魔盾安全分析报告
| 分析类型 | 开始时间 | 结束时间 | 持续时间 | 分析引擎版本 |
|---|---|---|---|---|
| FILE | 2024-03-27 12:47:59 | 2024-03-27 12:48:41 | 42 秒 | 1.4-Maldun |
| 虚拟机机器名 | 标签 | 虚拟机管理 | 开机时间 | 关机时间 |
|---|---|---|---|---|
| win7-sp1-x64-shaapp03-1 | win7-sp1-x64-shaapp03-1 | KVM | 2024-03-27 12:48:00 | 2024-03-27 12:48:44 |
| 魔盾分数 |
|---|
9.575恶意的 |
文件详细信息
| 文件名 | Authentication.dll |
|---|---|
| 文件大小 | 5659136 字节 |
| 文件类型 | PE32+ executable (DLL) (GUI) x86-64, for MS Windows |
| CRC32 | 2515C224 |
| MD5 | 5210048b4079b0ded4fcda595ab30d17 |
| SHA1 | 266da516e0aede2d2b37adcb4d0d9f65eac59f57 |
| SHA256 | 268dbf077dcab8fc6cd8b4a7dbdf178c8509e94420f668f5c588329c5506546b |
| SHA512 | efac7166fc0cdbf468a992b484b1841c58b2a82d499ea84d7970a7cb0539b78d78284569bba0f71210698f9e1d49d529c85f75d3f9b0a5a772e7231636d15459 |
| Ssdeep | 98304:FS35qol5tBVMGiclvb6UYxGHFR8ol8jZ7+Uhy3emNk4v:FSpq2Vnigvb6hxGHFR8ZjoZv |
| PEiD | 无匹配 |
| Yara |
|
| VirusTotal | VirusTotal查询失败 |
特征
创建RWX内存
二进制文件可能包含加密或压缩数据
section: name: .vmp1, entropy: 7.85, characteristics: IMAGE_SCN_CNT_CODE|IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_NOT_PAGED|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ, raw_size: 0x004c8200, virtual_size: 0x004c8058
可执行文件可能使用VMProtect打包
section: {'name': '.vmp0', 'characteristics': 'IMAGE_SCN_CNT_CODE|IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ', 'virtual_address': '0x004b5000', 'size_of_data': '0x00000000', 'entropy': '0.00', 'virtual_size': '0x0014cc37', 'characteristics_raw': '0x60000060'}
可疑的样本异常终止
专有的Yara规则检测结果 - 高危
Warning: Detected function for creating a COM server
Critical: Spotted potential malicious behaviors from a small size target, like process manipultion, privilege, token and files
运行截图
网络分析
TCP连接
| IP地址 | 端口 |
|---|---|
| 2.21.22.176 | 80 |
UDP连接
| IP地址 | 端口 |
|---|---|
| 192.168.122.1 | 53 |
HTTP请求
| URL | HTTP数据 |
|---|---|
| http://acroipm.adobe.com/11/rdr/CHS/win/nooem/none/message.zip | GET /11/rdr/CHS/win/nooem/none/message.zip HTTP/1.1 Accept: */* If-Modified-Since: Mon, 08 Nov 2017 08:44:36 GMT User-Agent: IPM Host: acroipm.adobe.com Connection: Keep-Alive Cache-Control: no-cache |
静态分析
PE 信息
| 初始地址 | 0x180000000 |
|---|---|
| 入口地址 | 0x180807626 |
| 声明校验值 | 0x0056cf8e |
| 实际校验值 | 0x0056cf8e |
| 最低操作系统版本要求 | 6.0 |
| PDB路径 | d:\agent\_work\85\s\Source\bin\x64\Release\Authentication.pdb |
| 编译时间 | 2024-01-19 22:51:46 |
| 载入哈希 | 33b857e98d2813a96148b266d86a34fe |
| 图标 |  |
| 图标精确哈希值 | 1bc6dd6232f32b8eb518b2dd3e1965cf |
| 图标相似性哈希值 | 9c406f03bd9bc8aa88f96425814974cf |
| 导出DLL库名称 | Authentication.dll |
版本信息
| LegalCopyright: | \xc2 2024 Minitab, LLC. All rights reserved. |
| InternalName: | Authentication |
| FileVersion: | 22.1.0.0 |
| CompanyName: | Minitab, LLC |
| ProductName: | Minitab 22 Statistical Software |
| ProductVersion: | 22.1.0.0.7480b3d0-20240311.8 |
| FileDescription: | Minitab 22 |
| OriginalFilename: | Authentication.dll |
| Translation: | 0x0409 0x04b0 |
PE数据组成
| 名称 | 虚拟地址 | 虚拟大小 | 原始数据大小 | 特征 | 熵(Entropy) |
|---|---|---|---|---|---|
| .text | 0x00001000 | 0x002d8a8c | 0x00000000 | IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ | 0.00 |
| .textidx | 0x002da000 | 0x000b9951 | 0x00000000 | IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ | 0.00 |
| .rdata | 0x00394000 | 0x000d839a | 0x00000000 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 0.00 |
| .data | 0x0046d000 | 0x000205b0 | 0x00000000 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE | 0.00 |
| .pdata | 0x0048e000 | 0x00025530 | 0x00000000 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 0.00 |
| _RDATA | 0x004b4000 | 0x000000f4 | 0x00000000 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 0.00 |
| .vmp0 | 0x004b5000 | 0x0014cc37 | 0x00000000 | IMAGE_SCN_CNT_CODE|IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ | 0.00 |
| .vmp1 | 0x00602000 | 0x004c8058 | 0x004c8200 | IMAGE_SCN_CNT_CODE|IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_NOT_PAGED|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ | 7.85 |
| .reloc | 0x00acb000 | 0x000000c4 | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 1.97 |
| .rsrc | 0x00acc000 | 0x000a3ef6 | 0x0009d200 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 3.71 |
资源
| 名称 | 偏移量 | 大小 | 语言 | 子语言 | 熵(Entropy) | 文件类型 |
|---|---|---|---|---|---|---|
| AFX_DIALOG_LAYOUT | 0x00b69068 | 0x00000002 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 0.00 | data |
| AFX_DIALOG_LAYOUT | 0x00b69068 | 0x00000002 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 0.00 | data |
| AFX_DIALOG_LAYOUT | 0x00b69068 | 0x00000002 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 0.00 | data |
| AFX_DIALOG_LAYOUT | 0x00b69068 | 0x00000002 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 0.00 | data |
| AFX_DIALOG_LAYOUT | 0x00b69068 | 0x00000002 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 0.00 | data |
| AFX_DIALOG_LAYOUT | 0x00b69068 | 0x00000002 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 0.00 | data |
| AFX_DIALOG_LAYOUT | 0x00b69068 | 0x00000002 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 0.00 | data |
| AFX_DIALOG_LAYOUT | 0x00b69068 | 0x00000002 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 0.00 | data |
| AFX_DIALOG_LAYOUT | 0x00b69068 | 0x00000002 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 0.00 | data |
| RT_BITMAP | 0x00b6a848 | 0x000015f2 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 0.00 | empty |
| RT_BITMAP | 0x00b6a848 | 0x000015f2 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 0.00 | empty |
| RT_BITMAP | 0x00b6a848 | 0x000015f2 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 0.00 | empty |
| RT_ICON | 0x00b67e00 | 0x00000468 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 2.31 | GLS_BINARY_LSB_FIRST |
| RT_ICON | 0x00b67e00 | 0x00000468 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 2.31 | GLS_BINARY_LSB_FIRST |
| RT_ICON | 0x00b67e00 | 0x00000468 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 2.31 | GLS_BINARY_LSB_FIRST |
| RT_ICON | 0x00b67e00 | 0x00000468 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 2.31 | GLS_BINARY_LSB_FIRST |
| RT_ICON | 0x00b67e00 | 0x00000468 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 2.31 | GLS_BINARY_LSB_FIRST |
| RT_ICON | 0x00b67e00 | 0x00000468 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 2.31 | GLS_BINARY_LSB_FIRST |
| RT_ICON | 0x00b67e00 | 0x00000468 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 2.31 | GLS_BINARY_LSB_FIRST |
| RT_ICON | 0x00b67e00 | 0x00000468 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 2.31 | GLS_BINARY_LSB_FIRST |
| RT_ICON | 0x00b67e00 | 0x00000468 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 2.31 | GLS_BINARY_LSB_FIRST |
| RT_ICON | 0x00b67e00 | 0x00000468 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 2.31 | GLS_BINARY_LSB_FIRST |
| RT_ICON | 0x00b67e00 | 0x00000468 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 2.31 | GLS_BINARY_LSB_FIRST |
| RT_ICON | 0x00b67e00 | 0x00000468 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 2.31 | GLS_BINARY_LSB_FIRST |
| RT_ICON | 0x00b67e00 | 0x00000468 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 2.31 | GLS_BINARY_LSB_FIRST |
| RT_ICON | 0x00b67e00 | 0x00000468 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 2.31 | GLS_BINARY_LSB_FIRST |
| RT_ICON | 0x00b67e00 | 0x00000468 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 2.31 | GLS_BINARY_LSB_FIRST |
| RT_ICON | 0x00b67e00 | 0x00000468 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 2.31 | GLS_BINARY_LSB_FIRST |
| RT_ICON | 0x00b67e00 | 0x00000468 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 2.31 | GLS_BINARY_LSB_FIRST |
| RT_ICON | 0x00b67e00 | 0x00000468 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 2.31 | GLS_BINARY_LSB_FIRST |
| RT_ICON | 0x00b67e00 | 0x00000468 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 2.31 | GLS_BINARY_LSB_FIRST |
| RT_ICON | 0x00b67e00 | 0x00000468 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 2.31 | GLS_BINARY_LSB_FIRST |
| RT_ICON | 0x00b67e00 | 0x00000468 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 2.31 | GLS_BINARY_LSB_FIRST |
| RT_ICON | 0x00b67e00 | 0x00000468 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 2.31 | GLS_BINARY_LSB_FIRST |
| RT_ICON | 0x00b67e00 | 0x00000468 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 2.31 | GLS_BINARY_LSB_FIRST |
| RT_ICON | 0x00b67e00 | 0x00000468 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 2.31 | GLS_BINARY_LSB_FIRST |
| RT_ICON | 0x00b67e00 | 0x00000468 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 2.31 | GLS_BINARY_LSB_FIRST |
| RT_ICON | 0x00b67e00 | 0x00000468 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 2.31 | GLS_BINARY_LSB_FIRST |
| RT_ICON | 0x00b67e00 | 0x00000468 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 2.31 | GLS_BINARY_LSB_FIRST |
| RT_ICON | 0x00b67e00 | 0x00000468 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 2.31 | GLS_BINARY_LSB_FIRST |
| RT_ICON | 0x00b67e00 | 0x00000468 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 2.31 | GLS_BINARY_LSB_FIRST |
| RT_ICON | 0x00b67e00 | 0x00000468 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 2.31 | GLS_BINARY_LSB_FIRST |
| RT_ICON | 0x00b67e00 | 0x00000468 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 2.31 | GLS_BINARY_LSB_FIRST |
| RT_ICON | 0x00b67e00 | 0x00000468 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 2.31 | GLS_BINARY_LSB_FIRST |
| RT_ICON | 0x00b67e00 | 0x00000468 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 2.31 | GLS_BINARY_LSB_FIRST |
| RT_ICON | 0x00b67e00 | 0x00000468 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 2.31 | GLS_BINARY_LSB_FIRST |
| RT_ICON | 0x00b67e00 | 0x00000468 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 2.31 | GLS_BINARY_LSB_FIRST |
| RT_ICON | 0x00b67e00 | 0x00000468 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 2.31 | GLS_BINARY_LSB_FIRST |
| RT_ICON | 0x00b67e00 | 0x00000468 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 2.31 | GLS_BINARY_LSB_FIRST |
| RT_DIALOG | 0x00b6d6d8 | 0x0000018a | LANG_ENGLISH | SUBLANG_ENGLISH_US | 0.00 | empty |
| RT_DIALOG | 0x00b6d6d8 | 0x0000018a | LANG_ENGLISH | SUBLANG_ENGLISH_US | 0.00 | empty |
| RT_DIALOG | 0x00b6d6d8 | 0x0000018a | LANG_ENGLISH | SUBLANG_ENGLISH_US | 0.00 | empty |
| RT_DIALOG | 0x00b6d6d8 | 0x0000018a | LANG_ENGLISH | SUBLANG_ENGLISH_US | 0.00 | empty |
| RT_DIALOG | 0x00b6d6d8 | 0x0000018a | LANG_ENGLISH | SUBLANG_ENGLISH_US | 0.00 | empty |
| RT_DIALOG | 0x00b6d6d8 | 0x0000018a | LANG_ENGLISH | SUBLANG_ENGLISH_US | 0.00 | empty |
| RT_DIALOG | 0x00b6d6d8 | 0x0000018a | LANG_ENGLISH | SUBLANG_ENGLISH_US | 0.00 | empty |
| RT_DIALOG | 0x00b6d6d8 | 0x0000018a | LANG_ENGLISH | SUBLANG_ENGLISH_US | 0.00 | empty |
| RT_DIALOG | 0x00b6d6d8 | 0x0000018a | LANG_ENGLISH | SUBLANG_ENGLISH_US | 0.00 | empty |
| RT_STRING | 0x00b6fea8 | 0x0000004e | LANG_ENGLISH | SUBLANG_ENGLISH_US | 0.00 | empty |
| RT_STRING | 0x00b6fea8 | 0x0000004e | LANG_ENGLISH | SUBLANG_ENGLISH_US | 0.00 | empty |
| RT_STRING | 0x00b6fea8 | 0x0000004e | LANG_ENGLISH | SUBLANG_ENGLISH_US | 0.00 | empty |
| RT_STRING | 0x00b6fea8 | 0x0000004e | LANG_ENGLISH | SUBLANG_ENGLISH_US | 0.00 | empty |
| RT_STRING | 0x00b6fea8 | 0x0000004e | LANG_ENGLISH | SUBLANG_ENGLISH_US | 0.00 | empty |
| RT_STRING | 0x00b6fea8 | 0x0000004e | LANG_ENGLISH | SUBLANG_ENGLISH_US | 0.00 | empty |
| RT_STRING | 0x00b6fea8 | 0x0000004e | LANG_ENGLISH | SUBLANG_ENGLISH_US | 0.00 | empty |
| RT_STRING | 0x00b6fea8 | 0x0000004e | LANG_ENGLISH | SUBLANG_ENGLISH_US | 0.00 | empty |
| RT_STRING | 0x00b6fea8 | 0x0000004e | LANG_ENGLISH | SUBLANG_ENGLISH_US | 0.00 | empty |
| RT_STRING | 0x00b6fea8 | 0x0000004e | LANG_ENGLISH | SUBLANG_ENGLISH_US | 0.00 | empty |
| RT_STRING | 0x00b6fea8 | 0x0000004e | LANG_ENGLISH | SUBLANG_ENGLISH_US | 0.00 | empty |
| RT_STRING | 0x00b6fea8 | 0x0000004e | LANG_ENGLISH | SUBLANG_ENGLISH_US | 0.00 | empty |
| RT_STRING | 0x00b6fea8 | 0x0000004e | LANG_ENGLISH | SUBLANG_ENGLISH_US | 0.00 | empty |
| RT_STRING | 0x00b6fea8 | 0x0000004e | LANG_ENGLISH | SUBLANG_ENGLISH_US | 0.00 | empty |
| RT_STRING | 0x00b6fea8 | 0x0000004e | LANG_ENGLISH | SUBLANG_ENGLISH_US | 0.00 | empty |
| RT_GROUP_ICON | 0x00b68350 | 0x0000012c | LANG_ENGLISH | SUBLANG_ENGLISH_US | 3.42 | MS Windows icon resource - 21 icons, 48x48, 2 colors |
| RT_GROUP_ICON | 0x00b68350 | 0x0000012c | LANG_ENGLISH | SUBLANG_ENGLISH_US | 3.42 | MS Windows icon resource - 21 icons, 48x48, 2 colors |
| RT_VERSION | 0x00b68480 | 0x00000380 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 3.30 | 8086 relocatable (Microsoft) |
| RT_MANIFEST | 0x00b68800 | 0x00000825 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 5.45 | XML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators |
导入
库 WSOCK32.dll:
• 0x180800000 - WSAGetLastError
• 0x180800008 - getpeername
• 0x180800010 - socket
• 0x180800018 - ioctlsocket
• 0x180800020 - send
• 0x180800028 - htonl
• 0x180800030 - recv
• 0x180800038 - inet_ntoa
• 0x180800040 - connect
• 0x180800048 - closesocket
• 0x180800050 - __WSAFDIsSet
• 0x180800058 - getsockopt
• 0x180800060 - WSAStartup
• 0x180800068 - select
• 0x180800070 - WSACleanup
• 0x180800078 - setsockopt
• 0x180800080 - inet_addr
库 NETAPI32.dll:
• 0x180800090 - Netbios
库 VERSION.dll:
• 0x1808000a0 - VerQueryValueW
• 0x1808000a8 - GetFileVersionInfoExW
• 0x1808000b0 - GetFileVersionInfoSizeExW
库 IPHLPAPI.DLL:
• 0x1808000c0 - GetIpForwardTable
库 KERNEL32.dll:
• 0x1808000d0 - QueryPerformanceCounter
• 0x1808000d8 - GetSystemTimeAsFileTime
• 0x1808000e0 - InitializeSListHead
• 0x1808000e8 - FindFirstFileA
• 0x1808000f0 - FindNextFileA
• 0x1808000f8 - FormatMessageA
• 0x180800100 - GetEnvironmentStrings
• 0x180800108 - FreeEnvironmentStringsA
• 0x180800110 - GetVersionExA
• 0x180800118 - lstrlenA
• 0x180800120 - GetCommandLineW
• 0x180800128 - GetEnvironmentVariableA
• 0x180800130 - GetEnvironmentVariableW
• 0x180800138 - ReleaseMutex
• 0x180800140 - CreateMutexA
• 0x180800148 - GetWindowsDirectoryA
• 0x180800150 - GetVersion
• 0x180800158 - GetLocalTime
• 0x180800160 - GetTimeZoneInformation
• 0x180800168 - GetModuleHandleA
• 0x180800170 - FindNextFileW
• 0x180800178 - GetProcessTimes
• 0x180800180 - CreateEventA
• 0x180800188 - GetDriveTypeA
• 0x180800190 - GetVolumeInformationA
• 0x180800198 - CreateFileA
• 0x1808001a0 - DeviceIoControl
• 0x1808001a8 - SetNamedPipeHandleState
• 0x1808001b0 - SleepEx
• 0x1808001b8 - WaitNamedPipeA
• 0x1808001c0 - LoadLibraryExA
• 0x1808001c8 - DefineDosDeviceA
• 0x1808001d0 - QueryDosDeviceA
• 0x1808001d8 - GetComputerNameW
• 0x1808001e0 - CreateThread
• 0x1808001e8 - GetTimeFormatW
• 0x1808001f0 - FindFirstFileExW
• 0x1808001f8 - SetStdHandle
• 0x180800200 - VirtualQuery
• 0x180800208 - VirtualAlloc
• 0x180800210 - GetSystemInfo
• 0x180800218 - HeapQueryInformation
• 0x180800220 - GetCommandLineA
• 0x180800228 - FreeLibraryAndExitThread
• 0x180800230 - ExitThread
• 0x180800238 - ExitProcess
• 0x180800240 - UnhandledExceptionFilter
• 0x180800248 - GetFileType
• 0x180800250 - GetFileInformationByHandle
• 0x180800258 - GetDriveTypeW
• 0x180800260 - InterlockedFlushSList
• 0x180800268 - RtlUnwindEx
• 0x180800270 - RtlPcToFileHeader
• 0x180800278 - GetStringTypeW
• 0x180800280 - GetCPInfo
• 0x180800288 - CompareStringEx
• 0x180800290 - LCMapStringEx
• 0x180800298 - TryEnterCriticalSection
• 0x1808002a0 - AcquireSRWLockExclusive
• 0x1808002a8 - ReleaseSRWLockExclusive
• 0x1808002b0 - InitializeSRWLock
• 0x1808002b8 - QueryPerformanceFrequency
• 0x1808002c0 - OutputDebugStringW
• 0x1808002c8 - GetStartupInfoW
• 0x1808002d0 - IsDebuggerPresent
• 0x1808002d8 - WaitForSingleObjectEx
• 0x1808002e0 - ResetEvent
• 0x1808002e8 - RtlVirtualUnwind
• 0x1808002f0 - RtlLookupFunctionEntry
• 0x1808002f8 - RtlCaptureContext
• 0x180800300 - GetUserDefaultLCID
• 0x180800308 - GetTempFileNameW
• 0x180800310 - SearchPathW
• 0x180800318 - GetProfileIntW
• 0x180800320 - GetTickCount
• 0x180800328 - GetTempPathW
• 0x180800330 - VerifyVersionInfoW
• 0x180800338 - VerSetConditionMask
• 0x180800340 - SystemTimeToTzSpecificLocalTime
• 0x180800348 - IsProcessorFeaturePresent
• 0x180800350 - GetFileSizeEx
• 0x180800358 - GetFileAttributesExW
• 0x180800360 - FileTimeToLocalFileTime
• 0x180800368 - GetWindowsDirectoryW
• 0x180800370 - lstrcpyW
• 0x180800378 - FindResourceExW
• 0x180800380 - lstrcmpiW
• 0x180800388 - GetCurrentProcess
• 0x180800390 - DuplicateHandle
• 0x180800398 - WriteFile
• 0x1808003a0 - UnlockFile
• 0x1808003a8 - SetFilePointer
• 0x1808003b0 - SetEndOfFile
• 0x1808003b8 - ReadFile
• 0x1808003c0 - LockFile
• 0x1808003c8 - GetVolumeInformationW
• 0x1808003d0 - TerminateProcess
• 0x1808003d8 - GetFullPathNameW
• 0x1808003e0 - GetFileSize
• 0x1808003e8 - FlushFileBuffers
• 0x1808003f0 - FindFirstFileW
• 0x1808003f8 - FindClose
• 0x180800400 - CreateFileW
• 0x180800408 - DeleteFileW
• 0x180800410 - GetUserDefaultUILanguage
• 0x180800418 - GetSystemDefaultUILanguage
• 0x180800420 - GlobalFlags
• 0x180800428 - SetErrorMode
• 0x180800430 - GlobalGetAtomNameW
• 0x180800438 - LocalReAlloc
• 0x180800440 - LocalAlloc
• 0x180800448 - GlobalHandle
• 0x180800450 - GlobalReAlloc
• 0x180800458 - TlsFree
• 0x180800460 - TlsSetValue
• 0x180800468 - TlsGetValue
• 0x180800470 - TlsAlloc
• 0x180800478 - InitializeCriticalSection
• 0x180800480 - VirtualProtect
• 0x180800488 - GetPrivateProfileIntW
• 0x180800490 - lstrcmpA
• 0x180800498 - GetVersionExW
• 0x1808004a0 - GetCurrentThread
• 0x1808004a8 - ResumeThread
• 0x1808004b0 - SetThreadPriority
• 0x1808004b8 - CreateEventW
• 0x1808004c0 - WaitForSingleObject
• 0x1808004c8 - SetEvent
• 0x1808004d0 - FileTimeToSystemTime
• 0x1808004d8 - CompareStringW
• 0x1808004e0 - QueryActCtxW
• 0x1808004e8 - FindActCtxSectionStringW
• 0x1808004f0 - DeactivateActCtx
• 0x1808004f8 - ActivateActCtx
• 0x180800500 - CreateActCtxW
• 0x180800508 - GlobalFindAtomW
• 0x180800510 - GlobalAddAtomW
• 0x180800518 - lstrcmpW
• 0x180800520 - GlobalDeleteAtom
• 0x180800528 - LoadLibraryExW
• 0x180800530 - GetModuleHandleExW
• 0x180800538 - GetSystemDirectoryW
• 0x180800540 - GetCurrentThreadId
• 0x180800548 - OutputDebugStringA
• 0x180800550 - CopyFileW
• 0x180800558 - LocalFree
• 0x180800560 - GlobalFree
• 0x180800568 - GlobalLock
• 0x180800570 - GlobalUnlock
• 0x180800578 - GlobalSize
• 0x180800580 - GlobalAlloc
• 0x180800588 - SetLastError
• 0x180800590 - WideCharToMultiByte
• 0x180800598 - MulDiv
• 0x1808005a0 - Sleep
• 0x1808005a8 - Process32NextW
• 0x1808005b0 - Process32FirstW
• 0x1808005b8 - CreateToolhelp32Snapshot
• 0x1808005c0 - K32GetModuleBaseNameW
• 0x1808005c8 - GetLocaleInfoW
• 0x1808005d0 - FormatMessageW
• 0x1808005d8 - LoadLibraryW
• 0x1808005e0 - OpenProcess
• 0x1808005e8 - GetCurrentProcessId
• 0x1808005f0 - GetCurrentDirectoryW
• 0x1808005f8 - UnmapViewOfFile
• 0x180800600 - MapViewOfFile
• 0x180800608 - CreateFileMappingW
• 0x180800610 - CloseHandle
• 0x180800618 - GetFileAttributesW
• 0x180800620 - CreateDirectoryW
• 0x180800628 - MultiByteToWideChar
• 0x180800630 - GetProcessHeap
• 0x180800638 - HeapSize
• 0x180800640 - HeapFree
• 0x180800648 - HeapReAlloc
• 0x180800650 - HeapAlloc
• 0x180800658 - RaiseException
• 0x180800660 - GetDateFormatW
• 0x180800668 - GetSystemTime
• 0x180800670 - InitializeCriticalSectionAndSpinCount
• 0x180800678 - WritePrivateProfileStringW
• 0x180800680 - GetPrivateProfileStringW
• 0x180800688 - SetThreadLocale
• 0x180800690 - GetThreadLocale
• 0x180800698 - GetModuleHandleW
• 0x1808006a0 - GetModuleFileNameW
• 0x1808006a8 - DeleteCriticalSection
• 0x1808006b0 - InitializeCriticalSectionEx
• 0x1808006b8 - LeaveCriticalSection
• 0x1808006c0 - EnterCriticalSection
• 0x1808006c8 - GetLastError
• 0x1808006d0 - DecodePointer
• 0x1808006d8 - EncodePointer
• 0x1808006e0 - FindResourceW
• 0x1808006e8 - SizeofResource
• 0x1808006f0 - LockResource
• 0x1808006f8 - LoadResource
• 0x180800700 - LoadLibraryA
• 0x180800708 - GetProcAddress
• 0x180800710 - FreeLibrary
• 0x180800718 - GetFileTime
• 0x180800720 - SetUnhandledExceptionFilter
• 0x180800728 - LCMapStringW
• 0x180800730 - IsValidLocale
• 0x180800738 - EnumSystemLocalesW
• 0x180800740 - GetStdHandle
• 0x180800748 - GetConsoleOutputCP
• 0x180800750 - GetConsoleMode
• 0x180800758 - SetFilePointerEx
• 0x180800760 - ReadConsoleW
• 0x180800768 - IsValidCodePage
• 0x180800770 - GetACP
• 0x180800778 - GetOEMCP
• 0x180800780 - GetEnvironmentStringsW
• 0x180800788 - FreeEnvironmentStringsW
• 0x180800790 - SetEnvironmentVariableW
• 0x180800798 - WriteConsoleW
• 0x1808007a0 - RtlUnwind
• 0x1808007a8 - GetThreadPriority
• 0x1808007b0 - GetThreadContext
• 0x1808007b8 - SetThreadContext
• 0x1808007c0 - GetSystemDirectoryA
• 0x1808007c8 - GetProcessAffinityMask
• 0x1808007d0 - SetThreadAffinityMask
• 0x1808007d8 - PeekNamedPipe
库 USER32.dll:
• 0x1808007e8 - WindowFromPoint
• 0x1808007f0 - ReleaseCapture
• 0x1808007f8 - SetCapture
• 0x180800800 - GetNextDlgGroupItem
• 0x180800808 - GetMenuDefaultItem
• 0x180800810 - CreatePopupMenu
• 0x180800818 - LoadImageW
• 0x180800820 - TrackMouseEvent
• 0x180800828 - CharUpperW
• 0x180800830 - DestroyIcon
• 0x180800838 - KillTimer
• 0x180800840 - SetTimer
• 0x180800848 - DeleteMenu
• 0x180800850 - CopyImage
• 0x180800858 - RealChildWindowFromPoint
• 0x180800860 - GetSysColorBrush
• 0x180800868 - OffsetRect
• 0x180800870 - SetRectEmpty
• 0x180800878 - SendDlgItemMessageA
• 0x180800880 - SystemParametersInfoW
• 0x180800888 - GetMenuItemInfoW
• 0x180800890 - DestroyMenu
• 0x180800898 - GetSystemMetrics
• 0x1808008a0 - IntersectRect
• 0x1808008a8 - InflateRect
• 0x1808008b0 - LoadMenuW
• 0x1808008b8 - MapDialogRect
• 0x1808008c0 - GetAsyncKeyState
• 0x1808008c8 - ShowOwnedPopups
• 0x1808008d0 - PostQuitMessage
• 0x1808008d8 - GetCursorPos
• 0x1808008e0 - TranslateMessage
• 0x1808008e8 - GetMessageW
• 0x1808008f0 - GetWindowThreadProcessId
• 0x1808008f8 - GetDesktopWindow
• 0x180800900 - GetActiveWindow
• 0x180800908 - GetNextDlgTabItem
• 0x180800910 - EndDialog
• 0x180800918 - CreateDialogIndirectParamW
• 0x180800920 - IsDialogMessageW
• 0x180800928 - SetWindowTextW
• 0x180800930 - IsWindowEnabled
• 0x180800938 - CheckDlgButton
• 0x180800940 - GetDlgItemTextW
• 0x180800948 - SetDlgItemTextW
• 0x180800950 - MoveWindow
• 0x180800958 - ShowWindow
• 0x180800960 - GetMonitorInfoW
• 0x180800968 - MonitorFromWindow
• 0x180800970 - WinHelpW
• 0x180800978 - GetScrollInfo
• 0x180800980 - SetScrollInfo
• 0x180800988 - CallNextHookEx
• 0x180800990 - SetWindowsHookExW
• 0x180800998 - GetWindow
• 0x1808009a0 - GetLastActivePopup
• 0x1808009a8 - DrawIconEx
• 0x1808009b0 - GetClassNameW
• 0x1808009b8 - UpdateLayeredWindow
• 0x1808009c0 - MonitorFromPoint
• 0x1808009c8 - LoadAcceleratorsW
• 0x1808009d0 - GetClassLongPtrW
• 0x1808009d8 - SetWindowLongPtrW
• 0x1808009e0 - TranslateAcceleratorW
• 0x1808009e8 - InsertMenuItemW
• 0x1808009f0 - CharNextW
• 0x1808009f8 - SendMessageW
• 0x180800a00 - GetWindowLongPtrW
• 0x180800a08 - SetWindowLongW
• 0x180800a10 - GetWindowLongW
• 0x180800a18 - PtInRect
• 0x180800a20 - EqualRect
• 0x180800a28 - CopyRect
• 0x180800a30 - MapWindowPoints
• 0x180800a38 - MessageBoxW
• 0x180800a40 - UnpackDDElParam
• 0x180800a48 - GetWindowTextLengthW
• 0x180800a50 - GetWindowTextW
• 0x180800a58 - RemovePropW
• 0x180800a60 - GetPropW
• 0x180800a68 - SetPropW
• 0x180800a70 - ShowScrollBar
• 0x180800a78 - OpenClipboard
• 0x180800a80 - SetScrollRange
• 0x180800a88 - GetScrollPos
• 0x180800a90 - SetScrollPos
• 0x180800a98 - ScrollWindow
• 0x180800aa0 - RedrawWindow
• 0x180800aa8 - ValidateRect
• 0x180800ab0 - SetForegroundWindow
• 0x180800ab8 - GetForegroundWindow
• 0x180800ac0 - SetActiveWindow
• 0x180800ac8 - UpdateWindow
• 0x180800ad0 - TrackPopupMenu
• 0x180800ad8 - SetMenu
• 0x180800ae0 - GetMenu
• 0x180800ae8 - GetCapture
• 0x180800af0 - GetKeyState
• 0x180800af8 - SetFocus
• 0x180800b00 - GetDlgCtrlID
• 0x180800b08 - CloseClipboard
• 0x180800b10 - UnionRect
• 0x180800b18 - SetClipboardData
• 0x180800b20 - EmptyClipboard
• 0x180800b28 - DrawStateW
• 0x180800b30 - SetClassLongPtrW
• 0x180800b38 - SetWindowRgn
• 0x180800b40 - SetParent
• 0x180800b48 - DrawEdge
• 0x180800b50 - DrawFrameControl
• 0x180800b58 - IsZoomed
• 0x180800b60 - BringWindowToTop
• 0x180800b68 - SetCursorPos
• 0x180800b70 - CopyIcon
• 0x180800b78 - FrameRect
• 0x180800b80 - DrawIcon
• 0x180800b88 - GetIconInfo
• 0x180800b90 - GetDlgItem
• 0x180800b98 - IsIconic
• 0x180800ba0 - MessageBeep
• 0x180800ba8 - EnableScrollBar
• 0x180800bb0 - HideCaret
• 0x180800bb8 - InvertRect
• 0x180800bc0 - NotifyWinEvent
• 0x180800bc8 - MapVirtualKeyW
• 0x180800bd0 - GetKeyNameTextW
• 0x180800bd8 - SetLayeredWindowAttributes
• 0x180800be0 - GetTopWindow
• 0x180800be8 - EnumDisplayMonitors
• 0x180800bf0 - EnableWindow
• 0x180800bf8 - GetClientRect
• 0x180800c00 - LoadIconW
• 0x180800c08 - UnregisterClassW
• 0x180800c10 - PostMessageW
• 0x180800c18 - GetDC
• 0x180800c20 - GetWindowRect
• 0x180800c28 - IsRectEmpty
• 0x180800c30 - GetParent
• 0x180800c38 - InvalidateRect
• 0x180800c40 - SetCursor
• 0x180800c48 - DrawFocusRect
• 0x180800c50 - FillRect
• 0x180800c58 - LoadCursorW
• 0x180800c60 - GetSystemMenu
• 0x180800c68 - EnableMenuItem
• 0x180800c70 - ReleaseDC
• 0x180800c78 - GetMenuStringW
• 0x180800c80 - GetMenuState
• 0x180800c88 - GetSubMenu
• 0x180800c90 - GetMenuItemID
• 0x180800c98 - GetMenuItemCount
• 0x180800ca0 - InsertMenuW
• 0x180800ca8 - AppendMenuW
• 0x180800cb0 - RemoveMenu
• 0x180800cb8 - UnhookWindowsHookEx
• 0x180800cc0 - DrawTextW
• 0x180800cc8 - DrawTextExW
• 0x180800cd0 - GrayStringW
• 0x180800cd8 - TabbedTextOutW
• 0x180800ce0 - GetWindowDC
• 0x180800ce8 - ReuseDDElParam
• 0x180800cf0 - BeginPaint
• 0x180800cf8 - EndPaint
• 0x180800d00 - ClientToScreen
• 0x180800d08 - ScreenToClient
• 0x180800d10 - GetSysColor
• 0x180800d18 - GetFocus
• 0x180800d20 - CheckMenuItem
• 0x180800d28 - SetMenuItemBitmaps
• 0x180800d30 - GetMenuCheckMarkDimensions
• 0x180800d38 - SetMenuItemInfoW
• 0x180800d40 - LoadBitmapW
• 0x180800d48 - RegisterWindowMessageW
• 0x180800d50 - DispatchMessageW
• 0x180800d58 - PeekMessageW
• 0x180800d60 - GetMessagePos
• 0x180800d68 - GetMessageTime
• 0x180800d70 - DefWindowProcW
• 0x180800d78 - CallWindowProcW
• 0x180800d80 - RegisterClassW
• 0x180800d88 - GetClassInfoW
• 0x180800d90 - GetClassInfoExW
• 0x180800d98 - CreateWindowExW
• 0x180800da0 - IsWindow
• 0x180800da8 - IsMenu
• 0x180800db0 - IsChild
• 0x180800db8 - DestroyWindow
• 0x180800dc0 - SetWindowPos
• 0x180800dc8 - GetWindowPlacement
• 0x180800dd0 - SetWindowPlacement
• 0x180800dd8 - BeginDeferWindowPos
• 0x180800de0 - DeferWindowPos
• 0x180800de8 - EndDeferWindowPos
• 0x180800df0 - IsWindowVisible
• 0x180800df8 - GetComboBoxInfo
• 0x180800e00 - PostThreadMessageW
• 0x180800e08 - WaitMessage
• 0x180800e10 - GetKeyboardLayout
• 0x180800e18 - GetScrollRange
• 0x180800e20 - IsCharLowerW
• 0x180800e28 - MapVirtualKeyExW
• 0x180800e30 - ToUnicodeEx
• 0x180800e38 - GetKeyboardState
• 0x180800e40 - CreateAcceleratorTableW
• 0x180800e48 - DestroyAcceleratorTable
• 0x180800e50 - CopyAcceleratorTableW
• 0x180800e58 - SetRect
• 0x180800e60 - LockWindowUpdate
• 0x180800e68 - SetMenuDefaultItem
• 0x180800e70 - GetDoubleClickTime
• 0x180800e78 - ModifyMenuW
• 0x180800e80 - RegisterClipboardFormatW
• 0x180800e88 - CharUpperBuffW
• 0x180800e90 - IsClipboardFormatAvailable
• 0x180800e98 - GetUpdateRect
• 0x180800ea0 - DrawMenuBar
• 0x180800ea8 - DefFrameProcW
• 0x180800eb0 - DefMDIChildProcW
• 0x180800eb8 - TranslateMDISysAccel
• 0x180800ec0 - SubtractRect
• 0x180800ec8 - CreateMenu
• 0x180800ed0 - GetWindowRgn
• 0x180800ed8 - DestroyCursor
• 0x180800ee0 - MessageBoxA
• 0x180800ee8 - SendMessageA
• 0x180800ef0 - SetDlgItemTextA
• 0x180800ef8 - GetDlgItemTextA
• 0x180800f00 - SetWindowTextA
• 0x180800f08 - GetWindowLongA
• 0x180800f10 - wsprintfA
• 0x180800f18 - DialogBoxIndirectParamA
• 0x180800f20 - AdjustWindowRectEx
• 0x180800f28 - CreateDialogIndirectParamA
库 GDI32.dll:
• 0x180800f38 - SaveDC
• 0x180800f40 - SelectClipRgn
• 0x180800f48 - ExtSelectClipRgn
• 0x180800f50 - SelectObject
• 0x180800f58 - SelectPalette
• 0x180800f60 - SetBkColor
• 0x180800f68 - SetBkMode
• 0x180800f70 - SetMapMode
• 0x180800f78 - SetLayout
• 0x180800f80 - GetLayout
• 0x180800f88 - SetPolyFillMode
• 0x180800f90 - SetROP2
• 0x180800f98 - SetTextColor
• 0x180800fa0 - SetTextAlign
• 0x180800fa8 - MoveToEx
• 0x180800fb0 - TextOutW
• 0x180800fb8 - ExtTextOutW
• 0x180800fc0 - SetViewportExtEx
• 0x180800fc8 - SetViewportOrgEx
• 0x180800fd0 - SetWindowExtEx
• 0x180800fd8 - SetWindowOrgEx
• 0x180800fe0 - OffsetViewportOrgEx
• 0x180800fe8 - OffsetWindowOrgEx
• 0x180800ff0 - ScaleViewportExtEx
• 0x180800ff8 - ScaleWindowExtEx
• 0x180801000 - CombineRgn
• 0x180801008 - CreateRectRgnIndirect
• 0x180801010 - SetRectRgn
• 0x180801018 - DPtoLP
• 0x180801020 - EnumFontFamiliesExW
• 0x180801028 - CreatePalette
• 0x180801030 - RestoreDC
• 0x180801038 - GetPaletteEntries
• 0x180801040 - GetSystemPaletteEntries
• 0x180801048 - RealizePalette
• 0x180801050 - CreateDIBitmap
• 0x180801058 - EnumFontFamiliesW
• 0x180801060 - GetTextCharsetInfo
• 0x180801068 - SetPixel
• 0x180801070 - StretchBlt
• 0x180801078 - CreateDIBSection
• 0x180801080 - SetDIBColorTable
• 0x180801088 - CreateEllipticRgn
• 0x180801090 - Ellipse
• 0x180801098 - GetTextColor
• 0x1808010a0 - CreatePolygonRgn
• 0x1808010a8 - Polygon
• 0x1808010b0 - Polyline
• 0x1808010b8 - CreateRoundRectRgn
• 0x1808010c0 - LPtoDP
• 0x1808010c8 - Rectangle
• 0x1808010d0 - GetRgnBox
• 0x1808010d8 - OffsetRgn
• 0x1808010e0 - RoundRect
• 0x1808010e8 - FillRgn
• 0x1808010f0 - FrameRgn
• 0x1808010f8 - GetBoundsRect
• 0x180801100 - PtInRegion
• 0x180801108 - ExtFloodFill
• 0x180801110 - SetPaletteEntries
• 0x180801118 - SetPixelV
• 0x180801120 - GetWindowOrgEx
• 0x180801128 - GetViewportOrgEx
• 0x180801130 - GetTextFaceW
• 0x180801138 - PtVisible
• 0x180801140 - RectVisible
• 0x180801148 - LineTo
• 0x180801150 - IntersectClipRect
• 0x180801158 - GetWindowExtEx
• 0x180801160 - GetViewportExtEx
• 0x180801168 - GetPixel
• 0x180801170 - GetObjectType
• 0x180801178 - GetClipBox
• 0x180801180 - ExcludeClipRect
• 0x180801188 - Escape
• 0x180801190 - DeleteObject
• 0x180801198 - CreateRectRgn
• 0x1808011a0 - CreatePatternBrush
• 0x1808011a8 - CreatePen
• 0x1808011b0 - CreateHatchBrush
• 0x1808011b8 - CreateDCW
• 0x1808011c0 - CopyMetaFileW
• 0x1808011c8 - PatBlt
• 0x1808011d0 - MaskBlt
• 0x1808011d8 - CreateCompatibleDC
• 0x1808011e0 - CreateBitmap
• 0x1808011e8 - BitBlt
• 0x1808011f0 - GetTextMetricsW
• 0x1808011f8 - GetDeviceCaps
• 0x180801200 - GetBkColor
• 0x180801208 - GetStockObject
• 0x180801210 - GetTextExtentPoint32W
• 0x180801218 - GetObjectW
• 0x180801220 - CreateFontIndirectW
• 0x180801228 - DeleteDC
• 0x180801230 - GetNearestPaletteIndex
• 0x180801238 - CreateCompatibleBitmap
• 0x180801240 - CreateSolidBrush
库 MSIMG32.dll:
• 0x180801250 - AlphaBlend
• 0x180801258 - TransparentBlt
库 COMDLG32.dll:
• 0x180801268 - GetOpenFileNameA
库 WINSPOOL.DRV:
• 0x180801278 - OpenPrinterW
• 0x180801280 - ClosePrinter
• 0x180801288 - DocumentPropertiesW
库 ADVAPI32.dll:
• 0x180801298 - RegOpenKeyExA
• 0x1808012a0 - RegDeleteKeyW
• 0x1808012a8 - RegQueryInfoKeyA
• 0x1808012b0 - StartServiceA
• 0x1808012b8 - QueryServiceStatus
• 0x1808012c0 - OpenServiceA
• 0x1808012c8 - OpenSCManagerA
• 0x1808012d0 - CloseServiceHandle
• 0x1808012d8 - ReportEventA
• 0x1808012e0 - RegisterEventSourceA
• 0x1808012e8 - DeregisterEventSource
• 0x1808012f0 - RegEnumKeyExA
• 0x1808012f8 - RegSetValueExA
• 0x180801300 - RegQueryValueExA
• 0x180801308 - GetUserNameW
• 0x180801310 - GetUserNameA
• 0x180801318 - RegCreateKeyExA
• 0x180801320 - RegCloseKey
• 0x180801328 - RegEnumValueA
• 0x180801330 - RegDeleteValueA
• 0x180801338 - RegEnumKeyExW
• 0x180801340 - RegQueryValueW
• 0x180801348 - RegEnumKeyW
• 0x180801350 - RegCreateKeyExW
• 0x180801358 - RegSetValueExW
• 0x180801360 - RegEnumValueW
• 0x180801368 - RegDeleteValueW
• 0x180801370 - RegQueryValueExW
• 0x180801378 - RegQueryInfoKeyW
• 0x180801380 - RegOpenKeyExW
库 SHELL32.dll:
• 0x180801390 - None
• 0x180801398 - SHAppBarMessage
• 0x1808013a0 - DragFinish
• 0x1808013a8 - DragQueryFileW
• 0x1808013b0 - SHBrowseForFolderW
• 0x1808013b8 - SHGetDesktopFolder
• 0x1808013c0 - SHGetSpecialFolderLocation
• 0x1808013c8 - SHGetPathFromIDListW
• 0x1808013d0 - SHGetFileInfoW
• 0x1808013d8 - ShellExecuteW
• 0x1808013e0 - SHGetSpecialFolderPathW
• 0x1808013e8 - SHGetKnownFolderPath
库 COMCTL32.dll:
• 0x1808013f8 - None
库 SHLWAPI.dll:
• 0x180801408 - StrFormatKBSizeW
• 0x180801410 - PathStripToRootW
• 0x180801418 - PathIsUNCW
• 0x180801420 - PathRemoveFileSpecW
• 0x180801428 - PathFindFileNameW
• 0x180801430 - PathFindExtensionW
• 0x180801438 - PathFileExistsW
• 0x180801440 - PathRemoveBackslashW
库 UxTheme.dll:
• 0x180801450 - CloseThemeData
• 0x180801458 - OpenThemeData
• 0x180801460 - DrawThemeParentBackground
• 0x180801468 - DrawThemeBackground
• 0x180801470 - GetThemeColor
• 0x180801478 - GetCurrentThemeName
• 0x180801480 - GetWindowTheme
• 0x180801488 - IsAppThemed
• 0x180801490 - IsThemeBackgroundPartiallyTransparent
• 0x180801498 - GetThemeSysColor
• 0x1808014a0 - GetThemePartSize
• 0x1808014a8 - DrawThemeText
库 ole32.dll:
• 0x1808014b8 - OleLockRunning
• 0x1808014c0 - RevokeDragDrop
• 0x1808014c8 - RegisterDragDrop
• 0x1808014d0 - CoLockObjectExternal
• 0x1808014d8 - OleGetClipboard
• 0x1808014e0 - CoInitializeEx
• 0x1808014e8 - CreateStreamOnHGlobal
• 0x1808014f0 - CoDisconnectObject
• 0x1808014f8 - CoInitialize
• 0x180801500 - CoCreateGuid
• 0x180801508 - CoUninitialize
• 0x180801510 - ReleaseStgMedium
• 0x180801518 - OleDuplicateData
• 0x180801520 - CoTaskMemAlloc
• 0x180801528 - CoTaskMemFree
• 0x180801530 - StringFromGUID2
• 0x180801538 - CoCreateInstance
• 0x180801540 - OleTranslateAccelerator
• 0x180801548 - OleCreateMenuDescriptor
• 0x180801550 - DoDragDrop
• 0x180801558 - CoInitializeSecurity
• 0x180801560 - CoSetProxyBlanket
• 0x180801568 - IsAccelerator
• 0x180801570 - OleDestroyMenuDescriptor
库 OLEAUT32.dll:
• 0x180801580 - VariantTimeToSystemTime
• 0x180801588 - SystemTimeToVariantTime
• 0x180801590 - UnRegisterTypeLib
• 0x180801598 - RegisterTypeLib
• 0x1808015a0 - LoadTypeLib
• 0x1808015a8 - SysStringLen
• 0x1808015b0 - SysFreeString
• 0x1808015b8 - SysAllocString
• 0x1808015c0 - SafeArrayDestroy
• 0x1808015c8 - VarUdateFromDate
• 0x1808015d0 - VariantClear
• 0x1808015d8 - SafeArrayAccessData
• 0x1808015e0 - SafeArrayUnaccessData
• 0x1808015e8 - VariantCopy
• 0x1808015f0 - VarBstrFromDate
• 0x1808015f8 - SysAllocStringLen
• 0x180801600 - SafeArrayGetUBound
• 0x180801608 - VariantInit
• 0x180801610 - VariantChangeType
• 0x180801618 - SafeArrayGetLBound
库 gdiplus.dll:
• 0x180801628 - GdipAlloc
• 0x180801630 - GdipFree
• 0x180801638 - GdiplusStartup
• 0x180801640 - GdipCloneImage
• 0x180801648 - GdipDisposeImage
• 0x180801650 - GdipGetImageGraphicsContext
• 0x180801658 - GdipGetImageWidth
• 0x180801660 - GdipGetImageHeight
• 0x180801668 - GdipDrawImageRectI
• 0x180801670 - GdipSetInterpolationMode
• 0x180801678 - GdipCreateFromHDC
• 0x180801680 - GdipCreateBitmapFromHBITMAP
• 0x180801688 - GdipDrawImageI
• 0x180801690 - GdipDeleteGraphics
• 0x180801698 - GdipBitmapUnlockBits
• 0x1808016a0 - GdipBitmapLockBits
• 0x1808016a8 - GdipCreateBitmapFromScan0
• 0x1808016b0 - GdipGetImagePixelFormat
• 0x1808016b8 - GdipGetImagePalette
• 0x1808016c0 - GdipGetImagePaletteSize
• 0x1808016c8 - GdipCreateBitmapFromStream
• 0x1808016d0 - GdiplusShutdown
库 WS2_32.dll:
• 0x1808016e0 - getnameinfo
• 0x1808016e8 - freeaddrinfo
• 0x1808016f0 - getaddrinfo
库 OLEACC.dll:
• 0x180801700 - AccessibleObjectFromWindow
• 0x180801708 - LresultFromObject
• 0x180801710 - CreateStdAccessibleObject
库 IMM32.dll:
• 0x180801720 - ImmReleaseContext
• 0x180801728 - ImmGetContext
• 0x180801730 - ImmGetOpenStatus
库 WINMM.dll:
• 0x180801740 - PlaySoundW
库 WINHTTP.dll:
• 0x180801750 - WinHttpSendRequest
• 0x180801758 - WinHttpCrackUrl
• 0x180801760 - WinHttpReceiveResponse
• 0x180801768 - WinHttpSetOption
• 0x180801770 - WinHttpOpenRequest
• 0x180801778 - WinHttpConnect
• 0x180801780 - WinHttpCloseHandle
• 0x180801788 - WinHttpOpen
• 0x180801790 - WinHttpQueryHeaders
库 KERNEL32.dll:
• 0x1808017a0 - LocalAlloc
• 0x1808017a8 - LocalFree
• 0x1808017b0 - GetModuleFileNameW
• 0x1808017b8 - GetProcessAffinityMask
• 0x1808017c0 - SetProcessAffinityMask
• 0x1808017c8 - SetThreadAffinityMask
• 0x1808017d0 - Sleep
• 0x1808017d8 - ExitProcess
• 0x1808017e0 - FreeLibrary
• 0x1808017e8 - LoadLibraryA
• 0x1808017f0 - GetModuleHandleA
• 0x1808017f8 - GetProcAddress
库 USER32.dll:
• 0x180801808 - GetProcessWindowStation
• 0x180801810 - GetUserObjectInformationW
导出
| 序列 | 地址 | 名称 |
|---|---|---|
| 1 | 0x180038d40 | ??0AuthenticationAccess@MtbLicensing@@QEAA@XZ |
| 2 | 0x180030840 | ??0IAuthenticationAccess@MtbLicensing@@QEAA@AEBV01@@Z |
| 3 | 0x180030840 | ??0IAuthenticationAccess@MtbLicensing@@QEAA@XZ |
| 4 | 0x180030850 | ??0ILicenseStatus@MtbLicensing@@QEAA@AEBV01@@Z |
| 5 | 0x180030850 | ??0ILicenseStatus@MtbLicensing@@QEAA@XZ |
| 6 | 0x180030860 | ??0ILicenseStatusLine@MtbLicensing@@QEAA@AEBV01@@Z |
| 7 | 0x180030860 | ??0ILicenseStatusLine@MtbLicensing@@QEAA@XZ |
| 8 | 0x1800317e0 | ??1AuthenticationAccess@MtbLicensing@@UEAA@XZ |
| 9 | 0x180031820 | ??1IAuthenticationAccess@MtbLicensing@@UEAA@XZ |
| 10 | 0x180031830 | ??1ILicenseStatus@MtbLicensing@@UEAA@XZ |
| 11 | 0x180031840 | ??1ILicenseStatusLine@MtbLicensing@@UEAA@XZ |
| 12 | 0x180031a80 | ??4IAuthenticationAccess@MtbLicensing@@QEAAAEAV01@AEBV01@@Z |
| 13 | 0x180031a80 | ??4ILicenseStatus@MtbLicensing@@QEAAAEAV01@AEBV01@@Z |
| 14 | 0x180031a80 | ??4ILicenseStatusLine@MtbLicensing@@QEAAAEAV01@AEBV01@@Z |
| 15 | 0x180399260 | ??_7AuthenticationAccess@MtbLicensing@@6B@ |
| 16 | 0x180398448 | ??_7IAuthenticationAccess@MtbLicensing@@6B@ |
| 17 | 0x1803984c0 | ??_7ILicenseStatus@MtbLicensing@@6B@ |
| 18 | 0x1803984e8 | ??_7ILicenseStatusLine@MtbLicensing@@6B@ |
| 19 | 0x180038e50 | ?AcquireLicense@AuthenticationAccess@MtbLicensing@@UEAA_NXZ |
| 20 | 0x180038e60 | ?AcquireLicenseNoUI@AuthenticationAccess@MtbLicensing@@UEAA_NXZ |
| 21 | 0x180038e70 | ?GetDaysLeftInTrial@AuthenticationAccess@MtbLicensing@@UEAA?AV?$shared_ptr@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@std@@XZ |
| 22 | 0x180038e90 | ?GetPurchaseUrl@AuthenticationAccess@MtbLicensing@@UEAA?AV?$shared_ptr@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@std@@XZ |
| 23 | 0x180038eb0 | ?GetStatus@AuthenticationAccess@MtbLicensing@@UEAA?AV?$shared_ptr@VILicenseStatus@MtbLicensing@@@std@@XZ |
| 24 | 0x180038ed0 | ?Initialize@AuthenticationAccess@MtbLicensing@@UEAA_NAEBV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@0000JW4LicenseType@2@PEAVILicenseStateUpdateReceiver@2@@Z |
| 25 | 0x180038ee0 | ?IsAddonLicensed@AuthenticationAccess@MtbLicensing@@UEAA_NAEBV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@Z |
| 26 | 0x180038ef0 | ?IsLicenseActive@AuthenticationAccess@MtbLicensing@@UEAA_NXZ |
| 27 | 0x180038f00 | ?IsTrial@AuthenticationAccess@MtbLicensing@@UEAA_NXZ |
| 28 | 0x180038f10 | ?PerformLicenseFunction@AuthenticationAccess@MtbLicensing@@UEAAXV?$shared_ptr@VILicenseStatusLine@MtbLicensing@@@std@@@Z |
| 29 | 0x180038fa0 | ?RefreshAddonFeatures@AuthenticationAccess@MtbLicensing@@UEAAXXZ |
| 30 | 0x180038fb0 | ?RelinquishLicense@AuthenticationAccess@MtbLicensing@@UEAAXXZ |
| 31 | 0x180038fc0 | ?ReportLicensePortalData@AuthenticationAccess@MtbLicensing@@UEAA_NHAEBV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@00000_N@Z |
| 32 | 0x1800388d0 | DllCanUnloadNow |
| 33 | 0x180038930 | DllGetClassObject |
| 34 | 0x180038a80 | DllInstall |
| 35 | 0x180038b40 | DllRegisterServer |
| 36 | 0x180038bb0 | DllUnregisterServer |
投放文件
行为分析
互斥量(Mutexes)
- Local\MSCTF.Asm.MutexDefault1
执行的命令
无信息
创建的服务
无信息
启动的服务
无信息
进程
regsvr32.exe PID: 2592, 上一级进程 PID: 2276
访问的文件
- C:\Users\test\AppData\Local\Temp\Authentication.dll
- C:\Users\test\AppData\Local\Temp\WSOCK32.dll
- C:\Windows\sysnative\wsock32.dll
- C:\Users\test\AppData\Local\Temp\NETAPI32.dll
- C:\Windows\sysnative\netapi32.dll
- C:\Users\test\AppData\Local\Temp\netutils.dll
- C:\Windows\sysnative\netutils.dll
- C:\Users\test\AppData\Local\Temp\srvcli.dll
- C:\Windows\sysnative\srvcli.dll
- C:\Users\test\AppData\Local\Temp\VERSION.dll
- C:\Windows\sysnative\version.dll
- C:\Users\test\AppData\Local\Temp\IPHLPAPI.DLL
- C:\Windows\sysnative\IPHLPAPI.DLL
- C:\Users\test\AppData\Local\Temp\WINNSI.DLL
- C:\Windows\sysnative\winnsi.dll
- C:\Users\test\AppData\Local\Temp\MSIMG32.dll
- C:\Windows\sysnative\msimg32.dll
- C:\Windows\sysnative\regsvr32.exe.Local\
- C:\Windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac
- C:\Users\test\AppData\Local\Temp\WINSPOOL.DRV
- C:\Windows\sysnative\winspool.drv
- C:\Users\test\AppData\Local\Temp\UxTheme.dll
- C:\Windows\sysnative\uxtheme.dll
- C:\Windows\winsxs\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_2b24536c71ed437a
- C:\Windows\winsxs\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_2b24536c71ed437a\GdiPlus.dll
- C:\Users\test\AppData\Local\Temp\OLEACC.dll
- C:\Windows\sysnative\oleacc.dll
- C:\Users\test\AppData\Local\Temp\WINMM.dll
- C:\Windows\sysnative\winmm.dll
- C:\Users\test\AppData\Local\Temp\WINHTTP.dll
- C:\Windows\sysnative\winhttp.dll
- C:\Users\test\AppData\Local\Temp\webio.dll
- C:\Windows\sysnative\webio.dll
- C:\Users\test\AppData\Local\Temp\AuthenticationCHS.dll
- C:\Users\test\AppData\Local\Temp\AuthenticationCHS.dll.DLL
- C:\Users\test\AppData\Local\Temp\AuthenticationENU.dll
- C:\Users\test\AppData\Local\Temp\AuthenticationENU.dll.DLL
- C:\Users\test\AppData\Local\Temp\AuthenticationLOC.dll
- C:\Users\test\AppData\Local\Temp\AuthenticationLOC.dll.DLL
- C:\Windows\Globalization\Sorting\sortdefault.nls
- C:\Users\test\AppData\Local\Temp\Authentication.tlb
- C:\Users\test\AppData\Local\Temp
- C:\Windows\sysnative\zh-CN\DUser.dll.mui
- C:\Windows\winsxs\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.7600.16385_zh-cn_6ff606562acb8ef5
- C:\Windows\winsxs\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.7600.16385_zh-cn_6ff606562acb8ef5\COMCTL32.dll.mui
- C:\Windows\sysnative\imageres.dll
- C:\Windows\sysnative\zh-CN\imageres.dll.mui
- C:\Windows\sysnative\zh-Hans\imageres.dll.mui
- C:\Windows\sysnative\zh\imageres.dll.mui
- C:\Windows\sysnative\en-US\imageres.dll.mui
- C:\Windows\Fonts\staticcache.dat
读取的文件
- C:\Users\test\AppData\Local\Temp\Authentication.dll
- C:\Windows\sysnative\wsock32.dll
- C:\Windows\sysnative\netapi32.dll
- C:\Windows\sysnative\netutils.dll
- C:\Windows\sysnative\srvcli.dll
- C:\Windows\sysnative\version.dll
- C:\Windows\sysnative\IPHLPAPI.DLL
- C:\Windows\sysnative\winnsi.dll
- C:\Windows\sysnative\msimg32.dll
- C:\Windows\sysnative\winspool.drv
- C:\Windows\sysnative\uxtheme.dll
- C:\Windows\winsxs\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_2b24536c71ed437a\GdiPlus.dll
- C:\Windows\sysnative\oleacc.dll
- C:\Windows\sysnative\winmm.dll
- C:\Windows\sysnative\winhttp.dll
- C:\Windows\sysnative\webio.dll
- C:\Windows\Globalization\Sorting\sortdefault.nls
- C:\Users\test\AppData\Local\Temp\Authentication.tlb
- C:\Windows\sysnative\zh-CN\DUser.dll.mui
- C:\Windows\winsxs\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.7600.16385_zh-cn_6ff606562acb8ef5\COMCTL32.dll.mui
- C:\Windows\sysnative\imageres.dll
- C:\Windows\sysnative\zh-CN\imageres.dll.mui
- C:\Windows\sysnative\zh-Hans\imageres.dll.mui
- C:\Windows\sysnative\zh\imageres.dll.mui
- C:\Windows\sysnative\en-US\imageres.dll.mui
- C:\Windows\Fonts\staticcache.dat
修改的文件
无信息
删除的文件
无信息
注册表键
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots
- HKEY_CURRENT_USER
- HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
- HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\DragMinDist
- HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\DragDelay
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\zh-Hans
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\ExtendedLocale
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\zh-Hans
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\zh
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\zh
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\WMR
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\WMR\Disable
- HKEY_LOCAL_MACHINE\Software\Microsoft\DirectUI
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane1
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane2
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane3
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane4
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane5
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane6
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane7
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane8
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane9
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane10
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane11
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane12
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane13
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane14
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane15
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane16
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\regsvr32.exe
- HKEY_LOCAL_MACHINE\Software\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{03B5835F-F03C-411B-9CE2-AA23E1171E36}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{07EB03D6-B001-41DF-9192-BF9B841EE71F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3697C5FA-60DD-4B56-92D4-74A569205C16}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3FC47A08-E5C9-4BCA-A2C7-BC9A282AED14}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{531FDEBF-9B4C-4A43-A2AA-960E8FCDC732}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{78CB5B0E-26ED-4FCC-854C-77E8F3D1AA80}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{81D4E9C9-1D3B-41BC-9E6C-4B40BF79E35E}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{8613E14C-D0C0-4161-AC0F-1DD2563286BC}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{A028AE76-01B1-46C2-99C4-ACD9858AE02F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{AE6BE008-07FB-400D-8BEB-337A64F7051F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{C1EE01F2-B3B6-4A6A-9DDD-E988C088EC82}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{E429B25A-E5D3-4D1F-9BE3-0C608477E3A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F25E9F57-2FC8-4EB3-A41A-CCE5F08541E6}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F89E9E58-BD2F-4008-9AC2-0F816C09F4EE}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_CURRENT_USER\Keyboard Layout\Toggle
- HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
- HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
- HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
- HKEY_CURRENT_USER\Software\Microsoft\CTF\DirectSwitchHotkeys
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\EnableAnchorContext
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\KnownClasses
- HKEY_CURRENT_USER\Software\Microsoft\CTF\LayoutIcon\0804\00000804
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\FontSubstitutes
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\\xe5\xae\x8b\xe4\xbd\x93
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
读取的注册表键
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
- HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\DragMinDist
- HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\DragDelay
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\zh-Hans
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\zh-Hans
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\zh
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\zh
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\WMR\Disable
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane1
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane2
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane3
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane4
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane5
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane6
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane7
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane8
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane9
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane10
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane11
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane12
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane13
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane14
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane15
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane16
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
- HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
- HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
- HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\EnableAnchorContext
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\\xe5\xae\x8b\xe4\xbd\x93
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
修改的注册表键
无信息
删除的注册表键
无信息
API解析
- kernel32.dll.InitializeCriticalSectionEx
- kernel32.dll.FlsAlloc
- kernel32.dll.FlsSetValue
- kernel32.dll.FlsGetValue
- kernel32.dll.LCMapStringEx
- api-ms-win-core-synch-l1-2-0.dll.SleepConditionVariableCS
- api-ms-win-core-synch-l1-2-0.dll.WakeAllConditionVariable
- kernel32.dll.FlsFree
- kernel32.dll.InitOnceExecuteOnce
- kernel32.dll.CreateEventExW
- kernel32.dll.CreateSemaphoreW
- kernel32.dll.CreateSemaphoreExW
- kernel32.dll.CreateThreadpoolTimer
- kernel32.dll.SetThreadpoolTimer
- kernel32.dll.WaitForThreadpoolTimerCallbacks
- kernel32.dll.CloseThreadpoolTimer
- kernel32.dll.CreateThreadpoolWait
- kernel32.dll.SetThreadpoolWait
- kernel32.dll.CloseThreadpoolWait
- kernel32.dll.FlushProcessWriteBuffers
- kernel32.dll.FreeLibraryWhenCallbackReturns
- kernel32.dll.GetCurrentProcessorNumber
- kernel32.dll.CreateSymbolicLinkW
- kernel32.dll.GetTickCount64
- kernel32.dll.GetFileInformationByHandleEx
- kernel32.dll.SetFileInformationByHandle
- kernel32.dll.InitializeConditionVariable
- kernel32.dll.WakeConditionVariable
- kernel32.dll.WakeAllConditionVariable
- kernel32.dll.SleepConditionVariableCS
- kernel32.dll.InitializeSRWLock
- kernel32.dll.AcquireSRWLockExclusive
- kernel32.dll.TryAcquireSRWLockExclusive
- kernel32.dll.ReleaseSRWLockExclusive
- kernel32.dll.SleepConditionVariableSRW
- kernel32.dll.CreateThreadpoolWork
- kernel32.dll.SubmitThreadpoolWork
- kernel32.dll.CloseThreadpoolWork
- kernel32.dll.CompareStringEx
- kernel32.dll.GetLocaleInfoEx
- kernel32.dll.AreFileApisANSI
- kernel32.dll.GetThreadPreferredUILanguages
- authentication.dll.DllRegisterServer
- kernel32.dll.SortGetHandle
- kernel32.dll.SortCloseHandle
- user32.dll.SetProcessDPIAware
- comctl32.dll.LoadIconWithScaleDown
- ntdll.dll.RtlRunEncodeUnicodeString
- ntdll.dll.RtlInitUnicodeString
- ntdll.dll.RtlRunDecodeUnicodeString
- duser.dll.InitGadgets
- user32.dll.RegisterMessagePumpHook
- uxtheme.dll.IsThemeActive
- duser.dll.CreateGadget
- duser.dll.SetGadgetMessageFilter
- duser.dll.SetGadgetStyle
- duser.dll.SetGadgetRootInfo
- dwmapi.dll.DwmIsCompositionEnabled
- uxtheme.dll.IsAppThemed
- ole32.dll.CreateStreamOnHGlobal
- xmllite.dll.CreateXmlReader
- xmllite.dll.CreateXmlReaderInputWithEncodingName
- duser.dll.FindStdColor
- oleaut32.dll.#6
- duser.dll.SetGadgetParent
- duser.dll.GetDUserModule
- duser.dll.AttachWndProcW
- comctl32.dll.RegisterClassNameW
- uxtheme.dll.OpenThemeData
- duser.dll.GetGadgetRect
- duser.dll.GetGadgetRgn
- duser.dll.GetGadgetTicket
- uxtheme.dll.EnableThemeDialogTexture
- duser.dll.GetGadgetFocus
- gdi32.dll.GetLayout
- gdi32.dll.GdiRealizationInfo
- gdi32.dll.FontIsLinked
- advapi32.dll.RegOpenKeyExW
- advapi32.dll.RegQueryInfoKeyW
- gdi32.dll.GetTextFaceAliasW
- advapi32.dll.RegEnumValueW
- advapi32.dll.RegCloseKey
- advapi32.dll.RegQueryValueExW
- advapi32.dll.RegQueryValueExA
- advapi32.dll.RegEnumKeyExW
- gdi32.dll.GetTextExtentExPointWPri
- ole32.dll.CoInitializeEx
- ole32.dll.CoUninitialize
- ole32.dll.CoRegisterInitializeSpy
- ole32.dll.CoRevokeInitializeSpy
- duser.dll.SetGadgetFocus
- duser.dll.DUserSendEvent
- duser.dll.SetGadgetRect
- duser.dll.InvalidateGadget
- duser.dll.ForwardGadgetMessage
- oleaut32.dll.SysAllocString
- oleaut32.dll.SysStringLen
- oleaut32.dll.SysFreeString
- duser.dll.SetGadgetFocusEx
- duser.dll.DisableContainerHwnd
- duser.dll.DUserFlushMessages
- duser.dll.DUserFlushDeferredMessages
- duser.dll.DeleteHandle
- user32.dll.UnregisterMessagePumpHook
- oleaut32.dll.#500