ShellExecute API が、System32 ではなく EXE と同じフォルダにある "edputil.dll" を開こうとする際に Process Monitor で取得したスナップショット
スタックフレーム 0〜29 番が ShellExecute API 内部の挙動（フレーム 30 以降が setup.exe 側の呼び出し元）
この後、この不正 DLL の DllMain が呼ばれることを確認済み

High Resolution Date & Time:	2017/08/01 11:50:00.3659458
Event Class:	File System
Operation:	CreateFile
Result:	SUCCESS
Path:	C:\Users\shirouzu\Desktop\FastCopy330r3src\x64\Release\edputil.dll
TID:	22704
Duration:	0.0000160
Desired Access:	Read Attributes
Disposition:	Open
Options:	Open Reparse Point
Attributes:	n/a
ShareMode:	Read, Write, Delete
AllocationSize:	n/a
OpenResult:	Opened

0	FLTMGR.SYS	FltDecodeParameters + 0x1a6c	0xfffff80007384b4c	C:\WINDOWS\System32\drivers\FLTMGR.SYS
1	FLTMGR.SYS	FltDecodeParameters + 0x160c	0xfffff800073846ec	C:\WINDOWS\System32\drivers\FLTMGR.SYS
2	FLTMGR.SYS	FltQueryInformationFile + 0x6e7	0xfffff800073b6117	C:\WINDOWS\System32\drivers\FLTMGR.SYS
3	ntoskrnl.exe	NtDeviceIoControlFile + 0x1ba5	0xfffff800260a3265	C:\WINDOWS\system32\ntoskrnl.exe
4	ntoskrnl.exe	ObReferenceObjectByHandle + 0xb1b	0xfffff800260ae61b	C:\WINDOWS\system32\ntoskrnl.exe
5	ntoskrnl.exe	ObOpenObjectByNameEx + 0x1e0	0xfffff800260b2150	C:\WINDOWS\system32\ntoskrnl.exe
6	ntoskrnl.exe	FsRtlFreeExtraCreateParameterList + 0x200	0xfffff80026047e90	C:\WINDOWS\system32\ntoskrnl.exe
7	ntoskrnl.exe	setjmpex + 0x3c23	0xfffff80025d83413	C:\WINDOWS\system32\ntoskrnl.exe
8	ntdll.dll	ZwQueryAttributesFile + 0x14	0x7ff94c895b44	C:\WINDOWS\SYSTEM32\ntdll.dll
9	ntdll.dll	RtlAddRefActivationContext + 0xa67	0x7ff94c836187	C:\WINDOWS\SYSTEM32\ntdll.dll
10	ntdll.dll	RtlAddRefActivationContext + 0x8a8	0x7ff94c835fc8	C:\WINDOWS\SYSTEM32\ntdll.dll
11	ntdll.dll	RtlAddRefActivationContext + 0x6b8	0x7ff94c835dd8	C:\WINDOWS\SYSTEM32\ntdll.dll
12	ntdll.dll	RtlAddRefActivationContext + 0xd1d	0x7ff94c83643d	C:\WINDOWS\SYSTEM32\ntdll.dll
13	ntdll.dll	RtlReleaseActivationContext + 0x936	0x7ff94c834846	C:\WINDOWS\SYSTEM32\ntdll.dll
14	ntdll.dll	RtlDosPathNameToNtPathName_U_WithStatus + 0x5ba	0x7ff94c80d62a	C:\WINDOWS\SYSTEM32\ntdll.dll
15	ntdll.dll	RtlDosPathNameToNtPathName_U + 0x349	0x7ff94c80c9c9	C:\WINDOWS\SYSTEM32\ntdll.dll
16	ntdll.dll	RtlInitAnsiString + 0xda	0x7ff94c80c09a	C:\WINDOWS\SYSTEM32\ntdll.dll
17	ntdll.dll	RtlWalkFrameChain + 0x11f4	0x7ff94c806fe4	C:\WINDOWS\SYSTEM32\ntdll.dll
18	ntdll.dll	LdrResolveDelayLoadedAPI + 0xe6	0x7ff94c804086	C:\WINDOWS\SYSTEM32\ntdll.dll
19	windows.storage.dll	Global_WindowsStorage_Untyped_MountPoint + 0x1c1	0x7ff948ebd011	C:\WINDOWS\System32\windows.storage.dll
20	windows.storage.dll	SHGetSpecialFolderPathA + 0x47c9	0x7ff948ee1069	C:\WINDOWS\System32\windows.storage.dll
21	windows.storage.dll	SHRestricted + 0x2ef5	0x7ff948e82db5	C:\WINDOWS\System32\windows.storage.dll
22	windows.storage.dll	SHRestricted + 0x2954	0x7ff948e82814	C:\WINDOWS\System32\windows.storage.dll
23	SHELL32.dll	Shell_NotifyIconW + 0x374b	0x7ff949f192ab	C:\WINDOWS\System32\SHELL32.dll
24	SHELL32.dll	Shell_NotifyIconW + 0x35d0	0x7ff949f19130	C:\WINDOWS\System32\SHELL32.dll
25	SHELL32.dll	Shell_NotifyIconW + 0x329f	0x7ff949f18dff	C:\WINDOWS\System32\SHELL32.dll
26	SHELL32.dll	ShellExecuteExW + 0xc7	0x7ff949ed3e97	C:\WINDOWS\System32\SHELL32.dll
27	SHELL32.dll	ShellExecuteExW + 0x35	0x7ff949ed3e05	C:\WINDOWS\System32\SHELL32.dll
28	SHELL32.dll	ShellExecuteExA + 0x76	0x7ff94a0716a6	C:\WINDOWS\System32\SHELL32.dll
29	SHELL32.dll	ShellExecuteA + 0x71	0x7ff94a071611	C:\WINDOWS\System32\SHELL32.dll
30	setup.exe	TInstDlg::Install + 0x662, c:\users\shirouzu\desktop\fastcopy330r3src\src\install\install.cpp(613)	0x140002f12	C:\Users\shirouzu\Desktop\FastCopy330r3src\src\install\..\..\x64\Release\setup.exe
31	setup.exe	TInstDlg::EvCommand + 0x9b, c:\users\shirouzu\desktop\fastcopy330r3src\src\install\install.cpp(289)	0x140001ffb	C:\Users\shirouzu\Desktop\FastCopy330r3src\src\install\..\..\x64\Release\setup.exe
32	setup.exe	TDlg::WinProc + 0x229, c:\users\shirouzu\desktop\fastcopy330r3src\src\tlib\tdlg.cpp(117)	0x140007a99	C:\Users\shirouzu\Desktop\FastCopy330r3src\src\install\..\..\x64\Release\setup.exe
33	setup.exe	TApp::WinProc + 0x5b, c:\users\shirouzu\desktop\fastcopy330r3src\src\tlib\tapp.cpp(96)	0x140008b2b	C:\Users\shirouzu\Desktop\FastCopy330r3src\src\install\..\..\x64\Release\setup.exe
34	USER32.dll	Ordinal2707 + 0x1be	0x7ff94b79eade	C:\WINDOWS\System32\USER32.dll
35	USER32.dll	Ordinal2573 + 0x641	0x7ff94b79e261	C:\WINDOWS\System32\USER32.dll
36	USER32.dll	Ordinal2573 + 0x556	0x7ff94b79e176	C:\WINDOWS\System32\USER32.dll
37	USER32.dll	CallWindowProcW + 0x4d0	0x7ff94b79bc50	C:\WINDOWS\System32\USER32.dll
38	USER32.dll	SendMessageW + 0x37d	0x7ff94b79b16d	C:\WINDOWS\System32\USER32.dll
39	USER32.dll	SendMessageW + 0xf8	0x7ff94b79aee8	C:\WINDOWS\System32\USER32.dll
40	COMCTL32.dll	ImageList_SetBkColor + 0x524	0x7ff934916194	C:\WINDOWS\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.15063.483_none_26002d27e7c744a2\COMCTL32.dll
41	COMCTL32.dll	CCSetScrollInfo + 0x3a96	0x7ff934944ce6	C:\WINDOWS\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.15063.483_none_26002d27e7c744a2\COMCTL32.dll
42	USER32.dll	CallWindowProcW + 0x4d0	0x7ff94b79bc50	C:\WINDOWS\System32\USER32.dll
43	USER32.dll	DispatchMessageW + 0x1af	0x7ff94b79b5cf	C:\WINDOWS\System32\USER32.dll
44	USER32.dll	IsDialogMessageW + 0x10f	0x7ff94b796aef	C:\WINDOWS\System32\USER32.dll
45	setup.exe	TApp::PreProcMsg + 0xe8, c:\users\shirouzu\desktop\fastcopy330r3src\src\tlib\tapp.cpp(72)	0x140008ab8	C:\Users\shirouzu\Desktop\FastCopy330r3src\src\install\..\..\x64\Release\setup.exe
46	setup.exe	TApp::Run + 0x3e, c:\users\shirouzu\desktop\fastcopy330r3src\src\tlib\tapp.cpp(55)	0x14000898e	C:\Users\shirouzu\Desktop\FastCopy330r3src\src\install\..\..\x64\Release\setup.exe
47	setup.exe	WinMain + 0x1c, c:\users\shirouzu\desktop\fastcopy330r3src\src\install\install.cpp(109)	0x1400015dc	C:\Users\shirouzu\Desktop\FastCopy330r3src\src\install\..\..\x64\Release\setup.exe
48	setup.exe	__scrt_common_main_seh + 0x117, f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl(246)	0x1400092d7	C:\Users\shirouzu\Desktop\FastCopy330r3src\src\install\..\..\x64\Release\setup.exe
49	KERNEL32.DLL	BaseThreadInitThunk + 0x14	0x7ff94c752774	C:\WINDOWS\System32\KERNEL32.DLL
50	ntdll.dll	RtlUserThreadStart + 0x21	0x7ff94c860d51	C:\WINDOWS\SYSTEM32\ntdll.dll