魔盾安全分析报告

分析类型	开始时间	结束时间	持续时间	分析引擎版本
FILE	2017-05-12 22:07:29	2017-05-12 22:09:56	147 秒	1.4-Maldun

虚拟机机器名	标签	虚拟机管理	开机时间	关机时间
win7-sp1-x64-shaapp01-1	win7-sp1-x64-shaapp01-1	KVM	2017-05-12 22:07:30	2017-05-12 22:09:56

魔盾分数
10.0 Adware

文件详细信息

文件名	Vstrat
文件大小	2755248 字节
文件类型	PE32 executable (GUI) Intel 80386, for MS Windows
CRC32	D97BA19C
MD5	5a71c47f8a7932e7d556a0618739a915
SHA1	e67b3a3ff81d66cd94ce56b88a4228922b7cf4e9
SHA256	d248ae56f22a0abfabe57dae428981b170e363c956a78d587ad515926d0c0580
SHA512	dbce8898d66f8cbfcc0c58cb347ed6d8d271059e3aa50c5317d14e7453456b38b4e59889cc179018f065118b0fb4f7c6b86fe47f28c54ae721f634ae0149f70d
Ssdeep	49152:LDjBK2u57gXkhoFKVbz8fPKLPpRAHV0X3:XdnFc/8fPoBRAH6
PEiD	无匹配
Yara	MD5_Constants (Look for MD5 constants) SEH__vba ()
VirusTotal	VirusTotal链接 VirusTotal扫描时间: 2017-05-12 13:56:43 扫描结果: 26/60

特征

在加密调用中发现至少一个IP地址，域名，或文件名

ioc: tart.picButton

ioc: tart.mySplit2

ioc: 444432.000

ioc: http://www.3lsoft.com/0

从文件自身的二进制镜像中读取数据

self_read: process: Vstrat.exe, pid: 2272, offset: 0x00000000, length: 0x002a0000

文件已被至少十个VirusTotal上的反病毒引擎检测为病毒

Bkav: W32.HfsAdware.7AD3

K7AntiVirus: Riskware ( 0040eff71 )

nProtect: Trojan/W32.Inject.2755248

CAT-QuickHeal: Trojan.Inject

Zillya: Adware.AdwapperCRT.Win32.838

K7GW: Riskware ( 0040eff71 )

Symantec: Trojan.Gen.2

TrendMicro-HouseCall: TROJ_GEN.R0EBC0OD217

GData: Win32.Trojan.Agent.CSSGC8

NANO-Antivirus: Trojan.Win32.Inject.eluran

Emsisoft: Application.AdSoft (A)

DrWeb: Adware.Softcnapp.1

VIPRE: Trojan.Win32.Generic!BT

McAfee-GW-Edition: Artemis!Trojan

Sophos: Generic PUA OG (PUA)

Cyren: W32/Application.IBQP-7008

Webroot: W32.Adware.Gen

Avira: TR/Injector.ejnsh

Microsoft: BrowserModifier:Win32/Xiazai

McAfee: Artemis!5A71C47F8A79

AVware: Trojan.Win32.Generic!BT

VBA32: Trojan.Inject

Panda: PUP/AdvertisingApps

Yandex: Trojan.Inject!w1ZjIS7FO+w

AVG: AdPlugin.WGB

Avast: Win32:Adware-gen [Adw]

运行截图

网络分析

TCP连接

IP地址	端口
23.41.75.27	80

UDP连接

IP地址	端口
192.168.21.1	53

HTTP请求

URL	HTTP数据
http://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD%2BOyl%2B0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEFIA5aolVvwahu2WydRLM8c%3D	GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD%2BOyl%2B0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEFIA5aolVvwahu2WydRLM8c%3D HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Microsoft-CryptoAPI/6.1 Host: ocsp.verisign.com
http://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTSqZMG5M8TA9rdzkbCnNwuMAd5VgQUz5mp6nsm9EvJjo%2FX8AUm7%2BPSp50CEGlOLg7OygwUEOx1UyT01EY%3D	GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTSqZMG5M8TA9rdzkbCnNwuMAd5VgQUz5mp6nsm9EvJjo%2FX8AUm7%2BPSp50CEGlOLg7OygwUEOx1UyT01EY%3D HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Microsoft-CryptoAPI/6.1 Host: ocsp.verisign.com

URL

HTTP数据

http://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD%2BOyl%2B0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEFIA5aolVvwahu2WydRLM8c%3D

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD%2BOyl%2B0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEFIA5aolVvwahu2WydRLM8c%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com

http://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTSqZMG5M8TA9rdzkbCnNwuMAd5VgQUz5mp6nsm9EvJjo%2FX8AUm7%2BPSp50CEGlOLg7OygwUEOx1UyT01EY%3D

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTSqZMG5M8TA9rdzkbCnNwuMAd5VgQUz5mp6nsm9EvJjo%2FX8AUm7%2BPSp50CEGlOLg7OygwUEOx1UyT01EY%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com

静态分析

PE 信息

初始地址	0x00400000
入口地址	0x004127c4
声明校验值	0x002a5aff
实际校验值	0x002a5aff
最低操作系统版本要求	4.0
编译时间	2014-10-14 11:53:25
载入哈希	759ba7b8ba859a9e92400a80c1922019
图标
图标精确哈希值	09b54e6df16799d64b8c40f0c3babc10
图标相似性哈希值	c3e2d21e7d7c09b689a24571b390a8fc

版本信息

Translation:	0x0804 0x04b0
LegalCopyright:	http://www.3lsoft.com
InternalName:	VStart
FileVersion:	5.06
CompanyName:	3L\x8f6f\x4ef6\x5de5\x4f5c\x5ba4(3LSoft)
LegalTrademarks:	http://www.3lsoft.com
Comments:	http://www.3lsoft.com
ProductName:	\x97f3\x901f\x542f\x52a8(VStart)
ProductVersion:	5.06
FileDescription:	\x97f3\x901f\x542f\x52a8 - \x60a8\x7684\x542f\x52a8\x4e13\x5bb6
OriginalFilename:	VStart.exe

PE数据组成

名称	虚拟地址	虚拟大小	原始数据大小	特征	熵(Entropy)
.text	0x00001000	0x0027ce2c	0x0027d000	IMAGE_SCN_CNT_CODE\|IMAGE_SCN_MEM_EXECUTE\|IMAGE_SCN_MEM_READ	6.09
.data	0x0027e000	0x000233e0	0x00001000	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ\|IMAGE_SCN_MEM_WRITE	0.00
.rsrc	0x002a2000	0x0001f454	0x00020000	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ	7.56

覆盖

偏移量:	0x0029f000
大小:	0x00001ab0

资源

名称	偏移量	大小	语言	子语言	熵(Entropy)	文件类型
RT_CURSOR	0x002c0cfc	0x000002ec	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	1.79	data
RT_CURSOR	0x002c0cfc	0x000002ec	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	1.79	data
RT_CURSOR	0x002c0cfc	0x000002ec	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	1.79	data
RT_ICON	0x002a2940	0x00000468	LANG_NEUTRAL	SUBLANG_NEUTRAL	6.52	GLS_BINARY_LSB_FIRST
RT_ICON	0x002a2940	0x00000468	LANG_NEUTRAL	SUBLANG_NEUTRAL	6.52	GLS_BINARY_LSB_FIRST
RT_ICON	0x002a2940	0x00000468	LANG_NEUTRAL	SUBLANG_NEUTRAL	6.52	GLS_BINARY_LSB_FIRST
RT_ICON	0x002a2940	0x00000468	LANG_NEUTRAL	SUBLANG_NEUTRAL	6.52	GLS_BINARY_LSB_FIRST
RT_ICON	0x002a2940	0x00000468	LANG_NEUTRAL	SUBLANG_NEUTRAL	6.52	GLS_BINARY_LSB_FIRST
RT_ICON	0x002a2940	0x00000468	LANG_NEUTRAL	SUBLANG_NEUTRAL	6.52	GLS_BINARY_LSB_FIRST
RT_ICON	0x002a2940	0x00000468	LANG_NEUTRAL	SUBLANG_NEUTRAL	6.52	GLS_BINARY_LSB_FIRST
RT_ICON	0x002a2940	0x00000468	LANG_NEUTRAL	SUBLANG_NEUTRAL	6.52	GLS_BINARY_LSB_FIRST
RT_ICON	0x002a2940	0x00000468	LANG_NEUTRAL	SUBLANG_NEUTRAL	6.52	GLS_BINARY_LSB_FIRST
RT_ICON	0x002a2940	0x00000468	LANG_NEUTRAL	SUBLANG_NEUTRAL	6.52	GLS_BINARY_LSB_FIRST
RT_ICON	0x002a2940	0x00000468	LANG_NEUTRAL	SUBLANG_NEUTRAL	6.52	GLS_BINARY_LSB_FIRST
RT_STRING	0x002c1250	0x00000022	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	0.38	data
RT_STRING	0x002c1250	0x00000022	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	0.38	data
RT_STRING	0x002c1250	0x00000022	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	0.38	data
RT_STRING	0x002c1250	0x00000022	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	0.38	data
RT_STRING	0x002c1250	0x00000022	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	0.38	data
RT_STRING	0x002c1250	0x00000022	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	0.38	data
RT_GROUP_CURSOR	0x002c0cc0	0x00000014	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	2.32	MS Windows cursor resource - 1 icon, 40x16, hotspot @64x0
RT_GROUP_CURSOR	0x002c0cc0	0x00000014	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	2.32	MS Windows cursor resource - 1 icon, 40x16, hotspot @64x0
RT_GROUP_CURSOR	0x002c0cc0	0x00000014	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	2.32	MS Windows cursor resource - 1 icon, 40x16, hotspot @64x0
RT_GROUP_ICON	0x002a28a0	0x000000a0	LANG_NEUTRAL	SUBLANG_NEUTRAL	3.60	MS Windows icon resource - 11 icons, 16x16, 16 colors
RT_VERSION	0x002a2550	0x00000350	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	3.64	data

导入

库 MSVBVM60.DLL:

• 0x401000 - EVENT_SINK_GetIDsOfNames

• 0x401004 - __vbaR8FixI4

• 0x401008 - __vbaVarTstGt

• 0x40100c - __vbaVarSub

• 0x401010 - __vbaStrI2

• 0x401014 - None

• 0x401018 - _CIcos

• 0x40101c - _adj_fptan

• 0x401020 - __vbaStrI4

• 0x401024 - __vbaVarMove

• 0x401028 - None

• 0x40102c - __vbaVarVargNofree

• 0x401030 - __vbaAryMove

• 0x401034 - __vbaFreeVar

• 0x401038 - None

• 0x40103c - __vbaLineInputStr

• 0x401040 - None

• 0x401044 - __vbaLateIdCall

• 0x401048 - __vbaLenBstr

• 0x40104c - __vbaStrVarMove

• 0x401050 - None

• 0x401054 - __vbaVarIdiv

• 0x401058 - __vbaPut3

• 0x40105c - __vbaFreeVarList

• 0x401060 - __vbaEnd

• 0x401064 - _adj_fdiv_m64

• 0x401068 - None

• 0x40106c - __vbaPut4

• 0x401070 - EVENT_SINK_Invoke

• 0x401074 - __vbaNextEachVar

• 0x401078 - __vbaRaiseEvent

• 0x40107c - __vbaFreeObjList

• 0x401080 - None

• 0x401084 - __vbaVarIndexLoadRef

• 0x401088 - __vbaStrErrVarCopy

• 0x40108c - __vbaVarFix

• 0x401090 - _adj_fprem1

• 0x401094 - __vbaRecAnsiToUni

• 0x401098 - None

• 0x40109c - None

• 0x4010a0 - __vbaI2Abs

• 0x4010a4 - __vbaResume

• 0x4010a8 - __vbaCopyBytes

• 0x4010ac - __vbaForEachCollAd

• 0x4010b0 - None

• 0x4010b4 - __vbaVarCmpNe

• 0x4010b8 - __vbaStrCat

• 0x4010bc - __vbaError

• 0x4010c0 - None

• 0x4010c4 - None

• 0x4010c8 - __vbaLsetFixstr

• 0x4010cc - None

• 0x4010d0 - __vbaRecDestruct

• 0x4010d4 - __vbaSetSystemError

• 0x4010d8 - None

• 0x4010dc - None

• 0x4010e0 - __vbaLenBstrB

• 0x4010e4 - __vbaHresultCheckObj

• 0x4010e8 - __vbaNameFile

• 0x4010ec - None

• 0x4010f0 - None

• 0x4010f4 - __vbaVargVarCopy

• 0x4010f8 - __vbaLenVar

• 0x4010fc - _adj_fdiv_m32

• 0x401100 - None

• 0x401104 - __vbaAryVar

• 0x401108 - __vbaVarTstLe

• 0x40110c - Zombie_GetTypeInfo

• 0x401110 - __vbaVarXor

• 0x401114 - __vbaVarCmpGe

• 0x401118 - __vbaAryDestruct

• 0x40111c - None

• 0x401120 - __vbaVarIndexLoadRefLock

• 0x401124 - __vbaLateMemSt

• 0x401128 - __vbaBoolStr

• 0x40112c - __vbaStrBool

• 0x401130 - None

• 0x401134 - __vbaVarForInit

• 0x401138 - __vbaForEachCollObj

• 0x40113c - __vbaExitProc

• 0x401140 - None

• 0x401144 - __vbaI4Abs

• 0x401148 - None

• 0x40114c - None

• 0x401150 - __vbaOnError

• 0x401154 - __vbaObjSet

• 0x401158 - None

• 0x40115c - None

• 0x401160 - _adj_fdiv_m16i

• 0x401164 - None

• 0x401168 - __vbaObjSetAddref

• 0x40116c - _adj_fdivr_m16i

• 0x401170 - __vbaVarIndexLoad

• 0x401174 - None

• 0x401178 - None

• 0x40117c - None

• 0x401180 - __vbaFpR4

• 0x401184 - None

• 0x401188 - __vbaForEachCollVar

• 0x40118c - __vbaStrFixstr

• 0x401190 - __vbaBoolVar

• 0x401194 - None

• 0x401198 - None

• 0x40119c - None

• 0x4011a0 - __vbaFPFix

• 0x4011a4 - None

• 0x4011a8 - None

• 0x4011ac - __vbaRefVarAry

• 0x4011b0 - __vbaVargVar

• 0x4011b4 - __vbaVarTstLt

• 0x4011b8 - __vbaBoolVarNull

• 0x4011bc - __vbaFpR8

• 0x4011c0 - _CIsin

• 0x4011c4 - None

• 0x4011c8 - None

• 0x4011cc - __vbaErase

• 0x4011d0 - None

• 0x4011d4 - __vbaVarCmpGt

• 0x4011d8 - None

• 0x4011dc - __vbaVargVarMove

• 0x4011e0 - None

• 0x4011e4 - __vbaLateMemStAd

• 0x4011e8 - __vbaNextEachCollObj

• 0x4011ec - __vbaChkstk

• 0x4011f0 - None

• 0x4011f4 - __vbaFileClose

• 0x4011f8 - EVENT_SINK_AddRef

• 0x4011fc - __vbaVarAbs

• 0x401200 - None

• 0x401204 - __vbaGenerateBoundsError

• 0x401208 - __vbaGet3

• 0x40120c - None

• 0x401210 - __vbaStrCmp

• 0x401214 - __vbaGet4

• 0x401218 - __vbaPutOwner3

• 0x40121c - __vbaAryConstruct2

• 0x401220 - __vbaVarTstEq

• 0x401224 - __vbaDateR8

• 0x401228 - __vbaPutOwner4

• 0x40122c - __vbaR4Str

• 0x401230 - __vbaNextEachCollVar

• 0x401234 - __vbaObjVar

• 0x401238 - __vbaPrintObj

• 0x40123c - __vbaI2I4

• 0x401240 - None

• 0x401244 - DllFunctionCall

• 0x401248 - None

• 0x40124c - __vbaVarLateMemSt

• 0x401250 - __vbaVarOr

• 0x401254 - None

• 0x401258 - __vbaFpUI1

• 0x40125c - __vbaCastObjVar

• 0x401260 - None

• 0x401264 - __vbaLbound

• 0x401268 - __vbaRedimPreserve

• 0x40126c - __vbaStrR4

• 0x401270 - _adj_fpatan

• 0x401274 - __vbaR4Var

• 0x401278 - __vbaFixstrConstruct

• 0x40127c - None

• 0x401280 - __vbaLateIdCallLd

• 0x401284 - Zombie_GetTypeInfoCount

• 0x401288 - __vbaStrR8

• 0x40128c - __vbaRedim

• 0x401290 - __vbaRecUniToAnsi

• 0x401294 - EVENT_SINK_Release

• 0x401298 - __vbaNew

• 0x40129c - None

• 0x4012a0 - None

• 0x4012a4 - __vbaUI1I2

• 0x4012a8 - _CIsqrt

• 0x4012ac - __vbaObjIs

• 0x4012b0 - __vbaVarAnd

• 0x4012b4 - None

• 0x4012b8 - EVENT_SINK_QueryInterface

• 0x4012bc - None

• 0x4012c0 - __vbaUI1I4

• 0x4012c4 - __vbaVarMul

• 0x4012c8 - __vbaExceptHandler

• 0x4012cc - None

• 0x4012d0 - None

• 0x4012d4 - __vbaPrintFile

• 0x4012d8 - None

• 0x4012dc - __vbaStrToUnicode

• 0x4012e0 - None

• 0x4012e4 - __vbaDateStr

• 0x4012e8 - None

• 0x4012ec - _adj_fprem

• 0x4012f0 - _adj_fdivr_m64

• 0x4012f4 - None

• 0x4012f8 - __vbaR8ErrVar

• 0x4012fc - __vbaLateIdStAd

• 0x401300 - __vbaI2Str

• 0x401304 - None

• 0x401308 - __vbaVarDiv

• 0x40130c - None

• 0x401310 - None

• 0x401314 - None

• 0x401318 - None

• 0x40131c - __vbaVarCmpLe

• 0x401320 - __vbaFPException

• 0x401324 - None

• 0x401328 - __vbaInStrVar

• 0x40132c - __vbaStrCompVar

• 0x401330 - None

• 0x401334 - None

• 0x401338 - __vbaGetOwner3

• 0x40133c - __vbaUbound

• 0x401340 - __vbaStrVarVal

• 0x401344 - __vbaGetOwner4

• 0x401348 - __vbaVarCat

• 0x40134c - __vbaDateVar

• 0x401350 - __vbaLsetFixstrFree

• 0x401354 - __vbaI2Var

• 0x401358 - None

• 0x40135c - None

• 0x401360 - None

• 0x401364 - _CIlog

• 0x401368 - __vbaErrorOverflow

• 0x40136c - None

• 0x401370 - __vbaFileOpen

• 0x401374 - __vbaVarLateMemCallLdRf

• 0x401378 - __vbaVar2Vec

• 0x40137c - __vbaR8Str

• 0x401380 - None

• 0x401384 - None

• 0x401388 - __vbaInStr

• 0x40138c - __vbaNew2

• 0x401390 - __vbaVarInt

• 0x401394 - None

• 0x401398 - _adj_fdiv_m32i

• 0x40139c - None

• 0x4013a0 - _adj_fdivr_m32i

• 0x4013a4 - __vbaVarSetObj

• 0x4013a8 - None

• 0x4013ac - __vbaStrCopy

• 0x4013b0 - __vbaI4Str

• 0x4013b4 - None

• 0x4013b8 - __vbaVarNot

• 0x4013bc - __vbaVarCmpLt

• 0x4013c0 - __vbaFreeStrList

• 0x4013c4 - None

• 0x4013c8 - _adj_fdivr_m32

• 0x4013cc - __vbaR8Var

• 0x4013d0 - __vbaPowerR8

• 0x4013d4 - _adj_fdiv_r

• 0x4013d8 - None

• 0x4013dc - None

• 0x4013e0 - None

• 0x4013e4 - __vbaVarTstNe

• 0x4013e8 - None

• 0x4013ec - __vbaVarSetVar

• 0x4013f0 - __vbaI4Var

• 0x4013f4 - __vbaVarCmpEq

• 0x4013f8 - None

• 0x4013fc - None

• 0x401400 - __vbaLateMemCall

• 0x401404 - __vbaAryLock

• 0x401408 - __vbaVarAdd

• 0x40140c - None

• 0x401410 - __vbaStrToAnsi

• 0x401414 - __vbaVarDup

• 0x401418 - __vbaStrComp

• 0x40141c - None

• 0x401420 - None

• 0x401424 - __vbaVerifyVarObj

• 0x401428 - __vbaFpI2

• 0x40142c - __vbaVarMod

• 0x401430 - __vbaUnkVar

• 0x401434 - __vbaVarTstGe

• 0x401438 - __vbaVarLateMemCallLd

• 0x40143c - __vbaVarCopy

• 0x401440 - None

• 0x401444 - __vbaFpI4

• 0x401448 - __vbaVarSetObjAddref

• 0x40144c - __vbaRecDestructAnsi

• 0x401450 - __vbaLateMemCallLd

• 0x401454 - None

• 0x401458 - _CIatan

• 0x40145c - __vbaI2ErrVar

• 0x401460 - None

• 0x401464 - __vbaAryCopy

• 0x401468 - __vbaStrMove

• 0x40146c - __vbaCastObj

• 0x401470 - __vbaForEachVar

• 0x401474 - None

• 0x401478 - __vbaR8IntI4

• 0x40147c - __vbaStrVarCopy

• 0x401480 - None

• 0x401484 - None

• 0x401488 - None

• 0x40148c - _allmul

• 0x401490 - None

• 0x401494 - __vbaLateIdSt

• 0x401498 - None

• 0x40149c - _CItan

• 0x4014a0 - __vbaNextEachCollAd

• 0x4014a4 - None

• 0x4014a8 - __vbaAryUnlock

• 0x4014ac - __vbaFPInt

• 0x4014b0 - None

• 0x4014b4 - __vbaVarForNext

• 0x4014b8 - _CIexp

• 0x4014bc - __vbaMidStmtBstr

• 0x4014c0 - None

• 0x4014c4 - __vbaRecAssign

• 0x4014c8 - __vbaI4ErrVar

• 0x4014cc - __vbaFreeStr

• 0x4014d0 - __vbaFreeObj

• 0x4014d4 - None

投放文件

VIcon.VDB

文件名	VIcon.VDB
相关文件	C:\Users\test\AppData\Local\Temp\VIcon.VDB
文件大小	2 bytes
文件类型	data
MD5	c4103f122d27677c9db144cae1394a66
SHA1	1489f923c4dca729178b3e3233458550d8dddf29
SHA256	96a296d224f285c67bee93c30f8a309157f0daa35dc5b87e410b78630a09cfc7
SHA512	5ea71dc6d0b4f57bf39aadd07c208c35f06cd2bac5fde210397f70de11d439c62ec1cdf3183758865fd387fcea0bada2f6c37a4a17851dd1d78fefe6f204ee54
Ssdeep	3::
Yara	无匹配
VirusTotal	搜索相关分析

行为分析

互斥量(Mutexes)

Local\MSCTF.Asm.MutexDefault1

执行的命令 无信息

创建的服务 无信息

启动的服务 无信息

进程

Vstrat.exe PID: 2272, 上一级进程 PID: 292

访问的文件

C:\Users\test\AppData\Local\Temp\IMM32.DLL
C:\Windows\System32\imm32.dll
\Device\KsecDD
C:\Users\test\AppData\Local\Temp\Vstrat.exe.cfg
C:\Windows\sysnative\C_932.NLS
C:\Windows\sysnative\C_949.NLS
C:\Windows\sysnative\C_950.NLS
C:\Users\test\AppData\Local\Temp\Vstrat.exe
C:\Windows\System32\tzres.dll
C:\Windows\System32\COMCTL32.OCX
C:\Users\test\AppData\Local\Temp\Files\COMCTL32.OCX
C:\Windows\System32\MSWINSCK.OCX
C:\Users\test\AppData\Local\Temp\Files\MSWINSCK.OCX
C:\Windows\System32\vb6chs.dll
C:\Users\test\AppData\Local\Temp\Files\vb6chs.dll
C:\Users\test\AppData\Local\Temp\Files\vssafe2.dll
C:\Windows\System32\vssafe2.dll
C:\Users\test\AppData\Local\Temp\ChangeUser.exe
C:\Users\test\AppData\Local\Temp\ChangeUser2.exe
C:\Users\test\AppData\Local\Temp\Files\Config.ini
C:\Users\test\AppData\Local\Temp\Files\Config.bak
C:\Users\test\AppData\Local\Temp\Welcome.htm
C:\Users\test\AppData\Local\Temp\VIcon.idx
C:\Users\test\AppData\Local\Temp\VIcon.VDB
C:\Users\test\AppData\Local\Temp\User50\index.vsi
C:\Users\test\AppData\Local\Temp\User50
C:\Users\test\AppData\Local\Temp\Files\New.vbak
C:\Windows\Fonts\staticcache.dat

读取的文件

\Device\KsecDD
C:\Windows\System32\tzres.dll
C:\Users\test\AppData\Local\Temp\Vstrat.exe
C:\Users\test\AppData\Local\Temp\Files\COMCTL32.OCX
C:\Users\test\AppData\Local\Temp\Files\MSWINSCK.OCX
C:\Users\test\AppData\Local\Temp\Files\vb6chs.dll
C:\Users\test\AppData\Local\Temp\Files\Config.bak
C:\Users\test\AppData\Local\Temp\Files\Config.ini
C:\Users\test\AppData\Local\Temp\VIcon.idx
C:\Users\test\AppData\Local\Temp\VIcon.VDB
C:\Users\test\AppData\Local\Temp\Files\New.vbak
C:\Windows\Fonts\staticcache.dat

修改的文件

C:\Users\test\AppData\Local\Temp\Vstrat.exe
C:\Users\test\AppData\Local\Temp\VIcon.VDB

删除的文件 无信息

注册表键

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\WMR
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SESSION MANAGER\SafeProcessSearchMode
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\ExtendedLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Codepage
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\932
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\949
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\950
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VBA\Monitors
HKEY_CURRENT_USER\Software\Classes
HKEY_LOCAL_MACHINE\Software\Microsoft\COM3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\COM3\Com+Enabled
HKEY_CURRENT_USER\Software\Classes\CLSID\{053A1A4B-84DF-4015-9E21-3F1CACDA6EFC}
HKEY_LOCAL_MACHINE\Software\Microsoft\OLE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\MaxSxSHashCount
HKEY_CURRENT_USER\Software\Classes\CLSID\{9DE374EC-C556-4612-8DA4-8D5A83E8D261}
HKEY_CURRENT_USER\Software\Classes\CLSID\{D522D6F9-44C2-46EB-BB96-AAB0D6664802}
HKEY_CURRENT_USER\Software\Classes\CLSID\{44C1CDF7-7387-4F25-8D0D-70795CF1DE49}
HKEY_CURRENT_USER\Software\Classes\CLSID\{E5B2920C-A16C-490B-968E-57D19452897D}
HKEY_CURRENT_USER\Software\Classes\CLSID\{44C5F46A-6316-4AEB-B84E-00815D8693B7}
HKEY_CURRENT_USER\Software\Classes\CLSID\{C6F1D299-358E-42C0-BBE5-53897446763C}
HKEY_CURRENT_USER\Software\Classes\CLSID\{A65494A5-0F4A-42D2-9DEC-C6EAC00E654E}
HKEY_CURRENT_USER\Software\Classes\CLSID\{5752BB6B-68E7-4026-A966-3A29380C0DC9}
HKEY_CURRENT_USER\Software\Classes\CLSID\{F12B019B-5B44-490A-B743-FBF753398BE0}
HKEY_LOCAL_MACHINE\SOFTWARE\vstart
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\vstart\ExePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\\xe5\xbe\xae\xe8\xbd\xaf\xe9\x9b\x85\xe9\xbb\x91
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\Vstrat.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{03B5835F-F03C-411B-9CE2-AA23E1171E36}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{07EB03D6-B001-41DF-9192-BF9B841EE71F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3697C5FA-60DD-4B56-92D4-74A569205C16}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3FC47A08-E5C9-4BCA-A2C7-BC9A282AED14}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{531FDEBF-9B4C-4A43-A2AA-960E8FCDC732}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{78CB5B0E-26ED-4FCC-854C-77E8F3D1AA80}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{81D4E9C9-1D3B-41BC-9E6C-4B40BF79E35E}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{8613E14C-D0C0-4161-AC0F-1DD2563286BC}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{A028AE76-01B1-46C2-99C4-ACD9858AE02F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{AE6BE008-07FB-400D-8BEB-337A64F7051F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{C1EE01F2-B3B6-4A6A-9DDD-E988C088EC82}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{E429B25A-E5D3-4D1F-9BE3-0C608477E3A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F25E9F57-2FC8-4EB3-A41A-CCE5F08541E6}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F89E9E58-BD2F-4008-9AC2-0F816C09F4EE}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{FA445657-9379-11D6-B41A-00065B83EE53}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_CURRENT_USER
HKEY_CURRENT_USER\Keyboard Layout\Toggle
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
HKEY_CURRENT_USER\Software\Microsoft\CTF\DirectSwitchHotkeys
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext

读取的注册表键

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SESSION MANAGER\SafeProcessSearchMode
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\932
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\949
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\950
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\COM3\Com+Enabled
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\MaxSxSHashCount
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext

修改的注册表键

HKEY_LOCAL_MACHINE\SOFTWARE\vstart
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\vstart\ExePath

删除的注册表键 无信息

API解析

imm32.dll.ImmCreateContext
imm32.dll.ImmDestroyContext
imm32.dll.ImmGetContext
imm32.dll.ImmReleaseContext
imm32.dll.ImmAssociateContext
imm32.dll.ImmGetConversionStatus
imm32.dll.ImmSetConversionStatus
imm32.dll.ImmGetOpenStatus
imm32.dll.ImmSetOpenStatus
imm32.dll.ImmSetCompositionFontA
imm32.dll.ImmSetCompositionStringA
imm32.dll.ImmGetCompositionStringA
imm32.dll.ImmSetCompositionWindow
imm32.dll.ImmEscapeA
imm32.dll.ImmIsIME
imm32.dll.ImmSetCandidateWindow
imm32.dll.ImmNotifyIME
imm32.dll.ImmSimulateHotKey
cryptbase.dll.SystemFunction036
uxtheme.dll.ThemeInitApiHook
user32.dll.IsProcessDPIAware
oleaut32.dll.OleLoadPictureEx
oleaut32.dll.DispCallFunc
oleaut32.dll.LoadTypeLibEx
oleaut32.dll.UnRegisterTypeLib
oleaut32.dll.CreateTypeLib2
oleaut32.dll.VarDateFromUdate
oleaut32.dll.VarUdateFromDate
oleaut32.dll.GetAltMonthNames
oleaut32.dll.VarNumFromParseNum
oleaut32.dll.VarParseNumFromStr
oleaut32.dll.VarDecFromR4
oleaut32.dll.VarDecFromR8
oleaut32.dll.VarDecFromDate
oleaut32.dll.VarDecFromI4
oleaut32.dll.VarDecFromCy
oleaut32.dll.VarR4FromDec
oleaut32.dll.GetRecordInfoFromTypeInfo
oleaut32.dll.GetRecordInfoFromGuids
oleaut32.dll.SafeArrayGetRecordInfo
oleaut32.dll.SafeArraySetRecordInfo
oleaut32.dll.SafeArrayGetIID
oleaut32.dll.SafeArraySetIID
oleaut32.dll.SafeArrayCopyData
oleaut32.dll.SafeArrayAllocDescriptorEx
oleaut32.dll.SafeArrayCreateEx
oleaut32.dll.VarFormat
oleaut32.dll.VarFormatDateTime
oleaut32.dll.VarFormatNumber
oleaut32.dll.VarFormatPercent
oleaut32.dll.VarFormatCurrency
oleaut32.dll.VarWeekdayName
oleaut32.dll.VarMonthName
oleaut32.dll.VarAdd
oleaut32.dll.VarAnd
oleaut32.dll.VarCat
oleaut32.dll.VarDiv
oleaut32.dll.VarEqv
oleaut32.dll.VarIdiv
oleaut32.dll.VarImp
oleaut32.dll.VarMod
oleaut32.dll.VarMul
oleaut32.dll.VarOr
oleaut32.dll.VarPow
oleaut32.dll.VarSub
oleaut32.dll.VarXor
oleaut32.dll.VarAbs
oleaut32.dll.VarFix
oleaut32.dll.VarInt
oleaut32.dll.VarNeg
oleaut32.dll.VarNot
oleaut32.dll.VarRound
oleaut32.dll.VarCmp
oleaut32.dll.VarDecAdd
oleaut32.dll.VarDecCmp
oleaut32.dll.VarBstrCat
oleaut32.dll.VarCyMulI4
oleaut32.dll.VarBstrCmp
ole32.dll.CoCreateInstanceEx
ole32.dll.CLSIDFromProgIDEx
sxs.dll.SxsOleAut32MapIIDOrCLSIDToTypeLibrary
user32.dll.GetSystemMetrics
user32.dll.MonitorFromWindow
user32.dll.MonitorFromRect
user32.dll.MonitorFromPoint
user32.dll.EnumDisplayMonitors
user32.dll.GetMonitorInfoA
imm32.dll.ImmGetDefaultIMEWnd
ole32.dll.CLSIDFromOle1Class
clbcatq.dll.GetCatalogObject
clbcatq.dll.GetCatalogObject2
advapi32.dll.CryptAcquireContextA
cryptsp.dll.CryptAcquireContextA
advapi32.dll.CryptCreateHash
cryptsp.dll.CryptCreateHash
advapi32.dll.CryptHashData
cryptsp.dll.CryptHashData
advapi32.dll.CryptGetHashParam
cryptsp.dll.CryptGetHashParam
advapi32.dll.CryptDestroyHash
cryptsp.dll.CryptDestroyHash
advapi32.dll.CryptReleaseContext
cryptsp.dll.CryptReleaseContext
advapi32.dll.RegCreateKeyA
advapi32.dll.RegSetValueExA
advapi32.dll.RegCloseKey
kernel32.dll.GetModuleHandleA
kernel32.dll.GetProcAddress
kernel32.dll.IsWow64Process
kernel32.dll.GetCurrentProcess
kernel32.dll.GetVersionExA
kernel32.dll.GetSystemDirectoryA
kernel32.dll.GetFileAttributesA
kernel32.dll.GetPrivateProfileStringA
kernel32.dll._lopen
user32.dll.GetAncestor
gdi32.dll.GetLayout
gdi32.dll.GdiRealizationInfo
gdi32.dll.FontIsLinked
advapi32.dll.RegOpenKeyExW
advapi32.dll.RegQueryInfoKeyW
gdi32.dll.GetTextFaceAliasW
advapi32.dll.RegEnumValueW
advapi32.dll.RegQueryValueExW
advapi32.dll.RegQueryValueExA
advapi32.dll.RegEnumKeyExW
dwmapi.dll.DwmIsCompositionEnabled
gdi32.dll.GdiIsMetaPrintDC
ole32.dll.CoInitializeEx
ole32.dll.CoUninitialize
ole32.dll.CoRegisterInitializeSpy
ole32.dll.CoRevokeInitializeSpy