魔盾安全分析报告

分析类型	开始时间	结束时间	持续时间	分析引擎版本
FILE	2022-07-04 11:08:37	2022-07-04 11:09:15	38 秒	1.4-Maldun

虚拟机机器名	标签	虚拟机管理	开机时间	关机时间
win7-sp1-x64-shaapp03-1	win7-sp1-x64-shaapp03-1	KVM	2022-07-04 11:08:39	2022-07-04 11:09:17

魔盾分数
4.375 可疑的

文件详细信息

文件名	shellext.dll
文件大小	514560 字节
文件类型	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
CRC32	758F9FD9
MD5	cebbf354e76812d9406e8ec805c1c5d7
SHA1	21ae7e47ce9b3709b831737ea6513bde8322cc27
SHA256	d41887d82d0731468fec718bf0f15bf78925f72b62f6f5da974fcc246425b69f
SHA512	0d7d15912ac84b36ae8ca2f56435efaa7970657168e05ec672d5874dcae811664fd0d614bca64479814bb11f953688c3e1856bb94e8414952079bf338e8af65c
Ssdeep	6144:QLeDN96MCBE/8yi06OmDmrDwBZS5CPfsmuGJQhSOM5zvYVYOpoGaA8:QLeDPJCBSSm2ZS5CH1uGoS3MVaA8
PEiD	无匹配
Yara	IsPE64 (Detected a 64bit PE sample) IsDLL (Detect a DLL sample) IsWindowsGUI (Detected a Windows GUI sample) HasDebugData (Detected Debug Data) HasRichSignature (Detected Rich Signature) DebuggerCheck__QueryInfo () DebuggerTiming__PerformanceCounter () DebuggerTiming__Ticks (Detected timing ticks function) anti_dbg (Detected self protection if being debugged) create_com_service (Detected function for creating a COM server) win_mutex (Create or check mutex) create_process (Detection function for creating a new process) escalate_priv (Detected escalate priviledges function) win_registry (Detected system registries modification function) win_token (Affect system token) win_files_operation (Affect private profile) Maldun_Anomoly_Combined_Activities_7 (Spotted potential malicious behaviors from a small size target, like process manipultion, privilege, token and files)
VirusTotal	VirusTotal查询失败

特征

创建RWX内存

魔盾安全Yara规则检测结果 - 安全告警

Warning: Detected function for creating a COM server

Critical: Spotted potential malicious behaviors from a small size target, like process manipultion, privilege, token and files

可疑的样本异常终止

运行截图

网络分析

TCP连接

IP地址	端口
208.185.115.99	80

UDP连接

IP地址	端口
192.168.122.1	53

HTTP请求

URL	HTTP数据
http://acroipm.adobe.com/11/rdr/CHS/win/nooem/none/message.zip	GET /11/rdr/CHS/win/nooem/none/message.zip HTTP/1.1 Accept: / If-Modified-Since: Mon, 08 Nov 2017 08:44:36 GMT User-Agent: IPM Host: acroipm.adobe.com Connection: Keep-Alive Cache-Control: no-cache

静态分析

PE 信息

初始地址	0x180000000
入口地址	0x1800461dc
声明校验值	0x0008dd29
实际校验值	0x00086854
最低操作系统版本要求	5.2
PDB路径	C:\var\JFR\workspace\last-successful\PL\Cmake\targets\Windows_x64\libs\Release\shellext.pdb
编译时间	2021-05-28 18:52:23
载入哈希	e414a80e78593af7ff0e9e0cd8cdd00c
导出DLL库名称	shellext.dll

版本信息

InternalName:	shellext.dll
OriginalFilename:	shellext.dll
FileDescription:	Shell Extension
Translation:	0x0804 0x03a8

PE数据组成

名称	虚拟地址	虚拟大小	原始数据大小	特征	熵(Entropy)
.text	0x00001000	0x0004d109	0x0004d200	IMAGE_SCN_CNT_CODE\|IMAGE_SCN_MEM_EXECUTE\|IMAGE_SCN_MEM_READ	6.05
.rdata	0x0004f000	0x00021e2a	0x00022000	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ	5.03
.data	0x00071000	0x00002a28	0x00001e00	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ\|IMAGE_SCN_MEM_WRITE	4.43
.pdata	0x00074000	0x0000786c	0x00007a00	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ	5.71
.rsrc	0x0007c000	0x00003c30	0x00003e00	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ	5.56
.reloc	0x00080000	0x00000c3a	0x00000e00	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_DISCARDABLE\|IMAGE_SCN_MEM_READ	3.81

资源

名称	偏移量	大小	语言	子语言	熵(Entropy)	文件类型
REGISTRY	0x0007dfe0	0x00000549	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	5.31	ASCII text, with CRLF line terminators
REGISTRY	0x0007dfe0	0x00000549	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	5.31	ASCII text, with CRLF line terminators
REGISTRY	0x0007dfe0	0x00000549	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	5.31	ASCII text, with CRLF line terminators
REGISTRY	0x0007dfe0	0x00000549	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	5.31	ASCII text, with CRLF line terminators
REGISTRY	0x0007dfe0	0x00000549	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	5.31	ASCII text, with CRLF line terminators
REGISTRY	0x0007dfe0	0x00000549	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	5.31	ASCII text, with CRLF line terminators
REGISTRY	0x0007dfe0	0x00000549	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	5.31	ASCII text, with CRLF line terminators
REGISTRY	0x0007dfe0	0x00000549	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	5.31	ASCII text, with CRLF line terminators
REGISTRY	0x0007dfe0	0x00000549	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	5.31	ASCII text, with CRLF line terminators
TYPELIB	0x0007e52c	0x00001224	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	4.05	data
RT_DIALOG	0x0007f750	0x00000078	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	3.14	data
RT_STRING	0x0007f7f8	0x0000003c	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	1.72	data
RT_STRING	0x0007f7f8	0x0000003c	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	1.72	data
RT_VERSION	0x0007f834	0x000001a4	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	3.14	data
RT_MANIFEST	0x0007f9d8	0x00000258	LANG_ENGLISH	SUBLANG_ENGLISH_US	5.02	ASCII text, with CRLF line terminators

导入

库 PSAPI.DLL:

• 0x18004f700 - GetProcessImageFileNameW

库 imagehlp.dll:

• 0x18004f8f0 - UnMapAndLoad

• 0x18004f8f8 - ImageDirectoryEntryToData

• 0x18004f900 - MapAndLoad

• 0x18004f908 - ImageRvaToVa

库 cfl.dll:

• 0x18004f818 - ?assign@String@lang@cpp@@QEAAAEAV123@PEBD@Z

• 0x18004f820 - ?init@String@lang@cpp@@AEAAXPEAVIAllocator@23@@Z

• 0x18004f828 - ??1String@lang@cpp@@QEAA@XZ

• 0x18004f830 - ?log@SystemLog@diagnostics@cpp@@QEAAXW4SystemLogType@23@PEBGZZ

• 0x18004f838 - ?getInstance@SystemLog@diagnostics@cpp@@SAPEAV123@XZ

• 0x18004f840 - ?format@String@lang@cpp@@QEAAXPEBGZZ

库 KERNEL32.dll:

• 0x18004f118 - FindResourceExW

• 0x18004f120 - lstrcpynA

• 0x18004f128 - lstrcpynW

• 0x18004f130 - GetVersionExW

• 0x18004f138 - GetFileAttributesW

• 0x18004f140 - GlobalUnlock

• 0x18004f148 - GlobalLock

• 0x18004f150 - GetLongPathNameW

• 0x18004f158 - GetPrivateProfileIntW

• 0x18004f160 - GetPrivateProfileStringW

• 0x18004f168 - SetLastError

• 0x18004f170 - DeleteFileW

• 0x18004f178 - CreateMutexW

• 0x18004f180 - FindClose

• 0x18004f188 - FindNextFileW

• 0x18004f190 - FindFirstFileW

• 0x18004f198 - GetDriveTypeW

• 0x18004f1a0 - GetLogicalDriveStringsW

• 0x18004f1a8 - CloseHandle

• 0x18004f1b0 - GetFileAttributesExW

• 0x18004f1b8 - CreateFileW

• 0x18004f1c0 - WriteFile

• 0x18004f1c8 - SetFilePointer

• 0x18004f1d0 - ReadFile

• 0x18004f1d8 - DuplicateHandle

• 0x18004f1e0 - GetCurrentProcess

• 0x18004f1e8 - OpenProcess

• 0x18004f1f0 - GetCurrentProcessId

• 0x18004f1f8 - LockResource

• 0x18004f200 - lstrcmpiW

• 0x18004f208 - SwitchToThread

• 0x18004f210 - GetNativeSystemInfo

• 0x18004f218 - DeleteCriticalSection

• 0x18004f220 - Process32NextW

• 0x18004f228 - ProcessIdToSessionId

• 0x18004f230 - Process32FirstW

• 0x18004f238 - CreateToolhelp32Snapshot

• 0x18004f240 - Module32NextW

• 0x18004f248 - Module32FirstW

• 0x18004f250 - GetProcessId

• 0x18004f258 - CompareFileTime

• 0x18004f260 - GetProcessTimes

• 0x18004f268 - lstrlenA

• 0x18004f270 - GlobalFree

• 0x18004f278 - GlobalAlloc

• 0x18004f280 - ExpandEnvironmentStringsW

• 0x18004f288 - WaitNamedPipeW

• 0x18004f290 - GetFileSizeEx

• 0x18004f298 - DisconnectNamedPipe

• 0x18004f2a0 - ConnectNamedPipe

• 0x18004f2a8 - FlushFileBuffers

• 0x18004f2b0 - CreateNamedPipeW

• 0x18004f2b8 - ReadProcessMemory

• 0x18004f2c0 - HeapReAlloc

• 0x18004f2c8 - HeapFree

• 0x18004f2d0 - HeapAlloc

• 0x18004f2d8 - HeapDestroy

• 0x18004f2e0 - TerminateThread

• 0x18004f2e8 - WideCharToMultiByte

• 0x18004f2f0 - InitializeCriticalSection

• 0x18004f2f8 - GetThreadLocale

• 0x18004f300 - SetThreadLocale

• 0x18004f308 - GetModuleHandleW

• 0x18004f310 - GetProcAddress

• 0x18004f318 - GetLastError

• 0x18004f320 - LeaveCriticalSection

• 0x18004f328 - EnterCriticalSection

• 0x18004f330 - RaiseException

• 0x18004f338 - lstrlenW

• 0x18004f340 - LoadLibraryExW

• 0x18004f348 - FindResourceW

• 0x18004f350 - LoadResource

• 0x18004f358 - SizeofResource

• 0x18004f360 - MultiByteToWideChar

• 0x18004f368 - FreeLibrary

• 0x18004f370 - QueryDosDeviceW

• 0x18004f378 - GetModuleFileNameW

• 0x18004f380 - HeapSize

• 0x18004f388 - GetProcessHeap

• 0x18004f390 - Sleep

• 0x18004f398 - TerminateProcess

• 0x18004f3a0 - UnhandledExceptionFilter

• 0x18004f3a8 - SetUnhandledExceptionFilter

• 0x18004f3b0 - IsDebuggerPresent

• 0x18004f3b8 - RtlVirtualUnwind

• 0x18004f3c0 - GetSystemTimeAsFileTime

• 0x18004f3c8 - RtlLookupFunctionEntry

• 0x18004f3d0 - RtlCaptureContext

• 0x18004f3d8 - QueryPerformanceCounter

• 0x18004f3e0 - GetTickCount

• 0x18004f3e8 - GetCurrentThreadId

• 0x18004f3f0 - WaitForSingleObject

库 USER32.dll:

• 0x18004f798 - SetClipboardData

• 0x18004f7a0 - PostMessageW

• 0x18004f7a8 - EmptyClipboard

• 0x18004f7b0 - OpenClipboard

• 0x18004f7b8 - FindWindowExW

• 0x18004f7c0 - CloseClipboard

• 0x18004f7c8 - GetSystemMetrics

• 0x18004f7d0 - InsertMenuItemW

• 0x18004f7d8 - MessageBoxExW

• 0x18004f7e0 - SendMessageW

• 0x18004f7e8 - FindWindowW

• 0x18004f7f0 - CreatePopupMenu

• 0x18004f7f8 - CharNextW

• 0x18004f800 - RegisterClipboardFormatW

• 0x18004f808 - SetWindowLongPtrW

库 GDI32.dll:

• 0x18004f0c8 - GetObjectW

• 0x18004f0d0 - DeleteDC

• 0x18004f0d8 - CreateCompatibleDC

• 0x18004f0e0 - DeleteObject

• 0x18004f0e8 - SelectObject

• 0x18004f0f0 - SetDIBColorTable

• 0x18004f0f8 - CreateDIBSection

库 SHELL32.dll:

• 0x18004f710 - SHGetPathFromIDListW

• 0x18004f718 - None

• 0x18004f720 - None

• 0x18004f728 - ShellExecuteExW

• 0x18004f730 - SHBrowseForFolderW

• 0x18004f738 - SHGetPathFromIDListEx

• 0x18004f740 - SHGetFolderPathW

• 0x18004f748 - SHParseDisplayName

• 0x18004f750 - None

• 0x18004f758 - None

• 0x18004f760 - None

• 0x18004f768 - DragQueryFileW

库 ole32.dll:

• 0x18004f918 - CoCreateInstance

• 0x18004f920 - CoInitialize

• 0x18004f928 - CoUninitialize

• 0x18004f930 - ReleaseStgMedium

• 0x18004f938 - CoTaskMemAlloc

• 0x18004f940 - CoTaskMemRealloc

• 0x18004f948 - StringFromGUID2

• 0x18004f950 - CoTaskMemFree

库 OLEAUT32.dll:

• 0x18004f6b8 - LoadRegTypeLib

• 0x18004f6c0 - VarUI4FromStr

• 0x18004f6c8 - RegisterTypeLib

• 0x18004f6d0 - UnRegisterTypeLib

• 0x18004f6d8 - LoadTypeLib

• 0x18004f6e0 - SysAllocString

• 0x18004f6e8 - SysFreeString

• 0x18004f6f0 - SysStringLen

库 ADVAPI32.dll:

• 0x18004f000 - RegQueryInfoKeyW

• 0x18004f008 - RegDeleteValueW

• 0x18004f010 - RegCloseKey

• 0x18004f018 - RegCreateKeyExW

• 0x18004f020 - RegOpenKeyExW

• 0x18004f028 - RegSetValueExW

• 0x18004f030 - RegEnumKeyExW

• 0x18004f038 - RegQueryValueExW

• 0x18004f040 - AdjustTokenPrivileges

• 0x18004f048 - LookupPrivilegeValueW

• 0x18004f050 - OpenProcessToken

• 0x18004f058 - GetTokenInformation

• 0x18004f060 - CloseServiceHandle

• 0x18004f068 - QueryServiceStatusEx

• 0x18004f070 - OpenServiceW

• 0x18004f078 - OpenSCManagerW

• 0x18004f080 - ReportEventW

• 0x18004f088 - RegisterEventSourceW

• 0x18004f090 - SetSecurityDescriptorDacl

• 0x18004f098 - InitializeSecurityDescriptor

• 0x18004f0a0 - RegDeleteKeyW

库 MSVCP90.dll:

• 0x18004f400 - ??$?HGU?$char_traits@G@std@@V?$allocator@G@1@@std@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@AEBV10@PEBG@Z

• 0x18004f408 - ?replace@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QEAAAEAV12@_K0AEBV12@@Z

• 0x18004f410 - ?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QEAAAEAV12@PEBG@Z

• 0x18004f418 - ?clear@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QEAAXXZ

• 0x18004f420 - ??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QEAAAEAV01@PEBG@Z

• 0x18004f428 - ??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QEAAAEAV01@G@Z

• 0x18004f430 - ?find@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QEBA_KPEBG_K@Z

• 0x18004f438 - ?swap@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QEAAXAEAV12@@Z

• 0x18004f440 - ?substr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QEBA?AV12@_K0@Z

• 0x18004f448 - ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QEAA@XZ

• 0x18004f450 - ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QEAAAEAV01@PEBG@Z

• 0x18004f458 - ??$?HGU?$char_traits@G@std@@V?$allocator@G@1@@std@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@AEBV10@0@Z

• 0x18004f460 - ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QEAAAEAV01@AEBV01@@Z

• 0x18004f468 - ?append@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QEAAAEAV12@PEBG@Z

• 0x18004f470 - ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QEAA@AEBV01@@Z

• 0x18004f478 - ??$?MGU?$char_traits@G@std@@V?$allocator@G@1@@std@@YA_NAEBV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@0@Z

• 0x18004f480 - ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QEAA@PEBD@Z

• 0x18004f488 - ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QEAA@XZ

• 0x18004f490 - ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QEAA@AEBV01@@Z

• 0x18004f498 - ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QEAA@PEBG@Z

• 0x18004f4a0 - ?npos@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@2_KB

• 0x18004f4a8 - ?rfind@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QEBA_KG_K@Z

• 0x18004f4b0 - ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QEAA@XZ

库 SHLWAPI.dll:

• 0x18004f778 - SHDeleteKeyW

• 0x18004f780 - PathFileExistsW

• 0x18004f788 - SHCopyKeyW

库 MSVCR90.dll:

• 0x18004f4c0 - _encode_pointer

• 0x18004f4c8 - __dllonexit

• 0x18004f4d0 - _unlock

• 0x18004f4d8 - ?terminate@@YAXXZ

• 0x18004f4e0 - realloc

• 0x18004f4e8 - _vscwprintf

• 0x18004f4f0 - _vsnwprintf_s

• 0x18004f4f8 - _lock

• 0x18004f500 - _wctime64

• 0x18004f508 - memcpy

• 0x18004f510 - sprintf

• 0x18004f518 - isdigit

• 0x18004f520 - tolower

• 0x18004f528 - strstr

• 0x18004f530 - _onexit

• 0x18004f538 - _decode_pointer

• 0x18004f540 - _malloc_crt

• 0x18004f548 - _initterm

• 0x18004f550 - _initterm_e

• 0x18004f558 - _encoded_null

• 0x18004f560 - _amsg_exit

• 0x18004f568 - wcschr

• 0x18004f570 - _invalid_parameter_noinfo

• 0x18004f578 - ??0exception@std@@QEAA@AEBV01@@Z

• 0x18004f580 - memmove_s

• 0x18004f588 - ??0exception@std@@QEAA@XZ

• 0x18004f590 - ??2@YAPEAX_K@Z

• 0x18004f598 - _purecall

• 0x18004f5a0 - memcmp

• 0x18004f5a8 - calloc

• 0x18004f5b0 - _resetstkoflw

• 0x18004f5b8 - __CppXcptFilter

• 0x18004f5c0 - ?_type_info_dtor_internal_method@type_info@@QEAAXXZ

• 0x18004f5c8 - __crt_debugger_hook

• 0x18004f5d0 - __clean_type_info_names_internal

• 0x18004f5d8 - _swprintf

• 0x18004f5e0 - _time64

• 0x18004f5e8 - _snwprintf_s

• 0x18004f5f0 - _beginthreadex

• 0x18004f5f8 - _wtoi64

• 0x18004f600 - _i64tow

• 0x18004f608 - ??3@YAXPEAX@Z

• 0x18004f610 - wcsstr

• 0x18004f618 - malloc

• 0x18004f620 - free

• 0x18004f628 - memcpy_s

• 0x18004f630 - _CxxThrowException

• 0x18004f638 - wcscpy_s

• 0x18004f640 - wcsncpy_s

• 0x18004f648 - wcscat_s

• 0x18004f650 - ??_V@YAXPEAX@Z

• 0x18004f658 - __CxxFrameHandler3

• 0x18004f660 - _recalloc

• 0x18004f668 - memset

• 0x18004f670 - _wcsnicmp

• 0x18004f678 - wcsrchr

• 0x18004f680 - __C_specific_handler

• 0x18004f688 - _wcsicmp

• 0x18004f690 - ??0exception@std@@QEAA@AEBQEBD@Z

• 0x18004f698 - ?what@exception@std@@UEBAPEBDXZ

• 0x18004f6a0 - ??1exception@std@@UEAA@XZ

• 0x18004f6a8 - wcsncmp

库 gdiplus.dll:

• 0x18004f850 - GdipCreateBitmapFromFile

• 0x18004f858 - GdipCreateBitmapFromFileICM

• 0x18004f860 - GdipCreateBitmapFromScan0

• 0x18004f868 - GdipBitmapLockBits

• 0x18004f870 - GdipBitmapUnlockBits

• 0x18004f878 - GdiplusStartup

• 0x18004f880 - GdipGetImagePalette

• 0x18004f888 - GdipGetImageGraphicsContext

• 0x18004f890 - GdipDrawImageI

• 0x18004f898 - GdipCloneImage

• 0x18004f8a0 - GdipAlloc

• 0x18004f8a8 - GdipFree

• 0x18004f8b0 - GdipGetImagePaletteSize

• 0x18004f8b8 - GdipGetImagePixelFormat

• 0x18004f8c0 - GdipGetImageHeight

• 0x18004f8c8 - GdipGetImageWidth

• 0x18004f8d0 - GdipDisposeImage

• 0x18004f8d8 - GdiplusShutdown

• 0x18004f8e0 - GdipDeleteGraphics

库 COMCTL32.dll:

• 0x18004f0b0 - DestroyPropertySheetPage

• 0x18004f0b8 - CreatePropertySheetPageW

库 IPHLPAPI.DLL:

• 0x18004f108 - GetAdaptersInfo

导出

序列	地址	名称
1	0x180002cf0	DllCanUnloadNow
2	0x1800056a0	DllGetClassObject
3	0x180006000	DllInstall
4	0x180005fc0	DllRegisterServer
5	0x180005fe0	DllUnregisterServer

投放文件

无信息

行为分析

互斥量(Mutexes)

Local\MSCTF.Asm.MutexDefault1

执行的命令 无信息

创建的服务 无信息

启动的服务 无信息

进程

regsvr32.exe PID: 2544, 上一级进程 PID: 2244

访问的文件

C:\Users\test\AppData\Local\Temp\shellext.dll
C:\Users\test\AppData\Local\Temp\cfl.dll
C:\Windows\sysnative\cfl.dll
C:\Windows\system\cfl.dll
C:\Windows\cfl.dll
C:\ProgramData\Oracle\Java\javapath\cfl.dll
C:\Windows\sysnative\wbem\cfl.dll
C:\Windows\sysnative\WindowsPowerShell\v1.0\cfl.dll
C:\Program Files (x86)\WinRAR\cfl.dll
C:\Windows\sysnative\zh-CN\KERNELBASE.dll.mui
C:\Windows\sysnative\zh-CN\DUser.dll.mui
C:\Windows\Globalization\Sorting\sortdefault.nls
C:\Windows\sysnative\regsvr32.exe.Local\
C:\Windows\winsxs\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.7600.16385_zh-cn_6ff606562acb8ef5
C:\Windows\winsxs\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.7600.16385_zh-cn_6ff606562acb8ef5\COMCTL32.dll.mui
C:\Windows\sysnative\imageres.dll
C:\Windows\sysnative\zh-CN\imageres.dll.mui
C:\Windows\sysnative\zh-Hans\imageres.dll.mui
C:\Windows\sysnative\zh\imageres.dll.mui
C:\Windows\sysnative\en-US\imageres.dll.mui
C:\Windows\Fonts\staticcache.dat

读取的文件

C:\Users\test\AppData\Local\Temp\shellext.dll
C:\Windows\sysnative\zh-CN\KERNELBASE.dll.mui
C:\Windows\sysnative\zh-CN\DUser.dll.mui
C:\Windows\Globalization\Sorting\sortdefault.nls
C:\Windows\winsxs\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.7600.16385_zh-cn_6ff606562acb8ef5\COMCTL32.dll.mui
C:\Windows\sysnative\imageres.dll
C:\Windows\sysnative\zh-CN\imageres.dll.mui
C:\Windows\sysnative\zh-Hans\imageres.dll.mui
C:\Windows\sysnative\zh\imageres.dll.mui
C:\Windows\sysnative\en-US\imageres.dll.mui
C:\Windows\Fonts\staticcache.dat

修改的文件 无信息

删除的文件 无信息

注册表键

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\WMR
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\Software\Microsoft\DirectUI
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane16
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\regsvr32.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{03B5835F-F03C-411B-9CE2-AA23E1171E36}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{07EB03D6-B001-41DF-9192-BF9B841EE71F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3697C5FA-60DD-4B56-92D4-74A569205C16}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3FC47A08-E5C9-4BCA-A2C7-BC9A282AED14}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{531FDEBF-9B4C-4A43-A2AA-960E8FCDC732}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{78CB5B0E-26ED-4FCC-854C-77E8F3D1AA80}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{81D4E9C9-1D3B-41BC-9E6C-4B40BF79E35E}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{8613E14C-D0C0-4161-AC0F-1DD2563286BC}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{A028AE76-01B1-46C2-99C4-ACD9858AE02F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{AE6BE008-07FB-400D-8BEB-337A64F7051F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{C1EE01F2-B3B6-4A6A-9DDD-E988C088EC82}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{E429B25A-E5D3-4D1F-9BE3-0C608477E3A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F25E9F57-2FC8-4EB3-A41A-CCE5F08541E6}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F89E9E58-BD2F-4008-9AC2-0F816C09F4EE}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_CURRENT_USER
HKEY_CURRENT_USER\Keyboard Layout\Toggle
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
HKEY_CURRENT_USER\Software\Microsoft\CTF\DirectSwitchHotkeys
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\EnableAnchorContext
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\KnownClasses
HKEY_CURRENT_USER\Software\Microsoft\CTF\LayoutIcon\0804\00000804
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\FontSubstitutes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\\xe5\xae\x8b\xe4\xbd\x93
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles

读取的注册表键

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane16
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\EnableAnchorContext
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\\xe5\xae\x8b\xe4\xbd\x93
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles

修改的注册表键 无信息

删除的注册表键 无信息

API解析

user32.dll.SetProcessDPIAware
comctl32.dll.LoadIconWithScaleDown
ntdll.dll.RtlRunEncodeUnicodeString
ntdll.dll.RtlInitUnicodeString
ntdll.dll.RtlRunDecodeUnicodeString
duser.dll.InitGadgets
user32.dll.RegisterMessagePumpHook
uxtheme.dll.IsThemeActive
duser.dll.CreateGadget
duser.dll.SetGadgetMessageFilter
duser.dll.SetGadgetStyle
duser.dll.SetGadgetRootInfo
dwmapi.dll.DwmIsCompositionEnabled
uxtheme.dll.IsAppThemed
ole32.dll.CreateStreamOnHGlobal
xmllite.dll.CreateXmlReader
xmllite.dll.CreateXmlReaderInputWithEncodingName
duser.dll.FindStdColor
oleaut32.dll.#6
duser.dll.SetGadgetParent
duser.dll.GetDUserModule
duser.dll.AttachWndProcW
comctl32.dll.RegisterClassNameW
kernel32.dll.SortGetHandle
kernel32.dll.SortCloseHandle
uxtheme.dll.OpenThemeData
duser.dll.GetGadgetRect
duser.dll.GetGadgetRgn
duser.dll.GetGadgetTicket
uxtheme.dll.EnableThemeDialogTexture
duser.dll.GetGadgetFocus
gdi32.dll.GetLayout
gdi32.dll.GdiRealizationInfo
gdi32.dll.FontIsLinked
advapi32.dll.RegOpenKeyExW
advapi32.dll.RegQueryInfoKeyW
gdi32.dll.GetTextFaceAliasW
advapi32.dll.RegEnumValueW
advapi32.dll.RegCloseKey
advapi32.dll.RegQueryValueExW
advapi32.dll.RegQueryValueExA
advapi32.dll.RegEnumKeyExW
gdi32.dll.GetTextExtentExPointWPri
ole32.dll.CoInitializeEx
ole32.dll.CoUninitialize
ole32.dll.CoRegisterInitializeSpy
ole32.dll.CoRevokeInitializeSpy
duser.dll.SetGadgetFocus
duser.dll.DUserSendEvent
duser.dll.SetGadgetRect
duser.dll.InvalidateGadget
duser.dll.ForwardGadgetMessage
oleaut32.dll.SysAllocString
oleaut32.dll.SysStringLen
oleaut32.dll.SysFreeString
duser.dll.SetGadgetFocusEx
duser.dll.DisableContainerHwnd
duser.dll.DUserFlushMessages
duser.dll.DUserFlushDeferredMessages
duser.dll.DeleteHandle
user32.dll.UnregisterMessagePumpHook
oleaut32.dll.#500