魔盾安全分析报告
| 分析类型 | 开始时间 | 结束时间 | 持续时间 | 分析引擎版本 |
|---|---|---|---|---|
| FILE | 2018-02-22 08:53:38 | 2018-02-22 08:56:07 | 149 秒 | 1.4-Maldun |
| 虚拟机机器名 | 标签 | 虚拟机管理 | 开机时间 | 关机时间 |
|---|---|---|---|---|
| win7-sp1-x64-hpdapp03-1 | win7-sp1-x64-hpdapp03-1 | KVM | 2018-02-22 08:53:45 | 2018-02-22 08:56:05 |
| 魔盾分数 |
|---|
10.0Snojan |
文件详细信息
| 文件名 | GreenBrowserGBSetup.exe |
|---|---|
| 文件大小 | 1292257 字节 |
| 文件类型 | PE32 executable (GUI) Intel 80386, for MS Windows |
| CRC32 | 8F7F31D0 |
| MD5 | 582992b52ced275b96e51fd29b3f9e14 |
| SHA1 | f6365e474ffba08abaa38370cb13743ad54850d8 |
| SHA256 | 2e8679aa7127ad2a481d36d5eb5698eda249620e2f61c2c24c55f8bfa69d43a9 |
| SHA512 | c45e56d1e28ab4e758fdc8f8e71239692d5a3d52f41fd73189595731a474ebe9e88e99f04fd89ed75b76b86d6382aa737d5020fe7ee7050c367663e2b3f8a990 |
| Ssdeep | 24576:VfOydJf48SD/NwnUqS9Oyfv6iMwnS9Lqtm1LCENj53Cwr7zOYIjPgcAuMze4:VGMJf4Rxl9GiVVt6OENj5jKjPIuMz9 |
| PEiD | 无匹配 |
| Yara | 无Yara规则匹配 |
| VirusTotal |
VirusTotal链接 VirusTotal扫描时间: 2018-02-20 08:55:31 扫描结果: 26/68 |
特征
创建RWX内存
从文件自身的二进制镜像中读取数据
self_read: process: GreenBrowserGBSetup.exe, pid: 1288, offset: 0x00100f0d, length: 0x00001a11
self_read: process: GreenBrowserGBSetup.exe, pid: 1288, offset: 0x0010362e, length: 0x000381b3
self_read: process: is-L2T45.tmp, pid: 1688, offset: 0x00000030, length: 0x00000004
投放出一个二进制文件并执行它
binary: C:\Users\test\AppData\Local\Temp\is-89IT9.tmp\is-L2T45.tmp
文件已被至少十个VirusTotal上的反病毒引擎检测为病毒
CAT-QuickHeal: Trojan.IGENERIC
McAfee: Artemis!582992B52CED
K7GW: Riskware ( 0040eff71 )
K7AntiVirus: Riskware ( 0040eff71 )
Baidu: Win32.Trojan.WisdomEyes.16070401.9500.9850
Cyren: W32/Trojan.GBPT-0305
Symantec: Trojan.Gen.2
Avast: FileRepMetagen [Malware]
Kaspersky: Trojan.Win32.Snojan.bubv
Paloalto: generic.ml
AegisLab: Troj.W32.Snojan!c
Tencent: Win32.Trojan.Snojan.Sunx
VIPRE: Trojan.Win32.Generic!BT
McAfee-GW-Edition: Artemis
Sophos: NirCmd (PUA)
Avira: TR/Snojan.vzoka
Antiy-AVL: Trojan/Win32.AGeneric
ViRobot: Trojan.Win32.S.Snojan.1292257
ZoneAlarm: Trojan.Win32.Snojan.bubv
AhnLab-V3: Trojan/Win32.Snojan.C2243813
AVware: Trojan.Win32.Generic!BT
MAX: malware (ai score=97)
Cylance: Unsafe
Ikarus: Trojan.Win32.Snojan
Fortinet: W32/Snojan.EKY!tr
AVG: FileRepMetagen [Malware]
运行截图
网络分析
静态分析
PE 信息
| 初始地址 | 0x00400000 |
|---|---|
| 入口地址 | 0x004098cc |
| 声明校验值 | 0x00000000 |
| 实际校验值 | 0x0014b74a |
| 最低操作系统版本要求 | 1.0 |
| 编译时间 | 1992-06-20 06:22:17 |
| 载入哈希 | 884310b1928934402ea6fec1dbd3cf5e |
| 图标 |  |
| 图标精确哈希值 | 30adcb5c0b2e3c35eaec2c110733c9f8 |
| 图标相似性哈希值 | c98f96d6ffe5af8d4eb0870c1dc20826 |
版本信息
| LegalCopyright: | |
| FileDescription: | GreenBrowser \x5b89\x88c5 |
| FileVersion: | |
| Comments: | \x6b64\x5b89\x88c5\x7a0b\x5e8f\x7531 Inno Setup \x521b\x5efa\x3002 |
| CompanyName: | More Quick Tools |
| Translation: | 0x0804 0x0000 |
PE数据组成
| 名称 | 虚拟地址 | 虚拟大小 | 原始数据大小 | 特征 | 熵(Entropy) |
|---|---|---|---|---|---|
| CODE | 0x00001000 | 0x00008ff0 | 0x00009000 | IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ | 6.57 |
| DATA | 0x0000a000 | 0x00000248 | 0x00000400 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE | 2.72 |
| BSS | 0x0000b000 | 0x00000e38 | 0x00000000 | IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE | 0.00 |
| .idata | 0x0000c000 | 0x00000950 | 0x00000a00 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE | 4.43 |
| .tls | 0x0000d000 | 0x00000008 | 0x00000000 | IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE | 0.00 |
| .rdata | 0x0000e000 | 0x00000018 | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_SHARED|IMAGE_SCN_MEM_READ | 0.20 |
| .reloc | 0x0000f000 | 0x000008a8 | 0x00000000 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_SHARED|IMAGE_SCN_MEM_READ | 0.00 |
| .rsrc | 0x00010000 | 0x00003000 | 0x00002400 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_SHARED|IMAGE_SCN_MEM_READ | 4.91 |
覆盖
| 偏移量: | 0x0000c800 |
| 大小: | 0x0012efe1 |
资源
| 名称 | 偏移量 | 大小 | 语言 | 子语言 | 熵(Entropy) | 文件类型 |
|---|---|---|---|---|---|---|
| RT_ICON | 0x00010ccc | 0x000008a8 | LANG_DUTCH | SUBLANG_DUTCH | 3.91 | data |
| RT_ICON | 0x00010ccc | 0x000008a8 | LANG_DUTCH | SUBLANG_DUTCH | 3.91 | data |
| RT_ICON | 0x00010ccc | 0x000008a8 | LANG_DUTCH | SUBLANG_DUTCH | 3.91 | data |
| RT_ICON | 0x00010ccc | 0x000008a8 | LANG_DUTCH | SUBLANG_DUTCH | 3.91 | data |
| RT_STRING | 0x000119f0 | 0x000000ae | LANG_NEUTRAL | SUBLANG_NEUTRAL | 3.05 | data |
| RT_STRING | 0x000119f0 | 0x000000ae | LANG_NEUTRAL | SUBLANG_NEUTRAL | 3.05 | data |
| RT_STRING | 0x000119f0 | 0x000000ae | LANG_NEUTRAL | SUBLANG_NEUTRAL | 3.05 | data |
| RT_STRING | 0x000119f0 | 0x000000ae | LANG_NEUTRAL | SUBLANG_NEUTRAL | 3.05 | data |
| RT_STRING | 0x000119f0 | 0x000000ae | LANG_NEUTRAL | SUBLANG_NEUTRAL | 3.05 | data |
| RT_STRING | 0x000119f0 | 0x000000ae | LANG_NEUTRAL | SUBLANG_NEUTRAL | 3.05 | data |
| RT_RCDATA | 0x00011aa0 | 0x0000002c | LANG_NEUTRAL | SUBLANG_NEUTRAL | 4.50 | data |
| RT_GROUP_ICON | 0x00011acc | 0x0000003e | LANG_ENGLISH | SUBLANG_ENGLISH_US | 2.65 | MS Windows icon resource - 4 icons, 16x16, 16 colors |
| RT_VERSION | 0x00011b0c | 0x0000039c | LANG_ENGLISH | SUBLANG_ENGLISH_US | 2.72 | data |
| RT_MANIFEST | 0x00011ea8 | 0x0000047e | LANG_ENGLISH | SUBLANG_ENGLISH_US | 4.96 | XML 1.0 document, ASCII text, with CRLF line terminators |
导入
库 kernel32.dll:
• 0x40c0b4 - DeleteCriticalSection
• 0x40c0b8 - LeaveCriticalSection
• 0x40c0bc - EnterCriticalSection
• 0x40c0c0 - InitializeCriticalSection
• 0x40c0c4 - VirtualFree
• 0x40c0c8 - VirtualAlloc
• 0x40c0cc - LocalFree
• 0x40c0d0 - LocalAlloc
• 0x40c0d4 - WideCharToMultiByte
• 0x40c0d8 - TlsSetValue
• 0x40c0dc - TlsGetValue
• 0x40c0e0 - MultiByteToWideChar
• 0x40c0e4 - GetModuleHandleA
• 0x40c0e8 - GetLastError
• 0x40c0ec - GetCommandLineA
• 0x40c0f0 - WriteFile
• 0x40c0f4 - SetFilePointer
• 0x40c0f8 - SetEndOfFile
• 0x40c0fc - RtlUnwind
• 0x40c100 - ReadFile
• 0x40c104 - RaiseException
• 0x40c108 - GetStdHandle
• 0x40c10c - GetFileSize
• 0x40c110 - GetSystemTime
• 0x40c114 - GetFileType
• 0x40c118 - ExitProcess
• 0x40c11c - CreateFileA
• 0x40c120 - CloseHandle
库 user32.dll:
• 0x40c128 - MessageBoxA
库 oleaut32.dll:
• 0x40c130 - VariantChangeTypeEx
• 0x40c134 - VariantCopyInd
• 0x40c138 - VariantClear
• 0x40c13c - SysStringLen
• 0x40c140 - SysAllocStringLen
库 advapi32.dll:
• 0x40c148 - RegQueryValueExA
• 0x40c14c - RegOpenKeyExA
• 0x40c150 - RegCloseKey
• 0x40c154 - OpenProcessToken
• 0x40c158 - LookupPrivilegeValueA
库 kernel32.dll:
• 0x40c160 - WriteFile
• 0x40c164 - VirtualQuery
• 0x40c168 - VirtualProtect
• 0x40c16c - VirtualFree
• 0x40c170 - VirtualAlloc
• 0x40c174 - Sleep
• 0x40c178 - SizeofResource
• 0x40c17c - SetLastError
• 0x40c180 - SetFilePointer
• 0x40c184 - SetErrorMode
• 0x40c188 - SetEndOfFile
• 0x40c18c - RemoveDirectoryA
• 0x40c190 - ReadFile
• 0x40c194 - LockResource
• 0x40c198 - LoadResource
• 0x40c19c - LoadLibraryA
• 0x40c1a0 - IsDBCSLeadByte
• 0x40c1a4 - GetWindowsDirectoryA
• 0x40c1a8 - GetVersionExA
• 0x40c1ac - GetUserDefaultLangID
• 0x40c1b0 - GetSystemInfo
• 0x40c1b4 - GetSystemDefaultLCID
• 0x40c1b8 - GetProcAddress
• 0x40c1bc - GetModuleHandleA
• 0x40c1c0 - GetModuleFileNameA
• 0x40c1c4 - GetLocaleInfoA
• 0x40c1c8 - GetLastError
• 0x40c1cc - GetFullPathNameA
• 0x40c1d0 - GetFileSize
• 0x40c1d4 - GetFileAttributesA
• 0x40c1d8 - GetExitCodeProcess
• 0x40c1dc - GetEnvironmentVariableA
• 0x40c1e0 - GetCurrentProcess
• 0x40c1e4 - GetCommandLineA
• 0x40c1e8 - GetACP
• 0x40c1ec - InterlockedExchange
• 0x40c1f0 - FormatMessageA
• 0x40c1f4 - FindResourceA
• 0x40c1f8 - DeleteFileA
• 0x40c1fc - CreateProcessA
• 0x40c200 - CreateFileA
• 0x40c204 - CreateDirectoryA
• 0x40c208 - CloseHandle
库 user32.dll:
• 0x40c210 - TranslateMessage
• 0x40c214 - SetWindowLongA
• 0x40c218 - PeekMessageA
• 0x40c21c - MsgWaitForMultipleObjects
• 0x40c220 - MessageBoxA
• 0x40c224 - LoadStringA
• 0x40c228 - ExitWindowsEx
• 0x40c22c - DispatchMessageA
• 0x40c230 - DestroyWindow
• 0x40c234 - CreateWindowExA
• 0x40c238 - CallWindowProcA
• 0x40c23c - CharPrevA
库 comctl32.dll:
• 0x40c244 - InitCommonControls
库 advapi32.dll:
• 0x40c24c - AdjustTokenPrivileges
投放文件
_shfoldr.dll
| 文件名 | _shfoldr.dll |
|---|---|
| 相关文件 |
|
| 文件大小 | 23312 bytes |
| 文件类型 | PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows |
| MD5 | 92dc6ef532fbb4a5c3201469a5b5eb63 |
| SHA1 | 3e89ff837147c16b4e41c30d6c796374e0b8e62c |
| SHA256 | 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87 |
| SHA512 | 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3 |
| Ssdeep | 384:+Vm08QoKkiWZ76UJuP71W55iWHHoSHigH2euwsHTGHVb+VHHmnH+aHjHqLHxmoq1:2m08QotiCjJuPGw4 |
| VirusTotal | 搜索相关分析 |
_setup64.tmp
| 文件名 | _setup64.tmp |
|---|---|
| 相关文件 |
|
| 文件大小 | 5632 bytes |
| 文件类型 | PE32+ executable (console) x86-64, for MS Windows |
| MD5 | b4604f8cd050d7933012ae4aa98e1796 |
| SHA1 | 36b7d966c7f87860cd6c46096b397aa23933df8e |
| SHA256 | b50b7ac03ec6da865bf4504c7ac1e52d9f5b67c7bcb3ec0db59fab24f1b471c5 |
| SHA512 | 3057aa4810245da0b340e1c70201e5ce528cfdc5a164915e7b11855e3a5b9ba0ed77fbc542f5e4eb296ea65af88f263647b577151068636ba188d8c4fd44e431 |
| Ssdeep | 48:SvTmfWvPcXegCWUo1vlZwrAxoONfHFZONfH3d1xCWMBgW2p3SS4k+bkg6j0K:nfkcXegjJ/ZgYNzcld1xamW2pCSKv |
| VirusTotal | 搜索相关分析 |
_RegDLL.tmp
| 文件名 | _RegDLL.tmp |
|---|---|
| 相关文件 |
|
| 文件大小 | 3584 bytes |
| 文件类型 | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5 | c594b792b9c556ea62a30de541d2fb03 |
| SHA1 | 69e0207515e913243b94c2d3a116d232ff79af5f |
| SHA256 | 5dcc1e0a197922907bca2c4369f778bd07ee4b1bbbdf633e987a028a314d548e |
| SHA512 | 387bd07857b0de67c04e0abf89b754691683f30515726045ff382da9b6b7f36570e38fae9eca5c4f0110ce9bb421d8045a5ec273c4c47b5831948564763ed144 |
| Ssdeep | 48:iAnz1hEU3FR/pmqBl8/QMCBaquEMx5BCwSS4k+bkguj0K:pz1eEFNcqBC/Qrex5MSKD |
| VirusTotal | 搜索相关分析 |
is-L2T45.tmp
| 文件名 | is-L2T45.tmp |
|---|---|
| 相关文件 |
|
| 文件大小 | 668160 bytes |
| 文件类型 | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5 | 46570158ccae518dcf05602fea3e1bd8 |
| SHA1 | c71f09e0a4fcf9061fe8de67defb569361ed90b0 |
| SHA256 | eb289ef14e8f3b47081e1168690d1d95185dbfd1c3cdc5bfb074fd76a42cead0 |
| SHA512 | 2721915717efd108cae39326d3644ecb55d1c47586e280b3f04f1b7f6a799ad9c0daaa3a410e667eaf7bed0265c9fee54cb899424d0935c2e6ab6ed896d29f97 |
| Ssdeep | 12288:E23BlFs8prPg373zHIA6VNiyTFUPHgOcAKaNuq4w7RmdCm6vxe:pBlFs8prPg373zHIA67AADAZm6vxe |
| VirusTotal | 搜索相关分析 |
行为分析
互斥量(Mutexes)
- Local\MSCTF.Asm.MutexDefault1
执行的命令
- "C:\Users\test\AppData\Local\Temp\is-89IT9.tmp\is-L2T45.tmp" /SL4 $2012A "C:\Users\test\AppData\Local\Temp\GreenBrowserGBSetup.exe" 1052429 51200
创建的服务
无信息
启动的服务
无信息
进程
GreenBrowserGBSetup.exe PID: 1288, 上一级进程 PID: 284
is-L2T45.tmp PID: 1688, 上一级进程 PID: 1288
访问的文件
- C:\Windows\SysWOW64\zh-CN\KERNELBASE.dll.mui
- C:\Users\test\AppData\Local\Temp\netmsg.dll
- C:\Windows\System32\netmsg.dll
- C:\Users\test\AppData\Local\Temp\GreenBrowserGBSetup.exe
- C:\Users\test\AppData\Local\Temp
- C:\Users\test\AppData\Local\Temp\is-89IT9.tmp
- C:\Users\test\AppData\Local\Temp\is-89IT9.tmp\is-L2T45.tmp
- C:\Windows\Globalization\Sorting\sortdefault.nls
- \Device\KsecDD
- C:\Users\test\AppData\Local\Temp\is-89IT9.tmp\netmsg.dll
- C:\Users\test\AppData\Local\Temp\is-K0B08.tmp
- C:\Users\test\AppData\Local\Temp\is-K0B08.tmp\_isetup
- C:\Users\test\AppData\Local\Temp\is-K0B08.tmp\_isetup\_RegDLL.tmp
- C:\Users\test\AppData\Local\Temp\is-K0B08.tmp\_isetup\_setup64.tmp
- C:\Users\test\AppData\Local\Temp\is-K0B08.tmp\_isetup\_shfoldr.dll
- C:\Windows\Fonts\staticcache.dat
- c:\directory
- C:\Windows\System32\imageres.dll
- C:\Windows\System32\zh-CN\imageres.dll.mui
- C:\Windows\sysnative\zh-CN\imageres.dll.mui
- C:\Windows\System32\zh-Hans\imageres.dll.mui
- C:\Windows\System32\zh\imageres.dll.mui
- C:\Windows\System32\en-US\imageres.dll.mui
- \??\MountPointManager
- C:\Users\test\AppData\Roaming\Microsoft\Windows\Start Menu\Programs
读取的文件
- C:\Windows\SysWOW64\zh-CN\KERNELBASE.dll.mui
- C:\Windows\System32\netmsg.dll
- C:\Users\test\AppData\Local\Temp\GreenBrowserGBSetup.exe
- C:\Windows\Globalization\Sorting\sortdefault.nls
- \Device\KsecDD
- C:\Users\test\AppData\Local\Temp\is-89IT9.tmp\is-L2T45.tmp
- C:\Users\test\AppData\Local\Temp\is-K0B08.tmp\_isetup\_RegDLL.tmp
- C:\Users\test\AppData\Local\Temp\is-K0B08.tmp\_isetup\_setup64.tmp
- C:\Users\test\AppData\Local\Temp\is-K0B08.tmp\_isetup\_shfoldr.dll
- C:\Windows\Fonts\staticcache.dat
- C:\Windows\System32\imageres.dll
- C:\Windows\System32\zh-CN\imageres.dll.mui
- C:\Windows\sysnative\zh-CN\imageres.dll.mui
- C:\Windows\System32\zh-Hans\imageres.dll.mui
- C:\Windows\System32\zh\imageres.dll.mui
- C:\Windows\System32\en-US\imageres.dll.mui
修改的文件
- C:\Users\test\AppData\Local\Temp\is-89IT9.tmp\is-L2T45.tmp
- C:\Users\test\AppData\Local\Temp\is-K0B08.tmp\_isetup\_RegDLL.tmp
- C:\Users\test\AppData\Local\Temp\is-K0B08.tmp\_isetup\_setup64.tmp
- C:\Users\test\AppData\Local\Temp\is-K0B08.tmp\_isetup\_shfoldr.dll
删除的文件
无信息
注册表键
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\WMR
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\is-L2T45.tmp
- HKEY_LOCAL_MACHINE\Software\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{03B5835F-F03C-411B-9CE2-AA23E1171E36}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{07EB03D6-B001-41DF-9192-BF9B841EE71F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3697C5FA-60DD-4B56-92D4-74A569205C16}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3FC47A08-E5C9-4BCA-A2C7-BC9A282AED14}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{531FDEBF-9B4C-4A43-A2AA-960E8FCDC732}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{78CB5B0E-26ED-4FCC-854C-77E8F3D1AA80}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{81D4E9C9-1D3B-41BC-9E6C-4B40BF79E35E}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{8613E14C-D0C0-4161-AC0F-1DD2563286BC}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{A028AE76-01B1-46C2-99C4-ACD9858AE02F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{AE6BE008-07FB-400D-8BEB-337A64F7051F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{C1EE01F2-B3B6-4A6A-9DDD-E988C088EC82}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{E429B25A-E5D3-4D1F-9BE3-0C608477E3A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F25E9F57-2FC8-4EB3-A41A-CCE5F08541E6}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F89E9E58-BD2F-4008-9AC2-0F816C09F4EE}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_CURRENT_USER
- HKEY_CURRENT_USER\Keyboard Layout\Toggle
- HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
- HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
- HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
- HKEY_CURRENT_USER\Software\Microsoft\CTF\DirectSwitchHotkeys
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\KnownClasses
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ProgramFilesDir
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\CommonFilesDir
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\RegisteredOwner
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\RegisteredOrganization
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\MS Sans Serif
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane1
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane2
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane3
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane4
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane5
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane6
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane7
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane8
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane9
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane10
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane11
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane12
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane13
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane14
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane15
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane16
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SESSION MANAGER\SafeProcessSearchMode
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{372941a3-1bd9-11e5-9838-806e6f6e6963}\
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{372941a3-1bd9-11e5-9838-806e6f6e6963}\Data
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{372941a3-1bd9-11e5-9838-806e6f6e6963}\Generation
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{372941a4-1bd9-11e5-9838-806e6f6e6963}\
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{372941a4-1bd9-11e5-9838-806e6f6e6963}\Data
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{372941a4-1bd9-11e5-9838-806e6f6e6963}\Generation
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\GreenBrowser_is1
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\GreenBrowser_is1
- HKEY_CURRENT_USER\Software\Microsoft\CTF\LayoutIcon\0804\00000804
读取的注册表键
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
- HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
- HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
- HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ProgramFilesDir
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\CommonFilesDir
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\RegisteredOwner
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\RegisteredOrganization
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane1
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane2
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane3
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane4
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane5
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane6
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane7
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane8
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane9
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane10
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane11
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane12
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane13
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane14
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane15
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane16
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SESSION MANAGER\SafeProcessSearchMode
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{372941a3-1bd9-11e5-9838-806e6f6e6963}\Data
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{372941a3-1bd9-11e5-9838-806e6f6e6963}\Generation
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{372941a4-1bd9-11e5-9838-806e6f6e6963}\Data
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{372941a4-1bd9-11e5-9838-806e6f6e6963}\Generation
修改的注册表键
无信息
删除的注册表键
无信息
API解析
- kernel32.dll.Wow64DisableWow64FsRedirection
- kernel32.dll.Wow64RevertWow64FsRedirection
- kernel32.dll.GetUserDefaultUILanguage
- comctl32.dll.RegisterClassNameW
- kernel32.dll.SortGetHandle
- kernel32.dll.SortCloseHandle
- uxtheme.dll.EnableThemeDialogTexture
- ole32.dll.CoInitializeEx
- ole32.dll.CoUninitialize
- cryptbase.dll.SystemFunction036
- ole32.dll.CoRegisterInitializeSpy
- ole32.dll.CoRevokeInitializeSpy
- uxtheme.dll.OpenThemeData
- uxtheme.dll.CloseThemeData
- uxtheme.dll.DrawThemeBackground
- uxtheme.dll.DrawThemeText
- uxtheme.dll.GetThemeBackgroundContentRect
- uxtheme.dll.GetThemePartSize
- uxtheme.dll.GetThemeTextExtent
- uxtheme.dll.GetThemeTextMetrics
- uxtheme.dll.GetThemeBackgroundRegion
- uxtheme.dll.HitTestThemeBackground
- uxtheme.dll.DrawThemeEdge
- uxtheme.dll.DrawThemeIcon
- uxtheme.dll.IsThemePartDefined
- uxtheme.dll.IsThemeBackgroundPartiallyTransparent
- uxtheme.dll.GetThemeColor
- uxtheme.dll.GetThemeMetric
- uxtheme.dll.GetThemeString
- uxtheme.dll.GetThemeBool
- uxtheme.dll.GetThemeInt
- uxtheme.dll.GetThemeEnumValue
- uxtheme.dll.GetThemePosition
- uxtheme.dll.GetThemeFont
- uxtheme.dll.GetThemeRect
- uxtheme.dll.GetThemeMargins
- uxtheme.dll.GetThemeIntList
- uxtheme.dll.GetThemePropertyOrigin
- uxtheme.dll.SetWindowTheme
- uxtheme.dll.GetThemeFilename
- uxtheme.dll.GetThemeSysColor
- uxtheme.dll.GetThemeSysColorBrush
- uxtheme.dll.GetThemeSysBool
- uxtheme.dll.GetThemeSysSize
- uxtheme.dll.GetThemeSysFont
- uxtheme.dll.GetThemeSysString
- uxtheme.dll.GetThemeSysInt
- uxtheme.dll.IsThemeActive
- uxtheme.dll.IsAppThemed
- uxtheme.dll.GetWindowTheme
- uxtheme.dll.IsThemeDialogTextureEnabled
- uxtheme.dll.GetThemeAppProperties
- uxtheme.dll.SetThemeAppProperties
- uxtheme.dll.GetCurrentThemeName
- uxtheme.dll.GetThemeDocumentationProperty
- uxtheme.dll.DrawThemeParentBackground
- uxtheme.dll.EnableTheming
- user32.dll.NotifyWinEvent
- shell32.dll.SHPathPrepareForWriteA
- kernel32.dll.GetNativeSystemInfo
- kernel32.dll.IsWow64Process
- kernel32.dll.GetSystemWow64DirectoryA
- advapi32.dll.RegDeleteKeyExA
- user32.dll.DisableProcessWindowsGhosting
- advapi32.dll.CheckTokenMembership
- shfolder.dll.SHGetFolderPathA
- gdi32.dll.GetLayout
- gdi32.dll.GdiRealizationInfo
- gdi32.dll.FontIsLinked
- advapi32.dll.RegOpenKeyExW
- advapi32.dll.RegQueryInfoKeyW
- gdi32.dll.GetTextFaceAliasW
- advapi32.dll.RegEnumValueW
- advapi32.dll.RegCloseKey
- advapi32.dll.RegQueryValueExW
- gdi32.dll.GetFontAssocStatus
- advapi32.dll.RegQueryValueExA
- advapi32.dll.RegEnumKeyExW
- gdi32.dll.GetTextExtentExPointWPri
- user32.dll.MonitorFromRect
- user32.dll.GetMonitorInfoA
- setupapi.dll.CM_Get_Device_Interface_List_Size_ExW
- setupapi.dll.CM_Get_Device_Interface_List_ExW
- comctl32.dll.#332
- comctl32.dll.#386
- gdi32.dll.GdiIsMetaPrintDC
- oleaut32.dll.SysAllocString
- oleaut32.dll.SysStringLen
- oleaut32.dll.SysFreeString