Maldun Security Analysis Report

Analysis type: FILE
Start time: 2022-08-19 11:28:31
End time: 2022-08-19 11:30:40
Duration: 129 seconds
Analysis engine version: 1.4-Maldun
VM name: win7-sp1-x64-shaapp02-1
Label: win7-sp1-x64-shaapp02-1
Hypervisor: KVM
Boot time: 2022-08-19 11:28:32
Shutdown time: 2022-08-19 11:30:41
Maldun score

8.25

Malicious

File details

File name: 藤原书记云授权.exe
File size: 1212416 bytes
File type: PE32 executable (GUI) Intel 80386, for MS Windows
CRC32: E77F5E48
MD5: 8c00eac3a9ef86cc9a16ccede7d3bae2
SHA1: d8a5990be785ee1a0da9d0281f6c2d5701bf9f82
SHA256: 6c15aa0bcde0806204781acd429535fd796e1e074ca19445da7cdde06003be99
SHA512: 0b506d5a7a052fb409474607e26fdc30156358c3ae1c75b8c4c3cd5500709e2e3dc41f5e3376837203e9b918f420a8c0b44b3e831023383508a32fdfe9c72f52
Ssdeep: 24576:4y5h5KEl1qd0PHiF0u/PojnM+VcbsbZCi0yBY:4CKH0Pil/gjnM+VcY9Ciu
PEiD: No match
Yara
  • DebuggerTiming__Ticks (Detected timing ticks function)
  • win_mutex (Create or check mutex)
  • screenshot (Detected take screenshot function)
  • create_process (Detection function for creating a new process)
  • keylogger (Detected keylogger function)
  • win_registry (Detected system registries modification function)
  • change_win_registry (Change registries to affect system)
  • win_files_operation (Affect private profile)
  • win_hook (Detected hook table access function)
  • win_private_profile (Detected private profile access function)
  • Maldun_Anomoly_Combined_Activities_7 (Spotted potential malicious behaviors from a small size target, like process manipulation, privilege, token and files)
  • IsPE32 (Detected a 32bit PE sample)
  • IsWindowsGUI (Detected a Windows GUI sample)
  • HasRichSignature (Detected Rich Signature)
  • CRC32_poly_Constant (Look for CRC32 [poly])
  • CRC32_table (Look for CRC32 table)
  • MD5_Constants (Look for MD5 constants)
  • BASE64_table (Look for Base64 table)
  • with_images (Detected the presence of one or more images)
  • with_urls (Detected the presence of one or more URLs)
  • UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser ()
  • UPX (Detected UPX. Commonly used by RAT!)
VirusTotal: VirusTotal query failed

Signatures

Creates RWX memory
The binary may contain encrypted or compressed data
section: name: .rdata, entropy: 7.40, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ, raw_size: 0x0005d000, virtual_size: 0x0005c0a6
Reads data from its own binary image
self_read: process: _____________________.exe, pid: 2556, offset: 0x00000000, length: 0x00000040
self_read: process: _____________________.exe, pid: 2556, offset: 0x000000d8, length: 0x00000020
self_read: process: _____________________.exe, pid: 2556, offset: 0x0000015b, length: 0x00080000
Maldun Security Yara rule detection results - High risk
Critical: Spotted potential malicious behaviors from a small size target, like process manipulation, privilege, token and files
Warning: Detected UPX. Commonly used by RAT!
Attempts to unhook or modify Windows functions used by the sandbox for process monitoring
unhook: function_name: SetWindowLongA, type: modification
unhook: function_name: SetWindowLongW, type: modification

Runtime screenshots

Network analysis

TCP connections

IP address  Port
23.223.199.177 80

UDP connections

IP address  Port
192.168.122.1 53

HTTP requests

URL  HTTP data
http://acroipm.adobe.com/11/rdr/CHS/win/nooem/none/message.zip
GET /11/rdr/CHS/win/nooem/none/message.zip HTTP/1.1
Accept: */*
If-Modified-Since: Mon, 08 Nov 2017 08:44:36 GMT
User-Agent: IPM
Host: acroipm.adobe.com
Connection: Keep-Alive
Cache-Control: no-cache

Static analysis

PE information

Image base: 0x00400000
Entry point: 0x00488ee1
Claimed checksum: 0x00000000
Actual checksum: 0x00137d9d
Minimum required OS version: 4.0
Compile time: 2022-07-31 16:51:54
Import hash: cd3930683616b59f0e260dd1ddfc368e

Version information

LegalCopyright: 作者版权所有 请尊重并使用正版
FileVersion: 1.0.0.0
Comments: 本程序使用易语言编写(http://www.eyuyan.com)
ProductName: 易语言程序
ProductVersion: 1.0.0.0
FileDescription: 易语言程序
Translation: 0x0804 0x04b0

PE sections

Name  Virtual address  Virtual size  Raw size  Characteristics  Entropy
.text 0x00001000 0x000a8256 0x000a9000 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 6.58
.rdata 0x000aa000 0x0005c0a6 0x0005d000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 7.40
.data 0x00107000 0x00049ec8 0x00018000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 5.00
.rsrc 0x00151000 0x00008b5c 0x00009000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 4.19

Imports

Library KERNEL32.dll:
0x4aa174 - GetLocalTime
0x4aa178 - GetSystemTime
0x4aa17c - GetTimeZoneInformation
0x4aa180 - RtlUnwind
0x4aa184 - GetStartupInfoA
0x4aa188 - GetOEMCP
0x4aa18c - GetCPInfo
0x4aa190 - GetProcessVersion
0x4aa194 - SetErrorMode
0x4aa198 - GlobalFlags
0x4aa19c - GetCurrentThread
0x4aa1a0 - GetFileTime
0x4aa1a4 - RaiseException
0x4aa1a8 - TlsGetValue
0x4aa1ac - LocalReAlloc
0x4aa1b0 - TlsSetValue
0x4aa1b4 - TlsFree
0x4aa1b8 - GlobalHandle
0x4aa1bc - TlsAlloc
0x4aa1c0 - LocalAlloc
0x4aa1c4 - lstrcmpA
0x4aa1c8 - GetVersion
0x4aa1cc - GlobalGetAtomNameA
0x4aa1d0 - GlobalAddAtomA
0x4aa1d4 - GlobalFindAtomA
0x4aa1d8 - GlobalDeleteAtom
0x4aa1dc - lstrcmpiA
0x4aa1e0 - SetEndOfFile
0x4aa1e4 - UnlockFile
0x4aa1e8 - LockFile
0x4aa1ec - FlushFileBuffers
0x4aa1f0 - SetFilePointer
0x4aa1f4 - GetCurrentProcess
0x4aa1f8 - DuplicateHandle
0x4aa1fc - lstrcpynA
0x4aa200 - SetLastError
0x4aa204 - FileTimeToLocalFileTime
0x4aa208 - FileTimeToSystemTime
0x4aa20c - LocalFree
0x4aa210 - InterlockedDecrement
0x4aa214 - InterlockedIncrement
0x4aa218 - TerminateProcess
0x4aa21c - HeapSize
0x4aa220 - GetACP
0x4aa224 - UnhandledExceptionFilter
0x4aa228 - FreeEnvironmentStringsA
0x4aa22c - FreeEnvironmentStringsW
0x4aa230 - GetEnvironmentStrings
0x4aa234 - GetEnvironmentStringsW
0x4aa238 - SetHandleCount
0x4aa23c - GetStdHandle
0x4aa240 - GetFileType
0x4aa244 - GetEnvironmentVariableA
0x4aa248 - HeapDestroy
0x4aa24c - HeapCreate
0x4aa250 - VirtualFree
0x4aa254 - SetEnvironmentVariableA
0x4aa258 - LCMapStringA
0x4aa25c - LCMapStringW
0x4aa260 - VirtualAlloc
0x4aa264 - IsBadWritePtr
0x4aa268 - GetStringTypeA
0x4aa26c - GetStringTypeW
0x4aa270 - SetUnhandledExceptionFilter
0x4aa274 - CompareStringA
0x4aa278 - CompareStringW
0x4aa27c - IsBadReadPtr
0x4aa280 - IsBadCodePtr
0x4aa284 - SetStdHandle
0x4aa288 - SuspendThread
0x4aa28c - TerminateThread
0x4aa290 - ReleaseMutex
0x4aa294 - CreateMutexA
0x4aa298 - CreateSemaphoreA
0x4aa29c - ResumeThread
0x4aa2a0 - ReleaseSemaphore
0x4aa2a4 - EnterCriticalSection
0x4aa2a8 - LeaveCriticalSection
0x4aa2ac - GetProfileStringA
0x4aa2b0 - WriteFile
0x4aa2b4 - WaitForMultipleObjects
0x4aa2b8 - CreateFileA
0x4aa2bc - SetEvent
0x4aa2c0 - FindResourceA
0x4aa2c4 - LoadResource
0x4aa2c8 - LockResource
0x4aa2cc - ReadFile
0x4aa2d0 - lstrlenW
0x4aa2d4 - GetModuleFileNameA
0x4aa2d8 - WideCharToMultiByte
0x4aa2dc - MultiByteToWideChar
0x4aa2e0 - GetCurrentThreadId
0x4aa2e4 - ExitProcess
0x4aa2e8 - GlobalSize
0x4aa2ec - GlobalFree
0x4aa2f0 - DeleteCriticalSection
0x4aa2f4 - InitializeCriticalSection
0x4aa2f8 - lstrcatA
0x4aa2fc - lstrlenA
0x4aa300 - CloseHandle
0x4aa304 - WinExec
0x4aa308 - lstrcpyA
0x4aa30c - FindNextFileA
0x4aa310 - GlobalReAlloc
0x4aa314 - HeapFree
0x4aa318 - HeapReAlloc
0x4aa31c - GetProcessHeap
0x4aa320 - HeapAlloc
0x4aa324 - GetUserDefaultLCID
0x4aa328 - GetFullPathNameA
0x4aa32c - FreeLibrary
0x4aa330 - LoadLibraryA
0x4aa334 - GetLastError
0x4aa338 - GetVersionExA
0x4aa33c - WritePrivateProfileStringA
0x4aa340 - CreateThread
0x4aa344 - CreateEventA
0x4aa348 - Sleep
0x4aa34c - ExpandEnvironmentStringsA
0x4aa350 - GlobalAlloc
0x4aa354 - GlobalLock
0x4aa358 - GlobalUnlock
0x4aa35c - FindFirstFileA
0x4aa360 - FindClose
0x4aa364 - GetFileAttributesA
0x4aa368 - DeleteFileA
0x4aa36c - SetCurrentDirectoryA
0x4aa370 - GetVolumeInformationA
0x4aa374 - GetModuleHandleA
0x4aa378 - GetProcAddress
0x4aa37c - MulDiv
0x4aa380 - GetCommandLineA
0x4aa384 - GetTickCount
0x4aa388 - WaitForSingleObject
0x4aa38c - GetFileSize
Library USER32.dll:
0x4aa3ec - LoadIconA
0x4aa3f0 - TranslateMessage
0x4aa3f4 - DrawFrameControl
0x4aa3f8 - DrawEdge
0x4aa3fc - DrawFocusRect
0x4aa400 - WindowFromPoint
0x4aa404 - GetMessageA
0x4aa408 - DispatchMessageA
0x4aa40c - SetRectEmpty
0x4aa410 - RegisterClipboardFormatA
0x4aa414 - CreateIconFromResourceEx
0x4aa418 - CreateIconFromResource
0x4aa41c - DrawIconEx
0x4aa420 - CreatePopupMenu
0x4aa424 - AppendMenuA
0x4aa428 - ModifyMenuA
0x4aa42c - CreateMenu
0x4aa430 - CreateAcceleratorTableA
0x4aa434 - GetDlgCtrlID
0x4aa438 - GetSubMenu
0x4aa43c - EnableMenuItem
0x4aa440 - ClientToScreen
0x4aa444 - EnumDisplaySettingsA
0x4aa448 - LoadImageA
0x4aa44c - SystemParametersInfoA
0x4aa450 - ShowWindow
0x4aa454 - IsWindowEnabled
0x4aa458 - TranslateAcceleratorA
0x4aa45c - GetKeyState
0x4aa460 - CopyAcceleratorTableA
0x4aa464 - PostQuitMessage
0x4aa468 - IsZoomed
0x4aa46c - GetClassInfoA
0x4aa470 - DefWindowProcA
0x4aa474 - GetSystemMenu
0x4aa478 - DeleteMenu
0x4aa47c - GetMenu
0x4aa480 - SetMenu
0x4aa484 - PeekMessageA
0x4aa488 - IsIconic
0x4aa48c - SetFocus
0x4aa490 - GetActiveWindow
0x4aa494 - GetWindow
0x4aa498 - DestroyAcceleratorTable
0x4aa49c - SetWindowRgn
0x4aa4a0 - GetMessagePos
0x4aa4a4 - ScreenToClient
0x4aa4a8 - ChildWindowFromPointEx
0x4aa4ac - CopyRect
0x4aa4b0 - LoadBitmapA
0x4aa4b4 - WinHelpA
0x4aa4b8 - KillTimer
0x4aa4bc - SetTimer
0x4aa4c0 - ReleaseCapture
0x4aa4c4 - GetCapture
0x4aa4c8 - SetCapture
0x4aa4cc - GetScrollRange
0x4aa4d0 - SetScrollRange
0x4aa4d4 - SetScrollPos
0x4aa4d8 - SetRect
0x4aa4dc - InflateRect
0x4aa4e0 - IntersectRect
0x4aa4e4 - DestroyIcon
0x4aa4e8 - PtInRect
0x4aa4ec - OffsetRect
0x4aa4f0 - IsWindowVisible
0x4aa4f4 - EnableWindow
0x4aa4f8 - UnregisterClassA
0x4aa4fc - GetWindowLongA
0x4aa500 - SetWindowLongA
0x4aa504 - GetSysColor
0x4aa508 - SetActiveWindow
0x4aa50c - SetCursorPos
0x4aa510 - LoadCursorA
0x4aa514 - SetCursor
0x4aa518 - GetDC
0x4aa51c - FillRect
0x4aa520 - IsRectEmpty
0x4aa524 - ReleaseDC
0x4aa528 - IsChild
0x4aa52c - DestroyMenu
0x4aa530 - SetForegroundWindow
0x4aa534 - GetWindowRect
0x4aa538 - EqualRect
0x4aa53c - UpdateWindow
0x4aa540 - ValidateRect
0x4aa544 - InvalidateRect
0x4aa548 - GetClientRect
0x4aa54c - GetFocus
0x4aa550 - GetParent
0x4aa554 - GetTopWindow
0x4aa558 - PostMessageA
0x4aa55c - IsWindow
0x4aa560 - SetParent
0x4aa564 - DestroyCursor
0x4aa568 - SendMessageA
0x4aa56c - SetWindowPos
0x4aa570 - GetWindowTextA
0x4aa574 - GetWindowTextLengthA
0x4aa578 - CharUpperA
0x4aa57c - GetWindowDC
0x4aa580 - BeginPaint
0x4aa584 - EndPaint
0x4aa588 - TabbedTextOutA
0x4aa58c - DrawTextA
0x4aa590 - GrayStringA
0x4aa594 - GetDlgItem
0x4aa598 - DestroyWindow
0x4aa59c - CreateDialogIndirectParamA
0x4aa5a0 - EndDialog
0x4aa5a4 - GetNextDlgTabItem
0x4aa5a8 - GetWindowPlacement
0x4aa5ac - RegisterWindowMessageA
0x4aa5b0 - GetForegroundWindow
0x4aa5b4 - GetLastActivePopup
0x4aa5b8 - GetMessageTime
0x4aa5bc - RemovePropA
0x4aa5c0 - CallWindowProcA
0x4aa5c4 - GetPropA
0x4aa5c8 - UnhookWindowsHookEx
0x4aa5cc - SetPropA
0x4aa5d0 - GetClassLongA
0x4aa5d4 - CallNextHookEx
0x4aa5d8 - SetWindowsHookExA
0x4aa5dc - CreateWindowExA
0x4aa5e0 - GetMenuItemID
0x4aa5e4 - GetMenuItemCount
0x4aa5e8 - RegisterClassA
0x4aa5ec - GetScrollPos
0x4aa5f0 - AdjustWindowRectEx
0x4aa5f4 - MapWindowPoints
0x4aa5f8 - SendDlgItemMessageA
0x4aa5fc - ScrollWindowEx
0x4aa600 - IsDialogMessageA
0x4aa604 - SetWindowTextA
0x4aa608 - MoveWindow
0x4aa60c - CheckMenuItem
0x4aa610 - SetMenuItemBitmaps
0x4aa614 - GetMenuState
0x4aa618 - GetMenuCheckMarkDimensions
0x4aa61c - GetClassNameA
0x4aa620 - GetDesktopWindow
0x4aa624 - LoadStringA
0x4aa628 - GetSysColorBrush
0x4aa62c - MessageBoxA
0x4aa630 - GetCursorPos
0x4aa634 - GetSystemMetrics
0x4aa638 - EmptyClipboard
0x4aa63c - SetClipboardData
0x4aa640 - OpenClipboard
0x4aa644 - GetClipboardData
0x4aa648 - CloseClipboard
0x4aa64c - wsprintfA
0x4aa650 - RedrawWindow
Library GDI32.dll:
0x4aa028 - GetTextMetricsA
0x4aa02c - ExtTextOutA
0x4aa030 - TextOutA
0x4aa034 - RectVisible
0x4aa038 - PtVisible
0x4aa03c - GetViewportExtEx
0x4aa040 - Escape
0x4aa044 - ExtSelectClipRgn
0x4aa048 - SetBkColor
0x4aa04c - CreateRectRgnIndirect
0x4aa050 - SetStretchBltMode
0x4aa054 - GetClipRgn
0x4aa058 - CreatePolygonRgn
0x4aa05c - SelectClipRgn
0x4aa060 - DeleteObject
0x4aa064 - CreateDIBitmap
0x4aa068 - GetSystemPaletteEntries
0x4aa06c - CreatePalette
0x4aa070 - StretchBlt
0x4aa074 - SelectPalette
0x4aa078 - RealizePalette
0x4aa07c - GetDIBits
0x4aa080 - GetWindowExtEx
0x4aa084 - GetViewportOrgEx
0x4aa088 - GetWindowOrgEx
0x4aa08c - BeginPath
0x4aa090 - EndPath
0x4aa094 - PathToRegion
0x4aa098 - CreateEllipticRgn
0x4aa09c - CreateRoundRectRgn
0x4aa0a0 - GetTextColor
0x4aa0a4 - GetBkMode
0x4aa0a8 - GetBkColor
0x4aa0ac - GetROP2
0x4aa0b0 - GetStretchBltMode
0x4aa0b4 - GetPolyFillMode
0x4aa0b8 - CreateCompatibleBitmap
0x4aa0bc - CreateDCA
0x4aa0c0 - CreateBitmap
0x4aa0c4 - SelectObject
0x4aa0c8 - CreatePen
0x4aa0cc - PatBlt
0x4aa0d0 - ScaleViewportExtEx
0x4aa0d4 - SetViewportExtEx
0x4aa0d8 - OffsetViewportOrgEx
0x4aa0dc - SetViewportOrgEx
0x4aa0e0 - SetMapMode
0x4aa0e4 - SetTextColor
0x4aa0e8 - SetROP2
0x4aa0ec - SetPolyFillMode
0x4aa0f0 - SetBkMode
0x4aa0f4 - RestoreDC
0x4aa0f8 - SaveDC
0x4aa0fc - CombineRgn
0x4aa100 - CreateRectRgn
0x4aa104 - FillRgn
0x4aa108 - CreateSolidBrush
0x4aa10c - CreateFontIndirectA
0x4aa110 - GetStockObject
0x4aa114 - GetObjectA
0x4aa118 - EndPage
0x4aa11c - EndDoc
0x4aa120 - DeleteDC
0x4aa124 - StartDocA
0x4aa128 - StartPage
0x4aa12c - BitBlt
0x4aa130 - CreateCompatibleDC
0x4aa134 - Ellipse
0x4aa138 - Rectangle
0x4aa13c - LPtoDP
0x4aa140 - DPtoLP
0x4aa144 - GetCurrentObject
0x4aa148 - RoundRect
0x4aa14c - GetTextExtentPoint32A
0x4aa150 - GetDeviceCaps
0x4aa154 - LineTo
0x4aa158 - MoveToEx
0x4aa15c - ExcludeClipRect
0x4aa160 - GetClipBox
0x4aa164 - ScaleWindowExtEx
0x4aa168 - SetWindowExtEx
0x4aa16c - SetWindowOrgEx
Library WINMM.dll:
0x4aa658 - waveOutUnprepareHeader
0x4aa65c - waveOutPrepareHeader
0x4aa660 - waveOutWrite
0x4aa664 - waveOutPause
0x4aa668 - waveOutReset
0x4aa66c - waveOutClose
0x4aa670 - waveOutGetNumDevs
0x4aa674 - waveOutOpen
0x4aa678 - midiOutUnprepareHeader
0x4aa67c - midiStreamOpen
0x4aa680 - midiStreamProperty
0x4aa684 - midiOutPrepareHeader
0x4aa688 - midiStreamOut
0x4aa68c - waveOutRestart
0x4aa690 - midiStreamStop
0x4aa694 - midiOutReset
0x4aa698 - midiStreamClose
0x4aa69c - midiStreamRestart
Library WINSPOOL.DRV:
0x4aa6a4 - OpenPrinterA
0x4aa6a8 - DocumentPropertiesA
0x4aa6ac - ClosePrinter
Library ADVAPI32.dll:
0x4aa000 - RegCloseKey
0x4aa004 - RegQueryValueExA
0x4aa008 - RegOpenKeyExA
0x4aa00c - RegSetValueExA
0x4aa010 - RegQueryValueA
0x4aa014 - RegCreateKeyExA
Library SHELL32.dll:
0x4aa3e0 - ShellExecuteA
0x4aa3e4 - Shell_NotifyIconA
Library ole32.dll:
0x4aa6f4 - CLSIDFromProgID
0x4aa6f8 - OleRun
0x4aa6fc - CoCreateInstance
0x4aa700 - CLSIDFromString
0x4aa704 - OleUninitialize
0x4aa708 - OleInitialize
Library OLEAUT32.dll:
0x4aa394 - SafeArrayGetElement
0x4aa398 - VariantCopyInd
0x4aa39c - VariantInit
0x4aa3a0 - SysAllocString
0x4aa3a4 - SafeArrayDestroy
0x4aa3a8 - SafeArrayCreate
0x4aa3ac - SafeArrayPutElement
0x4aa3b0 - RegisterTypeLib
0x4aa3b4 - LHashValOfNameSys
0x4aa3b8 - LoadTypeLib
0x4aa3bc - UnRegisterTypeLib
0x4aa3c0 - SafeArrayAccessData
0x4aa3c4 - SafeArrayUnaccessData
0x4aa3c8 - SafeArrayGetDim
0x4aa3cc - SafeArrayGetLBound
0x4aa3d0 - SafeArrayGetUBound
0x4aa3d4 - VariantChangeType
0x4aa3d8 - VariantClear
Library COMCTL32.dll:
0x4aa01c - ImageList_Destroy
0x4aa020 - None
Library WS2_32.dll:
0x4aa6b4 - inet_ntoa
0x4aa6b8 - WSACleanup
0x4aa6bc - ntohl
0x4aa6c0 - accept
0x4aa6c4 - getpeername
0x4aa6c8 - recv
0x4aa6cc - ioctlsocket
0x4aa6d0 - recvfrom
0x4aa6d4 - closesocket
0x4aa6d8 - WSAAsyncSelect
Library comdlg32.dll:
0x4aa6e0 - ChooseColorA
0x4aa6e4 - GetOpenFileNameA
0x4aa6e8 - GetSaveFileNameA
0x4aa6ec - GetFileTitleA

Dropped files

No information

Behavior analysis

Mutexes
  • Local\MSCTF.Asm.MutexDefault1
Commands executed: No information
Services created: No information
Services started: No information

Processes

_____________________.exe PID: 2556, parent PID: 2236

Files accessed
  • C:\Windows\Globalization\Sorting\sortdefault.nls
  • C:\Users\test\AppData\Local\Temp\kernel32.DLL
  • C:\Users\test\AppData\Local\Temp\\xe5\x8c\x85\x18
  • C:\Users\test\AppData\Local\Temp\_____________________.exe
  • C:\Users\test\AppData\Local\Temp\gdiplus.dll
  • C:\Users\test\AppData\Local\Temp\_____________________.exe.Local\
  • C:\Windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80
  • C:\Windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\GdiPlus.dll
  • C:\Windows\Fonts\staticcache.dat
  • C:\Users\test\AppData\Local\Temp\user32.DLL
  • C:\Users\test\AppData\Local\Temp\user32.dll
  • C:\Users\test\AppData\Local\Temp\kernel32.dll
  • C:\Users\test\AppData\Local\Temp\gdi32.DLL
  • C:\Users\test\AppData\Local\Temp\GdiPlus.dll
Files read
  • C:\Windows\Globalization\Sorting\sortdefault.nls
  • C:\Users\test\AppData\Local\Temp\\xe5\x8c\x85\x18
  • C:\Users\test\AppData\Local\Temp\_____________________.exe
  • C:\Windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\GdiPlus.dll
  • C:\Windows\Fonts\staticcache.dat
Files modified: No information
Files deleted: No information
Registry keys
  • HKEY_CURRENT_USER\Software\Microsoft\Multimedia\DrawDib
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\ExtendedLocale
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\黑体
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\_____________________.exe
  • HKEY_LOCAL_MACHINE\Software\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{03B5835F-F03C-411B-9CE2-AA23E1171E36}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{07EB03D6-B001-41DF-9192-BF9B841EE71F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3697C5FA-60DD-4B56-92D4-74A569205C16}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3FC47A08-E5C9-4BCA-A2C7-BC9A282AED14}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{531FDEBF-9B4C-4A43-A2AA-960E8FCDC732}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{78CB5B0E-26ED-4FCC-854C-77E8F3D1AA80}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{81D4E9C9-1D3B-41BC-9E6C-4B40BF79E35E}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{8613E14C-D0C0-4161-AC0F-1DD2563286BC}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{A028AE76-01B1-46C2-99C4-ACD9858AE02F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{AE6BE008-07FB-400D-8BEB-337A64F7051F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{C1EE01F2-B3B6-4A6A-9DDD-E988C088EC82}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{E429B25A-E5D3-4D1F-9BE3-0C608477E3A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F25E9F57-2FC8-4EB3-A41A-CCE5F08541E6}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F89E9E58-BD2F-4008-9AC2-0F816C09F4EE}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_CURRENT_USER
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
  • HKEY_CURRENT_USER\Software\Microsoft\CTF\DirectSwitchHotkeys
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\KnownClasses
  • HKEY_LOCAL_MACHINE\Software\Classes\steam\Shell\Open\Command
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\WOW\boot
  • HKEY_CURRENT_USER\Software\Microsoft\Multimedia\DrawDib\ 800x600x24(BGR 0)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\微软雅黑
Registry keys read
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
Registry keys modified
  • HKEY_CURRENT_USER\Software\Microsoft\Multimedia\DrawDib
  • HKEY_CURRENT_USER\Software\Microsoft\Multimedia\DrawDib\ 800x600x24(BGR 0)
Registry keys deleted: No information
API resolution
  • kernel32.dll.IsProcessorFeaturePresent
  • cryptbase.dll.SystemFunction036
  • kernel32.dll.SortGetHandle
  • kernel32.dll.SortCloseHandle
  • kernel32.dll.lstrcpyn
  • kernel32.dll.RtlMoveMemory
  • kernel32.dll.VirtualAlloc
  • kernel32.dll.GetModuleHandleA
  • kernel32.dll.GetProcAddress
  • kernel32.dll.LoadLibraryA
  • kernel32.dll.VirtualProtect
  • kernel32.dll.VirtualFree
  • comctl32.dll.ImageList_Draw
  • gdi32.dll.BitBlt
  • msimg32.dll.TransparentBlt
  • msvcrt.dll.free
  • msvfw32.dll.DrawDibOpen
  • user32.dll.GetDC
  • kernel32.dll.MulDiv
  • kernel32.dll.FlushInstructionCache
  • kernel32.dll.GetCurrentProcess
  • kernel32.dll.GetTickCount
  • kernel32.dll.VirtualQuery
  • kernel32.dll.SetFilePointer
  • kernel32.dll.GlobalAlloc
  • kernel32.dll.GlobalLock
  • kernel32.dll.GlobalUnlock
  • kernel32.dll.GlobalReAlloc
  • kernel32.dll.GlobalFree
  • kernel32.dll.FindResourceA
  • kernel32.dll.LoadResource
  • kernel32.dll.LockResource
  • kernel32.dll.SizeofResource
  • kernel32.dll.FreeLibrary
  • kernel32.dll.GetModuleFileNameA
  • kernel32.dll.GetVersion
  • kernel32.dll.GetCurrentThreadId
  • kernel32.dll.CreateFileA
  • kernel32.dll.GetFileSize
  • kernel32.dll.CloseHandle
  • kernel32.dll.ReadFile
  • kernel32.dll.SetLastError
  • comctl32.dll.ImageList_GetIcon
  • comctl32.dll.ImageList_GetImageInfo
  • comctl32.dll.ImageList_GetIconSize
  • gdi32.dll.SetWindowExtEx
  • gdi32.dll.SetWindowOrgEx
  • gdi32.dll.SetMapMode
  • gdi32.dll.SelectClipPath
  • gdi32.dll.EndPath
  • gdi32.dll.BeginPath
  • gdi32.dll.TextOutA
  • gdi32.dll.GetClipRgn
  • gdi32.dll.GetPixel
  • gdi32.dll.CreatePatternBrush
  • gdi32.dll.CreateFontIndirectA
  • gdi32.dll.SetViewportOrgEx
  • gdi32.dll.GetStockObject
  • gdi32.dll.GetTextExtentPoint32A
  • gdi32.dll.CreateRoundRectRgn
  • gdi32.dll.CreateFontA
  • gdi32.dll.SetViewportExtEx
  • gdi32.dll.SelectClipRgn
  • gdi32.dll.SelectObject
  • gdi32.dll.CreateCompatibleDC
  • gdi32.dll.DeleteDC
  • gdi32.dll.OffsetRgn
  • gdi32.dll.CombineRgn
  • gdi32.dll.CreateRectRgn
  • gdi32.dll.CreatePen
  • gdi32.dll.ExtCreateRegion
  • gdi32.dll.DeleteObject
  • gdi32.dll.Rectangle
  • gdi32.dll.SetPixel
  • gdi32.dll.PtInRegion
  • gdi32.dll.SetTextColor
  • gdi32.dll.SetBkMode
  • gdi32.dll.PatBlt
  • gdi32.dll.CreateDIBSection
  • gdi32.dll.GetObjectA
  • gdi32.dll.CreateCompatibleBitmap
  • gdi32.dll.GetTextExtentPointA
  • gdi32.dll.ExtTextOutA
  • gdi32.dll.ExtTextOutW
  • gdi32.dll.SetBkColor
  • gdi32.dll.GetTextColor
  • gdi32.dll.CreateSolidBrush
  • msvcrt.dll.??3@YAXPAX@Z
  • msvcrt.dll.__CxxFrameHandler
  • msvcrt.dll.??2@YAPAXI@Z
  • msvcrt.dll._ftol
  • msvcrt.dll._mbsstr
  • msvcrt.dll._mbscmp
  • msvcrt.dll.__dllonexit
  • msvcrt.dll.malloc
  • msvcrt.dll._initterm
  • msvcrt.dll._adjust_fdiv
  • msvcrt.dll._onexit
  • msvcrt.dll.memcpy
  • msvfw32.dll.DrawDibDraw
  • msvfw32.dll.DrawDibClose
  • user32.dll.SetWindowsHookExA
  • user32.dll.UnhookWindowsHookEx
  • user32.dll.CallNextHookEx
  • user32.dll.GetClassNameA
  • user32.dll.IsWindow
  • user32.dll.EnumThreadWindows
  • user32.dll.EnumChildWindows
  • user32.dll.LockWindowUpdate
  • user32.dll.DestroyIcon
  • user32.dll.DrawStateA
  • user32.dll.ShowWindow
  • user32.dll.GetMenuItemID
  • user32.dll.GetWindowRgn
  • user32.dll.SetMenu
  • user32.dll.GetMenu
  • user32.dll.GetSubMenu
  • user32.dll.TrackPopupMenu
  • user32.dll.CreateWindowExA
  • user32.dll.DestroyWindow
  • user32.dll.GetWindowInfo
  • user32.dll.SetWindowPos
  • user32.dll.GetClassLongA
  • user32.dll.ScreenToClient
  • user32.dll.SystemParametersInfoA
  • user32.dll.GetSystemMetrics
  • user32.dll.MenuItemFromPoint
  • user32.dll.GetMenuItemRect
  • user32.dll.GetMenuItemCount
  • user32.dll.SetMenuItemInfoA
  • user32.dll.IsMenu
  • user32.dll.GetUpdateRect
  • user32.dll.EqualRect
  • user32.dll.ShowScrollBar
  • user32.dll.SetWindowRgn
  • user32.dll.WindowFromDC
  • user32.dll.MoveWindow
  • user32.dll.GetSysColor
  • user32.dll.EnableScrollBar
  • user32.dll.GetScrollBarInfo
  • user32.dll.GetCapture
  • user32.dll.SetScrollPos
  • user32.dll.SetScrollInfo
  • user32.dll.GetScrollRange
  • user32.dll.GetScrollPos
  • user32.dll.GetScrollInfo
  • user32.dll.ReleaseDC
  • user32.dll.GetWindowDC
  • user32.dll.GetDCEx
  • user32.dll.EndPaint
  • user32.dll.BeginPaint
  • user32.dll.GetWindowLongW
  • user32.dll.SetWindowLongW
  • user32.dll.SetWindowLongA
  • user32.dll.ClientToScreen
  • user32.dll.FindWindowExA
  • user32.dll.GetMenuItemInfoA
  • user32.dll.GetParent
  • user32.dll.GetComboBoxInfo
  • user32.dll.TrackMouseEvent
  • user32.dll.GetIconInfo
  • user32.dll.GetClientRect
  • user32.dll.GetFocus
  • user32.dll.InflateRect
  • user32.dll.InvalidateRect
  • user32.dll.SetPropA
  • user32.dll.RemovePropA
  • user32.dll.CallWindowProcA
  • user32.dll.GetPropA
  • user32.dll.SetTimer
  • user32.dll.OffsetRect
  • user32.dll.KillTimer
  • user32.dll.EnableWindow
  • user32.dll.GetWindowLongA
  • user32.dll.SetRectEmpty
  • user32.dll.DrawIconEx
  • user32.dll.GetWindowTextA
  • user32.dll.DrawTextA
  • user32.dll.IsRectEmpty
  • user32.dll.IsIconic
  • user32.dll.IsZoomed
  • user32.dll.GetSystemMenu
  • user32.dll.GetMenuState
  • user32.dll.ReleaseCapture
  • user32.dll.GetMessageA
  • user32.dll.SetScrollRange
  • user32.dll.DispatchMessageA
  • user32.dll.SetRect
  • user32.dll.IsWindowVisible
  • user32.dll.RegisterClassExA
  • user32.dll.DefWindowProcA
  • user32.dll.IsWindowEnabled
  • user32.dll.SendMessageA
  • user32.dll.GetCursorPos
  • user32.dll.LoadCursorA
  • user32.dll.SetCursor
  • user32.dll.GetWindowRect
  • user32.dll.PtInRect
  • user32.dll.SetCapture
  • user32.dll.UpdateLayeredWindow
  • user32.dll.SetLayeredWindowAttributes
  • dciman32.dll.DCIOpenProvider
  • dciman32.dll.DCICloseProvider
  • dciman32.dll.DCICreatePrimary
  • dciman32.dll.DCIEndAccess
  • dciman32.dll.DCIBeginAccess
  • dciman32.dll.DCIDestroy
  • gdiplus.dll.GdiplusStartup
  • user32.dll.GetAncestor
  • user32.dll.GetMonitorInfoA
  • user32.dll.EnumDisplayMonitors
  • user32.dll.EnumDisplayDevicesA
  • gdi32.dll.GdiIsMetaPrintDC
  • comctl32.dll.RegisterClassNameW
  • uxtheme.dll.OpenThemeData
  • imm32.dll.ImmIsIME
  • gdi32.dll.GetLayout
  • gdi32.dll.GdiRealizationInfo
  • gdi32.dll.FontIsLinked
  • advapi32.dll.RegOpenKeyExW
  • advapi32.dll.RegQueryValueExW
  • advapi32.dll.RegCloseKey
  • advapi32.dll.RegQueryValueExA
  • advapi32.dll.RegQueryInfoKeyW
  • advapi32.dll.RegEnumKeyExW
  • gdi32.dll.GetTextFaceAliasW
  • gdi32.dll.GetTextExtentExPointWPri
  • uxtheme.dll.EnableThemeDialogTexture
  • user32.dll.GetClassInfoExA
  • kernel32.dll.LocalSize
  • ole32.dll.CoInitializeEx
  • ole32.dll.CoUninitialize
  • ole32.dll.CoRegisterInitializeSpy
  • ole32.dll.CoRevokeInitializeSpy
  • gdiplus.dll.GdipCreateFromHDC
  • gdiplus.dll.GdipSetClipHrgn
  • gdiplus.dll.GdipSetSmoothingMode
  • gdiplus.dll.GdipSetCompositingQuality
  • gdiplus.dll.GdipCreatePen1
  • gdiplus.dll.GdipCreatePath
  • gdiplus.dll.GdipAddPathArc
  • gdiplus.dll.GdipClosePathFigure
  • gdiplus.dll.GdipDrawPath
  • gdiplus.dll.GdipDeletePath
  • gdiplus.dll.GdipDeletePen
  • gdiplus.dll.GdipResetClip
  • gdiplus.dll.GdipDeleteGraphics
  • advapi32.dll.RegEnumValueW
  • gdi32.dll.GetFontAssocStatus
  • imm32.dll.ImmGetContext
  • imm32.dll.ImmLockIMC
  • imm32.dll.ImmUnlockIMC
  • imm32.dll.ImmReleaseContext
  • imm32.dll.ImmSetCompositionFontW
  • imm32.dll.ImmGetCompositionWindow
  • imm32.dll.ImmSetCompositionWindow
  • uxtheme.dll.BufferedPaintInit
  • uxtheme.dll.BeginBufferedPaint
  • uxtheme.dll.EndBufferedPaint