魔盾安全分析报告

分析类型	开始时间	结束时间	持续时间	分析引擎版本
FILE	2019-09-06 16:15:59	2019-09-06 16:18:25	146 秒	1.4-Maldun

虚拟机机器名	标签	虚拟机管理	开机时间	关机时间
win7-sp1-x64-hpdapp01-1	win7-sp1-x64-hpdapp01-1	KVM	2019-09-06 16:16:10	2019-09-06 16:18:27

魔盾分数
6.15 恶意的

文件详细信息

文件名	TQM正版.exe
文件大小	4292608 字节
文件类型	PE32 executable (GUI) Intel 80386, for MS Windows
CRC32	0CD8BCB0
MD5	c056080f9a7ea653f8957150f42e639b
SHA1	d2a2d9ab3fbe109d3de12f2d3f313a6e3f5ebccb
SHA256	574405c9ff44b805471cc97e25374523c39baf6b023a94cc130ea62fc67738c8
SHA512	00bb27be09d1beddcac4b681ce527f8ed0a7f9dd4134ffca6cc573db2ed8fb43e97e7969420941e6d3667d99775449ac4a6f1bf2070a44a5a0a7e55f36bfce0a
Ssdeep	49152:Nd45el7WpB2rh+4TEo0qY5LMNJJt9mutKfVh8FtZ+s8KuqGaX0ToIBAUZLYp:4El7S+jEo0qYtMNDmutKCtSJBAUZLc
PEiD	无匹配
Yara	IsPE32 (Detected 32bit PE signature) IsWindowsGUI () HasRichSignature (Detected Rich Signature) DebuggerTiming__PerformanceCounter () DebuggerTiming__Ticks () create_process (Create a new process) network_http (Communications over HTTP) screenshot (Detected take screenshot function) keylogger (Run a keylogger) win_mutex (Create or check mutex) win_registry (Affect system registries) change_win_registry (Change registries to affect system) win_private_profile (Affect private profile) win_files_operation (Affect private profile) win_hook (Affect hook table) Maldun_Anomoly_Combined_Activities_Network_Logging (Spotted potential abnormal behaviors, like logging and network communications) Maldun_Anomoly_Combined_Activities_7 (Spotted potential malicious behaviors from a small size target, like process manipultion, privilege, token and files) maldoc_find_kernel32_base_method_1 () with_images (Detected the presence of an or several images) with_urls (Detected the presence of an or several urls) UPX (Detected UPX. Commonly used by RAT!) CRC32_poly_Constant (Look for CRC32 [poly]) CRC32_table (Look for CRC32 table) MD5_Constants (Look for MD5 constants) DES_sbox (Look for DES [sbox]) BASE64_table (Look for Base64 table) Code_Random (Look for Random function) UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser ()
VirusTotal	无此文件扫描结果

特征

创建RWX内存

魔盾wping.org IP地址信誉系统

Neutral: 113.141.163.87

从文件自身的二进制镜像中读取数据

self_read: process: TQM______.exe, pid: 2648, offset: 0x00000000, length: 0x00000040

self_read: process: TQM______.exe, pid: 2648, offset: 0x00000108, length: 0x00000020

self_read: process: TQM______.exe, pid: 2648, offset: 0x0000018b, length: 0x00080000

尝试断开连接或更改沙箱进程监控的Windows功能

unhook: function_name: SetWindowLongA, type: modification

unhook: function_name: SetWindowLongW, type: modification

魔盾安全Yara规则检测结果 - 高危

Informational: Detected Rich Signature

Warning: Create a new process

Warning: Communications over HTTP

Warning: Detected take screenshot function

Warning: Run a keylogger

Warning: Affect system registries

Warning: Affect private profile

Warning: Affect hook table

Critical: Spotted potential abnormal behaviors, like logging and network communications

Critical: Spotted potential malicious behaviors from a small size target, like process manipultion, privilege, token and files

Critical: maldoc_find_kernel32_base_method_1

Informational: Detected the presence of an or several images

Informational: Detected the presence of an or several urls

Warning: Detected UPX. Commonly used by RAT!

Informational: Look for CRC32 [poly]

Informational: Look for CRC32 table

Informational: Look for MD5 constants

Informational: Look for DES [sbox]

Informational: Look for Base64 table

Informational: Look for Random function

Informational: UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser

运行截图

网络分析

访问主机记录

直接访问	IP地址	国家名
否	113.141.163.87	China

域名解析

域名	响应
w.eydata.net	A 113.141.163.87 A 110.42.2.224

TCP连接

IP地址	端口
113.141.163.87	443

UDP连接

IP地址	端口
192.168.122.1	53

静态分析

PE 信息

初始地址	0x00400000
入口地址	0x0049b439
声明校验值	0x00000000
实际校验值	0x0042291b
最低操作系统版本要求	4.0
编译时间	2019-09-02 19:51:59
载入哈希	c1ff967736ddd80a162ca80252caf234

PE数据组成

名称	虚拟地址	虚拟大小	原始数据大小	特征	熵(Entropy)
.text	0x00001000	0x000badc6	0x000bb000	IMAGE_SCN_CNT_CODE\|IMAGE_SCN_MEM_EXECUTE\|IMAGE_SCN_MEM_READ	6.62
.rdata	0x000bc000	0x0032fdee	0x00330000	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ	6.42
.data	0x003ec000	0x0005f30a	0x0001a000	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ\|IMAGE_SCN_MEM_WRITE	5.07
.rsrc	0x0044c000	0x00011650	0x00012000	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ	6.72

导入

库 iphlpapi.dll:

• 0x4bc708 - GetAdaptersInfo

库 WINMM.dll:

• 0x4bc66c - midiStreamOut

• 0x4bc670 - midiOutPrepareHeader

• 0x4bc674 - waveOutPause

• 0x4bc678 - waveOutReset

• 0x4bc67c - waveOutClose

• 0x4bc680 - waveOutGetNumDevs

• 0x4bc684 - waveOutOpen

• 0x4bc688 - midiOutUnprepareHeader

• 0x4bc68c - midiStreamOpen

• 0x4bc690 - midiStreamProperty

• 0x4bc694 - waveOutUnprepareHeader

• 0x4bc698 - midiStreamStop

• 0x4bc69c - midiOutReset

• 0x4bc6a0 - midiStreamClose

• 0x4bc6a4 - midiStreamRestart

• 0x4bc6a8 - waveOutWrite

• 0x4bc6ac - waveOutRestart

• 0x4bc6b0 - waveOutPrepareHeader

库 WS2_32.dll:

• 0x4bc6c8 - WSACleanup

• 0x4bc6cc - inet_ntoa

• 0x4bc6d0 - closesocket

• 0x4bc6d4 - getpeername

• 0x4bc6d8 - accept

• 0x4bc6dc - ntohl

• 0x4bc6e0 - WSAAsyncSelect

• 0x4bc6e4 - recvfrom

• 0x4bc6e8 - ioctlsocket

• 0x4bc6ec - recv

库 KERNEL32.dll:

• 0x4bc17c - GetSystemDirectoryA

• 0x4bc180 - SetLastError

• 0x4bc184 - QueryPerformanceFrequency

• 0x4bc188 - QueryPerformanceCounter

• 0x4bc18c - GetTimeZoneInformation

• 0x4bc190 - GetVersion

• 0x4bc194 - TerminateThread

• 0x4bc198 - InterlockedDecrement

• 0x4bc19c - InterlockedIncrement

• 0x4bc1a0 - CreateMutexA

• 0x4bc1a4 - ReleaseMutex

• 0x4bc1a8 - GetWindowsDirectoryA

• 0x4bc1ac - GetACP

• 0x4bc1b0 - FreeEnvironmentStringsW

• 0x4bc1b4 - FreeEnvironmentStringsA

• 0x4bc1b8 - UnhandledExceptionFilter

• 0x4bc1bc - HeapSize

• 0x4bc1c0 - RaiseException

• 0x4bc1c4 - GetLocalTime

• 0x4bc1c8 - GetSystemTime

• 0x4bc1cc - RtlUnwind

• 0x4bc1d0 - GetStartupInfoA

• 0x4bc1d4 - GetOEMCP

• 0x4bc1d8 - GetCPInfo

• 0x4bc1dc - GetProcessVersion

• 0x4bc1e0 - SetErrorMode

• 0x4bc1e4 - GlobalFlags

• 0x4bc1e8 - GetCurrentThread

• 0x4bc1ec - GetFileTime

• 0x4bc1f0 - TlsGetValue

• 0x4bc1f4 - LocalReAlloc

• 0x4bc1f8 - TlsSetValue

• 0x4bc1fc - TlsFree

• 0x4bc200 - GlobalHandle

• 0x4bc204 - TlsAlloc

• 0x4bc208 - LocalAlloc

• 0x4bc20c - lstrcmpA

• 0x4bc210 - GlobalGetAtomNameA

• 0x4bc214 - GlobalAddAtomA

• 0x4bc218 - GlobalFindAtomA

• 0x4bc21c - GlobalDeleteAtom

• 0x4bc220 - lstrcmpiA

• 0x4bc224 - SetEndOfFile

• 0x4bc228 - UnlockFile

• 0x4bc22c - LockFile

• 0x4bc230 - FlushFileBuffers

• 0x4bc234 - DuplicateHandle

• 0x4bc238 - lstrcpynA

• 0x4bc23c - FileTimeToLocalFileTime

• 0x4bc240 - FileTimeToSystemTime

• 0x4bc244 - LocalFree

• 0x4bc248 - OpenProcess

• 0x4bc24c - TerminateProcess

• 0x4bc250 - GetCurrentProcess

• 0x4bc254 - GetFileSize

• 0x4bc258 - SetFilePointer

• 0x4bc25c - CreateToolhelp32Snapshot

• 0x4bc260 - Process32First

• 0x4bc264 - Process32Next

• 0x4bc268 - CreateSemaphoreA

• 0x4bc26c - ResumeThread

• 0x4bc270 - ReleaseSemaphore

• 0x4bc274 - EnterCriticalSection

• 0x4bc278 - LeaveCriticalSection

• 0x4bc27c - GetProfileStringA

• 0x4bc280 - WriteFile

• 0x4bc284 - WaitForMultipleObjects

• 0x4bc288 - CreateFileA

• 0x4bc28c - DeviceIoControl

• 0x4bc290 - SetEvent

• 0x4bc294 - FindResourceA

• 0x4bc298 - LoadResource

• 0x4bc29c - LockResource

• 0x4bc2a0 - ReadFile

• 0x4bc2a4 - GetModuleFileNameA

• 0x4bc2a8 - WideCharToMultiByte

• 0x4bc2ac - MultiByteToWideChar

• 0x4bc2b0 - GetCurrentThreadId

• 0x4bc2b4 - ExitProcess

• 0x4bc2b8 - GlobalSize

• 0x4bc2bc - GlobalFree

• 0x4bc2c0 - DeleteCriticalSection

• 0x4bc2c4 - InitializeCriticalSection

• 0x4bc2c8 - lstrcatA

• 0x4bc2cc - lstrlenA

• 0x4bc2d0 - InterlockedExchange

• 0x4bc2d4 - WinExec

• 0x4bc2d8 - lstrcpyA

• 0x4bc2dc - FindNextFileA

• 0x4bc2e0 - GlobalReAlloc

• 0x4bc2e4 - HeapFree

• 0x4bc2e8 - HeapReAlloc

• 0x4bc2ec - GetProcessHeap

• 0x4bc2f0 - HeapAlloc

• 0x4bc2f4 - GetFullPathNameA

• 0x4bc2f8 - FreeLibrary

• 0x4bc2fc - LoadLibraryA

• 0x4bc300 - GetLastError

• 0x4bc304 - GetVersionExA

• 0x4bc308 - WritePrivateProfileStringA

• 0x4bc30c - GetPrivateProfileStringA

• 0x4bc310 - CreateThread

• 0x4bc314 - CreateEventA

• 0x4bc318 - Sleep

• 0x4bc31c - ExpandEnvironmentStringsA

• 0x4bc320 - GlobalAlloc

• 0x4bc324 - GlobalLock

• 0x4bc328 - GlobalUnlock

• 0x4bc32c - GetTempPathA

• 0x4bc330 - FindFirstFileA

• 0x4bc334 - FindClose

• 0x4bc338 - SetFileAttributesA

• 0x4bc33c - GetFileAttributesA

• 0x4bc340 - DeleteFileA

• 0x4bc344 - CopyFileA

• 0x4bc348 - SetCurrentDirectoryA

• 0x4bc34c - GetVolumeInformationA

• 0x4bc350 - GetModuleHandleA

• 0x4bc354 - GetProcAddress

• 0x4bc358 - MulDiv

• 0x4bc35c - GetCommandLineA

• 0x4bc360 - GetTickCount

• 0x4bc364 - CreateProcessA

• 0x4bc368 - WaitForSingleObject

• 0x4bc36c - CloseHandle

• 0x4bc370 - GetEnvironmentStrings

• 0x4bc374 - GetEnvironmentStringsW

• 0x4bc378 - SetHandleCount

• 0x4bc37c - GetStdHandle

• 0x4bc380 - GetFileType

• 0x4bc384 - GetEnvironmentVariableA

• 0x4bc388 - HeapDestroy

• 0x4bc38c - HeapCreate

• 0x4bc390 - VirtualFree

• 0x4bc394 - SetEnvironmentVariableA

• 0x4bc398 - LCMapStringA

• 0x4bc39c - LCMapStringW

• 0x4bc3a0 - VirtualAlloc

• 0x4bc3a4 - IsBadWritePtr

• 0x4bc3a8 - SetUnhandledExceptionFilter

• 0x4bc3ac - GetStringTypeA

• 0x4bc3b0 - GetStringTypeW

• 0x4bc3b4 - CompareStringA

• 0x4bc3b8 - CompareStringW

• 0x4bc3bc - IsBadReadPtr

• 0x4bc3c0 - IsBadCodePtr

• 0x4bc3c4 - SetStdHandle

• 0x4bc3c8 - SuspendThread

库 USER32.dll:

• 0x4bc3f4 - GetActiveWindow

• 0x4bc3f8 - SetFocus

• 0x4bc3fc - GetWindow

• 0x4bc400 - GetSysColorBrush

• 0x4bc404 - LoadStringA

• 0x4bc408 - DefWindowProcA

• 0x4bc40c - GetClassInfoA

• 0x4bc410 - IsZoomed

• 0x4bc414 - PostQuitMessage

• 0x4bc418 - CopyAcceleratorTableA

• 0x4bc41c - GetKeyState

• 0x4bc420 - TranslateAcceleratorA

• 0x4bc424 - IsWindowEnabled

• 0x4bc428 - ShowWindow

• 0x4bc42c - SystemParametersInfoA

• 0x4bc430 - LoadImageA

• 0x4bc434 - EnumDisplaySettingsA

• 0x4bc438 - ClientToScreen

• 0x4bc43c - EnableMenuItem

• 0x4bc440 - GetSubMenu

• 0x4bc444 - GetDlgCtrlID

• 0x4bc448 - CreateAcceleratorTableA

• 0x4bc44c - CreateMenu

• 0x4bc450 - ModifyMenuA

• 0x4bc454 - AppendMenuA

• 0x4bc458 - CreatePopupMenu

• 0x4bc45c - DrawIconEx

• 0x4bc460 - CreateIconFromResource

• 0x4bc464 - CreateIconFromResourceEx

• 0x4bc468 - RegisterClipboardFormatA

• 0x4bc46c - SetRectEmpty

• 0x4bc470 - GetMessageA

• 0x4bc474 - WindowFromPoint

• 0x4bc478 - DestroyAcceleratorTable

• 0x4bc47c - SetWindowRgn

• 0x4bc480 - GetMessagePos

• 0x4bc484 - ScreenToClient

• 0x4bc488 - ChildWindowFromPointEx

• 0x4bc48c - CopyRect

• 0x4bc490 - LoadBitmapA

• 0x4bc494 - WinHelpA

• 0x4bc498 - KillTimer

• 0x4bc49c - SetTimer

• 0x4bc4a0 - ReleaseCapture

• 0x4bc4a4 - GetCapture

• 0x4bc4a8 - SetCapture

• 0x4bc4ac - GetScrollRange

• 0x4bc4b0 - SetScrollRange

• 0x4bc4b4 - SetScrollPos

• 0x4bc4b8 - SetRect

• 0x4bc4bc - GetMenuCheckMarkDimensions

• 0x4bc4c0 - GetMenuState

• 0x4bc4c4 - SetMenuItemBitmaps

• 0x4bc4c8 - CheckMenuItem

• 0x4bc4cc - MoveWindow

• 0x4bc4d0 - IsIconic

• 0x4bc4d4 - InflateRect

• 0x4bc4d8 - IntersectRect

• 0x4bc4dc - DestroyIcon

• 0x4bc4e0 - PtInRect

• 0x4bc4e4 - OffsetRect

• 0x4bc4e8 - IsWindowVisible

• 0x4bc4ec - EnableWindow

• 0x4bc4f0 - RedrawWindow

• 0x4bc4f4 - GetWindowLongA

• 0x4bc4f8 - SetWindowLongA

• 0x4bc4fc - GetSysColor

• 0x4bc500 - SetActiveWindow

• 0x4bc504 - SetCursorPos

• 0x4bc508 - LoadCursorA

• 0x4bc50c - SetCursor

• 0x4bc510 - GetDC

• 0x4bc514 - FillRect

• 0x4bc518 - IsRectEmpty

• 0x4bc51c - ReleaseDC

• 0x4bc520 - IsChild

• 0x4bc524 - DestroyMenu

• 0x4bc528 - SetForegroundWindow

• 0x4bc52c - GetWindowRect

• 0x4bc530 - EqualRect

• 0x4bc534 - UpdateWindow

• 0x4bc538 - ValidateRect

• 0x4bc53c - InvalidateRect

• 0x4bc540 - GetClientRect

• 0x4bc544 - GetFocus

• 0x4bc548 - GetParent

• 0x4bc54c - GetTopWindow

• 0x4bc550 - PostMessageA

• 0x4bc554 - IsWindow

• 0x4bc558 - SetParent

• 0x4bc55c - DestroyCursor

• 0x4bc560 - SendMessageA

• 0x4bc564 - SetWindowPos

• 0x4bc568 - MessageBoxA

• 0x4bc56c - GetCursorPos

• 0x4bc570 - GetSystemMetrics

• 0x4bc574 - EmptyClipboard

• 0x4bc578 - SetClipboardData

• 0x4bc57c - OpenClipboard

• 0x4bc580 - GetClipboardData

• 0x4bc584 - CloseClipboard

• 0x4bc588 - wsprintfA

• 0x4bc58c - WaitForInputIdle

• 0x4bc590 - PeekMessageA

• 0x4bc594 - DrawFocusRect

• 0x4bc598 - DrawEdge

• 0x4bc59c - DrawFrameControl

• 0x4bc5a0 - TranslateMessage

• 0x4bc5a4 - LoadIconA

• 0x4bc5a8 - GetDesktopWindow

• 0x4bc5ac - GetClassNameA

• 0x4bc5b0 - GetWindowThreadProcessId

• 0x4bc5b4 - FindWindowA

• 0x4bc5b8 - GetDlgItem

• 0x4bc5bc - GetWindowTextA

• 0x4bc5c0 - GetForegroundWindow

• 0x4bc5c4 - SetMenu

• 0x4bc5c8 - GetMenu

• 0x4bc5cc - DeleteMenu

• 0x4bc5d0 - SetWindowTextA

• 0x4bc5d4 - GetSystemMenu

• 0x4bc5d8 - UnregisterClassA

• 0x4bc5dc - DispatchMessageA

• 0x4bc5e0 - GetWindowTextLengthA

• 0x4bc5e4 - CharUpperA

• 0x4bc5e8 - GetWindowDC

• 0x4bc5ec - BeginPaint

• 0x4bc5f0 - EndPaint

• 0x4bc5f4 - TabbedTextOutA

• 0x4bc5f8 - DrawTextA

• 0x4bc5fc - GrayStringA

• 0x4bc600 - DestroyWindow

• 0x4bc604 - CreateDialogIndirectParamA

• 0x4bc608 - EndDialog

• 0x4bc60c - GetNextDlgTabItem

• 0x4bc610 - GetWindowPlacement

• 0x4bc614 - RegisterWindowMessageA

• 0x4bc618 - GetLastActivePopup

• 0x4bc61c - GetMessageTime

• 0x4bc620 - RemovePropA

• 0x4bc624 - CallWindowProcA

• 0x4bc628 - GetPropA

• 0x4bc62c - UnhookWindowsHookEx

• 0x4bc630 - SetPropA

• 0x4bc634 - GetClassLongA

• 0x4bc638 - CallNextHookEx

• 0x4bc63c - SetWindowsHookExA

• 0x4bc640 - CreateWindowExA

• 0x4bc644 - GetMenuItemID

• 0x4bc648 - GetMenuItemCount

• 0x4bc64c - RegisterClassA

• 0x4bc650 - GetScrollPos

• 0x4bc654 - AdjustWindowRectEx

• 0x4bc658 - MapWindowPoints

• 0x4bc65c - SendDlgItemMessageA

• 0x4bc660 - ScrollWindowEx

• 0x4bc664 - IsDialogMessageA

库 GDI32.dll:

• 0x4bc030 - ExtSelectClipRgn

• 0x4bc034 - LineTo

• 0x4bc038 - MoveToEx

• 0x4bc03c - ExcludeClipRect

• 0x4bc040 - GetClipBox

• 0x4bc044 - ScaleWindowExtEx

• 0x4bc048 - SetWindowExtEx

• 0x4bc04c - CombineRgn

• 0x4bc050 - CreateRectRgn

• 0x4bc054 - FillRgn

• 0x4bc058 - CreateSolidBrush

• 0x4bc05c - GetStockObject

• 0x4bc060 - CreateFontIndirectA

• 0x4bc064 - EndPage

• 0x4bc068 - EndDoc

• 0x4bc06c - DeleteDC

• 0x4bc070 - StartDocA

• 0x4bc074 - StartPage

• 0x4bc078 - BitBlt

• 0x4bc07c - CreateCompatibleDC

• 0x4bc080 - Ellipse

• 0x4bc084 - Rectangle

• 0x4bc088 - DPtoLP

• 0x4bc08c - GetCurrentObject

• 0x4bc090 - RoundRect

• 0x4bc094 - GetTextExtentPoint32A

• 0x4bc098 - GetDeviceCaps

• 0x4bc09c - SelectClipRgn

• 0x4bc0a0 - CreatePolygonRgn

• 0x4bc0a4 - GetClipRgn

• 0x4bc0a8 - SetStretchBltMode

• 0x4bc0ac - CreateRectRgnIndirect

• 0x4bc0b0 - SetBkColor

• 0x4bc0b4 - SetWindowOrgEx

• 0x4bc0b8 - ScaleViewportExtEx

• 0x4bc0bc - SetViewportExtEx

• 0x4bc0c0 - OffsetViewportOrgEx

• 0x4bc0c4 - SetViewportOrgEx

• 0x4bc0c8 - SetMapMode

• 0x4bc0cc - SetTextColor

• 0x4bc0d0 - SetROP2

• 0x4bc0d4 - SetPolyFillMode

• 0x4bc0d8 - SetBkMode

• 0x4bc0dc - RestoreDC

• 0x4bc0e0 - GetViewportExtEx

• 0x4bc0e4 - PtVisible

• 0x4bc0e8 - RectVisible

• 0x4bc0ec - TextOutA

• 0x4bc0f0 - ExtTextOutA

• 0x4bc0f4 - Escape

• 0x4bc0f8 - GetTextMetricsA

• 0x4bc0fc - PatBlt

• 0x4bc100 - CreatePen

• 0x4bc104 - GetObjectA

• 0x4bc108 - SelectObject

• 0x4bc10c - CreateBitmap

• 0x4bc110 - CreateDCA

• 0x4bc114 - CreateCompatibleBitmap

• 0x4bc118 - GetPolyFillMode

• 0x4bc11c - GetStretchBltMode

• 0x4bc120 - GetROP2

• 0x4bc124 - GetBkColor

• 0x4bc128 - GetBkMode

• 0x4bc12c - SaveDC

• 0x4bc130 - GetTextColor

• 0x4bc134 - CreateRoundRectRgn

• 0x4bc138 - CreateEllipticRgn

• 0x4bc13c - PathToRegion

• 0x4bc140 - EndPath

• 0x4bc144 - BeginPath

• 0x4bc148 - GetWindowOrgEx

• 0x4bc14c - GetViewportOrgEx

• 0x4bc150 - GetWindowExtEx

• 0x4bc154 - GetDIBits

• 0x4bc158 - RealizePalette

• 0x4bc15c - SelectPalette

• 0x4bc160 - StretchBlt

• 0x4bc164 - DeleteObject

• 0x4bc168 - GetSystemPaletteEntries

• 0x4bc16c - LPtoDP

• 0x4bc170 - CreatePalette

• 0x4bc174 - CreateDIBitmap

库 WINSPOOL.DRV:

• 0x4bc6b8 - OpenPrinterA

• 0x4bc6bc - DocumentPropertiesA

• 0x4bc6c0 - ClosePrinter

库 ADVAPI32.dll:

• 0x4bc000 - RegQueryValueExA

• 0x4bc004 - RegOpenKeyExA

• 0x4bc008 - RegSetValueExA

• 0x4bc00c - RegDeleteValueA

• 0x4bc010 - RegDeleteKeyA

• 0x4bc014 - RegQueryValueA

• 0x4bc018 - RegCreateKeyExA

• 0x4bc01c - RegCloseKey

库 SHELL32.dll:

• 0x4bc3e4 - Shell_NotifyIconA

• 0x4bc3e8 - ShellExecuteA

• 0x4bc3ec - SHGetSpecialFolderPathA

库 ole32.dll:

• 0x4bc710 - CLSIDFromString

• 0x4bc714 - OleUninitialize

• 0x4bc718 - OleInitialize

库 OLEAUT32.dll:

• 0x4bc3d0 - LoadTypeLib

• 0x4bc3d4 - RegisterTypeLib

• 0x4bc3d8 - UnRegisterTypeLib

• 0x4bc3dc - VariantClear

库 COMCTL32.dll:

• 0x4bc024 - None

• 0x4bc028 - ImageList_Destroy

库 comdlg32.dll:

• 0x4bc6f4 - GetFileTitleA

• 0x4bc6f8 - GetSaveFileNameA

• 0x4bc6fc - GetOpenFileNameA

• 0x4bc700 - ChooseColorA

投放文件

无信息

行为分析

互斥量(Mutexes)

Local\MSCTF.Asm.MutexDefault1

执行的命令 无信息

创建的服务 无信息

启动的服务 无信息

进程

TQM______.exe PID: 2648, 上一级进程 PID: 2296

访问的文件

C:\Windows\Globalization\Sorting\sortdefault.nls
C:\Users\test\AppData\Local\Temp\j\xe7\xb3\xa1w
C:\Users\test\AppData\Local\Temp\TQM______.exe
C:\Windows\Fonts\staticcache.dat
C:\Users\test\AppData\Local\Temp\wininet.dll
C:\Users\test\Documents\key.ini

读取的文件

C:\Windows\Globalization\Sorting\sortdefault.nls
C:\Users\test\AppData\Local\Temp\j\xe7\xb3\xa1w
C:\Users\test\AppData\Local\Temp\TQM______.exe
C:\Windows\Fonts\staticcache.dat
C:\Users\test\Documents\key.ini

修改的文件 无信息

删除的文件 无信息

注册表键

HKEY_CURRENT_USER\Software\Microsoft\Multimedia\DrawDib
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\ExtendedLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane16
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\TQM______.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{03B5835F-F03C-411B-9CE2-AA23E1171E36}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{07EB03D6-B001-41DF-9192-BF9B841EE71F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3697C5FA-60DD-4B56-92D4-74A569205C16}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3FC47A08-E5C9-4BCA-A2C7-BC9A282AED14}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{531FDEBF-9B4C-4A43-A2AA-960E8FCDC732}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{78CB5B0E-26ED-4FCC-854C-77E8F3D1AA80}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{81D4E9C9-1D3B-41BC-9E6C-4B40BF79E35E}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{8613E14C-D0C0-4161-AC0F-1DD2563286BC}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{A028AE76-01B1-46C2-99C4-ACD9858AE02F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{AE6BE008-07FB-400D-8BEB-337A64F7051F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{C1EE01F2-B3B6-4A6A-9DDD-E988C088EC82}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{E429B25A-E5D3-4D1F-9BE3-0C608477E3A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F25E9F57-2FC8-4EB3-A41A-CCE5F08541E6}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F89E9E58-BD2F-4008-9AC2-0F816C09F4EE}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_CURRENT_USER
HKEY_CURRENT_USER\Keyboard Layout\Toggle
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
HKEY_CURRENT_USER\Software\Microsoft\CTF\DirectSwitchHotkeys
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\KnownClasses
HKEY_CURRENT_USER\Software\Microsoft\CTF\LayoutIcon\0804\00000804

读取的注册表键

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane16
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext

修改的注册表键 无信息

删除的注册表键 无信息

API解析

kernel32.dll.IsProcessorFeaturePresent
cryptbase.dll.SystemFunction036
kernel32.dll.SortGetHandle
kernel32.dll.SortCloseHandle
kernel32.dll.lstrcpynA
kernel32.dll.RtlMoveMemory
kernel32.dll.VirtualAlloc
kernel32.dll.LoadLibraryA
kernel32.dll.GetProcAddress
kernel32.dll.VirtualProtect
kernel32.dll.VirtualFree
comctl32.dll.ImageList_Draw
gdi32.dll.BitBlt
msimg32.dll.TransparentBlt
msvcrt.dll.free
msvfw32.dll.DrawDibOpen
user32.dll.GetDC
kernel32.dll.MulDiv
kernel32.dll.FlushInstructionCache
kernel32.dll.GetCurrentProcess
kernel32.dll.GetTickCount
kernel32.dll.VirtualQuery
kernel32.dll.SetFilePointer
kernel32.dll.GlobalAlloc
kernel32.dll.GlobalLock
kernel32.dll.GlobalUnlock
kernel32.dll.GlobalReAlloc
kernel32.dll.GlobalFree
kernel32.dll.FindResourceA
kernel32.dll.LoadResource
kernel32.dll.LockResource
kernel32.dll.SizeofResource
kernel32.dll.FreeLibrary
kernel32.dll.GetModuleFileNameA
kernel32.dll.GetModuleHandleA
kernel32.dll.GetVersion
kernel32.dll.GetCurrentThreadId
kernel32.dll.CreateFileA
kernel32.dll.GetFileSize
kernel32.dll.CloseHandle
kernel32.dll.ReadFile
kernel32.dll.SetLastError
comctl32.dll.ImageList_GetIcon
comctl32.dll.ImageList_GetImageInfo
comctl32.dll.ImageList_GetIconSize
gdi32.dll.SetWindowExtEx
gdi32.dll.SetWindowOrgEx
gdi32.dll.SetMapMode
gdi32.dll.SelectClipPath
gdi32.dll.EndPath
gdi32.dll.BeginPath
gdi32.dll.TextOutA
gdi32.dll.GetClipRgn
gdi32.dll.GetPixel
gdi32.dll.CreatePatternBrush
gdi32.dll.CreateFontIndirectA
gdi32.dll.SetViewportOrgEx
gdi32.dll.GetStockObject
gdi32.dll.GetTextExtentPoint32A
gdi32.dll.CreateRoundRectRgn
gdi32.dll.CreateFontA
gdi32.dll.SetViewportExtEx
gdi32.dll.SelectClipRgn
gdi32.dll.SelectObject
gdi32.dll.CreateCompatibleDC
gdi32.dll.DeleteDC
gdi32.dll.OffsetRgn
gdi32.dll.CombineRgn
gdi32.dll.CreateRectRgn
gdi32.dll.CreatePen
gdi32.dll.ExtCreateRegion
gdi32.dll.DeleteObject
gdi32.dll.Rectangle
gdi32.dll.SetPixel
gdi32.dll.PtInRegion
gdi32.dll.SetTextColor
gdi32.dll.SetBkMode
gdi32.dll.PatBlt
gdi32.dll.CreateDIBSection
gdi32.dll.GetObjectA
gdi32.dll.CreateCompatibleBitmap
gdi32.dll.GetTextExtentPointA
gdi32.dll.ExtTextOutA
gdi32.dll.ExtTextOutW
gdi32.dll.SetBkColor
gdi32.dll.GetTextColor
gdi32.dll.CreateSolidBrush
msvcrt.dll.??3@YAXPAX@Z
msvcrt.dll.__CxxFrameHandler
msvcrt.dll.??2@YAPAXI@Z
msvcrt.dll._ftol
msvcrt.dll._mbsstr
msvcrt.dll._mbscmp
msvcrt.dll.__dllonexit
msvcrt.dll.malloc
msvcrt.dll._initterm
msvcrt.dll._adjust_fdiv
msvcrt.dll._onexit
msvcrt.dll.memcpy
msvfw32.dll.DrawDibDraw
msvfw32.dll.DrawDibClose
user32.dll.SetWindowsHookExA
user32.dll.UnhookWindowsHookEx
user32.dll.CallNextHookEx
user32.dll.GetClassNameA
user32.dll.IsWindow
user32.dll.EnumThreadWindows
user32.dll.EnumChildWindows
user32.dll.LockWindowUpdate
user32.dll.DestroyIcon
user32.dll.DrawStateA
user32.dll.ShowWindow
user32.dll.GetMenuItemID
user32.dll.GetWindowRgn
user32.dll.SetMenu
user32.dll.GetMenu
user32.dll.GetSubMenu
user32.dll.TrackPopupMenu
user32.dll.CreateWindowExA
user32.dll.DestroyWindow
user32.dll.GetWindowInfo
user32.dll.SetWindowPos
user32.dll.GetClassLongA
user32.dll.ScreenToClient
user32.dll.SystemParametersInfoA
user32.dll.GetSystemMetrics
user32.dll.MenuItemFromPoint
user32.dll.GetMenuItemRect
user32.dll.GetMenuItemCount
user32.dll.SetMenuItemInfoA
user32.dll.IsMenu
user32.dll.GetUpdateRect
user32.dll.EqualRect
user32.dll.ShowScrollBar
user32.dll.SetWindowRgn
user32.dll.WindowFromDC
user32.dll.MoveWindow
user32.dll.GetSysColor
user32.dll.EnableScrollBar
user32.dll.GetScrollBarInfo
user32.dll.GetCapture
user32.dll.SetScrollPos
user32.dll.SetScrollInfo
user32.dll.GetScrollRange
user32.dll.GetScrollPos
user32.dll.GetScrollInfo
user32.dll.ReleaseDC
user32.dll.GetWindowDC
user32.dll.GetDCEx
user32.dll.EndPaint
user32.dll.BeginPaint
user32.dll.GetWindowLongW
user32.dll.SetWindowLongW
user32.dll.SetWindowLongA
user32.dll.ClientToScreen
user32.dll.FindWindowExA
user32.dll.GetMenuItemInfoA
user32.dll.GetParent
user32.dll.GetComboBoxInfo
user32.dll.TrackMouseEvent
user32.dll.GetIconInfo
user32.dll.GetClientRect
user32.dll.GetFocus
user32.dll.InflateRect
user32.dll.InvalidateRect
user32.dll.SetPropA
user32.dll.RemovePropA
user32.dll.CallWindowProcA
user32.dll.GetPropA
user32.dll.SetTimer
user32.dll.OffsetRect
user32.dll.KillTimer
user32.dll.EnableWindow
user32.dll.GetWindowLongA
user32.dll.SetRectEmpty
user32.dll.DrawIconEx
user32.dll.GetWindowTextA
user32.dll.DrawTextA
user32.dll.IsRectEmpty
user32.dll.IsIconic
user32.dll.IsZoomed
user32.dll.GetSystemMenu
user32.dll.GetMenuState
user32.dll.ReleaseCapture
user32.dll.GetMessageA
user32.dll.SetScrollRange
user32.dll.DispatchMessageA
user32.dll.SetRect
user32.dll.IsWindowVisible
user32.dll.RegisterClassExA
user32.dll.DefWindowProcA
user32.dll.IsWindowEnabled
user32.dll.SendMessageA
user32.dll.GetCursorPos
user32.dll.LoadCursorA
user32.dll.SetCursor
user32.dll.GetWindowRect
user32.dll.PtInRect
user32.dll.SetCapture
user32.dll.UpdateLayeredWindow
user32.dll.SetLayeredWindowAttributes
dciman32.dll.DCIOpenProvider
dciman32.dll.DCICloseProvider
dciman32.dll.DCICreatePrimary
dciman32.dll.DCIEndAccess
dciman32.dll.DCIBeginAccess
dciman32.dll.DCIDestroy
comctl32.dll.RegisterClassNameW
uxtheme.dll.EnableThemeDialogTexture
uxtheme.dll.OpenThemeData
imm32.dll.ImmIsIME
gdi32.dll.GetLayout
gdi32.dll.GdiRealizationInfo
gdi32.dll.FontIsLinked
advapi32.dll.RegOpenKeyExW
advapi32.dll.RegQueryInfoKeyW
gdi32.dll.GetTextFaceAliasW
advapi32.dll.RegEnumValueW
advapi32.dll.RegCloseKey
advapi32.dll.RegQueryValueExW
advapi32.dll.RegQueryValueExA
advapi32.dll.RegEnumKeyExW
gdi32.dll.GetTextExtentExPointWPri
wininet.dll.InternetOpenA
wininet.dll.InternetConnectA
wininet.dll.HttpOpenRequestA
wininet.dll.HttpSendRequestA
rasapi32.dll.RasConnectionNotificationW
sechost.dll.NotifyServiceStatusChangeA
wininet.dll.InternetReadFile
wininet.dll.InternetCloseHandle
gdi32.dll.GetFontAssocStatus
ole32.dll.CoInitializeEx
ole32.dll.CoUninitialize
ole32.dll.CoRegisterInitializeSpy
ole32.dll.CoRevokeInitializeSpy
imm32.dll.ImmGetContext
imm32.dll.ImmLockIMC
imm32.dll.ImmUnlockIMC
imm32.dll.ImmReleaseContext
imm32.dll.ImmSetCompositionFontW
imm32.dll.ImmGetCompositionWindow
imm32.dll.ImmSetCompositionWindow
uxtheme.dll.BufferedPaintInit
uxtheme.dll.BeginBufferedPaint
uxtheme.dll.EndBufferedPaint
oleaut32.dll.SysAllocString
oleaut32.dll.SysStringLen
oleaut32.dll.SysFreeString