魔盾安全分析报告
| 分析类型 | 开始时间 | 结束时间 | 持续时间 | 分析引擎版本 |
|---|---|---|---|---|
| FILE | 2019-01-15 23:44:27 | 2019-01-15 23:47:04 | 157 秒 | 1.4-Maldun |
| 虚拟机机器名 | 标签 | 虚拟机管理 | 开机时间 | 关机时间 |
|---|---|---|---|---|
| win7-sp1-x64-hpdapp01-1 | win7-sp1-x64-hpdapp01-1 | KVM | 2019-01-15 23:44:40 | 2019-01-15 23:47:06 |
| 魔盾分数 |
|---|
10.0恶意的 |
文件详细信息
| 文件名 | XHJ-V15.exe |
|---|---|
| 文件大小 | 10161802 字节 |
| 文件类型 | PE32 executable (GUI) Intel 80386, for MS Windows |
| CRC32 | 28E4CEF2 |
| MD5 | c9855033ae829415b3c58e040af2c413 |
| SHA1 | b5387a24b960aeb22bc05668a59b7c01d1988053 |
| SHA256 | 84d530b12c194bc6ef84aa9015ef66a9063aeb50d0a9deeec053714749a33d40 |
| SHA512 | 1a96e96f7acdeff51b5404c9697ebf9f264ee2d1f89e35d918fe5a26d800453a228cac2bde9ba416be51dc4a0250e0fe3f96bdc1e8ea677994354c77b3789342 |
| Ssdeep | 196608:abXn+eU41LBjVnnlv1YFa4IhenFhAwd+XWiDGPxmWBJcbGw9PajelZX:abX+21tJnlv4a4B/4XWCGPUWTcNajAZX |
| PEiD | 无匹配 |
| Yara |
|
| VirusTotal | 无此文件扫描结果 |
特征
创建RWX内存
发起了一些HTTP请求
url: http://2018.ip138.com/ic.asp
url: http://www.mssmz.pw/app/XHJ_Free/control/connect/api.php
url: http://www.mssmz.pw/app/XHJ_Free/control/connect/api.php?token=30951342149285402642
url: http://www.mssmz.pw/app/XHJ_Free/program/XHJ-Client.rar
url: http://www.mssmz.pw/app/XHJ_Free/pak/pak_free.rar
url: http://www.mssmz.pw/app/XHJ_Free/control/ui/index.php
url: http://www.mssmz.pw/app/XHJ_Free/control/ui/layui/css/layui.css
url: http://www.mssmz.pw/app/XHJ_Free/control/ui/css/form.css
url: http://www.mssmz.pw/app/XHJ_Free/control/ui/css/shuibo.css
url: http://www.mssmz.pw/app/XHJ_Free/control/ui/layui/layui.js
url: http://www.mssmz.pw/app/XHJ_Free/control/ui/js/form.js
url: http://www.mssmz.pw/app/XHJ_Free/control/ui/js/pak.js
url: http://www.mssmz.pw/app/XHJ_Free/control/ui/js/shuibo.js
url: http://www.mssmz.pw/app/XHJ_Free/control/ui/images/pubg.png
url: http://www.mssmz.pw/app/XHJ_Free/control/ui/images/zxh.png
url: http://www.mssmz.pw/app/XHJ_Free/control/ui/images/guanbi.png
url: http://www.mssmz.pw/app/XHJ_Free/control/ui/layui/lay/modules/layer.js
url: http://www.mssmz.pw/app/XHJ_Free/control/ui/layui/css/modules/layer/default/layer.css?v=3.1.1
url: http://www.mssmz.pw/app/XHJ_Free/control/ui/layui/lay/modules/jquery.js
网络活动包含了一个以上的不重复的用户代理
Process: 5ce11b.tmp
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)
Process: 5ce0dc.tmp
User-Agent: Agent6124723
Process: 5ce0dc.tmp
User-Agent: Agent6212897
对一个无法找到的进程进行重复搜索,可能希望以startbrowser=1选项运行
从文件自身的二进制镜像中读取数据
self_read: process: XHJ-V15.exe, pid: 2440, offset: 0x0000d400, length: 0x009a3a8a
self_read: process: 5ce0dc.tmp, pid: 2544, offset: 0x00000000, length: 0x00871000
创建一个隐藏文件或系统文件
file: C:\Users\test\AppData\Local\Temp\5ce0dc.tmp
file: C:\Users\test\AppData\Local\Temp\5ce11b.tmp
魔盾安全Yara规则检测结果 - 安全告警
Informational: Detected Entropy signature
Informational: Detected Overlay signature
Informational: Detected Rich Signature
Informational: Create a new process
Warning: Affect private profile
Critical: Detects malicious behaviors from a small size app
Informational: Detected no presence of any attachment
Informational: Detected the presence of an or several images
Informational: Detected no presence of any url
Informational: Look for DES [sbox]
生成可疑网络流量,可能被用来进行恶意活动
signature: ET POLICY Unsupported/Fake Windows NT Version 5.0
尝试阻止沙箱线程以防止恶意行为被记录
对一些具体的运行中的进程呈现出兴趣
process: steamwebhelperr.exe
尝试断开连接或更改沙箱进程监控的Windows功能
unhook: function_name: NtProtectVirtualMemory, type: modification
运行截图
网络分析
访问主机记录
| 直接访问 | IP地址 | 国家名 |
|---|---|---|
| 否 | 120.41.45.215 | China |
| 否 | 47.74.245.159 | Canada |
域名解析
| 域名 | 响应 |
|---|---|
| localhost.ptlogin2.qq.com | A 127.0.0.1 |
| 2018.ip138.com | A 120.41.45.215 |
| www.mssmz.pw |
CNAME sing.cname.ltd
A 47.74.245.159 CNAME singer.vip.cname.ltd |
TCP连接
| IP地址 | 端口 |
|---|---|
| 120.41.45.215 | 80 |
| 47.74.245.159 | 80 |
| 47.74.245.159 | 80 |
| 47.74.245.159 | 80 |
| 47.74.245.159 | 80 |
| 47.74.245.159 | 80 |
| 47.74.245.159 | 80 |
| 47.74.245.159 | 80 |
| 47.74.245.159 | 80 |
| 47.74.245.159 | 80 |
| 47.74.245.159 | 80 |
| 47.74.245.159 | 80 |
| 47.74.245.159 | 80 |
| 47.74.245.159 | 80 |
| 47.74.245.159 | 80 |
| 47.74.245.159 | 80 |
| 47.74.245.159 | 80 |
| 47.74.245.159 | 80 |
UDP连接
| IP地址 | 端口 |
|---|---|
| 192.168.122.1 | 53 |
| 192.168.122.1 | 53 |
| 192.168.122.1 | 53 |
| 192.168.122.1 | 53 |
HTTP请求
| URL | HTTP数据 |
|---|---|
| http://2018.ip138.com/ic.asp | GET /ic.asp HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Accept: text/html, application/xhtml+xml, */* Accept-Encoding: gbk, GB2312 Accept-Language: zh-cn User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0) Host: 2018.ip138.com |
| http://www.mssmz.pw/app/XHJ_Free/control/connect/api.php | GET /app/XHJ_Free/control/connect/api.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: */* Accept-Language: zh-cn Referer: http://www.mssmz.pw/app/XHJ_Free/control/connect/api.php User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1) Host: www.mssmz.pw |
| http://www.mssmz.pw/app/XHJ_Free/control/connect/api.php?token=30951342149285402642 | GET /app/XHJ_Free/control/connect/api.php?token=30951342149285402642 HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: */* Accept-Language: zh-cn Referer: http://www.mssmz.pw/app/XHJ_Free/control/connect/api.php?token=30951342149285402642 User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1) Host: www.mssmz.pw |
| http://www.mssmz.pw/app/XHJ_Free/program/XHJ-Client.rar | GET /app/XHJ_Free/program/XHJ-Client.rar HTTP/1.1 Accept: */* Accept-Language: zh-cn Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0(compatible; MSIE 6.0; Windows NT 5.0; MyIE2; .NET CLR 1.1.4322) Range: bytes=0- Host: www.mssmz.pw Cache-Control: no-cache |
| http://www.mssmz.pw/app/XHJ_Free/pak/pak_free.rar | GET /app/XHJ_Free/pak/pak_free.rar HTTP/1.1 Accept: */* Accept-Language: zh-cn Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0(compatible; MSIE 6.0; Windows NT 5.0; MyIE2; .NET CLR 1.1.4322) Range: bytes=0- Host: www.mssmz.pw Cache-Control: no-cache |
| http://www.mssmz.pw/app/XHJ_Free/control/ui/index.php | GET /app/XHJ_Free/control/ui/index.php HTTP/1.1 Host: www.mssmz.pw Accept-Encoding: deflate, gzip, null Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: zh-cn User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.2171.99 Safari/537.36 |
| http://www.mssmz.pw/app/XHJ_Free/control/ui/layui/css/layui.css | GET /app/XHJ_Free/control/ui/layui/css/layui.css HTTP/1.1 Host: www.mssmz.pw Accept-Encoding: deflate, gzip, null Accept: text/css,*/*;q=0.1 Referer: http://www.mssmz.pw/app/XHJ_Free/control/ui/index.php Accept-Language: zh-cn User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.2171.99 Safari/537.36 |
| http://www.mssmz.pw/app/XHJ_Free/control/ui/css/form.css | GET /app/XHJ_Free/control/ui/css/form.css HTTP/1.1 Host: www.mssmz.pw Accept-Encoding: deflate, gzip, null Accept: text/css,*/*;q=0.1 Referer: http://www.mssmz.pw/app/XHJ_Free/control/ui/index.php Accept-Language: zh-cn User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.2171.99 Safari/537.36 |
| http://www.mssmz.pw/app/XHJ_Free/control/ui/css/shuibo.css | GET /app/XHJ_Free/control/ui/css/shuibo.css HTTP/1.1 Host: www.mssmz.pw Accept-Encoding: deflate, gzip, null Accept: text/css,*/*;q=0.1 Referer: http://www.mssmz.pw/app/XHJ_Free/control/ui/index.php Accept-Language: zh-cn User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.2171.99 Safari/537.36 |
| http://www.mssmz.pw/app/XHJ_Free/control/ui/layui/layui.js | GET /app/XHJ_Free/control/ui/layui/layui.js HTTP/1.1 Host: www.mssmz.pw Accept-Encoding: deflate, gzip, null Accept: */* Referer: http://www.mssmz.pw/app/XHJ_Free/control/ui/index.php Accept-Language: zh-cn User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.2171.99 Safari/537.36 |
| http://www.mssmz.pw/app/XHJ_Free/control/ui/js/form.js | GET /app/XHJ_Free/control/ui/js/form.js HTTP/1.1 Host: www.mssmz.pw Accept-Encoding: deflate, gzip, null Accept: */* Referer: http://www.mssmz.pw/app/XHJ_Free/control/ui/index.php Accept-Language: zh-cn User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.2171.99 Safari/537.36 |
| http://www.mssmz.pw/app/XHJ_Free/control/ui/js/pak.js | GET /app/XHJ_Free/control/ui/js/pak.js HTTP/1.1 Host: www.mssmz.pw Accept-Encoding: deflate, gzip, null Accept: */* Referer: http://www.mssmz.pw/app/XHJ_Free/control/ui/index.php Accept-Language: zh-cn User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.2171.99 Safari/537.36 |
| http://www.mssmz.pw/app/XHJ_Free/control/ui/js/shuibo.js | GET /app/XHJ_Free/control/ui/js/shuibo.js HTTP/1.1 Host: www.mssmz.pw Accept-Encoding: deflate, gzip, null Accept: */* Referer: http://www.mssmz.pw/app/XHJ_Free/control/ui/index.php Accept-Language: zh-cn User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.2171.99 Safari/537.36 |
| http://www.mssmz.pw/app/XHJ_Free/control/ui/images/pubg.png | GET /app/XHJ_Free/control/ui/images/pubg.png HTTP/1.1 Host: www.mssmz.pw Accept: */* Accept-Encoding: deflate, gzip, null Accept-Language: zh-cn Referer: http://www.mssmz.pw/app/XHJ_Free/control/ui/css/form.css User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.2171.99 Safari/537.36 |
| http://www.mssmz.pw/app/XHJ_Free/control/ui/images/zxh.png | GET /app/XHJ_Free/control/ui/images/zxh.png HTTP/1.1 Host: www.mssmz.pw Accept: */* Accept-Encoding: deflate, gzip, null Accept-Language: zh-cn Referer: http://www.mssmz.pw/app/XHJ_Free/control/ui/css/form.css User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.2171.99 Safari/537.36 |
| http://www.mssmz.pw/app/XHJ_Free/control/ui/images/guanbi.png | GET /app/XHJ_Free/control/ui/images/guanbi.png HTTP/1.1 Host: www.mssmz.pw Accept: */* Accept-Encoding: deflate, gzip, null Accept-Language: zh-cn Referer: http://www.mssmz.pw/app/XHJ_Free/control/ui/css/form.css User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.2171.99 Safari/537.36 |
| http://www.mssmz.pw/app/XHJ_Free/control/ui/layui/lay/modules/layer.js | GET /app/XHJ_Free/control/ui/layui/lay/modules/layer.js HTTP/1.1 Host: www.mssmz.pw Accept-Encoding: deflate, gzip, null Accept: */* Referer: http://www.mssmz.pw/app/XHJ_Free/control/ui/index.php Accept-Language: zh-cn User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.2171.99 Safari/537.36 |
| http://www.mssmz.pw/app/XHJ_Free/control/ui/layui/css/modules/layer/default/layer.css?v=3.1.1 | GET /app/XHJ_Free/control/ui/layui/css/modules/layer/default/layer.css?v=3.1.1 HTTP/1.1 Host: www.mssmz.pw Accept-Encoding: deflate, gzip, null Accept: text/css,*/*;q=0.1 Referer: http://www.mssmz.pw/app/XHJ_Free/control/ui/index.php Accept-Language: zh-cn User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.2171.99 Safari/537.36 |
| http://www.mssmz.pw/app/XHJ_Free/control/ui/layui/lay/modules/jquery.js | GET /app/XHJ_Free/control/ui/layui/lay/modules/jquery.js HTTP/1.1 Host: www.mssmz.pw Accept-Encoding: deflate, gzip, null Accept: */* Referer: http://www.mssmz.pw/app/XHJ_Free/control/ui/index.php Accept-Language: zh-cn User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.2171.99 Safari/537.36 |
静态分析
PE 信息
| 初始地址 | 0x00400000 |
|---|---|
| 入口地址 | 0x00401b90 |
| 声明校验值 | 0x00000000 |
| 实际校验值 | 0x009b3590 |
| 最低操作系统版本要求 | 4.0 |
| 编译时间 | 2013-06-09 12:25:37 |
| 载入哈希 | 82bda8502023c6a780a99a89a90a3713 |
版本信息
| LegalCopyright: | \u4f5c\u8005\u7248\u6743\u6240\u6709 \u8bf7\u5c0a\u91cd\u5e76\u4f7f\u7528\u6b63\u7248 |
| InternalName: | XHJ-\u4e91\u5ba2\u6237\u7aef |
| FileVersion: | 3.8.3.0 |
| CompanyName: | 3.8.3.0 |
| ProductName: | XHJ-3.8.3 |
| ProductVersion: | 3.8.3.0 |
| FileDescription: | XHJ-\u4e91\u5ba2\u6237\u7aef |
| OriginalFilename: | \u4f5c\u8005\u7248\u6743\u6240\u6709 \u8bf7\u5c0a\u91cd\u5e76\u4f7f\u7528\u6b63\u7248 |
| Translation: | 0x0804 0x04b0 |
PE数据组成
| 名称 | 虚拟地址 | 虚拟大小 | 原始数据大小 | 特征 | 熵(Entropy) |
|---|---|---|---|---|---|
| .text | 0x00001000 | 0x000071d0 | 0x00007200 | IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ | 6.51 |
| .rdata | 0x00009000 | 0x0000111c | 0x00001200 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 4.52 |
| .data | 0x0000b000 | 0x0000e6e5 | 0x00002200 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE | 3.22 |
| .rsrc | 0x0001a000 | 0x00002964 | 0x00002a00 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 4.97 |
覆盖
| 偏移量: | 0x0001c964 |
| 大小: | 0x00994526 |
导入
库 KERNEL32.dll:
• 0x409000 - HeapAlloc
• 0x409004 - HeapReAlloc
• 0x409008 - HeapFree
• 0x40900c - IsBadReadPtr
• 0x409010 - GetModuleFileNameA
• 0x409014 - CreateFileA
• 0x409018 - GetFileSize
• 0x40901c - SetFilePointer
• 0x409020 - ReadFile
• 0x409024 - GetTickCount
• 0x409028 - GetTempPathA
• 0x40902c - CloseHandle
• 0x409030 - ExitProcess
• 0x409034 - SetFileAttributesA
• 0x409038 - DeleteFileA
• 0x40903c - WaitForSingleObject
• 0x409040 - CreateProcessA
• 0x409044 - GetStartupInfoA
• 0x409048 - GetCommandLineA
• 0x40904c - DeleteCriticalSection
• 0x409050 - GetModuleHandleA
• 0x409054 - CreateThread
• 0x409058 - WriteFile
• 0x40905c - GetProcessHeap
库 USER32.dll:
• 0x40908c - PeekMessageA
• 0x409090 - TranslateMessage
• 0x409094 - DispatchMessageA
• 0x409098 - wsprintfA
• 0x40909c - MessageBoxA
• 0x4090a0 - GetMessageA
库 MSVCRT.dll:
• 0x409064 - strrchr
• 0x409068 - _ftol
• 0x40906c - malloc
• 0x409070 - free
• 0x409074 - calloc
• 0x409078 - ??2@YAPAXI@Z
• 0x40907c - ??3@YAXPAX@Z
库 SHLWAPI.dll:
• 0x409084 - PathFileExistsA
投放文件
XHJ-Client.rar
| 文件名 | XHJ-Client.rar |
|---|---|
| 相关文件 |
|
| 文件大小 | 1058822 bytes |
| 文件类型 | RAR archive data, v1d, os: Win32 |
| MD5 | d92bb9c4ac2a73d9886312ebd2a613c5 |
| SHA1 | 2745a357cb49ef89cfbb0961737fab121e6dbe29 |
| SHA256 | 9e33eae5f5bcfa0fdfcb44401bf957931ab7e7b7b685a008312f7c3f109e6cec |
| SHA512 | e7a4c3a21b984f42cee5722ce51da5aef5b4e44f05adb5eeb364dc30f1fdd4a6c94442c7a6f77a5372ae20dd50517e515da7832d621f929f6fe550903a9f9370 |
| Ssdeep | 12288:T/LkOqEdHngEXYlMhZQnY/5PmWQKM37DnYRbSZVtVMna8xZP46XOcqqlOTcZbhLX:zLqEdjox5DY1WVDsHa6r8Tyb4goA |
| VirusTotal | 搜索相关分析 |
temporaryfile
| 文件名 | temporaryfile |
|---|---|
| 相关文件 |
|
| 文件大小 | 1379328 bytes |
| 文件类型 | PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed |
| MD5 | 28405b17acd506845c6ec1683c1db681 |
| SHA1 | 679dd49b72d59feb454d5ce7b3c6e9fb4f59824a |
| SHA256 | 5d3a3799f1488a919a1104a9bae6d743ad51f348e1eb49a8bdd3554ac7a3bc38 |
| SHA512 | 1ea6c0c5435a36e2746219f5f17121f56ae6308c7ee754fe65fc32beb9abb971355f62176ff95e52342699df68808106b47783c8ae7023e74b60fc1466b8cf56 |
| Ssdeep | 24576:bFSgCo4HndybLZIOGRA1R0y9u+CW4t800PYONDGh7Ca+fCud:bFyo4H0bSBAP59u+s0tDCf+fDd |
| VirusTotal | 搜索相关分析 |
node.RAR
| 文件名 | node.RAR |
|---|---|
| 相关文件 |
|
| 文件大小 | 5511713 bytes |
| 文件类型 | RAR archive data, v87, flags: Archive volume, Locked, Solid, |
| MD5 | 21b0ecdd0d4d06f90698bfcf7f1d8ad4 |
| SHA1 | d8246ced08b187ee655522445928e15077a13362 |
| SHA256 | cc303edefa6a7da2a2b58f3313febc067434e2aef019636eab794b942ad5c480 |
| SHA512 | 87fd8d6e7450b99098765e2089b073ce0e8373654e8b14b7663ca05d0674318fe3a906a4ce4f1a05b780a6eb5d96e68422b9a3934959969bee9724498cd636e0 |
| Ssdeep | 98304:sfuk0THsg+qhVYBqjVYqJjiKugyyVXkFlMqoV5GDaJRlhHH82N1TahYJ1f41cutk:sfljKhKq5HxZVUEpV5GD0NHv12hiEt3U |
| VirusTotal | 搜索相关分析 |
行为分析
互斥量(Mutexes)
- Local\MSCTF.Asm.MutexDefault1
- DBWinMutex
- 3D72E324-3CE0-459d-813C-A646E5C0F2ED
执行的命令
- C:\Users\test\AppData\Local\Temp\5ce11b.tmp
- C:\Users\test\AppData\Local\Temp\5ce0dc.tmp
- C:\Users\test\AppData\Local\Temp\steamwebhelperr.exe
- C:\Users\test\AppData\Local\Temp\XHJ-Client.exe 4A55484A484E53444A232424255E262A282324255E262A28223A7B3E7C7D3E4C3C3E3E3C7B3C3E3A4C736164736164736164617364
创建的服务
无信息
启动的服务
无信息
进程
XHJ-V15.exe PID: 2440, 上一级进程 PID: 2296
5ce11b.tmp PID: 2516, 上一级进程 PID: 2440
5ce0dc.tmp PID: 2544, 上一级进程 PID: 2440
XHJ-Client.exe PID: 2948, 上一级进程 PID: 2544
steamwebhelperr.exe PID: 1640, 上一级进程 PID: 2516
访问的文件
- C:\Users\test\AppData\Local\Temp\XHJ-V15.exe
- C:\Users\test\AppData\Local\Temp\5ce0dc.tmp
- C:\Users\test\AppData\Local\Temp\5ce11b.tmp
- C:\Windows\Globalization\Sorting\sortdefault.nls
- C:\Users\test\AppData\Local\Temp\kernel32.dll
- C:\Users\test\AppData\Local\Temp\6087703
- C:\Users\test\AppData\Local\Temp\6087703\....\
- C:\Users\test\AppData\Local\Temp\6087703\....\TemporaryFile
- C:\Users\test\AppData\Local\Temp\6087703\TemporaryFile
- C:\Users\test\AppData\Local\Temp\6087703\*.*
- C:\Users\test\AppData\Local\Temp\6087703\TemporaryFile\*.*
- C:\Users\test\AppData\Local\Temp\6087703\TemporaryFile\TemporaryFile
- C:\Users\test\AppData\Local\Temp\kernel32.DLL
- C:\Users\test\AppData\Local\Temp\ole32.dll
- C:\Users\test\AppData\Local\Temp\wininet.dll
- C:\Windows\SysWOW64\stdole2.tlb
- C:\Users\test\AppData\Local\Temp\Winhttp.dll
- C:\Users\test\AppData\Local\Temp\user32.DLL
- C:\
- C:\Users\test\AppData\Local\Temp\steamwebhelperr.exe
- C:\Users
- C:\Users\test
- C:\Users\test\AppData
- C:\Users\test\AppData\Local
- C:\Users\test\AppData\Local\Temp
- C:\Users\test\AppData\Local\Temp\5ce0dc.CHS
- C:\Users\test\AppData\Local\Temp\5ce0dc.CHS.DLL
- C:\Users\test\AppData\Local\Temp\5ce0dc.CH
- C:\Users\test\AppData\Local\Temp\5ce0dc.CH.DLL
- C:\Users\test\AppData\Local\Temp\gdiplus.dll
- C:\Users\test\AppData\Local\Temp\5ce0dc.tmp.Local\
- C:\Windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80
- C:\Windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\GdiPlus.dll
- C:\Users\test\AppData\Local\Temp\XHJ_Free_Pak.rar
- C:\Users\test\AppData\Local\Temp\XHJ-Client.rar
- C:\Users\test\AppData\Local\Temp\user32.dll
- C:\Users\test\AppData\Local\Temp\advpack.dll
- C:\Windows\System32\winhttp.dll
- C:\Users\test\AppData\Local\Temp\gdi32.DLL
- C:\Users\test\AppData\Local\Temp\GdiPlus.dll
- C:\Windows\Fonts\staticcache.dat
- C:\Users\test\AppData\Local\Temp\Kernel32.dll
- C:\Users\test\AppData\Local\Temp\Wininet.dll
- C:\Windows\System32\unrar.dll
- C:\Users\test\AppData\Local\Temp\Shlwapi.dll
- C:\Users\test\AppData\Local\Temp\unrar.dll
- \Device\KsecDD
- C:\Users\test\AppData\Local\Temp\XHJ-Client.exe
- C:\Users\test\AppData\Local\Temp\node.RAR
- C:\Users\test\AppData\Local\Temp\node.dll
- C:\Users\test\AppData\Local\Temp\Tips.mp3
- C:\Users\test\AppData\Local\Temp\ok.mp3
- \??\MountPointManager
- C:\Users\test\AppData\Local\Temp\XHJ-Client.CHS
- C:\Users\test\AppData\Local\Temp\XHJ-Client.CHS.DLL
- C:\Users\test\AppData\Local\Temp\XHJ-Client.CH
- C:\Users\test\AppData\Local\Temp\XHJ-Client.CH.DLL
- C:\Users\test\AppData\Local\Temp\ntdll.dll
- C:\Users\test\Documents\XHJ\path.ini
- C:\Users\test\Documents\XHJ\PakList.json
- C:\Users\test\AppData\Local\Temp\msvcp60.dll
- C:\Windows\System32\msvcp60.dll
- C:\Users\test\AppData\Local\Temp\Plugins\*
- C:\Program Files (x86)\Adobe\Reader 11.0\Reader\Browser\*
- C:\Program Files (x86)\Mozilla Firefox\plugins\*
- C:\PFiles\Plugins\*
- C:\Program Files (x86)\Windows Media Player\*
- C:\Windows\System32\Macromed\Flash\*
- C:\Windows\System32\Macromed\Shockwave 10\*
- C:\Windows\System32\Macromed\Flash\NPSWF32_20_0_0_286.dll
- C:\Program Files (x86)\Java\jre1.8.0_121\bin\dtplugin\npDeployJava1.dll
- C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll
- C:\Program Files (x86)\Java\jre1.8.0_121\bin\plugin2\npjp2.dll
- C:\Program Files (x86)\Microsoft Office\Office14\NPSPWRAP.DLL
- C:\Program Files (x86)\Microsoft Office\Office14\NPAUTHZ.DLL
- C:\Program Files (x86)\Adobe\Reader 11.0\Reader\Browser\nppdf32.dll
- C:\Users\test\AppData\Local\Google\Update\1.3.21.115\npGoogleUpdate3.dll
- C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_20_0_0_286.dll
- C:\Windows\System32\itruscert\NPComBrg701.dll
- C:\Users\test\AppData\Local\Temp\
- C:\usr\local\ssl\openssl.cnf
- C:\Users\test\AppData\Local\Temp\cookies.dat
- C:\Users\test\AppData\Local\Temp\gdi32.dll
- C:\Windows\System32\114818047.dll
- C:\Users\test\AppData\Local\Temp\steamwebhelperr.exe.Local\
- C:\Windows\winsxs\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.7600.16385_zh-cn_b7a33d2d3f47b7fb
- C:\Windows\winsxs\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.7600.16385_zh-cn_b7a33d2d3f47b7fb\COMCTL32.dll.mui
读取的文件
- C:\Users\test\AppData\Local\Temp\XHJ-V15.exe
- C:\Windows\Globalization\Sorting\sortdefault.nls
- C:\Users\test\AppData\Local\Temp\5ce11b.tmp
- C:\Users\test\AppData\Local\Temp\6087703\....\
- C:\Windows\SysWOW64\stdole2.tlb
- C:\Users\test\AppData\Local\Temp\5ce0dc.tmp
- C:\Windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\GdiPlus.dll
- C:\Windows\System32\winhttp.dll
- C:\Windows\Fonts\staticcache.dat
- C:\Users\test\AppData\Local\Temp\XHJ-Client.rar
- \Device\KsecDD
- C:\Users\test\AppData\Local\Temp\node.RAR
- C:\Users\test\Documents\XHJ\path.ini
- C:\Users\test\AppData\Local\Temp\node.dll
- C:\Windows\System32\msvcp60.dll
- C:\usr\local\ssl\openssl.cnf
- C:\Users\test\AppData\Local\Temp\cookies.dat
- C:\Windows\winsxs\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.7600.16385_zh-cn_b7a33d2d3f47b7fb\COMCTL32.dll.mui
修改的文件
- C:\Users\test\AppData\Local\Temp\5ce0dc.tmp
- C:\Users\test\AppData\Local\Temp\5ce11b.tmp
- C:\Users\test\AppData\Local\Temp\6087703\....\TemporaryFile
- C:\Users\test\AppData\Local\Temp\6087703\TemporaryFile
- C:\Users\test\AppData\Local\Temp\steamwebhelperr.exe
- C:\Users\test\AppData\Local\Temp\XHJ-Client.rar
- C:\Users\test\AppData\Local\Temp\XHJ_Free_Pak.rar
- C:\Windows\System32\unrar.dll
- C:\Users\test\AppData\Local\Temp\XHJ-Client.exe
- C:\Users\test\AppData\Local\Temp\node.RAR
- C:\Users\test\AppData\Local\Temp\node.dll
- C:\Users\test\AppData\Local\Temp\Tips.mp3
- C:\Users\test\AppData\Local\Temp\ok.mp3
- C:\Windows\System32\114818047.dll
删除的文件
- C:\Users\test\AppData\Local\Temp\6087703\TemporaryFile\TemporaryFile
- C:\Users\test\AppData\Local\Temp\6087703\TemporaryFile
- C:\Users\test\AppData\Local\Temp\6087703
- C:\Users\test\AppData\Local\Temp\XHJ_Free_Pak.rar
- C:\Users\test\AppData\Local\Temp\XHJ-Client.rar
- C:\Users\test\AppData\Local\Temp\unrar.dll
- C:\Users\test\AppData\Local\Temp\node.RAR
注册表键
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\ExtendedLocale
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
- HKEY_CURRENT_USER\Software\Classes
- HKEY_CURRENT_USER\Software\Classes\TypeLib
- HKEY_CURRENT_USER\Software\Classes\TypeLib\{00020430-0000-0000-C000-000000000046}
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0\win32
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0\win32\(Default)
- HKEY_CURRENT_USER\Software\Borland\Locales
- HKEY_CURRENT_USER\Software\Borland\Locales\C:\Users\test\AppData\Local\Temp\5ce0dc.tmp
- HKEY_CURRENT_USER\Software\Borland\Locales\(Default)
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\5ce0dc.tmp
- HKEY_LOCAL_MACHINE\Software\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{03B5835F-F03C-411B-9CE2-AA23E1171E36}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{07EB03D6-B001-41DF-9192-BF9B841EE71F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3697C5FA-60DD-4B56-92D4-74A569205C16}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3FC47A08-E5C9-4BCA-A2C7-BC9A282AED14}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{531FDEBF-9B4C-4A43-A2AA-960E8FCDC732}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{78CB5B0E-26ED-4FCC-854C-77E8F3D1AA80}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{81D4E9C9-1D3B-41BC-9E6C-4B40BF79E35E}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{8613E14C-D0C0-4161-AC0F-1DD2563286BC}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{A028AE76-01B1-46C2-99C4-ACD9858AE02F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{AE6BE008-07FB-400D-8BEB-337A64F7051F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{C1EE01F2-B3B6-4A6A-9DDD-E988C088EC82}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{E429B25A-E5D3-4D1F-9BE3-0C608477E3A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F25E9F57-2FC8-4EB3-A41A-CCE5F08541E6}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F89E9E58-BD2F-4008-9AC2-0F816C09F4EE}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_CURRENT_USER
- HKEY_CURRENT_USER\Keyboard Layout\Toggle
- HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
- HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
- HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
- HKEY_CURRENT_USER\Software\Microsoft\CTF\DirectSwitchHotkeys
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\KnownClasses
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp\Tracing
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp\Tracing\Enabled
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ShareCredsWithWinHttp
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp\DisableBranchCache
- HKEY_CLASSES_ROOT\CLSID\{FAE3D380-FEA4-4623-8C75-C6B61110B681}\Instance
- HKEY_CLASSES_ROOT\CLSID\{FAE3D380-FEA4-4623-8C75-C6B61110B681}\Instance\Disabled
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Fixedsys
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\\xe5\xbe\xae\xe8\xbd\xaf\xe9\x9b\x85\xe9\xbb\x91
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Time Zones\China Standard Time\Dynamic DST
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Applications\5ce0dc.tmp
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{372941a3-1bd9-11e5-9838-806e6f6e6963}\
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{372941a3-1bd9-11e5-9838-806e6f6e6963}\Data
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{372941a3-1bd9-11e5-9838-806e6f6e6963}\Generation
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{372941a4-1bd9-11e5-9838-806e6f6e6963}\
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{372941a4-1bd9-11e5-9838-806e6f6e6963}\Data
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{372941a4-1bd9-11e5-9838-806e6f6e6963}\Generation
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
- HKEY_CURRENT_USER\Software\Borland\Locales\C:\Users\test\AppData\Local\Temp\XHJ-Client.exe
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide
- HKEY_LOCAL_MACHINE\Software\Adobe\Acrobat Reader
- HKEY_LOCAL_MACHINE\Software\Adobe\Acrobat Reader\11.0\InstallPath
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Adobe\Acrobat Reader\11.0\InstallPath\(Default)
- HKEY_LOCAL_MACHINE\Software\Mozilla
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Mozilla\Firefox\Extensions
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Mozilla\Mozilla Firefox\Extensions
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Mozilla\Mozilla Firefox 10.0.9\Extensions
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Mozilla\Mozilla Firefox 10.0.9\extensions\Plugins
- HKEY_LOCAL_MACHINE\Software\Microsoft\MediaPlayer
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\MediaPlayer\Installation Directory
- HKEY_LOCAL_MACHINE\Software\MozillaPlugins
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\MozillaPlugins\@adobe.com/FlashPlayer
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\MozillaPlugins\@adobe.com/FlashPlayer\Path
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\MozillaPlugins\@alipay.com/NPComBrg701,version=1.0.2011.701
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\MozillaPlugins\@alipay.com/NPComBrg701,version=1.0.2011.701\Path
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\MozillaPlugins\@java.com/DTPlugin,version=11.121.2
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\MozillaPlugins\@java.com/DTPlugin,version=11.121.2\Path
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\MozillaPlugins\@java.com/JavaPlugin,version=11.121.2
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\MozillaPlugins\@java.com/JavaPlugin,version=11.121.2\Path
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\MozillaPlugins\@microsoft.com/OfficeAuthz,version=14.0
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\MozillaPlugins\@microsoft.com/OfficeAuthz,version=14.0\Path
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\MozillaPlugins\@microsoft.com/SharePoint,version=14.0
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\MozillaPlugins\@microsoft.com/SharePoint,version=14.0\Path
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\MozillaPlugins\Adobe Reader
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\MozillaPlugins\Adobe Reader\Path
- HKEY_CURRENT_USER\Software\MozillaPlugins
- HKEY_CURRENT_USER\Software\MozillaPlugins\@tools.google.com/Google Update;version=3
- HKEY_CURRENT_USER\Software\MozillaPlugins\@tools.google.com/Google Update;version=3\Path
- HKEY_CURRENT_USER\Software\MozillaPlugins\@tools.google.com/Google Update;version=9
- HKEY_CURRENT_USER\Software\MozillaPlugins\@tools.google.com/Google Update;version=9\Path
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane1
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane2
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane3
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane4
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane5
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane6
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane7
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane8
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane9
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane10
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane11
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane12
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane13
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane14
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane15
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane16
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\XHJ-Client.exe
- HKEY_CURRENT_USER\Software\Microsoft\CTF\LayoutIcon\0804\00000804
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\WMR
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\steamwebhelperr.exe
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Wingdings
- HKEY_CURRENT_USER\Software\Valve\Steam
读取的注册表键
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0\win32\(Default)
- HKEY_CURRENT_USER\Software\Borland\Locales\C:\Users\test\AppData\Local\Temp\5ce0dc.tmp
- HKEY_CURRENT_USER\Software\Borland\Locales\(Default)
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
- HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
- HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
- HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp\Tracing\Enabled
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ShareCredsWithWinHttp
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp\DisableBranchCache
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{372941a3-1bd9-11e5-9838-806e6f6e6963}\Data
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{372941a3-1bd9-11e5-9838-806e6f6e6963}\Generation
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{372941a4-1bd9-11e5-9838-806e6f6e6963}\Data
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{372941a4-1bd9-11e5-9838-806e6f6e6963}\Generation
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
- HKEY_CURRENT_USER\Software\Borland\Locales\C:\Users\test\AppData\Local\Temp\XHJ-Client.exe
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Adobe\Acrobat Reader\11.0\InstallPath\(Default)
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Mozilla\Mozilla Firefox 10.0.9\extensions\Plugins
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\MediaPlayer\Installation Directory
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\MozillaPlugins\@adobe.com/FlashPlayer\Path
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\MozillaPlugins\@alipay.com/NPComBrg701,version=1.0.2011.701\Path
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\MozillaPlugins\@java.com/DTPlugin,version=11.121.2\Path
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\MozillaPlugins\@java.com/JavaPlugin,version=11.121.2\Path
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\MozillaPlugins\@microsoft.com/OfficeAuthz,version=14.0\Path
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\MozillaPlugins\@microsoft.com/SharePoint,version=14.0\Path
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\MozillaPlugins\Adobe Reader\Path
- HKEY_CURRENT_USER\Software\MozillaPlugins\@tools.google.com/Google Update;version=3\Path
- HKEY_CURRENT_USER\Software\MozillaPlugins\@tools.google.com/Google Update;version=9\Path
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane1
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane2
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane3
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane4
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane5
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane6
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane7
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane8
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane9
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane10
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane11
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane12
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane13
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane14
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane15
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane16
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
修改的注册表键
无信息
删除的注册表键
无信息
API解析
- kernel32.dll.TerminateProcess
- kernel32.dll.OpenProcess
- kernel32.dll.GetWindowsDirectoryA
- kernel32.dll.GetSystemDirectoryA
- kernel32.dll.MultiByteToWideChar
- kernel32.dll.SetLastError
- kernel32.dll.GetTimeZoneInformation
- kernel32.dll.GetVersion
- kernel32.dll.GetCurrentProcess
- kernel32.dll.TerminateThread
- kernel32.dll.CreateMutexA
- kernel32.dll.ReleaseMutex
- kernel32.dll.SuspendThread
- kernel32.dll.UnhandledExceptionFilter
- kernel32.dll.GetACP
- kernel32.dll.HeapSize
- kernel32.dll.RaiseException
- kernel32.dll.GetLocalTime
- kernel32.dll.GetSystemTime
- kernel32.dll.RtlUnwind
- kernel32.dll.GetStartupInfoA
- kernel32.dll.GetOEMCP
- kernel32.dll.GetCPInfo
- kernel32.dll.GetProcessVersion
- kernel32.dll.SetErrorMode
- kernel32.dll.GlobalFlags
- kernel32.dll.GetCurrentThread
- kernel32.dll.GetFileTime
- kernel32.dll.TlsGetValue
- kernel32.dll.LocalReAlloc
- kernel32.dll.TlsSetValue
- kernel32.dll.TlsFree
- kernel32.dll.GlobalHandle
- kernel32.dll.TlsAlloc
- kernel32.dll.LocalAlloc
- kernel32.dll.lstrcmpA
- kernel32.dll.GlobalGetAtomNameA
- kernel32.dll.GlobalAddAtomA
- kernel32.dll.GlobalFindAtomA
- kernel32.dll.GlobalDeleteAtom
- kernel32.dll.lstrcmpiA
- kernel32.dll.SetEndOfFile
- kernel32.dll.UnlockFile
- kernel32.dll.LockFile
- kernel32.dll.FlushFileBuffers
- kernel32.dll.DuplicateHandle
- kernel32.dll.lstrcpynA
- kernel32.dll.FileTimeToLocalFileTime
- kernel32.dll.FileTimeToSystemTime
- kernel32.dll.LocalFree
- kernel32.dll.InterlockedDecrement
- kernel32.dll.InterlockedIncrement
- kernel32.dll.GetFileSize
- kernel32.dll.SetFilePointer
- kernel32.dll.CreateToolhelp32Snapshot
- kernel32.dll.Process32First
- kernel32.dll.Process32Next
- kernel32.dll.CreateSemaphoreA
- kernel32.dll.ResumeThread
- kernel32.dll.ReleaseSemaphore
- kernel32.dll.EnterCriticalSection
- kernel32.dll.LeaveCriticalSection
- kernel32.dll.GetProfileStringA
- kernel32.dll.WriteFile
- kernel32.dll.WaitForMultipleObjects
- kernel32.dll.CreateFileA
- kernel32.dll.SetEvent
- kernel32.dll.FindResourceA
- kernel32.dll.LoadResource
- kernel32.dll.LockResource
- kernel32.dll.ReadFile
- kernel32.dll.lstrlenW
- kernel32.dll.RemoveDirectoryA
- kernel32.dll.GetModuleFileNameA
- kernel32.dll.GetCurrentThreadId
- kernel32.dll.ExitProcess
- kernel32.dll.GlobalSize
- kernel32.dll.GlobalFree
- kernel32.dll.DeleteCriticalSection
- kernel32.dll.InitializeCriticalSection
- kernel32.dll.lstrcatA
- kernel32.dll.lstrlenA
- kernel32.dll.WinExec
- kernel32.dll.lstrcpyA
- kernel32.dll.FindNextFileA
- kernel32.dll.InterlockedExchange
- kernel32.dll.GlobalReAlloc
- kernel32.dll.HeapFree
- kernel32.dll.HeapReAlloc
- kernel32.dll.GetProcessHeap
- kernel32.dll.HeapAlloc
- kernel32.dll.GetUserDefaultLCID
- kernel32.dll.GetFullPathNameA
- kernel32.dll.FreeLibrary
- kernel32.dll.LoadLibraryA
- kernel32.dll.GetLastError
- kernel32.dll.GetVersionExA
- kernel32.dll.WritePrivateProfileStringA
- kernel32.dll.CreateThread
- kernel32.dll.CreateEventA
- kernel32.dll.Sleep
- kernel32.dll.GlobalAlloc
- kernel32.dll.GlobalLock
- kernel32.dll.GlobalUnlock
- kernel32.dll.GetTempPathA
- kernel32.dll.FindFirstFileA
- kernel32.dll.FindClose
- kernel32.dll.GetFileAttributesA
- kernel32.dll.DeleteFileA
- kernel32.dll.SetCurrentDirectoryA
- kernel32.dll.GetVolumeInformationA
- kernel32.dll.GetModuleHandleA
- kernel32.dll.GetProcAddress
- kernel32.dll.MulDiv
- kernel32.dll.GetCommandLineA
- kernel32.dll.GetTickCount
- kernel32.dll.CreateProcessA
- kernel32.dll.WaitForSingleObject
- kernel32.dll.CloseHandle
- kernel32.dll.FreeEnvironmentStringsA
- kernel32.dll.FreeEnvironmentStringsW
- kernel32.dll.GetEnvironmentStrings
- kernel32.dll.GetEnvironmentStringsW
- kernel32.dll.SetHandleCount
- kernel32.dll.GetStdHandle
- kernel32.dll.GetFileType
- kernel32.dll.GetEnvironmentVariableA
- kernel32.dll.HeapDestroy
- kernel32.dll.HeapCreate
- kernel32.dll.VirtualFree
- kernel32.dll.SetEnvironmentVariableA
- kernel32.dll.LCMapStringA
- kernel32.dll.LCMapStringW
- kernel32.dll.VirtualAlloc
- kernel32.dll.IsBadWritePtr
- kernel32.dll.SetUnhandledExceptionFilter
- kernel32.dll.GetStringTypeA
- kernel32.dll.GetStringTypeW
- kernel32.dll.CompareStringA
- kernel32.dll.CompareStringW
- kernel32.dll.IsBadReadPtr
- kernel32.dll.IsBadCodePtr
- kernel32.dll.SetStdHandle
- kernel32.dll.WideCharToMultiByte
- advapi32.dll.RegOpenKeyExA
- advapi32.dll.RegSetValueExA
- advapi32.dll.RegQueryValueA
- advapi32.dll.RegCreateKeyExA
- advapi32.dll.RegCloseKey
- comctl32.dll.#17
- comctl32.dll.ImageList_Destroy
- comdlg32.dll.ChooseColorA
- comdlg32.dll.GetFileTitleA
- comdlg32.dll.GetSaveFileNameA
- comdlg32.dll.GetOpenFileNameA
- gdi32.dll.GetViewportExtEx
- gdi32.dll.ExtSelectClipRgn
- gdi32.dll.LineTo
- gdi32.dll.MoveToEx
- gdi32.dll.ExcludeClipRect
- gdi32.dll.GetClipBox
- gdi32.dll.ScaleWindowExtEx
- gdi32.dll.SetWindowExtEx
- gdi32.dll.EndDoc
- gdi32.dll.DeleteDC
- gdi32.dll.StartDocA
- gdi32.dll.StartPage
- gdi32.dll.BitBlt
- gdi32.dll.CreateCompatibleDC
- gdi32.dll.Ellipse
- gdi32.dll.Rectangle
- gdi32.dll.LPtoDP
- gdi32.dll.PtVisible
- gdi32.dll.GetCurrentObject
- gdi32.dll.RoundRect
- gdi32.dll.GetTextExtentPoint32A
- gdi32.dll.GetDeviceCaps
- gdi32.dll.StretchBlt
- gdi32.dll.CreatePalette
- gdi32.dll.GetSystemPaletteEntries
- gdi32.dll.CreateDIBitmap
- gdi32.dll.DeleteObject
- gdi32.dll.SelectClipRgn
- gdi32.dll.CreatePolygonRgn
- gdi32.dll.GetClipRgn
- gdi32.dll.SetStretchBltMode
- gdi32.dll.CreateRectRgnIndirect
- gdi32.dll.SetBkColor
- gdi32.dll.SetWindowOrgEx
- gdi32.dll.ScaleViewportExtEx
- gdi32.dll.SetViewportExtEx
- gdi32.dll.OffsetViewportOrgEx
- gdi32.dll.SetViewportOrgEx
- gdi32.dll.SetMapMode
- gdi32.dll.SetTextColor
- gdi32.dll.SetROP2
- gdi32.dll.SetPolyFillMode
- gdi32.dll.SetBkMode
- gdi32.dll.RestoreDC
- gdi32.dll.SaveDC
- gdi32.dll.RectVisible
- gdi32.dll.TextOutA
- gdi32.dll.ExtTextOutA
- gdi32.dll.Escape
- gdi32.dll.GetTextMetricsA
- gdi32.dll.EndPage
- gdi32.dll.GetObjectA
- gdi32.dll.GetStockObject
- gdi32.dll.CreateFontIndirectA
- gdi32.dll.CreateSolidBrush
- gdi32.dll.FillRgn
- gdi32.dll.CreateRectRgn
- gdi32.dll.CombineRgn
- gdi32.dll.PatBlt
- gdi32.dll.CreatePen
- gdi32.dll.SelectObject
- gdi32.dll.CreateBitmap
- gdi32.dll.CreateDCA
- gdi32.dll.CreateCompatibleBitmap
- gdi32.dll.GetPolyFillMode
- gdi32.dll.GetStretchBltMode
- gdi32.dll.GetROP2
- gdi32.dll.GetBkColor
- gdi32.dll.GetBkMode
- gdi32.dll.GetTextColor
- gdi32.dll.CreateRoundRectRgn
- gdi32.dll.CreateEllipticRgn
- gdi32.dll.PathToRegion
- gdi32.dll.EndPath
- gdi32.dll.BeginPath
- gdi32.dll.GetWindowOrgEx
- gdi32.dll.GetViewportOrgEx
- gdi32.dll.GetWindowExtEx
- gdi32.dll.GetDIBits
- gdi32.dll.DPtoLP
- gdi32.dll.RealizePalette
- gdi32.dll.SelectPalette
- ole32.dll.CLSIDFromProgID
- ole32.dll.OleRun
- ole32.dll.CoCreateInstance
- ole32.dll.CLSIDFromString
- ole32.dll.OleUninitialize
- ole32.dll.OleInitialize
- oleaut32.dll.#186
- oleaut32.dll.#161
- oleaut32.dll.#165
- oleaut32.dll.#163
- oleaut32.dll.#26
- oleaut32.dll.#15
- oleaut32.dll.#16
- oleaut32.dll.#2
- oleaut32.dll.#8
- oleaut32.dll.#11
- oleaut32.dll.#25
- oleaut32.dll.#23
- oleaut32.dll.#24
- oleaut32.dll.#17
- oleaut32.dll.#20
- oleaut32.dll.#19
- oleaut32.dll.#12
- oleaut32.dll.#9
- oleaut32.dll.#10
- shell32.dll.Shell_NotifyIconA
- shell32.dll.SHGetSpecialFolderPathA
- shell32.dll.ShellExecuteA
- user32.dll.ScreenToClient
- user32.dll.GetMessagePos
- user32.dll.SetWindowRgn
- user32.dll.DestroyAcceleratorTable
- user32.dll.GetWindow
- user32.dll.GetActiveWindow
- user32.dll.SetFocus
- user32.dll.IsIconic
- user32.dll.PeekMessageA
- user32.dll.SetMenu
- user32.dll.GetMenu
- user32.dll.GetSysColorBrush
- user32.dll.LoadStringA
- user32.dll.GetKeyState
- user32.dll.TranslateAcceleratorA
- user32.dll.IsWindowEnabled
- user32.dll.ShowWindow
- user32.dll.SystemParametersInfoA
- user32.dll.LoadImageA
- user32.dll.EnumDisplaySettingsA
- user32.dll.ClientToScreen
- user32.dll.EnableMenuItem
- user32.dll.GetSubMenu
- user32.dll.GetDlgCtrlID
- user32.dll.CreateAcceleratorTableA
- user32.dll.CreateMenu
- user32.dll.ModifyMenuA
- user32.dll.AppendMenuA
- user32.dll.CreatePopupMenu
- user32.dll.DrawIconEx
- user32.dll.CreateIconFromResourceEx
- user32.dll.RegisterClipboardFormatA
- user32.dll.SetRectEmpty
- user32.dll.DispatchMessageA
- user32.dll.UnregisterClassA
- user32.dll.ChildWindowFromPointEx
- user32.dll.CopyRect
- user32.dll.LoadBitmapA
- user32.dll.WinHelpA
- user32.dll.KillTimer
- user32.dll.SetTimer
- user32.dll.ReleaseCapture
- user32.dll.GetCapture
- user32.dll.SetCapture
- user32.dll.GetScrollRange
- user32.dll.SetScrollRange
- user32.dll.SetScrollPos
- user32.dll.GetMenuCheckMarkDimensions
- user32.dll.GetMenuState
- user32.dll.SetMenuItemBitmaps
- user32.dll.CheckMenuItem
- user32.dll.MoveWindow
- user32.dll.SetWindowTextA
- user32.dll.IsDialogMessageA
- user32.dll.SetRect
- user32.dll.DeleteMenu
- user32.dll.IntersectRect
- user32.dll.DestroyIcon
- user32.dll.PtInRect
- user32.dll.OffsetRect
- user32.dll.IsWindowVisible
- user32.dll.EnableWindow
- user32.dll.RedrawWindow
- user32.dll.GetWindowLongA
- user32.dll.SetWindowLongA
- user32.dll.GetSysColor
- user32.dll.SetActiveWindow
- user32.dll.SetCursorPos
- user32.dll.LoadCursorA
- user32.dll.SetCursor
- user32.dll.GetDC
- user32.dll.FillRect
- user32.dll.IsRectEmpty
- user32.dll.ReleaseDC
- user32.dll.IsChild
- user32.dll.DestroyMenu
- user32.dll.SetForegroundWindow
- user32.dll.GetWindowRect
- user32.dll.EqualRect
- user32.dll.UpdateWindow
- user32.dll.ValidateRect
- user32.dll.InvalidateRect
- user32.dll.GetClientRect
- user32.dll.GetFocus
- user32.dll.GetParent
- user32.dll.GetTopWindow
- user32.dll.PostMessageA
- user32.dll.IsWindow
- user32.dll.SetParent
- user32.dll.DestroyCursor
- user32.dll.SendMessageA
- user32.dll.SetWindowPos
- user32.dll.MessageBoxA
- user32.dll.GetCursorPos
- user32.dll.GetSystemMetrics
- user32.dll.EmptyClipboard
- user32.dll.SetClipboardData
- user32.dll.OpenClipboard
- user32.dll.GetClipboardData
- user32.dll.CloseClipboard
- user32.dll.wsprintfA
- user32.dll.WaitForInputIdle
- user32.dll.GetSystemMenu
- user32.dll.GetMessageA
- user32.dll.WindowFromPoint
- user32.dll.DrawFocusRect
- user32.dll.DrawEdge
- user32.dll.DrawFrameControl
- user32.dll.TranslateMessage
- user32.dll.LoadIconA
- user32.dll.GetDesktopWindow
- user32.dll.GetClassNameA
- user32.dll.GetWindowThreadProcessId
- user32.dll.FindWindowA
- user32.dll.GetDlgItem
- user32.dll.GetWindowTextA
- user32.dll.GetForegroundWindow
- user32.dll.DefWindowProcA
- user32.dll.GetClassInfoA
- user32.dll.IsZoomed
- user32.dll.PostQuitMessage
- user32.dll.InflateRect
- user32.dll.CopyAcceleratorTableA
- user32.dll.CreateIconFromResource
- user32.dll.GetWindowTextLengthA
- user32.dll.CharUpperA
- user32.dll.GetWindowDC
- user32.dll.BeginPaint
- user32.dll.EndPaint
- user32.dll.TabbedTextOutA
- user32.dll.DrawTextA
- user32.dll.GrayStringA
- user32.dll.DestroyWindow
- user32.dll.CreateDialogIndirectParamA
- user32.dll.EndDialog
- user32.dll.GetNextDlgTabItem
- user32.dll.GetWindowPlacement
- user32.dll.RegisterWindowMessageA
- user32.dll.GetLastActivePopup
- user32.dll.GetMessageTime
- user32.dll.RemovePropA
- user32.dll.CallWindowProcA
- user32.dll.GetPropA
- user32.dll.UnhookWindowsHookEx
- user32.dll.SetPropA
- user32.dll.GetClassLongA
- user32.dll.CallNextHookEx
- user32.dll.SetWindowsHookExA
- user32.dll.CreateWindowExA
- user32.dll.GetMenuItemID
- user32.dll.GetMenuItemCount
- user32.dll.RegisterClassA
- user32.dll.GetScrollPos
- user32.dll.AdjustWindowRectEx
- user32.dll.MapWindowPoints
- user32.dll.SendDlgItemMessageA
- user32.dll.ScrollWindowEx
- winmm.dll.midiStreamOut
- winmm.dll.midiOutPrepareHeader
- winmm.dll.waveOutWrite
- winmm.dll.waveOutPause
- winmm.dll.waveOutReset
- winmm.dll.waveOutClose
- winmm.dll.waveOutGetNumDevs
- winmm.dll.waveOutOpen
- winmm.dll.midiOutUnprepareHeader
- winmm.dll.midiStreamOpen
- winmm.dll.midiStreamProperty
- winmm.dll.midiStreamStop
- winmm.dll.midiOutReset
- winmm.dll.midiStreamClose
- winmm.dll.midiStreamRestart
- winmm.dll.waveOutUnprepareHeader
- winmm.dll.waveOutRestart
- winmm.dll.waveOutPrepareHeader
- winspool.drv.OpenPrinterA
- winspool.drv.DocumentPropertiesA
- winspool.drv.ClosePrinter
- ws2_32.dll.#9
- ws2_32.dll.#101
- ws2_32.dll.#3
- ws2_32.dll.#19
- ws2_32.dll.#18
- ws2_32.dll.#116
- ws2_32.dll.#115
- ws2_32.dll.#12
- ws2_32.dll.#11
- ws2_32.dll.#22
- ws2_32.dll.#111
- ws2_32.dll.#14
- ws2_32.dll.#23
- ws2_32.dll.#17
- ws2_32.dll.#10
- ws2_32.dll.#4
- ws2_32.dll.#16
- ws2_32.dll.#151
- ws2_32.dll.#52
- ws2_32.dll.#1
- ws2_32.dll.#5
- kernel32.dll.IsProcessorFeaturePresent
- cryptbase.dll.SystemFunction036
- kernel32.dll.SortGetHandle
- kernel32.dll.SortCloseHandle
- kernel32.dll.CreateDirectoryA
- kernel32.dll.MoveFileA
- ole32.dll.CoInitialize
- wininet.dll.InternetOpenA
- wininet.dll.InternetConnectA
- wininet.dll.HttpOpenRequestA
- wininet.dll.HttpSendRequestA
- rasapi32.dll.RasConnectionNotificationW
- sechost.dll.NotifyServiceStatusChangeA
- wininet.dll.InternetReadFile
- wininet.dll.HttpQueryInfoA
- wininet.dll.InternetCloseHandle
- winhttp.dll.WinHttpCheckPlatform
- winhttp.dll.WinHttpCrackUrl
- shlwapi.dll.StrCmpNW
- winhttp.dll.WinHttpOpen
- winhttp.dll.WinHttpConnect
- winhttp.dll.WinHttpOpenRequest
- winhttp.dll.WinHttpSetTimeouts
- winhttp.dll.WinHttpSetOption
- winhttp.dll.WinHttpAddRequestHeaders
- shlwapi.dll.#153
- winhttp.dll.WinHttpSendRequest
- ws2_32.dll.GetAddrInfoW
- ws2_32.dll.WSASocketW
- ws2_32.dll.#2
- ws2_32.dll.#21
- ws2_32.dll.WSAIoctl
- ws2_32.dll.FreeAddrInfoW
- ws2_32.dll.#6
- ws2_32.dll.WSARecv
- ws2_32.dll.WSASend
- ws2_32.dll.WSAGetOverlappedResult
- winhttp.dll.WinHttpReceiveResponse
- user32.dll.FindWindowExA
- winhttp.dll.WinHttpCloseHandle
- rpcrt4.dll.RpcBindingFree
- ole32.dll.CoUninitialize
- kernel32.dll.FlsAlloc
- kernel32.dll.FlsGetValue
- kernel32.dll.FlsSetValue
- kernel32.dll.FlsFree
- kernel32.dll.GetLongPathNameA
- kernel32.dll.GetDiskFreeSpaceExA
- oleaut32.dll.VariantChangeTypeEx
- oleaut32.dll.VarNeg
- oleaut32.dll.VarNot
- oleaut32.dll.VarAdd
- oleaut32.dll.VarSub
- oleaut32.dll.VarMul
- oleaut32.dll.VarDiv
- oleaut32.dll.VarIdiv
- oleaut32.dll.VarMod
- oleaut32.dll.VarAnd
- oleaut32.dll.VarOr
- oleaut32.dll.VarXor
- oleaut32.dll.VarCmp
- oleaut32.dll.VarI4FromStr
- oleaut32.dll.VarR4FromStr
- oleaut32.dll.VarR8FromStr
- oleaut32.dll.VarDateFromStr
- oleaut32.dll.VarCyFromStr
- oleaut32.dll.VarBoolFromStr
- oleaut32.dll.VarBstrFromCy
- oleaut32.dll.VarBstrFromDate
- oleaut32.dll.VarBstrFromBool
- gdiplus.dll.GdiplusStartup
- user32.dll.GetWindowInfo
- user32.dll.GetAncestor
- user32.dll.GetMonitorInfoA
- user32.dll.EnumDisplayMonitors
- user32.dll.EnumDisplayDevicesA
- gdi32.dll.ExtTextOutW
- gdi32.dll.GdiIsMetaPrintDC
- user32.dll.GetClassInfoExA
- kernel32.dll.LocalSize
- user32.dll.RegisterClassExA
- ole32.dll.CoInitializeEx
- ole32.dll.CoRegisterInitializeSpy
- ole32.dll.CoRevokeInitializeSpy
- advpack.dll.IsNTAdmin
- advapi32.dll.CheckTokenMembership
- sxs.dll.SxsOleAut32MapConfiguredClsidToReferenceClsid
- oleaut32.dll.#28
- shlwapi.dll.StrRChrA
- oleaut32.dll.#4
- oleaut32.dll.#6
- ole32.dll.CreateStreamOnHGlobal
- ole32.dll.GetHGlobalFromStream
- oleaut32.dll.#411
- gdi32.dll.CreateDIBSection
- gdiplus.dll.GdipCreateFromHDC
- kernel32.dll.RtlMoveMemory
- kernel32.dll.lstrcpyn
- gdiplus.dll.GdipCreateBitmapFromStream
- windowscodecs.dll.DllGetClassObject
- kernel32.dll.WerRegisterMemoryBlock
- gdiplus.dll.GdipGetImageDimension
- gdiplus.dll.GdipDrawImageRectRect
- gdiplus.dll.GdipDeleteGraphics
- user32.dll.UpdateLayeredWindow
- gdi32.dll.GetLayout
- gdi32.dll.GdiRealizationInfo
- gdi32.dll.FontIsLinked
- advapi32.dll.RegOpenKeyExW
- advapi32.dll.RegQueryInfoKeyW
- gdi32.dll.GetTextFaceAliasW
- advapi32.dll.RegEnumValueW
- advapi32.dll.RegQueryValueExW
- advapi32.dll.RegQueryValueExA
- advapi32.dll.RegEnumKeyExW
- gdi32.dll.GetTextExtentExPointWPri
- kernel32.dll.GetExitCodeThread
- wininet.dll.InternetGetConnectedState
- wininet.dll.InternetOpenUrlA
- shlwapi.dll.PathRemoveFileSpecA
- unrar.dll.RAROpenArchiveEx
- unrar.dll.RARSetPassword
- crypt32.dll.CryptProtectMemory
- crypt32.dll.CryptUnprotectMemory
- cryptbase.dll.SystemFunction040
- unrar.dll.RARReadHeader
- unrar.dll.RARSetCallback
- unrar.dll.RARProcessFile
- cryptbase.dll.SystemFunction041
- unrar.dll.RARCloseArchive
- setupapi.dll.CM_Get_Device_Interface_List_Size_ExW
- setupapi.dll.CM_Get_Device_Interface_List_ExW
- comctl32.dll.#386
- comctl32.dll.#388
- oleaut32.dll.#500
- advapi32.dll.UnregisterTraceGuids
- comctl32.dll.#321
- ntdll.dll.RtlAdjustPrivilege
- ws2_32.dll.send
- kernel32.dll.VirtualProtect
- ws2_32.dll.recv
- ws2_32.dll.connect
- kernel32.dll.OpenProcessToken
- advapi32.dll.LookupPrivilegeValueA
- advapi32.dll.AdjustTokenPrivileges
- kernel32.dll.LoadLibraryExA
- node.dll.wkeIsInitialize
- node.dll.wkeInitialize
- wininet.dll.InternetOpenW
- gdi32.dll.GdiAlphaBlend
- kernel32.dll.CreateTimerQueue
- kernel32.dll.DeleteTimerQueueTimer
- kernel32.dll.CreateTimerQueueTimer
- user32.dll.SetWindowsHookExW
- node.dll.wkeCreateWebView
- node.dll.wkeSetHandle
- node.dll.wkeOnPaintUpdated
- node.dll.wkeSetTransparent
- user32.dll.GetWindowLongW
- user32.dll.SetWindowLongW
- node.dll.wkeResize
- node.dll.wkeSetCookieJarPath
- node.dll.wkeOnDocumentReady
- node.dll.wkeLoadURLW
- node.dll.wkeJsBindFunction
- user32.dll.CallWindowProcW
- gdi32.dll.GetFontAssocStatus
- oleaut32.dll.SysAllocString
- oleaut32.dll.SysStringLen
- oleaut32.dll.SysFreeString
- gdi32.dll.GetGlyphIndicesW
- node.dll.wkeSetFocus
- node.dll.wkeRepaintIfNeeded
- user32.dll.PostThreadMessageA
- user32.dll.WaitMessage
- user32.dll.RegisterHotKey
- node.dll.wkeKillFocus
- node.dll.wkeFireWindowsMessage
- node.dll.wkeFireMouseEvent
- kernel32.dll.FileTimeToDosDateTime
- kernel32.dll.GetFileInformationByHandle
- kernel32.dll.MapViewOfFile
- kernel32.dll.CreateFileMappingA
- kernel32.dll.UnmapViewOfFile
- kernel32.dll.SystemTimeToFileTime
- kernel32.dll.ExpandEnvironmentStringsA
- kernel32.dll.CopyFileA
- kernel32.dll.IsDBCSLeadByte
- advapi32.dll.RegCreateKeyA
- gdi32.dll.ExtCreateRegion
- gdi32.dll.SetPixel
- gdi32.dll.GetPixel
- rasapi32.dll.RasHangUpA
- rasapi32.dll.RasGetConnectStatusA
- kernel32.dll.FindResourceW
- kernel32.dll.FindResourceExW
- kernel32.dll.ResetEvent
- kernel32.dll.MapViewOfFileEx
- kernel32.dll.PostQueuedCompletionStatus
- kernel32.dll.CreateIoCompletionPort
- kernel32.dll.GetQueuedCompletionStatus
- kernel32.dll.GetModuleHandleExW
- kernel32.dll.InterlockedExchangeAdd
- kernel32.dll.DeleteFiber
- kernel32.dll.SwitchToFiber
- kernel32.dll.CreateFiber
- kernel32.dll.GetModuleHandleW
- kernel32.dll.FindNextFileW
- kernel32.dll.FindFirstFileW
- kernel32.dll.ConvertFiberToThread
- kernel32.dll.ConvertThreadToFiber
- kernel32.dll.GetSystemTimeAsFileTime
- kernel32.dll.QueryPerformanceCounter
- kernel32.dll.GetCurrentProcessId
- kernel32.dll.GlobalMemoryStatus
- kernel32.dll.LoadLibraryW
- kernel32.dll.GetConsoleMode
- kernel32.dll.SetConsoleMode
- kernel32.dll.ReadConsoleA
- kernel32.dll.GetEnvironmentVariableW
- kernel32.dll.WriteConsoleW
- kernel32.dll.SizeofResource
- kernel32.dll.GetNativeSystemInfo
- kernel32.dll.SwitchToThread
- kernel32.dll.InterlockedCompareExchange
- kernel32.dll.GetCurrentDirectoryW
- kernel32.dll.GetDriveTypeW
- kernel32.dll.PeekNamedPipe
- kernel32.dll.GetConsoleCP
- kernel32.dll.GetStartupInfoW
- kernel32.dll.IsValidCodePage
- kernel32.dll.GetModuleFileNameW
- kernel32.dll.IsDebuggerPresent
- kernel32.dll.FindFirstFileExA
- kernel32.dll.GetDriveTypeA
- kernel32.dll.SetConsoleCtrlHandler
- kernel32.dll.ExitThread
- kernel32.dll.CreateFileW
- kernel32.dll.ReadConsoleW
- kernel32.dll.InitializeCriticalSectionAndSpinCount
- user32.dll.GetProcessWindowStation
- user32.dll.MessageBoxW
- user32.dll.GetUserObjectInformationW
- user32.dll.MsgWaitForMultipleObjectsEx
- advapi32.dll.CryptSignHashW
- advapi32.dll.ReportEventW
- advapi32.dll.RegisterEventSourceW
- advapi32.dll.CryptEnumProvidersW
- advapi32.dll.CryptReleaseContext
- advapi32.dll.CryptDestroyKey
- advapi32.dll.CryptGetProvParam
- advapi32.dll.CryptGenRandom
- advapi32.dll.CryptDecrypt
- advapi32.dll.CryptCreateHash
- advapi32.dll.CryptSetHashParam
- advapi32.dll.DeregisterEventSource
- advapi32.dll.CryptDestroyHash
- advapi32.dll.CryptExportKey
- advapi32.dll.CryptGetUserKey
- advapi32.dll.CryptAcquireContextW
- shlwapi.dll.PathIsDirectoryA
- shlwapi.dll.PathFileExistsA
- winmm.dll.timeGetTime
- ws2_32.dll.#112
- ws2_32.dll.WSARecvFrom
- ws2_32.dll.WSASendTo
- ws2_32.dll.#7
- ws2_32.dll.WSACreateEvent
- ws2_32.dll.#8
- ws2_32.dll.freeaddrinfo
- ws2_32.dll.getaddrinfo
- ws2_32.dll.#15
- ws2_32.dll.WSAWaitForMultipleEvents
- ws2_32.dll.WSAEventSelect
- ws2_32.dll.WSAEnumNetworkEvents
- ws2_32.dll.WSAResetEvent
- ws2_32.dll.WSACloseEvent
- ws2_32.dll.#13
- ws2_32.dll.#20
- crypt32.dll.CertGetCertificateContextProperty
- crypt32.dll.CertOpenStore
- crypt32.dll.CertFindCertificateInStore
- crypt32.dll.CertEnumCertificatesInStore
- crypt32.dll.CertCloseStore
- crypt32.dll.CertFreeCertificateContext
- crypt32.dll.CertDuplicateCertificateContext
- ntdll.dll.LdrGetProcedureAddress
- 114818047.dll.Create_HP_TcpPackClientListener
- 114818047.dll.Create_HP_TcpPackClient
- comctl32.dll.RegisterClassNameW
- uxtheme.dll.OpenThemeData
- imm32.dll.ImmIsIME
- imm32.dll.ImmGetContext
- imm32.dll.ImmReleaseContext
- imm32.dll.ImmAssociateContext