魔盾安全分析报告

分析类型	开始时间	结束时间	持续时间	分析引擎版本
FILE	2019-09-16 16:30:20	2019-09-16 16:32:51	151 秒	1.4-Maldun

虚拟机机器名	标签	虚拟机管理	开机时间	关机时间
win7-sp1-x64-hpdapp01-1	win7-sp1-x64-hpdapp01-1	KVM	2019-09-16 16:30:30	2019-09-16 16:32:52

魔盾分数
10.0 恶意的

文件详细信息

文件名	1PBE%E5%8A%A9%E6%89%8B1.6Beta.exe
文件大小	1490944 字节
文件类型	PE32 executable (GUI) Intel 80386, for MS Windows
CRC32	DA42AF94
MD5	3e357e0d6ac50b3552b9a47885abc4a7
SHA1	c1dc672f260a978d4362ef16586d162691290e5e
SHA256	a2f5799a005445309929393a63832ae9f8f827fafb40b628dc8816dabdc4070b
SHA512	8a0c82bbaedf9bd5e47c7689196e4ca1010af864098cfd5973d6fc7e10a8ef89aeca1f3c25ff81e73e2568a95d2e6b1d574e3debf33d82b220f43a72739d5cce
Ssdeep	24576:TZXvEbkxPP2dEk9EpQxKG4cQToGOlylGrcKG3X:TekqEkvcGp4oGsgERQ
PEiD	无匹配
Yara	DebuggerTiming__PerformanceCounter () DebuggerTiming__Ticks (Detected timing ticks function) screenshot (Detected take screenshot function) create_process (Detection function for creating a new process) escalate_priv (Detected escalate priviledges function) keylogger (Detected keylogger function) win_registry (Detected system registries modification function) change_win_registry (Change registries to affect system) win_token (Affect system token) win_files_operation (Affect private profile) win_hook (Detected hook table access function) win_private_profile (Detected private profile access function) Maldun_Anomoly_Combined_Activities_7 (Spotted potential malicious behaviors from a small size target, like process manipultion, privilege, token and files) with_images (Detected the presence of an or several images) with_urls (Detected the presence of an or several urls) CRC32_poly_Constant (Look for CRC32 [poly]) CRC32_table (Look for CRC32 table) MD5_Constants (Look for MD5 constants) RC6_Constants (Look for RC6 magic constants in binary) Borland (Detects Borland program) IsPE32 (Detected 32bit PE signature) IsWindowsGUI (Detected Windows GUI signature) HasRichSignature (Detected Rich Signature)
VirusTotal	VirusTotal链接 VirusTotal扫描时间: 2019-09-05 06:20:42 扫描结果: 34/71

特征

魔盾安全Yara规则检测结果 - 高危

尝试修改 Explorer 设置以防止文件扩展名被显示

文件已被至少一个VirusTotal上的反病毒引擎检测为病毒

MicroWorld-eScan: Gen:Variant.Graftor.632683

FireEye: Generic.mg.3e357e0d6ac50b35

CrowdStrike: win/malicious_confidence_100% (D)

BitDefender: Gen:Variant.Graftor.632683

K7GW: Trojan ( 005246d51 )

K7AntiVirus: Trojan ( 005246d51 )

F-Prot: W32/OnlineGames.HG.gen!Eldorado

Symantec: ML.Attribute.HighConfidence

APEX: Malicious

ClamAV: Win.Malware.Zusy-6840460-0

Ad-Aware: Gen:Variant.Graftor.632683

Emsisoft: Gen:Variant.Graftor.632683 (B)

Comodo: Worm.Win32.Dropper.RA@1qraug

F-Secure: Heuristic.HEUR/AGEN.1040662

DrWeb: Trojan.Hosts.43193

Invincea: heuristic

McAfee-GW-Edition: BehavesLike.Win32.Generic.th

Cyren: W32/OnlineGames.HG.gen!Eldorado

Avira: HEUR/AGEN.1040662

Fortinet: Adware/FlyStudio

Antiy-AVL: GrayWare/Win32.FlyStudio.a

Endgame: malicious (high confidence)

Arcabit: Trojan.Graftor.D9A76B

Microsoft: Trojan:Win32/Wacatac.B!ml

Acronis: suspicious

VBA32: Trojan.Hosts

ALYac: Gen:Variant.Graftor.632683

MAX: malware (ai score=84)

Cylance: Unsafe

ESET-NOD32: a variant of Win32/Packed.FlyStudio.AA potentially unwanted

Rising: Trojan.Generic@ML.84 (RDML:cUmt7SxtslI4JIpXsPosbA)

SentinelOne: DFI - Malicious PE

GData: Win32.Application.FlyStudio.F

Cybereason: malicious.d6ac50

运行截图

网络分析

无信息

静态分析

PE 信息

初始地址	0x00400000
入口地址	0x00475c17
声明校验值	0x00000000
实际校验值	0x0016f406
最低操作系统版本要求	4.0
编译时间	2019-09-03 01:06:28
载入哈希	b1bd8405aff74922604f99cc7ebbe766

版本信息

LegalCopyright:	Copyright (C) 2019
FileVersion:	1.6.1.0
CompanyName:	QQ\uff1a1482792432
Comments:	\u672c\u7a0b\u5e8f\u4f7f\u7528\u6613\u8bed\u8a00\u7f16\u5199(http://www.eyuyan.com)
ProductName:	PBE\u52a9\u624b
ProductVersion:	1.6.1.0
FileDescription:	League of Legends PBE Support
Translation:	0x0804 0x04b0

PE数据组成

名称	虚拟地址	虚拟大小	原始数据大小	特征	熵(Entropy)
.text	0x00001000	0x000a78da	0x000a8000	IMAGE_SCN_CNT_CODE\|IMAGE_SCN_MEM_EXECUTE\|IMAGE_SCN_MEM_READ	6.57
.rdata	0x000a9000	0x00091196	0x00092000	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ	6.15
.data	0x0013b000	0x00061cb1	0x00019000	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ\|IMAGE_SCN_MEM_WRITE	5.41
.rsrc	0x0019d000	0x00017144	0x00018000	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ	3.78

导入

库 WINMM.dll:

• 0x4a9668 - midiOutPrepareHeader

• 0x4a966c - midiStreamProperty

• 0x4a9670 - midiStreamOpen

• 0x4a9674 - midiOutUnprepareHeader

• 0x4a9678 - midiStreamOut

• 0x4a967c - midiStreamStop

• 0x4a9680 - midiOutReset

• 0x4a9684 - midiStreamClose

• 0x4a9688 - midiStreamRestart

• 0x4a968c - waveOutOpen

• 0x4a9690 - waveOutGetNumDevs

• 0x4a9694 - waveOutClose

• 0x4a9698 - waveOutReset

• 0x4a969c - PlaySoundA

• 0x4a96a0 - waveOutUnprepareHeader

• 0x4a96a4 - waveOutPrepareHeader

• 0x4a96a8 - waveOutWrite

• 0x4a96ac - waveOutPause

库 WS2_32.dll:

• 0x4a96c4 - accept

• 0x4a96c8 - getpeername

• 0x4a96cc - recv

• 0x4a96d0 - ioctlsocket

• 0x4a96d4 - recvfrom

• 0x4a96d8 - WSAAsyncSelect

• 0x4a96dc - closesocket

• 0x4a96e0 - WSACleanup

• 0x4a96e4 - inet_ntoa

库 MSVFW32.dll:

• 0x4a93c4 - DrawDibDraw

库 AVIFIL32.dll:

• 0x4a9024 - AVIStreamInfoA

• 0x4a9028 - AVIStreamGetFrame

库 KERNEL32.dll:

• 0x4a919c - GetVersion

• 0x4a91a0 - InterlockedIncrement

• 0x4a91a4 - InterlockedDecrement

• 0x4a91a8 - LocalFree

• 0x4a91ac - FileTimeToSystemTime

• 0x4a91b0 - FileTimeToLocalFileTime

• 0x4a91b4 - DuplicateHandle

• 0x4a91b8 - FlushFileBuffers

• 0x4a91bc - LockFile

• 0x4a91c0 - UnlockFile

• 0x4a91c4 - SetEndOfFile

• 0x4a91c8 - GetStringTypeExA

• 0x4a91cc - lstrcmpiA

• 0x4a91d0 - GlobalDeleteAtom

• 0x4a91d4 - GlobalFindAtomA

• 0x4a91d8 - GlobalAddAtomA

• 0x4a91dc - GlobalGetAtomNameA

• 0x4a91e0 - lstrcmpA

• 0x4a91e4 - LocalAlloc

• 0x4a91e8 - TlsAlloc

• 0x4a91ec - GlobalHandle

• 0x4a91f0 - TlsFree

• 0x4a91f4 - TlsSetValue

• 0x4a91f8 - LocalReAlloc

• 0x4a91fc - TlsGetValue

• 0x4a9200 - GetFileTime

• 0x4a9204 - GetCurrentThread

• 0x4a9208 - GlobalFlags

• 0x4a920c - SetErrorMode

• 0x4a9210 - GetProcessVersion

• 0x4a9214 - GetCPInfo

• 0x4a9218 - GetOEMCP

• 0x4a921c - GetStartupInfoA

• 0x4a9220 - RtlUnwind

• 0x4a9224 - GetSystemTime

• 0x4a9228 - GetLocalTime

• 0x4a922c - RaiseException

• 0x4a9230 - HeapSize

• 0x4a9234 - GetACP

• 0x4a9238 - UnhandledExceptionFilter

• 0x4a923c - FreeEnvironmentStringsA

• 0x4a9240 - FreeEnvironmentStringsW

• 0x4a9244 - GetEnvironmentStrings

• 0x4a9248 - GetEnvironmentStringsW

• 0x4a924c - SetHandleCount

• 0x4a9250 - GetStdHandle

• 0x4a9254 - GetFileType

• 0x4a9258 - GetEnvironmentVariableA

• 0x4a925c - HeapDestroy

• 0x4a9260 - HeapCreate

• 0x4a9264 - VirtualFree

• 0x4a9268 - SetEnvironmentVariableA

• 0x4a926c - LCMapStringA

• 0x4a9270 - LCMapStringW

• 0x4a9274 - VirtualAlloc

• 0x4a9278 - IsBadWritePtr

• 0x4a927c - SetUnhandledExceptionFilter

• 0x4a9280 - GetStringTypeA

• 0x4a9284 - GetStringTypeW

• 0x4a9288 - CompareStringA

• 0x4a928c - CompareStringW

• 0x4a9290 - IsBadReadPtr

• 0x4a9294 - IsBadCodePtr

• 0x4a9298 - SetStdHandle

• 0x4a929c - GetTimeZoneInformation

• 0x4a92a0 - SetLastError

• 0x4a92a4 - TerminateProcess

• 0x4a92a8 - GetFileSize

• 0x4a92ac - SetFilePointer

• 0x4a92b0 - WideCharToMultiByte

• 0x4a92b4 - MultiByteToWideChar

• 0x4a92b8 - GetCurrentProcess

• 0x4a92bc - SetSystemPowerState

• 0x4a92c0 - CreateSemaphoreA

• 0x4a92c4 - ResumeThread

• 0x4a92c8 - ReleaseSemaphore

• 0x4a92cc - EnterCriticalSection

• 0x4a92d0 - LeaveCriticalSection

• 0x4a92d4 - GetUserDefaultLCID

• 0x4a92d8 - GetProfileStringA

• 0x4a92dc - WriteFile

• 0x4a92e0 - WaitForMultipleObjects

• 0x4a92e4 - CreateFileA

• 0x4a92e8 - SetEvent

• 0x4a92ec - FindResourceA

• 0x4a92f0 - LoadResource

• 0x4a92f4 - LockResource

• 0x4a92f8 - ReadFile

• 0x4a92fc - GetModuleFileNameA

• 0x4a9300 - GetCurrentThreadId

• 0x4a9304 - ExitProcess

• 0x4a9308 - GlobalSize

• 0x4a930c - GlobalFree

• 0x4a9310 - DeleteCriticalSection

• 0x4a9314 - InitializeCriticalSection

• 0x4a9318 - lstrcatA

• 0x4a931c - lstrlenA

• 0x4a9320 - WinExec

• 0x4a9324 - lstrcpyA

• 0x4a9328 - FindNextFileA

• 0x4a932c - GlobalReAlloc

• 0x4a9330 - HeapFree

• 0x4a9334 - HeapReAlloc

• 0x4a9338 - GetProcessHeap

• 0x4a933c - HeapAlloc

• 0x4a9340 - GetFullPathNameA

• 0x4a9344 - FreeLibrary

• 0x4a9348 - LoadLibraryA

• 0x4a934c - GetLastError

• 0x4a9350 - GetVersionExA

• 0x4a9354 - WritePrivateProfileStringA

• 0x4a9358 - CreateThread

• 0x4a935c - CreateEventA

• 0x4a9360 - Sleep

• 0x4a9364 - GlobalAlloc

• 0x4a9368 - GlobalLock

• 0x4a936c - GlobalUnlock

• 0x4a9370 - FindFirstFileA

• 0x4a9374 - FindClose

• 0x4a9378 - GetFileAttributesA

• 0x4a937c - DeleteFileA

• 0x4a9380 - SetCurrentDirectoryA

• 0x4a9384 - GetVolumeInformationA

• 0x4a9388 - GetModuleHandleA

• 0x4a938c - GetProcAddress

• 0x4a9390 - MulDiv

• 0x4a9394 - GetCommandLineA

• 0x4a9398 - GetTickCount

• 0x4a939c - CreateProcessA

• 0x4a93a0 - WaitForSingleObject

• 0x4a93a4 - CloseHandle

• 0x4a93a8 - InterlockedExchange

• 0x4a93ac - VirtualProtect

• 0x4a93b0 - VirtualQuery

• 0x4a93b4 - GetSystemInfo

• 0x4a93b8 - InterlockedCompareExchange

• 0x4a93bc - lstrcpynA

库 USER32.dll:

• 0x4a93e8 - LoadStringA

• 0x4a93ec - GetMenuCheckMarkDimensions

• 0x4a93f0 - GetMenuState

• 0x4a93f4 - SetMenuItemBitmaps

• 0x4a93f8 - CheckMenuItem

• 0x4a93fc - MoveWindow

• 0x4a9400 - SetWindowTextA

• 0x4a9404 - IsDialogMessageA

• 0x4a9408 - ScrollWindowEx

• 0x4a940c - SendDlgItemMessageA

• 0x4a9410 - MapWindowPoints

• 0x4a9414 - AdjustWindowRectEx

• 0x4a9418 - GetScrollPos

• 0x4a941c - RegisterClassA

• 0x4a9420 - GetMenuItemCount

• 0x4a9424 - GetMenuItemID

• 0x4a9428 - CreateWindowExA

• 0x4a942c - SetWindowsHookExA

• 0x4a9430 - CallNextHookEx

• 0x4a9434 - GetClassLongA

• 0x4a9438 - SetPropA

• 0x4a943c - UnhookWindowsHookEx

• 0x4a9440 - GetPropA

• 0x4a9444 - CallWindowProcA

• 0x4a9448 - RemovePropA

• 0x4a944c - GetMessageTime

• 0x4a9450 - GetLastActivePopup

• 0x4a9454 - RegisterWindowMessageA

• 0x4a9458 - GetWindowPlacement

• 0x4a945c - EndDialog

• 0x4a9460 - CreateDialogIndirectParamA

• 0x4a9464 - DestroyWindow

• 0x4a9468 - GrayStringA

• 0x4a946c - DrawTextA

• 0x4a9470 - TabbedTextOutA

• 0x4a9474 - EndPaint

• 0x4a9478 - BeginPaint

• 0x4a947c - GetWindowDC

• 0x4a9480 - CharUpperA

• 0x4a9484 - GetWindowTextLengthA

• 0x4a9488 - DrawStateA

• 0x4a948c - FrameRect

• 0x4a9490 - GetNextDlgTabItem

• 0x4a9494 - GetWindowTextA

• 0x4a9498 - FindWindowExA

• 0x4a949c - GetDlgItem

• 0x4a94a0 - GetClassNameA

• 0x4a94a4 - GetDesktopWindow

• 0x4a94a8 - UnregisterClassA

• 0x4a94ac - GetForegroundWindow

• 0x4a94b0 - LoadIconA

• 0x4a94b4 - TranslateMessage

• 0x4a94b8 - DrawFrameControl

• 0x4a94bc - DrawEdge

• 0x4a94c0 - DrawFocusRect

• 0x4a94c4 - WindowFromPoint

• 0x4a94c8 - GetMessageA

• 0x4a94cc - DispatchMessageA

• 0x4a94d0 - SetRectEmpty

• 0x4a94d4 - RegisterClipboardFormatA

• 0x4a94d8 - CreateIconFromResourceEx

• 0x4a94dc - CreateIconFromResource

• 0x4a94e0 - CreatePopupMenu

• 0x4a94e4 - AppendMenuA

• 0x4a94e8 - ModifyMenuA

• 0x4a94ec - CreateMenu

• 0x4a94f0 - CreateAcceleratorTableA

• 0x4a94f4 - GetDlgCtrlID

• 0x4a94f8 - GetSubMenu

• 0x4a94fc - EnableMenuItem

• 0x4a9500 - ClientToScreen

• 0x4a9504 - EnumDisplaySettingsA

• 0x4a9508 - LoadImageA

• 0x4a950c - SystemParametersInfoA

• 0x4a9510 - ShowWindow

• 0x4a9514 - IsWindowEnabled

• 0x4a9518 - TranslateAcceleratorA

• 0x4a951c - GetKeyState

• 0x4a9520 - CopyAcceleratorTableA

• 0x4a9524 - PostQuitMessage

• 0x4a9528 - IsZoomed

• 0x4a952c - GetClassInfoA

• 0x4a9530 - DefWindowProcA

• 0x4a9534 - GetSystemMenu

• 0x4a9538 - DeleteMenu

• 0x4a953c - GetMenu

• 0x4a9540 - SetMenu

• 0x4a9544 - PeekMessageA

• 0x4a9548 - IsIconic

• 0x4a954c - SetFocus

• 0x4a9550 - GetActiveWindow

• 0x4a9554 - GetWindow

• 0x4a9558 - DestroyAcceleratorTable

• 0x4a955c - SetWindowRgn

• 0x4a9560 - GetMessagePos

• 0x4a9564 - ScreenToClient

• 0x4a9568 - ChildWindowFromPointEx

• 0x4a956c - CopyRect

• 0x4a9570 - LoadBitmapA

• 0x4a9574 - WinHelpA

• 0x4a9578 - KillTimer

• 0x4a957c - SetTimer

• 0x4a9580 - GetCapture

• 0x4a9584 - SetCapture

• 0x4a9588 - GetScrollRange

• 0x4a958c - SetScrollRange

• 0x4a9590 - SetScrollPos

• 0x4a9594 - SetRect

• 0x4a9598 - InflateRect

• 0x4a959c - IntersectRect

• 0x4a95a0 - DestroyIcon

• 0x4a95a4 - PtInRect

• 0x4a95a8 - OffsetRect

• 0x4a95ac - IsWindowVisible

• 0x4a95b0 - EnableWindow

• 0x4a95b4 - RedrawWindow

• 0x4a95b8 - GetWindowLongA

• 0x4a95bc - SetWindowLongA

• 0x4a95c0 - GetSysColor

• 0x4a95c4 - SetActiveWindow

• 0x4a95c8 - SetCursorPos

• 0x4a95cc - LoadCursorA

• 0x4a95d0 - SetCursor

• 0x4a95d4 - GetDC

• 0x4a95d8 - FillRect

• 0x4a95dc - IsRectEmpty

• 0x4a95e0 - ReleaseDC

• 0x4a95e4 - IsChild

• 0x4a95e8 - DestroyMenu

• 0x4a95ec - SetForegroundWindow

• 0x4a95f0 - GetWindowRect

• 0x4a95f4 - EqualRect

• 0x4a95f8 - UpdateWindow

• 0x4a95fc - ValidateRect

• 0x4a9600 - InvalidateRect

• 0x4a9604 - GetClientRect

• 0x4a9608 - GetFocus

• 0x4a960c - GetParent

• 0x4a9610 - GetTopWindow

• 0x4a9614 - PostMessageA

• 0x4a9618 - IsWindow

• 0x4a961c - SetParent

• 0x4a9620 - DestroyCursor

• 0x4a9624 - SendMessageA

• 0x4a9628 - SetWindowPos

• 0x4a962c - MessageBoxA

• 0x4a9630 - GetCursorPos

• 0x4a9634 - GetSystemMetrics

• 0x4a9638 - EmptyClipboard

• 0x4a963c - SetClipboardData

• 0x4a9640 - OpenClipboard

• 0x4a9644 - GetClipboardData

• 0x4a9648 - CloseClipboard

• 0x4a964c - wsprintfA

• 0x4a9650 - WaitForInputIdle

• 0x4a9654 - GetSysColorBrush

• 0x4a9658 - DrawIconEx

• 0x4a965c - ReleaseCapture

• 0x4a9660 - ExitWindowsEx

库 GDI32.dll:

• 0x4a9040 - CreateDCA

• 0x4a9044 - CreateCompatibleBitmap

• 0x4a9048 - GetPolyFillMode

• 0x4a904c - GetStretchBltMode

• 0x4a9050 - GetROP2

• 0x4a9054 - CreateBitmap

• 0x4a9058 - GetBkColor

• 0x4a905c - CreatePatternBrush

• 0x4a9060 - SelectObject

• 0x4a9064 - GetObjectA

• 0x4a9068 - CreatePen

• 0x4a906c - PatBlt

• 0x4a9070 - CombineRgn

• 0x4a9074 - GetBkMode

• 0x4a9078 - CreateRectRgn

• 0x4a907c - FillRgn

• 0x4a9080 - CreateSolidBrush

• 0x4a9084 - GetTextColor

• 0x4a9088 - GetStockObject

• 0x4a908c - SaveDC

• 0x4a9090 - RestoreDC

• 0x4a9094 - SetPolyFillMode

• 0x4a9098 - SetROP2

• 0x4a909c - SetMapMode

• 0x4a90a0 - SetViewportOrgEx

• 0x4a90a4 - OffsetViewportOrgEx

• 0x4a90a8 - SetViewportExtEx

• 0x4a90ac - ScaleViewportExtEx

• 0x4a90b0 - CreateFontIndirectA

• 0x4a90b4 - SetWindowExtEx

• 0x4a90b8 - ScaleWindowExtEx

• 0x4a90bc - GetClipBox

• 0x4a90c0 - EndPage

• 0x4a90c4 - MoveToEx

• 0x4a90c8 - LineTo

• 0x4a90cc - ExtSelectClipRgn

• 0x4a90d0 - GetViewportExtEx

• 0x4a90d4 - PtVisible

• 0x4a90d8 - RectVisible

• 0x4a90dc - ExtTextOutA

• 0x4a90e0 - Escape

• 0x4a90e4 - GetTextMetricsA

• 0x4a90e8 - SetBkColor

• 0x4a90ec - CreateRectRgnIndirect

• 0x4a90f0 - CreateDIBSection

• 0x4a90f4 - SetStretchBltMode

• 0x4a90f8 - GetClipRgn

• 0x4a90fc - CreatePolygonRgn

• 0x4a9100 - SelectClipRgn

• 0x4a9104 - DeleteObject

• 0x4a9108 - CreateDIBitmap

• 0x4a910c - GetSystemPaletteEntries

• 0x4a9110 - CreatePalette

• 0x4a9114 - StretchBlt

• 0x4a9118 - SelectPalette

• 0x4a911c - RealizePalette

• 0x4a9120 - GetDIBits

• 0x4a9124 - GetWindowExtEx

• 0x4a9128 - GetViewportOrgEx

• 0x4a912c - GetWindowOrgEx

• 0x4a9130 - BeginPath

• 0x4a9134 - EndPath

• 0x4a9138 - PathToRegion

• 0x4a913c - CreateEllipticRgn

• 0x4a9140 - EndDoc

• 0x4a9144 - DeleteDC

• 0x4a9148 - StartDocA

• 0x4a914c - StartPage

• 0x4a9150 - BitBlt

• 0x4a9154 - GetPixel

• 0x4a9158 - CreateCompatibleDC

• 0x4a915c - ExcludeClipRect

• 0x4a9160 - SetDIBitsToDevice

• 0x4a9164 - SetTextColor

• 0x4a9168 - SetBkMode

• 0x4a916c - TextOutA

• 0x4a9170 - Ellipse

• 0x4a9174 - Rectangle

• 0x4a9178 - LPtoDP

• 0x4a917c - DPtoLP

• 0x4a9180 - GetCurrentObject

• 0x4a9184 - RoundRect

• 0x4a9188 - GetTextExtentPoint32A

• 0x4a918c - SetWindowOrgEx

• 0x4a9190 - GetDeviceCaps

• 0x4a9194 - CreateRoundRectRgn

库 WINSPOOL.DRV:

• 0x4a96b4 - OpenPrinterA

• 0x4a96b8 - DocumentPropertiesA

• 0x4a96bc - ClosePrinter

库 comdlg32.dll:

• 0x4a96ec - GetSaveFileNameA

• 0x4a96f0 - GetOpenFileNameA

• 0x4a96f4 - ChooseColorA

• 0x4a96f8 - GetFileTitleA

库 ADVAPI32.dll:

• 0x4a9000 - RegCreateKeyExA

• 0x4a9004 - OpenProcessToken

• 0x4a9008 - LookupPrivilegeValueA

• 0x4a900c - AdjustTokenPrivileges

• 0x4a9010 - RegQueryValueA

• 0x4a9014 - RegSetValueExA

• 0x4a9018 - RegOpenKeyExA

• 0x4a901c - RegCloseKey

库 SHELL32.dll:

• 0x4a93dc - ShellExecuteA

• 0x4a93e0 - Shell_NotifyIconA

库 ole32.dll:

• 0x4a9700 - OleInitialize

• 0x4a9704 - OleUninitialize

• 0x4a9708 - CLSIDFromString

库 OLEAUT32.dll:

• 0x4a93cc - UnRegisterTypeLib

• 0x4a93d0 - RegisterTypeLib

• 0x4a93d4 - LoadTypeLib

库 COMCTL32.dll:

• 0x4a9030 - ImageList_Destroy

• 0x4a9034 - _TrackMouseEvent

• 0x4a9038 - None

投放文件

无信息

行为分析

互斥量(Mutexes)

Local\MSCTF.Asm.MutexDefault1

执行的命令

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t reg_dword /d 00000000 /f
LeagueClient.exe

创建的服务 无信息

启动的服务 无信息

进程

1PBE_E5_8A_A9_E6_89_8B1.6Beta.exe PID: 2500, 上一级进程 PID: 2352

reg.exe PID: 2548, 上一级进程 PID: 2500

访问的文件

C:\Windows\Globalization\Sorting\sortdefault.nls
C:\Users\test\AppData\Local\Temp\LeagueClient.exe
C:\Windows\Fonts\staticcache.dat
C:\Windows\SysWOW64\zh-CN\KERNELBASE.dll.mui

读取的文件

C:\Windows\Globalization\Sorting\sortdefault.nls
C:\Windows\Fonts\staticcache.dat
C:\Windows\SysWOW64\zh-CN\KERNELBASE.dll.mui

修改的文件 无信息

删除的文件 无信息

注册表键

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\FontSubstitutes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\\xe5\xae\x8b\xe4\xbd\x93
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane16
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\1PBE_E5_8A_A9_E6_89_8B1.6Beta.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{03B5835F-F03C-411B-9CE2-AA23E1171E36}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{07EB03D6-B001-41DF-9192-BF9B841EE71F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3697C5FA-60DD-4B56-92D4-74A569205C16}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3FC47A08-E5C9-4BCA-A2C7-BC9A282AED14}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{531FDEBF-9B4C-4A43-A2AA-960E8FCDC732}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{78CB5B0E-26ED-4FCC-854C-77E8F3D1AA80}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{81D4E9C9-1D3B-41BC-9E6C-4B40BF79E35E}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{8613E14C-D0C0-4161-AC0F-1DD2563286BC}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{A028AE76-01B1-46C2-99C4-ACD9858AE02F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{AE6BE008-07FB-400D-8BEB-337A64F7051F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{C1EE01F2-B3B6-4A6A-9DDD-E988C088EC82}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{E429B25A-E5D3-4D1F-9BE3-0C608477E3A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F25E9F57-2FC8-4EB3-A41A-CCE5F08541E6}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F89E9E58-BD2F-4008-9AC2-0F816C09F4EE}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_CURRENT_USER
HKEY_CURRENT_USER\Keyboard Layout\Toggle
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
HKEY_CURRENT_USER\Software\Microsoft\CTF\DirectSwitchHotkeys
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\KnownClasses
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\\xe5\x8d\x8e\xe6\x96\x87\xe7\xbb\x86\xe9\xbb\x91
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\\xe5\xbe\xae\xe8\xbd\xaf\xe9\x9b\x85\xe9\xbb\x91
HKEY_CURRENT_USER\Software\Microsoft\CTF\LayoutIcon\0804\00000804
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Applications\1PBE_E5_8A_A9_E6_89_8B1.6Beta.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\WMR
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles

读取的注册表键

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\\xe5\xae\x8b\xe4\xbd\x93
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane16
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles

修改的注册表键

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt

删除的注册表键 无信息

API解析

kernel32.dll.IsProcessorFeaturePresent
cryptbase.dll.SystemFunction036
kernel32.dll.SortGetHandle
kernel32.dll.SortCloseHandle
comctl32.dll.RegisterClassNameW
uxtheme.dll.EnableThemeDialogTexture
uxtheme.dll.OpenThemeData
comctl32.dll.InitCommonControlsEx
gdi32.dll.GetLayout
gdi32.dll.GdiRealizationInfo
gdi32.dll.FontIsLinked
advapi32.dll.RegOpenKeyExW
advapi32.dll.RegQueryInfoKeyW
gdi32.dll.GetTextFaceAliasW
advapi32.dll.RegEnumValueW
advapi32.dll.RegCloseKey
advapi32.dll.RegQueryValueExW
advapi32.dll.RegQueryValueExA
advapi32.dll.RegEnumKeyExW
gdi32.dll.GetTextExtentExPointWPri
gdi32.dll.GetFontAssocStatus
ole32.dll.CoInitializeEx
ole32.dll.CoUninitialize
ole32.dll.CoRegisterInitializeSpy
ole32.dll.CoRevokeInitializeSpy
oleaut32.dll.SysAllocString
oleaut32.dll.SysStringLen
oleaut32.dll.SysFreeString
gdi32.dll.GdiIsMetaPrintDC