandleA
• 0x7c39a014 - TerminateProcess
• 0x7c39a018 - GetCurrentProcess
• 0x7c39a01c - WriteFile
• 0x7c39a020 - GetStdHandle
• 0x7c39a024 - GetCurrentThreadId
• 0x7c39a028 - GetCommandLineA
• 0x7c39a02c - GetVersionExA
• 0x7c39a030 - DeleteCriticalSection
• 0x7c39a034 - LeaveCriticalSection
• 0x7c39a038 - EnterCriticalSection
• 0x7c39a03c - ExitThread
• 0x7c39a040 - CloseHandle
• 0x7c39a044 - GetLastError
• 0x7c39a048 - ResumeThread
• 0x7c39a04c - CreateThread
• 0x7c39a050 - TlsAlloc
• 0x7c39a054 - SetLastError
• 0x7c39a058 - GetCurrentThread
• 0x7c39a05c - TlsFree
• 0x7c39a060 - TlsSetValue
• 0x7c39a064 - TlsGetValue
• 0x7c39a068 - FindNextFileA
• 0x7c39a06c - FindFirstFileA
• 0x7c39a070 - FindClose
• 0x7c39a074 - FindNextFileW
• 0x7c39a078 - FindFirstFileW
• 0x7c39a07c - HeapAlloc
• 0x7c39a080 - HeapFree
• 0x7c39a084 - GetEnvironmentVariableA
• 0x7c39a088 - HeapDestroy
• 0x7c39a08c - HeapCreate
• 0x7c39a090 - VirtualFree
• 0x7c39a094 - VirtualAlloc
• 0x7c39a098 - HeapReAlloc
• 0x7c39a09c - IsBadWritePtr
• 0x7c39a0a0 - SetHandleCount
• 0x7c39a0a4 - GetFileType
• 0x7c39a0a8 - GetStartupInfoA
• 0x7c39a0ac - GetACP
• 0x7c39a0b0 - GetOEMCP
• 0x7c39a0b4 - GetCPInfo
• 0x7c39a0b8 - LoadLibraryA
• 0x7c39a0bc - MultiByteToWideChar
• 0x7c39a0c0 - GetCommandLineW
• 0x7c39a0c4 - FreeEnvironmentStringsA
• 0x7c39a0c8 - GetEnvironmentStrings
• 0x7c39a0cc - FreeEnvironmentStringsW
• 0x7c39a0d0 - WideCharToMultiByte
• 0x7c39a0d4 - GetEnvironmentStringsW
• 0x7c39a0d8 - InitializeCriticalSection
• 0x7c39a0dc - RtlUnwind
• 0x7c39a0e0 - UnhandledExceptionFilter
• 0x7c39a0e4 - LCMapStringA
• 0x7c39a0e8 - LCMapStringW
• 0x7c39a0ec - GetStringTypeA
• 0x7c39a0f0 - GetStringTypeW
• 0x7c39a0f4 - SetConsoleCtrlHandler
• 0x7c39a0f8 - InterlockedExchange
• 0x7c39a0fc - VirtualQuery
• 0x7c39a100 - QueryPerformanceCounter
• 0x7c39a104 - GetTickCount
• 0x7c39a108 - GetCurrentProcessId
• 0x7c39a10c - GetSystemTimeAsFileTime
• 0x7c39a110 - SetEnvironmentVariableA
• 0x7c39a114 - SetEnvironmentVariableW
• 0x7c39a118 - GetUserDefaultLCID
• 0x7c39a11c - GetLocaleInfoA
• 0x7c39a120 - EnumSystemLocalesA
• 0x7c39a124 - IsValidLocale
• 0x7c39a128 - IsValidCodePage
• 0x7c39a12c - GetLocaleInfoW
• 0x7c39a130 - GetTimeFormatA
• 0x7c39a134 - GetDateFormatA
• 0x7c39a138 - GetTimeZoneInformation
• 0x7c39a13c - HeapSize
• 0x7c39a140 - VirtualProtect
• 0x7c39a144 - GetSystemInfo
• 0x7c39a148 - FlushFileBuffers
• 0x7c39a14c - SetFilePointer
• 0x7c39a150 - SetStdHandle
• 0x7c39a154 - CompareStringA
• 0x7c39a158 - CompareStringW
• 0x7c39a15c - Sleep
• 0x7c39a160 - Beep
• 0x7c39a164 - FileTimeToSystemTime
• 0x7c39a168 - FileTimeToLocalFileTime
• 0x7c39a16c - GetDiskFreeSpaceA
• 0x7c39a170 - GetLogicalDrives
• 0x7c39a174 - SetErrorMode
• 0x7c39a178 - GetFileAttributesA
• 0x7c39a17c - GetCurrentDirectoryA
• 0x7c39a180 - SetCurrentDirectoryA
• 0x7c39a184 - SetFileAttributesA
• 0x7c39a188 - GetFullPathNameA
• 0x7c39a18c - GetDriveTypeA
• 0x7c39a190 - CreateDirectoryA
• 0x7c39a194 - RemoveDirectoryA
• 0x7c39a198 - DeleteFileA
• 0x7c39a19c - GetFileAttributesW
• 0x7c39a1a0 - GetCurrentDirectoryW
• 0x7c39a1a4 - SetCurrentDirectoryW
• 0x7c39a1a8 - SetFileAttributesW
• 0x7c39a1ac - GetFullPathNameW
• 0x7c39a1b0 - CreateDirectoryW
• 0x7c39a1b4 - DeleteFileW
• 0x7c39a1b8 - MoveFileW
• 0x7c39a1bc - RemoveDirectoryW
• 0x7c39a1c0 - GetDriveTypeW
• 0x7c39a1c4 - MoveFileA
• 0x7c39a1c8 - RaiseException
• 0x7c39a1cc - IsBadReadPtr
• 0x7c39a1d0 - SetUnhandledExceptionFilter
• 0x7c39a1d4 - IsBadCodePtr
• 0x7c39a1d8 - GetExitCodeProcess
• 0x7c39a1dc - WaitForSingleObject
• 0x7c39a1e0 - FreeLibrary
• 0x7c39a1e4 - CreateProcessA
• 0x7c39a1e8 - CreateProcessW
• 0x7c39a1ec - HeapValidate
• 0x7c39a1f0 - HeapCompact
• 0x7c39a1f4 - HeapWalk
• 0x7c39a1f8 - ReadConsoleA
• 0x7c39a1fc - SetConsoleMode
• 0x7c39a200 - GetConsoleMode
• 0x7c39a204 - IsDBCSLeadByteEx
• 0x7c39a208 - GetConsoleCP
• 0x7c39a20c - ReadConsoleW
• 0x7c39a210 - SetEndOfFile
• 0x7c39a214 - WriteConsoleA
• 0x7c39a218 - GetConsoleOutputCP
• 0x7c39a21c - WriteConsoleW
• 0x7c39a220 - DuplicateHandle
• 0x7c39a224 - GetFileInformationByHandle
• 0x7c39a228 - PeekNamedPipe
• 0x7c39a22c - ReadConsoleInputA
• 0x7c39a230 - PeekConsoleInputA
• 0x7c39a234 - GetNumberOfConsoleInputEvents
• 0x7c39a238 - ReadConsoleInputW
• 0x7c39a23c - LockFile
• 0x7c39a240 - UnlockFile
• 0x7c39a244 - CreateFileA
• 0x7c39a248 - CreatePipe
• 0x7c39a24c - ReadFile
• 0x7c39a250 - CreateFileW
• 0x7c39a254 - SetFileTime
• 0x7c39a258 - LocalFileTimeToFileTime
• 0x7c39a25c - SystemTimeToFileTime
• 0x7c39a260 - GetLocalTime
• 0x7c39a264 - SetLocalTime
导出
| 序列 | 地址 | 名称 |
|---|---|---|
| 52 | 0x7c39220f | $I10_OUTPUT |
| 1 | 0x7c379835 | ??0__non_rtti_object@@QAE@ABV0@@Z |
| 2 | 0x7c37981d | ??0__non_rtti_object@@QAE@PBD@Z |
| 3 | 0x7c3797c9 | ??0bad_cast@@AAE@PBQBD@Z |
| 4 | 0x7c3797c9 | ??0bad_cast@@QAE@ABQBD@Z |
| 5 | 0x7c3797a9 | ??0bad_cast@@QAE@ABV0@@Z |
| 6 | 0x7c379790 | ??0bad_cast@@QAE@PBD@Z |
| 7 | 0x7c3797fa | ??0bad_typeid@@QAE@ABV0@@Z |
| 8 | 0x7c3797e1 | ??0bad_typeid@@QAE@PBD@Z |
| 9 | 0x7c3796d3 | ??0exception@@QAE@ABQBD@Z |
| 10 | 0x7c37971b | ??0exception@@QAE@ABV0@@Z |
| 11 | 0x7c3796c2 | ??0exception@@QAE@XZ |
| 12 | 0x7c379812 | ??1__non_rtti_object@@UAE@XZ |
| 13 | 0x7c3797c1 | ??1bad_cast@@UAE@XZ |
| 14 | 0x7c379812 | ??1bad_typeid@@UAE@XZ |
| 15 | 0x7c37976d | ??1exception@@UAE@XZ |
| 16 | 0x7c379975 | ??1type_info@@UAE@XZ |
| 17 | 0x7c381620 | ??2@YAPAXI@Z |
| 18 | 0x7c38162e | ??3@YAXPAX@Z |
| 19 | 0x7c379963 | ??4__non_rtti_object@@QAEAAV0@ABV0@@Z |
| 20 | 0x7c379963 | ??4bad_cast@@QAEAAV0@ABV0@@Z |
| 21 | 0x7c379963 | ??4bad_typeid@@QAEAAV0@ABV0@@Z |
| 22 | 0x7c379944 | ??4exception@@QAEAAV0@ABV0@@Z |
| 23 | 0x7c3799bb | ??8type_info@@QBEHABV0@@Z |
| 24 | 0x7c3799d6 | ??9type_info@@QBEHABV0@@Z |
| 25 | 0x7c39f130 | ??_7__non_rtti_object@@6B@ |
| 26 | 0x7c39a9d8 | ??_7bad_cast@@6B@ |
| 27 | 0x7c39a9f8 | ??_7bad_typeid@@6B@ |
| 28 | 0x7c39a9b8 | ??_7exception@@6B@ |
| 29 | 0x7c379898 | ??_Fbad_cast@@QAEXXZ |
| 30 | 0x7c3798ee | ??_Fbad_typeid@@QAEXXZ |
| 31 | 0x7c381633 | ??_U@YAPAXI@Z |
| 32 | 0x7c381635 | ??_V@YAXPAX@Z |
| 34 | 0x7c36a882 | ?_query_new_handler@@YAP6AHI@ZXZ |
| 35 | 0x7c36a8e6 | ?_query_new_mode@@YAHXZ |
| 36 | 0x7c36a85e | ?_set_new_handler@@YAP6AHI@ZP6AHI@Z@Z |
| 37 | 0x7c36a8c9 | ?_set_new_mode@@YAHH@Z |
| 38 | 0x7c37a655 | ?_set_se_translator@@YAP6AXIPAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z |
| 39 | 0x7c3799f2 | ?before@type_info@@QBEHABV1@@Z |
| 40 | 0x7c37a66e | ?name@type_info@@QBEPBDXZ |
| 41 | 0x7c379a11 | ?raw_name@type_info@@QBEPBDXZ |
| 42 | 0x7c36a8a3 | ?set_new_handler@@YAP6AXXZP6AXXZ@Z |
| 43 | 0x7c37a623 | ?set_terminate@@YAP6AXXZP6AXXZ@Z |
| 44 | 0x7c37a63c | ?set_unexpected@@YAP6AXXZP6AXXZ@Z |
| 45 | 0x7c387bde | ?swprintf@@YAHPAGIPBGZZ |
| 46 | 0x7c362ae6 | ?swprintf@@YAHPA_WIPB_WZZ |
| 47 | 0x7c37a710 | ?terminate@@YAXXZ |
| 48 | 0x7c37a749 | ?unexpected@@YAXXZ |
| 49 | 0x7c3633df | ?vswprintf@@YAHPAGIPBGPAD@Z |
| 50 | 0x7c3633df | ?vswprintf@@YAHPA_WIPB_WPAD@Z |
| 51 | 0x7c379783 | ?what@exception@@UBEPBDXZ |
| 53 | 0x7c364c45 | _CIacos |
| 54 | 0x7c364d10 | _CIasin |
| 55 | 0x7c364e1a | _CIatan |
| 56 | 0x7c364ef8 | _CIatan2 |
| 57 | 0x7c364f02 | _CIcos |
| 58 | 0x7c364fd8 | _CIcosh |
| 59 | 0x7c365027 | _CIexp |
| 60 | 0x7c365080 | _CIfmod |
| 61 | 0x7c3650e7 | _CIlog |
| 62 | 0x7c365235 | _CIlog10 |
| 63 | 0x7c365383 | _CIpow |
| 64 | 0x7c3655cc | _CIsin |
| 65 | 0x7c364fce | _CIsinh |
| 66 | 0x7c36567a | _CIsqrt |
| 67 | 0x7c365734 | _CItan |
| 68 | 0x7c364fe2 | _CItanh |
| 69 | 0x7c396be2 | _CRT_RTC_INIT |
| 70 | 0x7c37a788 | _CxxThrowException |
| 71 | 0x7c36476f | _EH_prolog |
| 72 | 0x7c372299 | _Getdays |
| 73 | 0x7c372318 | _Getmonths |
| 74 | 0x7c3723ad | _Gettnames |
| 75 | 0x7c3aca0c | _HUGE |
| 76 | 0x7c372e2c | _Strftime |
| 77 | 0x7c36e12a | _XcptFilter |
| 78 | 0x7c36e28e | __CppXcptFilter |
| 79 | 0x7c379d8f | __CxxCallUnwindDtor |
| 80 | 0x7c379dbd | __CxxCallUnwindVecDtor |
| 81 | 0x7c379cb5 | __CxxDetectRethrow |
| 82 | 0x7c37a134 | __CxxExceptionFilter |
| 83 | 0x7c37a846 | __CxxFrameHandler |
| 84 | 0x7c37a87c | __CxxLongjmpUnwind |
| 85 | 0x7c379d8b | __CxxQueryExceptionSize |
| 86 | 0x7c379c12 | __CxxRegisterExceptionObject |
| 87 | 0x7c379ced | __CxxUnregisterExceptionObject |
| 88 | 0x7c379b9b | __DestructExceptionObject |
| 89 | 0x7c37acd4 | __RTCastToVoid |
| 90 | 0x7c37af5e | __RTDynamicCast |
| 91 | 0x7c37abaf | __RTtypeid |
| 92 | 0x7c3928ea | __STRINGTOLD |
| 93 | 0x7c37047c | ___lc_codepage_func |
| 94 | 0x7c370495 | ___lc_collate_cp_func |
| 95 | 0x7c3704ae | ___lc_handle_func |
| 96 | 0x7c370476 | ___mb_cur_max_func |
| 97 | 0x7c36e2a9 | ___setlc_active_func |
| 98 | 0x7c36e2af | ___unguarded_readlc_active_add_func |
| 99 | 0x7c3aca28 | __argc |
| 100 | 0x7c3aca2c | __argv |
| 101 | 0x7c3ab5fc | __badioinfo |
| 102 | 0x7c36f44b | __buffer_overrun |
| 103 | 0x7c362bc0 | __crtCompareStringA |
| 104 | 0x7c3749fa | __crtCompareStringW |
| 105 | 0x7c371120 | __crtGetLocaleInfoW |
| 106 | 0x7c374ea5 | __crtGetStringTypeW |
| 107 | 0x7c36141a | __crtLCMapStringA |
| 108 | 0x7c374c4c | __crtLCMapStringW |
| 109 | 0x7c3628ae | __dllonexit |
| 110 | 0x7c36be03 | __doserrno |
| 111 | 0x7c36edac | __fpecode |
| 112 | 0x7c36249d | __getmainargs |
| 113 | 0x7c3aca38 | __initenv |
| 114 | 0x7c36b038 | __iob_func |
| 115 | 0x7c373a39 | __isascii |
| 116 | 0x7c373a68 | __iscsym |
| 117 | 0x7c373a4e | __iscsymf |
| 118 | 0x7c3ab630 | __lc_clike |
| 119 | 0x7c3aca70 | __lc_codepage |
| 120 | 0x7c3aca74 | __lc_collate_cp |
| 121 | 0x7c3aca58 | __lc_handle |
| 122 | 0x7c3866c0 | __lconv_init |
| 123 | 0x7c3ab624 | __mb_cur_max |
| 124 | 0x7c36affc | __p___argc |
| 125 | 0x7c36b002 | __p___argv |
| 126 | 0x7c36b02c | __p___initenv |
| 127 | 0x7c36b04a | __p___mb_cur_max |
| 128 | 0x7c36b008 | __p___wargv |
| 129 | 0x7c36b032 | __p___winitenv |
| 130 | 0x7c36afea | __p__acmdln |
| 131 | 0x7c36aff6 | __p__amblksiz |
| 132 | 0x7c361230 | __p__commode |
| 133 | 0x7c36b00e | __p__daylight |
| 134 | 0x7c36b014 | __p__dstbias |
| 135 | 0x7c36b01a | __p__environ |
| 136 | 0x7c36b026 | __p__fileinfo |
| 137 | 0x7c36122a | __p__fmode |
| 138 | 0x7c36b038 | __p__iob |
| 139 | 0x7c36b044 | __p__mbcasemap |
| 140 | 0x7c36b03e | __p__mbctype |
| 141 | 0x7c36b050 | __p__osver |
| 142 | 0x7c36b056 | __p__pctype |
| 143 | 0x7c36b062 | __p__pgmptr |
| 144 | 0x7c36b05c | __p__pwctype |
| 145 | 0x7c36b06e | __p__timezone |
| 146 | 0x7c36b074 | __p__tzname |
| 147 | 0x7c36aff0 | __p__wcmdln |
| 148 | 0x7c36b020 | __p__wenviron |
| 149 | 0x7c36b07a | __p__winmajor |
| 150 | 0x7c36b080 | __p__winminor |
| 151 | 0x7c36b086 | __p__winver |
| 152 | 0x7c36b068 | __p__wpgmptr |
| 153 | 0x7c36e114 | __pctype_func |
| 154 | 0x7c3acaa0 | __pioinfo |
| 155 | 0x7c36e10e | __pwctype_func |
| 156 | 0x7c36edb5 | __pxcptinfoptrs |
| 157 | 0x7c36f301 | __security_error_handler |
| 158 | 0x7c36120d | __set_app_type |
| 159 | 0x7c36f457 | __set_buffer_overrun_handler |
| 160 | 0x7c3acdc0 | __setlc_active |
| 161 | 0x7c36a914 | __setusermatherr |
| 162 | 0x7c36b5d7 | __threadhandle |
| 163 | 0x7c36b5d1 | __threadid |
| 164 | 0x7c373a46 | __toascii |
| 165 | 0x7c37f5b0 | __unDName |
| 166 | 0x7c37f650 | __unDNameEx |
| 33 | 0x7c379bff | __uncaught_exception |
| 167 | 0x7c3acdc4 | __unguarded_readlc_active |
| 168 | 0x7c3aca30 | __wargv |
| 169 | 0x7c3866ed | __wcserror |
| 170 | 0x7c36af5d | __wgetmainargs |
| 171 | 0x7c3aca40 | __winitenv |
| 172 | 0x7c362b5d | _abnormal_termination |
| 173 | 0x7c3777ff | _access |
| 174 | 0x7c3aca50 | _acmdln |
| 175 | 0x7c365e5a | _adj_fdiv_m16i |
| 176 | 0x7c365dc2 | _adj_fdiv_m32 |
| 177 | 0x7c365e8e | _adj_fdiv_m32i |
| 178 | 0x7c365e0e | _adj_fdiv_m64 |
| 179 | 0x7c3658fd | _adj_fdiv_r |
| 180 | 0x7c365f5a | _adj_fdivr_m16i |
| 181 | 0x7c365ec2 | _adj_fdivr_m32 |
| 182 | 0x7c365f8e | _adj_fdivr_m32i |
| 183 | 0x7c365f0e | _adj_fdivr_m64 |
| 184 | 0x7c36656b | _adj_fpatan |
| 185 | 0x7c3661f2 | _adj_fprem |
| 186 | 0x7c3664aa | _adj_fprem1 |
| 187 | 0x7c36656e | _adj_fptan |
| 188 | 0x7c3aca7c | _adjust_fdiv |
| 189 | 0x7c3ab4d4 | _aexit_rtn |
| 190 | 0x7c3816cb | _aligned_free |
| 191 | 0x7c3816e0 | _aligned_malloc |
| 192 | 0x7c38163a | _aligned_offset_malloc |
| 193 | 0x7c3816f3 | _aligned_offset_realloc |
| 194 | 0x7c38185a | _aligned_realloc |
| 195 | 0x7c36afb7 | _amsg_exit |
| 196 | 0x7c36db77 | _assert |
| 197 | 0x7c392ce0 | _atodbl |
| 198 | 0x7c3736fb | _atoi64 |
| 199 | 0x7c392d25 | _atoldbl |
| 200 | 0x7c376b13 | _beep |
| 201 | 0x7c36b250 | _beginthread |
| 202 | 0x7c36b3a6 | _beginthreadex |
| 203 | 0x7c36ad94 | _c_exit |
| 204 | 0x7c393aad | _cabs |
| 205 | 0x7c36a888 | _callnewh |
| 206 | 0x7c36ad85 | _cexit |
| 207 | 0x7c381c61 | _cgets |
| 208 | 0x7c381d5a | _cgetws |
| 209 | 0x7c377845 | _chdir |
| 210 | 0x7c377a76 | _chdrive |
| 211 | 0x7c393aeb | _chgsign |
| 212 | 0x7c3866a8 | _chkesp |
| 213 | 0x7c377b04 | _chmod |
| 214 | 0x7c382162 | _chsize |
| 215 | 0x7c373593 | _clearfp |
| 216 | 0x7c3742a0 | _close |
| 217 | 0x7c374137 | _commit |
| 218 | 0x7c3aca78 | _commode |
| 219 | 0x7c3623bf | _control87 |
| 220 | 0x7c3623f1 | _controlfp |
| 221 | 0x7c393aca | _copysign |
| 222 | 0x7c3883bb | _cprintf |
| 223 | 0x7c3821f9 | _cputs |
| 224 | 0x7c382312 | _cputws |
| 225 | 0x7c3823ba | _creat |
| 226 | 0x7c389099 | _cscanf |
| 227 | 0x7c3907fd | _ctime64 |
| 228 | 0x7c37fe0c | _cwait |
| 229 | 0x7c3898c9 | _cwprintf |
| 230 | 0x7c38a671 | _cwscanf |
| 231 | 0x7c3ac8c4 | _daylight |
| 232 | 0x7c3ac8c8 | _dstbias |
| 233 | 0x7c3824bc | _dup |
| 234 | 0x7c3826b0 | _dup2 |
| 235 | 0x7c3754fd | _ecvt |
| 236 | 0x7c36b181 | _endthread |
| 237 | 0x7c36b2e1 | _endthreadex |
| 238 | 0x7c3aca34 | _environ |
| 239 | 0x7c382779 | _eof |
| 240 | 0x7c36bdfa | _errno |
| 241 | 0x7c364817 | _except_handler2 |
| 242 | 0x7c3638e2 | _except_handler3 |
| 243 | 0x7c37fe9b | _execl |
| 244 | 0x7c37feaf | _execle |
| 245 | 0x7c37fed0 | _execlp |
| 246 | 0x7c37fee1 | _execlpe |
| 247 | 0x7c37ff02 | _execv |
| 248 | 0x7c37ff67 | _execve |
| 249 | 0x7c3800a7 | _execvp |
| 250 | 0x7c3800ba | _execvpe |
| 251 | 0x7c36ad74 | _exit |
| 252 | 0x7c381871 | _expand |
| 253 | 0x7c371572 | _fcloseall |
| 254 | 0x7c3754b2 | _fcvt |
| 255 | 0x7c38a682 | _fdopen |
| 256 | 0x7c38a781 | _fgetchar |
| 257 | 0x7c38a78f | _fgetwchar |
| 258 | 0x7c38a79d | _filbuf |
| 259 | 0x7c3ab5f8 | _fileinfo |
| 260 | 0x7c382879 | _filelength |
| 261 | 0x7c38294d | _filelengthi64 |
| 262 | 0x7c38a87e | _fileno |
| 263 | 0x7c376b22 | _findclose |
| 264 | 0x7c376ba6 | _findfirst |
| 265 | 0x7c376dcb | _findfirst64 |
| 266 | 0x7c376fd6 | _findfirsti64 |
| 267 | 0x7c376c88 | _findnext |
| 268 | 0x7c376ed3 | _findnext64 |
| 269 | 0x7c3770d2 | _findnexti64 |
| 270 | 0x7c393eb5 | _finite |
| 271 | 0x7c362598 | _flsbuf |
| 272 | 0x7c363736 | _flushall |
| 273 | 0x7c3aca54 | _fmode |
| 274 | 0x7c393ef8 | _fpclass |
| 275 | 0x7c39448a | _fpieee_flt |
| 276 | 0x7c37351f | _fpreset |
| 277 | 0x7c38a886 | _fputchar |
| 278 | 0x7c38a899 | _fputwchar |
| 279 | 0x7c38a8ac | _fsopen |
| 280 | 0x7c382a41 | _fstat |
| 281 | 0x7c382cfd | _fstat64 |
| 282 | 0x7c382ffd | _fstati64 |
| 283 | 0x7c390816 | _ftime |
| 284 | 0x7c390911 | _ftime64 |
| 285 | 0x7c366571 | _ftol |
| 286 | 0x7c377b45 | _fullpath |
| 287 | 0x7c390a22 | _futime |
| 288 | 0x7c390b9f | _futime64 |
| 289 | 0x7c375552 | _gcvt |
| 290 | 0x7c36bf55 | _get_heap_handle |
| 291 | 0x7c374696 | _get_osfhandle |
| 292 | 0x7c36bf5b | _get_sbh_threshold |
| 293 | 0x7c383607 | _getch |
| 294 | 0x7c383642 | _getche |
| 295 | 0x7c377d2d | _getcwd |
| 296 | 0x7c377d73 | _getdcwd |
| 297 | 0x7c3771c9 | _getdiskfree |
| 298 | 0x7c380225 | _getdllprocaddr |
| 299 | 0x7c37798d | _getdrive |
| 300 | 0x7c37721b | _getdrives |
| 301 | 0x7c38aa16 | _getmaxstdio |
| 302 | 0x7c36d803 | _getmbcp |
| 303 | 0x7c377dba | _getpid |
| 304 | 0x7c390d22 | _getsystime |
| 305 | 0x7c38aa1c | _getw |
| 306 | 0x7c383887 | _getwch |
| 307 | 0x7c3838c3 | _getwche |
| 308 | 0x7c38aa99 | _getws |
| 309 | 0x7c3639e3 | _global_unwind2 |
| 310 | 0x7c390de6 | _gmtime64 |
| 311 | 0x7c3819b6 | _heapadd |
| 312 | 0x7c3819c5 | _heapchk |
| 313 | 0x7c381a92 | _heapmin |
| 314 | 0x7c381a8d | _heapset |
| 315 | 0x7c381b39 | _heapused |
| 316 | 0x7c381b47 | _heapwalk |
| 317 | 0x7c393a90 | _hypot |
| 318 | 0x7c362f07 | _i64toa |
| 319 | 0x7c362e5d | _i64tow |
| 320 | 0x7c36348d | _initterm |
| 321 | 0x7c3647da | _inp |
| 322 | 0x7c3647eb | _inpd |
| 323 | 0x7c3647e3 | _inpw |
| 324 | 0x7c3ab638 | _iob |
| 325 | 0x7c3741f3 | _isatty |
| 326 | 0x7c373d1d | _isctype |
| 327 | 0x7c384a29 | _ismbbalnum |
| 328 | 0x7c384a3d | _ismbbalpha |
| 329 | 0x7c384a51 | _ismbbgraph |
| 330 | 0x7c3849f6 | _ismbbkalnum |
| 331 | 0x7c384aac | _ismbbkana |
| 332 | 0x7c384a07 | _ismbbkprint |
| 333 | 0x7c384a18 | _ismbbkpunct |
| 334 | 0x7c384a8a | _ismbblead |
| 335 | 0x7c384a65 | _ismbbprint |
| 336 | 0x7c384a79 | _ismbbpunct |
| 337 | 0x7c384a9b | _ismbbtrail |
| 338 | 0x7c384ad3 | _ismbcalnum |
| 339 | 0x7c384b68 | _ismbcalpha |
| 340 | 0x7c384bfd | _ismbcdigit |
| 341 | 0x7c384c81 | _ismbcgraph |
| 342 | 0x7c384d16 | _ismbchira |
| 343 | 0x7c384d3d | _ismbckata |
| 344 | 0x7c384d95 | _ismbcl0 |
| 345 | 0x7c384ddf | _ismbcl1 |
| 346 | 0x7c384e31 | _ismbcl2 |
| 347 | 0x7c384e83 | _ismbclegal |
| 348 | 0x7c384ebc | _ismbclower |
| 349 | 0x7c384f46 | _ismbcprint |
| 350 | 0x7c384fdb | _ismbcpunct |
| 351 | 0x7c38506c | _ismbcspace |
| 352 | 0x7c384d69 | _ismbcsymbol |
| 353 | 0x7c3850f0 | _ismbcupper |
| 354 | 0x7c3851b7 | _ismbslead |
| 355 | 0x7c3851de | _ismbstrail |
| 356 | 0x7c393eca | _isnan |
| 357 | 0x7c3735e8 | _itoa |
| 358 | 0x7c3755ff | _itow |
| 359 | 0x7c394aea | _j0 |
| 360 | 0x7c394bdd | _j1 |
| 361 | 0x7c394cf0 | _jn |
| 362 | 0x7c38367d | _kbhit |
| 363 | 0x7c3867a1 | _lfind |
| 364 | 0x7c380254 | _loaddll |
| 365 | 0x7c363a25 | _local_unwind2 |
| 366 | 0x7c39100b | _localtime64 |
| 367 | 0x7c3630f0 | _lock |
| 368 | 0x7c3839fc | _locking |
| 369 | 0x7c393b27 | _logb |
| 370 | 0x7c3648c5 | _longjmpex |
| 371 | 0x7c3867d3 | _lrotl |
| 372 | 0x7c3867f0 | _lrotr |
| 373 | 0x7c38680d | _lsearch |
| 374 | 0x7c3743af | _lseek |
| 375 | 0x7c3744dd | _lseeki64 |
| 376 | 0x7c373612 | _ltoa |
| 377 | 0x7c375640 | _ltow |
| 378 | 0x7c38684c | _makepath |
| 379 | 0x7c385229 | _mbbtombc |
| 380 | 0x7c385358 | _mbbtype |
| 381 | 0x7c3accc0 | _mbcasemap |
| 382 | 0x7c38537f | _mbccpy |
| 383 | 0x7c3853a2 | _mbcjistojms |
| 384 | 0x7c385404 | _mbcjmstojis |
| 385 | 0x7c3854ae | _mbclen |
| 386 | 0x7c3854cc | _mbctohira |
| 387 | 0x7c3854fe | _mbctokata |
| 388 | 0x7c385521 | _mbctolower |
| 389 | 0x7c38528e | _mbctombb |
| 390 | 0x7c3855a6 | _mbctoupper |
| 391 | 0x7c3acba0 | _mbctype |
| 392 | 0x7c38566a | _mbsbtype |
| 393 | 0x7c363ac7 | _mbscat |
| 394 | 0x7c3753da | _mbschr |
| 395 | 0x7c36d9f1 | _mbscmp |
| 396 | 0x7c385691 | _mbscoll |
| 397 | 0x7c361356 | _mbscpy |
| 398 | 0x7c385747 | _mbscspn |
| 399 | 0x7c36da85 | _mbsdec |
| 400 | 0x7c372007 | _mbsdup |
| 401 | 0x7c36d813 | _mbsicmp |
| 402 | 0x7c38576e | _mbsicoll |
| 403 | 0x7c3857ad | _mbsinc |
| 404 | 0x7c3857c9 | _mbslen |
| 405 | 0x7c38580d | _mbslwr |
| 406 | 0x7c385892 | _mbsnbcat |
| 407 | 0x7c385962 | _mbsnbcmp |
| 408 | 0x7c385a6f | _mbsnbcnt |
| 409 | 0x7c385a96 | _mbsnbcoll |
| 410 | 0x7c36d95e | _mbsnbcpy |
| 411 | 0x7c385ae4 | _mbsnbicmp |
| 412 | 0x7c362d68 | _mbsnbicoll |
| 413 | 0x7c385c53 | _mbsnbset |
| 414 | 0x7c385ccf | _mbsncat |
| 415 | 0x7c385d8b | _mbsnccnt |
| 416 | 0x7c385dd9 | _mbsncmp |
| 417 | 0x7c385e7e | _mbsncoll |
| 418 | 0x7c385ee8 | _mbsncpy |
| 419 | 0x7c385f70 | _mbsnextc |
| 420 | 0x7c385f99 | _mbsnicmp |
| 421 | 0x7c3860df | _mbsnicoll |
| 422 | 0x7c386149 | _mbsninc |
| 423 | 0x7c386167 | _mbsnset |
| 424 | 0x7c36db50 | _mbspbrk |
| 425 | 0x7c386249 | _mbsrchr |
| 426 | 0x7c3862b4 | _mbsrev |
| 427 | 0x7c386323 | _mbsset |
| 428 | 0x7c3863f3 | _mbsspn |
| 429 | 0x7c38649f | _mbsspnp |
| 430 | 0x7c3864c6 | _mbsstr |
| 431 | 0x7c386578 | _mbstok |
| 432 | 0x7c375706 | _mbstrlen |
| 433 | 0x7c386623 | _mbsupr |
| 434 | 0x7c3649f5 | _memccpy |
| 435 | 0x7c38fa80 | _memicmp |
| 436 | 0x7c377dc0 | _mkdir |
| 437 | 0x7c383aa7 | _mktemp |
| 438 | 0x7c391469 | _mktime64 |
| 439 | 0x7c362903 | _msize |
| 440 | 0x7c393c12 | _nextafter |
| 441 | 0x7c361e50 | _onexit |
| 442 | 0x7c383e52 | _open |
| 443 | 0x7c374915 | _open_osfhandle |
| 444 | 0x7c3aca14 | _osplatform |
| 445 | 0x7c3aca18 | _osver |
| 446 | 0x7c3647f2 | _outp |
| 447 | 0x7c36480c | _outpd |
| 448 | 0x7c3647ff | _outpw |
| 449 | 0x7c38af32 | _pclose |
| 450 | 0x7c3ab628 | _pctype |
| 451 | 0x7c3aca44 | _pgmptr |
| 452 | 0x7c383efc | _pipe |
| 453 | 0x7c38ab66 | _popen |
| 454 | 0x7c3868dc | _purecall |
| 455 | 0x7c38413a | _putch |
| 456 | 0x7c3869bf | _putenv |
| 457 | 0x7c38afc1 | _putw |
| 458 | 0x7c38237a | _putwch |
| 459 | 0x7c38b041 | _putws |
| 460 | 0x7c3ab62c | _pwctype |
| 461 | 0x7c384356 | _read |
| 462 | 0x7c373ded | _resetstkoflw |
| 463 | 0x7c377dec | _rmdir |
| 464 | 0x7c36362e | _rmtmp |
| 465 | 0x7c3867d3 | _rotl |
| 466 | 0x7c3867f0 | _rotr |
| 467 | 0x7c365fc2 | _safe_fdiv |
| 468 | 0x7c365fd7 | _safe_fdivr |
| 469 | 0x7c36655f | _safe_fprem |
| 470 | 0x7c366565 | _safe_fprem1 |
| 471 | 0x7c393b11 | _scalb |
| 472 | 0x7c38b128 | _scprintf |
| 473 | 0x7c38b1c8 | _scwprintf |
| 474 | 0x7c3869fe | _searchenv |
| 475 | 0x7c3639c8 | _seh_longjmp_unwind |
| 476 | 0x7c3951f8 | _set_SSE2_enable |
| 477 | 0x7c36a8ec | _set_error_mode |
| 478 | 0x7c3868f0 | _set_purecall_handler |
| 479 | 0x7c36d1b3 | _set_sbh_threshold |
| 480 | 0x7c36f457 | _set_security_error_handler |
| 481 | 0x7c377221 | _seterrormode |
| 482 | 0x7c3648ca | _setjmp |
| 483 | 0x7c364902 | _setjmp3 |
| 484 | 0x7c38a91b | _setmaxstdio |
| 485 | 0x7c361cf7 | _setmbcp |
| 486 | 0x7c38446d | _setmode |
| 487 | 0x7c390d7d | _setsystime |
| 488 | 0x7c376b02 | _sleep |
| 489 | 0x7c38b1f9 | _snprintf |
| 490 | 0x7c38b250 | _snscanf |
| 491 | 0x7c362ae6 | _snwprintf |
| 492 | 0x7c38b281 | _snwscanf |
| 493 | 0x7c383ea7 | _sopen |
| 494 | 0x7c380276 | _spawnl |
| 495 | 0x7c38028e | _spawnle |
| 496 | 0x7c3802b3 | _spawnlp |
| 497 | 0x7c3802c9 | _spawnlpe |
| 498 | 0x7c3802ee | _spawnv |
| 499 | 0x7c380358 | _spawnve |
| 500 | 0x7c3804a1 | _spawnvp |
| 501 | 0x7c3804b8 | _spawnvpe |
| 502 | 0x7c386b17 | _splitpath |
| 503 | 0x7c377ed3 | _stat |
| 504 | 0x7c3781fa | _stat64 |
| 505 | 0x7c3784f8 | _stati64 |
| 506 | 0x7c373583 | _statusfp |
| 507 | 0x7c3720d2 | _strcmpi |
| 508 | 0x7c391476 | _strdate |
| 509 | 0x7c372007 | _strdup |
| 510 | 0x7c386c5f | _strerror |
| 511 | 0x7c3720d2 | _stricmp |
| 512 | 0x7c38faff | _stricoll |
| 513 | 0x7c38fb55 | _strlwr |
| 514 | 0x7c38fc69 | _strncoll |
| 515 | 0x7c37221a | _strnicmp |
| 516 | 0x7c38fce2 | _strnicoll |
| 517 | 0x7c364a50 | _strnset |
| 518 | 0x7c364a7b | _strrev |
| 519 | 0x7c364ab0 | _strset |
| 520 | 0x7c3914e6 | _strtime |
| 521 | 0x7c3759d0 | _strtoi64 |
| 522 | 0x7c3759e7 | _strtoui64 |
| 523 | 0x7c38fd5b | _strupr |
| 524 | 0x7c3759fe | _swab |
| 525 | 0x7c3ac958 | _sys_errlist |
| 526 | 0x7c3aca08 | _sys_nerr |
| 527 | 0x7c384504 | _tell |
| 528 | 0x7c384515 | _telli64 |
| 529 | 0x7c38b2fe | _tempnam |
| 530 | 0x7c39154d | _time64 |
| 531 | 0x7c3ac8c0 | _timezone |
| 532 | 0x7c373bb4 | _tolower |
| 533 | 0x7c375a29 | _toupper |
| 534 | 0x7c3ac8d0 | _tzname |
| 535 | 0x7c3734ac | _tzset |
| 536 | 0x7c373653 | _ui64toa |
| 537 | 0x7c3756c2 | _ui64tow |
| 538 | 0x7c373639 | _ultoa |
| 539 | 0x7c375681 | _ultow |
| 540 | 0x7c386d03 | _umask |
| 541 | 0x7c3835c6 | _ungetch |
| 542 | 0x7c3838ff | _ungetwch |
| 543 | 0x7c3787f5 | _unlink |
| 544 | 0x7c38025f | _unloaddll |
| 545 | 0x7c363112 | _unlock |
| 546 | 0x7c390b68 | _utime |
| 547 | 0x7c390ceb | _utime64 |
| 548 | 0x7c38b522 | _vscprintf |
| 549 | 0x7c38b5c0 | _vscwprintf |
| 550 | 0x7c38b5f0 | _vsnprintf |
| 551 | 0x7c3633df | _vsnwprintf |
| 552 | 0x7c3787f7 | _waccess |
| 553 | 0x7c3915a3 | _wasctime |
| 554 | 0x7c37883d | _wchdir |
| 555 | 0x7c378986 | _wchmod |
| 556 | 0x7c3aca4c | _wcmdln |
| 557 | 0x7c384528 | _wcreat |
| 558 | 0x7c372032 | _wcsdup |
| 559 | 0x7c386d19 | _wcserror |
| 560 | 0x7c362f2d | _wcsicmp |
| 561 | 0x7c38fe6f | _wcsicoll |
| 562 | 0x7c38ff0c | _wcslwr |
| 563 | 0x7c39002b | _wcsncoll |
| 564 | 0x7c3900a4 | _wcsnicmp |
| 565 | 0x7c37213b | _wcsnicoll |
| 566 | 0x7c390164 | _wcsnset |
| 567 | 0x7c39018d | _wcsrev |
| 568 | 0x7c3901bf | _wcsset |
| 569 | 0x7c375d6f | _wcstoi64 |
| 570 | 0x7c375d86 | _wcstoui64 |
| 571 | 0x7c3901d8 | _wcsupr |
| 572 | 0x7c39167f | _wctime |
| 573 | 0x7c391698 | _wctime64 |
| 574 | 0x7c39a750 | _wctype |
| 575 | 0x7c3aca3c | _wenviron |
| 576 | 0x7c380621 | _wexecl |
| 577 | 0x7c380635 | _wexecle |
| 578 | 0x7c380656 | _wexeclp |
| 579 | 0x7c380667 | _wexeclpe |
| 580 | 0x7c380688 | _wexecv |
| 581 | 0x7c3806ed | _wexecve |
| 582 | 0x7c38082a | _wexecvp |
| 583 | 0x7c38083d | _wexecvpe |
| 584 | 0x7c38b646 | _wfdopen |
| 585 | 0x7c37722c | _wfindfirst |
| 586 | 0x7c3773eb | _wfindfirst64 |
| 587 | 0x7c3775fe | _wfindfirsti64 |
| 588 | 0x7c37730e | _wfindnext |
| 589 | 0x7c3774f7 | _wfindnext64 |
| 590 | 0x7c377701 | _wfindnexti64 |
| 591 | 0x7c38b7a8 | _wfopen |
| 592 | 0x7c38b7bb | _wfreopen |
| 593 | 0x7c38b74c | _wfsopen |
| 594 | 0x7c3789c7 | _wfullpath |
| 595 | 0x7c378b6f | _wgetcwd |
| 596 | 0x7c378bb5 | _wgetdcwd |
| 597 | 0x7c386de4 | _wgetenv |
| 598 | 0x7c3aca20 | _winmajor |
| 599 | 0x7c3aca24 | _winminor |
| 600 | 0x7c3aca1c | _winver |
| 601 | 0x7c386e23 | _wmakepath |
| 602 | 0x7c378bfc | _wmkdir |
| 603 | 0x7c38453e | _wmktemp |
| 604 | 0x7c3848db | _wopen |
| 605 | 0x7c386ed4 | _wperror |
| 606 | 0x7c3aca48 | _wpgmptr |
| 607 | 0x7c38b821 | _wpopen |
| 608 | 0x7c387093 | _wputenv |
| 609 | 0x7c378c28 | _wremove |
| 610 | 0x7c378c54 | _wrename |
| 611 | 0x7c37408c | _write |
| 612 | 0x7c378c82 | _wrmdir |
| 613 | 0x7c3870d2 | _wsearchenv |
| 614 | 0x7c3871f0 | _wsetlocale |
| 615 | 0x7c384930 | _wsopen |
| 616 | 0x7c38098e | _wspawnl |
| 617 | 0x7c3809a6 | _wspawnle |
| 618 | 0x7c3809cb | _wspawnlp |
| 619 | 0x7c3809e1 | _wspawnlpe |
| 620 | 0x7c380a06 | _wspawnv |
| 621 | 0x7c380a70 | _wspawnve |
| 622 | 0x7c380bb3 | _wspawnvp |
| 623 | 0x7c380bca | _wspawnvpe |
| 624 | 0x7c387321 | _wsplitpath |
| 625 | 0x7c378dfa | _wstat |
| 626 | 0x7c3790b9 | _wstat64 |
| 627 | 0x7c3793bc | _wstati64 |
| 628 | 0x7c3916b1 | _wstrdate |
| 629 | 0x7c39172e | _wstrtime |
| 630 | 0x7c380d0b | _wsystem |
| 631 | 0x7c38bc41 | _wtempnam |
| 632 | 0x7c38becf | _wtmpnam |
| 633 | 0x7c375d9d | _wtof |
| 634 | 0x7c375ed3 | _wtoi |
| 635 | 0x7c375ed5 | _wtoi64 |
| 636 | 0x7c375e74 | _wtol |
| 637 | 0x7c378c52 | _wunlink |
| 638 | 0x7c3917a5 | _wutime |
| 639 | 0x7c3917dc | _wutime64 |
| 640 | 0x7c394ea6 | _y0 |
| 641 | 0x7c394fd2 | _y1 |
| 642 | 0x7c39510e | _yn |
| 643 | 0x7c36ecd8 | abort |
| 644 | 0x7c387508 | abs |
| 645 | 0x7c364c59 | acos |
| 646 | 0x7c391813 | asctime |
| 647 | 0x7c364d24 | asin |
| 648 | 0x7c364ddb | atan |
| 649 | 0x7c364eee | atan2 |
| 650 | 0x7c361e82 | atexit |
| 651 | 0x7c375f63 | atof |
| 652 | 0x7c3736f6 | atoi |
| 653 | 0x7c37366e | atol |
| 654 | 0x7c38747c | bsearch |
| 655 | 0x7c361844 | calloc |
| 656 | 0x7c366598 | ceil |
| 657 | 0x7c38bf8a | clearerr |
| 658 | 0x7c39191e | clock |
| 659 | 0x7c364f16 | cos |
| 660 | 0x7c364fba | cosh |
| 661 | 0x7c391961 | ctime |
| 662 | 0x7c39197a | difftime |
| 663 | 0x7c387513 | div |
| 664 | 0x7c363810 | exit |
| 665 | 0x7c364fec | exp |
| 666 | 0x7c39520c | fabs |
| 667 | 0x7c371f78 | fclose |
| 668 | 0x7c38bfef | feof |
| 669 | 0x7c38bffa | ferror |
| 670 | 0x7c3713ee | fflush |
| 671 | 0x7c38c005 | fgetc |
| 672 | 0x7c38c055 | fgetpos |
| 673 | 0x7c38c077 | fgets |
| 674 | 0x7c38c1f1 | fgetwc |
| 675 | 0x7c38c235 | fgetws |
| 676 | 0x7c3666b3 | floor |
| 677 | 0x7c365076 | fmod |
| 678 | 0x7c38a908 | fopen |
| 679 | 0x7c37143e | fprintf |
| 680 | 0x7c38c2b5 | fputc |
| 681 | 0x7c38c30d | fputs |
| 682 | 0x7c38c37e | fputwc |
| 683 | 0x7c38c3c8 | fputws |
| 684 | 0x7c38c51f | fread |
| 685 | 0x7c36355a | free |
| 686 | 0x7c38c56b | freopen |
| 687 | 0x7c3952bd | frexp |
| 688 | 0x7c38c5d1 | fscanf |
| 689 | 0x7c38c6aa | fseek |
| 690 | 0x7c38c6f3 | fsetpos |
| 691 | 0x7c38c86d | ftell |
| 692 | 0x7c38c8ae | fwprintf |
| 693 | 0x7c38ca13 | fwrite |
| 694 | 0x7c38ca5f | fwscanf |
| 695 | 0x7c38c005 | getc |
| 696 | 0x7c38a78d | getchar |
| 697 | 0x7c362fde | getenv |
| 698 | 0x7c38caa9 | gets |
| 699 | 0x7c38c233 | getwc |
| 700 | 0x7c38a79b | getwchar |
| 701 | 0x7c39198b | gmtime |
| 702 | 0x7c373deb | is_wctype |
| 703 | 0x7c373942 | isalnum |
| 704 | 0x7c3737a2 | isalpha |
| 705 | 0x7c3739ff | iscntrl |
| 706 | 0x7c373855 | isdigit |
| 707 | 0x7c3739c0 | isgraph |
| 708 | 0x7c375f9b | isleadbyte |
| 709 | 0x7c37381b | islower |
| 710 | 0x7c373981 | isprint |
| 711 | 0x7c373908 | ispunct |
| 712 | 0x7c3738ce | isspace |
| 713 | 0x7c3737e1 | isupper |
| 714 | 0x7c376018 | iswalnum |
| 715 | 0x7c375fb0 | iswalpha |
| 716 | 0x7c376059 | iswascii |
| 717 | 0x7c37604b | iswcntrl |
| 718 | 0x7c373d9a | iswctype |
| 719 | 0x7c375fdd | iswdigit |
| 720 | 0x7c37603a | iswgraph |
| 721 | 0x7c375fcf | iswlower |
| 722 | 0x7c376029 | iswprint |
| 723 | 0x7c37600a | iswpunct |
| 724 | 0x7c375ffc | iswspace |
| 725 | 0x7c375fc1 | iswupper |
| 726 | 0x7c375feb | iswxdigit |
| 727 | 0x7c37388f | isxdigit |
| 728 | 0x7c387508 | labs |
| 729 | 0x7c395369 | ldexp |
| 730 | 0x7c387513 | ldiv |
| 731 | 0x7c36f7e8 | localeconv |
| 732 | 0x7c391a92 | localtime |
| 733 | 0x7c3650a8 | log |
| 734 | 0x7c3651f6 | log10 |
| 735 | 0x7c36497d | longjmp |
| 736 | 0x7c36281a | malloc |
| 737 | 0x7c376065 | mblen |
| 738 | 0x7c362e33 | mbstowcs |
| 739 | 0x7c362a39 | mbtowc |
| 740 | 0x7c364ad1 | memchr |
| 741 | 0x7c3645b4 | memcmp |
| 742 | 0x7c36423b | memcpy |
| 743 | 0x7c3634d0 | memmove |
| 744 | 0x7c361fed | memset |
| 745 | 0x7c391dd2 | mktime |
| 746 | 0x7c3667d2 | modf |
| 747 | 0x7c38752d | perror |
| 748 | 0x7c365344 | pow |
| 749 | 0x7c38cb33 | printf |
| 750 | 0x7c38c2b5 | putc |
| 751 | 0x7c38a897 | putchar |
| 752 | 0x7c38cb99 | puts |
| 753 | 0x7c38c3c6 | putwc |
| 754 | 0x7c38a8aa | putwchar |
| 755 | 0x7c38763e | qsort |
| 756 | 0x7c36ef5f | raise |
| 757 | 0x7c3878c8 | rand |
| 758 | 0x7c3625f4 | realloc |
| 759 | 0x7c3787cb | remove |
| 760 | 0x7c379694 | rename |
| 761 | 0x7c38cc3a | rewind |
| 762 | 0x7c38ccc3 | scanf |
| 763 | 0x7c38cd17 | setbuf |
| 764 | 0x7c36eb7e | setlocale |
| 765 | 0x7c37149c | setvbuf |
| 766 | 0x7c36edbe | signal |
| 767 | 0x7c3655e0 | sin |
| 768 | 0x7c364fb0 | sinh |
| 769 | 0x7c38b0d0 | sprintf |
| 770 | 0x7c36568e | sqrt |
| 771 | 0x7c3878bb | srand |
| 772 | 0x7c38cd3c | sscanf |
| 773 | 0x7c363ac7 | strcat |
| 774 | 0x7c363c86 | strchr |
| 775 | 0x7c364040 | strcmp |
| 776 | 0x7c3902f7 | strcoll |
| 777 | 0x7c361356 | strcpy |
| 778 | 0x7c364570 | strcspn |
| 779 | 0x7c3878ea | strerror |
| 780 | 0x7c372e5e | strftime |
| 781 | 0x7c36283d | strlen |
| 782 | 0x7c364106 | strncat |
| 783 | 0x7c362247 | strncmp |
| 784 | 0x7c363b38 | strncpy |
| 785 | 0x7c3640c7 | strpbrk |
| 786 | 0x7c364b7c | strrchr |
| 787 | 0x7c364ba9 | strspn |
| 788 | 0x7c363d44 | strstr |
| 789 | 0x7c3760ee | strtod |
| 790 | 0x7c390355 | strtok |
| 791 | 0x7c37633b | strtol |
| 792 | 0x7c376352 | strtoul |
| 793 | 0x7c390414 | strxfrm |
| 794 | 0x7c38b159 | swprintf |
| 795 | 0x7c38cd70 | swscanf |
| 796 | 0x7c380dad | system |
| 797 | 0x7c365748 | tan |
| 798 | 0x7c364fc4 | tanh |
| 799 | 0x7c391ddf | time |
| 800 | 0x7c38cf08 | tmpfile |
| 801 | 0x7c38ce4e | tmpnam |
| 802 | 0x7c373c84 | tolower |
| 803 | 0x7c375afa | toupper |
| 804 | 0x7c373b6a | towlower |
| 805 | 0x7c362b74 | towupper |
| 806 | 0x7c38d08e | ungetc |
| 807 | 0x7c38d1e9 | ungetwc |
| 808 | 0x7c38d22f | vfprintf |
| 809 | 0x7c38d28c | vfwprintf |
| 810 | 0x7c38d2e9 | vprintf |
| 811 | 0x7c38b4cb | vsprintf |
| 812 | 0x7c38b552 | vswprintf |
| 813 | 0x7c38d348 | vwprintf |
| 814 | 0x7c362679 | wcscat |
| 815 | 0x7c3721f8 | wcschr |
| 816 | 0x7c372060 | wcscmp |
| 817 | 0x7c3904c0 | wcscoll |
| 818 | 0x7c36265d | wcscpy |
| 819 | 0x7c390516 | wcscspn |
| 820 | 0x7c391e18 | wcsftime |
| 821 | 0x7c363127 | wcslen |
| 822 | 0x7c390559 | wcsncat |
| 823 | 0x7c390596 | wcsncmp |
| 824 | 0x7c362f9f | wcsncpy |
| 825 | 0x7c372092 | wcspbrk |
| 826 | 0x7c3905cb | wcsrchr |
| 827 | 0x7c3905fb | wcsspn |
| 828 | 0x7c390641 | wcsstr |
| 829 | 0x7c3763ca | wcstod |
| 830 | 0x7c39069f | wcstok |
| 831 | 0x7c376712 | wcstol |
| 832 | 0x7c3768ea | wcstombs |
| 833 | 0x7c376729 | wcstoul |
| 834 | 0x7c390744 | wcsxfrm |
| 835 | 0x7c373ae2 | wctomb |
| 836 | 0x7c38d3a7 | wprintf |
| 837 | 0x7c38d40d | wscanf |
投放文件
行为分析
互斥量(Mutexes)
- Local\MSCTF.Asm.MutexDefault1
执行的命令
无信息
创建的服务
无信息
启动的服务
无信息
进程
rundll32.exe PID: 2824, 上一级进程 PID: 444
访问的文件
- C:\Users\test\AppData\Local\Temp\msvcr71.dll
- C:\Users\test\AppData\Local\Temp\msvcr71.dll.123.Manifest
- C:\Users\test\AppData\Local\Temp\msvcr71.dll.124.Manifest
- C:\Users\test\AppData\Local\Temp\msvcr71.dll.2.Manifest
- C:\Windows\SysWOW64\rundll32.exe
- C:\Windows\Fonts\staticcache.dat
- \Device\KsecDD
- C:\Windows\Globalization\Sorting\sortdefault.nls
读取的文件
- C:\Users\test\AppData\Local\Temp\msvcr71.dll
- C:\Users\test\AppData\Local\Temp\msvcr71.dll.123.Manifest
- C:\Users\test\AppData\Local\Temp\msvcr71.dll.124.Manifest
- C:\Users\test\AppData\Local\Temp\msvcr71.dll.2.Manifest
- C:\Windows\SysWOW64\rundll32.exe
- C:\Windows\Fonts\staticcache.dat
- \Device\KsecDD
- C:\Windows\Globalization\Sorting\sortdefault.nls
修改的文件
无信息
删除的文件
无信息
注册表键
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\UseFilter
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\msvcr71.dll
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\WMR
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\\xe5\xbe\xae\xe8\xbd\xaf\xe9\x9b\x85\xe9\xbb\x91
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\rundll32.exe
- HKEY_LOCAL_MACHINE\Software\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{03B5835F-F03C-411B-9CE2-AA23E1171E36}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{07EB03D6-B001-41DF-9192-BF9B841EE71F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3697C5FA-60DD-4B56-92D4-74A569205C16}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3FC47A08-E5C9-4BCA-A2C7-BC9A282AED14}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{531FDEBF-9B4C-4A43-A2AA-960E8FCDC732}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{78CB5B0E-26ED-4FCC-854C-77E8F3D1AA80}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{81D4E9C9-1D3B-41BC-9E6C-4B40BF79E35E}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{8613E14C-D0C0-4161-AC0F-1DD2563286BC}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{A028AE76-01B1-46C2-99C4-ACD9858AE02F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{AE6BE008-07FB-400D-8BEB-337A64F7051F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{C1EE01F2-B3B6-4A6A-9DDD-E988C088EC82}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{E429B25A-E5D3-4D1F-9BE3-0C608477E3A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F25E9F57-2FC8-4EB3-A41A-CCE5F08541E6}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F89E9E58-BD2F-4008-9AC2-0F816C09F4EE}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{FA445657-9379-11D6-B41A-00065B83EE53}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_CURRENT_USER
- HKEY_CURRENT_USER\Keyboard Layout\Toggle
- HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
- HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
- HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
- HKEY_CURRENT_USER\Software\Microsoft\CTF\DirectSwitchHotkeys
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
- HKEY_CURRENT_USER\Software\Microsoft\CTF\LayoutIcon\0804\00000804
读取的注册表键
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\UseFilter
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\msvcr71.dll
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
- HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
- HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
- HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
修改的注册表键
无信息
删除的注册表键
无信息
API解析
- kernel32.dll.InitializeCriticalSectionAndSpinCount
- kernel32.dll.FlsAlloc
- kernel32.dll.FlsGetValue
- kernel32.dll.FlsSetValue
- kernel32.dll.FlsFree
- kernel32.dll.IsProcessorFeaturePresent
- gdi32.dll.GetLayout
- gdi32.dll.GdiRealizationInfo
- gdi32.dll.FontIsLinked
- advapi32.dll.RegOpenKeyExW
- advapi32.dll.RegQueryInfoKeyW
- gdi32.dll.GetTextFaceAliasW
- advapi32.dll.RegEnumValueW
- advapi32.dll.RegCloseKey
- advapi32.dll.RegQueryValueExW
- advapi32.dll.RegQueryValueExA
- advapi32.dll.RegEnumKeyExW
- uxtheme.dll.ThemeInitApiHook
- user32.dll.IsProcessDPIAware
- dwmapi.dll.DwmIsCompositionEnabled
- gdi32.dll.GdiIsMetaPrintDC
- ole32.dll.CoInitializeEx
- ole32.dll.CoUninitialize
- cryptbase.dll.SystemFunction036
- ole32.dll.CoRegisterInitializeSpy
- ole32.dll.CoRevokeInitializeSpy
- kernel32.dll.SortGetHandle
- kernel32.dll.SortCloseHandle
- ole32.dll.CoCreateInstance
- oleaut32.dll.SysAllocString
- oleaut32.dll.SysStringLen
- oleaut32.dll.SysFreeString